Network Working Group                                      J. Jeong, Ed.
Internet-Draft                                                 P. Lingga
Intended status: Standards Track                 Sungkyunkwan University
Expires: 1 August 2022                                          S. Hares
                                                                  L. Xia
                                                                  Huawei
                                                             H. Birkholz
                                                          Fraunhofer SIT
                                                         28 January 2022

            I2NSF NSF Monitoring Interface YANG Data Model
            draft-ietf-i2nsf-nsf-monitoring-data-model-14

Abstract

   This document proposes an information model and the corresponding
   YANG data model of an interface for monitoring Network Security
   Functions (NSFs) in the Interface to Network Security Functions
   (I2NSF) framework.  If the monitoring of NSFs is performed with the
   NSF monitoring interface in a comprehensive way, it is possible to
   detect indications of malicious activity, anomalous behavior,
   potential signs of denial-of-service attacks, or system overload in a
   timely manner.  This monitoring functionality is based on the
   monitoring information that is generated by NSFs.  Thus, this
   document describes not only an information model for the NSF
   monitoring interface along with a YANG tree diagram, but also the
   corresponding YANG data model.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."
   This Internet-Draft will expire on 1 August 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Use Cases for NSF Monitoring Data
   4.  Classification of NSF Monitoring Data
     4.1.  Retention and Emission
     4.2.  Notifications, Events, and Records
     4.3.  Unsolicited Poll and Solicited Pull
   5.  Basic Information Model for Monitoring Data
   6.  Extended Information Model for Monitoring Data
     6.1.  System Alarms
       6.1.1.  Memory Alarm
       6.1.2.  CPU Alarm
       6.1.3.  Disk Alarm
       6.1.4.  Hardware Alarm
       6.1.5.  Interface Alarm
     6.2.  System Events
       6.2.1.  Access Violation
       6.2.2.  Configuration Change
       6.2.3.  Session Table Event
       6.2.4.  Traffic Flows
     6.3.  NSF Events
       6.3.1.  DDoS Detection
       6.3.2.  Virus Event
       6.3.3.  Intrusion Event
       6.3.4.  Web Attack Event
       6.3.5.  VoIP/VoLTE Event
     6.4.  System Logs
       6.4.1.  Access Log
       6.4.2.  Resource Utilization Log
       6.4.3.  User Activity Log
     6.5.  NSF Logs
       6.5.1.  Deep Packet Inspection Log
     6.6.  System Counter
       6.6.1.  Interface Counter
     6.7.  NSF Counters
       6.7.1.  Firewall Counter
       6.7.2.  Policy Hit Counter
   7.  YANG Tree Structure of NSF Monitoring YANG Module
   8.  YANG Data Model of NSF Monitoring YANG Module
   9.  I2NSF Event Stream
   10. XML Examples for I2NSF NSF Monitoring
     10.1.  I2NSF System Detection Alarm
     10.2.  I2NSF Interface Counters
   11. IANA Considerations
   12. Security Considerations
   13. Acknowledgments
   14. Contributors
   15. References
     15.1.  Normative References
     15.2.  Informative References
   Appendix A.  Changes from
                draft-ietf-i2nsf-nsf-monitoring-data-model-13
   Authors' Addresses

1.  Introduction

   According to [RFC8329], the interface provided by a Network Security
   Function (NSF) (e.g., firewall, IPS, or anti-DDoS function) to enable
   the collection of monitoring information is referred to as an I2NSF
   Monitoring Interface.  This interface enables the sharing of vital
   data from the NSFs (e.g., events, records, and counters) with the NSF
   data collector through a variety of mechanisms (e.g., queries and
   notifications).  The monitoring of NSFs plays an important role in an
   overall security framework if it is done in a timely and
   comprehensive way.  The monitoring information generated by an NSF
   can be a good, early indication of anomalous behavior or malicious
   activity, such as denial-of-service (DoS) attacks.

   This document defines a comprehensive information model of an NSF
   monitoring interface that provides visibility into an NSF for the NSF
   data collector.  Note that an NSF data collector is defined as an
   entity that collects NSF monitoring data from an NSF, such as a
   Security Controller.  This document specifies the information and
   illustrates the methods that enable an NSF to provide the information
   required in order to be monitored in a scalable and efficient way via
   the NSF Monitoring Interface.  The information model for the NSF
   monitoring interface presented in this document is complementary to
   the security policy provisioning functionality of the NSF-Facing
   Interface specified in [I-D.ietf-i2nsf-nsf-facing-interface-dm].
   This document also defines a YANG [RFC7950] data model for the NSF
   monitoring interface, which is derived from the information model for
   the NSF monitoring interface.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   This document uses the terminology described in [RFC8329].  In
   addition, the following terms are defined in this document:

   *  I2NSF User: An entity that delivers a high-level security policy
      to the Security Controller and may request monitoring information
      via the NSF data collector.

   *  Monitoring Information: Relevant data that can be processed to
      learn the status and performance of the network and the NSF.  The
      monitoring information in the I2NSF environment consists of I2NSF
      Event, I2NSF Record, and I2NSF Counter (see Section 4.1 for the
      detailed definitions).  This information is delivered to the NSF
      data collector.

   *  Notification: Unsolicited transmission of monitoring information.

   *  NSF Data Collector: An entity that collects NSF monitoring
      information from NSFs, such as a Security Controller.

   *  Subscription: An agreement initiated by the NSF data collector to
      receive monitoring information from an NSF.  The method of
      subscribing follows the method explained in [RFC5277].

   This document follows the guidelines of [RFC8407], uses the common
   YANG types defined in [RFC6991], and adopts the Network Management
   Datastore Architecture (NMDA) [RFC8342].  The meaning of the symbols
   in tree diagrams is defined in [RFC8340].

3.  Use Cases for NSF Monitoring Data

   As mentioned earlier, monitoring plays a critical role in an overall
   security framework.
   The monitoring of the NSF provides very valuable information to an
   NSF data collector (e.g., Security Controller) for maintaining the
   provisioned security posture.  Besides this, there are various other
   reasons to monitor the NSF, as listed below:

   *  The I2NSF User, i.e., the security administrator, can configure a
      policy that is triggered by a specific event occurring in the NSF
      or the network [RFC8329]
      [I-D.ietf-i2nsf-consumer-facing-interface-dm].  If an NSF data
      collector detects the specified event, it configures additional
      security functions as defined by the policies.

   *  The events triggered by an NSF as a result of a security policy
      violation can be used by a Security Information and Event
      Management (SIEM) system to detect suspicious activity in a larger
      correlation context.

   *  The information (i.e., events, records, and counters) from an NSF
      can be used to build advanced analytics, such as behavioral and
      predictive models, to improve the security posture in large
      deployments.

   *  The NSF data collector can use events from the NSF to achieve high
      availability.  It can take corrective actions such as restarting a
      failed NSF or horizontally scaling the NSF.

   *  The information (i.e., events, records, and counters) from the NSF
      can aid in the root cause analysis of an operational issue and so
      improve debugging.

   *  The records from the NSF can be used to build historical data for
      operational and business reasons.

4.  Classification of NSF Monitoring Data

   In order to maintain a strong security posture, it is not only
   necessary to configure an NSF's security policies but also to
   continuously monitor the NSF by consuming acquirable and observable
   data.  This enables security administrators to assess the state of
   the networks in a timely fashion.  It is not possible to block all
   internal and external threats with a static security posture.
   A more practical approach is to enable dynamic security measures, for
   which continuous visibility is required.  This document defines a set
   of monitoring elements and their scopes that can be acquired from an
   NSF and used as NSF monitoring data.  In essence, this monitoring
   data can be leveraged to support constant visibility at multiple
   levels of granularity and can be consumed by the corresponding
   functions.

   Three basic domains of the monitoring data originating from a system
   entity [RFC4949], i.e., an NSF, are highlighted in this document:

   *  Retention and Emission

   *  Notifications, Events, and Records

   *  Unsolicited Poll and Solicited Pull

   Every system entity creates information about some context in the
   form of defined I2NSF monitoring data, and so every entity can be an
   I2NSF component.  This information is intended to be consumed by
   other I2NSF components, which deal with NSF monitoring data in an
   automated fashion.

4.1.  Retention and Emission

   A system entity (e.g., NSF) first retains I2NSF monitoring data
   inside its own system before emitting the information to another
   I2NSF component (e.g., NSF Data Collector).  The I2NSF monitoring
   information consists of I2NSF Event, I2NSF Record, and I2NSF Counter,
   as follows:

   I2NSF Event:  An I2NSF Event is defined as an important occurrence at
      a particular time, that is, a change in the system being managed
      or a change in the environment of the system being managed.  An
      I2NSF Event requires immediate attention and should be notified
      as soon as possible.  When used in the context of an (imperative)
      I2NSF Policy Rule, an I2NSF Event is used to determine whether the
      Condition clause of that Policy Rule can be evaluated or not.  The
      Alarm Management Framework in [RFC3877] defines an event as
      something that happens which may be of interest.
      Examples of an event are a fault, a change in status, crossing a
      threshold, or an external input to the system.  In the I2NSF
      domain, I2NSF events are created following the definition of an
      event in the Alarm Management Framework.

   I2NSF Record:  A record is defined as an item of information that is
      kept to be looked at and used in the future.  Typically, records
      are information generated by a system entity (e.g., NSF) based on
      operational and informational data (i.e., various changes in
      system characteristics), and are generated at particular instants
      to be kept without any changes afterward.  A set of records has an
      ordering in time based on when they were generated.  Unlike an
      I2NSF Event, records do not require immediate attention but may be
      useful for visibility and retroactive cyber forensics.  Records
      are typically stored in log files or databases on a system entity
      or NSF.  Examples of records include user activities, device
      performance, and network status.  They are important for
      debugging, auditing, and security forensics of a system entity or
      of the network containing the system entity.

   I2NSF Counter:  An I2NSF Counter is defined as a specific
      representation of an information element whose value changes very
      frequently.  Prominent examples are network interface counters for
      protocol data unit (PDU) amount, byte amount, drop counters, and
      error counters.  Other examples are integer approximations of
      continuous values, such as a processor temperature measured in
      tenths of a degree or the percentage of a disk that is used.
      Counters are useful for debugging and for visibility into the
      operational behavior of a system entity (e.g., NSF).  When an NSF
      data collector asks a system entity for the value of a counter,
      the system entity MUST update the counter and emit the latest
      value to the NSF data collector.
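   The retention and emission behavior described for the three kinds of
   monitoring information (an event is emitted as soon as it happens, a
   record is kept unchanged and emitted later in time order, a counter
   is refreshed on every query before its value is sent) can be sketched
   in code.  The following Python is an added example written for this
   page, not code from the draft or from any I2NSF implementation.  The
   class Nsf, its method names, and the constructed input in demo() are
   assumptions chosen for illustration; the NSF data collector is
   modeled as a plain callback rather than a NETCONF or RESTCONF
   session.

```python
"""Added example (not from the draft): how an NSF can retain and emit the
three kinds of I2NSF monitoring information of Section 4.1.
All names below are assumptions made for this illustration."""
from typing import Callable, Dict, List


class Nsf:
    """Minimal NSF that retains monitoring data locally and emits it to one
    collector callback (standing in for the NSF data collector)."""

    def __init__(self, collector: Callable[[dict], None],
                 read_counters: Callable[[], Dict[str, int]],
                 record_interval: float = 60.0) -> None:
        self.collector = collector            # where emitted messages go
        self.read_counters = read_counters    # reads live values from the data plane
        self.record_interval = record_interval
        self._records: List[dict] = []        # retained records, in generation order
        self._last_flush = 0.0
        self._counters: Dict[str, int] = {}   # last emitted counter values

    # I2NSF Event: an important occurrence that needs immediate attention.
    def raise_event(self, event_name: str, now: float, **fields) -> dict:
        msg = {"kind": "event", "event-name": event_name, "time": now, **fields}
        self.collector(msg)                   # unsolicited, emitted as it happens
        return msg

    # I2NSF Record: generated at an instant, kept unchanged, looked at later.
    def log_record(self, now: float, **fields) -> None:
        self._records.append({"kind": "record", "time": now, **fields})

    def flush_records(self, now: float) -> List[dict]:
        """Emit retained records as a batch once record_interval has elapsed;
        records are not urgent, so nothing is sent between flushes."""
        if now - self._last_flush < self.record_interval:
            return []
        batch, self._records = self._records, []
        self._last_flush = now
        for rec in batch:                     # preserves the time ordering
            self.collector(rec)
        return batch

    # I2NSF Counter: changes very frequently; on a query the NSF MUST update
    # the value before emitting it, so a stale cached value is never sent.
    def query_counter(self, name: str) -> int:
        self._counters.update(self.read_counters())
        value = self._counters[name]
        self.collector({"kind": "counter", "name": name, "value": value})
        return value


def demo() -> dict:
    """Drive one NSF with constructed input; returns what the collector saw."""
    received: List[dict] = []
    live = {"in-pkts": 100}                   # constructed data-plane counter

    nsf = Nsf(received.append, lambda: dict(live), record_interval=60.0)

    nsf.raise_event("memory-alarm", now=1.0, usage=95, threshold=90)
    events_after_alarm = len(received)        # event delivered at once -> 1

    nsf.log_record(now=2.0, user="alice", action="login")
    nsf.log_record(now=3.0, user="alice", action="logout")
    early = nsf.flush_records(now=30.0)       # interval not elapsed -> nothing
    late = nsf.flush_records(now=61.0)        # interval elapsed -> both records

    first = nsf.query_counter("in-pkts")      # 100
    live["in-pkts"] = 250                     # traffic arrives between queries
    second = nsf.query_counter("in-pkts")     # refreshed on query -> 250

    return {
        "events_after_alarm": events_after_alarm,
        "early_flush": len(early),
        "late_flush": len(late),
        "first_counter": first,
        "second_counter": second,
        "total_received": len(received),
    }


if __name__ == "__main__":
    print(demo())
```

   The point of the counter path is the refresh before emission: a
   collector that polls in-pkts twice sees 100 and then 250, never a
   cached 100, which is exactly the MUST in the counter definition
   above.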
   The retention of I2NSF monitoring information may be affected by the
   importance of the data.  The importance of the data can be context-
   dependent: it may not be based only on the type of data, but may
   also depend on where the NSF is deployed, e.g., in a test lab or
   testbed.  The local policy and configuration will dictate the
   policies and procedures used to review, archive, or purge the
   collected monitoring data.

   The I2NSF monitoring information retained on a system entity (e.g.,
   NSF) may be delivered to a corresponding I2NSF User via an NSF data
   collector.  The information consists of the aggregated records,
   typically in the form of log files or databases.  For the NSF
   Monitoring Interface to deliver the information to the NSF data
   collector, the NSF needs to support standardized delivery protocols,
   such as NETCONF [RFC6241] and RESTCONF [RFC8040].  The NSF data
   collector can forward the information to the I2NSF User through one
   of the standardized delivery protocols.  The interface for this
   delivery is out of the scope of this document.

4.2.  Notifications, Events, and Records

   A specific task of the I2NSF User is to process I2NSF Policy Rules.
   The rules of a policy are composed of three clauses: Event,
   Condition, and Action clauses.  In consequence, an I2NSF Event is
   specified to trigger the evaluation of the Condition clause of the
   I2NSF Policy Rule.  Such an I2NSF Event is defined as an important
   occurrence at a particular time in the system being managed, and/or
   in the environment of the system being managed, which aligns well
   with the generic definition of Event from [RFC3877].

   Another role of the I2NSF Event is to trigger a notification for
   monitoring the status of an NSF.  A notification is defined in
   [RFC3877] as an unsolicited transmission of management information.
   A system alarm (called an alarm) is defined in Section 6.1 as a
   warning related to service degradation in system hardware.  A system
   event (called an alert) is defined in Section 6.2 as a warning about
   configuration changes, access violations, and information about
   sessions and traffic flows.  Both an alarm and an alert are I2NSF
   Events that can be delivered as a notification.  The model
   illustrated in this document introduces a complementary type of
   information that can be conveyed in a notification.

   In I2NSF monitoring, a notification is used to deliver either an
   event or a record via the I2NSF Monitoring Interface.  The
   difference between an event and a record is the timing with which
   the notification is emitted.  An event is emitted as soon as it
   happens, in order to notify an NSF Data Collector of a problem that
   needs immediate attention.  A record is not emitted immediately to
   the NSF Data Collector; it can be emitted periodically, at a
   configured time interval.

   It is important to note that the NSF Data Collector, as the consumer
   (i.e., observer) of a notification, assesses the importance of the
   notification rather than the NSF, as the producer.  The producer can
   include metadata in a notification that supports the observer in
   assessing its importance (e.g., severity).

4.3.  Unsolicited Poll and Solicited Pull

   An important aspect of monitoring information is the freshness of
   the information.  From the perspective of security, it is important
   to know the current status of the network.  The I2NSF Monitoring
   Interface provides the means of sending monitored information from
   the NSFs to an NSF data collector in a timely manner.  The
   monitoring information can be acquired by a client (i.e., NSF data
   collector) from a server (i.e., NSF) by unsolicited poll or
   solicited pull.
   The solicited pull is a query-based method of obtaining information
   from the NSF.  In this method, the NSF remains passive until the
   information is requested by the NSF data collector.  Once a new
   request is accepted (with proper authentication), the NSF MUST update
   the information before sending it to the NSF data collector.

   The unsolicited poll is a report-based method of obtaining
   information from the NSF.  The report-based method ensures that the
   information can be delivered immediately, without any request.  This
   method is used by the NSF to actively provide information to the NSF
   data collector.  To receive the information, the NSF data collector
   subscribes to the NSF for the information.

   These acquisition methods are used for different types of monitoring
   information.  Information with a high level of urgency (i.e., I2NSF
   Event) should be provided with the unsolicited poll method, while
   information with a lower level of urgency (i.e., I2NSF Record and
   I2NSF Counter) can be provided with either the solicited pull method
   or the unsolicited poll method.

5.  Basic Information Model for Monitoring Data

   As explained in the section above, there is a wealth of data
   available from the NSF that can be monitored.  Firstly, each
   monitoring message sent from an NSF must carry some general
   information that helps a consumer identify the metadata associated
   with that message.  These fields are listed below:

   *  message: The extra detailed description of the NSF monitoring
      data, giving an NSF data collector context information as
      metadata.

   *  vendor-name: The name of the vendor of the NSF that generates the
      message.

   *  device-model: The model of the device, which can be represented
      by the device model name or serial number.  This field is used to
      identify the model of the device that provides the security
      service.
   *  software-version: The version of the software used to provide the
      security service.

   *  nsf-name: The name or IP address of the NSF generating the
      message.  If the given nsf-name is not an IP address, the name
      can be an arbitrary string, including an FQDN (Fully Qualified
      Domain Name).  The name MUST be unique in the scope of the
      management domain so that the NSF that generated the message can
      be distinguished from other NSFs.

   *  severity: The severity level of the message.  There are four
      levels in total, i.e., critical, high, middle, and low.

   *  timestamp: The time when the message is generated.  For the
      notification operations (i.e., System Alarms, System Events, NSF
      Events, System Logs, and NSF Logs), this is represented by the
      eventTime of the NETCONF event notification [RFC5277].  For other
      operations (i.e., System Counter and NSF Counter), the timestamp
      MUST be provided separately.

   *  language: Describes the human language intended for the user, so
      that a user can tell which language is used in the notification.
      This field is not mandatory, but it is required when the
      implementation provides more than one human language for the
      human-readable string fields.

6.  Extended Information Model for Monitoring Data

   The extended information model is the specific monitoring data that
   covers, on top of the basic information model, the additional
   information associated with the detailed status and performance of
   the network and the NSF.  The extended information combined with the
   basic information forms the monitoring information (i.e., I2NSF
   Event, Record, and Counter).

   The extended monitoring information has the following data
   collection characteristics:

   *  Acquisition method: The method used to obtain the message.  It
      can be a "query" or a "subscription".  A "query" is a request-
      based method that acquires solicited information.
      A "subscription" is a report-based method that acquires
      unsolicited information.

   *  Emission type: The cause for the message to be emitted.  It can be
      "on-change", "periodic", or "on-request".  An "on-change" message
      is emitted when an important event happens in the NSF.  A
      "periodic" message is emitted at a certain time interval; the
      interval is configurable.  An "on-request" message is emitted when
      the information is requested.

   *  Dampening type: The type of message dampening used to stop the
      rapid transmission of messages.  The dampening types are
      "on-repetition" and "no-dampening".  The "on-repetition" type
      limits the transmitted "on-change" messages to one message per
      interval (e.g., 1 second).  This interval is defined as the
      dampening-period in [RFC8641] and is configurable.  The
      "no-dampening" type does not limit the transmission of messages
      of the same type.  In short, "on-repetition" means that dampening
      is active and "no-dampening" means that it is inactive.  It is
      recommended to activate dampening for an "on-change" type of
      message to reduce the number of messages generated.

6.1.  System Alarms

   System alarms have the following characteristics:

   *  acquisition-method: subscription

   *  emission-type: on-change

   *  dampening-type: on-repetition or no-dampening

6.1.1.  Memory Alarm

   The memory is the hardware that stores information temporarily or
   for a short period, i.e., Random Access Memory (RAM).  The memory-
   alarm is emitted when the RAM usage exceeds the threshold.  The
   following information should be included in a Memory Alarm:

   *  event-name: memory-alarm.

   *  usage: Specifies the amount of memory used.

   *  threshold: The threshold triggering the alarm.

   *  severity: The severity level of the message.  There are four
      levels in total, i.e., critical, high, middle, and low.
   *  message: Simple information such as "The memory usage exceeded the
      threshold", possibly with extra information.

6.1.2.  CPU Alarm

   The CPU is the Central Processing Unit that executes the basic
   operations of the system.  The cpu-alarm is emitted when the CPU
   usage exceeds the threshold.  The following information should be
   included in a CPU Alarm:

   *  event-name: cpu-alarm.

   *  usage: Specifies the CPU utilization.

   *  threshold: The threshold triggering the event.

   *  severity: The severity level of the message.  There are four
      levels in total, i.e., critical, high, middle, and low.

   *  message: Simple information such as "The CPU usage exceeded the
      threshold", possibly with extra information.

6.1.3.  Disk Alarm

   The disk is the hardware that stores information for a long period,
   i.e., a Hard Disk or Solid-State Drive.  The disk-alarm is emitted
   when the disk usage exceeds the threshold.  The following
   information should be included in a Disk Alarm:

   *  event-name: disk-alarm.

   *  usage: Specifies the amount of disk space used.

   *  threshold: The threshold triggering the event.

   *  severity: The severity level of the message.  There are four
      levels in total, i.e., critical, high, middle, and low.

   *  message: Simple information such as "The disk usage exceeded the
      threshold", possibly with extra information.

6.1.4.  Hardware Alarm

   The hardware-alarm is emitted when a problem with a hardware
   component (e.g., CPU, memory, disk, or interface) is detected.  The
   following information should be included in a Hardware Alarm:

   *  event-name: hardware-alarm.

   *  component-name: Indicates the hardware component responsible for
      generating this alarm.

   *  severity: The severity level of the message.  There are four
      levels in total, i.e., critical, high, middle, and low.

   *  message: Simple information such as "The hardware component has
      failed or degraded", possibly with extra information.

6.1.5.  Interface Alarm

   An interface is the network interface connecting a device with the
   network.  The interface-alarm is emitted when the state of the
   interface changes.  The following information should be included in
   an Interface Alarm:

   *  event-name: interface-alarm.

   *  interface-name: The name of the interface.

   *  interface-state: down, up (not congested), or congested (up but
      congested).

   *  severity: The severity level of the message.  There are four
      levels in total, i.e., critical, high, middle, and low.

   *  message: Simple information such as "The interface is
      'interface-state'", possibly with extra information.

6.2.  System Events

   System events (as alerts) have the following characteristics:

   *  acquisition-method: subscription

   *  emission-type: on-change

   *  dampening-type: on-repetition or no-dampening

6.2.1.  Access Violation

   The access-violation system event is emitted when a user tries to
   access (read, write, create, or delete) any information or execute
   commands beyond their privilege.  The following information should
   be included in this event:

   *  event-name: access-violation.

   *  identity: The information identifying the attempted access
      violation.  The minimum information (extensible) that should be
      included is:

      1.  user: The unique username that attempted the access
          violation.

      2.  group: The group(s) to which the user belongs.  A user can
          belong to multiple groups.

      3.  ip-address: The IP address of the user that triggered the
          event.

      4.  port-number: The port number used by the user.

   *  authentication: The method used to verify the user, i.e., pre-
      configured-key or certificate-authority.

   *  message: The message giving the context of the event, such as
      "Access is denied".

6.2.2.  Configuration Change

   A configuration change is a system event emitted when a new
   configuration is added or an existing configuration is modified.
   The following information should be included in this event:

   *  event-name: configuration-change.

   *  identity: The information identifying the user that made the
      configuration change.  The minimum information (extensible) that
      should be included is:

      1.  user: The unique username that changed the configuration.

      2.  group: The group(s) to which the user belongs.  A user can
          belong to multiple groups.

      3.  ip-address: The IP address of the user that triggered the
          event.

      4.  port-number: The port number used by the user.

   *  authentication: The method used to verify the user, i.e., pre-
      configured-key or certificate-authority.

   *  message: The message giving the context of the event, such as
      "Configuration is modified", "New configuration is added", or "A
      configuration has been removed".

   *  changes: Describes the modification that was made to the
      configuration.  The minimum information that must be provided is
      the name of the policy that was altered (added, modified, or
      removed).  Other detailed information about the configuration
      change is up to the implementation.

6.2.3.  Session Table Event

   A Session Table Event is an event triggered by the session table of
   an NSF.  A session table holds the information of the currently
   active sessions.  The following information should be included in a
   Session Table Event:

   *  event-name: detection-session-table.

   *  current-session: The number of concurrent sessions.

   *  maximum-session: The maximum number of sessions that the session
      table can support.

   *  threshold: The threshold triggering the event.

   *  message: The message giving the context of the event, such as
      "The number of sessions exceeded the threshold".

6.2.4.  Traffic Flows

   Traffic flows need to be monitored because they might be used for
   security attacks on the network.  The following information should
   be included in this event:

   *  event-name: traffic-flows.
674 * src-ip: The source IPv4 or IPv6 address of the traffic flow. 676 * dst-ip: The destination IPv4 or IPv6 address of the traffic flow. 678 * src-port: The source port of the traffic flow. 680 * dst-port: The destination port of the traffic flow. 682 * protocol: The protocol of the traffic flow. 684 * arrival-rate: Arrival rate of packets of the traffic flow in 685 packet per second. 687 * arrival-speed: Arrival rate of packets of the traffic flow in 688 bytes per second. 690 6.3. NSF Events 692 NSF events have the following characteristics: 694 * acquisition-method: subscription 696 * emission-type: on-change 698 * dampening-type: on-repetition or no-dampening 700 6.3.1. DDoS Detection 702 The following information should be included in a DDoS Event: 704 * event-name: detection-ddos. 706 * attack-type: The type of DDoS Attack, i.e., SYN flood, ACK flood, 707 SYN-ACK flood, FIN/RST flood, TCP Connection flood, UDP flood, 708 ICMP flood, HTTPS flood, HTTP flood, DNS query flood, DNS reply 709 flood, SIP flood, SSL flood, and NTP amplification flood. This 710 can be extended with additional types of DDoS attack. 712 * attack-src-ip: The IP address of the source of the DDoS attack. 714 * attack-dst-ip: The network prefix with a network mask (for IPv4) 715 or prefix length (for IPv6) of a victim under DDoS attack. 717 * dst-port: The port number that the attack traffic aims at. 719 * start-time: The time stamp indicating when the attack started. 721 * end-time: The time stamp indicating when the attack ended. If the 722 attack is still undergoing when sending out the notification, this 723 field can be empty. 725 * attack-rate: The packets per second of attack traffic. 727 * attack-speed: The bytes per second of attack traffic. 729 * rule-name: The name of the I2NSF Policy Rule being triggered. 730 Note that rule-name is used to match a detected NSF event with a 731 policy rule in [I-D.ietf-i2nsf-nsf-facing-interface-dm]. 733 6.3.2. 
Virus Event 735 This information is used when a virus is detected within the traffic 736 flow or inside the host. The following information should be 737 included in a Virus Event: 739 * event-name: detection-virus. 741 * virus-name: Name of the virus. 743 * virus-type: Type of the virus. e.g., trojan, worm, macro virus 744 type. 746 * dst-ip: The destination IP address of the flow where the virus is 747 found. This is used when the virus is detected within the traffic 748 flow. 750 * src-ip: The source IP address of the flow where the virus is 751 found. This is used when the virus is detected within the traffic 752 flow. 754 * src-port: The source port of the flow where the virus is found. 755 This is used when the virus is detected within the traffic flow. 757 * dst-port: The destination port of the flow where the virus is 758 found. This is used when the virus is detected within the traffic 759 flow. 761 * src-location: The geographical location (e.g., country and city) 762 of the src-ip field. This is used when the virus is detected 763 within the traffic flow. 765 * dst-location: The geographical location (e.g., country and city) 766 of the dst-ip field. This is used when the virus is detected 767 within the traffic flow. 769 * host: The name or IP address of the host/device that is infected 770 by the virus. This is used when the virus is detected within a 771 host system. If the given name is not IP address, the name can be 772 an arbitrary string including FQDN (Fully Qualified Domain Name). 773 The name MUST be unique in the scope of management domain for 774 identifying the device that has been infected with a virus. 776 * os: The operating system of the host that has the virus. This is 777 used when the virus is detected within a host system. 779 * file-type: The type of the file where the virus is hidden. This 780 is used when the virus is detected within a host system. 782 * file-name: The name of the file where the virus is hidden. 
This 783 is used when the virus is detected within a host system. 785 * rule-name: The name of the rule being triggered. 787 6.3.3. Intrusion Event 789 The following information should be included in an Intrusion Event: 791 * event-name: detection-intrusion. 793 * attack-type: Attack type, e.g., brutal force and buffer overflow. 795 * src-ip: The source IP address of the flow. 797 * dst-ip: The destination IP address of the flow. 799 * src-port:The source port number of the flow. 801 * dst-port: The destination port number of the flow 803 * src-location: The source geographical location (e.g., country and 804 city) of the src-ip field. 806 * dst-location: The destination geographical location (e.g., country 807 and city) of the dst-ip field. 809 * protocol: The employed transport layer protocol. e.g., TCP and 810 UDP. 812 * app: The employed application layer protocol. e.g., HTTP and FTP. 814 * rule-name: The name of the I2NSF Policy Rule being triggered. 816 6.3.4. Web Attack Event 818 The following information should be included in a Web Attack Alarm: 820 * event-name: detection-web-attack. 822 * attack-type: Concrete web attack type. e.g., SQL injection, 823 command injection, XSS, CSRF. 825 * src-ip: The source IP address of the packet. 827 * dst-ip: The destination IP address of the packet. 829 * src-port: The source port number of the packet. 831 * dst-port: The destination port number of the packet. 833 * src-location: The source geographical location (e.g., country and 834 city) of the src-ip field. 836 * dst-location: The destination geographical location (e.g., country 837 and city) of the dst-ip field. 839 * req-method: The HTTP method of the request. For instance, "PUT" 840 and "GET" in HTTP. 842 * req-target: The HTTP Request Target. 844 * response-code: The HTTP Response status code. 846 * req-user-agent: The HTTP User-Agent header field of the request. 848 * cookies: The HTTP Cookie header field of the request from the user 849 agent. 
851 * req-host: The HTTP Host header field of the request. 853 * filtering-type: URL filtering type. e.g., deny-list, allow-list, 854 and unknown. 856 * rule-name: The name of the I2NSF Policy Rule being triggered. 858 6.3.5. VoIP/VoLTE Event 860 The following information should be included in a VoIP/VoLTE Event: 862 * event-name: detection-voip-volte 864 * source-voice-id: The detected source voice Call ID for VoIP and 865 VoLTE that violates the policy. 867 * destination-voice-id: The destination voice Call ID for VoIP and 868 VoLTE that violates the policy. 870 * user-agent: The user agent for VoIP and VoLTE that violates the 871 policy. 873 * src-ip: The source IP address of the VoIP/VoLTE. 875 * dst-ip: The destination IP address of the VoIP/VoLTE. 877 * src-port: The source port number of the VoIP/VoLTE. 879 * dst-port: The destination port number of VoIP/VoLTE. 881 * src-location: The source geographical location (e.g., country and 882 city) of the src-ip field. 884 * dst-location: The destination geographical location (e.g., country 885 and city) of the dst-ip field. 887 * rule-name: The name of the I2NSF Policy Rule being triggered. 889 6.4. System Logs 891 System log is a record that is used to monitor the activity of the 892 user on the NSF and the status of the NSF. System logs have the 893 following characteristics: 895 * acquisition-method: subscription or query 897 * emission-type: on-change, periodic, or on-request 899 * dampening-type: on-repetition or no-dampening 901 6.4.1. Access Log 903 Access logs record administrators' login, logout, and operations on a 904 device. By analyzing them, security vulnerabilities can be 905 identified. The following information should be included in an 906 operation report: 908 * identity: The information to identify the user. The minimum 909 information (extensible) that should be included: 911 1. user: The unique username that attempted access violation. 913 2. group: Group(s) to which a user belongs. 
A user can belong to 914 multiple groups. 916 3. ip-address: The IP address of the user that triggered the 917 event. 919 4. port-number: The port number used by the user. 921 * authentication: The method to verify the valid user, i.e., pre- 922 configured-key and certificate-authority. 924 * operation-type: The operation type that the administrator execute, 925 e.g., login, logout, configuration, and other. 927 * input: The operation performed by a user after login. The 928 operation is a command given by a user. 930 * output: The result after executing the input. 932 6.4.2. Resource Utilization Log 934 Running reports record the device system's running status, which is 935 useful for device monitoring. The following information should be 936 included in running report: 938 * system-status: The current system's running status. 940 * cpu-usage: Specifies the aggregated CPU usage. 942 * memory-usage: Specifies the memory usage. 944 * disk-id: Specifies the disk ID to identify the storage disk. 946 * disk-usage: Specifies the disk usage of disk-id. 948 * disk-left: Specifies the available disk space left of disk-id. 950 * session-number: Specifies total concurrent sessions. 952 * process-number: Specifies total number of systems processes. 954 * interface-id: Specifies the interface ID to identify the network 955 interface. 957 * in-traffic-rate: The total inbound traffic rate in packets per 958 second. 960 * out-traffic-rate: The total outbound traffic rate in packets per 961 second. 963 * in-traffic-speed: The total inbound traffic speed in bytes per 964 second. 966 * out-traffic-speed: The total outbound traffic speed in bytes per 967 second. 969 6.4.3. User Activity Log 971 User activity logs provide visibility into users' online records 972 (such as login time, online/lockout duration, and login IP addresses) 973 and the actions that users perform. 
   User activity reports are helpful to identify exceptions during a
   user's login and network access activities.  The following
   information should be included in a user activity log:

   *  identity: The information to identify the user.  The minimum
      information (extensible) that should be included:

      1.  user: The unique username of the user whose activity is
          recorded.

      2.  group: Group(s) to which the user belongs.  A user can belong
          to multiple groups.

      3.  ip-address: The IP address of the user that triggered the
          event.

      4.  port-number: The port number used by the user.

   *  authentication: The method used to verify the user, i.e., pre-
      configured-key or certificate-authority.

   *  online-duration: The duration of a user's activeness (stays
      logged in) during a session.

   *  logout-duration: The duration of a user's inactiveness (not
      logged in) since the last session.

   *  additional-info: Additional information for login:

      1.  type: User activities, e.g., Successful User Login, Failed
          Login Attempts, User Logout, Successful User Password Change,
          Failed User Password Change, User Lockout, and User
          Unlocking.

      2.  cause: Cause of a failed user activity.

6.5.  NSF Logs

   NSF logs have the following characteristics:

   *  acquisition-method: subscription or query

   *  emission-type: on-change or on-request

   *  dampening-type: on-repetition or no-dampening

6.5.1.  Deep Packet Inspection Log

   Deep Packet Inspection (DPI) logs provide statistics on uploaded and
   downloaded files and data, sent and received emails, and alert and
   blocking records on websites.  They are helpful to learn risky user
   behaviors and why access to some URLs is blocked or allowed with an
   alert record.

   *  attack-type: DPI action types, e.g., File Blocking, Data
      Filtering, and Application Behavior Control.

   *  src-user: The name of the I2NSF User who created the policy.

   *  policy-name: Security policy name that the traffic matches.

   *  action: Action defined in the file blocking rule, data filtering
      rule, or application behavior control rule that the traffic
      matches.

6.6.  System Counter

   System counters have the following characteristics:

   *  acquisition-method: subscription or query

   *  emission-type: periodic or on-request

   *  dampening-type: no-dampening

6.6.1.  Interface Counter

   Interface counters provide visibility into traffic into and out of
   an NSF, and bandwidth usage.  The statistics of the interface
   counters should be computed from the start of the service.  When
   the service is reset, the computation of statistics per counter
   should restart from 0.

   *  interface-name: Network interface name configured in the NSF.

   *  in-total-traffic-pkts: Total inbound packets.

   *  out-total-traffic-pkts: Total outbound packets.

   *  in-total-traffic-bytes: Total inbound bytes.

   *  out-total-traffic-bytes: Total outbound bytes.

   *  in-drop-traffic-pkts: Total inbound dropped packets.

   *  out-drop-traffic-pkts: Total outbound dropped packets.

   *  in-drop-traffic-bytes: Total inbound dropped bytes.

   *  out-drop-traffic-bytes: Total outbound dropped bytes.

   *  in-traffic-average-rate: Inbound traffic average rate in packets
      per second.

   *  in-traffic-peak-rate: Inbound traffic peak rate in packets per
      second.

   *  in-traffic-average-speed: Inbound traffic average speed in bytes
      per second.

   *  in-traffic-peak-speed: Inbound traffic peak speed in bytes per
      second.

   *  out-traffic-average-rate: Outbound traffic average rate in
      packets per second.

   *  out-traffic-peak-rate: Outbound traffic peak rate in packets per
      second.

   *  out-traffic-average-speed: Outbound traffic average speed in
      bytes per second.

   *  out-traffic-peak-speed: Outbound traffic peak speed in bytes per
      second.

   *  discontinuity-time: The time on the most recent occasion at which
      any one or more of the counters suffered a discontinuity.  If no
      such discontinuities have occurred since the last re-
      initialization of the local management subsystem, then this node
      contains the time the local management subsystem was re-
      initialized.

6.7.  NSF Counters

   NSF counters have the following characteristics:

   *  acquisition-method: subscription or query

   *  emission-type: periodic or on-request

   *  dampening-type: no-dampening

6.7.1.  Firewall Counter

   Firewall counters provide visibility into traffic signatures,
   bandwidth usage, and how the configured security and bandwidth
   policies have been applied.

   *  src-ip: Source IP address of the traffic.

   *  src-user: The name of the I2NSF User who created the policy.

   *  dst-ip: Destination IP address of the traffic.

   *  src-port: Source port of the traffic.

   *  dst-port: Destination port of the traffic.

   *  protocol: Protocol type of the traffic.

   *  app: Application type of the traffic.

   *  policy-id: Security policy ID that the traffic matches.

   *  policy-name: Security policy name that the traffic matches.

   *  in-interface: Inbound interface of the traffic.

   *  out-interface: Outbound interface of the traffic.

   *  total-traffic: Total traffic volume.

   *  in-traffic-average-rate: Inbound traffic average rate in packets
      per second.

   *  in-traffic-peak-rate: Inbound traffic peak rate in packets per
      second.

   *  in-traffic-average-speed: Inbound traffic average speed in bytes
      per second.

   *  in-traffic-peak-speed: Inbound traffic peak speed in bytes per
      second.

   *  out-traffic-average-rate: Outbound traffic average rate in
      packets per second.

   *  out-traffic-peak-rate: Outbound traffic peak rate in packets per
      second.

   *  out-traffic-average-speed: Outbound traffic average speed in
      bytes per second.

   *  out-traffic-peak-speed: Outbound traffic peak speed in bytes per
      second.

   *  discontinuity-time: The time on the most recent occasion at which
      any one or more of the counters suffered a discontinuity.  If no
      such discontinuities have occurred since the last re-
      initialization of the local management subsystem, then this node
      contains the time the local management subsystem was re-
      initialized.

6.7.2.  Policy Hit Counter

   Policy hit counters record the security policy that traffic matches
   and its hit count.  They can be used to check whether policy
   configurations are correct.

   *  src-ip: Source IP address of the traffic.

   *  src-user: The name of the I2NSF User who created the policy.

   *  dst-ip: Destination IP address of the traffic.

   *  src-port: Source port of the traffic.

   *  dst-port: Destination port of the traffic.

   *  protocol: Protocol type of the traffic.

   *  app: Application type of the traffic.

   *  policy-id: Security policy ID that the traffic matches.

   *  policy-name: Security policy name that the traffic matches.

   *  hit-times: The number of times that the security policy matches
      the specified traffic.

   *  discontinuity-time: The time on the most recent occasion at which
      any one or more of the counters suffered a discontinuity.  If no
      such discontinuities have occurred since the last re-
      initialization of the local management subsystem, then this node
      contains the time the local management subsystem was re-
      initialized.

7.  YANG Tree Structure of NSF Monitoring YANG Module

   The tree structure of the NSF monitoring YANG module is provided
   below:

   module: ietf-i2nsf-nsf-monitoring
     +--ro i2nsf-counters
     |  +--ro language?                        string
     |  +--ro system-interface* [interface-name]
     |  |  +--ro acquisition-method?           identityref
     |  |  +--ro emission-type?                identityref
     |  |  +--ro dampening-type?               identityref
     |  |  +--ro interface-name                if:interface-ref
     |  |  +--ro in-total-traffic-pkts?        yang:counter64
     |  |  +--ro out-total-traffic-pkts?       yang:counter64
     |  |  +--ro in-total-traffic-bytes?       uint64
     |  |  +--ro out-total-traffic-bytes?      uint64
     |  |  +--ro in-drop-traffic-pkts?         yang:counter64
     |  |  +--ro out-drop-traffic-pkts?        yang:counter64
     |  |  +--ro in-drop-traffic-bytes?        uint64
     |  |  +--ro out-drop-traffic-bytes?       uint64
     |  |  +--ro discontinuity-time            yang:date-and-time
     |  |  +--ro total-traffic?                yang:counter64
     |  |  +--ro in-traffic-average-rate?      uint32
     |  |  +--ro in-traffic-peak-rate?         uint32
     |  |  +--ro in-traffic-average-speed?     uint64
     |  |  +--ro in-traffic-peak-speed?        uint64
     |  |  +--ro out-traffic-average-rate?     uint32
     |  |  +--ro out-traffic-peak-rate?        uint32
     |  |  +--ro out-traffic-average-speed?    uint64
     |  |  +--ro out-traffic-peak-speed?       uint64
     |  |  +--ro message?                      string
     |  |  +--ro vendor-name?                  string
     |  |  +--ro nsf-name?                     union
     |  |  +--ro severity?                     severity
     |  |  +--ro timestamp?                    yang:date-and-time
     |  +--ro nsf-firewall* [policy-name]
     |  |  +--ro acquisition-method?           identityref
     |  |  +--ro emission-type?                identityref
     |  |  +--ro dampening-type?               identityref
     |  |  +--ro policy-name
     |  |  |       -> /nsfintf:i2nsf-security-policy/name
     |  |  +--ro src-user?                     string
     |  |  +--ro discontinuity-time            yang:date-and-time
     |  |  +--ro total-traffic?                yang:counter64
     |  |  +--ro in-traffic-average-rate?      uint32
     |  |  +--ro in-traffic-peak-rate?         uint32
     |  |  +--ro in-traffic-average-speed?     uint64
     |  |  +--ro in-traffic-peak-speed?        uint64
     |  |  +--ro out-traffic-average-rate?     uint32
     |  |  +--ro out-traffic-peak-rate?        uint32
     |  |  +--ro out-traffic-average-speed?    uint64
     |  |  +--ro out-traffic-peak-speed?       uint64
     |  |  +--ro message?                      string
     |  |  +--ro vendor-name?                  string
     |  |  +--ro nsf-name?                     union
     |  |  +--ro severity?                     severity
     |  |  +--ro timestamp?                    yang:date-and-time
     |  +--ro nsf-policy-hits* [policy-name]
     |     +--ro acquisition-method?           identityref
     |     +--ro emission-type?                identityref
     |     +--ro dampening-type?               identityref
     |     +--ro policy-name
     |     |       -> /nsfintf:i2nsf-security-policy/name
     |     +--ro src-user?                     string
     |     +--ro message?                      string
     |     +--ro vendor-name?                  string
     |     +--ro nsf-name?                     union
     |     +--ro severity?                     severity
     |     +--ro discontinuity-time            yang:date-and-time
     |     +--ro hit-times?                    yang:counter64
     |     +--ro timestamp?                    yang:date-and-time
     +--rw i2nsf-monitoring-configuration
        +--rw i2nsf-system-detection-alarm
        |  +--rw enabled?                      boolean
        |  +--rw system-alarm* [alarm-type]
        |     +--rw alarm-type                 enumeration
        |     +--rw threshold?                 uint8
        |     +--rw dampening-period?          uint32
        +--rw i2nsf-system-detection-event
        |  +--rw enabled?                      boolean
        |  +--rw dampening-period?             uint32
        +--rw i2nsf-traffic-flows
        |  +--rw dampening-period?             uint32
        |  +--rw enabled?                      boolean
        +--rw i2nsf-nsf-detection-ddos {i2nsf-nsf-detection-ddos}?
        |  +--rw enabled?                      boolean
        |  +--rw dampening-period?             uint32
        +--rw i2nsf-nsf-detection-session-table
        |  +--rw enabled?                      boolean
        |  +--rw dampening-period?             uint32
        +--rw i2nsf-nsf-detection-intrusion
        |        {i2nsf-nsf-detection-intrusion}?
        |  +--rw enabled?                      boolean
        |  +--rw dampening-period?             uint32
        +--rw i2nsf-nsf-detection-web-attack
        |        {i2nsf-nsf-detection-web-attack}?
        |  +--rw enabled?                      boolean
        |  +--rw dampening-period?             uint32
        +--rw i2nsf-nsf-system-access-log
        |  +--rw enabled?                      boolean
        |  +--rw dampening-period?             uint32
        +--rw i2nsf-system-res-util-log
        |  +--rw enabled?                      boolean
        |  +--rw dampening-period?             uint32
        +--rw i2nsf-system-user-activity-log
        |  +--rw enabled?                      boolean
        |  +--rw dampening-period?             uint32
        +--rw i2nsf-nsf-log-dpi {i2nsf-nsf-log-dpi}?
        |  +--rw enabled?                      boolean
        |  +--rw dampening-period?             uint32
        +--rw i2nsf-counter
           +--rw period?                       uint16

   notifications:
     +---n i2nsf-event
     |  +--ro language?                        string
     |  +--ro (sub-event-type)?
     |     +--:(i2nsf-system-detection-alarm)
     |     |  +--ro i2nsf-system-detection-alarm
     |     |     +--ro alarm-category?         identityref
     |     |     +--ro component-name?         string
     |     |     +--ro interface-name?         if:interface-ref
     |     |     +--ro interface-state?        enumeration
     |     |     +--ro acquisition-method?     identityref
     |     |     +--ro emission-type?          identityref
     |     |     +--ro dampening-type?         identityref
     |     |     +--ro usage?                  uint8
     |     |     +--ro threshold?              uint8
     |     |     +--ro message?                string
     |     |     +--ro vendor-name?            string
     |     |     +--ro nsf-name?               union
     |     |     +--ro severity?               severity
     |     +--:(i2nsf-system-detection-event)
     |     |  +--ro i2nsf-system-detection-event
     |     |     +--ro event-category?         identityref
     |     |     +--ro acquisition-method?     identityref
     |     |     +--ro emission-type?          identityref
     |     |     +--ro dampening-type?         identityref
     |     |     +--ro user                    string
     |     |     +--ro group*                  string
     |     |     +--ro ip-address              inet:ip-address-no-zone
     |     |     +--ro port-number             inet:port-number
     |     |     +--ro authentication?         identityref
     |     |     +--ro message?                string
     |     |     +--ro vendor-name?            string
     |     |     +--ro nsf-name?               union
     |     |     +--ro severity?               severity
     |     |     +--ro changes* [policy-name]
     |     |        +--ro policy-name
     |     |                -> /nsfintf:i2nsf-security-policy/name
     |     +--:(i2nsf-traffic-flows)
     |     |  +--ro i2nsf-traffic-flows
     |     |     +--ro src-ip?                 inet:ip-address-no-zone
     |     |     +--ro dst-ip?                 inet:ip-address-no-zone
     |     |     +--ro protocol?               identityref
     |     |     +--ro src-port?               inet:port-number
     |     |     +--ro dst-port?               inet:port-number
     |     |     +--ro arrival-rate?           uint32
     |     |     +--ro arrival-speed?          uint32
     |     |     +--ro acquisition-method?     identityref
     |     |     +--ro emission-type?          identityref
     |     |     +--ro dampening-type?         identityref
     |     |     +--ro message?                string
     |     |     +--ro vendor-name?            string
     |     |     +--ro nsf-name?               union
     |     |     +--ro severity?               severity
     |     +--:(i2nsf-nsf-detection-session-table)
     |        +--ro i2nsf-nsf-detection-session-table
     |           +--ro current-session?        uint32
     |           +--ro maximum-session?        uint32
     |           +--ro threshold?              uint32
     |           +--ro message?                string
     |           +--ro vendor-name?            string
     |           +--ro nsf-name?               union
     |           +--ro severity?               severity
     +---n i2nsf-log
     |  +--ro language?                        string
     |  +--ro (sub-logs-type)?
     |     +--:(i2nsf-nsf-system-access-log)
     |     |  +--ro i2nsf-nsf-system-access-log
     |     |     +--ro user                    string
     |     |     +--ro group*                  string
     |     |     +--ro ip-address              inet:ip-address-no-zone
     |     |     +--ro port-number             inet:port-number
     |     |     +--ro authentication?         identityref
     |     |     +--ro operation-type?         operation-type
     |     |     +--ro input?                  string
     |     |     +--ro output?                 string
     |     |     +--ro acquisition-method?     identityref
     |     |     +--ro emission-type?          identityref
     |     |     +--ro dampening-type?         identityref
     |     |     +--ro message?                string
     |     |     +--ro vendor-name?            string
     |     |     +--ro nsf-name?               union
     |     |     +--ro severity?               severity
     |     +--:(i2nsf-system-res-util-log)
     |     |  +--ro i2nsf-system-res-util-log
     |     |     +--ro system-status?          enumeration
     |     |     +--ro cpu-usage?              uint8
     |     |     +--ro memory-usage?           uint8
     |     |     +--ro disk* [disk-id]
     |     |     |  +--ro disk-id              string
     |     |     |  +--ro disk-usage?          uint8
     |     |     |  +--ro disk-left?           uint8
     |     |     +--ro session-num?            uint32
     |     |     +--ro process-num?            uint32
     |     |     +--ro interface* [interface-id]
     |     |     |  +--ro interface-id         string
     |     |     |  +--ro in-traffic-rate?     uint32
     |     |     |  +--ro out-traffic-rate?    uint32
     |     |     |  +--ro in-traffic-speed?    uint64
     |     |     |  +--ro out-traffic-speed?   uint64
     |     |     +--ro acquisition-method?     identityref
     |     |     +--ro emission-type?          identityref
     |     |     +--ro dampening-type?         identityref
     |     |     +--ro message?                string
     |     |     +--ro vendor-name?            string
     |     |     +--ro nsf-name?               union
     |     |     +--ro severity?               severity
     |     +--:(i2nsf-system-user-activity-log)
     |     |  +--ro i2nsf-system-user-activity-log
     |     |     +--ro acquisition-method?     identityref
     |     |     +--ro emission-type?          identityref
     |     |     +--ro dampening-type?         identityref
     |     |     +--ro user                    string
     |     |     +--ro group*                  string
     |     |     +--ro ip-address              inet:ip-address-no-zone
     |     |     +--ro port-number             inet:port-number
     |     |     +--ro authentication?         identityref
     |     |     +--ro message?                string
     |     |     +--ro vendor-name?            string
     |     |     +--ro nsf-name?               union
     |     |     +--ro severity?               severity
     |     |     +--ro online-duration?        uint32
     |     |     +--ro logout-duration?        uint32
     |     |     +--ro additional-info?        enumeration
     |     +--:(i2nsf-nsf-log-dpi) {i2nsf-nsf-log-dpi}?
     |        +--ro i2nsf-nsf-log-dpi
     |           +--ro attack-type?            dpi-type
     |           +--ro acquisition-method?     identityref
     |           +--ro emission-type?          identityref
     |           +--ro dampening-type?         identityref
     |           +--ro policy-name
     |           |       -> /nsfintf:i2nsf-security-policy/name
     |           +--ro src-user?               string
     |           +--ro message?                string
     |           +--ro vendor-name?            string
     |           +--ro nsf-name?               union
     |           +--ro severity?               severity
     +---n i2nsf-nsf-event
        +--ro (sub-event-type)?
           +--:(i2nsf-nsf-detection-ddos) {i2nsf-nsf-detection-ddos}?
           |  +--ro i2nsf-nsf-detection-ddos
           |     +--ro attack-type?            identityref
           |     +--ro start-time              yang:date-and-time
           |     +--ro end-time?               yang:date-and-time
           |     +--ro attack-src-ip*          inet:ip-address-no-zone
           |     +--ro attack-dst-ip*          inet:ip-address-no-zone
           |     +--ro attack-src-port*        inet:port-number
           |     +--ro attack-dst-port*        inet:port-number
           |     +--ro rule-name
           |     |       -> /nsfintf:i2nsf-security-policy/rules/name
           |     +--ro attack-rate?            uint32
           |     +--ro attack-speed?           uint64
           |     +--ro action*                 log-action
           |     +--ro acquisition-method?     identityref
           |     +--ro emission-type?          identityref
           |     +--ro dampening-type?         identityref
           |     +--ro message?                string
           |     +--ro vendor-name?            string
           |     +--ro nsf-name?               union
           |     +--ro severity?               severity
           +--:(i2nsf-nsf-detection-virus)
           |        {i2nsf-nsf-detection-virus}?
           |  +--ro i2nsf-nsf-detection-virus
           |     +--ro dst-ip?                 inet:ip-address-no-zone
           |     +--ro dst-port?               inet:port-number
           |     +--ro rule-name
           |     |       -> /nsfintf:i2nsf-security-policy/rules/name
           |     +--ro src-ip?                 inet:ip-address-no-zone
           |     +--ro src-port?               inet:port-number
           |     +--ro src-location?           string
           |     +--ro dst-location?           string
           |     +--ro virus-name?             string
           |     +--ro virus-type?             identityref
           |     +--ro host?                   union
           |     +--ro file-type?              string
           |     +--ro file-name?              string
           |     +--ro os?                     string
           |     +--ro action*                 log-action
           |     +--ro acquisition-method?     identityref
           |     +--ro emission-type?          identityref
           |     +--ro dampening-type?         identityref
           |     +--ro message?                string
           |     +--ro vendor-name?            string
           |     +--ro nsf-name?               union
           |     +--ro severity?               severity
           +--:(i2nsf-nsf-detection-intrusion)
           |        {i2nsf-nsf-detection-intrusion}?
           |  +--ro i2nsf-nsf-detection-intrusion
           |     +--ro dst-ip?                 inet:ip-address-no-zone
           |     +--ro dst-port?               inet:port-number
           |     +--ro rule-name
           |     |       -> /nsfintf:i2nsf-security-policy/rules/name
           |     +--ro src-ip?                 inet:ip-address-no-zone
           |     +--ro src-port?               inet:port-number
           |     +--ro src-location?           string
           |     +--ro dst-location?           string
           |     +--ro protocol?               identityref
           |     +--ro app?                    identityref
           |     +--ro attack-type?            identityref
           |     +--ro action*                 log-action
           |     +--ro attack-rate?            uint32
           |     +--ro attack-speed?           uint64
           |     +--ro acquisition-method?     identityref
           |     +--ro emission-type?          identityref
           |     +--ro dampening-type?         identityref
           |     +--ro message?                string
           |     +--ro vendor-name?            string
           |     +--ro nsf-name?               union
           |     +--ro severity?               severity
           +--:(i2nsf-nsf-detection-web-attack)
           |        {i2nsf-nsf-detection-web-attack}?
           |  +--ro i2nsf-nsf-detection-web-attack
           |     +--ro dst-ip?                 inet:ip-address-no-zone
           |     +--ro dst-port?               inet:port-number
           |     +--ro rule-name
           |     |       -> /nsfintf:i2nsf-security-policy/rules/name
           |     +--ro src-ip?                 inet:ip-address-no-zone
           |     +--ro src-port?               inet:port-number
           |     +--ro src-location?           string
           |     +--ro dst-location?           string
           |     +--ro attack-type?            identityref
           |     +--ro req-method?             identityref
           |     +--ro req-target?             string
           |     +--ro filtering-type*         identityref
           |     +--ro req-user-agent?         string
           |     +--ro cookie?                 string
           |     +--ro req-host?               string
           |     +--ro response-code?          string
           |     +--ro acquisition-method?     identityref
           |     +--ro emission-type?          identityref
           |     +--ro dampening-type?         identityref
           |     +--ro action*                 log-action
           |     +--ro message?                string
           |     +--ro vendor-name?            string
           |     +--ro nsf-name?               union
           |     +--ro severity?               severity
           +--:(i2nsf-nsf-detection-voip-volte)
                    {i2nsf-nsf-detection-voip-volte}?
              +--ro i2nsf-nsf-detection-voip-volte
                 +--ro dst-ip?                 inet:ip-address-no-zone
                 +--ro dst-port?               inet:port-number
                 +--ro rule-name
                 |       -> /nsfintf:i2nsf-security-policy/rules/name
                 +--ro src-ip?                 inet:ip-address-no-zone
                 +--ro src-port?               inet:port-number
                 +--ro src-location?           string
                 +--ro dst-location?           string
                 +--ro source-voice-id*        string
                 +--ro destination-voice-id*   string
                 +--ro user-agent*             string
                 +--ro message?                string
                 +--ro vendor-name?            string
                 +--ro nsf-name?               union
                 +--ro severity?               severity

                 Figure 1: NSF Monitoring YANG Module Tree

8.  YANG Data Model of NSF Monitoring YANG Module

   This section describes the YANG module for I2NSF NSF Monitoring.
   The data model provided in this document uses identities to
   classify the monitoring data obtained from an NSF.  Every identity
   used in the document gives information or status about the current
   situation of an NSF.
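   The i2nsf-counters subtree above carries cumulative yang:counter64
   leaves and a mandatory discontinuity-time, and Sections 6.6 and 6.7
   say the counts restart from 0 when the service is reset.  A consumer
   that subtracts two polls without checking those two facts will
   report negative or absurd rates.  The following is an added example,
   not code from this document or from an I2NSF implementation, of how
   a collector should derive packet and byte rates (and an inbound drop
   ratio) from two samples of one system-interface entry: it reduces
   the difference modulo 2**64 so a wrapped counter still yields the
   right delta, and it refuses to compare samples whose
   discontinuity-time differs.  The samples are constructed; the leaf
   names are those of the tree above, and "timestamp" is the entry's
   own timestamp leaf.

```python
"""Added example: rates from two polls of an i2nsf-counters/system-interface
entry, honoring yang:counter64 wrap (RFC 6991) and discontinuity-time.
The three samples at the bottom are constructed for this example."""
from datetime import datetime

COUNTER64_MODULUS = 2 ** 64
# Cumulative leaves from the tree and the rate name we derive from each.
# The byte leaves are typed uint64 rather than counter64 in the tree, but
# Section 6.6.1 defines them as cumulative, so they are diffed the same way.
COUNTER_LEAVES = {
    "in-total-traffic-pkts": "in-pps",
    "out-total-traffic-pkts": "out-pps",
    "in-total-traffic-bytes": "in-Bps",
    "out-total-traffic-bytes": "out-Bps",
}


def _t(text):
    """Parse a yang:date-and-time (RFC 3339) string."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def counter_delta(prev, curr, leaf):
    """Increase of one cumulative leaf between two samples of the same
    system-interface entry.  Returns None when the samples cannot be
    compared: a counter reset (discontinuity-time moved) or a missing leaf."""
    if prev["interface-name"] != curr["interface-name"]:
        raise ValueError("samples belong to different interfaces")
    if prev["discontinuity-time"] != curr["discontinuity-time"]:
        return None                # counters restarted from 0 in between
    if leaf not in prev or leaf not in curr:
        return None
    # Modular subtraction gives the true increase even if curr wrapped past
    # 2**64 - 1 back to 0 since prev was taken.
    return (curr[leaf] - prev[leaf]) % COUNTER64_MODULUS


def rates(prev, curr):
    """Per-second rates for each leaf in COUNTER_LEAVES, None where unknown."""
    seconds = (_t(curr["timestamp"]) - _t(prev["timestamp"])).total_seconds()
    if seconds <= 0:
        raise ValueError("curr must be sampled after prev")
    result = {}
    for leaf, name in COUNTER_LEAVES.items():
        delta = counter_delta(prev, curr, leaf)
        result[name] = None if delta is None else delta / seconds
    return result


def drop_ratio(prev, curr):
    """Fraction of inbound packets dropped in the interval, or None."""
    total = counter_delta(prev, curr, "in-total-traffic-pkts")
    dropped = counter_delta(prev, curr, "in-drop-traffic-pkts")
    if not total or dropped is None:
        return None
    return dropped / total


# Constructed samples of one system-interface entry, 10 s apart.
SAMPLE_T0 = {
    "interface-name": "eth0", "timestamp": "2022-01-28T12:00:00Z",
    "discontinuity-time": "2022-01-27T08:00:00Z",
    "in-total-traffic-pkts": 2 ** 64 - 5,      # about to wrap
    "out-total-traffic-pkts": 4000,
    "in-total-traffic-bytes": 1_000_000, "out-total-traffic-bytes": 500_000,
    "in-drop-traffic-pkts": 100,
}
SAMPLE_T1 = {
    "interface-name": "eth0", "timestamp": "2022-01-28T12:00:10Z",
    "discontinuity-time": "2022-01-27T08:00:00Z",
    "in-total-traffic-pkts": 595,              # wrapped: 600 packets in 10 s
    "out-total-traffic-pkts": 4300,
    "in-total-traffic-bytes": 1_600_000, "out-total-traffic-bytes": 650_000,
    "in-drop-traffic-pkts": 160,
}
SAMPLE_T2 = {                                   # service reset at 12:00:15
    "interface-name": "eth0", "timestamp": "2022-01-28T12:00:20Z",
    "discontinuity-time": "2022-01-28T12:00:15Z",
    "in-total-traffic-pkts": 40, "out-total-traffic-pkts": 20,
    "in-total-traffic-bytes": 30_000, "out-total-traffic-bytes": 12_000,
    "in-drop-traffic-pkts": 0,
}

if __name__ == "__main__":
    print(rates(SAMPLE_T0, SAMPLE_T1), drop_ratio(SAMPLE_T0, SAMPLE_T1))
    print(rates(SAMPLE_T1, SAMPLE_T2))         # all None: counters reset
```

   After a reset the correct move is to keep SAMPLE_T2 as the new
   baseline and wait for the next poll, not to treat its small values
   as a drop in traffic; the in-traffic-average-rate and peak leaves the
   NSF itself reports are the safer source when a controller only
   needs rates and not raw counts.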
This YANG module imports from 1585 [RFC6991], [RFC8343], and [I-D.ietf-i2nsf-nsf-facing-interface-dm], 1586 and makes references to [RFC0768][RFC0791] 1587 [RFC0792][RFC0793][RFC0854] [RFC1939][RFC0959][RFC4340] 1588 [RFC4443][RFC4960][RFC5321] [RFC5646] [RFC6242][RFC6265][RFC7230] 1589 [RFC7231][RFC8200] [RFC8641][RFC9051] [I-D.ietf-tcpm-rfc793bis] 1590 [IANA-HTTP-Status-Code] [IANA-Media-Types]. 1592 file "ietf-i2nsf-nsf-monitoring@2022-01-28.yang" 1593 module ietf-i2nsf-nsf-monitoring { 1594 yang-version 1.1; 1595 namespace 1596 "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"; 1597 prefix 1598 nsfmi; 1599 import ietf-inet-types{ 1600 prefix inet; 1601 reference 1602 "Section 4 of RFC 6991"; 1603 } 1604 import ietf-yang-types { 1605 prefix yang; 1606 reference 1607 "Section 3 of RFC 6991"; 1608 } 1609 import ietf-i2nsf-policy-rule-for-nsf { 1610 prefix nsfintf; 1611 reference 1612 "Section 4.1 of draft-ietf-i2nsf-nsf-facing-interface-dm-17"; 1613 } 1614 import ietf-interfaces { 1615 prefix if; 1616 reference 1617 "Section 5 of RFC 8343"; 1618 } 1619 organization 1620 "IETF I2NSF (Interface to Network Security Functions) 1621 Working Group"; 1622 contact 1623 "WG Web: 1624 WG List: 1626 Editor: Jaehoon Paul Jeong 1627 1629 Editor: Patrick Lingga 1630 "; 1632 description 1633 "This module is a YANG module for I2NSF NSF Monitoring. 1635 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 1636 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 1637 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this 1638 document are to be interpreted as described in BCP 14 1639 (RFC 2119) (RFC 8174) when, and only when, they appear 1640 in all capitals, as shown here. 1642 Copyright (c) 2022 IETF Trust and the persons identified as 1643 authors of the code. All rights reserved. 

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject to
     the license terms contained in, the Simplified BSD License set
     forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX
     (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
     for full legal notices.";

  revision "2022-01-28" {
    description "Latest revision";
    reference
      "RFC XXXX: I2NSF NSF Monitoring Interface YANG Data Model";

    // RFC Ed.: replace XXXX with an actual RFC number and remove
    // this note.
  }

  /*
   * Typedefs
   */

  typedef severity {
    type enumeration {
      enum critical {
        description
          "The 'critical' severity level indicates that
           an immediate corrective action is required.
           A 'critical' severity is reported when a service
           becomes totally out of service and must be restored.";
      }
      enum high {
        description
          "The 'high' severity level indicates that
           an urgent corrective action is required.
           A 'high' severity is reported when there is
           a severe degradation in the capability of the
           service and its full capability must be restored.";
      }
      enum middle {
        description
          "The 'middle' severity level indicates the
           existence of a non-service-affecting fault
           condition and corrective action should be done
           to prevent a more serious fault. The 'middle'
           severity is reported when the detected problem
           is not degrading the capability of the service, but
           some service degradation might happen if not
           prevented.";
      }
      enum low {
        description
          "The 'low' severity level indicates the detection
           of a potential fault before any effect is observed.
           The 'low' severity is reported when an action should
           be done before a fault happens.";
      }
    }
    description
      "An indicator representing severity levels. The severity
       levels starting from the highest are critical, high, middle,
       and low.";
  }

  typedef log-action {
    type enumeration {
      enum allow {
        description
          "If action is allowed";
      }
      enum alert {
        description
          "If action is alert";
      }
      enum block {
        description
          "If action is block";
      }
      enum discard {
        description
          "If action is discarded";
      }
      enum declare {
        description
          "If action is declared";
      }
      enum block-ip {
        description
          "If action is block-ip";
      }
      enum block-service {
        description
          "If action is block-service";
      }
    }
    description
      "The type representing action for logging.";
  }

  typedef dpi-type {
    type enumeration {
      enum file-blocking {
        description
          "DPI for preventing the specified file types from flowing
           in the network.";
      }
      enum data-filtering {
        description
          "DPI for preventing sensitive information (e.g., Credit
           Card Number or Social Security Numbers) leaving a
           protected network.";
      }
      enum application-behavior-control {
        description
          "DPI for filtering packets based on the application or
           network behavior analysis to identify malicious or
           unusual activity.";
      }
    }
    description
      "The type of Deep Packet Inspection (DPI).
       The defined types are file-blocking, data-filtering, and
       application-behavior-control.";
  }

  typedef operation-type {
    type enumeration {
      enum login {
        description
          "The operation type is Login.";
      }
      enum logout {
        description
          "The operation type is Logout.";
      }
      enum configuration {
        description
          "The operation type is Configuration.
           The configuration operation includes the command for
           writing a new configuration and modifying an existing
           configuration.";
      }
      enum other {
        description
          "The operation type is Other operation. This other
           includes all operations done by a user except login,
           logout, and configuration.";
      }
    }
    description
      "The type of operation done by a user during a session.
       The user operation does not consider their privileges.";
  }

  typedef login-role {
    type enumeration {
      enum administrator {
        description
          "Administrator (i.e., Superuser)'s login role.
           Non-restricted role.";
      }
      enum user {
        description
          "User login role. Semi-restricted role, some data and
           configurations are available but confidential or important
           data and configuration are restricted.";
      }
      enum guest {
        description
          "Guest login role. Restricted role, only a few read data
           are available and write configurations are restricted.";
      }
    }
    description
      "The privilege level of the user account.";
  }

  /*
   * Identity
   */

  identity characteristics {
    description
      "Base identity for monitoring information
       characteristics";
  }
  identity acquisition-method {
    base characteristics;
    description
      "The type of acquisition-method.
       It can be multiple types at once.";
  }
  identity subscription {
    base acquisition-method;
    description
      "The acquisition-method type is subscription.";
  }
  identity query {
    base acquisition-method;
    description
      "The acquisition-method type is query.";
  }
  identity emission-type {
    base characteristics;
    description
      "The type of emission-type.";
  }
  identity periodic {
    base emission-type;
    description
      "The emission-type type is periodic.";
  }
  identity on-change {
    base emission-type;
    description
      "The emission-type type is on-change.";
  }
  identity on-request {
    base emission-type;
    description
      "The emission-type type is on-request.";
  }
  identity dampening-type {
    base characteristics;
    description
      "The type of message dampening to stop the rapid transmission
       of messages. The dampening types are on-repetition and
       no-dampening.";
  }
  identity no-dampening {
    base dampening-type;
    description
      "The dampening-type is no-dampening. No-dampening type does
       not limit the transmission for the messages of the same
       type.";
  }
  identity on-repetition {
    base dampening-type;
    description
      "The dampening-type is on-repetition.
       On-repetition type limits the transmitted on-change message
       to one message at a certain interval.";
  }

  identity authentication-mode {
    description
      "The authentication mode for a user to connect to the NSF,
       e.g., pre-configured-key and certificate-authority";
  }
  identity pre-configured-key {
    base authentication-mode;
    description
      "The pre-configured-key is an authentication using a key
       authentication.";
  }
  identity certificate-authority {
    base authentication-mode;
    description
      "The certificate-authority (CA) is an authentication using a
       digital certificate.";
  }

  identity event {
    description
      "Base identity for I2NSF events.";
  }

  identity system-event {
    base event;
    description
      "Identity for system event";
  }

  identity system-alarm {
    base event;
    description
      "Base identity for detectable system alarm types";
  }

  identity memory-alarm {
    base system-alarm;
    description
      "A memory alarm is alerted.";
  }
  identity cpu-alarm {
    base system-alarm;
    description
      "A CPU alarm is alerted.";
  }
  identity disk-alarm {
    base system-alarm;
    description
      "A disk alarm is alerted.";
  }
  identity hardware-alarm {
    base system-alarm;
    description
      "A hardware alarm (i.e., hardware failure) is alerted.";
  }
  identity interface-alarm {
    base system-alarm;
    description
      "An interface alarm is alerted.";
  }

  identity access-violation {
    base system-event;
    description
      "The access-violation system event is an event when a user
       tries to access (read, write, create, or delete) any
       information or execute commands above their privilege.";
  }
  identity configuration-change {
    base system-event;
    description
      "The configuration-change system event is an event when a user
       adds a new
       configuration or modifies an existing configuration
       (write configuration).";
  }

  identity attack-type {
    description
      "The root ID of attack-based notification
       in the notification taxonomy";
  }
  identity nsf-attack-type {
    base attack-type;
    description
      "This ID is intended to be used
       in the context of NSF event.";
  }

  identity virus-type {
    base nsf-attack-type;
    description
      "The type of virus. It can be multiple types at once.
       This attack type is associated with a detected
       system-log virus-attack.";
  }
  identity trojan {
    base virus-type;
    description
      "The virus type is a trojan. A trojan is able to disguise the
       intent of the files or programs to mislead the users.";
  }
  identity worm {
    base virus-type;
    description
      "The virus type is a worm. A worm can self-replicate and
       spread through the network automatically.";
  }
  identity macro {
    base virus-type;
    description
      "The virus type is a macro virus. A macro virus causes a
       series of threats automatically after the program is
       executed.";
  }
  identity boot-sector {
    base virus-type;
    description
      "The virus type is a boot sector virus. A boot sector virus
       infects the core of the computer, affecting the startup
       process.";
  }
  identity polymorphic {
    base virus-type;
    description
      "The virus type is a polymorphic virus. A polymorphic virus
       can modify its version when it replicates, making it hard to
       detect.";
  }
  identity overwrite {
    base virus-type;
    description
      "The virus type is an overwrite virus. An overwrite virus can
       remove existing software and replace it with malicious code
       by overwriting it.";
  }
  identity resident {
    base virus-type;
    description
      "The virus-type is a resident virus.
       A resident virus saves itself in the computer's memory and
       infects other files and software.";
  }
  identity non-resident {
    base virus-type;
    description
      "The virus-type is a non-resident virus. A non-resident virus
       attaches directly to an executable file and enters the device
       when executed.";
  }
  identity multipartite {
    base virus-type;
    description
      "The virus-type is a multipartite virus. A multipartite virus
       attacks both the boot sector and executable files of a
       computer.";
  }
  identity spacefiller {
    base virus-type;
    description
      "The virus-type is a spacefiller virus. A spacefiller virus
       fills empty spaces of a file or software with malicious
       code.";
  }

  identity intrusion-attack-type {
    base nsf-attack-type;
    description
      "The attack type is associated with a detected
       system-log intrusion.";
  }
  identity brute-force {
    base intrusion-attack-type;
    description
      "The intrusion type is brute-force.";
  }
  identity buffer-overflow {
    base intrusion-attack-type;
    description
      "The intrusion type is buffer-overflow.";
  }
  identity web-attack-type {
    base nsf-attack-type;
    description
      "The attack type is associated with a detected
       system-log web-attack.";
  }
  identity command-injection {
    base web-attack-type;
    description
      "The detected web attack type is command injection.";
  }
  identity xss {
    base web-attack-type;
    description
      "The detected web attack type is Cross Site Scripting (XSS).";
  }
  identity csrf {
    base web-attack-type;
    description
      "The detected web attack type is Cross Site Request Forgery.";
  }

  identity ddos-type {
    base nsf-attack-type;
    description
      "Base identity for detectable flood types";
  }
  identity syn-flood {
    base ddos-type;
    description
      "A SYN flood is detected.";
  }
  identity ack-flood {
    base ddos-type;
    description
      "An ACK flood is detected.";
  }
  identity syn-ack-flood {
    base ddos-type;
    description
      "A SYN-ACK flood is detected.";
  }
  identity fin-rst-flood {
    base ddos-type;
    description
      "A FIN-RST flood is detected.";
  }
  identity tcp-con-flood {
    base ddos-type;
    description
      "A TCP connection flood is detected.";
  }
  identity udp-flood {
    base ddos-type;
    description
      "A UDP flood is detected.";
  }
  identity icmpv4-flood {
    base ddos-type;
    description
      "An ICMPv4 flood is detected.";
  }
  identity icmpv6-flood {
    base ddos-type;
    description
      "An ICMPv6 flood is detected.";
  }
  identity http-flood {
    base ddos-type;
    description
      "An HTTP flood is detected.";
  }
  identity https-flood {
    base ddos-type;
    description
      "An HTTPS flood is detected.";
  }
  identity dns-query-flood {
    base ddos-type;
    description
      "A Domain Name System (DNS) query flood is detected.";
  }
  identity dns-reply-flood {
    base ddos-type;
    description
      "A Domain Name System (DNS) reply flood is detected.";
  }
  identity sip-flood {
    base ddos-type;
    description
      "A Session Initiation Protocol (SIP) flood is detected.";
  }
  identity ssl-flood {
    base ddos-type;
    description
      "A Secure Sockets Layer (SSL) flood is detected.";
  }
  identity ntp-amp-flood {
    base ddos-type;
    description
      "A Network Time Protocol (NTP) amplification is detected.";
  }

  identity req-method {
    description
      "A set of request types in HTTP (if applicable).";
  }
  identity put {
    base req-method;
    description
      "The detected request type is PUT.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method PUT";
  }
  identity post {
    base req-method;
    description
      "The detected request type is POST.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method POST";
  }
  identity get {
    base req-method;
    description
      "The detected request type is GET.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method GET";
  }
  identity head {
    base req-method;
    description
      "The detected request type is HEAD.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method HEAD";
  }
  identity delete {
    base req-method;
    description
      "The detected request type is DELETE.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method DELETE";
  }
  identity connect {
    base req-method;
    description
      "The detected request type is CONNECT.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method CONNECT";
  }
  identity options {
    base req-method;
    description
      "The detected request type is OPTIONS.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method OPTIONS";
  }
  identity trace {
    base req-method;
    description
      "The detected request type is TRACE.";
    reference
      "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content - Request Method TRACE";
  }

  identity filter-type {
    description
      "The type of filter used to detect an attack,
       for example, a web-attack. It can be applicable to
       more than web-attacks.";
  }
  identity allow-list {
    base filter-type;
    description
      "The applied filter type is an allow list.
       This filter blocks all connections except the specified
       list.";
  }
  identity deny-list {
    base filter-type;
    description
      "The applied filter type is a deny list. This filter opens all
       connections except the specified list.";
  }
  identity unknown-filter {
    base filter-type;
    description
      "The applied filter is unknown.";
  }

  identity protocol {
    description
      "An identity used to enable type choices in leaves
       and leaflists with respect to protocol metadata. This is used
       to identify the type of protocol that goes through the NSF.";
  }
  identity ip {
    base protocol;
    description
      "General IP protocol type.";
    reference
      "RFC 791: Internet Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)";
  }
  identity ipv4 {
    base ip;
    description
      "IPv4 protocol type.";
    reference
      "RFC 791: Internet Protocol";
  }
  identity ipv6 {
    base ip;
    description
      "IPv6 protocol type.";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)";
  }
  identity icmp {
    base protocol;
    description
      "Base identity for ICMPv4 and ICMPv6 condition capability";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 4443: Internet Control Message Protocol (ICMPv6)
       for the Internet Protocol Version 6 (IPv6) Specification
       - ICMPv6";
  }
  identity icmpv4 {
    base icmp;
    description
      "ICMPv4 protocol type.";
    reference
      "RFC 791: Internet Protocol
       RFC 792: Internet Control Message Protocol";
  }
  identity icmpv6 {
    base icmp;
    description
      "ICMPv6 protocol type.";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       RFC 4443: Internet Control Message Protocol (ICMPv6)
       for the Internet Protocol Version 6 (IPv6)
       Specification";
  }
  identity transport-protocol {
    base protocol;
    description
      "Base
       identity for Layer 4 protocol condition capabilities,
       e.g., TCP, UDP, SCTP, DCCP, and ICMP";
  }
  identity tcp {
    base transport-protocol;
    description
      "TCP protocol type.";
    reference
      "RFC 793: Transmission Control Protocol
       draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
       (TCP) Specification";
  }
  identity udp {
    base transport-protocol;
    description
      "UDP protocol type.";
    reference
      "RFC 768: User Datagram Protocol";
  }
  identity sctp {
    base transport-protocol;
    description
      "Identity for SCTP condition capabilities";
    reference
      "RFC 4960: Stream Control Transmission Protocol";
  }
  identity dccp {
    base transport-protocol;
    description
      "Identity for DCCP condition capabilities";
    reference
      "RFC 4340: Datagram Congestion Control Protocol";
  }
  identity application-protocol {
    base protocol;
    description
      "Base identity for Application protocol, e.g., HTTP, FTP";
  }
  identity http {
    base application-protocol;
    description
      "HTTP protocol type.";
    reference
      "RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message
       Syntax and Routing
       RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content";
  }
  identity https {
    base application-protocol;
    description
      "HTTPS protocol type.";
    reference
      "RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message
       Syntax and Routing
       RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
       and Content";
  }
  identity ftp {
    base application-protocol;
    description
      "FTP protocol type.";
    reference
      "RFC 959: File Transfer Protocol";
  }
  identity ssh {
    base application-protocol;
    description
      "SSH protocol type.";
    reference
      "RFC 6242: Using the NETCONF Protocol over Secure Shell (SSH)";
  }
  identity telnet {
    base application-protocol;
    description
      "The identity for telnet.";
    reference
      "RFC 854: Telnet Protocol";
  }
  identity smtp {
    base application-protocol;
    description
      "The identity for smtp.";
    reference
      "RFC 5321: Simple Mail Transfer Protocol (SMTP)";
  }
  identity pop3 {
    base application-protocol;
    description
      "The identity for pop3. This includes POP3 over TLS";
    reference
      "RFC 1939: Post Office Protocol - Version 3 (POP3)";
  }
  identity imap {
    base application-protocol;
    description
      "The identity for Internet Message Access Protocol. This
       includes IMAP over TLS";
    reference
      "RFC 9051: Internet Message Access Protocol (IMAP) - Version
       4rev2";
  }

  /*
   * Grouping
   */

  grouping timestamp {
    description
      "Grouping for identifying the time of the message.";
    leaf timestamp {
      type yang:date-and-time;
      description
        "Specify the time of a message being delivered.";
    }
  }
  grouping common-monitoring-data {
    description
      "A set of common monitoring data that is needed
       as the basic information.";
    leaf message {
      type string;
      description
        "This is a freetext annotation for
         monitoring a notification's content.";
    }
    leaf vendor-name {
      type string;
      description
        "The name of the NSF vendor. The string is unrestricted to
         identify the provider or vendor of the NSF.";
    }
    leaf nsf-name {
      type union {
        type string;
        type inet:ip-address-no-zone;
      }
      description
        "The name or IP address of the NSF generating the message.
         If the given nsf-name is not an IP address, the name can be
         an arbitrary string including an FQDN (Fully Qualified
         Domain Name).
         The name MUST be unique in the scope of the management
         domain so that the NSF generating the message can be
         distinguished from any other NSF.";
    }
    leaf severity {
      type severity;
      description
        "The severity of the alarm such as critical, high,
         middle, and low.";
    }
  }
  grouping characteristics {
    description
      "A set of characteristics of a notification.";
    leaf acquisition-method {
      type identityref {
        base acquisition-method;
      }
      description
        "The acquisition-method for characteristics";
    }
    leaf emission-type {
      type identityref {
        base emission-type;
      }
      description
        "The emission-type for characteristics";
    }
    leaf dampening-type {
      type identityref {
        base dampening-type;
      }
      description
        "The dampening-type for characteristics";
    }
  }
  grouping i2nsf-system-alarm-type-content {
    description
      "A set of contents for alarm type notification.";
    leaf usage {
      type uint8 {
        range "0..100";
      }
      units "percent";
      description
        "Specifies the used percentage";
    }
    leaf threshold {
      type uint8 {
        range "0..100";
      }
      units "percent";
      description
        "The threshold percentage triggering the alarm or
         the event";
    }
  }
  grouping i2nsf-system-event-type-content {
    description
      "System event metadata associated with system events
       caused by user activity.
       This can be extended to provide additional information.";
    leaf user {
      type string;
      mandatory true;
      description
        "The name of a user";
    }
    leaf-list group {
      type string;
      min-elements 1;
      description
        "The group(s) to which a user belongs.";
    }
    leaf ip-address {
      type inet:ip-address-no-zone;
      mandatory true;
      description
        "The IPv4 (or IPv6) address of a user that triggers the
         event.";
    }
    leaf port-number {
      type inet:port-number;
      mandatory true;
      description
        "The port number used by the user.";
    }
    leaf authentication {
      type identityref {
        base authentication-mode;
      }
      description
        "The authentication-mode of a user.";
    }
  }
  grouping i2nsf-nsf-event-type-content {
    description
      "A set of common IPv4 (or IPv6)-related NSF event
       content elements";
    leaf dst-ip {
      type inet:ip-address-no-zone;
      description
        "The destination IPv4 (IPv6) address of the packet";
    }
    leaf dst-port {
      type inet:port-number;
      description
        "The destination port of the packet";
    }
    leaf rule-name {
      type leafref {
        path
          "/nsfintf:i2nsf-security-policy"
          +"/nsfintf:rules/nsfintf:name";
      }
      mandatory true;
      description
        "The name of the I2NSF Policy Rule being triggered";
    }
  }
  grouping i2nsf-nsf-event-type-content-extend {
    description
      "A set of extended common IPv4 (or IPv6)-related NSF
       event content elements";
    uses i2nsf-nsf-event-type-content;
    leaf src-ip {
      type inet:ip-address-no-zone;
      description
        "The source IPv4 (or IPv6) address of the packet or flow";
    }
    leaf src-port {
      type inet:port-number;
      description
        "The source port of the packet or flow";
    }
    leaf src-location {
      type string {
        length "1..100";
        pattern "[0-9a-zA-Z ]*";
      }
      description
        "The source geographical location (e.g., country and city)
         of the src-ip field.";
    }
    leaf dst-location {
      type string {
        length "1..100";
        pattern "[0-9a-zA-Z ]*";
      }
      description
        "The destination geographical location (e.g., country and
         city) of the dst-ip field.";
    }
  }
  grouping log-action {
    description
      "A grouping for logging action.";
    leaf-list action {
      type log-action;
      description
        "Action type: allow, alert, block, discard, declare,
         block-ip, block-service";
    }
  }
  grouping attack-rates {
    description
      "A set of traffic rates for monitoring attack traffic
       data";
    leaf attack-rate {
      type uint32;
      units "pps";
      description
        "The average packets per second (pps) rate of attack
         traffic";
    }
    leaf attack-speed {
      type uint64;
      units "Bps";
      description
        "The average bytes per second (Bps) speed of attack traffic";
    }
  }
  grouping traffic-rates {
    description
      "A set of traffic rates for statistics data";
    leaf discontinuity-time {
      type yang:date-and-time;
      mandatory true;
      description
        "The time on the most recent occasion at which any one or
         more of the counters suffered a discontinuity.
         If no such discontinuities have occurred since the last
         re-initialization of the local management subsystem, then
         this node contains the time the local management subsystem
         was re-initialized.";
    }
    leaf total-traffic {
      type yang:counter64;
      units "packets";
      description
        "The total number of traffic packets (in and out) in the
         NSF.";
    }
    leaf in-traffic-average-rate {
      type uint32;
      units "pps";
      description
        "Inbound traffic average rate in packets per second (pps).
         The average is calculated from the start of the NSF service
         until the generation of this record.";
    }
    leaf in-traffic-peak-rate {
      type uint32;
      units "pps";
      description
        "Inbound traffic peak rate in packets per second (pps).";
    }
    leaf in-traffic-average-speed {
      type uint64;
      units "Bps";
      description
        "Inbound traffic average speed in bytes per second (Bps).
         The average is calculated from the start of the NSF service
         until the generation of this record.";
    }
    leaf in-traffic-peak-speed {
      type uint64;
      units "Bps";
      description
        "Inbound traffic peak speed in bytes per second (Bps).";
    }
    leaf out-traffic-average-rate {
      type uint32;
      units "pps";
      description
        "Outbound traffic average rate in packets per second (pps).
         The average is calculated from the start of the NSF service
         until the generation of this record.";
    }
    leaf out-traffic-peak-rate {
      type uint32;
      units "pps";
      description
        "Outbound traffic peak rate in packets per second (pps).";
    }
    leaf out-traffic-average-speed {
      type uint64;
      units "Bps";
      description
        "Outbound traffic average speed in bytes per second (Bps).
         The average is calculated from the start of the NSF service
         until the generation of this record.";
    }
    leaf out-traffic-peak-speed {
      type uint64;
      units "Bps";
      description
        "Outbound traffic peak speed in bytes per second (Bps).";
    }
  }
  grouping i2nsf-system-counter-type-content {
    description
      "A set of counters for an interface traffic data.";

    leaf interface-name {
      type if:interface-ref;
      description
        "Network interface name configured in an NSF";
      reference
        "RFC 8343: A YANG Data Model for Interface Management";
    }
    leaf in-total-traffic-pkts {
      type yang:counter64;
      description
        "Total inbound packets";
    }
    leaf out-total-traffic-pkts {
      type yang:counter64;
      description
        "Total outbound packets";
    }
    leaf in-total-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total inbound bytes";
    }
    leaf out-total-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total outbound bytes";
    }
    leaf in-drop-traffic-pkts {
      type yang:counter64;
      description
        "Total inbound dropped packets";
    }
    leaf out-drop-traffic-pkts {
      type yang:counter64;
      description
        "Total outbound dropped packets";
    }
    leaf in-drop-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total inbound dropped bytes";
    }
    leaf out-drop-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total outbound dropped bytes";
    }
    uses traffic-rates;
  }

  grouping i2nsf-nsf-counters-type-content {
    description
      "A set of contents of a policy in an NSF.";
    leaf policy-name {
      type leafref {
        path
          "/nsfintf:i2nsf-security-policy"
          +"/nsfintf:name";
      }
      mandatory true;
      description
        "The name of the policy being triggered";
    }
    leaf src-user {
      type string;
      description
        "The I2NSF User's name who generates the policy.";
    }
  }

  grouping enable-notification {
    description
      "A grouping for enabling or disabling notification";
    leaf enabled {
      type boolean;
      default "true";
      description
        "Enables or disables the notification.
         If 'true', then the notification is enabled.
         If 'false', then the notification is disabled.";
    }
  }

  grouping dampening {
    description
      "A grouping for dampening period of notification.";
    leaf dampening-period {
      type uint32;
      units "centiseconds";
      default "0";
      description
        "Specifies the minimum interval between the assembly of
         successive update records for a single receiver of a
         subscription. Whenever subscribed objects change and
         a dampening-period interval (which may be zero) has
         elapsed since the previous update record creation for
         a receiver, any subscribed objects and properties
         that have changed since the previous update record
         will have their current values marshalled and placed
         in a new update record. But if the subscribed objects change
         when the dampening-period is active, it should update the
         record without sending the notification until the
         dampening-period is finished. If multiple changes happen
         during the active dampening-period, it should update the
         record with the latest data.
And at the end of the dampening-period, it 2838 should send the record as a notification with the latest 2839 updated record and restart the countdown."; 2840 reference 2841 "RFC 8641: Subscription to YANG Notifications for 2842 Datastore Updates - Section 5."; 2843 } 2844 } 2846 /* 2847 * Feature Nodes 2848 */ 2850 feature i2nsf-nsf-detection-ddos { 2851 description 2852 "This feature means it supports I2NSF nsf-detection-ddos 2853 notification"; 2854 } 2855 feature i2nsf-nsf-detection-virus { 2856 description 2857 "This feature means it supports I2NSF nsf-detection-virus 2858 notification"; 2859 } 2860 feature i2nsf-nsf-detection-intrusion { 2861 description 2862 "This feature means it supports I2NSF nsf-detection-intrusion 2863 notification"; 2864 } 2865 feature i2nsf-nsf-detection-web-attack { 2866 description 2867 "This feature means it supports I2NSF nsf-detection-web-attack 2868 notification"; 2869 } 2870 feature i2nsf-nsf-detection-voip-volte { 2871 description 2872 "This feature means it supports I2NSF nsf-detection-voip-volte 2873 notification"; 2874 } 2875 feature i2nsf-nsf-log-dpi { 2876 description 2877 "This feature means it supports I2NSF nsf-log-dpi 2878 notification"; 2879 } 2881 /* 2882 * Notification nodes 2883 */ 2885 notification i2nsf-event { 2886 description 2887 "Notification for I2NSF Event."; 2889 leaf language { 2890 type string { 2891 pattern 2892 "^((en-GB-oed|i-ami|i-bnn|i-default|" 2893 + "i-enochian|i-hak|i-klingon|i-lux|i-mingo|i-navajo|i-pwn|" 2894 + "i-tao|i-tay|i-tsu|sgn-BE-FR|sgn-BE-NL|sgn-CH-DE)|" 2895 + "(art-lojban|cel-gaulish|no-bok|no-nyn|zh-guoyu|zh-hakka|" 2896 + "zh-min|zh-min-nan|zh-xiang)|" 2897 + "(([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3}){0,2})?)|" 2898 + "[A-Za-z]{4}|[A-Za-z]{5,8}" 2899 + "(-[A-Za-z]{4})?" 2900 + "(-[A-Za-z]{2}|[0-9]{3})?" 
2901 + "(-[A-Za-z0-9]{5,8}|[0-9][A-Za-z0-9]{3})*" 2902 + "(-[0-9A-WY-Za-wy-z](-[A-Za-z0-9]{2,8})+)*" 2903 + "(-x(-[A-Za-z0-9]{1,8})+)?)|" 2904 + "x(-[A-Za-z0-9]{1,8})+)$"; 2905 } 2906 description 2907 "The value in this field describes the human language 2908 intended for the user, so that it allows a user to 2909 differentiate the language that is used in the 2910 notification. This field is not mandatory, but required 2911 when the implementation provides more than one human 2912 language for the human-readable string fields, 2913 e.g., /i2nsf-nsf-event/i2nsf-nsf-detection-ddos/message. 2915 This field uses the language-tag production in Section 2.1 2916 in RFC 5646. See the document for more details."; 2917 reference 2918 "RFC 5646: Tags for Identifying Languages"; 2919 } 2920 choice sub-event-type { 2921 description 2922 "This choice must be augmented with cases for each allowed 2923 sub-event. Only 1 sub-event will be instantiated in each 2924 i2nsf-event message. Each case is expected to define one 2925 container with all the sub-event fields."; 2926 case i2nsf-system-detection-alarm { 2927 container i2nsf-system-detection-alarm{ 2928 description 2929 "This notification is sent, when a system alarm 2930 is detected."; 2931 leaf alarm-category { 2932 type identityref { 2933 base system-alarm; 2934 } 2935 description 2936 "The alarm category for 2937 system-detection-alarm notification"; 2938 } 2939 leaf component-name { 2940 type string; 2941 description 2942 "The hardware component responsible for generating 2943 the message. Applicable for Hardware Failure 2944 Alarm."; 2945 } 2946 leaf interface-name { 2947 type if:interface-ref; 2948 description 2949 "The interface name responsible for generating 2950 the message. 
Applicable for Network Interface 2951 Failure Alarm."; 2952 reference 2953 "RFC 8343: A YANG Data Model for Interface Management"; 2954 } 2955 leaf interface-state { 2956 type enumeration { 2957 enum down { 2958 description 2959 "The interface state is down."; 2960 } 2961 enum up { 2962 description 2963 "The interface state is up and not congested."; 2964 } 2965 enum congested { 2966 description 2967 "The interface state is up but congested."; 2969 } 2970 } 2971 description 2972 "The state of the interface (i.e., up, down, 2973 congested). Applicable for Network Interface Failure 2974 Alarm."; 2975 } 2976 uses characteristics; 2977 uses i2nsf-system-alarm-type-content; 2978 uses common-monitoring-data; 2979 } 2980 } 2982 case i2nsf-system-detection-event { 2983 container i2nsf-system-detection-event { 2984 description 2985 "This notification is sent when a security-sensitive 2986 authentication action fails."; 2987 leaf event-category { 2988 type identityref { 2989 base system-event; 2990 } 2991 description 2992 "The event category for system-detection-event"; 2993 } 2994 uses characteristics; 2995 uses i2nsf-system-event-type-content; 2996 uses common-monitoring-data; 2997 list changes { 2998 key policy-name; 2999 description 3000 "Describes the modification that was made to the 3001 configuration. The minimum information that must be 3002 provided is the name of the policy that has been 3003 altered (added, modified, or removed). 
3005 This list can be extended with the detailed 3006 information about the specific changes made to the 3007 configuration based on the implementation."; 3009 leaf policy-name { 3010 type leafref { 3011 path 3012 "/nsfintf:i2nsf-security-policy" 3013 +"/nsfintf:name"; 3014 } 3015 description 3016 "The name of the policy configuration that has been 3017 added, modified, or removed."; 3018 } 3019 } 3020 } 3021 } 3023 case i2nsf-traffic-flows { 3024 container i2nsf-traffic-flows { 3025 description 3026 "This notification is sent to inform about the traffic 3027 flows."; 3028 leaf src-ip { 3029 type inet:ip-address-no-zone; 3030 description 3031 "The source IPv4 (or IPv6) address of the flow"; 3032 } 3033 leaf dst-ip { 3034 type inet:ip-address-no-zone; 3035 description 3036 "The destination IPv4 (or IPv6) address of the flow"; 3037 } 3038 leaf protocol { 3039 type identityref { 3040 base protocol; 3041 } 3042 description 3043 "The protocol type for nsf-detection-intrusion 3044 notification"; 3045 } 3046 leaf src-port { 3047 type inet:port-number; 3048 description 3049 "The source port of the flow"; 3050 } 3051 leaf dst-port { 3052 type inet:port-number; 3053 description 3054 "The destination port of the flow"; 3055 } 3056 leaf arrival-rate { 3057 type uint32; 3058 units "pps"; 3059 description 3060 "The average arrival rate of the flow in packets per 3061 second. The average is calculated from the start of 3062 the NSF service until the generation of this 3063 record."; 3064 } 3065 leaf arrival-speed { 3066 type uint32; 3067 units "Bps"; 3068 description 3069 "The average arrival rate of the flow in bytes per 3070 second. 
The average is calculated from the start of 3071 the NSF service until the generation of this 3072 record."; 3073 } 3074 uses characteristics; 3075 uses common-monitoring-data; 3076 } 3077 } 3079 case i2nsf-nsf-detection-session-table { 3080 container i2nsf-nsf-detection-session-table { 3081 description 3082 "This notification is sent, when a session table 3083 event is detected."; 3084 leaf current-session { 3085 type uint32; 3086 description 3087 "The number of concurrent sessions"; 3088 } 3089 leaf maximum-session { 3090 type uint32; 3091 description 3092 "The maximum number of sessions that the session 3093 table can support"; 3094 } 3095 leaf threshold { 3096 type uint32; 3097 description 3098 "The threshold triggering the event"; 3099 } 3100 uses common-monitoring-data; 3101 } 3102 } 3103 } 3104 } 3106 notification i2nsf-log { 3107 description 3108 "Notification for I2NSF log. The notification is generated 3109 from the logs of the NSF."; 3111 leaf language { 3112 type string { 3113 pattern 3114 "^((en-GB-oed|i-ami|i-bnn|i-default|" 3115 + "i-enochian|i-hak|i-klingon|i-lux|i-mingo|i-navajo|i-pwn|" 3116 + "i-tao|i-tay|i-tsu|sgn-BE-FR|sgn-BE-NL|sgn-CH-DE)|" 3117 + "(art-lojban|cel-gaulish|no-bok|no-nyn|zh-guoyu|zh-hakka|" 3118 + "zh-min|zh-min-nan|zh-xiang)|" 3119 + "(([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3}){0,2})?)|" 3120 + "[A-Za-z]{4}|[A-Za-z]{5,8}" 3121 + "(-[A-Za-z]{4})?" 3122 + "(-[A-Za-z]{2}|[0-9]{3})?" 3123 + "(-[A-Za-z0-9]{5,8}|[0-9][A-Za-z0-9]{3})*" 3124 + "(-[0-9A-WY-Za-wy-z](-[A-Za-z0-9]{2,8})+)*" 3125 + "(-x(-[A-Za-z0-9]{1,8})+)?)|" 3126 + "x(-[A-Za-z0-9]{1,8})+)$"; 3127 } 3128 description 3129 "The value in this field describes the human language 3130 intended for the user, so that it allows a user to 3131 differentiate the language that is used in the 3132 notification. 
This field is not mandatory, but required 3133 when the implementation provides more than one human 3134 language for the human-readable string fields, 3135 e.g., /i2nsf-nsf-log/i2nsf-system-res-util-log/message. 3137 This field uses the language-tag production in Section 2.1 3138 in RFC 5646. See the document for more details."; 3139 reference 3140 "RFC 5646: Tags for Identifying Languages"; 3141 } 3143 choice sub-logs-type { 3144 description 3145 "This choice must be augmented with cases for each allowed 3146 sub-logs. Only 1 sub-event will be instantiated in each 3147 i2nsf-logs message. Each case is expected to define one 3148 container with all the sub-logs fields."; 3149 case i2nsf-nsf-system-access-log { 3150 container i2nsf-nsf-system-access-log { 3151 description 3152 "The notification is sent, if there is a new system 3153 log entry about a system access event."; 3154 uses i2nsf-system-event-type-content; 3155 leaf operation-type { 3156 type operation-type; 3157 description 3158 "The operation type that the user executes"; 3159 } 3160 leaf input { 3161 type string; 3162 description 3163 "The operation performed by a user after login. 
The 3164 operation is a command given by a user."; 3165 } 3166 leaf output { 3167 type string; 3168 description 3169 "The result in text format after executing the 3170 input."; 3171 } 3172 uses characteristics; 3173 uses common-monitoring-data; 3174 } 3175 } 3177 case i2nsf-system-res-util-log { 3178 container i2nsf-system-res-util-log { 3179 description 3180 "This notification is sent, if there is a new log 3181 entry representing resource utilization updates."; 3182 leaf system-status { 3183 type enumeration { 3184 enum running { 3185 description 3186 "The system is active and running the security 3187 service."; 3188 } 3189 enum waiting { 3190 description 3191 "The system is active but waiting for an event to 3192 provide the security service."; 3193 } 3194 enum inactive { 3195 description 3196 "The system is inactive and not running the 3197 security service."; 3198 } 3199 } 3200 description 3201 "The current system's running status"; 3202 } 3203 leaf cpu-usage { 3204 type uint8; 3205 units "percent"; 3206 description 3207 "Specifies the relative percentage of CPU utilization 3208 with respect to platform resources"; 3210 } 3211 leaf memory-usage { 3212 type uint8; 3213 units "percent"; 3214 description 3215 "Specifies the percentage of memory usage."; 3216 } 3217 list disk { 3218 key disk-id; 3219 description 3220 "Disk is the hardware to store information for a 3221 long period, i.e., Hard Disk or Solid-State Drive."; 3222 leaf disk-id { 3223 type string; 3224 description 3225 "The ID of the storage disk. 
It is a free form 3226 identifier to identify the storage disk."; 3227 } 3228 leaf disk-usage { 3229 type uint8; 3230 units "percent"; 3231 description 3232 "Specifies the percentage of disk usage"; 3233 } 3234 leaf disk-left { 3235 type uint8; 3236 units "percent"; 3237 description 3238 "Specifies the percentage of disk left"; 3239 } 3240 } 3241 leaf session-num { 3242 type uint32; 3243 description 3244 "The total number of sessions"; 3245 } 3246 leaf process-num { 3247 type uint32; 3248 description 3249 "The total number of processes"; 3250 } 3251 list interface { 3252 key interface-id; 3253 description 3254 "The network interface for connecting a device 3255 with the network."; 3256 leaf interface-id { 3257 type string; 3258 description 3259 "The ID of the network interface. It is a free form 3260 identifier to identify the network interface."; 3261 } 3262 leaf in-traffic-rate { 3263 type uint32; 3264 units "pps"; 3265 description 3266 "The total inbound traffic rate in packets per 3267 second"; 3268 } 3269 leaf out-traffic-rate { 3270 type uint32; 3271 units "pps"; 3272 description 3273 "The total outbound traffic rate in packets per 3274 second"; 3275 } 3276 leaf in-traffic-speed { 3277 type uint64; 3278 units "Bps"; 3279 description 3280 "The total inbound traffic speed in bytes per 3281 second"; 3282 } 3283 leaf out-traffic-speed { 3284 type uint64; 3285 units "Bps"; 3286 description 3287 "The total outbound traffic speed in bytes per 3288 second"; 3289 } 3290 } 3291 uses characteristics; 3292 uses common-monitoring-data; 3293 } 3294 } 3296 case i2nsf-system-user-activity-log { 3297 container i2nsf-system-user-activity-log { 3298 description 3299 "This notification is sent, if there is a new user 3300 activity log entry."; 3301 uses characteristics; 3302 uses i2nsf-system-event-type-content; 3303 uses common-monitoring-data; 3304 leaf online-duration { 3305 type uint32; 3306 units "seconds"; 3307 description 3308 "The duration of a user's activeness (stays 
in login) 3309 during a session."; 3311 } 3312 leaf logout-duration { 3313 type uint32; 3314 units "seconds"; 3315 description 3316 "The duration of a user's inactiveness (not in login) 3317 from the last session."; 3318 } 3319 leaf additional-info { 3320 type enumeration { 3321 enum successful-login { 3322 description 3323 "The user has succeeded in login."; 3324 } 3325 enum failed-login { 3326 description 3327 "The user has failed in login (e.g., wrong 3328 password)"; 3329 } 3330 enum logout { 3331 description 3332 "The user has succeeded in logout"; 3333 } 3334 enum successful-password-changed { 3335 description 3336 "The password has been changed successfully"; 3337 } 3338 enum failed-password-changed{ 3339 description 3340 "The attempt to change password has failed"; 3341 } 3342 enum lock { 3343 description 3344 "The user has been locked. A locked user cannot 3345 login."; 3346 } 3347 enum unlock { 3348 description 3349 "The user has been unlocked."; 3350 } 3351 } 3352 description 3353 "User activities, e.g., Successful User Login, 3354 Failed Login attempts, User Logout, Successful User 3355 Password Change, Failed User Password Change, User 3356 Lockout, User Unlocking, and Unknown."; 3357 } 3358 } 3359 } 3360 case i2nsf-nsf-log-dpi { 3361 if-feature "i2nsf-nsf-log-dpi"; 3362 container i2nsf-nsf-log-dpi { 3363 description 3364 "This notification is sent, if there is a new DPI 3365 event in the NSF log."; 3366 leaf attack-type { 3367 type dpi-type; 3368 description 3369 "The type of the DPI"; 3370 } 3371 uses characteristics; 3372 uses i2nsf-nsf-counters-type-content; 3373 uses common-monitoring-data; 3374 } 3375 } 3376 } 3377 } 3379 notification i2nsf-nsf-event { 3380 description 3381 "Notification for I2NSF NSF Event. This notification is 3382 used for a specific NSF that supported such feature."; 3383 choice sub-event-type { 3384 description 3385 "This choice must be augmented with cases for each allowed 3386 sub-event. 
Only 1 sub-event will be instantiated in each 3387 i2nsf-event message. Each case is expected to define one 3388 container with all the sub-event fields."; 3389 case i2nsf-nsf-detection-ddos { 3390 if-feature "i2nsf-nsf-detection-ddos"; 3391 container i2nsf-nsf-detection-ddos { 3392 description 3393 "This notification is sent, when a specific flood type 3394 is detected."; 3395 leaf attack-type { 3396 type identityref { 3397 base ddos-type; 3398 } 3399 description 3400 "Any one of Syn flood, ACK flood, SYN-ACK flood, 3401 FIN/RST flood, TCP Connection flood, UDP flood, 3402 ICMP (i.e., ICMPv4 or ICMPv6) flood, HTTP flood, 3403 HTTPS flood, DNS query flood, DNS reply flood, SIP 3404 flood, etc."; 3405 } 3406 leaf start-time { 3407 type yang:date-and-time; 3408 mandatory true; 3409 description 3410 "The time stamp indicating when the attack started"; 3411 } 3412 leaf end-time { 3413 type yang:date-and-time; 3414 description 3415 "The time stamp indicating when the attack ended. If 3416 the attack is still undergoing when sending out the 3417 notification, this field can be empty."; 3418 } 3419 leaf-list attack-src-ip { 3420 type inet:ip-address-no-zone; 3421 description 3422 "The source IPv4 (or IPv6) addresses of attack 3423 traffic. It can hold multiple IPv4 (or IPv6) 3424 addresses."; 3425 } 3426 leaf-list attack-dst-ip { 3427 type inet:ip-address-no-zone; 3428 description 3429 "The destination IPv4 (or IPv6) addresses of attack 3430 traffic. 
It can hold multiple IPv4 (or IPv6) 3431 addresses."; 3432 } 3433 leaf-list attack-src-port { 3434 type inet:port-number; 3435 description 3436 "The source ports of the DDoS attack"; 3437 } 3438 leaf-list attack-dst-port { 3439 type inet:port-number; 3440 description 3441 "The destination ports of the DDoS attack"; 3442 } 3443 leaf rule-name { 3444 type leafref { 3445 path 3446 "/nsfintf:i2nsf-security-policy" 3447 +"/nsfintf:rules/nsfintf:name"; 3448 } 3449 mandatory true; 3450 description 3451 "The name of the I2NSF Policy Rule being triggered"; 3452 } 3454 uses attack-rates; 3455 uses log-action; 3456 uses characteristics; 3457 uses common-monitoring-data; 3458 } 3459 } 3460 case i2nsf-nsf-detection-virus { 3461 if-feature "i2nsf-nsf-detection-virus"; 3462 container i2nsf-nsf-detection-virus { 3463 description 3464 "This notification is sent, when a virus is detected."; 3465 uses i2nsf-nsf-event-type-content-extend; 3466 leaf virus-name { 3467 type string; 3468 description 3469 "The name of the detected virus"; 3470 } 3471 leaf virus-type { 3472 type identityref { 3473 base virus-type; 3474 } 3475 description 3476 "The virus type of the detected virus"; 3477 } 3478 leaf host { 3479 type union { 3480 type string; 3481 type inet:ip-address-no-zone; 3482 } 3483 description 3484 "The name or IP address of the host/device. This is 3485 used to identify the host/device that is infected by 3486 the virus. If the given name is not IP address, the 3487 name can be an arbitrary string including FQDN 3488 (Fully Qualified Domain Name). 
The name MUST be unique 3489 in the scope of management domain for identifying the 3490 device that has been infected with a virus."; 3491 } 3492 leaf file-type { 3493 type string; 3494 description 3495 "The type of file virus code is found in (if 3496 applicable)."; 3497 reference 3498 "IANA Website: Media Types"; 3499 } 3500 leaf file-name { 3501 type string; 3502 description 3503 "The name of file virus code is found in (if 3504 applicable)."; 3505 } 3506 leaf os { 3507 type string; 3508 description 3509 "The operating system of the device."; 3510 } 3511 uses log-action; 3512 uses characteristics; 3513 uses common-monitoring-data; 3514 } 3515 } 3516 case i2nsf-nsf-detection-intrusion { 3517 if-feature "i2nsf-nsf-detection-intrusion"; 3518 container i2nsf-nsf-detection-intrusion { 3519 description 3520 "This notification is sent, when an intrusion event 3521 is detected."; 3522 uses i2nsf-nsf-event-type-content-extend; 3523 leaf protocol { 3524 type identityref { 3525 base transport-protocol; 3526 } 3527 description 3528 "The transport protocol type for 3529 nsf-detection-intrusion notification"; 3530 } 3531 leaf app { 3532 type identityref { 3533 base application-protocol; 3534 } 3535 description 3536 "The employed application layer protocol"; 3537 } 3538 leaf attack-type { 3539 type identityref { 3540 base intrusion-attack-type; 3541 } 3542 description 3543 "The sub attack type for intrusion attack"; 3544 } 3545 uses log-action; 3546 uses attack-rates; 3547 uses characteristics; 3548 uses common-monitoring-data; 3549 } 3550 } 3551 case i2nsf-nsf-detection-web-attack { 3552 if-feature "i2nsf-nsf-detection-web-attack"; 3553 container i2nsf-nsf-detection-web-attack { 3554 description 3555 "This notification is sent, when an attack event is 3556 detected."; 3557 uses i2nsf-nsf-event-type-content-extend; 3558 leaf attack-type { 3559 type identityref { 3560 base web-attack-type; 3561 } 3562 description 3563 "Concrete web attack type, e.g., SQL injection, 3564 command 
injection, XSS, and CSRF."; 3565 } 3566 leaf req-method { 3567 type identityref { 3568 base req-method; 3569 } 3570 description 3571 "The HTTP method of the request, e.g., PUT or GET."; 3572 reference 3573 "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): 3574 Semantics and Content - Request Methods"; 3575 } 3576 leaf req-target { 3577 type string; 3578 description 3579 "The HTTP Request Target. This field can be filled in 3580 the format of origin-form, absolute-form, 3581 authority-form, or asterisk-form"; 3582 reference 3583 "RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): 3584 Message Syntax and Routing - Request Target"; 3585 } 3586 leaf-list filtering-type { 3587 type identityref { 3588 base filter-type; 3589 } 3590 description 3591 "URL filtering type, e.g., deny-list, allow-list, 3592 and Unknown"; 3593 } 3594 leaf req-user-agent { 3595 type string; 3596 description 3597 "The HTTP User-Agent header field of the request"; 3598 reference 3599 "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): 3600 Semantics and Content - User Agent"; 3601 } 3602 leaf cookie { 3603 type string; 3604 description 3605 "The HTTP Cookie header field of the request from 3606 the user agent."; 3607 reference 3608 "RFC 6265: HTTP State Management Mechanism - Cookie"; 3609 } 3610 leaf req-host { 3611 type string; 3612 description 3613 "The HTTP Host header field of the request"; 3614 reference 3615 "RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): 3616 Message Syntax and Routing - Host"; 3617 } 3618 leaf response-code { 3619 type string; 3620 description 3621 "The HTTP Response status code"; 3622 reference 3623 "IANA Website: Hypertext Transfer Protocol (HTTP) 3624 Status Code Registry"; 3625 } 3626 uses characteristics; 3627 uses log-action; 3628 uses common-monitoring-data; 3629 } 3630 } 3631 case i2nsf-nsf-detection-voip-volte{ 3632 if-feature "i2nsf-nsf-detection-voip-volte"; 3633 container i2nsf-nsf-detection-voip-volte { 3634 description 3635 "This notification is sent, when 
a VoIP/VoLTE violation 3636 is detected."; 3637 uses i2nsf-nsf-event-type-content-extend; 3638 leaf-list source-voice-id { 3639 type string; 3640 description 3641 "The detected source voice ID for VoIP and VoLTE that 3642 violates the security policy."; 3643 } 3644 leaf-list destination-voice-id { 3645 type string; 3646 description 3647 "The detected destination voice ID for VoIP and VoLTE 3648 that violates the security policy."; 3649 } 3650 leaf-list user-agent { 3651 type string; 3652 description 3653 "The detected user-agent for VoIP and VoLTE that 3654 violates the security policy."; 3655 } 3656 uses common-monitoring-data; 3657 } 3658 } 3659 } 3660 } 3661 /* 3662 * Data nodes 3663 */ 3664 container i2nsf-counters { 3665 config false; 3666 description 3667 "The state data representing continuous value changes of 3668 information elements that occur very frequently. The value 3669 should be calculated from the start of the service of the 3670 NSF."; 3672 leaf language { 3673 type string { 3674 pattern 3675 "^((en-GB-oed|i-ami|i-bnn|i-default|" 3676 + "i-enochian|i-hak|i-klingon|i-lux|i-mingo|i-navajo|i-pwn|" 3677 + "i-tao|i-tay|i-tsu|sgn-BE-FR|sgn-BE-NL|sgn-CH-DE)|" 3678 + "(art-lojban|cel-gaulish|no-bok|no-nyn|zh-guoyu|zh-hakka|" 3679 + "zh-min|zh-min-nan|zh-xiang)|" 3680 + "(([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3}){0,2})?)|" 3681 + "[A-Za-z]{4}|[A-Za-z]{5,8}" 3682 + "(-[A-Za-z]{4})?" 3683 + "(-[A-Za-z]{2}|[0-9]{3})?" 3684 + "(-[A-Za-z0-9]{5,8}|[0-9][A-Za-z0-9]{3})*" 3685 + "(-[0-9A-WY-Za-wy-z](-[A-Za-z0-9]{2,8})+)*" 3686 + "(-x(-[A-Za-z0-9]{1,8})+)?)|" 3687 + "x(-[A-Za-z0-9]{1,8})+)$"; 3688 } 3689 description 3690 "The value in this field describes the human language 3691 intended for the user, so that it allows a user to 3692 differentiate the language that is used in the 3693 notification. 
This field is not mandatory, but required 3694 when the implementation provides more than one human 3695 language for the human-readable string fields, 3696 e.g., /i2nsf-counters/system-interface/message. 3698 This field uses the language-tag production in Section 2.1 3699 in RFC 5646. See the document for more details."; 3700 reference 3701 "RFC 5646: Tags for Identifying Languages"; 3702 } 3704 list system-interface { 3705 key interface-name; 3706 description 3707 "Interface counters provide the visibility of traffic into 3708 and out of an NSF, and bandwidth usage."; 3709 uses characteristics; 3710 uses i2nsf-system-counter-type-content; 3711 uses common-monitoring-data; 3712 uses timestamp; 3713 } 3714 list nsf-firewall { 3715 key policy-name; 3716 description 3717 "Firewall counters provide the visibility of traffic 3718 signatures, bandwidth usage, and how the configured security 3719 and bandwidth policies have been applied."; 3720 uses characteristics; 3721 uses i2nsf-nsf-counters-type-content; 3722 uses traffic-rates; 3723 uses common-monitoring-data; 3724 uses timestamp; 3725 } 3726 list nsf-policy-hits { 3727 key policy-name; 3728 description 3729 "Policy Hit Counters record the number of hits that traffic 3730 packets match a security policy. It can check if policy 3731 configurations are correct or not."; 3732 uses characteristics; 3733 uses i2nsf-nsf-counters-type-content; 3734 uses common-monitoring-data; 3735 leaf discontinuity-time { 3736 type yang:date-and-time; 3737 mandatory true; 3738 description 3739 "The time on the most recent occasion at which any one or 3740 more of the counters suffered a discontinuity. 
If no such 3741 discontinuities have occurred since the last 3742 re-initialization of the local management subsystem, then 3743 this node contains the time the local management subsystem 3744 was re-initialized."; 3745 } 3746 leaf hit-times { 3747 type yang:counter64; 3748 description 3749 "The number of times that the security policy matches the 3750 specified traffic."; 3751 } 3752 uses timestamp; 3753 } 3754 } 3756 container i2nsf-monitoring-configuration { 3757 description 3758 "The container for configuring I2NSF monitoring."; 3759 container i2nsf-system-detection-alarm { 3760 description 3761 "The container for configuring I2NSF system-detection-alarm 3762 notification"; 3763 uses enable-notification; 3764 list system-alarm { 3765 key alarm-type; 3766 description 3767 "Configuration for system alarm (i.e., CPU, Memory, and 3768 Disk Usage)"; 3769 leaf alarm-type { 3770 type enumeration { 3771 enum cpu { 3772 description 3773 "To configure the CPU usage threshold to trigger the 3774 cpu-alarm"; 3775 } 3776 enum memory { 3777 description 3778 "To configure the Memory usage threshold to trigger 3779 the memory-alarm"; 3780 } 3781 enum disk { 3782 description 3783 "To configure the Disk (storage) usage threshold to 3784 trigger the disk-alarm"; 3785 } 3787 } 3788 description 3789 "Type of alarm to be configured. The three alarm-types 3790 defined here are used to configure the threshold of the 3791 monitoring notification. The threshold is used to 3792 determine when the notification should be sent. 3793 The other two alarms defined in the module (i.e., 3794 hardware-alarm and interface-alarm) do not use any 3795 threshold value to create a notification. These alarms 3796 detect a failure or a change of state to create a 3797 notification."; 3798 } 3799 leaf threshold { 3800 type uint8 { 3801 range "1..100"; 3802 } 3803 units "percent"; 3804 description 3805 "The configuration for threshold percentage to trigger 3806 the alarm. 
The alarm will be triggered if the usage 3807 is exceeded the threshold."; 3808 } 3809 uses dampening; 3810 } 3811 } 3812 container i2nsf-system-detection-event { 3813 description 3814 "The container for configuring I2NSF system-detection-event 3815 notification"; 3816 uses enable-notification; 3817 uses dampening; 3818 } 3819 container i2nsf-traffic-flows { 3820 description 3821 "The container for configuring I2NSF traffic-flows 3822 notification"; 3823 uses dampening; 3824 uses enable-notification; 3825 } 3826 container i2nsf-nsf-detection-ddos { 3827 if-feature "i2nsf-nsf-detection-ddos"; 3828 description 3829 "The container for configuring I2NSF nsf-detection-ddos 3830 notification"; 3831 uses enable-notification; 3832 uses dampening; 3833 } 3834 container i2nsf-nsf-detection-session-table { 3835 description 3836 "The container for configuring I2NSF nsf-detection-session- 3837 table notification"; 3838 uses enable-notification; 3839 uses dampening; 3840 } 3841 container i2nsf-nsf-detection-intrusion { 3842 if-feature "i2nsf-nsf-detection-intrusion"; 3843 description 3844 "The container for configuring I2NSF nsf-detection-intrusion 3845 notification"; 3846 uses enable-notification; 3847 uses dampening; 3848 } 3849 container i2nsf-nsf-detection-web-attack { 3850 if-feature "i2nsf-nsf-detection-web-attack"; 3851 description 3852 "The container for configuring I2NSF nsf-detection-web-attack 3853 notification"; 3854 uses enable-notification; 3855 uses dampening; 3856 } 3857 container i2nsf-nsf-system-access-log { 3858 description 3859 "The container for configuring I2NSF system-access-log 3860 notification"; 3861 uses enable-notification; 3862 uses dampening; 3863 } 3864 container i2nsf-system-res-util-log { 3865 description 3866 "The container for configuring I2NSF system-res-util-log 3867 notification"; 3868 uses enable-notification; 3869 uses dampening; 3870 } 3871 container i2nsf-system-user-activity-log { 3872 description 3873 "The container for configuring 
I2NSF system-user-activity-log 3874 notification"; 3875 uses enable-notification; 3876 uses dampening; 3877 } 3878 container i2nsf-nsf-log-dpi { 3879 if-feature "i2nsf-nsf-log-dpi"; 3880 description 3881 "The container for configuring I2NSF nsf-log-dpi 3882 notification"; 3884 uses enable-notification; 3885 uses dampening; 3886 } 3887 container i2nsf-counter { 3888 description 3889 "This is used to configure the counters 3890 for monitoring an NSF"; 3891 leaf period { 3892 type uint16; 3893 units "minutes"; 3894 default 0; 3895 description 3896 "The configuration for the period interval of reporting 3897 the counter. If 0, then the counter period is disabled. 3898 If value is not 0, then the counter will be reported 3899 following the period value."; 3900 } 3901 } 3902 } 3903 } 3904 3906 Figure 2: Data Model of Monitoring 3908 9. I2NSF Event Stream 3910 This section discusses the NETCONF event stream for I2NSF NSF 3911 Monitoring subscription. The YANG module in this document supports 3912 "ietf-subscribed-notifications" YANG module [RFC8639] for 3913 subscription. The reserved event stream name for this document is 3914 "I2NSF-Monitoring". The NETCONF Server (e.g., an NSF) MUST support 3915 "I2NSF-Monitoring" event stream for an NSF data collector (e.g., 3916 Security Controller). The "I2NSF-Monitoring" event stream contains 3917 all I2NSF events described in this document. 3919 The following XML example shows the capabilities of the event streams 3920 generated by an NSF (e.g., "NETCONF" and "I2NSF-Monitoring" event 3921 streams) for the subscription of an NSF data collector. Refer to 3922 [RFC5277] for more detailed explanation of Event Streams. The XML 3923 examples in this document follow the line breaks as per [RFC8792]. 
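The dampening grouping and the system-alarm threshold configuration in the module above together decide whether and when a threshold alarm is emitted: the usage must exceed the configured threshold, the first record after an idle dampening-period goes out at once, and changes inside an active period only refresh a pending record that is sent when the period ends. The following Python is an added example, not code from the draft or any I2NSF implementation; it runs both rules over constructed usage samples. The class and function names, and the keys of the emitted record, are choices made for this example; times are in centiseconds to match the dampening-period units.

```python
"""Threshold alarm gated by the dampening-period, as an added example.

Models system-alarm (alarm-type, threshold 1..100 percent) from
i2nsf-monitoring-configuration together with the dampening grouping.
Not code from the draft; names are this example's own.
"""
from dataclasses import dataclass

ALARM_TYPES = ("cpu", "memory", "disk")   # the enum values of alarm-type


@dataclass
class AlarmConfig:
    alarm_type: str            # "cpu", "memory" or "disk"
    threshold: int             # percent, range "1..100" as in the module
    dampening_period: int = 0  # centiseconds; default "0" means no dampening
    enabled: bool = True       # from the enable-notification grouping

    def __post_init__(self):
        if self.alarm_type not in ALARM_TYPES:
            raise ValueError(f"unknown alarm-type {self.alarm_type!r}")
        if not 1 <= self.threshold <= 100:
            raise ValueError("threshold must be in 1..100")


def exceeds(usage, cfg):
    """The alarm fires when usage exceeds the threshold (91 > 90 in Figure 4)."""
    return usage > cfg.threshold


def alarm_record(cfg, usage):
    # Keys are illustrative labels for this example, not the module's leaf
    # names; the identity names cpu-alarm/memory-alarm/disk-alarm are the
    # ones the alarm-type enum descriptions refer to.
    return {"alarm-category": f"nsfmi:{cfg.alarm_type}-alarm",
            "usage": usage, "threshold": cfg.threshold}


class Dampener:
    """dampening-period semantics: a change after an idle period is sent at
    once; changes during the active period only replace the pending record,
    which is sent when the period ends, and the countdown restarts then."""

    def __init__(self, period_cs):
        self.period = period_cs
        self.last_sent = None   # time the last update record was created
        self.pending = None     # latest record changed during the period

    def flush(self, now):
        """Emit the pending record if its period ended at or before now."""
        if self.pending is not None and self.last_sent + self.period <= now:
            due = self.last_sent + self.period
            record, self.pending = self.pending, None
            self.last_sent = due           # restart the countdown at the end
            return [(due, record)]
        return []

    def offer(self, now, record):
        """Offer a changed record at time now; return (time, record) emissions."""
        out = self.flush(now)
        if self.last_sent is None or now - self.last_sent >= self.period:
            self.last_sent = now
            out.append((now, record))      # idle period: send immediately
        else:
            self.pending = record          # active period: keep latest only
        return out


def monitor(samples, cfg):
    """Run (time_cs, usage_percent) samples through threshold + dampening;
    return the list of (emit_time_cs, record) notifications."""
    if not cfg.enabled:
        return []
    damp = Dampener(cfg.dampening_period)
    emitted = []
    for t, usage in samples:
        if exceeds(usage, cfg):
            emitted.extend(damp.offer(t, alarm_record(cfg, usage)))
        else:
            emitted.extend(damp.flush(t))
    if samples:   # let the last active period run out
        emitted.extend(damp.flush(samples[-1][0] + cfg.dampening_period))
    return emitted


# Constructed memory-usage samples (centiseconds, percent), not from the draft.
SAMPLES = [(0, 85), (100, 91), (200, 93), (400, 95), (700, 89), (800, 97)]

if __name__ == "__main__":
    for period in (500, 0):
        cfg = AlarmConfig("memory", threshold=90, dampening_period=period)
        print(f"dampening-period={period}:",
              [(t, r["usage"]) for t, r in monitor(SAMPLES, cfg)])
```

With a 5-second period the six samples yield three notifications (at 100, 600 and 1100 centiseconds, carrying usages 91, 95 and 97); with the default period of 0 every sample above the threshold is sent, which is the behaviour a collector sees when the dampening leaf is left unset.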
   [Figure 3 XML: the markup is not preserved on this page; the element
    values that survive are listed below]

      NETCONF
      Default NETCONF Event Stream
      false

      I2NSF-Monitoring
      I2NSF Monitoring Event Stream
      true
      2021-04-29T09:37:39+00:00

      Figure 3: Example of NETCONF Server supporting I2NSF-Monitoring
                Event Stream

10.  XML Examples for I2NSF NSF Monitoring

   This section shows XML examples of I2NSF NSF Monitoring data
   delivered via the Monitoring Interface from an NSF.  In order for the
   XML data to be used correctly, the prefix (i.e., the characters
   before the colon, 'nsfmi' in the example) in the content of an
   element that uses the "identityref" type (e.g., /i2nsf-event/i2nsf-
   system-detection-alarm/alarm-category/) in the YANG module described
   in this document MUST be the same as the namespace prefix (i.e.,
   'nsfmi' in the example) declared for
   urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring.  Therefore,
   XML software MUST be chosen that makes the namespace prefix
   information available.

10.1.  I2NSF System Detection Alarm

   The following example shows an alarm triggered by the memory usage of
   the server; note that this example XML file is delivered by an NSF to
   an NSF data collector:

   [Figure 4 XML: the markup is not preserved on this page; the element
    values that survive are listed below]

      2021-04-29T07:43:52.181088+00:00
      nsfmi:memory-alarm
      nsfmi:subscription
      nsfmi:on-change
      nsfmi:on-repetition
      91
      90
      Memory Usage Exceeded the Threshold
      time_based_firewall
      high

      Figure 4: Example of I2NSF System Detection Alarm triggered by
                Memory Usage

   The XML data above shows:

   1.  The NSF that sends the information is named
       "time_based_firewall".

   2.  The memory usage of the NSF triggered the alarm.

   3.  The monitoring information is received by the subscription
       method.

   4.  The monitoring information is emitted "on-change".

   5.  The monitoring information is dampened "on-repetition".

   6.  The memory usage of the NSF is 91 percent.

   7.  The memory threshold to trigger the alarm is 90 percent.

   8.  The severity level of the notification is high.

10.2.  I2NSF Interface Counters

   To get the I2NSF system interface counters information by query, the
   NETCONF Client (e.g., NSF data collector) needs to initiate a GET
   operation with the NETCONF Server (e.g., NSF).  The following XML
   file can be used to get the state data and filter the information.

   [Figure 5 XML: the markup is not preserved on this page]

      Figure 5: XML Example for NETCONF GET with System Interface Filter

   The following XML file shows the reply from the NETCONF Server (e.g.,
   NSF):

   [Figure 6 XML: the markup is not preserved on this page; the element
    values that survive are listed below, one block per interface]

      2021-04-29T08:43:52.181088+00:00
      ens3
      nsfmi:query
      549050
      814956
      0
      5078
      time_based_firewall

      2021-04-29T08:43:52.181088+00:00
      lo
      nsfmi:query
      48487
      48487
      0
      0
      time_based_firewall

      Figure 6: Example of I2NSF System Interface Counters XML
                Information

11.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring
      Registrant Contact: The IESG.
      XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950][RFC8525]:

      name: ietf-i2nsf-nsf-monitoring
      namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring
      prefix: nsfmi
      reference: RFC XXXX

   // RFC Ed.: replace XXXX with an actual RFC number and remove
   // this note.

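   Section 10 requires that the prefix of every "identityref" value be
   the one bound to the ietf-i2nsf-nsf-monitoring namespace, and that
   the XML software expose prefix bindings.  The following Python
   example, added here and not part of this draft, parses a system
   detection alarm notification carrying the values of Figure 4 with
   xml.etree's "start-ns" events and rejects an alarm whose identityref
   prefix is not bound to the nsfmi namespace.  The sample XML is
   constructed, and the element names inside the alarm (acquisition-
   method, emission-type, dampening-type, usage, threshold, nsf-name,
   severity) are assumed rather than taken from the page.

```python
import xml.etree.ElementTree as ET
from io import BytesIO

# Namespace URI registered by this draft (prefix nsfmi) and the RFC 5277 one.
NSFMI_NS = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"
NOTIF_NS = "urn:ietf:params:xml:ns:netconf:notification:1.0"

# Constructed sample carrying the values of Figure 4; the element names
# inside the alarm are assumed here, not taken from the draft text.
SAMPLE_ALARM = b"""<notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
  <eventTime>2021-04-29T07:43:52.181088+00:00</eventTime>
  <i2nsf-event xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"
               xmlns:nsfmi="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring">
    <i2nsf-system-detection-alarm>
      <alarm-category>nsfmi:memory-alarm</alarm-category>
      <acquisition-method>nsfmi:subscription</acquisition-method>
      <emission-type>nsfmi:on-change</emission-type>
      <dampening-type>nsfmi:on-repetition</dampening-type>
      <usage>91</usage>
      <threshold>90</threshold>
      <message>Memory Usage Exceeded the Threshold</message>
      <nsf-name>time_based_firewall</nsf-name>
      <severity>high</severity>
    </i2nsf-system-detection-alarm>
  </i2nsf-event>
</notification>"""


def resolve_identityref(value, ns_map):
    """Return the bare identity name if value's prefix is bound to NSFMI_NS."""
    prefix, sep, name = value.partition(":")
    if not sep or ns_map.get(prefix) != NSFMI_NS:
        raise ValueError("identityref %r is not qualified by the nsfmi prefix" % value)
    return name


def parse_system_detection_alarm(xml_bytes):
    """Parse one i2nsf-system-detection-alarm notification into a dict,
    collecting prefix bindings from iterparse 'start-ns' events (flat map)."""
    ns_map, root = {}, None
    for event, data in ET.iterparse(BytesIO(xml_bytes), ("start-ns", "start")):
        if event == "start-ns":
            ns_map[data[0]] = data[1]      # (prefix, uri); "" is the default ns
        elif root is None:
            root = data                   # the <notification> element
    alarm = root.find("{%s}i2nsf-event/{%s}i2nsf-system-detection-alarm"
                      % (NSFMI_NS, NSFMI_NS))
    if alarm is None:
        raise ValueError("not an i2nsf-system-detection-alarm notification")
    text = lambda tag: alarm.findtext("{%s}%s" % (NSFMI_NS, tag), "").strip()
    return {
        "event_time": root.findtext("{%s}eventTime" % NOTIF_NS, "").strip(),
        "alarm_category": resolve_identityref(text("alarm-category"), ns_map),
        "acquisition_method": resolve_identityref(text("acquisition-method"), ns_map),
        "emission_type": resolve_identityref(text("emission-type"), ns_map),
        "dampening_type": resolve_identityref(text("dampening-type"), ns_map),
        "usage": int(text("usage")),
        "threshold": int(text("threshold")),
        "nsf_name": text("nsf-name"),
        "severity": text("severity"),
    }
```

   A collector that resolves identityrefs this way treats an undeclared
   or foreign prefix as a malformed notification instead of silently
   matching on the local name.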
12.  Security Considerations

   The YANG module described in this document defines a schema for data
   that is designed to be accessed via network management protocols such
   as NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer
   is the secure transport layer, and the required secure transport is
   Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer is HTTPS,
   and the required secure transport is TLS [RFC8446].

   The NETCONF access control model [RFC8341] provides a means of
   restricting access for specific NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   All data nodes defined in the YANG module which can be created,
   modified and deleted (i.e., config true, which is the default) are
   considered sensitive, as they all could potentially impact security
   monitoring and mitigation activities.  Write operations (e.g., edit-
   config) applied to these data nodes without proper protection could
   result in missed alarms or incorrect alarm information being
   returned to the NSF data collector.  There are threats that need to
   be considered and mitigated:

   Compromised NSF with valid credentials:  It can send falsified
      information to the NSF data collector to mislead detection or
      mitigation activities, and/or to hide activity.  Currently, there
      is no in-framework mechanism to mitigate this, and it is an issue
      for all monitoring infrastructures.  It is important to prevent
      the disclosure of confidential information to unauthorized
      persons, to mitigate the possibility of the NSF being compromised
      with this information.

   Compromised NSF data collector with valid credentials:  It has
      visibility of all collected security alarms; the entire detection
      and mitigation infrastructure may be suspect.  It is important to
      prevent the disclosure of confidential information to
      unauthorized persons, to mitigate the possibility of the NSF data
      collector being compromised with this information.

   Impersonating NSF:  It is a system trying to send false information
      while imitating an NSF; client authentication would help the NSF
      data collector to identify this invalid NSF in the "push" model
      (NSF-to-collector), while the "pull" model (collector-to-NSF)
      should already be addressed by the authentication.

   Impersonating NSF data collector:  It is a rogue NSF data collector
      with which a legitimate NSF is tricked into communicating; for the
      "push" model (NSF-to-collector), it is important to require valid
      credentials, without which the communication should not work; for
      the "pull" model (collector-to-NSF), mutual authentication should
      be used to mitigate the threat.

   In addition, to defend against a DDoS attack caused by a large number
   of NSFs sending massive numbers of notifications to the NSF data
   collector, rate limiting or similar mechanisms should be considered
   in both the NSF and the NSF data collector, whether configured in
   advance or applied during a DDoS attack.

   All of the readable data nodes in this YANG module may be considered
   sensitive in some network environments.  These data nodes represent
   information consistent with the logging commonly performed in network
   and security operations.  They may reveal the specific configuration
   of a network; vulnerabilities in specific systems; and the deployed
   security controls and their relative efficacy in detecting or
   mitigating an attack.  To an attacker, this information could inform
   how to (further) compromise the network, evade detection, or confirm
   whether they have been observed by the network operator.

   Additionally, many of the data nodes in this YANG module, such as the
   containers "i2nsf-system-user-activity-log", "i2nsf-system-detection-
   event", and "i2nsf-nsf-detection-voip-volte", are privacy sensitive.
   They may describe specific or aggregate user activity, including
   associating user names with specific IP addresses, or users with
   specific network usage.

13.  Acknowledgments

   This document is a product of the I2NSF Working Group (WG), including
   the WG Chairs (i.e., Linda Dunbar and Yoav Nir) and Diego Lopez.
   This document took advantage of the review and comments from the
   following people: Roman Danyliw, Tim Bray (IANA), Kyle Rose
   (TSV-ART), Dale R. Worley (Gen-ART), Melinda Shore (SecDir), Valery
   Smyslov (ART-ART), and Tom Petch.  The authors sincerely appreciate
   their efforts and kind help.

   This work was supported by an Institute of Information &
   Communications Technology Planning & Evaluation (IITP) grant funded
   by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755,
   Cloud based Security Intelligence Technology Development for the
   Customized Security Service Provisioning).  This work was supported
   in part by the IITP (2020-0-00395, Standard Development of Blockchain
   based Network Management Automation Technology).  This work was
   supported in part by the MSIT under the Information Technology
   Research Center (ITRC) support program (IITP-2021-2017-0-01633)
   supervised by the IITP.

14.  Contributors

   The following are co-authors of this document:

   Chaehong Chung - Department of Electronic, Electrical and Computer
   Engineering, Sungkyunkwan University, 2066 Seobu-ro Jangan-gu, Suwon,
   Gyeonggi-do 16419, Republic of Korea, Email: darkhong@skku.edu

   Jinyong (Tim) Kim - Department of Electronic, Electrical and Computer
   Engineering, Sungkyunkwan University, 2066 Seobu-ro Jangan-gu, Suwon,
   Gyeonggi-do 16419, Republic of Korea, Email: timkim@skku.edu

   Dongjin Hong - Department of Electronic, Electrical and Computer
   Engineering, Sungkyunkwan University, 2066 Seobu-ro Jangan-gu, Suwon,
   Gyeonggi-do 16419, Republic of Korea, Email: dong.jin@skku.edu

   Dacheng Zhang - Huawei, Email: dacheng.zhang@huawei.com

   Yi Wu - Alibaba Group, Email: anren.wy@alibaba-inc.com

   Rakesh Kumar - Juniper Networks, 1133 Innovation Way, Sunnyvale, CA
   94089, USA, Email: rkkumar@juniper.net

   Anil Lohiya - Juniper Networks, Email: alohiya@juniper.net

15.  References

15.1.  Normative References

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              DOI 10.17487/RFC0768, August 1980.

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
              DOI 10.17487/RFC0791, September 1981.

   [RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5,
              RFC 792, DOI 10.17487/RFC0792, September 1981.

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, DOI 10.17487/RFC0793, September 1981.

   [RFC0854]  Postel, J. and J. Reynolds, "Telnet Protocol
              Specification", STD 8, RFC 854, DOI 10.17487/RFC0854,
              May 1983.

   [RFC0959]  Postel, J. and J. Reynolds, "File Transfer Protocol",
              STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985.

   [RFC1939]  Myers, J. and M. Rose, "Post Office Protocol - Version 3",
              STD 53, RFC 1939, DOI 10.17487/RFC1939, May 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC3877]  Chisholm, S. and D. Romascanu, "Alarm Management
              Information Base (MIB)", RFC 3877, DOI 10.17487/RFC3877,
              September 2004.

   [RFC4340]  Kohler, E., Handley, M., and S. Floyd, "Datagram
              Congestion Control Protocol (DCCP)", RFC 4340,
              DOI 10.17487/RFC4340, March 2006.

   [RFC4443]  Conta, A., Deering, S., and M. Gupta, Ed., "Internet
              Control Message Protocol (ICMPv6) for the Internet
              Protocol Version 6 (IPv6) Specification", STD 89,
              RFC 4443, DOI 10.17487/RFC4443, March 2006.

   [RFC4960]  Stewart, R., Ed., "Stream Control Transmission Protocol",
              RFC 4960, DOI 10.17487/RFC4960, September 2007.

   [RFC5277]  Chisholm, S. and H. Trevino, "NETCONF Event
              Notifications", RFC 5277, DOI 10.17487/RFC5277, July 2008.

   [RFC5321]  Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
              DOI 10.17487/RFC5321, October 2008.

   [RFC5646]  Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying
              Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646,
              September 2009.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6265]  Barth, A., "HTTP State Management Mechanism", RFC 6265,
              DOI 10.17487/RFC6265, April 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, DOI 10.17487/RFC7230, June 2014.

   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
              DOI 10.17487/RFC7231, June 2014.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", STD 86, RFC 8200,
              DOI 10.17487/RFC8200, July 2017.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [RFC8343]  Bjorklund, M., "A YANG Data Model for Interface
              Management", RFC 8343, DOI 10.17487/RFC8343, March 2018.

   [RFC8407]  Bierman, A., "Guidelines for Authors and Reviewers of
              Documents Containing YANG Data Models", BCP 216, RFC 8407,
              DOI 10.17487/RFC8407, October 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

   [RFC8525]  Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
              and R. Wilton, "YANG Library", RFC 8525,
              DOI 10.17487/RFC8525, March 2019.

   [RFC8639]  Voit, E., Clemm, A., Gonzalez Prieto, A., Nilsen-Nygaard,
              E., and A. Tripathy, "Subscription to YANG Notifications",
              RFC 8639, DOI 10.17487/RFC8639, September 2019.

   [RFC8641]  Clemm, A. and E. Voit, "Subscription to YANG Notifications
              for Datastore Updates", RFC 8641, DOI 10.17487/RFC8641,
              September 2019.

   [RFC9051]  Melnikov, A., Ed. and B. Leiba, Ed., "Internet Message
              Access Protocol (IMAP) - Version 4rev2", RFC 9051,
              DOI 10.17487/RFC9051, August 2021.

   [I-D.ietf-i2nsf-nsf-facing-interface-dm]
              Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin,
              "I2NSF Network Security Function-Facing Interface YANG
              Data Model", Work in Progress, Internet-Draft, draft-ietf-
              i2nsf-nsf-facing-interface-dm-16, 13 November 2021.

   [I-D.ietf-tcpm-rfc793bis]
              Eddy, W. M., "Transmission Control Protocol (TCP)
              Specification", Work in Progress, Internet-Draft, draft-
              ietf-tcpm-rfc793bis-25, 7 September 2021.

15.2.  Informative References

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007.

   [RFC8792]  Watsen, K., Auerswald, E., Farrel, A., and Q. Wu,
              "Handling Long Lines in Content of Internet-Drafts and
              RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020.

   [I-D.ietf-i2nsf-consumer-facing-interface-dm]
              Jeong, J., Chung, C., Ahn, T., Kumar, R., and S. Hares,
              "I2NSF Consumer-Facing Interface YANG Data Model", Work in
              Progress, Internet-Draft, draft-ietf-i2nsf-consumer-
              facing-interface-dm-15, 15 September 2021.

   [IANA-HTTP-Status-Code]
              Internet Assigned Numbers Authority (IANA), "Hypertext
              Transfer Protocol (HTTP) Status Code Registry", September
              2018.

   [IANA-Media-Types]
              Internet Assigned Numbers Authority (IANA), "Media Types",
              August 2021.

Appendix A.  Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-13

   The following changes are made from draft-ietf-i2nsf-nsf-monitoring-
   data-model-13:

   *  This version is added to update the references.

Authors' Addresses

   Jaehoon (Paul) Jeong (editor)
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon
   Gyeonggi-Do
   16419
   Republic of Korea

   Phone: +82 31 299 4957
   Email: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Patrick Lingga
   Department of Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon
   Gyeonggi-Do
   16419
   Republic of Korea

   Phone: +82 31 299 4957
   Email: patricklink@skku.edu

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   United States of America

   Phone: +1-734-604-0332
   Email: shares@ndzh.com

   Liang (Frank) Xia
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing
   Jiangsu
   China

   Email: Frank.xialiang@huawei.com

   Henk Birkholz
   Fraunhofer Institute for Secure Information Technology
   Rheinstrasse 75
   64295 Darmstadt
   Germany

   Email: henk.birkholz@sit.fraunhofer.de