draft-ietf-i2nsf-nsf-monitoring-data-model-03.txt   draft-ietf-i2nsf-nsf-monitoring-data-model-04.txt 
Network Working Group J. Jeong Network Working Group J. Jeong, Ed.
Internet-Draft C. Chung Internet-Draft P. Lingga
Intended status: Standards Track Sungkyunkwan University Intended status: Standards Track Sungkyunkwan University
Expires: November 8, 2020 S. Hares Expires: March 11, 2021 S. Hares
L. Xia L. Xia
Huawei Huawei
H. Birkholz H. Birkholz
Fraunhofer SIT Fraunhofer SIT
May 7, 2020 September 7, 2020
I2NSF NSF Monitoring YANG Data Model I2NSF NSF Monitoring YANG Data Model
draft-ietf-i2nsf-nsf-monitoring-data-model-03 draft-ietf-i2nsf-nsf-monitoring-data-model-04
Abstract Abstract
This document proposes an information model and the corresponding This document proposes an information model and the corresponding
YANG data model for monitoring Network Security Functions (NSFs) in YANG data model for monitoring Network Security Functions (NSFs) in
the Interface to Network Security Functions (I2NSF) framework. If the Interface to Network Security Functions (I2NSF) framework. If
the monitoring of NSFs is performed in a comprehensive way, it is the monitoring of NSFs is performed in a comprehensive way, it is
possible to detect the indication of malicious activity, anomalous possible to detect the indication of malicious activity, anomalous
behavior or the potential sign of denial of service attacks in a behavior, the potential sign of denial of service attacks, or system
timely manner. This monitoring functionality is based on the overload in a timely manner. This monitoring functionality is based
monitoring information that is generated by NSFs. Thus, this on the monitoring information that is generated by NSFs. Thus, this
document describes not only an information model for monitoring NSFs document describes not only an information model for monitoring NSFs
along with a YANG data diagram, but also the corresponding YANG data along with a YANG data diagram, but also the corresponding YANG data
model for monitoring NSFs. model for monitoring NSFs.
Editorial Note (To be removed by RFC Editor)
Please update these statements within the document with the RFC
number to be assigned to this document:
"This version of this YANG module is part of RFC 6087;"
"RFC XXXX: I2NSF NSF Monitoring YANG Data Model"
"reference: RFC 6087"
Please update the "revision" date of the YANG module.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 8, 2020. This Internet-Draft will expire on March 11, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Requirements Notation . . . . . . . . . . . . . . . . . . 4
2.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4
2.3. YANG . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Use Cases for NSF Monitoring Data . . . . . . . . . . . . . . 4 3. Use Cases for NSF Monitoring Data . . . . . . . . . . . . . . 4
4. Classification of NSF Monitoring Data . . . . . . . . . . . . 5 4. Classification of NSF Monitoring Data . . . . . . . . . . . . 5
4.1. Retention and Emission . . . . . . . . . . . . . . . . . 6 4.1. Retention and Emission . . . . . . . . . . . . . . . . . 6
4.2. Notifications and Events . . . . . . . . . . . . . . . . 7 4.2. Notifications and Events . . . . . . . . . . . . . . . . 7
4.3. Unsolicited Poll and Solicited Push . . . . . . . . . . . 8 4.3. Unsolicited Poll and Solicited Push . . . . . . . . . . . 7
4.4. I2NSF Monitoring Terminology for Retained Information . . 8 4.4. I2NSF Monitoring Terminology for Retained Information . . 8
5. Conveyance of NSF Monitoring Information . . . . . . . . . . 9 5. Conveyance of NSF Monitoring Information . . . . . . . . . . 9
5.1. Information Types and Acquisition Methods . . . . . . . . 10 5.1. Information Types and Acquisition Methods . . . . . . . . 10
6. Basic Information Model for All Monitoring Data . . . . . . . 11 6. Basic Information Model for All Monitoring Data . . . . . . . 10
7. Extended Information Model for Monitoring Data . . . . . . . 11 7. Extended Information Model for Monitoring Data . . . . . . . 11
7.1. System Alarms . . . . . . . . . . . . . . . . . . . . . . 11 7.1. System Alarms . . . . . . . . . . . . . . . . . . . . . . 11
7.1.1. Memory Alarm . . . . . . . . . . . . . . . . . . . . 12 7.1.1. Memory Alarm . . . . . . . . . . . . . . . . . . . . 11
7.1.2. CPU Alarm . . . . . . . . . . . . . . . . . . . . . . 12 7.1.2. CPU Alarm . . . . . . . . . . . . . . . . . . . . . . 11
7.1.3. Disk Alarm . . . . . . . . . . . . . . . . . . . . . 12 7.1.3. Disk Alarm . . . . . . . . . . . . . . . . . . . . . 12
7.1.4. Hardware Alarm . . . . . . . . . . . . . . . . . . . 13 7.1.4. Hardware Alarm . . . . . . . . . . . . . . . . . . . 12
7.1.5. Interface Alarm . . . . . . . . . . . . . . . . . . . 13 7.1.5. Interface Alarm . . . . . . . . . . . . . . . . . . . 12
7.2. System Events . . . . . . . . . . . . . . . . . . . . . . 13 7.2. System Events . . . . . . . . . . . . . . . . . . . . . . 13
7.2.1. Access Violation . . . . . . . . . . . . . . . . . . 13 7.2.1. Access Violation . . . . . . . . . . . . . . . . . . 13
7.2.2. Configuration Change . . . . . . . . . . . . . . . . 14 7.2.2. Configuration Change . . . . . . . . . . . . . . . . 13
7.3. NSF Events . . . . . . . . . . . . . . . . . . . . . . . 14 7.3. NSF Events . . . . . . . . . . . . . . . . . . . . . . . 14
7.3.1. DDoS Event . . . . . . . . . . . . . . . . . . . . . 14 7.3.1. DDoS Event . . . . . . . . . . . . . . . . . . . . . 14
7.3.2. Session Table Event . . . . . . . . . . . . . . . . . 15 7.3.2. Session Table Event . . . . . . . . . . . . . . . . . 15
7.3.3. Virus Event . . . . . . . . . . . . . . . . . . . . . 15 7.3.3. Virus Event . . . . . . . . . . . . . . . . . . . . . 15
7.3.4. Intrusion Event . . . . . . . . . . . . . . . . . . . 16 7.3.4. Intrusion Event . . . . . . . . . . . . . . . . . . . 16
7.3.5. Botnet Event . . . . . . . . . . . . . . . . . . . . 17 7.3.5. Botnet Event . . . . . . . . . . . . . . . . . . . . 17
7.3.6. Web Attack Event . . . . . . . . . . . . . . . . . . 18 7.3.6. Web Attack Event . . . . . . . . . . . . . . . . . . 18
7.4. System Logs . . . . . . . . . . . . . . . . . . . . . . . 19 7.4. System Logs . . . . . . . . . . . . . . . . . . . . . . . 18
7.4.1. Access Log . . . . . . . . . . . . . . . . . . . . . 19 7.4.1. Access Log . . . . . . . . . . . . . . . . . . . . . 19
7.4.2. Resource Utilization Log . . . . . . . . . . . . . . 19 7.4.2. Resource Utilization Log . . . . . . . . . . . . . . 19
7.4.3. User Activity Log . . . . . . . . . . . . . . . . . . 20 7.4.3. User Activity Log . . . . . . . . . . . . . . . . . . 20
7.5. NSF Logs . . . . . . . . . . . . . . . . . . . . . . . . 21 7.5. NSF Logs . . . . . . . . . . . . . . . . . . . . . . . . 20
7.5.1. DDoS Log . . . . . . . . . . . . . . . . . . . . . . 21 7.5.1. DDoS Log . . . . . . . . . . . . . . . . . . . . . . 20
7.5.2. Virus Log . . . . . . . . . . . . . . . . . . . . . . 21 7.5.2. Virus Log . . . . . . . . . . . . . . . . . . . . . . 21
7.5.3. Intrusion Log . . . . . . . . . . . . . . . . . . . . 22 7.5.3. Intrusion Log . . . . . . . . . . . . . . . . . . . . 21
7.5.4. Botnet Log . . . . . . . . . . . . . . . . . . . . . 22 7.5.4. Botnet Log . . . . . . . . . . . . . . . . . . . . . 22
7.5.5. DPI Log . . . . . . . . . . . . . . . . . . . . . . . 23 7.5.5. DPI Log . . . . . . . . . . . . . . . . . . . . . . . 22
7.5.6. Vulnerability Scanning Log . . . . . . . . . . . . . 23 7.5.6. Vulnerability Scanning Log . . . . . . . . . . . . . 23
7.5.7. Web Attack Log . . . . . . . . . . . . . . . . . . . 24 7.5.7. Web Attack Log . . . . . . . . . . . . . . . . . . . 23
7.6. System Counter . . . . . . . . . . . . . . . . . . . . . 24 7.6. System Counter . . . . . . . . . . . . . . . . . . . . . 24
7.6.1. Interface counter . . . . . . . . . . . . . . . . . . 25 7.6.1. Interface counter . . . . . . . . . . . . . . . . . . 24
7.7. NSF Counters . . . . . . . . . . . . . . . . . . . . . . 25 7.7. NSF Counters . . . . . . . . . . . . . . . . . . . . . . 25
7.7.1. Firewall counter . . . . . . . . . . . . . . . . . . 26 7.7.1. Firewall counter . . . . . . . . . . . . . . . . . . 25
7.7.2. Policy Hit Counter . . . . . . . . . . . . . . . . . 27 7.7.2. Policy Hit Counter . . . . . . . . . . . . . . . . . 26
8. NSF Monitoring Management in I2NSF . . . . . . . . . . . . . 27 8. NSF Monitoring Management in I2NSF . . . . . . . . . . . . . 27
9. Tree Structure . . . . . . . . . . . . . . . . . . . . . . . 28 9. Tree Structure . . . . . . . . . . . . . . . . . . . . . . . 28
10. YANG Data Model . . . . . . . . . . . . . . . . . . . . . . . 37 10. YANG Data Model . . . . . . . . . . . . . . . . . . . . . . . 36
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 72 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 71
12. Security Considerations . . . . . . . . . . . . . . . . . . . 72 12. Security Considerations . . . . . . . . . . . . . . . . . . . 72
13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 73 13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 72
14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 73 14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 73
15. References . . . . . . . . . . . . . . . . . . . . . . . . . 73 15. References . . . . . . . . . . . . . . . . . . . . . . . . . 74
15.1. Normative References . . . . . . . . . . . . . . . . . . 73 15.1. Normative References . . . . . . . . . . . . . . . . . . 74
15.2. Informative References . . . . . . . . . . . . . . . . . 75 15.2. Informative References . . . . . . . . . . . . . . . . . 77
Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data- Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-
model-02 . . . . . . . . . . . . . . . . . . . . . . 77 model-03 . . . . . . . . . . . . . . . . . . . . . . 79
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 77 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 79
1. Introduction 1. Introduction
According to [I-D.ietf-i2nsf-terminology], the interface provided by According to [RFC8329], the interface provided by a Network Security
a Network Security Function (NSF) (e.g., Firewall, IPS, Anti-DDoS, or Function (NSF) (e.g., Firewall, IPS, Anti-DDoS, or Anti-Virus
Anti-Virus function) to administrative entities (e.g., Security function) to administrative entities (e.g., Security Controller) to
Controller) to enable remote management (i.e., configuring and enable remote management (i.e., configuring and monitoring) is
monitoring) is referred to as an I2NSF NSF-Facing Interface referred to as an I2NSF NSF-Facing Interface
[I-D.ietf-i2nsf-nsf-facing-interface-dm]. Monitoring procedures [I-D.ietf-i2nsf-nsf-facing-interface-dm]. Monitoring procedures
intent to acquire vital types of data with respect to NSFs, (e.g., intent to acquire vital types of data with respect to NSFs, (e.g.,
alarms, records, and counters) via data in motion (e.g., queries, alarms, records, and counters) via data in motion (e.g., queries,
notifications, and events). The monitoring of NSF plays an important notifications, and events). The monitoring of NSF plays an important
role in an overall security framework, if it is done in a timely and role in an overall security framework, if it is done in a timely and
comprehensive way. The monitoring information generated by an NSF comprehensive way. The monitoring information generated by an NSF
can be a good, early indication of anomalous behavior or malicious can be a good, early indication of anomalous behavior or malicious
activity, such as denial of service attacks (DoS). activity, such as denial of service attacks (DoS).
This document defines a comprehensive NSF monitoring information This document defines a comprehensive NSF monitoring information
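Review bot: In Section 1 the sentence "Monitoring procedures intent to acquire vital types of data" is carried into -04 unchanged; it should read "intend to acquire", and "denial of service attacks (DoS)" should put the abbreviation directly after "denial of service". The -04 Abstract now adds "system overload" to the conditions that monitoring can detect, while the last sentence of the Introduction paragraph still names only anomalous behavior and malicious activity, so the two should be aligned.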
skipping to change at page 4, line 29 skipping to change at page 4, line 15
information model for monitoring presented in this document is a information model for monitoring presented in this document is a
complementary information model to the information model for the complementary information model to the information model for the
security policy provisioning functionality of the NSF-Facing security policy provisioning functionality of the NSF-Facing
Interface specified in [I-D.ietf-i2nsf-capability]. Interface specified in [I-D.ietf-i2nsf-capability].
This document also defines a YANG [RFC7950] data model for monitoring This document also defines a YANG [RFC7950] data model for monitoring
NSFs, which is derived from the information model for NSF monitoring. NSFs, which is derived from the information model for NSF monitoring.
2. Terminology 2. Terminology
2.1. Requirements Notation This document uses the terminology described in [RFC8329].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119] [RFC8174].
2.2. Definitions
The terms, which are used in this document, are defined in the I2NSF
terminology document [I-D.ietf-i2nsf-terminology] [RFC8329].
2.3. YANG
This document follows the guidelines of [RFC6087], uses the common This document follows the guidelines of [RFC8407], uses the common
YANG types defined in [RFC6991], and adopts the Network Management YANG types defined in [RFC6991], and adopts the Network Management
Datastore Architecture (NMDA) [RFC8342]. The meaning of the symbols Datastore Architecture (NMDA) [RFC8342]. The meaning of the symbols
in tree diagrams is defined in [RFC8340]. in tree diagrams is defined in [RFC8340].
3. Use Cases for NSF Monitoring Data 3. Use Cases for NSF Monitoring Data
As mentioned earlier, monitoring plays a critical role in an overall As mentioned earlier, monitoring plays a critical role in an overall
security framework. The monitoring of the NSF provides very valuable security framework. The monitoring of the NSF provides very valuable
information to the security controller in maintaining the provisioned information to the security controller in maintaining the provisioned
security posture. Besides this, there are various other reasons to security posture. Besides this, there are various other reasons to
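Review bot: The -04 Terminology section drops the Requirements Notation paragraph with its [RFC2119] [RFC8174] citations; if any BCP 14 key word remains in capitals elsewhere in the document, that paragraph and both references need to stay. The replacement of [RFC6087] by [RFC8407] is correct, since RFC 8407 obsoletes RFC 6087.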
skipping to change at page 6, line 14 skipping to change at page 5, line 37
o Retention and Emission o Retention and Emission
o Notifications and Events o Notifications and Events
o Unsolicited Poll and Solicited Push o Unsolicited Poll and Solicited Push
The Alarm Management Framework in [RFC3877] defines an Event as The Alarm Management Framework in [RFC3877] defines an Event as
something that happens which may be of interest. It defines a fault something that happens which may be of interest. It defines a fault
as a change in status, crossing a threshold, or an external input to as a change in status, crossing a threshold, or an external input to
the system. In the I2NSF domain, I2NSF events the system. In the I2NSF domain, I2NSF events are created and the
[I-D.ietf-i2nsf-terminology] are created and the scope of the Alarm scope of the Alarm Management Framework's Events is still applicable
Management Framework's Events is still applicable due to its broad due to its broad definition. The model presented in this document
definition. The model presented in this document elaborates on the elaborates on the workflow of creating I2NSF events in the context of
workflow of creating I2NSF events in the context of NSF monitoring NSF monitoring and on the way initial I2NSF events are created.
and on the way initial I2NSF events are created.
As with I2NSF components, every generic system entity can include a As with I2NSF components, every generic system entity can include a
set of capabilities [I-D.ietf-i2nsf-terminology] that creates set of capabilities that creates information about the context,
information about the context, composition, configuration, state or composition, configuration, state or behavior of that system entity.
behavior of that system entity. This information is intended to be This information is intended to be provided to other consumers of
provided to other consumers of information and in the scope of this information and in the scope of this document, which deals with NSF
document, which deals with NSF information monitoring in an automated information monitoring in an automated fashion.
fashion.
4.1. Retention and Emission 4.1. Retention and Emission
Typically, a system entity populates standardized interface, such as Typically, a system entity populates standardized interface, such as
SNMP, NETCONF, RESTCONF or CoMI to provide and emit created SNMP, NETCONF, RESTCONF or CoMI to provide and emit created
information directly via NSF-Facing Interface information directly via NSF-Facing Interface. Alternatively, the
[I-D.ietf-i2nsf-terminology]. Alternatively, the created information created information is retained inside the system entity (or a
is retained inside the system entity (or a hierarchy of system hierarchy of system entities in a composite device) via records or
entities in a composite device) via records or counters that are not counters that are not exposed directly via NSF-Facing Interfaces.
exposed directly via NSF-Facing Interfaces.
Information emitted via standardized interfaces can be consumed by an Information emitted via standardized interfaces can be consumed by an
I2NSF User [I-D.ietf-i2nsf-terminology] that includes the capability I2NSF User that includes the capability to consume information not
to consume information not only via an I2NSF Interface(e.g., only via an I2NSF Interface(e.g.,
[I-D.ietf-i2nsf-consumer-facing-interface-dm]) but also via [I-D.ietf-i2nsf-consumer-facing-interface-dm]) but also via
interfaces complementary to the standardized interfaces a generic interfaces complementary to the standardized interfaces a generic
system entity provides. system entity provides.
Information retained on a system entity requires a corresponding Information retained on a system entity requires a corresponding
I2NSF User to access aggregated records of information, typically in I2NSF User to access aggregated records of information, typically in
the form of log-files or databases. There are ways to aggregate the form of log-files or databases. There are ways to aggregate
records originating from different system entities over a network, records originating from different system entities over a network,
for examples via Syslog Protocol [RFC5424] or Syslog over TCP for examples via Syslog Protocol [RFC5424] or Syslog over TCP
[RFC6587]. But even if records are conveyed, the result is the same [RFC6587]. But even if records are conveyed, the result is the same
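Review bot: With every [I-D.ietf-i2nsf-terminology] citation removed from Sections 4 and 4.1, terms such as "I2NSF User", "capabilities" and "I2NSF events" now rest only on the Section 2 pointer to [RFC8329]; confirm that each term is defined there, or define it locally. The paragraphs touched here also keep three wording problems that are worth fixing in the same pass: "populates standardized interface", "I2NSF Interface(e.g.," (missing space) and "for examples via Syslog Protocol".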
skipping to change at page 7, line 30 skipping to change at page 7, line 7
o a system entity that retains an aggregation of records o a system entity that retains an aggregation of records
o an I2NSF Component that includes the capabilities of using o an I2NSF Component that includes the capabilities of using
standardized interfaces provided by other system entities that are standardized interfaces provided by other system entities that are
not I2NSF Components not I2NSF Components
o an I2NSF Component that creates the information o an I2NSF Component that creates the information
4.2. Notifications and Events 4.2. Notifications and Events
A specific task of I2NSF User is to process I2NSF Policy Rules A specific task of I2NSF User is to process I2NSF Policy Rules. The
[I-D.ietf-i2nsf-terminology]. The rules of a policy are composed of rules of a policy are composed of three clauses: Events, Conditions,
three clauses: Events, Conditions, and Actions. In consequence, an and Actions. In consequence, an I2NSF Event is specified to trigger
I2NSF Event is specified to trigger an I2NSF Policy Rule. Such an an I2NSF Policy Rule. Such an I2NSF Event is defined as any
I2NSF Event is defined as any important occurrence over time in the important occurrence over time in the system being managed, and/or in
system being managed, and/or in the environment of the system being the environment of the system being managed, which aligns well with
managed in [I-D.ietf-i2nsf-terminology], which aligns well with the the generic definition of Event from [RFC3877].
generic definition of Event from [RFC3877].
The model illustrated in this document introduces a complementary The model illustrated in this document introduces a complementary
type of information that can be a conveyed notification. type of information that can be a conveyed notification.
Notification: An occurrence of a change of context, composition, Notification: An occurrence of a change of context, composition,
configuration, state or behavior of a system entity that can be configuration, state or behavior of a system entity that can be
directly or indirectly observed by an I2NSF User and can be used directly or indirectly observed by an I2NSF User and can be used
as input for an event-clause in I2NSF Policy Rules. as input for an event-clause in I2NSF Policy Rules.
A notification is similar to an I2NSF Event with the exception A notification is similar to an I2NSF Event with the exception
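Review bot: In Section 4.2 the sentence "Such an I2NSF Event is defined as any important occurrence over time ..." loses its source once "in [I-D.ietf-i2nsf-terminology]" is deleted, so a reader can no longer tell where the definition comes from. Cite [RFC8329] if it carries this definition, or state that this document defines the term.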
skipping to change at page 18, line 23 skipping to change at page 18, line 4
7. The packet from the zombie host to the victim 7. The packet from the zombie host to the victim
o botnet_info: Simple description of Botnet o botnet_info: Simple description of Botnet
o rule_id: The ID of the rule being triggered o rule_id: The ID of the rule being triggered
o rule_name: The name of the rule being triggered o rule_name: The name of the rule being triggered
o profile: Security profile that traffic matches o profile: Security profile that traffic matches
o raw_info: The information describing the packet triggering the o raw_info: The information describing the packet triggering the
event. event.
7.3.6. Web Attack Event 7.3.6. Web Attack Event
The following information should be included in a Web Attack Alarm: The following information should be included in a Web Attack Alarm:
o event_name: The name of event. e.g., SEC_EVENT_WebAttack o event_name: The name of event. e.g., SEC_EVENT_Web_Attack
o sub_attack_type: Concrete web attack type. e.g., SQL injection, o sub_attack_type: Concrete web attack type. e.g., SQL injection,
command injection, XSS, CSRF command injection, XSS, CSRF
o src_ip: The source IP address of the packet o src_ip: The source IP address of the packet
o dst_ip: The destination IP address of the packet o dst_ip: The destination IP address of the packet
o src_port: The source port number of the packet o src_port: The source port number of the packet
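Review bot: Section 7.3.6 is titled "Web Attack Event", but its first sentence still says the fields belong to "a Web Attack Alarm"; change that to "Web Attack Event". The example value moves from SEC_EVENT_WebAttack to SEC_EVENT_Web_Attack, a string that collectors and detection rules may match on, so record the rename in the Appendix A change list and check that the other event_name examples use the same underscore style.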
skipping to change at page 28, line 34 skipping to change at page 28, line 6
interface. The role of Ve-Vnfm is to request VNF lifecycle interface. The role of Ve-Vnfm is to request VNF lifecycle
management (e.g., the instantiation and de-instantiation of an management (e.g., the instantiation and de-instantiation of an
NSF, and load balancing among NSFs), exchange configuration NSF, and load balancing among NSFs), exchange configuration
information, and exchange status information for a network information, and exchange status information for a network
service. In the I2NSF framework, the DMS manages data about service. In the I2NSF framework, the DMS manages data about
resource states and network traffic for the lifecycle management resource states and network traffic for the lifecycle management
of an NSF. Therefore, the generated monitoring data from NSFs are of an NSF. Therefore, the generated monitoring data from NSFs are
delivered from the Security Controller to the DMS via Registration delivered from the Security Controller to the DMS via Registration
Interface. These data are delivered from the DMS to the VNF Interface. These data are delivered from the DMS to the VNF
Manager in the Management and Orchestration (MANO) in the NFV Manager in the Management and Orchestration (MANO) in the NFV
system [I-D.yang-i2nsf-nfv-architecture]. system [I-D.ietf-i2nsf-applicability].
o I2NSF NSF-Facing Interface o I2NSF NSF-Facing Interface
[I-D.ietf-i2nsf-nsf-facing-interface-dm]: After a high-level [I-D.ietf-i2nsf-nsf-facing-interface-dm]: After a high-level
security policy from I2NSF User is translated by security policy security policy from I2NSF User is translated by security policy
translator [I-D.yang-i2nsf-security-policy-translation] in the translator [I-D.yang-i2nsf-security-policy-translation] in the
Security Controller, the translated security policy (i.e., low- Security Controller, the translated security policy (i.e., low-
level policy) is applied to an NSF via NSF-Facing Interface. The level policy) is applied to an NSF via NSF-Facing Interface. The
monitoring data model specifies the list of events that can monitoring data model specifies the list of events that can
trigger Event-Condition-Action (ECA) policies via NSF-Facing trigger Event-Condition-Action (ECA) policies via NSF-Facing
Interface. Interface.
9. Tree Structure 9. Tree Structure
The tree structure of the NSF monitoring YANG module is provided The tree structure of the NSF monitoring YANG module is provided
below: below:
module: ietf-i2nsf-monitor module: ietf-i2nsf-nsf-monitoring
+--rw counters +--rw counters
+--rw system-interface +--rw system-interface
| +--rw acquisition-method? identityref | +--rw acquisition-method? identityref
| +--rw emission-type? identityref | +--rw emission-type? identityref
| +--rw dampening-type? identityref | +--rw dampening-type? identityref
| +--rw interface-name? string | +--rw interface-name? string
| +--rw in-total-traffic-pkts? uint32 | +--rw in-total-traffic-pkts? uint32
| +--rw out-total-traffic-pkts? uint32 | +--rw out-total-traffic-pkts? uint32
| +--rw in-total-traffic-bytes? uint32 | +--rw in-total-traffic-bytes? uint32
| +--rw out-total-traffic-bytes? uint32 | +--rw out-total-traffic-bytes? uint32
skipping to change at page 29, line 37 skipping to change at page 29, line 9
| +--rw message? string | +--rw message? string
| +--rw time-stamp? yang:date-and-time | +--rw time-stamp? yang:date-and-time
| +--rw vendor-name? string | +--rw vendor-name? string
| +--rw nsf-name? string | +--rw nsf-name? string
| +--rw module-name? string | +--rw module-name? string
| +--rw severity? severity | +--rw severity? severity
+--rw nsf-firewall +--rw nsf-firewall
| +--rw acquisition-method? identityref | +--rw acquisition-method? identityref
| +--rw emission-type? identityref | +--rw emission-type? identityref
| +--rw dampening-type? identityref | +--rw dampening-type? identityref
| +--rw src-ip? inet:ipv4-address | +--rw src-ip? inet:ip-address
| +--rw dst-ip? inet:ipv4-address | +--rw dst-ip? inet:ip-address
| +--rw src-port? inet:port-number | +--rw src-port? inet:port-number
| +--rw dst-port? inet:port-number | +--rw dst-port? inet:port-number
| +--rw src-zone? string | +--rw src-zone? string
| +--rw dst-zone? string | +--rw dst-zone? string
| +--rw src-region? string | +--rw src-region? string
| +--rw dst-region? string | +--rw dst-region? string
| +--rw policy-id? uint8 | +--rw policy-id? uint8
| +--rw policy-name? string | +--rw policy-name? string
| +--rw src-user? string | +--rw src-user? string
| +--rw protocol? identityref | +--rw protocol? identityref
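Review bot: Widening src-ip and dst-ip in nsf-firewall from inet:ipv4-address to inet:ip-address admits IPv6, but inet:ip-address also accepts a zone index suffix ("%" followed by a zone), which has no meaning for an address read from a packet header. inet:ip-address-no-zone from [RFC6991] is the tighter type for these leaves and spares collectors from validating or stripping the suffix.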
skipping to change at page 30, line 15 skipping to change at page 29, line 35
| +--rw in-traffic-ave-speed? uint32 | +--rw in-traffic-ave-speed? uint32
| +--rw in-traffic-peak-speed? uint32 | +--rw in-traffic-peak-speed? uint32
| +--rw out-traffic-ave-rate? uint32 | +--rw out-traffic-ave-rate? uint32
| +--rw out-traffic-peak-rate? uint32 | +--rw out-traffic-peak-rate? uint32
| +--rw out-traffic-ave-speed? uint32 | +--rw out-traffic-ave-speed? uint32
| +--rw out-traffic-peak-speed? uint32 | +--rw out-traffic-peak-speed? uint32
+--rw nsf-policy-hits +--rw nsf-policy-hits
+--rw acquisition-method? identityref +--rw acquisition-method? identityref
+--rw emission-type? identityref +--rw emission-type? identityref
+--rw dampening-type? identityref +--rw dampening-type? identityref
+--rw src-ip? inet:ipv4-address +--rw src-ip? inet:ip-address
+--rw dst-ip? inet:ipv4-address +--rw dst-ip? inet:ip-address
+--rw src-port? inet:port-number +--rw src-port? inet:port-number
+--rw dst-port? inet:port-number +--rw dst-port? inet:port-number
+--rw src-zone? string +--rw src-zone? string
+--rw dst-zone? string +--rw dst-zone? string
+--rw src-region? string +--rw src-region? string
+--rw dst-region? string +--rw dst-region? string
+--rw policy-id? uint8 +--rw policy-id? uint8
+--rw policy-name? string +--rw policy-name? string
+--rw src-user? string +--rw src-user? string
+--rw protocol? identityref +--rw protocol? identityref
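Review bot: policy-id in nsf-policy-hits remains uint8, so the counter cannot refer to a policy whose identifier is above 255. Since this revision already revisits the address types in the same container, widen policy-id as well (for example uint32), or state in the description why 255 is a sufficient bound.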
skipping to change at page 31, line 9 skipping to change at page 30, line 29
| +--ro nsf-name? string | +--ro nsf-name? string
| +--ro module-name? string | +--ro module-name? string
| +--ro severity? severity | +--ro severity? severity
+---n system-detection-event +---n system-detection-event
| +--ro event-category? identityref | +--ro event-category? identityref
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro user string | +--ro user string
| +--ro group string | +--ro group string
| +--ro login-ip-addr inet:ipv4-address | +--ro login-ip-addr inet:ip-address
| +--ro authentication? identityref | +--ro authentication? identityref
| +--ro message? string | +--ro message? string
| +--ro time-stamp? yang:date-and-time | +--ro time-stamp? yang:date-and-time
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? string | +--ro nsf-name? string
| +--ro module-name? string | +--ro module-name? string
| +--ro severity? severity | +--ro severity? severity
+---n nsf-detection-flood +---n nsf-detection-flood
| +--ro event-name? identityref | +--ro event-name? identityref
| +--ro dst-ip? inet:ipv4-address | +--ro dst-ip? inet:ip-address
| +--ro dst-port? inet:port-number | +--ro dst-port? inet:port-number
| +--ro rule-id uint8 | +--ro rule-id uint8
| +--ro rule-name string | +--ro rule-name string
| +--ro profile? string | +--ro profile? string
| +--ro raw-info? string | +--ro raw-info? string
| +--ro sub-attack-type? identityref | +--ro sub-attack-type? identityref
| +--ro start-time yang:date-and-time | +--ro start-time yang:date-and-time
| +--ro end-time yang:date-and-time | +--ro end-time yang:date-and-time
| +--ro attack-rate? uint32 | +--ro attack-rate? uint32
| +--ro attack-speed? uint32 | +--ro attack-speed? uint32
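Review bot: in nsf-detection-flood both start-time and end-time are mandatory (no "?"), so an NSF cannot emit a conforming notification while a flood is still in progress without inventing an end-time. For a detection event that is meant to be timely, make end-time optional and describe its absence as "attack ongoing". The same notification also reports only dst-ip and dst-port, so the description should say whether the source is intentionally omitted.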
skipping to change at page 31, line 47 skipping to change at page 31, line 19
| +--ro current-session? uint8 | +--ro current-session? uint8
| +--ro maximum-session? uint8 | +--ro maximum-session? uint8
| +--ro threshold? uint8 | +--ro threshold? uint8
| +--ro message? string | +--ro message? string
| +--ro time-stamp? yang:date-and-time | +--ro time-stamp? yang:date-and-time
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? string | +--ro nsf-name? string
| +--ro module-name? string | +--ro module-name? string
| +--ro severity? severity | +--ro severity? severity
+---n nsf-detection-virus +---n nsf-detection-virus
| +--ro src-ip? inet:ipv4-address | +--ro src-ip? inet:ip-address
| +--ro dst-ip? inet:ipv4-address | +--ro dst-ip? inet:ip-address
| +--ro src-port? inet:port-number | +--ro src-port? inet:port-number
| +--ro dst-port? inet:port-number | +--ro dst-port? inet:port-number
| +--ro src-zone? string | +--ro src-zone? string
| +--ro dst-zone? string | +--ro dst-zone? string
| +--ro rule-id uint8 | +--ro rule-id uint8
| +--ro rule-name string | +--ro rule-name string
| +--ro profile? string | +--ro profile? string
| +--ro raw-info? string | +--ro raw-info? string
| +--ro virus? identityref | +--ro virus? identityref
| +--ro virus-name? string | +--ro virus-name? string
| +--ro file-type? string | +--ro file-type? string
| +--ro file-name? string | +--ro file-name? string
| +--ro message? string | +--ro message? string
| +--ro time-stamp? yang:date-and-time | +--ro time-stamp? yang:date-and-time
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? string | +--ro nsf-name? string
| +--ro module-name? string | +--ro module-name? string
| +--ro severity? severity | +--ro severity? severity
+---n nsf-detection-intrusion +---n nsf-detection-intrusion
| +--ro src-ip? inet:ipv4-address | +--ro src-ip? inet:ip-address
| +--ro dst-ip? inet:ipv4-address | +--ro dst-ip? inet:ip-address
| +--ro src-port? inet:port-number | +--ro src-port? inet:port-number
| +--ro dst-port? inet:port-number | +--ro dst-port? inet:port-number
| +--ro src-zone? string | +--ro src-zone? string
| +--ro dst-zone? string | +--ro dst-zone? string
| +--ro rule-id uint8 | +--ro rule-id uint8
| +--ro rule-name string | +--ro rule-name string
| +--ro profile? string | +--ro profile? string
| +--ro raw-info? string | +--ro raw-info? string
| +--ro protocol? identityref | +--ro protocol? identityref
| +--ro app? string | +--ro app? string
| +--ro sub-attack-type? identityref | +--ro sub-attack-type? identityref
| +--ro message? string | +--ro message? string
| +--ro time-stamp? yang:date-and-time | +--ro time-stamp? yang:date-and-time
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? string | +--ro nsf-name? string
| +--ro module-name? string | +--ro module-name? string
| +--ro severity? severity | +--ro severity? severity
+---n nsf-detection-botnet +---n nsf-detection-botnet
| +--ro src-ip? inet:ipv4-address | +--ro src-ip? inet:ip-address
| +--ro dst-ip? inet:ipv4-address | +--ro dst-ip? inet:ip-address
| +--ro src-port? inet:port-number | +--ro src-port? inet:port-number
| +--ro dst-port? inet:port-number | +--ro dst-port? inet:port-number
| +--ro src-zone? string | +--ro src-zone? string
| +--ro dst-zone? string | +--ro dst-zone? string
| +--ro rule-id uint8 | +--ro rule-id uint8
| +--ro rule-name string | +--ro rule-name string
| +--ro profile? string | +--ro profile? string
| +--ro raw-info? string | +--ro raw-info? string
| +--ro attack-type? identityref | +--ro attack-type? identityref
| +--ro protocol? identityref | +--ro protocol? identityref
| +--ro botnet-name? string | +--ro botnet-name? string
| +--ro role? string | +--ro role? string
| +--ro message? string | +--ro message? string
| +--ro time-stamp? yang:date-and-time | +--ro time-stamp? yang:date-and-time
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? string | +--ro nsf-name? string
| +--ro module-name? string | +--ro module-name? string
| +--ro severity? severity | +--ro severity? severity
+---n nsf-detection-web-attack +---n nsf-detection-web-attack
| +--ro src-ip? inet:ipv4-address | +--ro src-ip? inet:ip-address
| +--ro dst-ip? inet:ipv4-address | +--ro dst-ip? inet:ip-address
| +--ro src-port? inet:port-number | +--ro src-port? inet:port-number
| +--ro dst-port? inet:port-number | +--ro dst-port? inet:port-number
| +--ro src-zone? string | +--ro src-zone? string
| +--ro dst-zone? string | +--ro dst-zone? string
| +--ro rule-id uint8 | +--ro rule-id uint8
| +--ro rule-name string | +--ro rule-name string
| +--ro profile? string | +--ro profile? string
| +--ro raw-info? string | +--ro raw-info? string
| +--ro sub-attack-type? identityref | +--ro sub-attack-type? identityref
| +--ro request-method? identityref | +--ro request-method? identityref
| +--ro req-uri? string | +--ro req-uri? string
| +--ro uri-category? string | +--ro uri-category? string
| +--ro filtering-type* identityref | +--ro filtering-type* identityref
| +--ro message? string | +--ro message? string
| +--ro time-stamp? yang:date-and-time | +--ro time-stamp? yang:date-and-time
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? string | +--ro nsf-name? string
| +--ro module-name? string | +--ro module-name? string
| +--ro severity? severity | +--ro severity? severity
+---n system-access-log +---n system-access-log
| +--ro login-ip inet:ipv4-address | +--ro login-ip inet:ip-address
| +--ro administrator? string | +--ro administrator? string
| +--ro login-mode? login-mode | +--ro login-mode? login-mode
| +--ro operation-type? operation-type | +--ro operation-type? operation-type
| +--ro result? string | +--ro result? string
| +--ro content? string | +--ro content? string
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
+---n system-res-util-log +---n system-res-util-log
| +--ro system-status? string | +--ro system-status? string
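Review bot: req-uri, raw-info, file-name, virus-name and message in nsf-detection-virus, nsf-detection-intrusion, nsf-detection-botnet and nsf-detection-web-attack are plain string leaves whose content comes from the inspected traffic, so they are attacker-influenced values delivered straight to the monitoring consumer. The tree shows no bound on them. Add a length restriction in the module and a sentence in the Security Considerations that receivers must treat these leaves as untrusted input when storing or rendering them.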
skipping to change at page 34, line 17 skipping to change at page 33, line 37
| +--ro out-traffic-speed? uint32 | +--ro out-traffic-speed? uint32
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
+---n system-user-activity-log +---n system-user-activity-log
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro user string | +--ro user string
| +--ro group string | +--ro group string
| +--ro login-ip-addr inet:ipv4-address | +--ro login-ip-addr inet:ip-address
| +--ro authentication? identityref | +--ro authentication? identityref
| +--ro access? identityref | +--ro access? identityref
| +--ro online-duration? string | +--ro online-duration? string
| +--ro logout-duration? string | +--ro logout-duration? string
| +--ro additional-info? string | +--ro additional-info? string
+---n nsf-log-ddos +---n nsf-log-ddos
| +--ro attack-type? identityref | +--ro attack-type? identityref
| +--ro attack-ave-rate? uint32 | +--ro attack-ave-rate? uint32
| +--ro attack-ave-speed? uint32 | +--ro attack-ave-speed? uint32
| +--ro attack-pkt-num? uint32 | +--ro attack-pkt-num? uint32
| +--ro attack-src-ip? inet:ipv4-address | +--ro attack-src-ip? inet:ip-address
| +--ro action? log-action | +--ro action? log-action
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro message? string | +--ro message? string
| +--ro time-stamp? yang:date-and-time | +--ro time-stamp? yang:date-and-time
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? string | +--ro nsf-name? string
| +--ro module-name? string | +--ro module-name? string
| +--ro severity? severity | +--ro severity? severity
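Review bot: attack-src-ip in nsf-log-ddos stays a single optional leaf after the change to inet:ip-address, while the same log carries aggregate fields (attack-ave-rate, attack-ave-speed, attack-pkt-num). A distributed attack has many sources, so one address per log record either forces one record per source or drops information. Consider a leaf-list, or inet:ip-prefix, and say in the description which source is reported when there are several.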
skipping to change at page 35, line 39 skipping to change at page 35, line 11
| +--ro time-stamp? yang:date-and-time | +--ro time-stamp? yang:date-and-time
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? string | +--ro nsf-name? string
| +--ro module-name? string | +--ro module-name? string
| +--ro severity? severity | +--ro severity? severity
+---n nsf-log-dpi +---n nsf-log-dpi
| +--ro attack-type? dpi-type | +--ro attack-type? dpi-type
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro src-ip? inet:ipv4-address | +--ro src-ip? inet:ip-address
| +--ro dst-ip? inet:ipv4-address | +--ro dst-ip? inet:ip-address
| +--ro src-port? inet:port-number | +--ro src-port? inet:port-number
| +--ro dst-port? inet:port-number | +--ro dst-port? inet:port-number
| +--ro src-zone? string | +--ro src-zone? string
| +--ro dst-zone? string | +--ro dst-zone? string
| +--ro src-region? string | +--ro src-region? string
| +--ro dst-region? string | +--ro dst-region? string
| +--ro policy-id? uint8 | +--ro policy-id? uint8
| +--ro policy-name? string | +--ro policy-name? string
| +--ro src-user? string | +--ro src-user? string
| +--ro protocol? identityref | +--ro protocol? identityref
| +--ro app? string | +--ro app? string
| +--ro message? string | +--ro message? string
| +--ro time-stamp? yang:date-and-time | +--ro time-stamp? yang:date-and-time
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? string | +--ro nsf-name? string
| +--ro module-name? string | +--ro module-name? string
| +--ro severity? severity | +--ro severity? severity
+---n nsf-log-vuln-scan +---n nsf-log-vuln-scan
| +--ro vulnerability-id? uint8 | +--ro vulnerability-id? uint8
| +--ro victim-ip? inet:ipv4-address | +--ro victim-ip? inet:ip-address
| +--ro protocol? identityref | +--ro protocol? identityref
| +--ro port-num? inet:port-number | +--ro port-num? inet:port-number
| +--ro level? severity | +--ro level? severity
| +--ro os? string | +--ro os? string
| +--ro vulnerability-info? string | +--ro vulnerability-info? string
| +--ro fix-suggestion? string | +--ro fix-suggestion? string
| +--ro service? string | +--ro service? string
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
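Review bot: vulnerability-id in nsf-log-vuln-scan and policy-id in nsf-log-dpi remain uint8 in both versions, which caps each at 256 values and gives no way to carry an externally assigned identifier. Since this revision already widens the address leaves, widen these as well (uint32, or a string for vulnerability-id) and describe the identifier space in the leaf description.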
skipping to change at page 37, line 7 skipping to change at page 36, line 22
+--ro time-stamp? yang:date-and-time +--ro time-stamp? yang:date-and-time
+--ro vendor-name? string +--ro vendor-name? string
+--ro nsf-name? string +--ro nsf-name? string
+--ro module-name? string +--ro module-name? string
+--ro severity? severity +--ro severity? severity
Figure 1: Information Model for NSF Monitoring Figure 1: Information Model for NSF Monitoring
10. YANG Data Model 10. YANG Data Model
This section introduces a YANG data model for the information model This section describes a YANG module of I2NSF NSF Monitoring. This
of the NSF monitoring information model. YANG module imports from [RFC6991], and makes references to [RFC0768]
[RFC0791][RFC0792][RFC0793][RFC0956][RFC2616][RFC4443][RFC8200].
<CODE BEGINS> file "ietf-i2nsf-monitor@2020-05-07.yang"
module ietf-i2nsf-monitor {
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitor";
prefix
iim;
import ietf-inet-types{
prefix inet;
reference
"Section 4 of RFC 6991";
}
import ietf-yang-types {
prefix yang;
reference
"Section 3 of RFC 6991";
}
organization
"IETF I2NSF (Interface to Network Security Functions)
Working Group";
contact
"WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org>
WG Chair: Linda Dunbar <CODE BEGINS> file "ietf-i2nsf-nsf-monitoring@2020-09-07.yang"
<mailto:Linda.duhbar@huawei.com> module ietf-i2nsf-nsf-monitoring {
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring";
prefix
nsfmi;
import ietf-inet-types{
prefix inet;
reference
"Section 4 of RFC 6991";
}
import ietf-yang-types {
prefix yang;
reference
"Section 3 of RFC 6991";
}
organization
"IETF I2NSF (Interface to Network Security Functions)
Working Group";
contact
"WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org>
Editor: Jaehoon Paul Jeong Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu> <mailto:pauljeong@skku.edu>
Editor: Chaehong Chung Editor: Patrick Lingga
<mailto:darkhong@skku.edu>"; <mailto:patricklink@skku.edu>";
description description
"This module is a YANG module for monitoring NSFs. "This module is a YANG module for I2NSF NSF Monitoring.
Copyright (c) 2018 IETF Trust and the persons identified as Copyright (c) 2020 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 6087; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2020-05-07" { // RFC Ed.: replace XXXX with an actual RFC number and remove
description "The third revision"; // this note.
reference
"RFC XXXX: I2NSF NSF Monitoring YANG Data Model";
}
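Review bot: the license paragraph in the new description drops the opening parenthesis before http://trustee.ietf.org/license-info but keeps the closing one, leaving a stray ")" in the module text; restore the "(". Separately, the module name, namespace and prefix all change here (ietf-i2nsf-monitor / iim to ietf-i2nsf-nsf-monitoring / nsfmi), so anything that subscribed or filtered on the old namespace stops matching. The draft's change log should call this out explicitly.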
typedef severity { revision "2020-09-07" {
type enumeration { description "Initial revision";
enum high { reference
description "RFC XXXX: I2NSF NSF Monitoring YANG Data Model";
"high-level";
}
enum middle {
description
"middle-level";
}
enum low {
description
"low-level";
}
}
description
"An indicator representing severity";
}
typedef log-action {
type enumeration {
enum allow {
description
"If action is allowed";
}
enum alert {
description
"If action is alert";
}
enum block {
description
"If action is block";
}
enum discard {
description
"If action is discarded";
} // RFC Ed.: replace XXXX with an actual RFC number and remove
enum declare { // this note.
description
"If action is declared";
}
enum block-ip {
description
"If action is block-ip";
}
enum block-service{
description
"If action is block-service";
}
}
description
"This is used for protocol";
}
typedef dpi-type{
type enumeration {
enum file-blocking{
description
"DPI for blocking file";
}
enum data-filtering{
description
"DPI for filtering data";
}
enum application-behavior-control{
description
"DPI for controlling application behavior";
}
}
description
"This is used for dpi type";
}
typedef operation-type{
type enumeration {
enum login{
description
"Login operation";
}
enum logout{
description
"Logout operation";
}
enum configuration{
description
"Configuration operation";
} }
}
description
"An indicator representing operation-type";
}
typedef login-mode{
type enumeration {
enum root{
description
"Root login-mode";
}
enum user{
description
"User login-mode";
}
enum guest{
description
"Guest login-mode";
}
}
description
"An indicator representing login-mode";
}
identity characteristics { typedef severity {
description type enumeration {
"Base identity for monitoring information enum high {
characteristics"; description
} "high-level";
identity acquisition-method { }
base characteristics; enum middle {
description description
"The type of acquisition-method. Can be multiple "middle-level";
types at once."; }
} enum low {
identity subscription { description
base acquisition-method; "low-level";
description }
"The acquisition-method type is subscription";
}
identity query {
base acquisition-method;
description
"The acquisition-method type is query";
}
identity emission-type {
base characteristics;
description
"The type of emission-type.";
}
identity periodical {
base emission-type;
description
"The emission-type type is periodical.";
}
identity on-change {
base emission-type;
description
"The emission-type type is on-change.";
}
identity dampening-type {
base characteristics;
description
"The type of dampening-type.";
}
identity no-dampening {
base dampening-type;
description
"The dampening-type is no-dampening.";
}
identity on-repetition {
base dampening-type;
description
"The dampening-type is on-repetition.";
}
identity none {
base dampening-type;
description
"The dampening-type is none.";
}
identity authentication-mode { }
description description
"User authentication mode types: "An indicator representing severity";
e.g., Local Authentication, }
Third-Party Server Authentication, typedef log-action {
Authentication Exemption, or Single Sign-On (SSO) type enumeration {
Authentication."; enum allow {
} description
identity local-authentication { "If action is allowed";
base authentication-mode; }
description enum alert {
"Authentication-mode : local authentication."; description
} "If action is alert";
identity third-party-server-authentication { }
base authentication-mode; enum block {
description description
"If authentication-mode is "If action is block";
third-part-server-authentication"; }
} enum discard {
identity exemption-authentication { description
base authentication-mode; "If action is discarded";
description }
"If authentication-mode is enum declare {
exemption-authentication"; description
} "If action is declared";
identity sso-authentication { }
base authentication-mode; enum block-ip {
description description
"If authentication-mode is "If action is block-ip";
sso-authentication"; }
} enum block-service{
description
"If action is block-service";
}
}
description
"This is used for protocol";
}
typedef dpi-type{
type enumeration {
enum file-blocking{
description
"DPI for blocking file";
}
enum data-filtering{
description
"DPI for filtering data";
}
enum application-behavior-control{
description
"DPI for controlling application behavior";
}
}
description
"This is used for DPI type";
}
typedef operation-type{
type enumeration {
enum login{
description
"Login operation";
}
enum logout{
description
"Logout operation";
}
enum configuration{
description
"Configuration operation";
}
}
description
"An indicator representing operation-type";
}
typedef login-mode{
type enumeration {
enum root{
description
"Root login-mode";
}
enum user{
description
"User login-mode";
}
enum guest{
description
"Guest login-mode";
}
}
description
"An indicator representing login-mode";
}
identity alarm-type { identity characteristics {
description description
"Base identity for detectable alarm types"; "Base identity for monitoring information
} characteristics";
identity MEM-USAGE-ALARM { }
base alarm-type; identity acquisition-method {
description base characteristics;
"A memory alarm is alerted"; description
} "The type of acquisition-method. It can be multiple
identity CPU-USAGE-ALARM { types at once.";
base alarm-type; }
description identity subscription {
"A CPU alarm is alerted"; base acquisition-method;
} description
identity DISK-USAGE-ALARM { "The acquisition-method type is subscription.";
base alarm-type; }
description identity query {
"A disk alarm is alerted"; base acquisition-method;
} description
identity HW-FAILURE-ALARM { "The acquisition-method type is query.";
base alarm-type; }
description identity emission-type {
"A hardware alarm is alerted"; base characteristics;
} description
identity IFNET-STATE-ALARM { "The type of emission-type.";
base alarm-type; }
description identity periodical {
"An interface alarm is alerted"; base emission-type;
} description
identity event-type { "The emission-type type is periodical.";
description }
"Base identity for detectable event types"; identity on-change {
} base emission-type;
identity ACCESS-DENIED { description
base event-type; "The emission-type type is on-change.";
description }
"The system event is access-denied."; identity dampening-type {
} base characteristics;
identity CONFIG-CHANGE { description
base event-type; "The type of dampening-type.";
description }
"The system event is config-change."; identity no-dampening {
} base dampening-type;
description
"The dampening-type is no-dampening.";
}
identity on-repetition {
base dampening-type;
description
"The dampening-type is on-repetition.";
}
identity none {
base dampening-type;
description
"The dampening-type is none.";
}
identity flood-type { identity authentication-mode {
description description
"Base identity for detectable flood types"; "User authentication mode types:
} e.g., Local Authentication,
identity syn-flood { Third-Party Server Authentication,
base flood-type; Authentication Exemption, or Single Sign-On (SSO)
description Authentication.";
"A SYN flood is detected"; }
} identity local-authentication {
identity ack-flood { base authentication-mode;
base flood-type; description
description "Authentication-mode : local authentication.";
"An ACK flood is detected"; }
} identity third-party-server-authentication {
identity syn-ack-flood { base authentication-mode;
base flood-type; description
description "If authentication-mode is
"An SYN-ACK flood is detected"; third-part-server-authentication";
} }
identity fin-rst-flood { identity exemption-authentication {
base flood-type; base authentication-mode;
description description
"A FIN-RST flood is detected"; "If authentication-mode is
} exemption-authentication";
identity tcp-con-flood { }
base flood-type; identity sso-authentication {
description base authentication-mode;
"A TCP connection flood is detected"; description
} "If authentication-mode is
identity udp-flood { sso-authentication";
base flood-type; }
description identity alarm-type {
"A UDP flood is detected"; description
} "Base identity for detectable alarm types";
identity icmp-flood { }
base flood-type; identity MEM-USAGE-ALARM {
description base alarm-type;
"An ICMP flood is detected"; description
} "A memory alarm is alerted.";
identity https-flood { }
base flood-type; identity CPU-USAGE-ALARM {
description base alarm-type;
"A HTTPS flood is detected"; description
} "A CPU alarm is alerted.";
identity http-flood { }
base flood-type; identity DISK-USAGE-ALARM {
description base alarm-type;
"A HTTP flood is detected"; description
} "A disk alarm is alerted.";
identity dns-reply-flood { }
base flood-type; identity HW-FAILURE-ALARM {
description base alarm-type;
"A DNS reply flood is detected"; description
} "A hardware alarm is alerted.";
identity dns-query-flood { }
base flood-type; identity IFNET-STATE-ALARM {
description base alarm-type;
"A DNS query flood is detected"; description
} "An interface alarm is alerted.";
identity sip-flood { }
base flood-type; identity event-type {
description description
"A SIP flood is detected"; "Base identity for detectable event types";
} }
identity ACCESS-DENIED {
base event-type;
description
"The system event is access-denied.";
}
identity CONFIG-CHANGE {
base event-type;
description
"The system event is config-change.";
}
identity nsf-event-name { identity flood-type {
description description
"Base identity for detectable nsf event types"; "Base identity for detectable flood types";
} }
identity SEC-EVENT-DDOS { identity syn-flood {
base nsf-event-name; base flood-type;
description description
"The nsf event is sec-event-ddos."; "A SYN flood is detected.";
} }
identity SESSION-USAGE-HIGH { identity ack-flood {
base nsf-event-name; base flood-type;
description description
"The nsf event is session-usage-high"; "An ACK flood is detected.";
} }
identity SEC-EVENT-VIRUS { identity syn-ack-flood {
base nsf-event-name; base flood-type;
description description
"The nsf event is sec-event-virus"; "A SYN-ACK flood is detected.";
}
identity fin-rst-flood {
base flood-type;
description
"A FIN-RST flood is detected.";
}
identity tcp-con-flood {
base flood-type;
description
"A TCP connection flood is detected.";
}
identity udp-flood {
base flood-type;
description
"A UDP flood is detected.";
}
identity icmp-flood {
base flood-type;
description
"Either an ICMPv4 or ICMPv6 flood is detected.";
}
identity icmpv4-flood {
base flood-type;
description
"An ICMPv4 flood is detected.";
}
identity icmpv6-flood {
base flood-type;
description
"An ICMPv6 flood is detected.";
}
identity http-flood {
base flood-type;
description
"An HTTP flood is detected.";
}
identity https-flood {
base flood-type;
description
"An HTTPS flood is detected.";
}
identity dns-query-flood {
base flood-type;
description
"A DNS query flood is detected.";
} }
identity SEC-EVENT-INTRUSION { identity dns-reply-flood {
base nsf-event-name; base flood-type;
description description
"The nsf event is sec-event-intrusion"; "A DNS reply flood is detected.";
} }
identity SEC-EVENT-BOTNET { identity sip-flood {
base nsf-event-name; base flood-type;
description description
"The nsf event is sec-event-botnet"; "An SIP flood is detected.";
} }
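Review bot: icmpv4-flood and icmpv6-flood are added with "base flood-type" as siblings of icmp-flood, whose description now reads "Either an ICMPv4 or ICMPv6 flood is detected." As written, a filter on icmp-flood will not match the two new identities. Derive them from icmp-flood instead, so that derived-from-or-self() on icmp-flood covers both, or remove icmp-flood. Minor: the sip-flood description changed from "A SIP flood" to "An SIP flood"; the original article was fine.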
identity SEC-EVENT-WEBATTACK { identity nsf-event-name {
base nsf-event-name; description
description "Base identity for detectable NSF event types";
"The nsf event is sec-event-webattack"; }
} identity SEC-EVENT-DDOS {
identity attack-type { base nsf-event-name;
description description
"The root ID of attack-based notification "The NSF event is sec-event-ddos.";
}
identity SESSION-USAGE-HIGH {
base nsf-event-name;
description
"The NSF event is session-usage-high.";
}
identity SEC-EVENT-VIRUS {
base nsf-event-name;
description
"The NSF event is sec-event-virus.";
}
identity SEC-EVENT-INTRUSION {
base nsf-event-name;
description
"The NSF event is sec-event-intrusion.";
}
identity SEC-EVENT-BOTNET {
base nsf-event-name;
description
"The NSF event is sec-event-botnet.";
}
identity SEC-EVENT-WEB-ATTACK {
base nsf-event-name;
description
"The NSF event is sec-event-web-attack.";
}
identity attack-type {
description
"The root ID of attack-based notification
in the notification taxonomy"; in the notification taxonomy";
} }
identity system-attack-type { identity system-attack-type {
base attack-type; base attack-type;
description description
"This ID is intended to be used "This ID is intended to be used
in the context of system events"; in the context of system events.";
} }
identity nsf-attack-type { identity nsf-attack-type {
base attack-type; base attack-type;
description description
"This ID is intended to be used "This ID is intended to be used
in the context of nsf event"; in the context of NSF event.";
} }
identity botnet-attack-type { identity botnet-attack-type {
base nsf-attack-type; base nsf-attack-type;
description description
"This is an ID stub limited to indicating "This indicates that this attack type is botnet.
that this attack type is botnet.
The usual semantic and taxonomy is missing The usual semantic and taxonomy is missing
and name is used."; and a name is used.";
} }
identity virus-type { identity virus-type {
base nsf-attack-type; base nsf-attack-type;
description description
"The type of virus. Can be multiple types at once. "The type of virus. It caan be multiple types at once.
This attack type is associated with a detected This attack type is associated with a detected
system-log virus-attack"; system-log virus-attack.";
} }
identity trojan { identity trojan {
base virus-type; base virus-type;
description description
"The detected virus type is trojan"; "The detected virus type is trojan.";
} }
identity worm { identity worm {
base virus-type; base virus-type;
description description
"The detected virus type is worm"; "The detected virus type is worm.";
} }
identity macro { identity macro {
base virus-type; base virus-type;
description description
"The detected virus type is macro"; "The detected virus type is macro.";
} }
identity intrusion-attack-type { identity intrusion-attack-type {
base nsf-attack-type; base nsf-attack-type;
description description
"The attack type is associated with "The attack type is associated with a detected
a detected system-log intrusion"; system-log intrusion.";
}
identity brute-force {
base intrusion-attack-type;
description
"The intrusion type is brute-force";
}
identity buffer-overflow {
base intrusion-attack-type;
description
"The intrusion type is buffer-overflow";
}
identity web-attack-type {
base nsf-attack-type;
description
"The attack type associated with
a detected system-log web-attack";
}
identity command-injection {
base web-attack-type;
description
"The detected web attack type is command injection";
}
identity xss {
base web-attack-type;
description
"The detected web attack type is XSS";
}
identity csrf {
base web-attack-type;
description
"The detected web attack type is CSRF";
}
identity ddos-attack-type {
base nsf-attack-type;
description
"The attack type is associated with a detected
nsf-log event";
}
identity req-method { }
description identity brute-force {
"A set of request types (if applicable). base intrusion-attack-type;
For instance, PUT or GET in HTTP"; description
} "The intrusion type is brute-force.";
identity put-req { }
base req-method; identity buffer-overflow {
description base intrusion-attack-type;
"The detected request type is PUT"; description
} "The intrusion type is buffer-overflow.";
identity get-req { }
base req-method; identity web-attack-type {
description base nsf-attack-type;
"The detected request type is GET"; description
} "The attack type is associated with a detected
system-log web-attack.";
}
identity command-injection {
base web-attack-type;
description
"The detected web attack type is command injection.";
}
identity xss {
base web-attack-type;
description
"The detected web attack type is XSS.";
}
identity csrf {
base web-attack-type;
description
"The detected web attack type is CSRF.";
}
identity ddos-attack-type {
base nsf-attack-type;
description
"The attack type is associated with a detected
nsf-log event.";
}
identity filter-type { identity req-method {
description description
"The type of filter used to detect, for example, "A set of request types (if applicable).
a web-attack. Can be applicable to more than For instance, PUT or GET in HTTP.";
web-attacks. Can be more than one type."; }
} identity put-req {
identity whitelist { base req-method;
base filter-type; description
description "The detected request type is PUT.";
"The applied filter type is whitelist";
}
identity blacklist {
base filter-type;
description
"The applied filter type is blacklist";
}
identity user-defined {
base filter-type;
description
"The applied filter type is user-defined";
}
identity balicious-category {
base filter-type;
description
"The applied filter is balicious category";
}
identity unknown-filter {
base filter-type;
description
"The applied filter is unknown";
}
identity access-mode { }
description identity get-req {
"Base identity for detectable access mode."; base req-method;
} description
identity ppp { "The detected request type is GET.";
base access-mode; }
description identity filter-type {
"Access-mode : ppp"; description
} "The type of filter used to detect an attack,
identity svn { for example, a web-attack. It can be applicable to
base access-mode; more than web-attacks. It can be more than one type.";
description }
"Access-mode : svn"; identity whitelist {
} base filter-type;
identity local { description
base access-mode; "The applied filter type is whitelist.";
description }
"Access-mode : local"; identity blacklist {
} base filter-type;
description
"The applied filter type is blacklist.";
}
identity user-defined {
base filter-type;
description
"The applied filter type is user-defined.";
}
identity balicious-category {
base filter-type;
description
"The applied filter is balicious category.";
}
identity unknown-filter {
base filter-type;
description
"The applied filter is unknown.";
}
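Review bot: the filter-type identity is still named balicious-category in the new revision, with the description "The applied filter is balicious category.", although the filtering-type leaf-list in nsf-detection-web-attack lists "Malicious Category". This looks like a typo carried over from -03. Rename the identity to malicious-category and fix its description before implementations start depending on the misspelled name.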
identity protocol-type { identity access-mode {
description description
"An identity used to enable type choices in leaves "Base identity for detectable access mode.";
and leaflists wrt protocol metadata."; }
} identity ppp {
identity tcp { base access-mode;
base ipv4; description
base ipv6; "Access-mode: ppp";
description }
"TCP protocol type."; identity svn {
reference base access-mode;
"RFC 793: Transmission Control Protocol"; description
} "Access-mode: svn";
identity udp { }
base ipv4; identity local {
base ipv6; base access-mode;
description description
"UDP protocol type."; "Access-mode: local";
reference }
"RFC 768: User Datagram Protocol";
}
identity icmp {
base ipv4;
base ipv6;
description
"General ICMP protocol type.";
reference
"RFC 792: Internet Control Message Protocol";
}
identity icmpv4 {
base ipv4;
description
"ICMPv4 protocol type.";
}
identity icmpv6 {
base ipv6;
description
"ICMPv6 protocol type.";
}
identity ip {
base protocol-type;
description
"General IP protocol type.";
reference
"RFC 791: Internet Protocol
RFC 2460: Internet Protocol, Version 6 (IPv6)";
}
identity ipv4 {
base ip;
description
"IPv4 protocol type.";
reference
"RFC 791: Internet Protocol";
}
identity ipv6 {
base ip;
description
"IPv6 protocol type.";
reference
"RFC 2460: Internet Protocol, Version 6 (IPv6)";
}
identity http {
base tcp;
description
"HTPP protocol type.";
reference
"RFC 2616: Hypertext Transfer Protocol";
}
identity ftp {
base tcp;
description
"FTP protocol type.";
reference
"RFC 959: File Transfer Protocol";
}
grouping common-monitoring-data {
description
"The data set of common monitoring";
leaf message {
type string;
description
"This is a freetext annotation of
monitoring notification content";
}
leaf time-stamp {
type yang:date-and-time;
description
"Indicates the time of message generation";
}
leaf vendor-name {
type string;
description
"The name of the NSF vendor";
}
leaf nsf-name {
type string;
description
"The name (or IP) of the NSF
generating the message";
}
leaf module-name {
type string;
description
"The module name outputting the message";
}
leaf severity {
type severity;
description
"The severity of the alarm such
as critical, high, middle, low.";
}
}
grouping characteristics{
description
"A set of monitoring information characteristics";
leaf acquisition-method {
type identityref {
base acquisition-method;
}
description
"The acquisition-method for characteristics";
}
leaf emission-type {
type identityref {
base emission-type;
}
description
"The emission-type for characteristics";
}
leaf dampening-type {
type identityref {
base dampening-type;
}
description
"The dampening-type for characteristics";
}
}
grouping i2nsf-system-alarm-type-content {
description
"A set of system alarm type contents";
leaf usage {
type uint8;
description
"specifies the amount of usage";
}
leaf threshold {
type uint8;
description
"The threshold triggering the alarm or the event";
}
}
grouping i2nsf-system-event-type-content {
description
"System event metadata associated
with system events caused by user activity.";
leaf user {
type string;
mandatory true;
description
"Name of a user";
}
leaf group {
type string;
mandatory true;
description
"Group to which a user belongs.";
}
leaf login-ip-addr {
type inet:ipv4-address;
mandatory true;
description
"Login IP address of a user.";
}
leaf authentication {
type identityref {
base authentication-mode;
}
description
"The authentication-mode for authentication";
}
}
grouping i2nsf-nsf-event-type-content-extend {
description
"A set of common IPv4-related NSF event
content elements";
leaf src-ip {
type inet:ipv4-address;
description
"The source IP address of the packet";
}
leaf dst-ip {
type inet:ipv4-address;
description
"The destination IP address of the packet";
}
leaf src-port {
type inet:port-number;
description
"The source port of the packet";
}
leaf dst-port {
type inet:port-number;
description
"The destination port of the packet";
}
leaf src-zone {
type string;
description
"The source security zone of the packet";
} identity protocol-type {
leaf dst-zone { description
type string; "An identity used to enable type choices in leaves
description and leaflists with respect to protocol metadata.";
"The destination security zone of the packet"; }
} identity tcp {
leaf rule-id { base ipv4;
type uint8; base ipv6;
mandatory true; description
description "TCP protocol type.";
"The ID of the rule being triggered"; reference
} "RFC 793: Transmission Control Protocol";
leaf rule-name { }
type string; identity udp {
mandatory true; base ipv4;
description base ipv6;
"The name of the rule being triggered"; description
} "UDP protocol type.";
leaf profile { reference
type string; "RFC 768: User Datagram Protocol";
description }
"Security profile that traffic matches."; identity icmp {
} base ipv4;
leaf raw-info { base ipv6;
type string; description
description "General ICMP protocol type.";
"The information describing the packet reference
triggering the event."; "RFC 792: Internet Control Message Protocol
} RFC 4443: Internet Control Message Protocol
} (ICMPv6) for the Internet Protocol Version 6
grouping i2nsf-nsf-event-type-content { (IPv6) Specification";
description }
"A set of common IPv4-related NSF event identity icmpv4 {
base ipv4;
description
"ICMPv4 protocol type.";
reference
"RFC 791: Internet Protocol
RFC 792: Internet Control Message Protocol";
}
identity icmpv6 {
base ipv6;
description
"ICMPv6 protocol type.";
reference
"RFC 8200: Internet Protocol, Version 6 (IPv6)
RFC 4443: Internet Control Message Protocol (ICMPv6)
for the Internet Protocol Version 6 (IPv6)
Specification";
}
identity ip {
base protocol-type;
description
"General IP protocol type.";
reference
"RFC 791: Internet Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6)";
}
identity ipv4 {
base ip;
description
"IPv4 protocol type.";
reference
"RFC 791: Internet Protocol";
}
identity ipv6 {
base ip;
description
"IPv6 protocol type.";
reference
"RFC 8200: Internet Protocol, Version 6 (IPv6)";
}
identity http {
base tcp;
description
"HTPP protocol type.";
reference
"RFC 2616: Hypertext Transfer Protocol";
}
identity ftp {
base tcp;
description
"FTP protocol type.";
reference
"RFC 959: File Transfer Protocol";
}
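Review bot: identity http still reads "HTPP protocol type." and still cites RFC 2616, even though this revision moved the ip and ipv6 references from RFC 2460 to RFC 8200. RFC 2616 has likewise been obsoleted (by the RFC 7230 series), so fix the typo to "HTTP" and update the reference in the same pass.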
grouping common-monitoring-data {
description
"The data set of common monitoring";
leaf message {
type string;
description
"This is a freetext annotation for
monitoring a notification's content.";
}
leaf time-stamp {
type yang:date-and-time;
description
"It indicates the time of a message's generation.";
}
leaf vendor-name {
type string;
description
"The name of the NSF vendor";
}
leaf nsf-name {
type string;
description
"The name (or IP) of the NSF generating the message.";
}
leaf module-name {
type string;
description
"The module name outputting the message.";
}
leaf severity {
type severity;
description
"The severity of the alarm such as critical, high,
middle, low.";
}
}
grouping characteristics{
description
"A set of monitoring information characteristics";
leaf acquisition-method {
type identityref {
base acquisition-method;
}
description
"The acquisition-method for characteristics";
}
leaf emission-type {
type identityref {
base emission-type;
}
description
"The emission-type for characteristics";
}
leaf dampening-type {
type identityref {
base dampening-type;
}
description
"The dampening-type for characteristics";
}
}
grouping i2nsf-system-alarm-type-content {
description
"A set of system alarm type contents";
leaf usage {
type uint8;
description
"specifies the amount of usage";
}
leaf threshold {
type uint8;
description
"The threshold triggering the alarm or the event";
}
}
grouping i2nsf-system-event-type-content {
description
"System event metadata associated with system events
caused by user activity.";
leaf user {
type string;
mandatory true;
description
"The name of a user";
}
leaf group {
type string;
mandatory true;
description
"The group to which a user belongs.";
}
leaf login-ip-addr {
type inet:ip-address;
mandatory true;
description
"Th login IPv4 (or IPv6) address of a user.";
}
leaf authentication {
type identityref {
base authentication-mode;
}
description
"The authentication-mode for authentication";
}
}
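Review bot: the new login-ip-addr description in i2nsf-system-event-type-content has a typo, "Th login IPv4 (or IPv6) address of a user."; it should read "The login ...". The type change to inet:ip-address itself matches the other address leaves in this revision.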
grouping i2nsf-nsf-event-type-content-extend {
description
"A set of common IPv4-related NSF event content
elements";
leaf src-ip {
type inet:ip-address;
description
"The source IPv4 (or IPv6) address of the packet";
}
leaf dst-ip {
type inet:ip-address;
description
"The destination IPv4 (or IPv6) address of the
packet";
}
leaf src-port {
type inet:port-number;
description
"The source port of the packet";
}
leaf dst-port {
type inet:port-number;
description
"The destination port of the packet";
}
leaf src-zone {
type string;
description
"The source security zone of the packet";
}
leaf dst-zone {
type string;
description
"The destination security zone of the packet";
}
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule being triggered";
}
leaf rule-name {
type string;
mandatory true;
description
"The name of the rule being triggered";
}
leaf profile {
type string;
description
"Security profile that traffic matches.";
}
leaf raw-info {
type string;
description
"The information describing the packet triggering
the event.";
}
}
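Review bot: the description of i2nsf-nsf-event-type-content-extend still says "A set of common IPv4-related NSF event content elements" although src-ip and dst-ip are now inet:ip-address. The sibling grouping i2nsf-nsf-event-type-content was updated to "IPv4 (or IPv6)-related", so this one should match. Separately, rule-id is a mandatory uint8, which cannot identify more than 256 rules; a wider unsigned type would avoid ambiguous rule attribution in alerts from NSFs with large rule sets.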
grouping i2nsf-nsf-event-type-content {
description
"A set of common IPv4 (or IPv6)-related NSF event
content elements"; content elements";
leaf dst-ip { leaf dst-ip {
type inet:ipv4-address; type inet:ip-address;
description description
"The destination IP address of the packet"; "The destination IPv4 (IPv6) address of the packet";
} }
leaf dst-port { leaf dst-port {
type inet:port-number; type inet:port-number;
description description
"The destination port of the packet"; "The destination port of the packet";
} }
leaf rule-id { leaf rule-id {
type uint8; type uint8;
mandatory true; mandatory true;
description description
"The ID of the rule being triggered"; "The ID of the rule being triggered";
} }
leaf rule-name { leaf rule-name {
type string; type string;
mandatory true; mandatory true;
description description
"The name of the rule being triggered"; "The name of the rule being triggered";
} }
leaf profile { leaf profile {
type string; type string;
description description
"Security profile that traffic matches."; "Security profile that traffic matches";
} }
leaf raw-info { leaf raw-info {
type string; type string;
description description
"The information describing the packet "The information describing the packet
triggering the event."; triggering the event";
} }
} }
grouping traffic-rates { grouping traffic-rates {
description description
"A set of traffic rates "A set of traffic rates for statistics data";
for statistics data"; leaf total-traffic {
leaf total-traffic { type uint32;
type uint32; description
description "Total traffic";
"Total traffic"; }
} leaf in-traffic-ave-rate {
leaf in-traffic-ave-rate { type uint32;
type uint32; description
description "Inbound traffic average rate in pps";
"Inbound traffic average rate in pps"; }
} leaf in-traffic-peak-rate {
leaf in-traffic-peak-rate { type uint32;
type uint32; description
description "Inbound traffic peak rate in pps";
"Inbound traffic peak rate in pps"; }
} leaf in-traffic-ave-speed {
leaf in-traffic-ave-speed { type uint32;
type uint32; description
description "Inbound traffic average speed in bps";
"Inbound traffic average speed in bps"; }
} leaf in-traffic-peak-speed {
leaf in-traffic-peak-speed { type uint32;
type uint32; description
description "Inbound traffic peak speed in bps";
"Inbound traffic peak speed in bps"; }
leaf out-traffic-ave-rate {
type uint32;
description
"Outbound traffic average rate in pps";
}
leaf out-traffic-peak-rate {
type uint32;
description
"Outbound traffic peak rate in pps";
}
leaf out-traffic-ave-speed {
type uint32;
description
"Outbound traffic average speed in bps";
}
leaf out-traffic-peak-speed {
type uint32;
description
"Outbound traffic peak speed in bps";
}
}
grouping i2nsf-system-counter-type-content{
description
"A set of system counter type contents";
leaf interface-name {
type string;
description
"Network interface name configured in an NSF";
}
leaf in-total-traffic-pkts {
type uint32;
description
"Total inbound packets";
}
leaf out-total-traffic-pkts {
type uint32;
description
"Total outbound packets";
}
leaf in-total-traffic-bytes {
type uint32;
description
"Total inbound bytes";
}
leaf out-total-traffic-bytes {
type uint32;
description
"Total outbound bytes";
}
leaf in-drop-traffic-pkts {
type uint32;
description
"Total inbound drop packets";
}
leaf out-drop-traffic-pkts {
type uint32;
description
"Total outbound drop packets";
} }
leaf out-traffic-ave-rate { leaf in-drop-traffic-bytes {
type uint32; type uint32;
description description
"Outbound traffic average rate in pps"; "Total inbound drop bytes";
} }
leaf out-traffic-peak-rate { leaf out-drop-traffic-bytes {
type uint32; type uint32;
description description
"Outbound traffic peak rate in pps"; "Total outbound drop bytes";
} }
leaf out-traffic-ave-speed { uses traffic-rates;
type uint32; }
description grouping i2nsf-nsf-counters-type-content{
"Outbound traffic average speed in bps"; description
} "A set of NSF counters type contents";
leaf out-traffic-peak-speed { leaf src-ip {
type uint32; type inet:ip-address;
description description
"Outbound traffic peak speed in bps"; "The source IPv4 (or IPv6) address of the packet";
} }
} leaf dst-ip {
grouping i2nsf-system-counter-type-content{ type inet:ip-address;
description description
"A set of system counter type contents"; "The destination IPv4 (or IPv6) address of the
leaf interface-name { packet";
type string; }
description leaf src-port {
"Network interface name configured in NSF"; type inet:port-number;
} description
leaf in-total-traffic-pkts { "The source port of the packet";
type uint32; }
description leaf dst-port {
"Total inbound packets"; type inet:port-number;
} description
leaf out-total-traffic-pkts { "The destination port of the packet";
type uint32; }
description leaf src-zone {
"Total outbound packets"; type string;
} description
leaf in-total-traffic-bytes { "The source security zone of the packet";
type uint32; }
description leaf dst-zone {
"Total inbound bytes"; type string;
} description
leaf out-total-traffic-bytes { "The destination security zone of the packet";
type uint32; }
description leaf src-region {
"Total outbound bytes"; type string;
} description
leaf in-drop-traffic-pkts { "Source region of the traffic";
type uint32; }
description leaf dst-region{
"Total inbound drop packets"; type string;
} description
leaf out-drop-traffic-pkts { "Destination region of the traffic";
type uint32; }
description leaf policy-id {
"Total outbound drop packets"; type uint8;
} description
leaf in-drop-traffic-bytes { "The ID of the policy being triggered";
type uint32; }
description leaf policy-name {
"Total inbound drop bytes"; type string;
} description
leaf out-drop-traffic-bytes { "The name of the policy being triggered";
type uint32; }
description leaf src-user{
"Total outbound drop bytes"; type string;
} description
uses traffic-rates; "User who generates traffic";
} }
grouping i2nsf-nsf-counters-type-content{ leaf protocol {
description type identityref {
"A set of nsf counters type contents"; base protocol-type;
leaf src-ip { }
type inet:ipv4-address; description
description "Protocol type of traffic";
"The source IP address of the packet"; }
} leaf app {
leaf dst-ip { type string;
type inet:ipv4-address; description
description "Application type of traffic";
"The destination IP address of the packet"; }
} }
leaf src-port {
type inet:port-number; notification system-detection-alarm {
description description
"The source port of the packet"; "This notification is sent, when a system alarm
}
leaf dst-port {
type inet:port-number;
description
"The destination port of the packet";
}
leaf src-zone {
type string;
description
"The source security zone of the packet";
}
leaf dst-zone {
type string;
description
"The destination security zone of the packet";
}
leaf src-region {
type string;
description
"Source region of the traffic";
}
leaf dst-region{
type string;
description
"Destination region of the traffic";
}
leaf policy-id {
type uint8;
description
"The ID of the policy being triggered";
}
leaf policy-name {
type string;
description
"The name of the policy being triggered";
}
leaf src-user{
type string;
description
"User who generates traffic";
}
leaf protocol {
type identityref {
base protocol-type;
}
description
"Protocol type of traffic";
}
leaf app {
type string;
description
"Application type of traffic";
}
}
notification system-detection-alarm {
description
"This notification is sent, when a system alarm
is detected."; is detected.";
leaf alarm-category { leaf alarm-category {
type identityref { type identityref {
base alarm-type; base alarm-type;
} }
description description
"The alarm category for "The alarm category for
system-detection-alarm notification"; system-detection-alarm notification";
} }
uses characteristics; uses characteristics;
uses i2nsf-system-alarm-type-content; uses i2nsf-system-alarm-type-content;
uses common-monitoring-data; uses common-monitoring-data;
} }
notification system-detection-event { notification system-detection-event {
description description
"This notification is sent, when a security-sensitive "This notification is sent, when a security-sensitive
authentication action fails."; authentication action fails.";
leaf event-category { leaf event-category {
type identityref { type identityref {
base event-type; base event-type;
} }
description description
"The event category for system-detection-event"; "The event category for system-detection-event";
} }
uses characteristics; uses characteristics;
uses i2nsf-system-event-type-content; uses i2nsf-system-event-type-content;
uses common-monitoring-data; uses common-monitoring-data;
} }
notification nsf-detection-flood { notification nsf-detection-flood {
description description
"This notification is sent, "This notification is sent, when a specific flood type
when a specific flood type is detected"; is detected.";
leaf event-name { leaf event-name {
type identityref { type identityref {
base SEC-EVENT-DDOS; base SEC-EVENT-DDOS;
} }
description description
"The event name for nsf-detection-flood"; "The event name for nsf-detection-flood";
} }
uses i2nsf-nsf-event-type-content; uses i2nsf-nsf-event-type-content;
leaf sub-attack-type { leaf sub-attack-type {
type identityref { type identityref {
base flood-type; base flood-type;
} }
description description
"Any one of Syn flood, ACK flood, SYN-ACK flood, "Any one of Syn flood, ACK flood, SYN-ACK flood,
FIN/RST flood, TCP Connection flood, UDP flood, FIN/RST flood, TCP Connection flood, UDP flood,
Icmp flood, HTTPS flood, HTTP flood, DNS query flood, ICMP (i.e., ICMPv4 or ICMPv6)cmp flood, HTTP flood,
DNS reply flood, SIP flood, etc."; HTTPS flood, DNS query flood, DNS reply flood, SIP
} flood, etc.";
leaf start-time { }
type yang:date-and-time; leaf start-time {
mandatory true; type yang:date-and-time;
description mandatory true;
"The time stamp indicating when the attack started"; description
} "The time stamp indicating when the attack started";
leaf end-time { }
type yang:date-and-time; leaf end-time {
mandatory true; type yang:date-and-time;
description mandatory true;
"The time stamp indicating when the attack ended"; description
} "The time stamp indicating when the attack ended";
leaf attack-rate { }
type uint32; leaf attack-rate {
description type uint32;
"The PPS rate of attack traffic"; description
} "The PPS rate of attack traffic";
leaf attack-speed { }
type uint32; leaf attack-speed {
description type uint32;
"The BPS speed of attack traffic"; description
} "The BPS speed of attack traffic";
uses common-monitoring-data; }
} uses common-monitoring-data;
notification nsf-detection-session-table { }
description notification nsf-detection-session-table {
"This notification is sent, when a session table description
event is detected"; "This notification is sent, when a session table
leaf current-session { event is detected.";
type uint8; leaf current-session {
description type uint8;
"The number of concurrent sessions"; description
} "The number of concurrent sessions";
leaf maximum-session { }
type uint8; leaf maximum-session {
description type uint8;
"The maximum number of sessions that the session description
table can support"; "The maximum number of sessions that the session
} table can support";
leaf threshold { }
type uint8; leaf threshold {
description type uint8;
"The threshold triggering the event"; description
"The threshold triggering the event";
}
uses common-monitoring-data;
}
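Review bot: in nsf-detection-flood above, the new sub-attack-type description contains garbled text, "ICMP (i.e., ICMPv4 or ICMPv6)cmp flood", which appears to be a leftover from editing "Icmp flood". It should read "ICMP (i.e., ICMPv4 or ICMPv6) flood", and "Syn flood" could be capitalized as "SYN flood" to match the rest of the list.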
notification nsf-detection-virus {
description
"This notification is sent, when a virus is detected.";
uses i2nsf-nsf-event-type-content-extend;
leaf virus {
type identityref {
base virus-type;
}
description
"The virus type for nsf-detection-virus notification";
}
leaf virus-name {
type string;
description
"The name of the detected virus";
}
} leaf file-type {
uses common-monitoring-data; type string;
} description
notification nsf-detection-virus { "The type of file virus code is found in (if
description applicable).";
"This notification is sent, when a virus is detected"; }
uses i2nsf-nsf-event-type-content-extend; leaf file-name {
leaf virus { type string;
type identityref { description
base virus-type; "The name of file virus code is found in (if
} applicable).";
description }
"The virus type for nsf-detection-virus notification"; uses common-monitoring-data;
} }
leaf virus-name { notification nsf-detection-intrusion {
type string; description
description "This notification is sent, when an intrusion event
"The name of the detected virus"; is detected.";
} uses i2nsf-nsf-event-type-content-extend;
leaf protocol {
type identityref {
base protocol-type;
}
description
"The protocol type for nsf-detection-intrusion
notification";
}
leaf app {
type string;
description
"The employed application layer protocol";
}
leaf sub-attack-type {
type identityref {
base intrusion-attack-type;
}
description
"The sub attack type for intrusion attack";
}
uses common-monitoring-data;
}
notification nsf-detection-botnet {
description
"This notification is sent, when a botnet event is
detected.";
uses i2nsf-nsf-event-type-content-extend;
leaf attack-type {
type identityref {
base botnet-attack-type;
}
description
"The attack type for botnet attack";
}
leaf protocol {
type identityref {
base protocol-type;
}
description
"The protocol type for nsf-detection-botnet notification";
}
leaf botnet-name {
type string;
description
"The name of the detected botnet";
}
leaf role {
type string;
description
"The role of the communicating
parties within the botnet";
}
uses common-monitoring-data;
}
notification nsf-detection-web-attack {
description
"This notification is sent, when an attack event is
detected.";
uses i2nsf-nsf-event-type-content-extend;
leaf sub-attack-type {
type identityref {
base web-attack-type;
}
description
"Concrete web attack type, e.g., SQL injection,
command injection, XSS, and CSRF.";
leaf file-type { }
type string; leaf request-method {
description type identityref {
"The type of file virus code base req-method;
is found in (if applicable)."; }
} description
leaf file-name { "The method of requirement. For instance, PUT or
type string; GET in HTTP.";
description }
"The name of file virus code leaf req-uri {
is found in (if applicable)."; type string;
} description
uses common-monitoring-data; "Requested URI";
} }
notification nsf-detection-intrusion { leaf uri-category {
description type string;
"This notification is sent, when an intrusion event description
is detected."; "Matched URI category";
uses i2nsf-nsf-event-type-content-extend; }
leaf protocol { leaf-list filtering-type {
type identityref { type identityref {
base protocol-type; base filter-type;
} }
description description
"The protocol type for "URL filtering type, e.g., Blacklist, Whitelist,
nsf-detection-intrusion notification"; User-Defined, Predefined, Malicious Category,
} and Unknown";
leaf app { }
type string; uses common-monitoring-data;
description }
"The employed application layer protocol"; notification system-access-log {
} description
leaf sub-attack-type { "The notification is sent, if there is a new system
type identityref { log entry about a system access event.";
base intrusion-attack-type; leaf login-ip {
} type inet:ip-address;
description mandatory true;
"The sub attack type for intrusion attack"; description
} "Login IP address of a user";
uses common-monitoring-data; }
} leaf administrator {
notification nsf-detection-botnet { type string;
description description
"This notification is sent, when a botnet event is "Administrator that maintains the device";
detected"; }
uses i2nsf-nsf-event-type-content-extend; leaf login-mode {
leaf attack-type { type login-mode;
type identityref { description
base botnet-attack-type; "Specifies the administrator log-in mode";
} }
description leaf operation-type {
"The attack type for botnet attack"; type operation-type;
} description
leaf protocol { "The operation type that the administrator executes";
type identityref { }
base protocol-type; leaf result {
} type string;
description description
"The protocol type for nsf-detection-botnet notification"; "Command execution result";
} }
leaf botnet-name { leaf content {
type string; type string;
description description
"The name of the detected botnet"; "The Operation performed by an administrator after
} login";
leaf role { }
type string; uses characteristics;
description }
"The role of the communicating notification system-res-util-log {
parties within the botnet"; description
} "This notification is sent, if there is a new log
uses common-monitoring-data; entry representing resource utilization updates.";
} leaf system-status {
notification nsf-detection-web-attack {
description
"This notification is sent, when an attack event is
detected";
uses i2nsf-nsf-event-type-content-extend;
leaf sub-attack-type {
type identityref {
base web-attack-type;
}
description
"Concrete web attack type, e.g., sql injection,
command injection, XSS, CSRF";
}
leaf request-method {
type identityref {
base req-method;
}
description
"The method of requirement. For instance, PUT or
GET in HTTP";
}
leaf req-uri {
type string;
description
"Requested URI";
}
leaf uri-category {
type string;
description
"Matched URI category";
}
leaf-list filtering-type {
type identityref {
base filter-type;
}
description
"URL filtering type, e.g., Blacklist, Whitelist,
User-Defined, Predefined, Malicious Category,
Unknown";
}
uses common-monitoring-data;
}
notification system-access-log {
description
"The notification is sent, if there is
a new system log entry about
a system access event";
leaf login-ip {
type inet:ipv4-address;
mandatory true;
description
"Login IP address of a user";
}
leaf administrator {
type string;
description
"Administrator that maintains the device";
}
leaf login-mode {
type login-mode;
description
"Specifies the administrator log-in mode";
}
leaf operation-type {
type operation-type;
description
"The operation type that the administrator executes";
}
leaf result {
type string;
description
"Command execution result";
}
leaf content {
type string; type string;
description description
"The Operation performed by an administrator "The current systems running status";
after login"; }
} leaf cpu-usage {
uses characteristics; type uint8;
} description
notification system-res-util-log { "Specifies the relative amount of CPU usage with
description respect to platform resources";
"This notification is sent, if there is }
a new log entry representing resource leaf memory-usage {
utilization updates.";
leaf system-status {
type string;
description
"The current systems
running status";
}
leaf cpu-usage {
type uint8; type uint8;
description description
"Specifies the relative amount of "Specifies the amount of memory usage.";
cpu usage wrt platform resources"; }
} leaf disk-usage {
leaf memory-usage { type uint8;
type uint8; description
description "Specifies the amount of disk usage";
"Specifies the amount of memory usage"; }
} leaf disk-left {
leaf disk-usage {
type uint8; type uint8;
description description
"Specifies the amount of disk usage"; "Specifies the amount of disk left";
} }
leaf disk-left { leaf session-num {
type uint8; type uint8;
description
"The total number of sessions";
}
leaf process-num {
type uint8;
description
"The total number of process";
}
leaf in-traffic-rate {
type uint32;
description
"The total inbound traffic rate in pps";
}
leaf out-traffic-rate {
type uint32;
description
"The total outbound traffic rate in pps";
}
leaf in-traffic-speed {
type uint32;
description
"The total inbound traffic speed in bps";
}
leaf out-traffic-speed {
type uint32;
description
"The total outbound traffic speed in bps";
}
uses characteristics;
}
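Review bot: session-num and process-num in system-res-util-log are uint8, so neither can report more than 255; the same applies to current-session and maximum-session in nsf-detection-session-table. For a monitoring model meant to reveal session-table exhaustion or overload, these counts need a wider type such as uint32. The usage leaves (cpu-usage, memory-usage, disk-usage, disk-left) also state no unit; if they are percentages, say so in the description and consider a range restriction of 0..100.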
notification system-user-activity-log {
description
"This notification is sent, if there is a new user
activity log entry.";
uses characteristics;
uses i2nsf-system-event-type-content;
leaf access {
type identityref {
base access-mode;
}
description
"The access type for system-user-activity-log
notification";
}
leaf online-duration {
type string;
description
"Online duration";
}
leaf logout-duration {
type string;
description
"Lockout duration";
}
leaf additional-info {
type string;
description
"User activities, e.g., Successful User Login,
Failed Login attempts, User Logout, Successful User
Password Change, Failed User Password Change, User
Lockout, User Unlocking, and Unknown.";
}
}
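Review bot: in system-user-activity-log the leaf is named logout-duration but its description is "Lockout duration". One of the two is wrong, and a consumer correlating failed logins with account lockouts cannot tell which is meant. Align the name and the description, and since both duration leaves are plain strings, state the expected format or unit.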
notification nsf-log-ddos {
description
"This notification is sent, if there is a new DDoS
event log entry in the NSF log.";
leaf attack-type {
type identityref {
base ddos-attack-type;
}
description
"The DDoS attack type for nsf-log-ddos notification";
}
leaf attack-ave-rate {
type uint32;
description
"The average PPS of attack traffic";
}
leaf attack-ave-speed {
type uint32;
description
"the average bps of attack traffic";
}
leaf attack-pkt-num {
type uint32;
description
"the number of attack packets";
}
leaf attack-src-ip {
type inet:ip-address;
description
"The source IPv4 (or IPv6) addresses of attack
traffic. If there are a large amount of IPv4
(or IPv6) addresses, then pick a certain number
of resources according to different rules.";
}
leaf action {
type log-action;
description
"Action type: allow, alert, block, discard, declare,
block-ip, block-service";
}
uses characteristics;
uses common-monitoring-data;
}
notification nsf-log-virus {
description
"This notification is sent, if there is a new virus
event log entry in the NSF log.";
leaf attack-type {
type identityref {
base virus-type;
}
description
"The virus type for nsf-log-virus notification";
}
leaf action {
type log-action;
description
"Action type: allow, alert, block, discard, declare,
block-ip, block-service";
}
leaf os{
type string;
description
"simple OS information";
}
leaf time {
type yang:date-and-time;
mandatory true;
description
"It is the time when the message is generated.";
}
uses characteristics;
uses common-monitoring-data;
}
notification nsf-log-intrusion {
description
"This notification is sent, if there is a new
intrusion event log entry in the NSF log.";
leaf attack-type {
type identityref {
base intrusion-attack-type;
}
description
"The intrusion attack type for nsf-log-intrusion
notification";
}
leaf action {
type log-action;
description
"Action type: allow, alert, block, discard, declare,
block-ip, block-service";
}
leaf time {
type yang:date-and-time;
mandatory true;
description
"It is the time when the message is generated.";
}
leaf attack-rate {
type uint32;
description
"The PPS of attack traffic";
}
leaf attack-speed {
type uint32;
description
"The bps of attack traffic";
}
uses characteristics;
uses common-monitoring-data;
}
notification nsf-log-botnet {
description
"This notification is sent, if there is a new botnet
event log in the NSF log.";
leaf attack-type {
type identityref {
base botnet-attack-type;
}
description
"The botnet attack type for nsf-log-botnet notification";
}
leaf action {
type log-action;
description
"Action type: allow, alert, block, discard, declare,
block-ip, block-service";
}
leaf botnet-pkt-num{
type uint8;
description
"The number of the packets sent to or from the detected botnet";
}
leaf os{
type string;
description
"simple OS information";
}
uses characteristics;
uses common-monitoring-data;
}
notification nsf-log-dpi {
description
"This notification is sent, if there is a new DPI
event in the NSF log.";
leaf attack-type {
type dpi-type;
description
"The type of the DPI";
}
uses characteristics;
uses i2nsf-nsf-counters-type-content;
uses common-monitoring-data;
}
notification nsf-log-vuln-scan {
description
"This notification is sent, if there is a new
vulnerability-scan report in the NSF log.";
leaf vulnerability-id {
type uint8;
description
"The vulnerability ID";
}
leaf victim-ip {
type inet:ip-address;
description
"IPv4 (or IPv6) address of the victim host which
has vulnerabilities";
}
leaf protocol {
type identityref {
base protocol-type;
}
description
"The protocol type for nsf-log-vuln-scan
notification";
}
leaf port-num {
type inet:port-number;
description description
"Specifies the amount of disk left"; "The port number";
} }
leaf session-num { leaf level {
type uint8; type severity;
description description
"The total number of sessions"; "The vulnerability severity";
} }
leaf process-num { leaf os {
type uint8; type string;
description description
"The total number of process"; "simple OS information";
} }
leaf in-traffic-rate { leaf vulnerability-info {
type uint32; type string;
description description
"The total inbound traffic rate in pps"; "The information about the vulnerability";
} }
leaf out-traffic-rate { leaf fix-suggestion {
type uint32; type string;
description description
"The total outbound traffic rate in pps"; "The fix suggestion to the vulnerability";
} }
leaf in-traffic-speed { leaf service {
type uint32; type string;
description description
"The total inbound traffic speed in bps"; "The service which has vulnerability in the victim
} host";
leaf out-traffic-speed { }
type uint32; uses characteristics;
description uses common-monitoring-data;
"The total outbound traffic speed in bps"; }
} notification nsf-log-web-attack {
uses characteristics; description
} "This notification is sent, if there is a new
notification system-user-activity-log { web-attack event in the NSF log.";
description leaf attack-type {
"This notification is sent, if there is type identityref {
a new user activity log entry"; base web-attack-type;
uses characteristics; }
uses i2nsf-system-event-type-content; description
leaf access { "The web attack type for nsf-log-web-attack
type identityref { notification";
base access-mode; }
} leaf rsp-code {
description type string;
"The access type for description
system-user-activity-log notification"; "Response code";
} }
leaf online-duration { leaf req-clientapp {
type string; type string;
description description
"Online duration"; "The client application";
} }
leaf logout-duration { leaf req-cookies {
type string; type string;
description description
"Lockout duration"; "Cookies";
} }
leaf additional-info { leaf req-host {
type string; type string;
description description
"User activities. e.g., Successful "The domain name of the requested host";
User Login, Failed Login attempts, }
User Logout, Successful User leaf raw-info {
Password Change, Failed User type string;
Password Change, User Lockout, description
User Unlocking, Unknown"; "The information describing the packet triggering
} the event.";
} }
notification nsf-log-ddos { uses characteristics;
description uses common-monitoring-data;
"This notification is sent, if there is }
a new DDoS event log entry in the nsf log"; container counters {
leaf attack-type { description
type identityref { "This is probably better covered by an import as this
base ddos-attack-type; will not be notifications. Counters are not very
} suitable as telemetry, maybe via periodic
description subscriptions, which would still violate the principle
"The ddos attack type for of least surprise.";
nsf-log-ddos notification"; container system-interface {
} description
leaf attack-ave-rate { "The system counter type is interface counter.";
type uint32; uses characteristics;
description uses i2nsf-system-counter-type-content;
"The ave PPS of attack traffic"; uses common-monitoring-data;
} }
leaf attack-ave-speed { container nsf-firewall {
type uint32; description
description "The NSF counter type is firewall counter.";
"the ave bps of attack traffic";
}
leaf attack-pkt-num {
type uint32;
description
"the number of attack packets";
}
leaf attack-src-ip {
type inet:ipv4-address;
description
"The source IP addresses of attack
traffics. If there are a large
amount of IP addresses, then
pick a certain number of resources
according to different rules.";
}
leaf action {
type log-action;
description
"Action type: allow, alert,
block, discard, declare,
block-ip, block-service";
}
uses characteristics;
uses common-monitoring-data;
}
notification nsf-log-virus {
description
"This notification is sent, if there is
a new virus event log entry in the nsf log";
leaf attack-type {
type identityref {
base virus-type;
}
description
"The virus type for nsf-log-virus notification";
}
leaf action {
type log-action;
description
"Action type: allow, alert,
block, discard, declare,
block-ip, block-service";
}
leaf os{
type string;
description
"simple os information";
}
leaf time {
type yang:date-and-time;
mandatory true;
description
"Indicate the time when the message
is generated";
}
uses characteristics;
uses common-monitoring-data;
}
notification nsf-log-intrusion {
description
"This notification is sent, if there is
a new intrusion event log entry in the nsf log";
leaf attack-type {
type identityref {
base intrusion-attack-type;
}
description
"The intrusion attack type for
nsf-log-intrusion notification";
}
leaf action {
type log-action;
description
"Action type: allow, alert,
block, discard, declare,
block-ip, block-service";
}
leaf time {
type yang:date-and-time;
mandatory true;
description
"Indicate the time when the message
is generated";
}
leaf attack-rate {
type uint32;
description
"The PPS of attack traffic";
}
leaf attack-speed {
type uint32;
description
"The bps of attack traffic";
}
uses characteristics;
uses common-monitoring-data;
}
notification nsf-log-botnet {
description
"This notification is sent, if there is
a new botnet event log in the nsf log";
leaf attack-type {
type identityref {
base botnet-attack-type;
}
description
"The botnet attack type for
nsf-log-botnet notification";
}
leaf action {
type log-action;
description
"Action type: allow, alert,
block, discard, declare,
block-ip, block-service";
}
leaf botnet-pkt-num{
type uint8;
description
"The number of the packets sent to
or from the detected botnet";
}
leaf os{
type string;
description
"simple os information";
}
uses characteristics;
uses common-monitoring-data;
}
notification nsf-log-dpi {
description
"This notification is sent, if there is
a new dpi event in the nsf log";
leaf attack-type {
type dpi-type;
description
"The type of the dpi";
} uses characteristics;
uses characteristics; uses i2nsf-nsf-counters-type-content;
uses i2nsf-nsf-counters-type-content; uses traffic-rates;
uses common-monitoring-data; }
} container nsf-policy-hits {
notification nsf-log-vuln-scan { description
description "The counters of policy hit";
"This notification is sent, if there is uses characteristics;
a new vulnerability-scan report in the nsf log"; uses i2nsf-nsf-counters-type-content;
leaf vulnerability-id { uses common-monitoring-data;
type uint8; leaf hit-times {
description type uint32;
"The vulnerability id"; description
} "The hit times for policy";
leaf victim-ip { }
type inet:ipv4-address; }
description }
"IP address of the victim host }
which has vulnerabilities"; <CODE ENDS>
}
leaf protocol {
type identityref {
base protocol-type;
}
description
"The protocol type for
nsf-log-vuln-scan notification";
}
leaf port-num {
type inet:port-number;
description
"The port number";
}
leaf level {
type severity;
description
"The vulnerability severity";
}
leaf os {
type string;
description
"simple os information";
}
leaf vulnerability-info {
type string;
description
"The information about the vulnerability";
}
leaf fix-suggestion {
type string;
description
"The fix suggestion to the vulnerability";
}
leaf service {
type string;
description
"The service which has vulnerability in the victim host";
}
uses characteristics;
uses common-monitoring-data;
}
notification nsf-log-web-attack {
description
"This notification is sent, if there is
a new web-attack event in the nsf log";
leaf attack-type {
type identityref {
base web-attack-type;
}
description
"The web attack type for
nsf-log-web-attack notification";
}
leaf rsp-code {
type string;
description
"Response code";
}
leaf req-clientapp {
type string;
description
"The client application";
}
leaf req-cookies {
type string;
description
"Cookies";
}
leaf req-host {
type string;
description
"The domain name of the requested host";
}
leaf raw-info {
type string;
description
"The information describing
the packet triggering the event.";
}
uses characteristics;
uses common-monitoring-data;
}
container counters {
description
"This is probably better covered by an import
as this will not be notifications.
Counter are not very suitable as telemetry, maybe
via periodic subscriptions, which would still
violate principle of least surprise.";
container system-interface {
description
"The system counter type is interface counter";
uses characteristics;
uses i2nsf-system-counter-type-content;
uses common-monitoring-data;
}
container nsf-firewall {
description
"The nsf counter type is firewall counter";
uses characteristics;
uses i2nsf-nsf-counters-type-content;
uses traffic-rates;
}
container nsf-policy-hits {
description
"The counters of policy hit";
uses characteristics;
uses i2nsf-nsf-counters-type-content;
uses common-monitoring-data;
leaf hit-times {
type uint32;
description
"The hit times for policy";
}
}
}
}
<CODE ENDS>
Figure 2: Data Model of Monitoring Figure 2: Data Model of Monitoring
11. IANA Considerations 11. IANA Considerations
This document requests IANA to register the following URI in the This document requests IANA to register the following URI in the
"IETF XML Registry" [RFC3688]: "IETF XML Registry" [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitor URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace. XML: N/A; the requested URI is an XML namespace.
This document requests IANA to register the following YANG module in This document requests IANA to register the following YANG module in
the "YANG Module Names" registry [RFC6020][RFC7950]. the "YANG Module Names" registry [RFC7950][RFC8525]:
name: ietf-i2nsf-monitor name: ietf-i2nsf-nsf-monitoring
namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitor namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring
prefix: iim prefix: nsfmi
reference: RFC XXXX reference: RFC XXXX
// RFC Ed.: replace XXXX with an actual RFC number and remove
// this note.
12. Security Considerations 12. Security Considerations
The YANG module described in this document defines a schema for data The YANG module described in this document defines a schema for data
that is designed to be accessed via network management protocols such that is designed to be accessed via network management protocols such
as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer
is the secure transport layer, and the mandatory-to-implement secure is the secure transport layer, and the mandatory-to-implement secure
transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer
is HTTPS, and the mandatory-to-implement secure transport is TLS is HTTPS, and the mandatory-to-implement secure transport is TLS
[RFC8446]. [RFC8446].
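Review bot: In notification nsf-log-botnet, -04 keeps "leaf botnet-pkt-num" as "type uint8", and session-num, process-num and vulnerability-id are uint8 as well, so none of them can carry a value above 255 while the sibling attack-pkt-num is uint32; widening them to uint32 in this revision would avoid carrying the limit forward. In system-user-activity-log, "leaf logout-duration" still has the description "Lockout duration" in both versions, so the leaf name and the description should be aligned. In nsf-log-ddos, attack-src-ip was widened to inet:ip-address but remains a single leaf although its description speaks of addresses in the plural; a leaf-list would match the description. The description of container counters ("This is probably better covered by an import ...") reads as an open editorial question rather than documentation of the node and should be resolved before the next revision.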
skipping to change at page 72, line 48 skipping to change at page 72, line 31
modified and deleted (i.e., config true, which is the default) are modified and deleted (i.e., config true, which is the default) are
considered sensitive. Write operations (e.g., edit-config) applied considered sensitive. Write operations (e.g., edit-config) applied
to these data nodes without proper protection can negatively affect to these data nodes without proper protection can negatively affect
framework operations. The monitoring YANG module should be protected framework operations. The monitoring YANG module should be protected
by the secure communication channel, to ensure its confidentiality by the secure communication channel, to ensure its confidentiality
and integrity. In another side, the NSF and security controller can and integrity. In another side, the NSF and security controller can
all be faked, which lead to undesirable results (i.e., leakage of an all be faked, which lead to undesirable results (i.e., leakage of an
NSF's important operational information, and faked NSF sending false NSF's important operational information, and faked NSF sending false
information to mislead security controller). The mutual information to mislead security controller). The mutual
authentication is essential to protected against this kind of attack. authentication is essential to protected against this kind of attack.
The current mainstream security technologies (i.e., TLS, DTLS, IPSEC, The current mainstream security technologies (i.e., TLS, DTLS, IPsec,
and X.509 PKI) can be employed appropriately to provide the above and X.509 PKI) can be employed appropriately to provide the above
security functions. security functions.
In addition, to defend against the DDoS attack caused by a lot of In addition, to defend against the DDoS attack caused by a lot of
NSFs sending massive notifications to the security controller, the NSFs sending massive notifications to the security controller, the
rate limiting or similar mechanisms should be considered in an NSF rate limiting or similar mechanisms should be considered in an NSF
and security controller, whether in advance or just in the process of and security controller, whether in advance or just in the process of
DDoS attack. DDoS attack.
13. Acknowledgments 13. Acknowledgments
This work was supported by Institute of Information & Communications This work was supported by Institute of Information & Communications
Technology Planning & Evaluation (IITP) grant funded by the Ministry Technology Planning & Evaluation (IITP) grant funded by the Korea
of Science and ICT (MSIT), Korea, (R-20160222-002755, Cloud based MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based
Security Intelligence Technology Development for the Customized Security Intelligence Technology Development for the Customized
Security Service Provisioning). Security Service Provisioning). This work was supported in part by
the IITP (2020-0-00395, Standard Development of Blockchain based
This work was supported in part by the MSIT under the Information Network Management Automation Technology). This work was supported
Technology Research Center (ITRC) support program (IITP- in part by the MSIT under the Information Technology Research Center
2019-2017-0-01633) supervised by the IITP. (ITRC) support program (IITP-2020-2017-0-01633) supervised by the
IITP.
14. Contributors 14. Contributors
This document is made by the group effort of I2NSF working group. This document is made by the group effort of I2NSF working group.
Many people actively contributed to this document. The following are Many people actively contributed to this document. The authors
considered co-authors: sincerely appreciate their contributions.
o Jinyong Tim Kim (Sungkyunkwan University) The following are co-authors of this document:
o Dongjin Hong (Sungkyunkwan University) Chaehong Chung
Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University
2066 Seo-ro Jangan-gu
Suwon, Gyeonggi-do 16419
Republic of Korea
o Dacheng Zhang (Huawei) EMail: darkhong@skku.edu
o Yi Wu (Aliababa Group) Jinyong Tim Kim
Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University
2066 Seo-ro Jangan-gu
Suwon, Gyeonggi-do 16419
Republic of Korea
o Rakesh Kumar (Juniper Networks) EMail: timkim@skku.edu
o Anil Lohiya (Juniper Networks) Dongjin Hong
Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University
2066 Seo-ro Jangan-gu
Suwon, Gyeonggi-do 16419
Republic of Korea
EMail: dong.jin@skku.edu
Dacheng Zhang
Huawei
EMail: dacheng.zhang@huawei.com
Yi Wu
Aliababa Group
EMail: anren.wy@alibaba-inc.com
Rakesh Kumar
Juniper Networks
1133 Innovation Way
Sunnyvale, CA 94089
USA
EMail: rkkumar@juniper.net
Anil Lohiya
Juniper Networks
EMail: alohiya@juniper.net
15. References 15. References
15.1. Normative References 15.1. Normative References
[I-D.ietf-netconf-subscribed-notifications] [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
Voit, E., Clemm, A., Prieto, A., Nilsen-Nygaard, E., and DOI 10.17487/RFC0768, August 1980,
A. Tripathy, "Subscription to YANG Event Notifications", <https://www.rfc-editor.org/info/rfc768>.
draft-ietf-netconf-subscribed-notifications-26 (work in
progress), May 2019.
[I-D.ietf-netconf-yang-push] [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791,
Clemm, A. and E. Voit, "Subscription to YANG Datastores", DOI 10.17487/RFC0791, September 1981,
draft-ietf-netconf-yang-push-25 (work in progress), May <https://www.rfc-editor.org/info/rfc791>.
2019.
[RFC0792] Postel, J., "Internet Control Message Protocol", STD 5,
RFC 792, DOI 10.17487/RFC0792, September 1981,
<https://www.rfc-editor.org/info/rfc792>.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981,
<https://www.rfc-editor.org/info/rfc793>.
[RFC0956] Mills, D., "Algorithms for synchronizing network clocks",
RFC 956, DOI 10.17487/RFC0956, September 1985,
<https://www.rfc-editor.org/info/rfc956>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616,
DOI 10.17487/RFC2616, June 1999,
<https://www.rfc-editor.org/info/rfc2616>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC3877] Chisholm, S. and D. Romascanu, "Alarm Management [RFC3877] Chisholm, S. and D. Romascanu, "Alarm Management
Information Base (MIB)", RFC 3877, DOI 10.17487/RFC3877, Information Base (MIB)", RFC 3877, DOI 10.17487/RFC3877,
September 2004, <https://www.rfc-editor.org/info/rfc3877>. September 2004, <https://www.rfc-editor.org/info/rfc3877>.
[RFC3954] Claise, B., Ed., "Cisco Systems NetFlow Services Export
Version 9", RFC 3954, DOI 10.17487/RFC3954, October 2004,
<https://www.rfc-editor.org/info/rfc3954>.
[RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet
Control Message Protocol (ICMPv6) for the Internet
Protocol Version 6 (IPv6) Specification", STD 89,
RFC 4443, DOI 10.17487/RFC4443, March 2006,
<https://www.rfc-editor.org/info/rfc4443>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<https://www.rfc-editor.org/info/rfc4949>. <https://www.rfc-editor.org/info/rfc4949>.
[RFC5424] Gerhards, R., "The Syslog Protocol", RFC 5424, [RFC5424] Gerhards, R., "The Syslog Protocol", RFC 5424,
DOI 10.17487/RFC5424, March 2009, DOI 10.17487/RFC5424, March 2009,
<https://www.rfc-editor.org/info/rfc5424>. <https://www.rfc-editor.org/info/rfc5424>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010,
<https://www.rfc-editor.org/info/rfc6020>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>. <https://www.rfc-editor.org/info/rfc6242>.
[RFC6587] Gerhards, R. and C. Lonvick, "Transmission of Syslog [RFC6587] Gerhards, R. and C. Lonvick, "Transmission of Syslog
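Review bot: The Security Considerations lines shown in this hunk cover write operations, channel protection, mutual authentication and rate limiting, but say nothing about read access to notification contents, even though the module's nsf-log-web-attack notification carries req-cookies and raw-info and nsf-log-vuln-scan carries victim-ip, vulnerability-info and fix-suggestion. Suggest a paragraph that names these as sensitive readable nodes and points to access control via [RFC8341], which is already in the normative references. The sentences "In another side, the NSF and security controller can all be faked, which lead to ..." and "essential to protected against" are carried over unchanged into -04 and still need a grammar pass, and the Contributors entry "Aliababa Group" keeps its misspelling in the new column.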
skipping to change at page 75, line 19 skipping to change at page 76, line 19
<https://www.rfc-editor.org/info/rfc7011>. <https://www.rfc-editor.org/info/rfc7011>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>. <https://www.rfc-editor.org/info/rfc8040>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, (IPv6) Specification", STD 86, RFC 8200,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. DOI 10.17487/RFC8200, July 2017,
<https://www.rfc-editor.org/info/rfc8200>.
[RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
Kumar, "Framework for Interface to Network Security
Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018,
<https://www.rfc-editor.org/info/rfc8329>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/info/rfc8340>.
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
Access Control Model", STD 91, RFC 8341, Access Control Model", STD 91, RFC 8341,
DOI 10.17487/RFC8341, March 2018, DOI 10.17487/RFC8341, March 2018,
<https://www.rfc-editor.org/info/rfc8341>. <https://www.rfc-editor.org/info/rfc8341>.
[RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
and R. Wilton, "Network Management Datastore Architecture and R. Wilton, "Network Management Datastore Architecture
(NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018,
<https://www.rfc-editor.org/info/rfc8342>. <https://www.rfc-editor.org/info/rfc8342>.
[RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of
Documents Containing YANG Data Models", BCP 216, RFC 8407,
DOI 10.17487/RFC8407, October 2018,
<https://www.rfc-editor.org/info/rfc8407>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
and R. Wilton, "YANG Library", RFC 8525,
DOI 10.17487/RFC8525, March 2019,
<https://www.rfc-editor.org/info/rfc8525>.
15.2. Informative References 15.2. Informative References
[I-D.ietf-i2nsf-applicability]
Jeong, J., Hyun, S., Ahn, T., Hares, S., and D. Lopez,
"Applicability of Interfaces to Network Security Functions
to Network-Based Security Services", draft-ietf-i2nsf-
applicability-18 (work in progress), September 2019.
[I-D.ietf-i2nsf-capability] [I-D.ietf-i2nsf-capability]
Xia, L., Strassner, J., Basile, C., and D. Lopez, Xia, L., Strassner, J., Basile, C., and D. Lopez,
"Information Model of NSFs Capabilities", draft-ietf- "Information Model of NSFs Capabilities", draft-ietf-
i2nsf-capability-05 (work in progress), April 2019. i2nsf-capability-05 (work in progress), April 2019.
[I-D.ietf-i2nsf-consumer-facing-interface-dm] [I-D.ietf-i2nsf-consumer-facing-interface-dm]
Jeong, J., Chung, C., Ahn, T., Kumar, R., and S. Hares, Jeong, J., Chung, C., Ahn, T., Kumar, R., and S. Hares,
"I2NSF Consumer-Facing Interface YANG Data Model", draft- "I2NSF Consumer-Facing Interface YANG Data Model", draft-
ietf-i2nsf-consumer-facing-interface-dm-08 (work in ietf-i2nsf-consumer-facing-interface-dm-11 (work in
progress), March 2020. progress), September 2020.
[I-D.ietf-i2nsf-nsf-facing-interface-dm] [I-D.ietf-i2nsf-nsf-facing-interface-dm]
Kim, J., Jeong, J., J., J., PARK, P., Hares, S., and Q. Kim, J., Jeong, J., J., J., PARK, P., Hares, S., and Q.
Lin, "I2NSF Network Security Function-Facing Interface Lin, "I2NSF Network Security Function-Facing Interface
YANG Data Model", draft-ietf-i2nsf-nsf-facing-interface- YANG Data Model", draft-ietf-i2nsf-nsf-facing-interface-
dm-08 (work in progress), November 2019. dm-10 (work in progress), August 2020.
[I-D.ietf-i2nsf-registration-interface-dm] [I-D.ietf-i2nsf-registration-interface-dm]
Hyun, S., Jeong, J., Roh, T., Wi, S., J., J., and P. PARK, Hyun, S., Jeong, J., Roh, T., Wi, S., J., J., and P. PARK,
"I2NSF Registration Interface YANG Data Model", draft- "I2NSF Registration Interface YANG Data Model", draft-
ietf-i2nsf-registration-interface-dm-08 (work in ietf-i2nsf-registration-interface-dm-09 (work in
progress), March 2020. progress), August 2020.
[I-D.ietf-i2nsf-terminology] [I-D.ietf-netconf-subscribed-notifications]
Hares, S., Strassner, J., Lopez, D., Xia, L., and H. Voit, E., Clemm, A., Prieto, A., Nilsen-Nygaard, E., and
Birkholz, "Interface to Network Security Functions (I2NSF) A. Tripathy, "Subscription to YANG Event Notifications",
Terminology", draft-ietf-i2nsf-terminology-08 (work in draft-ietf-netconf-subscribed-notifications-26 (work in
progress), July 2019. progress), May 2019.
[I-D.yang-i2nsf-nfv-architecture] [I-D.ietf-netconf-yang-push]
Yang, H., Kim, Y., Jeong, J., and J. Kim, "I2NSF on the Clemm, A. and E. Voit, "Subscription to YANG Datastores",
NFV Reference Architecture", draft-yang-i2nsf-nfv- draft-ietf-netconf-yang-push-25 (work in progress), May
architecture-05 (work in progress), July 2019. 2019.
[I-D.yang-i2nsf-security-policy-translation] [I-D.yang-i2nsf-security-policy-translation]
Jeong, J., Yang, J., Chung, C., and J. Kim, "Security Jeong, J., Yang, J., Chung, C., and J. Kim, "Security
Policy Translation in Interface to Network Security Policy Translation in Interface to Network Security
Functions", draft-yang-i2nsf-security-policy- Functions", draft-yang-i2nsf-security-policy-
translation-05 (work in progress), November 2019. translation-06 (work in progress), May 2020.
[RFC3954] Claise, B., Ed., "Cisco Systems NetFlow Services Export
Version 9", RFC 3954, DOI 10.17487/RFC3954, October 2004,
<https://www.rfc-editor.org/info/rfc3954>.
[RFC6087] Bierman, A., "Guidelines for Authors and Reviewers of YANG
Data Model Documents", RFC 6087, DOI 10.17487/RFC6087,
January 2011, <https://www.rfc-editor.org/info/rfc6087>.
[RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-03
Kumar, "Framework for Interface to Network Security
Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018,
<https://www.rfc-editor.org/info/rfc8329>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", The following changes are made from draft-ietf-i2nsf-nsf-monitoring-
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, data-model-03:
<https://www.rfc-editor.org/info/rfc8340>.
Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-02 o This version updates the author list by replacing Chaehong Chung
with with Patrick Lingga as an active co-author for the YANG
module update.
The following changes are made from draft-ietf-i2nsf-nsf-monitoring- o This version updates the YANG module name, prefix, and
data-model-02: descriptions in the YANG module.
o This version has a submission date update to maintain the active o This updated YANG module supports both IPv4 and IPv6.
status of the draft.
o This version updates the version numbers of the referenced drafts. o This version updates the version numbers of the referenced RFCs
and drafts.
Authors' Addresses Authors' Addresses
Jaehoon Paul Jeong Jaehoon Paul Jeong (editor)
Department of Computer Science and Engineering Department of Computer Science and Engineering
Sungkyunkwan University Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu 2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419 Suwon, Gyeonggi-Do 16419
Republic of Korea Republic of Korea
Phone: +82 31 299 4957 Phone: +82 31 299 4957
Fax: +82 31 290 7996 Fax: +82 31 290 7996
EMail: pauljeong@skku.edu EMail: pauljeong@skku.edu
URI: http://iotlab.skku.edu/people-jaehoon-jeong.php URI: http://iotlab.skku.edu/people-jaehoon-jeong.php
Chaehong Chung Patrick Lingga
Department of Electronic, Electrical and Computer Engineering Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu 2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419 Suwon, Gyeonggi-Do 16419
Republic of Korea Republic of Korea
Phone: +82 31 299 4957 Phone: +82 31 299 4957
EMail: darkhong@skku.edu EMail: patricklink@skku.edu
Susan Hares Susan Hares
Huawei Huawei
7453 Hickory Hill 7453 Hickory Hill
Saline, MI 48176 Saline, MI 48176
USA USA
Phone: +1-734-604-0332 Phone: +1-734-604-0332
EMail: shares@ndzh.com EMail: shares@ndzh.com
Liang Xia (Frank) Liang Xia (Frank)
Huawei Huawei
101 Software Avenue, Yuhuatai District 101 Software Avenue, Yuhuatai District
Nanjing, Jiangsu Nanjing, Jiangsu
China China
EMail: Frank.xialiang@huawei.com EMail: Frank.xialiang@huawei.com
Henk Birkholz Henk Birkholz
Fraunhofer Institute for Secure Information Technology Fraunhofer Institute for Secure Information Technology
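Review bot: The -04 normative references drop [RFC8174] while keeping [RFC2119]; if the document uses the BCP 14 key words, both references should stay together. In Appendix A, the first bullet of the new text reads "replacing Chaehong Chung with with Patrick Lingga", with the word "with" duplicated.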
 End of changes. 123 change blocks. 
1841 lines changed or deleted 1896 lines changed or added
