Network Working Group                                      J. Jeong, Ed.
Internet-Draft                                                 P. Lingga
Intended status: Standards Track                 Sungkyunkwan University
Expires: 19 August 2022                                         S. Hares
                                                                  L. Xia
                                                                  Huawei
                                                             H. Birkholz
                                                          Fraunhofer SIT
                                                        15 February 2022

             I2NSF NSF Monitoring Interface YANG Data Model
             draft-ietf-i2nsf-nsf-monitoring-data-model-15

Abstract

   This document proposes an information model and the corresponding
   YANG data model of an interface for monitoring Network Security
   Functions (NSFs) in the Interface to Network Security Functions
   (I2NSF) framework.  If the monitoring of NSFs is performed with the
   NSF monitoring interface in a standard way, it is possible to detect
   the indication of malicious activity, anomalous behavior, the
   potential sign of denial-of-service attacks, or system overload in a
   timely manner.  This monitoring functionality is based on the
   monitoring information that is generated by NSFs.  Thus, this
   document describes not only an information model for the NSF
   monitoring interface along with a YANG tree diagram, but also the
   corresponding YANG data model.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 19 August 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Use Cases for NSF Monitoring Data
   4.  Classification of NSF Monitoring Data
     4.1.  Retention and Emission from NSFs
     4.2.  Notifications for Events and Records
     4.3.  Push and Pull for the retrieval of monitoring data from NSFs
   5.  Basic Information Model for Monitoring Data
   6.  Extended Information Model for Monitoring Data
     6.1.  System Alarms
       6.1.1.  Memory Alarm
       6.1.2.  CPU Alarm
       6.1.3.  Disk Alarm
       6.1.4.  Hardware Alarm
       6.1.5.  Interface Alarm
     6.2.  System Events
       6.2.1.  Access Violation
       6.2.2.  Configuration Change
       6.2.3.  Session Table Event
       6.2.4.  Traffic Flows
     6.3.  NSF Events
       6.3.1.  DDoS Detection
       6.3.2.  Virus Event
       6.3.3.  Intrusion Event
       6.3.4.  Web Attack Event
       6.3.5.  VoIP/VoCN Event
     6.4.  System Logs
       6.4.1.  Access Log
       6.4.2.  Resource Utilization Log
       6.4.3.  User Activity Log
     6.5.  NSF Logs
       6.5.1.  Deep Packet Inspection Log
     6.6.  System Counter
       6.6.1.  Interface Counter
     6.7.  NSF Counters
       6.7.1.  Firewall Counter
       6.7.2.  Policy Hit Counter
   7.  YANG Tree Structure of NSF Monitoring YANG Module
   8.  YANG Data Model of NSF Monitoring YANG Module
   9.  I2NSF Event Stream
   10. XML Examples for I2NSF NSF Monitoring
     10.1.  I2NSF System Detection Alarm
     10.2.  I2NSF Interface Counters
   11. IANA Considerations
   12. Security Considerations
   13. Acknowledgments
   14. Contributors
   15. References
     15.1.  Normative References
     15.2.  Informative References
   Appendix A.  Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-14
   Authors' Addresses

1.  Introduction

   According to [RFC8329], the interface provided by a Network Security
   Function (NSF) (e.g., Firewall, IPS, or Anti-DDoS function) to enable
   the collection of monitoring information is referred to as an I2NSF
   Monitoring Interface.  This interface enables the sharing of vital
   data from the NSFs (e.g., events, records, and counters) to the NSF
   data collector through a variety of mechanisms (e.g., queries and
   notifications).  The monitoring of an NSF plays an important role in
   an overall security framework, if it is done in a timely way.  The
   monitoring information generated by an NSF can be a good, early
   indication of anomalous behavior or malicious activity, such as
   denial-of-service (DoS) attacks.

   This document defines an information model of an NSF monitoring
   interface that provides visibility into an NSF for the NSF data
   collector.  Note that an NSF data collector is defined as an entity
   that collects NSF monitoring data from an NSF, such as a Security
   Controller.  It specifies the information and illustrates the methods
   that enable an NSF to provide the information required in order to be
   monitored in a scalable and efficient way via the NSF Monitoring
   Interface.
   The information model for the NSF monitoring interface presented in
   this document is complementary to the security policy provisioning
   functionality of the NSF-Facing Interface specified in
   [I-D.ietf-i2nsf-nsf-facing-interface-dm].

   This document also defines a YANG [RFC7950] data model for the NSF
   monitoring interface, which is derived from the information model for
   the NSF monitoring interface.

   Note that this document covers only the subset of monitoring data for
   systems and NSFs that is related to security.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   This document uses the terminology described in [RFC8329].  In
   addition, the following terms are defined in this document:

   *  I2NSF User: An entity that delivers a high-level security policy
      to the Security Controller and may request monitoring information
      via the NSF data collector.

   *  Monitoring Information: Relevant data that can be processed to
      know the status and performance of the network and the NSF.  The
      monitoring information in an I2NSF environment consists of I2NSF
      Events, I2NSF Records, and I2NSF Counters (see Section 4.1 for the
      detailed definition).  This information is to be delivered to the
      NSF data collector.

   *  Notification: Unsolicited transmission of monitoring information.

   *  NSF Data Collector: An entity that collects NSF monitoring
      information from NSFs, such as a Security Controller.

   *  Subscription: An agreement initiated by the NSF data collector to
      receive monitoring information from an NSF.  The method to
      subscribe follows the method explained in [RFC5277].
   This document follows the guidelines of [RFC8407], uses the common
   YANG types defined in [RFC6991], and adopts the Network Management
   Datastore Architecture (NMDA) [RFC8342].  The meaning of the symbols
   in tree diagrams is defined in [RFC8340].

3.  Use Cases for NSF Monitoring Data

   As mentioned earlier, monitoring plays a critical role in an overall
   security framework.  The monitoring of the NSF provides very valuable
   information to an NSF data collector (e.g., Security Controller) in
   maintaining the provisioned security posture.  Besides this, there
   are various other reasons to monitor the NSF, as listed below:

   *  The I2NSF User (i.e., the security administrator) can configure a
      policy that is triggered on a specific event occurring in the NSF
      or the network [RFC8329]
      [I-D.ietf-i2nsf-consumer-facing-interface-dm].  If an NSF data
      collector detects the specified event, it configures additional
      security functions as defined by policies.

   *  The events triggered by an NSF as a result of a security policy
      violation can be used by Security Information and Event Management
      (SIEM) to detect any suspicious activity in a larger correlation
      context.

   *  The information (i.e., events, records, and counters) from an NSF
      can be used to build advanced analytics, such as behavior and
      predictive models, to improve the security posture in large
      deployments.

   *  The NSF data collector can use events from the NSF for achieving
      high availability.  It can take corrective actions such as
      restarting a failed NSF and horizontally scaling up the NSF.

   *  The information (i.e., events, records, and counters) from the NSF
      can aid in the root cause analysis of an operational issue, so it
      can improve debugging.

   *  The records from the NSF can be used to build historical data for
      operation and business reasons.

4.  Classification of NSF Monitoring Data

   In order to maintain a strong security posture, it is not only
   necessary to configure an NSF's security policies but also to
   continuously monitor the NSF by checking acquirable and observable
   data.  This enables security administrators to assess the state of
   the networks in a timely fashion.  It is not possible to block all
   the internal and external threats based on a static security posture.
   A more practical approach is supported by enabling dynamic security
   measures, for which continuous visibility is required.  This document
   defines a set of monitoring elements and their scopes that can be
   acquired from an NSF and can be used as NSF monitoring data.  In
   essence, this monitoring data can be leveraged to support constant
   visibility on multiple levels of granularity and can be consumed by
   the corresponding functions.

   Three basic domains of monitoring data originating from a system
   entity [RFC4949], i.e., an NSF, are discussed in this document:

   *  Retention and Emission from NSFs

   *  Notifications for Events and Records

   *  Push and Pull for the retrieval of monitoring data from NSFs

   Every system entity creates information about some context with
   defined I2NSF monitoring data, and so every entity can be an I2NSF
   component.  This information is intended to be consumed by other
   I2NSF components, which deal with NSF monitoring data in an
   automated fashion.

4.1.  Retention and Emission from NSFs

   A system entity (e.g., NSF) first retains I2NSF monitoring data
   inside its own system before emitting the information to another
   I2NSF component (e.g., NSF Data Collector).
   The I2NSF monitoring information consists of I2NSF Events, I2NSF
   Records, and I2NSF Counters as follows:

   I2NSF Event:  An I2NSF Event is defined as an important occurrence at
      a particular time, that is, a change in the system being managed
      or a change in the environment of the system being managed.  An
      I2NSF Event requires immediate attention and should be notified as
      soon as possible.  When used in the context of an (imperative)
      I2NSF Policy Rule, an I2NSF Event is used to determine whether the
      Condition clause of that Policy Rule can be evaluated or not.  The
      Alarm Management Framework in [RFC3877] defines an event as
      something that happens which may be of interest.  Examples of an
      event are a fault, a change in status, crossing a threshold, or an
      external input to the system.  In the I2NSF domain, I2NSF events
      are created following the definition of an event in the Alarm
      Management Framework.

   I2NSF Record:  A record is defined as an item of information that is
      kept to be looked at and used in the future.  Typically, records
      are information generated by a system entity (e.g., NSF) that is
      based on operational and informational data (i.e., various changes
      in system characteristics), and are generated at particular
      instants to be kept without any changes afterward.  A set of
      records has an ordering in time based on when they are generated.

      Unlike I2NSF Events, records do not require immediate attention
      but may be useful for visibility and retroactive cyber forensics.
      Records are typically stored in log files or databases on a system
      entity or NSF.  Examples of records include user activities,
      device performance, and network status.  They are important for
      debugging, auditing, and security forensics of a system entity or
      of the network containing the system entity.
   I2NSF Counter:  An I2NSF Counter is defined as a specific
      representation of an information element whose value changes very
      frequently.  Prominent examples are network interface counters for
      protocol data unit (PDU) amount, byte amount, drop counters, and
      error counters.  Counters are useful in debugging and visibility
      into the operational behavior of a system entity (e.g., NSF).
      When an NSF data collector asks for the value of a counter, a
      system entity MUST update the counter information and emit the
      latest information to the NSF data collector.

   Retention is defined as the storing of monitoring data in NSFs.  The
   retention of I2NSF monitoring information may be affected by the
   importance of the data.  The importance of the data could be
   context-dependent, where it may not just be based on the type of
   data, but may also depend on where it is deployed, e.g., in a test
   lab or testbed.  The local policy and configuration will dictate the
   policies and procedures to review, archive, or purge the collected
   monitoring data.

   Emission is defined as the delivery of monitoring data in NSFs to an
   NSF data collector.  The I2NSF monitoring information retained on a
   system entity (e.g., NSF) may be delivered to a corresponding I2NSF
   User via an NSF data collector.  The information consists of the
   aggregated records, typically in the form of log files or databases.
   For the NSF Monitoring Interface to deliver the information to the
   NSF data collector, the NSF needs to accommodate standardized
   delivery protocols, such as NETCONF [RFC6241] and RESTCONF [RFC8040].
   The NSF data collector can forward the information to the I2NSF User
   through standardized delivery protocols (e.g., RESTCONF and NETCONF).
   The interface for this delivery is out of the scope of this document.

4.2.  Notifications for Events and Records

   A specific task of an I2NSF User is to process I2NSF Policy Rules.
   The rules of a policy are composed of three clauses: Event,
   Condition, and Action clauses.  In consequence, an I2NSF Event is
   specified to trigger the evaluation of the Condition clause of the
   I2NSF Policy Rule.  Such an I2NSF Event is defined as an important
   occurrence at a particular time in the system being managed, and/or
   in the environment of the system being managed, a concept that
   aligns well with the generic definition of Event from [RFC3877].

   Another role of the I2NSF Event is to trigger a notification for
   monitoring the status of an NSF.  A notification is defined in
   [RFC3877] as an unsolicited transmission of management information.
   A system alarm (called an alarm) is defined in Section 6.1 as a
   warning related to service degradation in system hardware.  A system
   event (called an alert) is defined in Section 6.2 as a warning about
   any change of configuration, any access violation, or information
   about sessions and traffic flows.  Both an alarm and an alert are
   I2NSF Events that can be delivered as a notification.  The model
   illustrated in this document introduces a complementary type of
   information that can be conveyed in a notification.

   In I2NSF monitoring, a notification is used to deliver either an
   event or a record via the I2NSF Monitoring Interface.  The
   difference between the event and the record is the timing by which
   the notifications are emitted.  An event is emitted as soon as it
   happens in order to notify an NSF Data Collector of a problem that
   needs immediate attention.  A record is not emitted immediately to
   the NSF Data Collector; it can be emitted periodically to the NSF
   Data Collector.

   It is important to note that an NSF Data Collector as a consumer
   (i.e., observer) of a notification assesses the importance of the
   notification rather than an NSF as a producer.
   The producer can include metadata in a notification that supports
   the observer in assessing its importance (e.g., severity).

4.3.  Push and Pull for the retrieval of monitoring data from NSFs

   An important aspect of monitoring information is the freshness of the
   information.  From the perspective of security, it is important to
   notice changes in the current status of the network.  The I2NSF
   Monitoring Interface provides the means of sending monitored
   information from the NSFs to an NSF data collector in a timely
   manner.  Monitoring information can be acquired by a client (i.e.,
   NSF data collector) from a server (i.e., NSF) using push or pull
   methods.

   The pull is a query-based method to obtain information from the NSF.
   In this method, the NSF remains passive until the information is
   requested by the NSF data collector.  Once a request is accepted
   (with proper authentication), the NSF MUST update the information
   before sending it to the NSF data collector.

   The push is a report-based method to obtain information from the NSF.
   The report-based method ensures that the information can be delivered
   immediately without any request.  This method is used by the NSF to
   actively provide information to the NSF data collector.  To receive
   the information, the NSF data collector subscribes to the NSF for the
   information.

   These acquisition methods are used for different types of monitoring
   information.  Information that has a high level of urgency (i.e.,
   I2NSF Event) should be provided with the push method, while
   information that has a lower level of urgency (i.e., I2NSF Record and
   I2NSF Counter) can be provided with either the pull method or the
   push method.

5.  Basic Information Model for Monitoring Data

   As explained in the above section, there is a wealth of data
   available from NSFs that can be monitored.
   Firstly, there must be some general information with each monitoring
   message sent from an NSF that helps a consumer to identify the
   metadata of that message, which is listed below:

   *  message: The extra detailed description of NSF monitoring data to
      give an NSF data collector the context information as metadata.

   *  vendor-name: The vendor's name of the NSF that generates the
      message.

   *  device-model: The model of the device, which can be represented by
      the device model name or serial number.  This field is used to
      identify the model of the device that provides the security
      service.

   *  software-version: The version of the software used to provide the
      security service.

   *  nsf-name: The name or IP address of the NSF generating the
      message.  If the given nsf-name is not an IP address, the name can
      be an arbitrary string including a FQDN (Fully Qualified Domain
      Name).  The name MUST be unique in the scope of the management
      domain, so that the NSF generating the message can be told apart
      from every other NSF.

   *  severity: The severity level of the message.  There are four
      levels, i.e., critical, high, middle, and low.

   *  timestamp: The time when the message was generated.  For the
      notification operations (i.e., System Alarms, System Events, NSF
      Events, System Logs, and NSF Logs), this is represented by the
      eventTime of the NETCONF event notification [RFC5277].  For other
      operations (i.e., System Counter and NSF Counter), the timestamp
      MUST be provided separately.

   *  language: Describes the human language intended for the user, so
      that it allows a user to differentiate the language that is used
      in the notification.  This field is mandatory only when the
      implementation provides more than one human language for the
      human-readable string fields.

6.  Extended Information Model for Monitoring Data

   The extended information model is the specific monitoring data that
   covers the additional information associated with the detailed
   information of status and performance of the network and the NSF
   over the basic information model.  The extended information combined
   with the basic information creates the monitoring information (i.e.,
   I2NSF Event, Record, and Counter).

   The extended monitoring information has settable characteristics for
   data collection as follows:

   *  Acquisition method: The method to obtain the message.  It can be a
      "query" or a "subscription".  A "query" is a request-based method
      to acquire the solicited information.  A "subscription" is a
      report-based method that pushes information to the subscriber.

   *  Emission type: The cause type for the message to be emitted.  It
      can be "on-change", "periodic", or "on-request".  An "on-change"
      message is emitted when an important event happens in the NSF.  A
      "periodic" message is emitted at a certain time interval.  An
      "on-request" message is emitted when the information is requested.
      The interval at which a message is periodically emitted is
      configurable.

   *  Dampening type: The type of message dampening to stop the rapid
      transmission of messages.  The dampening types are "on-repetition"
      and "no-dampening".  The "on-repetition" type limits the
      transmitted "on-change" messages to one message per certain
      interval (e.g., 1 second).  This interval is defined as the
      dampening-period in [RFC8641].  The dampening-period is
      configurable.  The "no-dampening" type does not limit the
      transmission of messages of the same type.  In short,
      "on-repetition" means that the dampening is active and
      "no-dampening" means that it is inactive.  Activating the
      dampening for an "on-change" type of message is RECOMMENDED to
      reduce the number of messages generated.

6.1.  System Alarms

   System alarms have the following characteristics:

   *  acquisition-method: subscription

   *  emission-type: on-change

   *  dampening-type: on-repetition or no-dampening

6.1.1.  Memory Alarm

   Memory is the hardware that stores information temporarily or for a
   short period, i.e., Random Access Memory (RAM).  The memory-alarm is
   emitted when the RAM usage exceeds the threshold.  The following
   information should be included in a Memory Alarm:

   *  event-name: memory-alarm.

   *  usage: Specifies the amount of memory used.

   *  threshold: The threshold triggering the alarm.

   *  severity: The severity level of the message.  There are four
      levels, i.e., critical, high, middle, and low.

   *  message: Simple information as a human-readable text string such
      as "The memory usage exceeded the threshold" or with extra
      information.

6.1.2.  CPU Alarm

   The CPU is the Central Processing Unit that executes the basic
   operations of the system.  The cpu-alarm is emitted when the CPU
   usage exceeds the threshold.  The following information should be
   included in a CPU Alarm:

   *  event-name: cpu-alarm.

   *  usage: Specifies the CPU utilization.

   *  threshold: The threshold triggering the event.

   *  severity: The severity level of the message.  There are four
      levels, i.e., critical, high, middle, and low.

   *  message: Simple information as a human-readable text string such
      as "The CPU usage exceeded the threshold" or with extra
      information.

6.1.3.  Disk Alarm

   Disk is the hardware that stores information for a long time, i.e.,
   a Hard Disk or Solid-State Drive.  The disk-alarm is emitted when the
   disk usage exceeds the threshold.  The following information should
   be included in a Disk Alarm:

   *  event-name: disk-alarm.

   *  usage: Specifies the size of disk space used.

   *  threshold: The threshold triggering the event.

   *  severity: The severity level of the message.  There are four
      levels, i.e., critical, high, middle, and low.

   *  message: Simple information as a human-readable text string such
      as "The disk usage exceeded the threshold" or with extra
      information.

6.1.4.  Hardware Alarm

   The hardware-alarm is emitted when a hardware problem (e.g., in the
   CPU, memory, disk, or an interface) is detected.  The following
   information should be included in a Hardware Alarm:

   *  event-name: hardware-alarm.

   *  component-name: Indicates the hardware component responsible for
      generating this alarm.

   *  severity: The severity level of the message.  There are four
      levels, i.e., critical, high, middle, and low.

   *  message: Simple information as a human-readable text string such
      as "The hardware component has failed or degraded" or with extra
      information.

6.1.5.  Interface Alarm

   An interface is the network interface for connecting a device with
   the network.  The interface-alarm is emitted when the state of the
   interface changes.  The following information should be included in
   an Interface Alarm:

   *  event-name: interface-alarm.

   *  interface-name: The name of the interface.

   *  interface-state: The status of the interface, i.e., down, up (not
      congested), congested (up but congested), testing, unknown,
      dormant, not-present, and lower-layer-down.

   *  severity: The severity level of the message.  There are four
      levels, i.e., critical, high, middle, and low.

   *  message: Simple information as a human-readable text string such
      as "The interface is 'interface-state'" or with extra information.

6.2.  System Events

   System events (as alerts) have the following characteristics:

   *  acquisition-method: subscription

   *  emission-type: on-change

   *  dampening-type: on-repetition or no-dampening

6.2.1.  Access Violation

   The access-violation system event is an event when a user tries to
   access (read, write, create, or delete) any information or execute
   commands above their privilege.  The following information should be
   included in this event:

   *  event-name: access-violation.

   *  identity: The information to identify the attempted access
      violation.  The minimum information (extensible) that should be
      included:

      1.  user: The unique username that attempted the access
          violation.

      2.  group: Group(s) to which a user belongs.  A user can belong to
          multiple groups.

      3.  ip-address: The IP address of the user that triggered the
          event.

      4.  l4-port-number: The transport layer port number used by the
          user.

   *  authentication: The method to verify the valid user, i.e.,
      pre-configured-key and certificate-authority.

   *  message: The message as a human-readable text string to give the
      context of the event, such as "Access is denied".

6.2.2.  Configuration Change

   A configuration change is a system event when a new configuration is
   added or an existing configuration is modified.  The following
   information should be included in this event:

   *  event-name: configuration-change.

   *  identity: The information to identify the user that updated the
      configuration.  The minimum information (extensible) that should
      be included:

      1.  user: The unique username that changed the configuration.

      2.  group: Group(s) to which a user belongs.  A user can belong to
          multiple groups.

      3.  ip-address: The IP address of the user that triggered the
          event.

      4.  l4-port-number: The transport layer port number used by the
          user.

   *  authentication: The method to verify the valid user, i.e.,
      pre-configured-key and certificate-authority.
   *  message: The message as a human readable text string to give the
      context of the event, such as "Configuration is modified", "New
      configuration is added", or "A configuration has been removed".

   *  changes: Describes the modification that was made to the
      configuration.  The minimum information that must be provided is
      the name of the policy that has been altered (added, modified, or
      removed).  Other detailed information about the configuration
      changes is up to the implementation.

6.2.3.  Session Table Event

   A session is defined as a connection (i.e., traffic flow) of a data
   plane (e.g., TCP, UDP, and SCTP).  A Session Table Event is the event
   triggered by the session table of an NSF.  A session table holds the
   information of the currently active sessions.  The following
   information should be included in a Session Table Event:

   *  event-name: detection-session-table.

   *  current-session: The number of concurrent sessions.

   *  maximum-session: The maximum number of sessions that the session
      table can support.

   *  threshold: The threshold triggering the event.

   *  message: The message as a human readable text string to give the
      context of the event, such as "The number of sessions exceeded the
      table threshold".

6.2.4.  Traffic Flows

   Traffic flows need to be monitored because they might be used for
   security attacks on the network.  The following information should
   be included in this event:

   *  event-name: traffic-flows.

   *  interface-name: The mnemonic name of the network interface.

   *  interface-type: The type of a network interface such as an ingress
      or egress interface.

   *  src-mac: The source MAC address of the traffic flow.

   *  dst-mac: The destination MAC address of the traffic flow.

   *  src-ip: The source IPv4 or IPv6 address of the traffic flow.

   *  dst-ip: The destination IPv4 or IPv6 address of the traffic flow.
   *  src-port: The transport layer source port number of the traffic
      flow.

   *  dst-port: The transport layer destination port number of the
      traffic flow.

   *  protocol: The protocol of the traffic flow.

   *  arrival-rate: Arrival rate of packets of the traffic flow in
      packets per second, calculated from the beginning of the flow.

   *  arrival-throughput: Arrival rate of packets of the traffic flow in
      bytes per second, calculated from the beginning of the flow.

   Note that the NSF Monitoring Interface data model is focused on a
   generic method to collect the monitoring information of systems and
   NSFs, including traffic flows related to security attacks and system
   resource usages.  On the other hand, IPFIX [RFC7011] is a standard
   method to collect general information on traffic flows rather than
   security information.

6.3.  NSF Events

   NSF events are events detected by a specific NSF that supports a
   certain capability.  This section only discusses the monitoring data
   for the advanced NSFs discussed in
   [I-D.ietf-i2nsf-capability-data-model].  The NSF events information
   can be extended to support other types of NSF.  NSF events have the
   following characteristics:

   *  acquisition-method: subscription

   *  emission-type: on-change

   *  dampening-type: on-repetition or no-dampening

6.3.1.  DDoS Detection

   The following information should be included in a Denial-of-Service
   (DoS) or Distributed Denial-of-Service (DDoS) Event:

   *  event-name: detection-ddos.

   *  attack-type: The type of DoS or DDoS Attack, i.e., SYN flood, ACK
      flood, SYN-ACK flood, FIN/RST flood, TCP Connection flood, UDP
      flood, ICMP flood, HTTPS flood, HTTP flood, DNS query flood, DNS
      reply flood, SIP flood, SSL flood, and NTP amplification flood.
      This can be extended with additional types of DoS or DDoS attack.

   *  attack-src-ip: The IP address of the source of the DDoS attack.
   *  attack-dst-ip: The network prefix with a network mask (for IPv4)
      or prefix length (for IPv6) of a victim under DDoS attack.

   *  dst-port: The port number that the attack traffic aims at.

   *  start-time: The time stamp indicating when the attack started.

   *  end-time: The time stamp indicating when the attack ended.  If the
      attack is still ongoing when sending out the notification, this
      field can be empty.

   *  attack-rate: The packets per second of attack traffic.

   *  attack-throughput: The bytes per second of attack traffic.

   *  rule-name: The name of the I2NSF Policy Rule being triggered.
      Note that rule-name is used to match a detected NSF event with a
      policy rule in [I-D.ietf-i2nsf-nsf-facing-interface-dm].

6.3.2.  Virus Event

   This information is used when a virus is detected within a traffic
   flow or inside a host.  Note that "malware" is a more generic word
   for malicious software, including virus and worm.  In this document,
   "virus" is used to represent "malware", so the two terms are
   interchangeable.  The following information should be included in a
   Virus Event:

   *  event-name: detection-virus.

   *  virus-name: Name of the virus.

   *  virus-type: Type of the virus, e.g., trojan, worm, or macro virus.

   *  The following information is used only when the virus is detected
      within the traffic flow and not yet attacking the host:

      -  dst-ip: The destination IP address of the flow where the virus
         is found.

      -  src-ip: The source IP address of the flow where the virus is
         found.

      -  src-port: The source port of the flow where the virus is found.

      -  dst-port: The destination port of the flow where the virus is
         found.

   *  The following information is used only when the virus is detected
      within a host system:

      -  host: The name or IP address of the host/device that is
         infected by the virus.  If the given name is not an IP address,
         the name can be an arbitrary string including a FQDN (Fully
         Qualified Domain Name).  The name MUST be unique in the scope
         of the management domain for identifying the device that has
         been infected with a virus.

      -  os: The operating system of the host that has the virus.

      -  file-type: The type of the file where the virus is hidden.

      -  file-name: The name of the file where the virus is hidden.

   *  rule-name: The name of the rule being triggered.

   Note that "host" is used only when the virus is detected within a
   host itself.  In that case the traffic flow information such as the
   source and destination IP addresses is not important, so the elements
   of the traffic flow (i.e., dst-ip, src-ip, src-port, and dst-port)
   are not specified above.  On the other hand, when the virus is
   detected within a traffic flow and not yet attacking a host, the
   element "host" is not specified above.

6.3.3.  Intrusion Event

   The following information should be included in an Intrusion Event:

   *  event-name: detection-intrusion.

   *  attack-type: Attack type, e.g., brute force or buffer overflow.

   *  src-ip: The source IP address of the flow.

   *  dst-ip: The destination IP address of the flow.

   *  src-port: The source port number of the flow.

   *  dst-port: The destination port number of the flow.

   *  protocol: The employed transport layer protocol, e.g., TCP or UDP.

   *  app: The employed application layer protocol, e.g., HTTP or FTP.

   *  rule-name: The name of the I2NSF Policy Rule being triggered.

6.3.4.  Web Attack Event

   The following information should be included in a Web Attack Event:

   *  event-name: detection-web-attack.

   *  attack-type: Concrete web attack type, e.g., SQL injection,
      command injection, XSS, or CSRF.

   *  src-ip: The source IP address of the packet.

   *  dst-ip: The destination IP address of the packet.

   *  src-port: The source port number of the packet.
   *  dst-port: The destination port number of the packet.

   *  req-method: The HTTP method of the request.  For instance, "PUT"
      and "GET" in HTTP.

   *  req-target: The HTTP Request Target.

   *  response-code: The HTTP Response status code.

   *  req-user-agent: The HTTP User-Agent header field of the request.

   *  cookies: The HTTP Cookie header field of the request from the user
      agent.

   *  req-host: The HTTP Host header field of the request.

   *  filtering-type: URL filtering type, e.g., deny-list, allow-list,
      and unknown.

   *  rule-name: The name of the I2NSF Policy Rule being triggered.

6.3.5.  VoIP/VoCN Event

   The following information should be included in a VoIP (Voice over
   Internet Protocol) and VoCN (Voice over Cellular Network, such as
   Voice over LTE or 5G) Event:

   *  event-name: detection-voip-vocn.

   *  source-voice-id: The detected source voice Call ID for VoIP and
      VoCN that violates the policy.

   *  destination-voice-id: The destination voice Call ID for VoIP and
      VoCN that violates the policy.

   *  user-agent: The user agent for VoIP and VoCN that violates the
      policy.

   *  src-ip: The source IP address of the VoIP/VoCN.

   *  dst-ip: The destination IP address of the VoIP/VoCN.

   *  src-port: The source port number of the VoIP/VoCN.

   *  dst-port: The destination port number of the VoIP/VoCN.

   *  rule-name: The name of the I2NSF Policy Rule being triggered.

6.4.  System Logs

   A system log is a record that is used to monitor the activity of the
   user on the NSF and the status of the NSF.  System logs have the
   following characteristics:

   *  acquisition-method: subscription or query

   *  emission-type: on-change, periodic, or on-request

   *  dampening-type: on-repetition or no-dampening

6.4.1.  Access Log

   Access logs record administrators' login, logout, and operations on a
   device.  By analyzing them, security vulnerabilities can be
   identified.  The following information should be included in an
   operation report:

   *  identity: The information to identify the user.  The minimum
      information (extensible) that should be included:

      1.  user: The unique username that attempted access violation.

      2.  group: Group(s) to which a user belongs.  A user can belong to
          multiple groups.

      3.  ip-address: The IP address of the user that triggered the
          event.

      4.  l4-port-number: The transport layer port number used by the
          user.

   *  authentication: The method to verify the valid user, i.e.,
      pre-configured-key and certificate-authority.

   *  operation-type: The operation type that the administrator
      executed, e.g., login, logout, configuration, and other.

   *  input: The operation performed by a user after login.  The
      operation is a command given by a user.

   *  output: The result after executing the input.

6.4.2.  Resource Utilization Log

   Running reports record the device system's running status, which is
   useful for device monitoring.  The following information should be
   included in a running report:

   *  system-status: The current system's running status.

   *  cpu-usage: Specifies the aggregated CPU usage.

   *  memory-usage: Specifies the memory usage.

   *  disk-id: Specifies the disk ID to identify the storage disk.

   *  disk-usage: Specifies the disk usage of disk-id.

   *  disk-space-left: Specifies the available disk space left of
      disk-id.

   *  session-number: Specifies total concurrent sessions.

   *  process-number: Specifies the total number of system processes.

   *  interface-id: Specifies the interface ID to identify the network
      interface.

   *  in-traffic-rate: The total inbound data plane traffic rate in
      packets per second.

   *  out-traffic-rate: The total outbound data plane traffic rate in
      packets per second.

   *  in-traffic-throughput: The total inbound data plane traffic
      throughput in bytes per second.
   *  out-traffic-throughput: The total outbound data plane traffic
      throughput in bytes per second.

   Note that "traffic" includes only the data plane since the monitoring
   interface focuses on the monitoring of traffic flows for
   applications, rather than the control plane.  In this document,
   "packet" includes a layer-2 frame, so "packet" and "frame" are
   interchangeable.

6.4.3.  User Activity Log

   User activity logs provide visibility into users' online records
   (such as login time, online/lockout duration, and login IP addresses)
   and the actions that users perform.  User activity reports are
   helpful to identify exceptions during a user's login and network
   access activities.  This information should be included in a user's
   activity report:

   *  identity: The information to identify the user.  The minimum
      information (extensible) that should be included is as follows:

      1.  user: The unique username that attempted access violation.

      2.  group: Group(s) to which a user belongs.  A user can belong to
          multiple groups.

      3.  ip-address: The IP address of the user that triggered the
          event.

      4.  l4-port-number: The transport layer port number used by the
          user.

   *  authentication: The method to verify the valid user, i.e.,
      pre-configured-key and certificate-authority.

   *  online-duration: The duration of a user's activeness (stays in
      login) during a session.

   *  logout-duration: The duration of a user's inactiveness (not in
      login) from the last session.

   *  additional-info: Additional Information for login:

      1.  type: User activities, e.g., Successful User Login, Failed
          Login attempts, User Logout, Successful User Password Change,
          Failed User Password Change, User Lockout, and User Unlocking.

      2.  cause: Cause of a failed user activity.

6.5.  NSF Logs

   NSF logs have the following characteristics:

   *  acquisition-method: subscription or query

   *  emission-type: on-change or on-request

   *  dampening-type: on-repetition or no-dampening

6.5.1.  Deep Packet Inspection Log

   Deep Packet Inspection (DPI) Logs provide statistics of transit
   traffic at an NSF, including uploaded and downloaded files/data,
   sent/received emails, and blocking/alert records on websites.  They
   are helpful to learn risky user behaviors and why access to some URLs
   is blocked or allowed with an alert record.

   *  attack-type: DPI action types, e.g., File Blocking, Data
      Filtering, and Application Behavior Control.

   *  src-user: The I2NSF User's name who generates the policy.

   *  policy-name: Security policy name that traffic matches.

   *  action: Action defined in the file blocking rule, data filtering
      rule, or application behavior control rule that traffic matches.

6.6.  System Counter

   System counters have the following characteristics:

   *  acquisition-method: subscription or query

   *  emission-type: periodic or on-request

   *  dampening-type: no-dampening

6.6.1.  Interface Counter

   Interface counters provide visibility into traffic into and out of an
   NSF, and bandwidth usage.  The statistics of the interface counters
   should be computed from the start of the service up to the last
   measure time instant.  When the service is reset, the computation of
   statistics per counter should use the reset time instant as the start
   of the service for measurement.

   *  interface-name: Network interface name configured in the NSF.

   *  protocol: The type of network protocol (e.g., IPv4, IPv6, TCP, and
      UDP).  If this field is empty, then the counter is used for all
      protocols.

   *  in-total-traffic-pkts: Total inbound packets.

   *  out-total-traffic-pkts: Total outbound packets.
1096 * in-total-traffic-bytes: Total inbound bytes. 1098 * out-total-traffic-bytes: Total outbound bytes. 1100 * in-drop-traffic-pkts: Total inbound drop packets caused by a 1101 policy or hardware/resource error. 1103 * out-drop-traffic-pkts: Total outbound drop packets caused by a 1104 policy or hardware/resource error. 1106 * in-drop-traffic-bytes: Total inbound drop bytes caused by a policy 1107 or hardware/resource error. 1109 * out-drop-traffic-bytes: Total outbound drop bytes caused by a 1110 policy or hardware/resource error. 1112 * in-traffic-average-rate: Inbound traffic average rate in packets 1113 per second. 1115 * in-traffic-peak-rate: Inbound traffic peak rate in packets per 1116 second. 1118 * in-traffic-average-throughput: Inbound traffic average throughput 1119 in bytes per second. 1121 * in-traffic-peak-throughput: Inbound traffic peak throughput in 1122 bytes per second. 1124 * out-traffic-average-rate: Outbound traffic average rate in packets 1125 per second. 1127 * out-traffic-peak-rate: Outbound traffic peak rate in packets per 1128 second. 1130 * out-traffic-average-throughput: Outbound traffic average 1131 throughput in bytes per second. 1133 * out-traffic-peak-throughput: Outbound traffic peak throughput in 1134 bytes per second. 1136 * discontinuity-time: The time of the most recent occasion at which 1137 any one or more of the counters suffered a discontinuity. If no 1138 such discontinuities have occurred since the last re- 1139 initialization of the local management subsystem, then this node 1140 contains the time the local management subsystem was re- 1141 initialized. 1143 6.7. NSF Counters 1145 NSF counters have the following characteristics: 1147 * acquisition-method: subscription or query 1149 * emission-type: periodic or on-request 1151 * dampening-type: no-dampening 1153 6.7.1. 
Firewall Counter 1155 Firewall counters provide visibility into traffic signatures, 1156 bandwidth usage, and how the configured security and bandwidth 1157 policies have been applied. 1159 * src-ip: Source IP address of traffic. 1161 * src-user: The I2NSF User's name who generates the policy. 1163 * dst-ip: Destination IP address of traffic. 1165 * src-port: Source port of traffic. 1167 * dst-port: Destination port of traffic. 1169 * protocol: Protocol type of traffic. 1171 * app: Application type of traffic. 1173 * policy-id: Security policy id that traffic matches. 1175 * policy-name: Security policy name that traffic matches. 1177 * in-interface: Inbound interface of traffic. 1179 * out-interface: Outbound interface of traffic. 1181 * total-traffic: Total traffic volume. 1183 * in-traffic-average-rate: Inbound traffic average rate in packets 1184 per second. 1186 * in-traffic-peak-rate: Inbound traffic peak rate in packets per 1187 second. 1189 * in-traffic-average-throughput: Inbound traffic average throughput 1190 in bytes per second. 1192 * in-traffic-peak-throughput: Inbound traffic peak throughput in 1193 bytes per second. 1195 * out-traffic-average-rate: Outbound traffic average rate in packets 1196 per second. 1198 * out-traffic-peak-rate: Outbound traffic peak rate in packets per 1199 second. 1201 * out-traffic-average-throughput: Outbound traffic average 1202 throughput in bytes per second. 1204 * out-traffic-peak-throughput: Outbound traffic peak throughput in 1205 bytes per second. 1207 * discontinuity-time: The time on the most recent occasion at which 1208 any one or more of the counters suffered a discontinuity. If no 1209 such discontinuities have occurred since the last re- 1210 initialization of the local management subsystem, then this node 1211 contains the time the local management subsystem was re- 1212 initialized. 1214 6.7.2. 
Policy Hit Counter 1216 Policy hit counters record the security policy that traffic matches 1217 and its hit count. That is, when a packet actually matches a policy, 1218 it should be added to the statistics of a "policy hit counter" of the 1219 policy. The "policy hit counter" provides the "policy-name" that 1220 matches the policy's name in the NSF-Facing Interface YANG data model 1221 [I-D.ietf-i2nsf-nsf-facing-interface-dm]. It can check if policy 1222 configurations are correct or not. 1224 * src-ip: Source IP address of traffic. 1226 * src-user: The I2NSF User's name who generates the policy. 1228 * dst-ip: Destination IP address of traffic. 1230 * src-port: Source port of traffic. 1232 * dst-port: Destination port of traffic. 1234 * protocol: Protocol type of traffic. 1236 * app: Application type of traffic. 1238 * policy-id: Security policy id that traffic matches. 1240 * policy-name: Security policy name that traffic matches. 1242 * hit-times: The number of times that the security policy matches 1243 the specified traffic. 1245 * discontinuity-time: The time on the most recent occasion at which 1246 any one or more of the counters suffered a discontinuity. If no 1247 such discontinuities have occurred since the last re- 1248 initialization of the local management subsystem, then this node 1249 contains the time the local management subsystem was re- 1250 initialized. 1252 7. YANG Tree Structure of NSF Monitoring YANG Module 1254 The tree structure of the NSF monitoring YANG module is provided 1255 below: 1257 module: ietf-i2nsf-nsf-monitoring 1258 +--ro i2nsf-counters 1259 | +--ro language? string 1260 | +--ro system-interface* [interface-name] 1261 | | +--ro acquisition-method? identityref 1262 | | +--ro emission-type? identityref 1263 | | +--ro dampening-type? identityref 1264 | | +--ro interface-name if:interface-ref 1265 | | +--ro protocol? identityref 1266 | | +--ro in-total-traffic-pkts? yang:counter64 1267 | | +--ro out-total-traffic-pkts? 
yang:counter64 1268 | | +--ro in-total-traffic-bytes? uint64 1269 | | +--ro out-total-traffic-bytes? uint64 1270 | | +--ro in-drop-traffic-pkts? yang:counter64 1271 | | +--ro out-drop-traffic-pkts? yang:counter64 1272 | | +--ro in-drop-traffic-bytes? uint64 1273 | | +--ro out-drop-traffic-bytes? uint64 1274 | | +--ro discontinuity-time yang:date-and-time 1275 | | +--ro total-traffic? yang:counter64 1276 | | +--ro in-traffic-average-rate? uint32 1277 | | +--ro in-traffic-peak-rate? uint32 1278 | | +--ro in-traffic-average-throughput? uint64 1279 | | +--ro in-traffic-peak-throughput? uint64 1280 | | +--ro out-traffic-average-rate? uint32 1281 | | +--ro out-traffic-peak-rate? uint32 1282 | | +--ro out-traffic-average-throughput? uint64 1283 | | +--ro out-traffic-peak-throughput? uint64 1284 | | +--ro message? string 1285 | | +--ro vendor-name? string 1286 | | +--ro nsf-name? union 1287 | | +--ro severity? severity 1288 | | +--ro timestamp? yang:date-and-time 1289 | +--ro nsf-firewall* [policy-name] 1290 | | +--ro acquisition-method? identityref 1291 | | +--ro emission-type? identityref 1292 | | +--ro dampening-type? identityref 1293 | | +--ro policy-name -> /nsfintf:i2nsf-security-policy/name 1294 | | +--ro src-user? string 1295 | | +--ro discontinuity-time yang:date-and-time 1296 | | +--ro total-traffic? yang:counter64 1297 | | +--ro in-traffic-average-rate? uint32 1298 | | +--ro in-traffic-peak-rate? uint32 1299 | | +--ro in-traffic-average-throughput? uint64 1300 | | +--ro in-traffic-peak-throughput? uint64 1301 | | +--ro out-traffic-average-rate? uint32 1302 | | +--ro out-traffic-peak-rate? uint32 1303 | | +--ro out-traffic-average-throughput? uint64 1304 | | +--ro out-traffic-peak-throughput? uint64 1305 | | +--ro message? string 1306 | | +--ro vendor-name? string 1307 | | +--ro nsf-name? union 1308 | | +--ro severity? severity 1309 | | +--ro timestamp? yang:date-and-time 1310 | +--ro nsf-policy-hits* [policy-name] 1311 | +--ro acquisition-method? 
identityref 1312 | +--ro emission-type? identityref 1313 | +--ro dampening-type? identityref 1314 | +--ro policy-name -> /nsfintf:i2nsf-security-policy/name 1315 | +--ro src-user? string 1316 | +--ro message? string 1317 | +--ro vendor-name? string 1318 | +--ro nsf-name? union 1319 | +--ro severity? severity 1320 | +--ro discontinuity-time yang:date-and-time 1321 | +--ro hit-times? yang:counter64 1322 | +--ro timestamp? yang:date-and-time 1323 +--rw i2nsf-monitoring-configuration 1324 +--rw i2nsf-system-detection-alarm 1325 | +--rw enabled? boolean 1326 | +--rw system-alarm* [alarm-type] 1327 | +--rw alarm-type enumeration 1328 | +--rw threshold? uint8 1329 | +--rw dampening-period? uint32 1330 +--rw i2nsf-system-detection-event 1331 | +--rw enabled? boolean 1332 | +--rw dampening-period? uint32 1333 +--rw i2nsf-traffic-flows 1334 | +--rw dampening-period? uint32 1335 | +--rw enabled? boolean 1336 +--rw i2nsf-nsf-detection-ddos {i2nsf-nsf-detection-ddos}? 1337 | +--rw enabled? boolean 1338 | +--rw dampening-period? uint32 1339 +--rw i2nsf-nsf-detection-session-table 1340 | +--rw enabled? boolean 1341 | +--rw dampening-period? uint32 1342 +--rw i2nsf-nsf-detection-intrusion 1343 {i2nsf-nsf-detection-intrusion}? 1344 | +--rw enabled? boolean 1345 | +--rw dampening-period? uint32 1346 +--rw i2nsf-nsf-detection-web-attack 1347 {i2nsf-nsf-detection-web-attack}? 1348 | +--rw enabled? boolean 1349 | +--rw dampening-period? uint32 1350 +--rw i2nsf-nsf-system-access-log 1351 | +--rw enabled? boolean 1352 | +--rw dampening-period? uint32 1353 +--rw i2nsf-system-res-util-log 1354 | +--rw enabled? boolean 1355 | +--rw dampening-period? uint32 1356 +--rw i2nsf-system-user-activity-log 1357 | +--rw enabled? boolean 1358 | +--rw dampening-period? uint32 1359 +--rw i2nsf-nsf-log-dpi {i2nsf-nsf-log-dpi}? 1360 | +--rw enabled? boolean 1361 | +--rw dampening-period? uint32 1362 +--rw i2nsf-counter 1363 +--rw period? 
uint16 1365 notifications: 1366 +---n i2nsf-event 1367 | +--ro language? string 1368 | +--ro (sub-event-type)? 1369 | +--:(i2nsf-system-detection-alarm) 1370 | | +--ro i2nsf-system-detection-alarm 1371 | | +--ro alarm-category? identityref 1372 | | +--ro component-name? string 1373 | | +--ro interface-name? if:interface-ref 1374 | | +--ro interface-state? enumeration 1375 | | +--ro acquisition-method? identityref 1376 | | +--ro emission-type? identityref 1377 | | +--ro dampening-type? identityref 1378 | | +--ro usage? uint8 1379 | | +--ro threshold? uint8 1380 | | +--ro message? string 1381 | | +--ro vendor-name? string 1382 | | +--ro nsf-name? union 1383 | | +--ro severity? severity 1384 | +--:(i2nsf-system-detection-event) 1385 | | +--ro i2nsf-system-detection-event 1386 | | +--ro event-category? identityref 1387 | | +--ro acquisition-method? identityref 1388 | | +--ro emission-type? identityref 1389 | | +--ro dampening-type? identityref 1390 | | +--ro user string 1391 | | +--ro group* string 1392 | | +--ro ip-address inet:ip-address-no-zone 1393 | | +--ro l4-port-number inet:port-number 1394 | | +--ro authentication? identityref 1395 | | +--ro message? string 1396 | | +--ro vendor-name? string 1397 | | +--ro nsf-name? union 1398 | | +--ro severity? severity 1399 | | +--ro changes* [policy-name] 1400 | | +--ro policy-name 1401 -> /nsfintf:i2nsf-security-policy/name 1402 | +--:(i2nsf-traffic-flows) 1403 | | +--ro i2nsf-traffic-flows 1404 | | +--ro interface-name? if:interface-ref 1405 | | +--ro interface-type? enumeration 1406 | | +--ro src-mac? yang:mac-address 1407 | | +--ro dst-mac? yang:mac-address 1408 | | +--ro src-ip? inet:ip-address-no-zone 1409 | | +--ro dst-ip? inet:ip-address-no-zone 1410 | | +--ro protocol? identityref 1411 | | +--ro src-port? inet:port-number 1412 | | +--ro dst-port? inet:port-number 1413 | | +--ro arrival-rate? uint32 1414 | | +--ro arrival-throughput? uint32 1415 | | +--ro acquisition-method? 
identityref 1416 | | +--ro emission-type? identityref 1417 | | +--ro dampening-type? identityref 1418 | | +--ro message? string 1419 | | +--ro vendor-name? string 1420 | | +--ro nsf-name? union 1421 | | +--ro severity? severity 1422 | +--:(i2nsf-nsf-detection-session-table) 1423 | +--ro i2nsf-nsf-detection-session-table 1424 | +--ro current-session? uint32 1425 | +--ro maximum-session? uint32 1426 | +--ro threshold? uint32 1427 | +--ro message? string 1428 | +--ro vendor-name? string 1429 | +--ro nsf-name? union 1430 | +--ro severity? severity 1431 +---n i2nsf-log 1432 | +--ro language? string 1433 | +--ro (sub-logs-type)? 1434 | +--:(i2nsf-nsf-system-access-log) 1435 | | +--ro i2nsf-nsf-system-access-log 1436 | | +--ro user string 1437 | | +--ro group* string 1438 | | +--ro ip-address inet:ip-address-no-zone 1439 | | +--ro l4-port-number inet:port-number 1440 | | +--ro authentication? identityref 1441 | | +--ro operation-type? operation-type 1442 | | +--ro input? string 1443 | | +--ro output? string 1444 | | +--ro acquisition-method? identityref 1445 | | +--ro emission-type? identityref 1446 | | +--ro dampening-type? identityref 1447 | | +--ro message? string 1448 | | +--ro vendor-name? string 1449 | | +--ro nsf-name? union 1450 | | +--ro severity? severity 1451 | +--:(i2nsf-system-res-util-log) 1452 | | +--ro i2nsf-system-res-util-log 1453 | | +--ro system-status? enumeration 1454 | | +--ro cpu-usage? uint8 1455 | | +--ro memory-usage? uint8 1456 | | +--ro disk* [disk-id] 1457 | | | +--ro disk-id string 1458 | | | +--ro disk-usage? uint8 1459 | | | +--ro disk-space-left? uint8 1460 | | +--ro session-num? uint32 1461 | | +--ro process-num? uint32 1462 | | +--ro interface* [interface-id] 1463 | | | +--ro interface-id string 1464 | | | +--ro in-traffic-rate? uint32 1465 | | | +--ro out-traffic-rate? uint32 1466 | | | +--ro in-traffic-throughput? uint64 1467 | | | +--ro out-traffic-throughput? uint64 1468 | | +--ro acquisition-method? 
                                              identityref
       |  |  +--ro emission-type?              identityref
       |  |  +--ro dampening-type?             identityref
       |  |  +--ro message?                    string
       |  |  +--ro vendor-name?                string
       |  |  +--ro nsf-name?                   union
       |  |  +--ro severity?                   severity
       |  +--:(i2nsf-system-user-activity-log)
       |  |  +--ro i2nsf-system-user-activity-log
       |  |     +--ro acquisition-method?      identityref
       |  |     +--ro emission-type?           identityref
       |  |     +--ro dampening-type?          identityref
       |  |     +--ro user                     string
       |  |     +--ro group*                   string
       |  |     +--ro ip-address               inet:ip-address-no-zone
       |  |     +--ro l4-port-number           inet:port-number
       |  |     +--ro authentication?          identityref
       |  |     +--ro message?                 string
       |  |     +--ro vendor-name?             string
       |  |     +--ro nsf-name?                union
       |  |     +--ro severity?                severity
       |  |     +--ro online-duration?         uint32
       |  |     +--ro logout-duration?         uint32
       |  |     +--ro additional-info?         enumeration
       |  +--:(i2nsf-nsf-log-dpi) {i2nsf-nsf-log-dpi}?
       |     +--ro i2nsf-nsf-log-dpi
       |        +--ro attack-type?             dpi-type
       |        +--ro acquisition-method?      identityref
       |        +--ro emission-type?           identityref
       |        +--ro dampening-type?          identityref
       |        +--ro policy-name
       |        |       -> /nsfintf:i2nsf-security-policy/name
       |        +--ro src-user?                string
       |        +--ro message?                 string
       |        +--ro vendor-name?             string
       |        +--ro nsf-name?                union
       |        +--ro severity?                severity
       +---n i2nsf-nsf-event
          +--ro language?                      string
          +--ro (sub-event-type)?
             +--:(i2nsf-nsf-detection-ddos) {i2nsf-nsf-detection-ddos}?
             |  +--ro i2nsf-nsf-detection-ddos
             |     +--ro attack-type?          identityref
             |     +--ro start-time            yang:date-and-time
             |     +--ro end-time?             yang:date-and-time
             |     +--ro attack-src-ip*        inet:ip-address-no-zone
             |     +--ro attack-dst-ip*        inet:ip-address-no-zone
             |     +--ro attack-src-port*      inet:port-number
             |     +--ro attack-dst-port*      inet:port-number
             |     +--ro rule-name
             |     |       -> /nsfintf:i2nsf-security-policy/rules/name
             |     +--ro attack-rate?          uint32
             |     +--ro attack-throughput?    uint64
             |     +--ro action*               log-action
             |     +--ro acquisition-method?   identityref
             |     +--ro emission-type?        identityref
             |     +--ro dampening-type?       identityref
             |     +--ro message?              string
             |     +--ro vendor-name?          string
             |     +--ro nsf-name?             union
             |     +--ro severity?             severity
             +--:(i2nsf-nsf-detection-virus)
             |        {i2nsf-nsf-detection-virus}?
             |  +--ro i2nsf-nsf-detection-virus
             |     +--ro dst-ip?               inet:ip-address-no-zone
             |     +--ro dst-port?             inet:port-number
             |     +--ro rule-name
             |     |       -> /nsfintf:i2nsf-security-policy/rules/name
             |     +--ro src-ip?               inet:ip-address-no-zone
             |     +--ro src-port?             inet:port-number
             |     +--ro virus-name?           string
             |     +--ro virus-type?           identityref
             |     +--ro host?                 union
             |     +--ro file-type?            string
             |     +--ro file-name?            string
             |     +--ro os?                   string
             |     +--ro action*               log-action
             |     +--ro acquisition-method?   identityref
             |     +--ro emission-type?        identityref
             |     +--ro dampening-type?       identityref
             |     +--ro message?              string
             |     +--ro vendor-name?          string
             |     +--ro nsf-name?             union
             |     +--ro severity?             severity
             +--:(i2nsf-nsf-detection-intrusion)
             |        {i2nsf-nsf-detection-intrusion}?
             |  +--ro i2nsf-nsf-detection-intrusion
             |     +--ro dst-ip?               inet:ip-address-no-zone
             |     +--ro dst-port?             inet:port-number
             |     +--ro rule-name
             |     |       -> /nsfintf:i2nsf-security-policy/rules/name
             |     +--ro src-ip?               inet:ip-address-no-zone
             |     +--ro src-port?             inet:port-number
             |     +--ro protocol?             identityref
             |     +--ro app?                  identityref
             |     +--ro attack-type?          identityref
             |     +--ro action*               log-action
             |     +--ro attack-rate?          uint32
             |     +--ro attack-throughput?    uint64
             |     +--ro acquisition-method?   identityref
             |     +--ro emission-type?        identityref
             |     +--ro dampening-type?       identityref
             |     +--ro message?              string
             |     +--ro vendor-name?          string
             |     +--ro nsf-name?             union
             |     +--ro severity?             severity
             +--:(i2nsf-nsf-detection-web-attack)
             |        {i2nsf-nsf-detection-web-attack}?
             |  +--ro i2nsf-nsf-detection-web-attack
             |     +--ro dst-ip?               inet:ip-address-no-zone
             |     +--ro dst-port?             inet:port-number
             |     +--ro rule-name
             |     |       -> /nsfintf:i2nsf-security-policy/rules/name
             |     +--ro src-ip?               inet:ip-address-no-zone
             |     +--ro src-port?             inet:port-number
             |     +--ro attack-type?          identityref
             |     +--ro req-method?           identityref
             |     +--ro req-target?           string
             |     +--ro filtering-type*       identityref
             |     +--ro req-user-agent?       string
             |     +--ro cookie?               string
             |     +--ro req-host?             string
             |     +--ro response-code?        string
             |     +--ro acquisition-method?   identityref
             |     +--ro emission-type?        identityref
             |     +--ro dampening-type?       identityref
             |     +--ro action*               log-action
             |     +--ro message?              string
             |     +--ro vendor-name?          string
             |     +--ro nsf-name?             union
             |     +--ro severity?             severity
             +--:(i2nsf-nsf-detection-voip-vocn)
                      {i2nsf-nsf-detection-voip-vocn}?
                +--ro i2nsf-nsf-detection-voip-vocn
                   +--ro dst-ip?               inet:ip-address-no-zone
                   +--ro dst-port?             inet:port-number
                   +--ro rule-name
                   |       -> /nsfintf:i2nsf-security-policy/rules/name
                   +--ro src-ip?               inet:ip-address-no-zone
                   +--ro src-port?             inet:port-number
                   +--ro source-voice-id*      string
                   +--ro destination-voice-id* string
                   +--ro user-agent*           string
                   +--ro message?              string
                   +--ro vendor-name?          string
                   +--ro nsf-name?             union
                   +--ro severity?             severity

                 Figure 1: NSF Monitoring YANG Module Tree

8. YANG Data Model of NSF Monitoring YANG Module

This section describes the YANG module for I2NSF NSF Monitoring. The
data model in this document uses identities to convey the monitoring
data of a monitored NSF. Every identity used in the module gives
information or status about the current situation of an NSF.
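As an added example that is not part of the draft or its YANG module, the following Python script models three constraints the module below encodes: the severity enumeration ordered critical, high, middle, low; the 0..100 percent range on the usage and threshold leaves of i2nsf-system-alarm-type-content; and the on-repetition dampening type, which limits on-change messages of the same type to one message per interval. The flat record layout, the 60-second interval and the sample alarms are assumptions for illustration.

```python
"""Model of constraints from ietf-i2nsf-nsf-monitoring (added example).

Checks a system alarm record against the module's severity enum and
its 0..100 percent ranges, and simulates the dampening-type identities
(no-dampening, on-repetition). Record layout and interval are assumed.
"""
from dataclasses import dataclass, field

# typedef severity: levels listed from the highest downwards
SEVERITY_ORDER = ("critical", "high", "middle", "low")

# identities derived from dampening-type
DAMPENING_TYPES = ("no-dampening", "on-repetition")


def validate_system_alarm(alarm: dict) -> list:
    """Return the violations found in one alarm record.

    usage/threshold follow 'type uint8 { range "0..100"; } units percent',
    severity must be one of the enum values, dampening-type one of the
    derived identities. An empty list means the record is consistent."""
    errors = []
    for leaf in ("usage", "threshold"):
        value = alarm.get(leaf)
        if not isinstance(value, int) or not 0 <= value <= 100:
            errors.append(f"{leaf}: must be an integer in 0..100 percent")
    severity = alarm.get("severity")
    if severity is not None and severity not in SEVERITY_ORDER:
        errors.append(f"severity: unknown enum value {severity!r}")
    dampening = alarm.get("dampening-type")
    if dampening is not None and dampening not in DAMPENING_TYPES:
        errors.append(f"dampening-type: unknown identity {dampening!r}")
    return errors


def more_severe(a: str, b: str) -> bool:
    """True when severity a ranks above severity b (critical is highest)."""
    return SEVERITY_ORDER.index(a) < SEVERITY_ORDER.index(b)


@dataclass
class Dampener:
    """Apply a dampening-type to a stream of on-change messages.

    no-dampening passes every message; on-repetition passes at most one
    message per (alarm type, nsf-name) within 'interval' seconds. The
    interval length is an assumption; the module does not fix one."""
    dampening_type: str
    interval: float = 60.0
    _last_sent: dict = field(default_factory=dict)

    def accept(self, msg: dict, now: float) -> bool:
        if self.dampening_type == "no-dampening":
            return True
        if self.dampening_type != "on-repetition":
            raise ValueError(f"unknown dampening-type {self.dampening_type!r}")
        key = (msg["alarm-type"], msg["nsf-name"])
        last = self._last_sent.get(key)
        if last is not None and now - last < self.interval:
            return False  # repeat of the same message type inside the interval
        self._last_sent[key] = now
        return True


def dampen(messages, dampening_type="on-repetition", interval=60.0):
    """Return the messages that survive dampening, in arrival order."""
    d = Dampener(dampening_type, interval)
    return [m for m in messages if d.accept(m, m["time"])]


# Constructed sample: one NSF repeating a memory alarm every 20 seconds
# or so, plus a single CPU alarm from the same NSF.
SAMPLE = [
    {"time": 0.0, "alarm-type": "memory-alarm", "nsf-name": "nsf-1",
     "usage": 91, "threshold": 90, "severity": "high",
     "dampening-type": "on-repetition"},
    {"time": 20.0, "alarm-type": "memory-alarm", "nsf-name": "nsf-1",
     "usage": 93, "threshold": 90, "severity": "high",
     "dampening-type": "on-repetition"},
    {"time": 25.0, "alarm-type": "cpu-alarm", "nsf-name": "nsf-1",
     "usage": 97, "threshold": 80, "severity": "critical",
     "dampening-type": "on-repetition"},
    {"time": 70.0, "alarm-type": "memory-alarm", "nsf-name": "nsf-1",
     "usage": 95, "threshold": 90, "severity": "high",
     "dampening-type": "on-repetition"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["alarm-type"], validate_system_alarm(rec) or "ok")
    kept = dampen(SAMPLE)
    print("after on-repetition dampening:",
          [(m["time"], m["alarm-type"]) for m in kept])
```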
This YANG module imports from [RFC6991], [RFC8343], and
[I-D.ietf-i2nsf-nsf-facing-interface-dm], and makes references to
[RFC0768] [RFC0791] [RFC0792] [RFC0793] [RFC0854] [RFC1939] [RFC0959]
[RFC2595] [RFC4340] [RFC4443] [RFC5321] [RFC5646] [RFC6242] [RFC6265]
[RFC8200] [RFC8641] [RFC9051] [I-D.ietf-httpbis-http2bis]
[I-D.ietf-httpbis-messaging] [I-D.ietf-httpbis-semantics]
[I-D.ietf-tcpm-rfc793bis] [I-D.ietf-tsvwg-rfc4960-bis]
[IANA-HTTP-Status-Code] [IANA-Media-Types].

<CODE BEGINS> file "ietf-i2nsf-nsf-monitoring@2022-02-15.yang"
module ietf-i2nsf-nsf-monitoring {
  yang-version 1.1;
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring";
  prefix
    nsfmi;
  import ietf-inet-types {
    prefix inet;
    reference
      "Section 4 of RFC 6991";
  }
  import ietf-yang-types {
    prefix yang;
    reference
      "Section 3 of RFC 6991";
  }
  import ietf-i2nsf-policy-rule-for-nsf {
    prefix nsfintf;
    reference
      "Section 4.1 of draft-ietf-i2nsf-nsf-facing-interface-dm-17";
  }
  import ietf-interfaces {
    prefix if;
    reference
      "Section 5 of RFC 8343";
  }
  organization
    "IETF I2NSF (Interface to Network Security Functions)
     Working Group";

  contact
    "WG Web:
     WG List:

     Editor: Jaehoon Paul Jeong

     Editor: Patrick Lingga
     ";

  description
    "This module is a YANG module for I2NSF NSF Monitoring.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
     'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
     'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this
     document are to be interpreted as described in BCP 14
     (RFC 2119) (RFC 8174) when, and only when, they appear
     in all capitals, as shown here.

     Copyright (c) 2022 IETF Trust and the persons identified as
     authors of the code. All rights reserved.
     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject to
     the license terms contained in, the Simplified BSD License set
     forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX
     (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
     for full legal notices.";

  revision "2022-02-15" {
    description "Latest revision";
    reference
      "RFC XXXX: I2NSF NSF Monitoring Interface YANG Data Model";

    // RFC Ed.: replace XXXX with an actual RFC number and remove
    // this note.
  }

  /*
   * Typedefs
   */

  typedef severity {
    type enumeration {
      enum critical {
        description
          "The 'critical' severity level indicates that
           an immediate corrective action is required.
           A 'critical' severity is reported when a service
           becomes totally out of service and must be restored.";
      }
      enum high {
        description
          "The 'high' severity level indicates that
           an urgent corrective action is required.
           A 'high' severity is reported when there is
           a severe degradation in the capability of the
           service and its full capability must be restored.";
      }
      enum middle {
        description
          "The 'middle' severity level indicates the
           existence of a non-service-affecting fault
           condition and corrective action should be done
           to prevent a more serious fault. The 'middle'
           severity is reported when the detected problem
           is not degrading the capability of the service, but
           some service degradation might happen if not
           prevented.";
      }
      enum low {
        description
          "The 'low' severity level indicates the detection
           of a potential fault before any effect is observed.
           The 'low' severity is reported when an action should
           be done before a fault happens.";
      }
    }
    description
      "An indicator representing severity levels. The severity
       levels starting from the highest are critical, high, middle,
       and low.";
  }

  typedef log-action {
    type enumeration {
      enum allow {
        description
          "If action is allow";
      }
      enum alert {
        description
          "If action is alert";
      }
      enum block {
        description
          "If action is block";
      }
      enum discard {
        description
          "If action is discard";
      }
      enum declare {
        description
          "If action is declare";
      }
      enum block-ip {
        description
          "If action is block-ip";
      }
      enum block-service {
        description
          "If action is block-service";
      }
    }
    description
      "The type representing action for
       logging.";
  }

  typedef dpi-type {
    type enumeration {
      enum file-blocking {
        description
          "DPI for preventing the specified file types from flowing
           in the network.";
      }
      enum data-filtering {
        description
          "DPI for preventing sensitive information (e.g., Credit
           Card Number or Social Security Numbers) leaving a
           protected network.";
      }
      enum application-behavior-control {
        description
          "DPI for filtering packets based on the application or
           network behavior analysis to identify malicious or
           unusual activity.";
      }
    }
    description
      "The type of Deep Packet Inspection (DPI).
       The defined types are file-blocking, data-filtering, and
       application-behavior-control.";
  }

  typedef operation-type {
    type enumeration {
      enum login {
        description
          "The operation type is Login.";
      }
      enum logout {
        description
          "The operation type is Logout.";
      }
      enum configuration {
        description
          "The operation type is Configuration.
           The configuration operation includes the command for
           writing a new configuration and modifying an existing
           configuration.";
      }
      enum other {
        description
          "The operation type is Other operation. This other
           includes all operations done by a user except login,
           logout, and configuration.";
      }
    }
    description
      "The type of operation done by a user during a session.
       The user operation does not consider their privileges.";
  }

  typedef login-role {
    type enumeration {
      enum administrator {
        description
          "Administrator (i.e., Superuser)'s login role.
           Non-restricted role.";
      }
      enum user {
        description
          "User login role. Semi-restricted role, some data and
           configurations are available but confidential or important
           data and configuration are restricted.";
      }
      enum guest {
        description
          "Guest login role. Restricted role, only few read data are
           available and write configurations are restricted.";
      }
    }
    description
      "The privilege level of the user account.";
  }

  /*
   * Identity
   */

  identity characteristics {
    description
      "Base identity for monitoring information
       characteristics";
  }
  identity acquisition-method {
    base characteristics;
    description
      "The type of acquisition-method. It can be multiple
       types at once.";
  }
  identity subscription {
    base acquisition-method;
    description
      "The acquisition-method type is subscription.";
  }
  identity query {
    base acquisition-method;
    description
      "The acquisition-method type is query.";
  }
  identity emission-type {
    base characteristics;
    description
      "The type of emission-type.";
  }
  identity periodic {
    base emission-type;
    description
      "The emission-type type is periodic.";
  }
  identity on-change {
    base emission-type;
    description
      "The emission-type type is on-change.";
  }
  identity on-request {
    base emission-type;
    description
      "The emission-type type is on-request.";
  }
  identity dampening-type {
    base characteristics;
    description
      "The type of message dampening to stop the rapid transmission
       of messages. The dampening types are on-repetition and
       no-dampening";
  }
  identity no-dampening {
    base dampening-type;
    description
      "The dampening-type is no-dampening. No-dampening type does
       not limit the transmission for the messages of the same
       type.";
  }
  identity on-repetition {
    base dampening-type;
    description
      "The dampening-type is on-repetition.
       On-repetition type limits the transmitted on-change message
       to one message at a certain interval.";
  }

  identity authentication-mode {
    description
      "The authentication mode for a user to connect to the NSF,
       e.g., pre-configured-key and certificate-authority";
  }
  identity pre-configured-key {
    base authentication-mode;
    description
      "The pre-configured-key is an authentication using a key
       authentication.";
  }
  identity certificate-authority {
    base authentication-mode;
    description
      "The certificate-authority (CA) is an authentication using a
       digital certificate.";
  }

  identity event {
    description
      "Base identity for I2NSF events.";
  }

  identity system-event {
    base event;
    description
      "Identity for system event";
  }

  identity system-alarm {
    base event;
    description
      "Base identity for detectable system alarm types";
  }

  identity memory-alarm {
    base system-alarm;
    description
      "A memory alarm is alerted.";
  }
  identity cpu-alarm {
    base system-alarm;
    description
      "A CPU alarm is alerted.";
  }
  identity disk-alarm {
    base system-alarm;
    description
      "A disk alarm is alerted.";
  }
  identity hardware-alarm {
    base system-alarm;
    description
      "A hardware alarm (i.e., hardware failure) is alerted.";
  }
  identity interface-alarm {
    base system-alarm;
    description
      "An interface alarm is alerted.";
  }

  identity access-violation {
    base system-event;
    description
      "The access-violation system event is an event when a user
       tries to access (read, write, create, or delete) any
       information or execute commands above their privilege.";
  }
  identity configuration-change {
    base system-event;
    description
      "The configuration-change system event is an event when a user
       adds a new configuration or modifies an existing configuration
       (write configuration).";
  }

  identity attack-type {
    description
      "The root ID of attack-based notification
       in the notification taxonomy";
  }
  identity nsf-attack-type {
    base attack-type;
    description
      "This ID is intended to be used
       in the context of NSF event.";
  }

  identity virus-type {
    base nsf-attack-type;
    description
      "The type of virus. It can be multiple types at once.
       This attack type is associated with a detected
       system-log virus-attack.";
  }
  identity trojan {
    base virus-type;
    description
      "The virus type is a trojan. Trojan is able to disguise the
       intent of the files or programs to mislead the users.";
  }
  identity worm {
    base virus-type;
    description
      "The virus type is a worm. Worm can self-replicate and
       spread through the network automatically.";
  }
  identity macro {
    base virus-type;
    description
      "The virus type is a macro virus. Macro causes a series of
       threats automatically after the program is executed.";
  }
  identity boot-sector {
    base virus-type;
    description
      "The virus type is a boot sector virus. Boot sector is a virus
       that infects the core of the computer, affecting the startup
       process.";
  }
  identity polymorphic {
    base virus-type;
    description
      "The virus type is a polymorphic virus. Polymorphic can
       modify its version when it replicates, making it hard to
       detect.";
  }
  identity overwrite {
    base virus-type;
    description
      "The virus type is an overwrite virus. Overwrite can remove
       existing software and replace it with malicious code by
       overwriting it.";
  }
  identity resident {
    base virus-type;
    description
      "The virus-type is a resident virus.
       Resident saves itself in the computer's memory and infects
       other files and software.";
  }
  identity non-resident {
    base virus-type;
    description
      "The virus-type is a non-resident virus. Non-resident attaches
       directly to an executable file and enters the device when
       executed.";
  }
  identity multipartite {
    base virus-type;
    description
      "The virus-type is a multipartite virus. Multipartite attacks
       both the boot sector and executable files of a computer.";
  }
  identity spacefiller {
    base virus-type;
    description
      "The virus-type is a spacefiller virus. Spacefiller fills empty
       spaces of a file or software with malicious code.";
  }

  identity intrusion-attack-type {
    base nsf-attack-type;
    description
      "The attack type is associated with a detected
       system-log intrusion.";
  }
  identity brute-force {
    base intrusion-attack-type;
    description
      "The intrusion type is brute-force.";
  }
  identity buffer-overflow {
    base intrusion-attack-type;
    description
      "The intrusion type is buffer-overflow.";
  }
  identity web-attack-type {
    base nsf-attack-type;
    description
      "The attack type is associated with a detected
       system-log web-attack.";
  }
  identity command-injection {
    base web-attack-type;
    description
      "The detected web attack type is command injection.";
  }
  identity xss {
    base web-attack-type;
    description
      "The detected web attack type is Cross Site Scripting (XSS).";
  }
  identity csrf {
    base web-attack-type;
    description
      "The detected web attack type is Cross Site Request Forgery.";
  }

  identity ddos-type {
    base nsf-attack-type;
    description
      "Base identity for detectable flood types";
  }
  identity syn-flood {
    base ddos-type;
    description
      "A SYN flood is detected.";
  }
  identity ack-flood {
    base ddos-type;
    description
      "An ACK flood is detected.";
  }
  identity syn-ack-flood {
    base ddos-type;
    description
      "A SYN-ACK flood is detected.";
  }
  identity fin-rst-flood {
    base ddos-type;
    description
      "A FIN-RST flood is detected.";
  }
  identity tcp-con-flood {
    base ddos-type;
    description
      "A TCP connection flood is detected.";
  }
  identity udp-flood {
    base ddos-type;
    description
      "A UDP flood is detected.";
  }
  identity icmpv4-flood {
    base ddos-type;
    description
      "An ICMPv4 flood is detected.";
  }
  identity icmpv6-flood {
    base ddos-type;
    description
      "An ICMPv6 flood is detected.";
  }
  identity http-flood {
    base ddos-type;
    description
      "An HTTP flood is detected.";
  }
  identity https-flood {
    base ddos-type;
    description
      "An HTTPS flood is detected.";
  }
  identity dns-query-flood {
    base ddos-type;
    description
      "A Domain Name System (DNS) query flood is detected.";
  }
  identity dns-reply-flood {
    base ddos-type;
    description
      "A Domain Name System (DNS) reply flood is detected.";
  }
  identity sip-flood {
    base ddos-type;
    description
      "A Session Initiation Protocol (SIP) flood is detected.";
  }
  identity tls-flood {
    base ddos-type;
    description
      "A Transport Layer Security (TLS) flood is detected";
  }
  identity ntp-amp-flood {
    base ddos-type;
    description
      "A Network Time Protocol (NTP) amplification is detected";
  }

  identity req-method {
    description
      "A set of request types in HTTP (if applicable).";
  }
  identity put {
    base req-method;
    description
      "The detected request type is PUT.";
    reference
      "draft-ietf-httpbis-semantics-19: HTTP Semantics
       - Request Method PUT";
  }
  identity post {
    base req-method;
    description
      "The detected request type is POST.";
    reference
      "draft-ietf-httpbis-semantics-19: HTTP Semantics
       - Request Method POST";
  }
  identity get {
    base req-method;
    description
      "The detected request type is GET.";
    reference
      "draft-ietf-httpbis-semantics-19: HTTP Semantics
       - Request Method GET";
  }
  identity head {
    base req-method;
    description
      "The detected request type is HEAD.";
    reference
      "draft-ietf-httpbis-semantics-19: HTTP Semantics
       - Request Method HEAD";
  }
  identity delete {
    base req-method;
    description
      "The detected request type is DELETE.";
    reference
      "draft-ietf-httpbis-semantics-19: HTTP Semantics
       - Request Method DELETE";
  }
  identity connect {
    base req-method;
    description
      "The detected request type is CONNECT.";
    reference
      "draft-ietf-httpbis-semantics-19: HTTP Semantics
       - Request Method CONNECT";
  }
  identity options {
    base req-method;
    description
      "The detected request type is OPTIONS.";
    reference
      "draft-ietf-httpbis-semantics-19: HTTP Semantics
       - Request Method OPTIONS";
  }
  identity trace {
    base req-method;
    description
      "The detected request type is TRACE.";
    reference
      "draft-ietf-httpbis-semantics-19: HTTP Semantics
       - Request Method TRACE";
  }

  identity filter-type {
    description
      "The type of filter used to detect an attack,
       for example, a web-attack. It can be applicable to
       more than web-attacks.";
  }
  identity allow-list {
    base filter-type;
    description
      "The applied filter type is an allow list. This filter blocks
       all connections except the specified list.";
  }
  identity deny-list {
    base filter-type;
    description
      "The applied filter type is a deny list.
       This filter opens all connections except the specified list.";
  }
  identity unknown-filter {
    base filter-type;
    description
      "The applied filter is unknown.";
  }

  identity protocol {
    description
      "An identity used to enable type choices in leaves
       and leaflists with respect to protocol metadata. This is used
       to identify the type of protocol that goes through the NSF.";
  }
  identity ip {
    base protocol;
    description
      "General IP protocol type.";
    reference
      "RFC 791: Internet Protocol
       RFC 8200: Internet Protocol, Version 6 (IPv6)";
  }
  identity ipv4 {
    base ip;
    description
      "IPv4 protocol type.";
    reference
      "RFC 791: Internet Protocol";
  }
  identity ipv6 {
    base ip;
    description
      "IPv6 protocol type.";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)";
  }
  identity icmp {
    base protocol;
    description
      "Base identity for ICMPv4 and ICMPv6 condition capability";
    reference
      "RFC 792: Internet Control Message Protocol
       RFC 4443: Internet Control Message Protocol (ICMPv6)
       for the Internet Protocol Version 6 (IPv6) Specification
       - ICMPv6";
  }
  identity icmpv4 {
    base icmp;
    description
      "ICMPv4 protocol type.";
    reference
      "RFC 791: Internet Protocol
       RFC 792: Internet Control Message Protocol";
  }
  identity icmpv6 {
    base icmp;
    description
      "ICMPv6 protocol type.";
    reference
      "RFC 8200: Internet Protocol, Version 6 (IPv6)
       RFC 4443: Internet Control Message Protocol (ICMPv6)
       for the Internet Protocol Version 6 (IPv6)
       Specification";
  }
  identity transport-protocol {
    base protocol;
    description
      "Base identity for Layer 4 protocol condition capabilities,
       e.g., TCP, UDP, SCTP, DCCP, and ICMP";
  }
  identity tcp {
    base transport-protocol;
    description
      "TCP protocol type.";
    reference
      "RFC 793: Transmission Control Protocol
       draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
       (TCP) Specification";
  }
  identity udp {
    base transport-protocol;
    description
      "UDP protocol type.";
    reference
      "RFC 768: User Datagram Protocol";
  }
  identity sctp {
    base transport-protocol;
    description
      "Identity for SCTP condition capabilities";
    reference
      "draft-ietf-tsvwg-rfc4960-bis-18: Stream Control Transmission
       Protocol";
  }
  identity dccp {
    base transport-protocol;
    description
      "Identity for DCCP condition capabilities";
    reference
      "RFC 4340: Datagram Congestion Control Protocol";
  }
  identity application-protocol {
    base protocol;
    description
      "Base identity for Application protocol. Note that popular
       application protocols (e.g., HTTP, HTTPS, FTP, POP3, and
       IMAP) are handled in this YANG module, rather than all
       the existing application protocols.";
  }
  identity http {
    base application-protocol;
    description
      "The identity for Hypertext Transfer Protocol version 1.X
       (HTTP/1.X).";
    reference
      "draft-ietf-httpbis-semantics-19: HTTP Semantics
       draft-ietf-httpbis-messaging-19: HTTP/1.1";
  }
  identity https {
    base application-protocol;
    description
      "The identity for Hypertext Transfer Protocol version 1.X
       (HTTP/1.X) over TLS.";
    reference
      "draft-ietf-httpbis-semantics-19: HTTP Semantics
       draft-ietf-httpbis-messaging-19: HTTP/1.1";
  }
  identity http2 {
    base application-protocol;
    description
      "The identity for Hypertext Transfer Protocol version 2
       (HTTP/2).";
    reference
      "draft-ietf-httpbis-http2bis-07: HTTP/2";
  }
  identity https2 {
    base application-protocol;
    description
      "The identity for Hypertext Transfer Protocol version 2
       (HTTP/2) over TLS.";
    reference
      "draft-ietf-httpbis-http2bis-07: HTTP/2";
  }
  identity ftp {
    base application-protocol;
    description
      "FTP protocol type.";
    reference
      "RFC 959: File Transfer Protocol";
  }
  identity ssh {
    base application-protocol;
    description
      "SSH protocol type.";
    reference
      "RFC 6242: Using the NETCONF Protocol over Secure Shell (SSH)";
  }
  identity telnet {
    base application-protocol;
    description
      "The identity for telnet.";
    reference
      "RFC 854: Telnet Protocol";
  }
  identity smtp {
    base application-protocol;
    description
      "The identity for smtp.";
    reference
      "RFC 5321: Simple Mail Transfer Protocol (SMTP)";
  }
  identity pop3 {
    base application-protocol;
    description
      "The identity for Post Office Protocol 3 (POP3).";
    reference
      "RFC 1939: Post Office Protocol - Version 3 (POP3)";
  }
  identity pop3s {
    base application-protocol;
    description
      "The identity for Post Office Protocol 3 (POP3) over TLS";
    reference
      "RFC 1939: Post Office Protocol - Version 3 (POP3)
       RFC 2595: Using TLS with IMAP, POP3 and ACAP";
  }
  identity imap {
    base application-protocol;
    description
      "The identity for Internet Message Access Protocol (IMAP).";
    reference
      "RFC 9051: Internet Message Access Protocol (IMAP) - Version
       4rev2";
  }
  identity imaps {
    base application-protocol;
    description
      "The identity for Internet Message Access Protocol (IMAP) over
       TLS";
    reference
      "RFC 9051: Internet Message Access Protocol (IMAP) - Version
       4rev2
       RFC 2595: Using TLS with IMAP, POP3 and ACAP";
  }

  /*
   * Grouping
   */

  grouping timestamp {
    description
      "Grouping for identifying the time of the message.";
    leaf timestamp {
      type yang:date-and-time;
      description
        "Specify the time of a message being delivered.";
    }
  }

  grouping common-monitoring-data {
    description
      "A set of common monitoring data that is needed
       as the basic information.";
    leaf message {
      type string;
      description
        "This is a freetext annotation for
         monitoring a notification's content.";
    }
    leaf vendor-name {
      type string;
      description
        "The name of the NSF vendor. The string is unrestricted to
         identify the provider or vendor of the NSF.";
    }
    leaf nsf-name {
      type union {
        type string;
        type inet:ip-address-no-zone;
      }
      description
        "The name or IP address of the NSF generating the message.
         If the given nsf-name is not an IP address, the name can be
         an arbitrary string including a FQDN (Fully Qualified Domain
         Name). The name MUST be unique in the scope of management
         domain for a different NSF to identify the NSF that
         generates the message.";
    }
    leaf severity {
      type severity;
      description
        "The severity of the alarm such as critical, high,
         middle, and low.";
    }
  }
  grouping characteristics {
    description
      "A set of characteristics of a notification.";
    leaf acquisition-method {
      type identityref {
        base acquisition-method;
      }
      description
        "The acquisition-method for characteristics";
    }
    leaf emission-type {
      type identityref {
        base emission-type;
      }
      description
        "The emission-type for characteristics";
    }
    leaf dampening-type {
      type identityref {
        base dampening-type;
      }
      description
        "The dampening-type for characteristics";
    }
  }
  grouping i2nsf-system-alarm-type-content {
    description
      "A set of contents for alarm type notification.";
    leaf usage {
      type uint8 {
        range "0..100";
      }
      units "percent";
      description
        "Specifies the used percentage";
    }
    leaf threshold {
      type uint8 {
        range "0..100";
      }
      units "percent";
      description
        "The threshold percentage triggering the alarm or
         the event";
    }
  }
  grouping i2nsf-system-event-type-content {
    description
      "System event metadata associated with system events
       caused by user activity. This can be extended to provide
       additional information.";
    leaf user {
      type string;
      mandatory true;
      description
        "The name of a user";
    }
    leaf-list group {
      type string;
      min-elements 1;
      description
        "The group(s) to which a user belongs.";
    }
    leaf ip-address {
      type inet:ip-address-no-zone;
      mandatory true;
      description
        "The IPv4 (or IPv6) address of a user that triggers the
         event.";
    }
    leaf l4-port-number {
      type inet:port-number;
      mandatory true;
      description
        "The transport layer port number used by the user.";
    }
    leaf authentication {
      type identityref {
        base authentication-mode;
      }
      description
        "The authentication-mode of a user.";
    }
  }
  grouping i2nsf-nsf-event-type-content {
    description
      "A set of common IPv4 (or IPv6)-related NSF event
       content elements";
    leaf dst-ip {
      type inet:ip-address-no-zone;
      description
        "The destination IPv4 (IPv6) address of the packet";
    }
    leaf dst-port {
      type inet:port-number;
      description
        "The destination port of the packet";
    }
    leaf rule-name {
      type leafref {
        path
          "/nsfintf:i2nsf-security-policy"
          +"/nsfintf:rules/nsfintf:name";
      }
      mandatory true;
      description
        "The name of the I2NSF Policy Rule being triggered";
    }
  }
  grouping i2nsf-nsf-event-type-content-extend {
    description
      "A set of extended common IPv4 (or IPv6)-related NSF
       event content elements";
    uses i2nsf-nsf-event-type-content;
    leaf src-ip {
      type inet:ip-address-no-zone;
      description
        "The source IPv4 (or IPv6) address of the packet or flow";
    }
    leaf src-port {
      type inet:port-number;
      description
        "The source port of the packet or flow";
    }
  }
  grouping log-action {
    description
      "A grouping for logging action.";
    leaf-list action {
      type log-action;
      description
        "Action type: allow, alert, block, discard, declare,
         block-ip, block-service";
    }
  }
  grouping attack-rates {
    description
      "A set of traffic rates for monitoring attack traffic
       data";
    leaf attack-rate {
      type uint32;
      units "pps";
      description
        "The average packets per second (pps) rate of attack
         traffic";
    }
    leaf attack-throughput {
      type uint64;
      units "Bps";
      description
        "The average bytes per second (Bps) throughput of attack
         traffic";
    }
  }
  grouping traffic-rates {
    description
      "A set of traffic rates for statistics data";
    leaf discontinuity-time {
      type yang:date-and-time;
      mandatory true;
      description
        "The time on the most recent occasion at which any one or
         more of the counters suffered a discontinuity.
         If no such discontinuities have occurred since the last
         re-initialization of the local management subsystem, then
         this node contains the time the local management subsystem
         was re-initialized.";
    }
    leaf total-traffic {
      type yang:counter64;
      units "packets";
      description
        "The total number of traffic packets (in and out) in the
         NSF.";
    }
    leaf in-traffic-average-rate {
      type uint32;
      units "pps";
      description
        "Inbound traffic average rate in packets per second (pps).
         The average is calculated from the start of the NSF service
         until the generation of this record.";
    }
    leaf in-traffic-peak-rate {
      type uint32;
      units "pps";
      description
        "Inbound traffic peak rate in packets per second (pps).";
    }
    leaf in-traffic-average-throughput {
      type uint64;
      units "Bps";
      description
        "Inbound traffic average throughput in bytes per second
         (Bps). The average is calculated from the start of the NSF
         service until the generation of this record.";
    }
    leaf in-traffic-peak-throughput {
      type uint64;
      units "Bps";
      description
        "Inbound traffic peak throughput in bytes per second (Bps).";
    }
    leaf out-traffic-average-rate {
      type uint32;
      units "pps";
      description
        "Outbound traffic average rate in packets per second (pps).
         The average is calculated from the start of the NSF service
         until the generation of this record.";
    }
    leaf out-traffic-peak-rate {
      type uint32;
      units "pps";
      description
        "Outbound traffic peak rate in packets per second (pps).";
    }
    leaf out-traffic-average-throughput {
      type uint64;
      units "Bps";
      description
        "Outbound traffic average throughput in bytes per second
         (Bps). The average is calculated from the start of the NSF
         service until the generation of this record.";
    }
    leaf out-traffic-peak-throughput {
      type uint64;
      units "Bps";
      description
        "Outbound traffic peak throughput in bytes per second
         (Bps).";
    }
  }
  grouping i2nsf-system-counter-type-content {
    description
      "A set of counters for an interface traffic data.";
    leaf interface-name {
      type if:interface-ref;
      description
        "Network interface name configured in an NSF";
      reference
        "RFC 8343: A YANG Data Model for Interface Management";
    }
    leaf protocol {
      type identityref {
        base protocol;
      }
      description
        "The type of network protocol for the interface counter.
         If this field is empty, then the counter includes all
         protocols (e.g., IPv4, IPv6, TCP, and UDP)";
    }
    leaf in-total-traffic-pkts {
      type yang:counter64;
      description
        "Total inbound packets";
    }
    leaf out-total-traffic-pkts {
      type yang:counter64;
      description
        "Total outbound packets";
    }
    leaf in-total-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total inbound bytes";
    }
    leaf out-total-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total outbound bytes";
    }
    leaf in-drop-traffic-pkts {
      type yang:counter64;
      description
        "Total inbound drop packets";
    }
    leaf out-drop-traffic-pkts {
      type yang:counter64;
      description
        "Total outbound drop packets";
    }
    leaf in-drop-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total inbound drop bytes";
    }
    leaf out-drop-traffic-bytes {
      type uint64;
      units "bytes";
      description
        "Total outbound drop bytes";
    }
    uses traffic-rates;
  }

  grouping i2nsf-nsf-counters-type-content {
    description
      "A set of contents of a policy
in an NSF."; 2859 leaf policy-name { 2860 type leafref { 2861 path 2862 "/nsfintf:i2nsf-security-policy" 2863 +"/nsfintf:name"; 2864 } 2865 mandatory true; 2866 description 2867 "The name of the policy being triggered"; 2868 } 2869 leaf src-user{ 2870 type string; 2871 description 2872 "The I2NSF User's name who generates the policy."; 2873 } 2874 } 2876 grouping enable-notification { 2877 description 2878 "A grouping for enabling or disabling notification"; 2879 leaf enabled { 2880 type boolean; 2881 default "true"; 2882 description 2883 "Enables or Disables the notification. 2884 If 'true', then the notification is enabled. 2885 If 'false, then the notification is disabled."; 2886 } 2887 } 2889 grouping dampening { 2890 description 2891 "A grouping for dampening period of notification."; 2892 leaf dampening-period { 2893 type uint32; 2894 units "centiseconds"; 2895 default "0"; 2896 description 2897 "Specifies the minimum interval between the assembly of 2898 successive update records for a single receiver of a 2899 subscription. Whenever subscribed objects change and 2900 a dampening-period interval (which may be zero) has 2901 elapsed since the previous update record creation for 2902 a receiver, any subscribed objects and properties 2903 that have changed since the previous update record 2904 will have their current values marshalled and placed 2905 in a new update record. But if the subscribed objects change 2906 when the dampening-period is active, it should update the 2907 record without sending the notification until the dampening- 2908 period is finished. If multiple changes happen during the 2909 active dampening-period, it should update the record with 2910 the latest data. 
And at the end of the dampening-period, it 2911 should send the record as a notification with the latest 2912 updated record and restart the countdown."; 2913 reference 2914 "RFC 8641: Subscription to YANG Notifications for 2915 Datastore Updates - Section 5."; 2916 } 2918 } 2920 grouping language { 2921 description 2922 "A grouping for language tag"; 2923 leaf language { 2924 type string { 2925 pattern 2926 "^((en-GB-oed|i-ami|i-bnn|i-default|" 2927 + "i-enochian|i-hak|i-klingon|i-lux|i-mingo|i-navajo|i-pwn|" 2928 + "i-tao|i-tay|i-tsu|sgn-BE-FR|sgn-BE-NL|sgn-CH-DE)|" 2929 + "(art-lojban|cel-gaulish|no-bok|no-nyn|zh-guoyu|zh-hakka|" 2930 + "zh-min|zh-min-nan|zh-xiang)|" 2931 + "(([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3}){0,2})?)|" 2932 + "[A-Za-z]{4}|[A-Za-z]{5,8}" 2933 + "(-[A-Za-z]{4})?" 2934 + "(-[A-Za-z]{2}|[0-9]{3})?" 2935 + "(-[A-Za-z0-9]{5,8}|[0-9][A-Za-z0-9]{3})*" 2936 + "(-[0-9A-WY-Za-wy-z](-[A-Za-z0-9]{2,8})+)*" 2937 + "(-x(-[A-Za-z0-9]{1,8})+)?)|" 2938 + "x(-[A-Za-z0-9]{1,8})+)$"; 2939 } 2940 description 2941 "The value in this field describes the human language 2942 intended for the user, so that it allows a user to 2943 differentiate the language that is used in the 2944 notification. This field is mandatory only 2945 when the implementation provides more than one human 2946 language for the human-readable string fields. 2948 This field uses the language-tag production in Section 2.1 2949 in RFC 5646. 
See the document for more details."; 2950 reference 2951 "RFC 5646: Tags for Identifying Languages"; 2952 } 2953 } 2955 /* 2956 * Feature Nodes 2957 */ 2959 feature i2nsf-nsf-detection-ddos { 2960 description 2961 "This feature means it supports I2NSF nsf-detection-ddos 2962 notification"; 2963 } 2964 feature i2nsf-nsf-detection-virus { 2965 description 2966 "This feature means it supports I2NSF nsf-detection-virus 2967 notification"; 2968 } 2969 feature i2nsf-nsf-detection-intrusion { 2970 description 2971 "This feature means it supports I2NSF nsf-detection-intrusion 2972 notification"; 2973 } 2974 feature i2nsf-nsf-detection-web-attack { 2975 description 2976 "This feature means it supports I2NSF nsf-detection-web-attack 2977 notification"; 2978 } 2979 feature i2nsf-nsf-detection-voip-vocn { 2980 description 2981 "This feature means it supports I2NSF nsf-detection-voip-vocn 2982 notification"; 2983 } 2984 feature i2nsf-nsf-log-dpi { 2985 description 2986 "This feature means it supports I2NSF nsf-log-dpi 2987 notification"; 2988 } 2990 /* 2991 * Notification nodes 2992 */ 2994 notification i2nsf-event { 2995 description 2996 "Notification for I2NSF Event."; 2998 uses language; 3000 choice sub-event-type { 3001 description 3002 "This choice must be augmented with cases for each allowed 3003 sub-event. Only 1 sub-event will be instantiated in each 3004 i2nsf-event message. Each case is expected to define one 3005 container with all the sub-event fields."; 3006 case i2nsf-system-detection-alarm { 3007 container i2nsf-system-detection-alarm{ 3008 description 3009 "This notification is sent, when a system alarm 3010 is detected."; 3011 leaf alarm-category { 3012 type identityref { 3013 base system-alarm; 3015 } 3016 description 3017 "The alarm category for 3018 system-detection-alarm notification"; 3019 } 3020 leaf component-name { 3021 type string; 3022 description 3023 "The hardware component responsible for generating 3024 the message. 
Applicable for Hardware Failure 3025 Alarm."; 3026 } 3027 leaf interface-name { 3028 type if:interface-ref; 3029 description 3030 "The interface name responsible for generating 3031 the message. Applicable for Network Interface 3032 Failure Alarm."; 3033 reference 3034 "RFC 8343: A YANG Data Model for Interface Management"; 3035 } 3036 leaf interface-state { 3037 type enumeration { 3038 enum up { 3039 value 1; 3040 description 3041 "The interface state is up and not congested. 3042 The interface is ready to pass packets."; 3043 } 3044 enum down { 3045 value 2; 3046 description 3047 "The interface state is down, i.e., does not pass 3048 any packets."; 3049 } 3050 enum congested { 3051 value 3; 3052 description 3053 "The interface state is up but congested."; 3054 } 3055 enum testing { 3056 value 4; 3057 description 3058 "In some test mode. No operational packets can 3059 be passed."; 3060 } 3061 enum unknown { 3062 value 5; 3063 description 3064 "Status cannot be determined for some reason."; 3065 } 3066 enum dormant { 3067 value 6; 3068 description 3069 "Waiting for some external event."; 3070 } 3071 enum not-present { 3072 value 7; 3073 description 3074 "Some component (typically hardware) is missing."; 3075 } 3076 enum lower-layer-down { 3077 value 8; 3078 description 3079 "Down due to state of lower-layer interface(s)."; 3080 } 3081 } 3082 description 3083 "The state of the interface. 
Applicable for Network 3084 Interface Failure Alarm."; 3085 reference 3086 "RFC 8343: A YANG Data Model for Interface Management - 3087 Operational States"; 3088 } 3089 uses characteristics; 3090 uses i2nsf-system-alarm-type-content; 3091 uses common-monitoring-data; 3092 } 3093 } 3095 case i2nsf-system-detection-event { 3096 container i2nsf-system-detection-event { 3097 description 3098 "This notification is sent when a security-sensitive 3099 authentication action fails."; 3100 leaf event-category { 3101 type identityref { 3102 base system-event; 3103 } 3104 description 3105 "The event category for system-detection-event"; 3106 } 3107 uses characteristics; 3108 uses i2nsf-system-event-type-content; 3109 uses common-monitoring-data; 3110 list changes { 3111 key policy-name; 3112 description 3113 "Describes the modification that was made to the 3114 configuration. The minimum information that must be 3115 provided is the name of the policy that has been 3116 altered (added, modified, or removed). 
3117 This list can be extended with the detailed 3118 information about the specific changes made to the 3119 configuration based on the implementation."; 3120 leaf policy-name { 3121 type leafref { 3122 path 3123 "/nsfintf:i2nsf-security-policy" 3124 +"/nsfintf:name"; 3125 } 3126 description 3127 "The name of the policy configuration that has been 3128 added, modified, or removed."; 3129 } 3130 } 3131 } 3132 } 3134 case i2nsf-traffic-flows { 3135 container i2nsf-traffic-flows { 3136 description 3137 "This notification is sent to inform about the traffic 3138 flows."; 3139 leaf interface-name { 3140 type if:interface-ref; 3141 description 3142 "The mnemonic name of the network interface"; 3143 } 3144 leaf interface-type { 3145 type enumeration { 3146 enum ingress { 3147 description 3148 "The corresponding interface-name indicates an 3149 ingress interface."; 3150 } 3151 enum egress { 3152 description 3153 "The corresponding interface-name indicates an 3154 egress interface."; 3155 } 3156 } 3157 description 3158 "The type of a network interface such as an ingress or 3159 egress interface."; 3160 } 3161 leaf src-mac { 3162 type yang:mac-address; 3163 description 3164 "The source MAC address of the traffic flow."; 3165 } 3166 leaf dst-mac { 3167 type yang:mac-address; 3168 description 3169 "The destination MAC address of the traffic flow."; 3170 } 3171 leaf src-ip { 3172 type inet:ip-address-no-zone; 3173 description 3174 "The source IPv4 (or IPv6) address of the flow"; 3175 } 3176 leaf dst-ip { 3177 type inet:ip-address-no-zone; 3178 description 3179 "The destination IPv4 (or IPv6) address of the flow"; 3180 } 3181 leaf protocol { 3182 type identityref { 3183 base protocol; 3184 } 3185 description 3186 "The protocol type for nsf-detection-intrusion 3187 notification"; 3188 } 3189 leaf src-port { 3190 type inet:port-number; 3191 description 3192 "The transport layer source port number of the flow"; 3193 } 3194 leaf dst-port { 3195 type inet:port-number; 3196 
description 3197 "The transport layer destination port number of the 3198 flow"; 3199 } 3200 leaf arrival-rate { 3201 type uint32; 3202 units "pps"; 3203 description 3204 "The average arrival rate of the flow in packets per 3205 second. The average is calculated from the start of 3206 the NSF service until the generation of this 3207 record."; 3208 } 3209 leaf arrival-throughput { 3210 type uint32; 3211 units "Bps"; 3212 description 3213 "The average arrival rate of the flow in bytes per 3214 second. The average is calculated from the start of 3215 the NSF service until the generation of this 3216 record."; 3217 } 3218 uses characteristics; 3219 uses common-monitoring-data; 3220 } 3221 } 3223 case i2nsf-nsf-detection-session-table { 3224 container i2nsf-nsf-detection-session-table { 3225 description 3226 "This notification is sent, when a session table 3227 event is detected."; 3228 leaf current-session { 3229 type uint32; 3230 description 3231 "The number of concurrent sessions"; 3232 } 3233 leaf maximum-session { 3234 type uint32; 3235 description 3236 "The maximum number of sessions that the session 3237 table can support"; 3238 } 3239 leaf threshold { 3240 type uint32; 3241 description 3242 "The threshold triggering the event"; 3243 } 3244 uses common-monitoring-data; 3245 } 3246 } 3247 } 3248 } 3250 notification i2nsf-log { 3251 description 3252 "Notification for I2NSF log. The notification is generated 3253 from the logs of the NSF."; 3255 uses language; 3257 choice sub-logs-type { 3258 description 3259 "This choice must be augmented with cases for each allowed 3260 sub-logs. Only 1 sub-event will be instantiated in each 3261 i2nsf-logs message. 
Each case is expected to define one 3262 container with all the sub-logs fields."; 3263 case i2nsf-nsf-system-access-log { 3264 container i2nsf-nsf-system-access-log { 3265 description 3266 "The notification is sent, if there is a new system 3267 log entry about a system access event."; 3268 uses i2nsf-system-event-type-content; 3269 leaf operation-type { 3270 type operation-type; 3271 description 3272 "The operation type that the user executes"; 3273 } 3274 leaf input { 3275 type string; 3276 description 3277 "The operation performed by a user after login. The 3278 operation is a command given by a user."; 3279 } 3280 leaf output { 3281 type string; 3282 description 3283 "The result in text format after executing the 3284 input."; 3285 } 3286 uses characteristics; 3287 uses common-monitoring-data; 3288 } 3289 } 3291 case i2nsf-system-res-util-log { 3292 container i2nsf-system-res-util-log { 3293 description 3294 "This notification is sent, if there is a new log 3295 entry representing resource utilization updates."; 3296 leaf system-status { 3297 type enumeration { 3298 enum running { 3299 description 3300 "The system is active and running the security 3301 service."; 3302 } 3303 enum waiting { 3304 description 3305 "The system is active but waiting for an event to 3306 provide the security service."; 3307 } 3308 enum inactive { 3309 description 3310 "The system is inactive and not running the 3311 security service."; 3312 } 3313 } 3314 description 3315 "The current system's running status"; 3316 } 3317 leaf cpu-usage { 3318 type uint8; 3319 units "percent"; 3320 description 3321 "Specifies the relative percentage of CPU utilization 3322 with respect to platform resources"; 3323 } 3324 leaf memory-usage { 3325 type uint8; 3326 units "percent"; 3327 description 3328 "Specifies the percentage of memory usage."; 3329 } 3330 list disk { 3331 key disk-id; 3332 description 3333 "Disk is the hardware to store information for a 3334 long period, i.e., Hard Disk or 
Solid-State Drive."; 3335 leaf disk-id { 3336 type string; 3337 description 3338 "The ID of the storage disk. It is a free form 3339 identifier to identify the storage disk."; 3340 } 3341 leaf disk-usage { 3342 type uint8; 3343 units "percent"; 3344 description 3345 "Specifies the percentage of disk usage"; 3346 } 3347 leaf disk-space-left { 3348 type uint8; 3349 units "percent"; 3350 description 3351 "Specifies the percentage of disk space left"; 3352 } 3353 } 3354 leaf session-num { 3355 type uint32; 3356 description 3357 "The total number of sessions"; 3358 } 3359 leaf process-num { 3360 type uint32; 3361 description 3362 "The total number of processes"; 3363 } 3364 list interface { 3365 key interface-id; 3366 description 3367 "The network interface for connecting a device 3368 with the network."; 3369 leaf interface-id { 3370 type string; 3371 description 3372 "The ID of the network interface. It is a free form 3373 identifier to identify the network interface."; 3374 } 3375 leaf in-traffic-rate { 3376 type uint32; 3377 units "pps"; 3378 description 3379 "The total inbound traffic rate in packets per 3380 second"; 3381 } 3382 leaf out-traffic-rate { 3383 type uint32; 3384 units "pps"; 3385 description 3386 "The total outbound traffic rate in packets per 3387 second"; 3388 } 3389 leaf in-traffic-throughput { 3390 type uint64; 3391 units "Bps"; 3392 description 3393 "The total inbound traffic throughput in bytes per 3394 second"; 3395 } 3396 leaf out-traffic-throughput { 3397 type uint64; 3398 units "Bps"; 3399 description 3400 "The total outbound traffic throughput in bytes per 3401 second"; 3402 } 3403 } 3404 uses characteristics; 3405 uses common-monitoring-data; 3406 } 3407 } 3409 case i2nsf-system-user-activity-log { 3410 container i2nsf-system-user-activity-log { 3411 description 3412 "This notification is sent, if there is a new user 3413 activity log entry."; 3414 uses characteristics; 3415 uses i2nsf-system-event-type-content; 3416 uses 
common-monitoring-data; 3417 leaf online-duration { 3418 type uint32; 3419 units "seconds"; 3420 description 3421 "The duration of a user's activeness (stays in login) 3422 during a session."; 3424 } 3425 leaf logout-duration { 3426 type uint32; 3427 units "seconds"; 3428 description 3429 "The duration of a user's inactiveness (not in login) 3430 from the last session."; 3431 } 3432 leaf additional-info { 3433 type enumeration { 3434 enum successful-login { 3435 description 3436 "The user has succeeded in login."; 3437 } 3438 enum failed-login { 3439 description 3440 "The user has failed in login (e.g., wrong 3441 password)"; 3442 } 3443 enum logout { 3444 description 3445 "The user has succeeded in logout"; 3446 } 3447 enum successful-password-changed { 3448 description 3449 "The password has been changed successfully"; 3450 } 3451 enum failed-password-changed{ 3452 description 3453 "The attempt to change password has failed"; 3454 } 3455 enum lock { 3456 description 3457 "The user has been locked. A locked user cannot 3458 login."; 3459 } 3460 enum unlock { 3461 description 3462 "The user has been unlocked."; 3463 } 3464 } 3465 description 3466 "User activities, e.g., Successful User Login, 3467 Failed Login attempts, User Logout, Successful User 3468 Password Change, Failed User Password Change, User 3469 Lockout, User Unlocking, and Unknown."; 3470 } 3471 } 3472 } 3473 case i2nsf-nsf-log-dpi { 3474 if-feature "i2nsf-nsf-log-dpi"; 3475 container i2nsf-nsf-log-dpi { 3476 description 3477 "This notification is sent, if there is a new DPI 3478 event in the NSF log."; 3479 leaf attack-type { 3480 type dpi-type; 3481 description 3482 "The type of the DPI"; 3483 } 3484 uses characteristics; 3485 uses i2nsf-nsf-counters-type-content; 3486 uses common-monitoring-data; 3487 } 3488 } 3489 } 3490 } 3492 notification i2nsf-nsf-event { 3493 description 3494 "Notification for I2NSF NSF Event. 
This notification is 3495 used for a specific NSF that supported such feature."; 3497 uses language; 3499 choice sub-event-type { 3500 description 3501 "This choice must be augmented with cases for each allowed 3502 sub-event. Only 1 sub-event will be instantiated in each 3503 i2nsf-event message. Each case is expected to define one 3504 container with all the sub-event fields."; 3505 case i2nsf-nsf-detection-ddos { 3506 if-feature "i2nsf-nsf-detection-ddos"; 3507 container i2nsf-nsf-detection-ddos { 3508 description 3509 "This notification is sent, when a specific flood type 3510 is detected."; 3511 leaf attack-type { 3512 type identityref { 3513 base ddos-type; 3514 } 3515 description 3516 "Any one of Syn flood, ACK flood, SYN-ACK flood, 3517 FIN/RST flood, TCP Connection flood, UDP flood, 3518 ICMP (i.e., ICMPv4 or ICMPv6) flood, HTTP flood, 3519 HTTPS flood, DNS query flood, DNS reply flood, SIP 3520 flood, etc."; 3521 } 3522 leaf start-time { 3523 type yang:date-and-time; 3524 mandatory true; 3525 description 3526 "The time stamp indicating when the attack started"; 3527 } 3528 leaf end-time { 3529 type yang:date-and-time; 3530 description 3531 "The time stamp indicating when the attack ended. If 3532 the attack is still undergoing when sending out the 3533 notification, this field can be empty."; 3534 } 3535 leaf-list attack-src-ip { 3536 type inet:ip-address-no-zone; 3537 description 3538 "The source IPv4 (or IPv6) addresses of attack 3539 traffic. It can hold multiple IPv4 (or IPv6) 3540 addresses."; 3541 } 3542 leaf-list attack-dst-ip { 3543 type inet:ip-address-no-zone; 3544 description 3545 "The destination IPv4 (or IPv6) addresses of attack 3546 traffic. 
It can hold multiple IPv4 (or IPv6) 3547 addresses."; 3548 } 3549 leaf-list attack-src-port { 3550 type inet:port-number; 3551 description 3552 "The transport layer source ports of the DDoS attack"; 3553 } 3554 leaf-list attack-dst-port { 3555 type inet:port-number; 3556 description 3557 "The transport layer destination ports of the DDoS 3558 attack"; 3559 } 3560 leaf rule-name { 3561 type leafref { 3562 path 3563 "/nsfintf:i2nsf-security-policy" 3564 +"/nsfintf:rules/nsfintf:name"; 3565 } 3566 mandatory true; 3567 description 3568 "The name of the I2NSF Policy Rule being triggered"; 3569 } 3571 uses attack-rates; 3572 uses log-action; 3573 uses characteristics; 3574 uses common-monitoring-data; 3575 } 3576 } 3577 case i2nsf-nsf-detection-virus { 3578 if-feature "i2nsf-nsf-detection-virus"; 3579 container i2nsf-nsf-detection-virus { 3580 description 3581 "This notification is sent, when a virus is detected."; 3582 uses i2nsf-nsf-event-type-content-extend; 3583 leaf virus-name { 3584 type string; 3585 description 3586 "The name of the detected virus"; 3587 } 3588 leaf virus-type { 3589 type identityref { 3590 base virus-type; 3592 } 3593 description 3594 "The virus type of the detected virus"; 3595 } 3596 leaf host { 3597 type union { 3598 type string; 3599 type inet:ip-address-no-zone; 3600 } 3601 description 3602 "The name or IP address of the host/device. This is 3603 used to identify the host/device that is infected by 3604 the virus. If the given name is not an IP address, the 3605 name can be an arbitrary string including a FQDN 3606 (Fully Qualified Domain Name). 
The name MUST be unique 3607 in the scope of management domain for identifying the 3608 device that has been infected with a virus."; 3609 } 3610 leaf file-type { 3611 type string; 3612 description 3613 "The type of file virus code is found in (if 3614 applicable)."; 3615 reference 3616 "IANA Website: Media Types"; 3617 } 3618 leaf file-name { 3619 type string; 3620 description 3621 "The name of file virus code is found in (if 3622 applicable)."; 3623 } 3624 leaf os { 3625 type string; 3626 description 3627 "The operating system of the device."; 3628 } 3629 uses log-action; 3630 uses characteristics; 3631 uses common-monitoring-data; 3632 } 3633 } 3634 case i2nsf-nsf-detection-intrusion { 3635 if-feature "i2nsf-nsf-detection-intrusion"; 3636 container i2nsf-nsf-detection-intrusion { 3637 description 3638 "This notification is sent, when an intrusion event 3639 is detected."; 3641 uses i2nsf-nsf-event-type-content-extend; 3642 leaf protocol { 3643 type identityref { 3644 base transport-protocol; 3645 } 3646 description 3647 "The transport protocol type for 3648 nsf-detection-intrusion notification"; 3649 } 3650 leaf app { 3651 type identityref { 3652 base application-protocol; 3653 } 3654 description 3655 "The employed application layer protocol"; 3656 } 3657 leaf attack-type { 3658 type identityref { 3659 base intrusion-attack-type; 3660 } 3661 description 3662 "The sub attack type for intrusion attack"; 3663 } 3664 uses log-action; 3665 uses attack-rates; 3666 uses characteristics; 3667 uses common-monitoring-data; 3668 } 3669 } 3670 case i2nsf-nsf-detection-web-attack { 3671 if-feature "i2nsf-nsf-detection-web-attack"; 3672 container i2nsf-nsf-detection-web-attack { 3673 description 3674 "This notification is sent, when an attack event is 3675 detected."; 3676 uses i2nsf-nsf-event-type-content-extend; 3677 leaf attack-type { 3678 type identityref { 3679 base web-attack-type; 3680 } 3681 description 3682 "Concrete web attack type, e.g., SQL injection, 3683 command 
injection, XSS, and CSRF."; 3684 } 3685 leaf req-method { 3686 type identityref { 3687 base req-method; 3688 } 3689 description 3690 "The HTTP method of the request, e.g., PUT or GET."; 3691 reference 3692 "draft-ietf-httpbis-semantics-19: HTTP Semantics - Request 3693 Methods"; 3694 } 3695 leaf req-target { 3696 type string; 3697 description 3698 "The HTTP Request Target. This field can be filled in 3699 the format of origin-form, absolute-form, 3700 authority-form, or asterisk-form"; 3701 reference 3702 "draft-ietf-httpbis-messaging-19: HTTP/1.1 - Request 3703 Target"; 3704 } 3705 leaf-list filtering-type { 3706 type identityref { 3707 base filter-type; 3708 } 3709 description 3710 "URL filtering type, e.g., deny-list, allow-list, 3711 and Unknown"; 3712 } 3713 leaf req-user-agent { 3714 type string; 3715 description 3716 "The HTTP User-Agent header field of the request"; 3717 reference 3718 "draft-ietf-httpbis-semantics-19: HTTP Semantics - User 3719 Agent"; 3720 } 3721 leaf cookie { 3722 type string; 3723 description 3724 "The HTTP Cookie header field of the request from 3725 the user agent."; 3726 reference 3727 "RFC 6265: HTTP State Management Mechanism - Cookie"; 3728 } 3729 leaf req-host { 3730 type string; 3731 description 3732 "The HTTP Host header field of the request"; 3733 reference 3734 "draft-ietf-httpbis-semantics-19: HTTP Semantics - Host"; 3735 } 3736 leaf response-code { 3737 type string; 3738 description 3739 "The HTTP Response status code"; 3740 reference 3741 "IANA Website: Hypertext Transfer Protocol (HTTP) 3742 Status Code Registry"; 3743 } 3744 uses characteristics; 3745 uses log-action; 3746 uses common-monitoring-data; 3747 } 3748 } 3749 case i2nsf-nsf-detection-voip-vocn { 3750 if-feature "i2nsf-nsf-detection-voip-vocn"; 3751 container i2nsf-nsf-detection-voip-vocn { 3752 description 3753 "This notification is sent, when a VoIP/VoCN violation 3754 is detected."; 3755 uses i2nsf-nsf-event-type-content-extend; 3756 leaf-list 
source-voice-id { 3757 type string; 3758 description 3759 "The detected source voice ID for VoIP and VoCN that 3760 violates the security policy."; 3761 } 3762 leaf-list destination-voice-id { 3763 type string; 3764 description 3765 "The detected destination voice ID for VoIP and VoCN 3766 that violates the security policy."; 3767 } 3768 leaf-list user-agent { 3769 type string; 3770 description 3771 "The detected user-agent for VoIP and VoCN that 3772 violates the security policy."; 3773 } 3774 uses common-monitoring-data; 3775 } 3776 } 3777 } 3778 } 3779 /* 3780 * Data nodes 3781 */ 3782 container i2nsf-counters { 3783 config false; 3784 description 3785 "The state data representing continuous value changes of 3786 information elements that occur very frequently. The value 3787 should be calculated from the start of the service of the 3788 NSF."; 3790 uses language; 3792 list system-interface { 3793 key interface-name; 3794 description 3795 "Interface counters provide the visibility of traffic into 3796 and out of an NSF, and bandwidth usage."; 3797 uses characteristics; 3798 uses i2nsf-system-counter-type-content; 3799 uses common-monitoring-data; 3800 uses timestamp; 3801 } 3802 list nsf-firewall { 3803 key policy-name; 3804 description 3805 "Firewall counters provide the visibility of traffic 3806 signatures, bandwidth usage, and how the configured security 3807 and bandwidth policies have been applied."; 3808 uses characteristics; 3809 uses i2nsf-nsf-counters-type-content; 3810 uses traffic-rates; 3811 uses common-monitoring-data; 3812 uses timestamp; 3813 } 3814 list nsf-policy-hits { 3815 key policy-name; 3816 description 3817 "Policy hit counters record the number of hits that traffic 3818 packets match a security policy. 
            It can check if policy configurations are correct or not.";
        uses characteristics;
        uses i2nsf-nsf-counters-type-content;
        uses common-monitoring-data;
        leaf discontinuity-time {
          type yang:date-and-time;
          mandatory true;
          description
            "The time on the most recent occasion at which any one or
             more of the counters suffered a discontinuity.  If no such
             discontinuities have occurred since the last
             re-initialization of the local management subsystem, then
             this node contains the time the local management subsystem
             was re-initialized.";
        }
        leaf hit-times {
          type yang:counter64;
          description
            "The number of times that the security policy matches the
             specified traffic.";
        }
        uses timestamp;
      }
    }

    container i2nsf-monitoring-configuration {
      description
        "The container for configuring I2NSF monitoring.";
      container i2nsf-system-detection-alarm {
        description
          "The container for configuring I2NSF system-detection-alarm
           notification";
        uses enable-notification;
        list system-alarm {
          key alarm-type;
          description
            "Configuration for system alarm (i.e., CPU, Memory, and
             Disk Usage)";
          leaf alarm-type {
            type enumeration {
              enum cpu {
                description
                  "To configure the CPU usage threshold to trigger the
                   cpu-alarm";
              }
              enum memory {
                description
                  "To configure the Memory usage threshold to trigger
                   the memory-alarm";
              }
              enum disk {
                description
                  "To configure the Disk (storage) usage threshold to
                   trigger the disk-alarm";
              }
            }
            description
              "Type of alarm to be configured.  The three alarm-types
               defined here are used to configure the threshold of the
               monitoring notification.  The threshold is used to
               determine when the notification should be sent.
               The other two alarms defined in the module (i.e.,
               hardware-alarm and interface-alarm) do not use any
               threshold value to create a notification.  These alarms
               detect a failure or a change of state to create a
               notification.";
          }
          leaf threshold {
            type uint8 {
              range "1..100";
            }
            units "percent";
            description
              "The configuration for the threshold percentage to
               trigger the alarm.  The alarm will be triggered if the
               usage exceeds the threshold.";
          }
          uses dampening;
        }
      }
      container i2nsf-system-detection-event {
        description
          "The container for configuring I2NSF system-detection-event
           notification";
        uses enable-notification;
        uses dampening;
      }
      container i2nsf-traffic-flows {
        description
          "The container for configuring I2NSF traffic-flows
           notification";
        uses dampening;
        uses enable-notification;
      }
      container i2nsf-nsf-detection-ddos {
        if-feature "i2nsf-nsf-detection-ddos";
        description
          "The container for configuring I2NSF nsf-detection-ddos
           notification";
        uses enable-notification;
        uses dampening;
      }
      container i2nsf-nsf-detection-session-table {
        description
          "The container for configuring I2NSF nsf-detection-session-
           table notification";
        uses enable-notification;
        uses dampening;
      }
      container i2nsf-nsf-detection-intrusion {
        if-feature "i2nsf-nsf-detection-intrusion";
        description
          "The container for configuring I2NSF nsf-detection-intrusion
           notification";
        uses enable-notification;
        uses dampening;
      }
      container i2nsf-nsf-detection-web-attack {
        if-feature "i2nsf-nsf-detection-web-attack";
        description
          "The container for configuring I2NSF nsf-detection-web-attack
           notification";
        uses enable-notification;
        uses dampening;
      }
      container i2nsf-nsf-system-access-log {
        description
          "The container for configuring I2NSF system-access-log
           notification";
        uses enable-notification;
        uses dampening;
      }
      container i2nsf-system-res-util-log {
        description
          "The container for configuring I2NSF system-res-util-log
           notification";
        uses enable-notification;
        uses dampening;
      }
      container i2nsf-system-user-activity-log {
        description
          "The container for configuring I2NSF system-user-activity-log
           notification";
        uses enable-notification;
        uses dampening;
      }
      container i2nsf-nsf-log-dpi {
        if-feature "i2nsf-nsf-log-dpi";
        description
          "The container for configuring I2NSF nsf-log-dpi
           notification";
        uses enable-notification;
        uses dampening;
      }
      container i2nsf-counter {
        description
          "This is used to configure the counters
           for monitoring an NSF";
        leaf period {
          type uint16;
          units "minutes";
          default 0;
          description
            "The configuration for the period interval of reporting
             the counter.  If 0, then the counter period is disabled.
             If the value is not 0, then the counter will be reported
             following the period value.";
        }
      }
    }
  }

                     Figure 2: Data Model of Monitoring

9. I2NSF Event Stream

   This section discusses the NETCONF event stream for an I2NSF NSF
   Monitoring subscription.  The YANG module in this document supports
   the "ietf-subscribed-notifications" YANG module [RFC8639] for
   subscription.  The reserved event stream name for this document is
   "I2NSF-Monitoring".  The NETCONF Server (e.g., an NSF) MUST support
   the "I2NSF-Monitoring" event stream for an NSF data collector (e.g.,
   Security Controller).  The "I2NSF-Monitoring" event stream contains
   all I2NSF events described in this document.
   The following XML example shows the capabilities of the event streams
   generated by an NSF (e.g., the "NETCONF" and "I2NSF-Monitoring" event
   streams) for the subscription of an NSF data collector.  Refer to
   [RFC5277] for a more detailed explanation of event streams.  The XML
   examples in this document follow the line breaks as per [RFC8792].

       NETCONF
       Default NETCONF Event Stream
       false

       I2NSF-Monitoring
       I2NSF Monitoring Event Stream
       true
       2021-04-29T09:37:39+00:00

      Figure 3: Example of NETCONF Server supporting I2NSF-Monitoring
                               Event Stream

10. XML Examples for I2NSF NSF Monitoring

   This section shows XML examples of I2NSF NSF Monitoring data
   delivered via the Monitoring Interface from an NSF.  In order for
   the XML data to be used correctly, the prefix (i.e., the characters
   before the colon, 'nsfmi' in the example) in the content of an
   element that uses the "identityref" type (e.g., /i2nsf-event/i2nsf-
   system-detection-alarm/alarm-category/) in the YANG module described
   in this document MUST be the same as the namespace prefix (i.e.,
   'nsfmi' in the example) declared for
   urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring.  Therefore,
   XML software MUST be chosen that makes the namespace prefix
   information available.

10.1. I2NSF System Detection Alarm

   The following example shows an alarm triggered by Memory Usage on the
   server; this example XML file is delivered by an NSF to an NSF data
   collector:

       2021-04-29T07:43:52.181088+00:00
       nsfmi:memory-alarm
       nsfmi:subscription
       nsfmi:on-change
       nsfmi:on-repetition
       91
       90
       Memory Usage Exceeded the Threshold
       time_based_firewall
       high

      Figure 4: Example of I2NSF System Detection Alarm triggered by
                               Memory Usage

   The XML data above shows:

   1.  The NSF that sends the information is named
       "time_based_firewall".

   2.  The memory usage of the NSF triggered the alarm.

   3.  The monitoring information is received by the subscription
       method.

   4.  The monitoring information is emitted "on-change".

   5.  The monitoring information is dampened "on-repetition".

   6.  The memory usage of the NSF is 91 percent.

   7.  The memory threshold to trigger the alarm is 90 percent.

   8.  The severity level of the notification is high.

10.2. I2NSF Interface Counters

   To get the I2NSF system interface counters information by query, the
   NETCONF Client (e.g., NSF data collector) needs to send a GET request
   to the NETCONF Server (e.g., NSF).  The following XML file can be
   used to get the state data and filter the information.
      Figure 5: XML Example for NETCONF GET with System Interface Filter

   The following XML file shows the reply from the NETCONF Server (e.g.,
   NSF):

       2021-04-29T08:43:52.181088+00:00
       ens3
       nsfmi:query
       549050
       814956
       0
       5078
       time_based_firewall

       2021-04-29T08:43:52.181088+00:00
       lo
       nsfmi:query
       48487
       48487
       0
       0
       time_based_firewall

    Figure 6: Example of I2NSF System Interface Counters XML Information

11. IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring
      Registrant Contact: The IESG.
      XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950][RFC8525]:

      name: ietf-i2nsf-nsf-monitoring
      namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring
      prefix: nsfmi
      reference: RFC XXXX

      // RFC Ed.: replace XXXX with an actual RFC number and remove
      // this note.

12. Security Considerations

   The YANG module described in this document defines a schema for data
   that is designed to be accessed via network management protocols such
   as NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer
   is the secure transport layer, and the required secure transport is
   Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer is HTTPS,
   and the required secure transport is TLS [RFC8446].

   The NETCONF access control model [RFC8341] provides a means of
   restricting access by specific NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   All data nodes defined in the YANG module which can be created,
   modified, and deleted (i.e., config true, which is the default) are
   considered sensitive, as they all could potentially impact security
   monitoring and mitigation activities.  Write operations (e.g., edit-
   config) applied to these data nodes without proper protection could
   result in missed alarms or incorrect alarm information being
   returned to the NSF data collector.  The following are threats that
   need to be considered and mitigated:

   Compromised NSF with valid credentials:  It can send falsified
      information to the NSF data collector to mislead detection or
      mitigation activities, and/or to hide activity.  Currently, there
      is no in-framework mechanism to mitigate this, and it is an issue
      for all monitoring infrastructures.  It is important to keep
      confidential information from unauthorized persons to mitigate the
      possibility of compromising the NSF with this information.

   Compromised NSF data collector with valid credentials:  It has
      visibility to all collected security alarms; the entire detection
      and mitigation infrastructure may be suspect.  It is important to
      keep confidential information from unauthorized persons to
      mitigate the possibility of compromising the NSF with this
      information.

   Impersonating NSF:  This involves a system trying to send false
      information while imitating an NSF; client authentication would
      help the NSF data collector to identify this invalid NSF in the
      "push" model (NSF-to-collector), while the "pull" model
      (collector-to-NSF) should already be addressed with the
      authentication.

   Impersonating NSF data collector:  This is a rogue NSF data collector
      with which a legitimate NSF is tricked into communicating; for the
      "push" model (NSF-to-collector), it is important to have valid
      credentials, without which it should not work; for the "pull"
      model (collector-to-NSF), mutual authentication should be used to
      mitigate the threat.

   In addition, to defend against a DDoS attack caused by a large number
   of NSFs sending massive numbers of notifications to the NSF data
   collector, rate limiting or similar mechanisms should be considered
   in both the NSF and the NSF data collector, whether in advance or
   during a DDoS attack.

   All of the readable data nodes in this YANG module may be considered
   sensitive in some network environments.  These data nodes represent
   information consistent with the logging commonly performed in network
   and security operations.  They may reveal the specific configuration
   of a network; vulnerabilities in specific systems; and the deployed
   security controls and their relative efficacy in detecting or
   mitigating an attack.  To an attacker, this information could inform
   how to (further) compromise the network, evade detection, or confirm
   whether they have been observed by the network operator.

   Additionally, many of the data nodes in this YANG module, such as the
   containers "i2nsf-system-user-activity-log", "i2nsf-system-detection-
   event", and "i2nsf-nsf-detection-voip-vocn", are privacy sensitive.
   They may describe specific or aggregate user activity, including
   associating user names with specific IP addresses, or users with
   specific network usage.

13. Acknowledgments

   This document is a product of the I2NSF Working Group (WG), including
   the WG Chairs (i.e., Linda Dunbar and Yoav Nir) and Diego Lopez.
   This document took advantage of the review and comments from the
   following people: Roman Danyliw, Tim Bray (IANA), Kyle Rose
   (TSV-ART), Dale R. Worley (Gen-ART), Melinda Shore (SecDir), Valery
   Smyslov (ART-ART), and Tom Petch.  The authors sincerely appreciate
   their efforts and kind help.

   This work was supported by the Institute of Information &
   Communications Technology Planning & Evaluation (IITP) grant funded
   by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755,
   Cloud based Security Intelligence Technology Development for the
   Customized Security Service Provisioning).  This work was supported
   in part by the IITP (2020-0-00395, Standard Development of Blockchain
   based Network Management Automation Technology).  This work was
   supported in part by the MSIT under the Information Technology
   Research Center (ITRC) support program (IITP-2021-2017-0-01633)
   supervised by the IITP.

14. Contributors

   The following are co-authors of this document:

   Chaehong Chung - Department of Electronic, Electrical and Computer
   Engineering, Sungkyunkwan University, 2066 Seobu-ro Jangan-gu, Suwon,
   Gyeonggi-do 16419, Republic of Korea, Email: darkhong@skku.edu

   Jinyong (Tim) Kim - Department of Electronic, Electrical and Computer
   Engineering, Sungkyunkwan University, 2066 Seobu-ro Jangan-gu, Suwon,
   Gyeonggi-do 16419, Republic of Korea, Email: timkim@skku.edu

   Dongjin Hong - Department of Electronic, Electrical and Computer
   Engineering, Sungkyunkwan University, 2066 Seobu-ro Jangan-gu, Suwon,
   Gyeonggi-do 16419, Republic of Korea, Email: dong.jin@skku.edu

   Dacheng Zhang - Huawei, Email: dacheng.zhang@huawei.com

   Yi Wu - Alibaba Group, Email: anren.wy@alibaba-inc.com

   Rakesh Kumar - Juniper Networks, 1133 Innovation Way, Sunnyvale, CA
   94089, USA, Email: rkkumar@juniper.net

   Anil Lohiya - Juniper Networks, Email: alohiya@juniper.net
15. References

15.1. Normative References

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              DOI 10.17487/RFC0768, August 1980.

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
              DOI 10.17487/RFC0791, September 1981.

   [RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5,
              RFC 792, DOI 10.17487/RFC0792, September 1981.

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, DOI 10.17487/RFC0793, September 1981.

   [RFC0854]  Postel, J. and J. Reynolds, "Telnet Protocol
              Specification", STD 8, RFC 854, DOI 10.17487/RFC0854,
              May 1983.

   [RFC0959]  Postel, J. and J. Reynolds, "File Transfer Protocol",
              STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985.

   [RFC1939]  Myers, J. and M. Rose, "Post Office Protocol - Version 3",
              STD 53, RFC 1939, DOI 10.17487/RFC1939, May 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2595]  Newman, C., "Using TLS with IMAP, POP3 and ACAP",
              RFC 2595, DOI 10.17487/RFC2595, June 1999.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC3877]  Chisholm, S. and D. Romascanu, "Alarm Management
              Information Base (MIB)", RFC 3877, DOI 10.17487/RFC3877,
              September 2004.

   [RFC4340]  Kohler, E., Handley, M., and S. Floyd, "Datagram
              Congestion Control Protocol (DCCP)", RFC 4340,
              DOI 10.17487/RFC4340, March 2006.

   [RFC4443]  Conta, A., Deering, S., and M. Gupta, Ed., "Internet
              Control Message Protocol (ICMPv6) for the Internet
              Protocol Version 6 (IPv6) Specification", STD 89,
              RFC 4443, DOI 10.17487/RFC4443, March 2006.

   [RFC5277]  Chisholm, S. and H. Trevino, "NETCONF Event
              Notifications", RFC 5277, DOI 10.17487/RFC5277, July 2008.

   [RFC5321]  Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
              DOI 10.17487/RFC5321, October 2008.

   [RFC5646]  Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying
              Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646,
              September 2009.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6265]  Barth, A., "HTTP State Management Mechanism", RFC 6265,
              DOI 10.17487/RFC6265, April 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7011]  Claise, B., Ed., Trammell, B., Ed., and P. Aitken,
              "Specification of the IP Flow Information Export (IPFIX)
              Protocol for the Exchange of Flow Information", STD 77,
              RFC 7011, DOI 10.17487/RFC7011, September 2013.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", STD 86, RFC 8200,
              DOI 10.17487/RFC8200, July 2017.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [RFC8343]  Bjorklund, M., "A YANG Data Model for Interface
              Management", RFC 8343, DOI 10.17487/RFC8343, March 2018.

   [RFC8407]  Bierman, A., "Guidelines for Authors and Reviewers of
              Documents Containing YANG Data Models", BCP 216, RFC 8407,
              DOI 10.17487/RFC8407, October 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

   [RFC8525]  Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
              and R. Wilton, "YANG Library", RFC 8525,
              DOI 10.17487/RFC8525, March 2019.

   [RFC8639]  Voit, E., Clemm, A., Gonzalez Prieto, A., Nilsen-Nygaard,
              E., and A. Tripathy, "Subscription to YANG Notifications",
              RFC 8639, DOI 10.17487/RFC8639, September 2019.

   [RFC8641]  Clemm, A. and E. Voit, "Subscription to YANG Notifications
              for Datastore Updates", RFC 8641, DOI 10.17487/RFC8641,
              September 2019.

   [RFC9051]  Melnikov, A., Ed. and B. Leiba, Ed., "Internet Message
              Access Protocol (IMAP) - Version 4rev2", RFC 9051,
              DOI 10.17487/RFC9051, August 2021.

   [I-D.ietf-httpbis-http2bis]
              Thomson, M. and C. Benfield, "HTTP/2", Work in Progress,
              Internet-Draft, draft-ietf-httpbis-http2bis-07, 24 January
              2022.

   [I-D.ietf-httpbis-messaging]
              Fielding, R. T., Nottingham, M., and J. Reschke,
              "HTTP/1.1", Work in Progress, Internet-Draft,
              draft-ietf-httpbis-messaging-19, 12 September 2021.

   [I-D.ietf-httpbis-semantics]
              Fielding, R. T., Nottingham, M., and J. Reschke, "HTTP
              Semantics", Work in Progress, Internet-Draft,
              draft-ietf-httpbis-semantics-19, 12 September 2021.

   [I-D.ietf-i2nsf-capability-data-model]
              Hares, S., Jeong, J., Kim, J., Moskowitz, R., and Q. Lin,
              "I2NSF Capability YANG Data Model", Work in Progress,
              Internet-Draft, draft-ietf-i2nsf-capability-data-model-26,
              10 February 2022.

   [I-D.ietf-i2nsf-nsf-facing-interface-dm]
              Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin,
              "I2NSF Network Security Function-Facing Interface YANG
              Data Model", Work in Progress, Internet-Draft,
              draft-ietf-i2nsf-nsf-facing-interface-dm-20, 31 January
              2022.

   [I-D.ietf-tcpm-rfc793bis]
              Eddy, W. M., "Transmission Control Protocol (TCP)
              Specification", Work in Progress, Internet-Draft,
              draft-ietf-tcpm-rfc793bis-26, 8 February 2022.

   [I-D.ietf-tsvwg-rfc4960-bis]
              Stewart, R. R., Tüxen, M., and K. E. E. Nielsen, "Stream
              Control Transmission Protocol", Work in Progress,
              Internet-Draft, draft-ietf-tsvwg-rfc4960-bis-18,
              16 January 2022.

15.2. Informative References

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007.

   [RFC8792]  Watsen, K., Auerswald, E., Farrel, A., and Q. Wu,
              "Handling Long Lines in Content of Internet-Drafts and
              RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020.

   [I-D.ietf-i2nsf-consumer-facing-interface-dm]
              Jeong, J., Chung, C., Ahn, T., Kumar, R., and S. Hares,
              "I2NSF Consumer-Facing Interface YANG Data Model", Work in
              Progress, Internet-Draft,
              draft-ietf-i2nsf-consumer-facing-interface-dm-16,
              28 January 2022.

   [IANA-HTTP-Status-Code]
              Internet Assigned Numbers Authority (IANA), "Hypertext
              Transfer Protocol (HTTP) Status Code Registry", September
              2018.

   [IANA-Media-Types]
              Internet Assigned Numbers Authority (IANA), "Media Types",
              August 2021.

Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-14

   The following changes are made from draft-ietf-i2nsf-nsf-monitoring-
   data-model-14:

   *  This version is added to update the references.

Authors' Addresses

   Jaehoon (Paul) Jeong (editor)
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon
   Gyeonggi-Do
   16419
   Republic of Korea

   Phone: +82 31 299 4957
   Email: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Patrick Lingga
   Department of Electrical and Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon
   Gyeonggi-Do
   16419
   Republic of Korea

   Phone: +82 31 299 4957
   Email: patricklink@skku.edu

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   United States of America

   Phone: +1-734-604-0332
   Email: shares@ndzh.com

   Liang (Frank) Xia
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing
   Jiangsu,
   China

   Email: Frank.xialiang@huawei.com

   Henk Birkholz
   Fraunhofer Institute for Secure Information Technology
   Rheinstrasse 75
   64295 Darmstadt
   Germany

   Email: henk.birkholz@sit.fraunhofer.de