draft-ietf-i2nsf-nsf-monitoring-data-model-09.txt   draft-ietf-i2nsf-nsf-monitoring-data-model-10.txt 
Network Working Group J. Jeong, Ed. Network Working Group J. Jeong, Ed.
Internet-Draft P. Lingga Internet-Draft P. Lingga
Intended status: Standards Track Sungkyunkwan University Intended status: Standards Track Sungkyunkwan University
Expires: 25 February 2022 S. Hares Expires: 19 March 2022 S. Hares
L. Xia L. Xia
Huawei Huawei
H. Birkholz H. Birkholz
Fraunhofer SIT Fraunhofer SIT
24 August 2021 15 September 2021
I2NSF NSF Monitoring Interface YANG Data Model I2NSF NSF Monitoring Interface YANG Data Model
draft-ietf-i2nsf-nsf-monitoring-data-model-09 draft-ietf-i2nsf-nsf-monitoring-data-model-10
Abstract Abstract
This document proposes an information model and the corresponding This document proposes an information model and the corresponding
YANG data model of an interface for monitoring Network Security YANG data model of an interface for monitoring Network Security
Functions (NSFs) in the Interface to Network Security Functions Functions (NSFs) in the Interface to Network Security Functions
(I2NSF) framework. If the monitoring of NSFs is performed with the (I2NSF) framework. If the monitoring of NSFs is performed with the
NSF monitoring interface in a comprehensive way, it is possible to NSF monitoring interface in a comprehensive way, it is possible to
detect the indication of malicious activity, anomalous behavior, the detect the indication of malicious activity, anomalous behavior, the
potential sign of denial of service attacks, or system overload in a potential sign of denial of service attacks, or system overload in a
skipping to change at page 1, line 46 skipping to change at page 1, line 46
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 25 February 2022. This Internet-Draft will expire on 19 March 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 3, line 13 skipping to change at page 3, line 13
6.5.1. Deep Packet Inspection Log . . . . . . . . . . . . . 20 6.5.1. Deep Packet Inspection Log . . . . . . . . . . . . . 20
6.6. System Counter . . . . . . . . . . . . . . . . . . . . . 20 6.6. System Counter . . . . . . . . . . . . . . . . . . . . . 20
6.6.1. Interface Counter . . . . . . . . . . . . . . . . . . 21 6.6.1. Interface Counter . . . . . . . . . . . . . . . . . . 21
6.7. NSF Counters . . . . . . . . . . . . . . . . . . . . . . 22 6.7. NSF Counters . . . . . . . . . . . . . . . . . . . . . . 22
6.7.1. Firewall Counter . . . . . . . . . . . . . . . . . . 22 6.7.1. Firewall Counter . . . . . . . . . . . . . . . . . . 22
6.7.2. Policy Hit Counter . . . . . . . . . . . . . . . . . 23 6.7.2. Policy Hit Counter . . . . . . . . . . . . . . . . . 23
7. NSF Monitoring Management in I2NSF . . . . . . . . . . . . . 24 7. NSF Monitoring Management in I2NSF . . . . . . . . . . . . . 24
8. Tree Structure . . . . . . . . . . . . . . . . . . . . . . . 25 8. Tree Structure . . . . . . . . . . . . . . . . . . . . . . . 25
9. YANG Data Model . . . . . . . . . . . . . . . . . . . . . . . 32 9. YANG Data Model . . . . . . . . . . . . . . . . . . . . . . . 32
10. I2NSF Event Stream . . . . . . . . . . . . . . . . . . . . . 76 10. I2NSF Event Stream . . . . . . . . . . . . . . . . . . . . . 77
11. XML Examples for I2NSF NSF Monitoring . . . . . . . . . . . . 77 11. XML Examples for I2NSF NSF Monitoring . . . . . . . . . . . . 78
11.1. I2NSF System Detection Alarm . . . . . . . . . . . . . . 77 11.1. I2NSF System Detection Alarm . . . . . . . . . . . . . . 78
11.2. I2NSF Interface Counters . . . . . . . . . . . . . . . . 79 11.2. I2NSF Interface Counters . . . . . . . . . . . . . . . . 79
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 80 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 80
13. Security Considerations . . . . . . . . . . . . . . . . . . . 81 13. Security Considerations . . . . . . . . . . . . . . . . . . . 81
14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 82 14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 82
15. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 83 15. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 83
16. References . . . . . . . . . . . . . . . . . . . . . . . . . 83 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 83
16.1. Normative References . . . . . . . . . . . . . . . . . . 83 16.1. Normative References . . . . . . . . . . . . . . . . . . 83
16.2. Informative References . . . . . . . . . . . . . . . . . 85 16.2. Informative References . . . . . . . . . . . . . . . . . 86
Appendix A. Changes from Appendix A. Changes from
draft-ietf-i2nsf-nsf-monitoring-data-model-08 . . . . . . 87 draft-ietf-i2nsf-nsf-monitoring-data-model-09 . . . . . . 88
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 87 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 88
1. Introduction 1. Introduction
According to [RFC8329], the interface provided by a Network Security According to [RFC8329], the interface provided by a Network Security
Function (NSF) (e.g., Firewall, IPS, or Anti-DDoS function) to Function (NSF) (e.g., Firewall, IPS, or Anti-DDoS function) to
administrative entities (e.g., Security Controller) to enable remote administrative entities (e.g., Security Controller) to enable remote
management (i.e., configuring and monitoring) is referred to as an management (i.e., configuring and monitoring) is referred to as an
I2NSF Monitoring Interface. This interface enables the sharing of I2NSF Monitoring Interface. This interface enables the sharing of
vital data from the NSFs (e.g., alarms, records, and counters) to the vital data from the NSFs (e.g., alarms, records, and counters) to the
Security Controller through a variety of mechanisms (e.g., queries, Security Controller through a variety of mechanisms (e.g., queries,
skipping to change at page 7, line 11 skipping to change at page 7, line 11
Typically, records are information generated by a system entity Typically, records are information generated by a system entity
(e.g., NSF) that is based on operational and informational data, (e.g., NSF) that is based on operational and informational data,
that is, various changes in system characteristics. The examples that is, various changes in system characteristics. The examples
of records include as user activities, network/traffic status, and of records include as user activities, network/traffic status, and
network activity. They are important for debugging, auditing and network activity. They are important for debugging, auditing and
security forensic of a system entity or the network having the security forensic of a system entity or the network having the
system entity. system entity.
I2NSF Counter: An I2NSF Counter is defined as a specific I2NSF Counter: An I2NSF Counter is defined as a specific
representation of continuous value changes of information elements representation of continuous value changes of information elements
that potentially occur in high frequency. Prominent examples are that occur very frequently. Prominent examples are network
network interface counters for protocol data unit (PDU) amount, interface counters for protocol data unit (PDU) amount, byte
byte amount, drop counters, and error counters. Counters are amount, drop counters, and error counters. Counters are useful in
useful in debugging and visibility into operational behavior of a debugging and visibility into operational behavior of a system
system entity (e.g., NSF). When an NSF data collector asks for entity (e.g., NSF). When an NSF data collector asks for the value
the value of a counter to it, a system entity emits of a counter to it, a system entity emits
For the utilization of the storage space for accumulated NSF For the utilization of the storage space for accumulated NSF
monitoring data, all of the information MUST provide the general monitoring data, all of the information MUST provide the general
information (e.g., timestamp) for purging existing records, which is information (e.g., timestamp) for purging existing records, which is
discussed in Section 5. This document provides a YANG data model in discussed in Section 5. This document provides a YANG data model in
Section 9 for the important I2NSF monitoring information that should Section 9 for the important I2NSF monitoring information that should
be retained. All of the information in the data model is considered be retained. All of the information in the data model is considered
important and should be kept permanently as the information might be important and should be kept permanently as the information might be
useful in many circumstances in the future. The allowed cases for useful in many circumstances in the future. The allowed cases for
removing some monitoring information include the following: removing some monitoring information include the following:
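Review bot: the tightened wording of the I2NSF Counter definition ("that occur very frequently") is fine, but the preceding I2NSF Record paragraph still carries a stray "as" in "The examples of records include as user activities", and "security forensic" should read "security forensics"; both are unchanged on the right-hand side. The normative sentence "all of the information MUST provide the general information (e.g., timestamp) for purging existing records" would also be clearer if it named which leaves are mandatory rather than "the general information", since a MUST that is not tied to specific leaves cannot be checked by a validator.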
skipping to change at page 15, line 39 skipping to change at page 15, line 39
is found. is found.
* src-ip: The source IP address of the packet where the virus is * src-ip: The source IP address of the packet where the virus is
found. found.
* src-port: The source port of the packet where the virus is found. * src-port: The source port of the packet where the virus is found.
* dst-port: The destination port of the packet where the virus is * dst-port: The destination port of the packet where the virus is
found. found.
* src-zone: The source geographical location (e.g., country and * src-location: The source geographical location (e.g., country and
city) of the virus. city) of the virus.
* dst-zone: The destination geographical location (e.g., country and * dst-location: The destination geographical location (e.g., country
city) of the virus. and city) of the virus.
* file-type: The type of the file where the virus is hided within. * file-type: The type of the file where the virus is hided within.
* file-name: The name of the file where the virus is hided within. * file-name: The name of the file where the virus is hided within.
* raw-info: The information describing the packet triggering the * raw-info: The information describing the packet triggering the
event. event.
* rule-name: The name of the rule being triggered. * rule-name: The name of the rule being triggered.
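Review bot: the rename of src-zone/dst-zone to src-location/dst-location is applied consistently here, but "the file where the virus is hided within" in the file-type and file-name entries is ungrammatical on both sides; suggest "the file in which the virus is hidden". Since the new names describe a geographical location rather than a security zone, the descriptions should also say how the location is obtained (for example, a lookup on src-ip) so that consumers know it is inferred data and not an attribute carried in the packet.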
skipping to change at page 16, line 21 skipping to change at page 16, line 21
* attack-type: Attack type, e.g., brutal force and buffer overflow. * attack-type: Attack type, e.g., brutal force and buffer overflow.
* src-ip: The source IP address of the flow. * src-ip: The source IP address of the flow.
* dst-ip: The destination IP address of the flow. * dst-ip: The destination IP address of the flow.
* src-port:The source port number of the flow. * src-port:The source port number of the flow.
* dst-port: The destination port number of the flow * dst-port: The destination port number of the flow
* src-zone: The source geographical location (e.g., country and * src-location: The source geographical location (e.g., country and
city) of the flow. city) of the flow.
* dst-zone: The destination geographical location (e.g., country and * dst-location: The destination geographical location (e.g., country
city) of the flow. and city) of the flow.
* protocol: The employed transport layer protocol. e.g., TCP and * protocol: The employed transport layer protocol. e.g., TCP and
UDP. UDP.
* app: The employed application layer protocol. e.g., HTTP and FTP. * app: The employed application layer protocol. e.g., HTTP and FTP.
* rule-name: The name of the I2NSF Policy Rule being triggered. * rule-name: The name of the I2NSF Policy Rule being triggered.
* raw-info: The information describing the flow triggering the * raw-info: The information describing the flow triggering the
event. event.
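Review bot: several typos survive in this block: "brutal force" should be "brute force" in the attack-type entry, "src-port:The source port number" is missing a space after the colon, the dst-port entry lacks a terminating period, and "transport layer protocol. e.g., TCP and UDP" (likewise the app entry) should use a comma before "e.g.". This block is already being edited for the src-location/dst-location rename, so this revision is a convenient place to clean them up.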
skipping to change at page 17, line 5 skipping to change at page 17, line 5
command injection, XSS, CSRF. command injection, XSS, CSRF.
* src-ip: The source IP address of the packet. * src-ip: The source IP address of the packet.
* dst-ip: The destination IP address of the packet. * dst-ip: The destination IP address of the packet.
* src-port: The source port number of the packet. * src-port: The source port number of the packet.
* dst-port: The destination port number of the packet. * dst-port: The destination port number of the packet.
* src-zone: The source geographical location (e.g., country and * src-location: The source geographical location (e.g., country and
city) of the packet. city) of the packet.
* dst-zone: The destination geographical location (e.g., country and * dst-location: The destination geographical location (e.g., country
city) of the packet. and city) of the packet.
* request-method: The method of requirement. For instance, "PUT" * request-method: The method of requirement. For instance, "PUT"
and "GET" in HTTP. and "GET" in HTTP.
* req-uri: Requested URI. * req-uri: Requested URI.
* response-code: The HTTP Response code. * response-code: The HTTP Response code.
* req-user-agent: The HTTP request user agent header field. * req-user-agent: The HTTP request user agent header field.
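Review bot: "request-method: The method of requirement" does not read correctly; suggest "The HTTP request method, e.g., "PUT" and "GET"". The response-code entry says "The HTTP Response code" but gives no format; the tree diagram further down types it as a string, so the description should state whether it carries the three-digit status code only or the full status line, otherwise collectors cannot compare values across vendors.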
skipping to change at page 18, line 5 skipping to change at page 18, line 5
policy. policy.
* src-ip: The source IP address of the VoIP/VoLTE. * src-ip: The source IP address of the VoIP/VoLTE.
* dst-ip: The destination IP address of the VoIP/VoLTE. * dst-ip: The destination IP address of the VoIP/VoLTE.
* src-port: The source port number of the VoIP/VoLTE. * src-port: The source port number of the VoIP/VoLTE.
* dst-port: The destination port number of VoIP/VoLTE. * dst-port: The destination port number of VoIP/VoLTE.
* src-zone: The source geographical location (e.g., country and * src-location: The source geographical location (e.g., country and
city) of the VoIP/VoLTE. city) of the VoIP/VoLTE.
* dst-zone: The destination geographical location (e.g., country and * dst-location: The destination geographical location (e.g., country
city) of the VoIP/VoLTE. and city) of the VoIP/VoLTE.
* rule-name: The name of the I2NSF Policy Rule being triggered. * rule-name: The name of the I2NSF Policy Rule being triggered.
6.4. System Logs 6.4. System Logs
System log is a record that is used to monitor the activity of the System log is a record that is used to monitor the activity of the
user on the NSF and the status of the NSF. System logs have the user on the NSF and the status of the NSF. System logs have the
following characteristics: following characteristics:
* acquisition-method: subscription * acquisition-method: subscription
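Review bot: the src-ip through dst-location entries describe "the VoIP/VoLTE" without a noun; suggest "the VoIP/VoLTE call" (or "session") so it is clear whether the addresses refer to the signalling or the media flow. The System Logs introduction that follows would read better as "A system log is a record used to monitor the activity of users on the NSF and the status of the NSF."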
skipping to change at page 25, line 44 skipping to change at page 25, line 44
| | +--ro message? string | | +--ro message? string
| | +--ro vendor-name? string | | +--ro vendor-name? string
| | +--ro nsf-name? union | | +--ro nsf-name? union
| | +--ro severity? severity | | +--ro severity? severity
| | +--ro timestamp? yang:date-and-time | | +--ro timestamp? yang:date-and-time
| +--ro nsf-firewall* [policy-name] | +--ro nsf-firewall* [policy-name]
| | +--ro acquisition-method? identityref | | +--ro acquisition-method? identityref
| | +--ro emission-type? identityref | | +--ro emission-type? identityref
| | +--ro dampening-type? identityref | | +--ro dampening-type? identityref
| | +--ro policy-name | | +--ro policy-name
-> /nsfi:i2nsf-security-policy/system-policy-name -> /nsfintf:i2nsf-security-policy/system-policy-name
| | +--ro src-user? string | | +--ro src-user? string
| | +--ro total-traffic? yang:counter32 | | +--ro total-traffic? yang:counter32
| | +--ro in-traffic-average-rate? uint32 | | +--ro in-traffic-average-rate? uint32
| | +--ro in-traffic-peak-rate? uint32 | | +--ro in-traffic-peak-rate? uint32
| | +--ro in-traffic-average-speed? uint32 | | +--ro in-traffic-average-speed? uint32
| | +--ro in-traffic-peak-speed? uint32 | | +--ro in-traffic-peak-speed? uint32
| | +--ro out-traffic-average-rate? uint32 | | +--ro out-traffic-average-rate? uint32
| | +--ro out-traffic-peak-rate? uint32 | | +--ro out-traffic-peak-rate? uint32
| | +--ro out-traffic-average-speed? uint32 | | +--ro out-traffic-average-speed? uint32
| | +--ro out-traffic-peak-speed? uint32 | | +--ro out-traffic-peak-speed? uint32
| | +--ro message? string | | +--ro message? string
| | +--ro vendor-name? string | | +--ro vendor-name? string
| | +--ro nsf-name? union | | +--ro nsf-name? union
| | +--ro severity? severity | | +--ro severity? severity
| | +--ro timestamp? yang:date-and-time | | +--ro timestamp? yang:date-and-time
| +--ro nsf-policy-hits* [policy-name] | +--ro nsf-policy-hits* [policy-name]
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro policy-name | +--ro policy-name
-> /nsfi:i2nsf-security-policy/system-policy-name -> /nsfintf:i2nsf-security-policy/system-policy-name
| +--ro src-user? string | +--ro src-user? string
| +--ro message? string | +--ro message? string
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? union | +--ro nsf-name? union
| +--ro severity? severity | +--ro severity? severity
| +--ro hit-times? yang:counter32 | +--ro hit-times? yang:counter32
| +--ro timestamp? yang:date-and-time | +--ro timestamp? yang:date-and-time
+--rw i2nsf-monitoring-configuration +--rw i2nsf-monitoring-configuration
+--rw i2nsf-system-detection-alarm +--rw i2nsf-system-detection-alarm
| +--rw enabled? boolean | +--rw enabled? boolean
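Review bot: the leafref prefix change from nsfi to nsfintf in policy-name (nsf-firewall and nsf-policy-hits) must be mirrored in the module's import statement and in every other leafref in Section 9, or the module will not compile; the same change appears below for rule-name in the NSF event notifications, so the YANG text should be checked for any remaining nsfi: occurrences. Because policy-name is both the list key and a leafref into the NSF-Facing Interface module, a counter can only be reported for a policy that exists in that module's data tree; the description should state this dependency.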
skipping to change at page 26, line 44 skipping to change at page 26, line 44
+--rw i2nsf-traffic-flows +--rw i2nsf-traffic-flows
| +--rw dampening-period? uint32 | +--rw dampening-period? uint32
| +--rw enabled? boolean | +--rw enabled? boolean
+--rw i2nsf-nsf-detection-ddos {i2nsf-nsf-detection-ddos}? +--rw i2nsf-nsf-detection-ddos {i2nsf-nsf-detection-ddos}?
| +--rw enabled? boolean | +--rw enabled? boolean
| +--rw dampening-period? uint32 | +--rw dampening-period? uint32
+--rw i2nsf-nsf-detection-session-table-configuration +--rw i2nsf-nsf-detection-session-table-configuration
| +--rw enabled? boolean | +--rw enabled? boolean
| +--rw dampening-period? uint32 | +--rw dampening-period? uint32
+--rw i2nsf-nsf-detection-intrusion +--rw i2nsf-nsf-detection-intrusion
{i2nsf-nsf-detection-intrusion}? {i2nsf-nsf-detection-intrusion}?
| +--rw enabled? boolean | +--rw enabled? boolean
| +--rw dampening-period? uint32 | +--rw dampening-period? uint32
+--rw i2nsf-nsf-detection-web-attack +--rw i2nsf-nsf-detection-web-attack
{i2nsf-nsf-detection-web-attack}? {i2nsf-nsf-detection-web-attack}?
| +--rw enabled? boolean | +--rw enabled? boolean
| +--rw dampening-period? uint32 | +--rw dampening-period? uint32
+--rw i2nsf-nsf-system-access-log +--rw i2nsf-nsf-system-access-log
| +--rw enabled? boolean | +--rw enabled? boolean
| +--rw dampening-period? uint32 | +--rw dampening-period? uint32
+--rw i2nsf-system-res-util-log +--rw i2nsf-system-res-util-log
| +--rw enabled? boolean | +--rw enabled? boolean
| +--rw dampening-period? uint32 | +--rw dampening-period? uint32
+--rw i2nsf-system-user-activity-log +--rw i2nsf-system-user-activity-log
| +--rw enabled? boolean | +--rw enabled? boolean
skipping to change at page 27, line 44 skipping to change at page 27, line 44
| | +--ro nsf-name? union | | +--ro nsf-name? union
| | +--ro severity? severity | | +--ro severity? severity
| +--:(i2nsf-system-detection-event) | +--:(i2nsf-system-detection-event)
| | +--ro i2nsf-system-detection-event | | +--ro i2nsf-system-detection-event
| | +--ro event-category? identityref | | +--ro event-category? identityref
| | +--ro acquisition-method? identityref | | +--ro acquisition-method? identityref
| | +--ro emission-type? identityref | | +--ro emission-type? identityref
| | +--ro dampening-type? identityref | | +--ro dampening-type? identityref
| | +--ro user string | | +--ro user string
| | +--ro group* string | | +--ro group* string
| | +--ro ip-address inet:ip-address | | +--ro ip-address inet:ip-address-no-zone
| | +--ro authentication? identityref | | +--ro authentication? identityref
| | +--ro message? string | | +--ro message? string
| | +--ro vendor-name? string | | +--ro vendor-name? string
| | +--ro nsf-name? union | | +--ro nsf-name? union
| | +--ro severity? severity | | +--ro severity? severity
| +--:(i2nsf-traffic-flows) | +--:(i2nsf-traffic-flows)
| | +--ro i2nsf-traffic-flows | | +--ro i2nsf-traffic-flows
| | +--ro src-ip? inet:ip-address | | +--ro src-ip? inet:ip-address-no-zone
| | +--ro dst-ip? inet:ip-address | | +--ro dst-ip? inet:ip-address-no-zone
| | +--ro protocol? identityref | | +--ro protocol? identityref
| | +--ro src-port? inet:port-number | | +--ro src-port? inet:port-number
| | +--ro dst-port? inet:port-number | | +--ro dst-port? inet:port-number
| | +--ro arrival-rate? uint32 | | +--ro arrival-rate? uint32
| | +--ro acquisition-method? identityref | | +--ro acquisition-method? identityref
| | +--ro emission-type? identityref | | +--ro emission-type? identityref
| | +--ro dampening-type? identityref | | +--ro dampening-type? identityref
| | +--ro message? string | | +--ro message? string
| | +--ro vendor-name? string | | +--ro vendor-name? string
| | +--ro nsf-name? union | | +--ro nsf-name? union
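Review bot: switching ip-address and src-ip/dst-ip from inet:ip-address to inet:ip-address-no-zone removes the IPv6 zone index from reported addresses. That is the right choice for data sent to a remote collector, since a zone index is only meaningful on the NSF itself, but the i2nsf-system-detection-event description should say that link-local addresses are reported without their scope, otherwise two users logging in over different interfaces with the same link-local address become indistinguishable in the event stream.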
skipping to change at page 28, line 30 skipping to change at page 28, line 30
| +--ro maximum-session? uint32 | +--ro maximum-session? uint32
| +--ro threshold? uint32 | +--ro threshold? uint32
| +--ro message? string | +--ro message? string
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? union | +--ro nsf-name? union
| +--ro severity? severity | +--ro severity? severity
+---n i2nsf-log +---n i2nsf-log
| +--ro (sub-logs-type)? | +--ro (sub-logs-type)?
| +--:(i2nsf-nsf-system-access-log) | +--:(i2nsf-nsf-system-access-log)
| | +--ro i2nsf-nsf-system-access-log | | +--ro i2nsf-nsf-system-access-log
| | +--ro login-ip inet:ip-address | | +--ro login-ip inet:ip-address-no-zone
| | +--ro username? string | | +--ro username? string
| | +--ro login-role? login-role | | +--ro login-role? login-role
| | +--ro operation-type? operation-type | | +--ro operation-type? operation-type
| | +--ro input? string | | +--ro input? string
| | +--ro output? string | | +--ro output? string
| | +--ro acquisition-method? identityref | | +--ro acquisition-method? identityref
| | +--ro emission-type? identityref | | +--ro emission-type? identityref
| | +--ro dampening-type? identityref | | +--ro dampening-type? identityref
| | +--ro message? string | | +--ro message? string
| | +--ro vendor-name? string | | +--ro vendor-name? string
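Review bot: login-ip (now inet:ip-address-no-zone) is a mandatory leaf while username is optional ("username?"), so a system access log record can be emitted with no account attached to the login; for an audit record the username should be mandatory as well, or the description should say when it may be absent. The same applies to input and output, which are free-form strings: if they carry the command line an administrator typed, the description should note that they may contain credentials and that collectors must protect them accordingly, in line with the Security Considerations.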
skipping to change at page 29, line 26 skipping to change at page 29, line 26
| | +--ro vendor-name? string | | +--ro vendor-name? string
| | +--ro nsf-name? union | | +--ro nsf-name? union
| | +--ro severity? severity | | +--ro severity? severity
| +--:(i2nsf-system-user-activity-log) | +--:(i2nsf-system-user-activity-log)
| +--ro i2nsf-system-user-activity-log | +--ro i2nsf-system-user-activity-log
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro user string | +--ro user string
| +--ro group* string | +--ro group* string
| +--ro ip-address inet:ip-address | +--ro ip-address inet:ip-address-no-zone
| +--ro authentication? identityref | +--ro authentication? identityref
| +--ro message? string | +--ro message? string
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? union | +--ro nsf-name? union
| +--ro severity? severity | +--ro severity? severity
| +--ro online-duration? uint32 | +--ro online-duration? uint32
| +--ro logout-duration? uint32 | +--ro logout-duration? uint32
| +--ro additional-info? enumeration | +--ro additional-info? enumeration
+---n i2nsf-nsf-event +---n i2nsf-nsf-event
+--ro (sub-event-type)? +--ro (sub-event-type)?
+--:(i2nsf-nsf-detection-ddos) {i2nsf-nsf-detection-ddos}? +--:(i2nsf-nsf-detection-ddos) {i2nsf-nsf-detection-ddos}?
| +--ro i2nsf-nsf-detection-ddos | +--ro i2nsf-nsf-detection-ddos
| +--ro attack-type? identityref | +--ro attack-type? identityref
| +--ro start-time yang:date-and-time | +--ro start-time yang:date-and-time
| +--ro end-time yang:date-and-time | +--ro end-time yang:date-and-time
| +--ro attack-src-ip* inet:ip-address | +--ro attack-src-ip* inet:ip-address-no-zone
| +--ro attack-dst-ip* inet:ip-prefix | +--ro attack-dst-ip* inet:ip-prefix
| +--ro attack-src-port* inet:port-number | +--ro attack-src-port* inet:port-number
| +--ro attack-dst-port* inet:port-number | +--ro attack-dst-port* inet:port-number
| +--ro rule-name | +--ro rule-name
-> /nsfi:i2nsf-security-policy/rules/rule-name -> /nsfintf:i2nsf-security-policy/rules/rule-name
| +--ro raw-info? string | +--ro raw-info? string
| +--ro attack-rate? uint32 | +--ro attack-rate? uint32
| +--ro attack-speed? uint32 | +--ro attack-speed? uint32
| +--ro action* log-action | +--ro action* log-action
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro message? string | +--ro message? string
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? union | +--ro nsf-name? union
| +--ro severity? severity | +--ro severity? severity
+--:(i2nsf-nsf-detection-virus) +--:(i2nsf-nsf-detection-virus)
{i2nsf-nsf-detection-virus}? {i2nsf-nsf-detection-virus}?
| +--ro i2nsf-nsf-detection-virus | +--ro i2nsf-nsf-detection-virus
| +--ro dst-ip? inet:ip-address | +--ro dst-ip? inet:ip-address-no-zone
| +--ro dst-port? inet:port-number | +--ro dst-port? inet:port-number
| +--ro rule-name | +--ro rule-name
-> /nsfi:i2nsf-security-policy/rules/rule-name -> /nsfintf:i2nsf-security-policy/rules/rule-name
| +--ro raw-info? string | +--ro raw-info? string
| +--ro src-ip? inet:ip-address | +--ro src-ip? inet:ip-address-no-zone
| +--ro src-port? inet:port-number | +--ro src-port? inet:port-number
| +--ro src-zone? string | +--ro src-location? string
| +--ro dst-zone? string | +--ro dst-location? string
| +--ro virus? identityref | +--ro virus? identityref
| +--ro virus-name? string | +--ro virus-name? string
| +--ro file-type? string | +--ro file-type? string
| +--ro file-name? string | +--ro file-name? string
| +--ro os? string | +--ro os? string
| +--ro action* log-action | +--ro action* log-action
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro message? string | +--ro message? string
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? union | +--ro nsf-name? union
| +--ro severity? severity | +--ro severity? severity
+--:(i2nsf-nsf-detection-intrusion) +--:(i2nsf-nsf-detection-intrusion)
{i2nsf-nsf-detection-intrusion}? {i2nsf-nsf-detection-intrusion}?
| +--ro i2nsf-nsf-detection-intrusion | +--ro i2nsf-nsf-detection-intrusion
| +--ro dst-ip? inet:ip-address | +--ro dst-ip? inet:ip-address-no-zone
| +--ro dst-port? inet:port-number | +--ro dst-port? inet:port-number
| +--ro rule-name | +--ro rule-name
-> /nsfi:i2nsf-security-policy/rules/rule-name -> /nsfintf:i2nsf-security-policy/rules/rule-name
| +--ro raw-info? string | +--ro raw-info? string
| +--ro src-ip? inet:ip-address | +--ro src-ip? inet:ip-address-no-zone
| +--ro src-port? inet:port-number | +--ro src-port? inet:port-number
| +--ro src-zone? string | +--ro src-location? string
| +--ro dst-zone? string | +--ro dst-location? string
| +--ro protocol? identityref | +--ro protocol? identityref
| +--ro app? identityref | +--ro app? identityref
| +--ro attack-type? identityref | +--ro attack-type? identityref
| +--ro action* log-action | +--ro action* log-action
| +--ro attack-rate? uint32 | +--ro attack-rate? uint32
| +--ro attack-speed? uint32 | +--ro attack-speed? uint32
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro message? string | +--ro message? string
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? union | +--ro nsf-name? union
| +--ro severity? severity | +--ro severity? severity
+--:(i2nsf-nsf-detection-web-attack) +--:(i2nsf-nsf-detection-web-attack)
{i2nsf-nsf-detection-web-attack}? {i2nsf-nsf-detection-web-attack}?
| +--ro i2nsf-nsf-detection-web-attack | +--ro i2nsf-nsf-detection-web-attack
| +--ro dst-ip? inet:ip-address | +--ro dst-ip? inet:ip-address-no-zone
| +--ro dst-port? inet:port-number | +--ro dst-port? inet:port-number
| +--ro rule-name | +--ro rule-name
-> /nsfi:i2nsf-security-policy/rules/rule-name -> /nsfintf:i2nsf-security-policy/rules/rule-name
| +--ro raw-info? string | +--ro raw-info? string
| +--ro src-ip? inet:ip-address | +--ro src-ip? inet:ip-address-no-zone
| +--ro src-port? inet:port-number | +--ro src-port? inet:port-number
| +--ro src-zone? string | +--ro src-location? string
| +--ro dst-zone? string | +--ro dst-location? string
| +--ro attack-type? identityref | +--ro attack-type? identityref
| +--ro request-method? identityref | +--ro request-method? identityref
| +--ro req-uri? string | +--ro req-uri? string
| +--ro filtering-type* identityref | +--ro filtering-type* identityref
| +--ro req-user-agent? string | +--ro req-user-agent? string
| +--ro req-cookie? string | +--ro req-cookie? string
| +--ro req-host? string | +--ro req-host? string
| +--ro response-code? string | +--ro response-code? string
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro action* log-action | +--ro action* log-action
| +--ro message? string | +--ro message? string
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? union | +--ro nsf-name? union
| +--ro severity? severity | +--ro severity? severity
+--:(i2nsf-nsf-detection-voip-volte) +--:(i2nsf-nsf-detection-voip-volte)
{i2nsf-nsf-detection-voip-volte}? {i2nsf-nsf-detection-voip-volte}?
| +--ro i2nsf-nsf-detection-voip-volte | +--ro i2nsf-nsf-detection-voip-volte
| +--ro dst-ip? inet:ip-address | +--ro dst-ip? inet:ip-address-no-zone
| +--ro dst-port? inet:port-number | +--ro dst-port? inet:port-number
| +--ro rule-name | +--ro rule-name
-> /nsfi:i2nsf-security-policy/rules/rule-name -> /nsfintf:i2nsf-security-policy/rules/rule-name
| +--ro raw-info? string | +--ro raw-info? string
| +--ro src-ip? inet:ip-address | +--ro src-ip? inet:ip-address-no-zone
| +--ro src-port? inet:port-number | +--ro src-port? inet:port-number
| +--ro src-zone? string | +--ro src-location? string
| +--ro dst-zone? string | +--ro dst-location? string
| +--ro source-voice-id* string | +--ro source-voice-id* string
| +--ro destination-voice-id* string | +--ro destination-voice-id* string
| +--ro user-agent* string | +--ro user-agent* string
+--:(i2nsf-nsf-log-dpi) {i2nsf-nsf-log-dpi}? +--:(i2nsf-nsf-log-dpi) {i2nsf-nsf-log-dpi}?
+--ro i2nsf-nsf-log-dpi +--ro i2nsf-nsf-log-dpi
+--ro attack-type? dpi-type +--ro attack-type? dpi-type
+--ro acquisition-method? identityref +--ro acquisition-method? identityref
+--ro emission-type? identityref +--ro emission-type? identityref
+--ro dampening-type? identityref +--ro dampening-type? identityref
+--ro policy-name +--ro policy-name
-> /nsfi:i2nsf-security-policy/system-policy-name -> /nsfintf:i2nsf-security-policy/system-policy-name
+--ro src-user? string +--ro src-user? string
+--ro message? string +--ro message? string
+--ro vendor-name? string +--ro vendor-name? string
+--ro nsf-name? union +--ro nsf-name? union
+--ro severity? severity +--ro severity? severity
Figure 1: Information Model for NSF Monitoring Figure 1: Information Model for NSF Monitoring
9. YANG Data Model 9. YANG Data Model
This section describes a YANG module of I2NSF NSF Monitoring. The This section describes a YANG module of I2NSF NSF Monitoring. The
data model provided in this document uses identities to be used to data model provided in this document uses identities to be used to
get information of the monitored of an NSF's monitoring data. Every get information of the monitored of an NSF's monitoring data. Every
identity used in the document gives information or status about the identity used in the document gives information or status about the
current situation of an NSF. This YANG module imports from current situation of an NSF. This YANG module imports from
[RFC6991], and makes references to [RFC0768][RFC0791] [RFC6991], and makes references to [RFC0768][RFC0791]
[RFC0792][RFC0793] [RFC0959][RFC4443] [RFC8200][RFC8641] [RFC0792][RFC0793][RFC0854] [RFC1939][RFC0959]
[RFC3501][RFC4340][RFC4443] [RFC4960][RFC5231][RFC7230]
[RFC7231][RFC8200][RFC8641] [I-D.ietf-tcpm-rfc793bis]
[IANA-HTTP-Status-Code] [IANA-Media-Types]. [IANA-HTTP-Status-Code] [IANA-Media-Types].
<CODE BEGINS> file "ietf-i2nsf-nsf-monitoring@2021-08-24.yang" <CODE BEGINS> file "ietf-i2nsf-nsf-monitoring@2021-09-15.yang"
module ietf-i2nsf-nsf-monitoring { module ietf-i2nsf-nsf-monitoring {
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"; "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring";
prefix prefix
nsfmi; nsfmi;
import ietf-inet-types{ import ietf-inet-types{
prefix inet; prefix inet;
reference reference
"Section 4 of RFC 6991"; "Section 4 of RFC 6991";
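Review bot: the sentence "uses identities to be used to get information of the monitored of an NSF's monitoring data" in the Section 9 lead-in is ungrammatical and should be reworded, e.g. "uses identities to describe the monitored state of an NSF". On the tree itself, `i2nsf-nsf-detection-web-attack` carries `req-cookie? string` and `req-user-agent? string` unchanged: a full cookie header typically contains session tokens, so exporting it verbatim to the NSF data collector hands the collector (and anything on the monitoring path) replayable credentials; the Security Considerations should call this leaf out explicitly and recommend that implementations redact or hash cookie values rather than forwarding them whole.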
skipping to change at page 33, line 4 skipping to change at page 33, line 6
nsfmi; nsfmi;
import ietf-inet-types{ import ietf-inet-types{
prefix inet; prefix inet;
reference reference
"Section 4 of RFC 6991"; "Section 4 of RFC 6991";
} }
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
reference reference
"Section 3 of RFC 6991"; "Section 3 of RFC 6991";
} }
import ietf-i2nsf-policy-rule-for-nsf { import ietf-i2nsf-policy-rule-for-nsf {
prefix nsfi; prefix nsfintf;
reference reference
"Section 4.1 of draft-ietf-i2nsf-nsf-facing-interface-dm-13"; "Section 4.1 of draft-ietf-i2nsf-nsf-facing-interface-dm-14";
} }
organization organization
"IETF I2NSF (Interface to Network Security Functions) "IETF I2NSF (Interface to Network Security Functions)
Working Group"; Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/i2nsf> "WG Web: <https://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org> WG List: <mailto:i2nsf@ietf.org>
Editor: Jaehoon Paul Jeong Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu> <mailto:pauljeong@skku.edu>
Editor: Patrick Lingga Editor: Patrick Lingga
<mailto:patricklink@skku.edu>"; <mailto:patricklink@skku.edu>";
description description
"This module is a YANG module for I2NSF NSF Monitoring. "This module is a YANG module for I2NSF NSF Monitoring.
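Review bot: the import reference for `ietf-i2nsf-policy-rule-for-nsf` is bumped to "Section 4.1 of draft-ietf-i2nsf-nsf-facing-interface-dm-14", but the informative reference entry [I-D.ietf-i2nsf-nsf-facing-interface-dm] in this same revision still lists draft-ietf-i2nsf-nsf-facing-interface-dm-13; align the two. Since the prefix changes from `nsfi` to `nsfintf`, every leafref path in the module must follow; the later hunks do update them, but a pyang compile against the facing-interface module is the only reliable check that no stale `nsfi:` path remains.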
skipping to change at page 33, line 48 skipping to change at page 33, line 49
without modification, is permitted pursuant to, and subject to without modification, is permitted pursuant to, and subject to
the license terms contained in, the Simplified BSD License set the license terms contained in, the Simplified BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
for full legal notices."; for full legal notices.";
revision "2021-08-24" { revision "2021-09-15" {
description "Latest revision"; description "Latest revision";
reference reference
"RFC XXXX: I2NSF NSF Monitoring Interface YANG Data Model"; "RFC XXXX: I2NSF NSF Monitoring Interface YANG Data Model";
// RFC Ed.: replace XXXX with an actual RFC number and remove // RFC Ed.: replace XXXX with an actual RFC number and remove
// this note. // this note.
} }
/* /*
* Typedefs * Typedefs
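Review bot: the revision statement's description is still the placeholder "Latest revision". A revision statement should say what changed; for this revision that is the switch to `inet:ip-address-no-zone`, the `nsfi` to `nsfintf` prefix rename, the `src-zone`/`dst-zone` to `src-location`/`dst-location` rename, the removal of the `sftp` identity and the addition of `imap`. Keeping a single revision before publication is fine, but the text should describe the module rather than stand in for a date.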
skipping to change at page 47, line 43 skipping to change at page 47, line 45
base protocol; base protocol;
description description
"Base identity for Layer 4 protocol condition capabilities, "Base identity for Layer 4 protocol condition capabilities,
e.g., TCP, UDP, SCTP, DCCP, and ICMP"; e.g., TCP, UDP, SCTP, DCCP, and ICMP";
} }
identity tcp { identity tcp {
base transport-protocol; base transport-protocol;
description description
"TCP protocol type."; "TCP protocol type.";
reference reference
"RFC 793: Transmission Control Protocol"; "RFC 793: Transmission Control Protocol
draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
(TCP) Specification";
} }
identity udp { identity udp {
base transport-protocol; base transport-protocol;
description description
"UDP protocol type."; "UDP protocol type.";
reference reference
"RFC 768: User Datagram Protocol"; "RFC 768: User Datagram Protocol";
} }
identity sctp { identity sctp {
base transport-protocol; base transport-protocol;
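Review bot: the `tcp` identity's reference now pins "draft-ietf-tcpm-rfc793bis-25" by draft version while the Section 9 prose cites [I-D.ietf-tcpm-rfc793bis] without one; either drop the "-25" or add an RFC Editor note to replace it with the RFC number on publication, as is already done for "RFC XXXX" in the module header.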
skipping to change at page 49, line 23 skipping to change at page 49, line 27
reference reference
"RFC 854: Telnet Protocol"; "RFC 854: Telnet Protocol";
} }
identity smtp { identity smtp {
base application-protocol; base application-protocol;
description description
"The identity for smtp."; "The identity for smtp.";
reference reference
"RFC 5321: Simple Mail Transfer Protocol (SMTP)"; "RFC 5321: Simple Mail Transfer Protocol (SMTP)";
} }
identity sftp { identity pop3 {
base application-protocol; base application-protocol;
description description
"The identity for sftp."; "The identity for pop3.";
reference reference
"RFC 913: Simple File Transfer Protocol (SFTP)"; "RFC 1939: Post Office Protocol - Version 3 (POP3)";
} }
identity pop3 { identity imap {
base application-protocol; base application-protocol;
description description
"The identity for pop3."; "The identity for Internet Message Access Protocol.";
reference reference
"RFC 1081: Post Office Protocol -Version 3 (POP3)"; "RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1";
} }
/* /*
* Grouping * Grouping
*/ */
grouping timestamp { grouping timestamp {
description description
"Grouping for identifying the time of the message."; "Grouping for identifying the time of the message.";
leaf timestamp { leaf timestamp {
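Review bot: the `sftp` identity is deleted without comment anywhere in the revision; the removal is sensible, since RFC 913 is the unrelated 1984 "Simple File Transfer Protocol" and the identity name invites confusion with SSH's SFTP, but say so in the change log. The descriptions in this block are also inconsistent in form: "The identity for pop3." versus "The identity for Internet Message Access Protocol."; use the same pattern (expanded name plus acronym) for `smtp`, `pop3` and `imap`.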
skipping to change at page 50, line 23 skipping to change at page 50, line 27
} }
leaf vendor-name { leaf vendor-name {
type string; type string;
description description
"The name of the NSF vendor. The string is unrestricted to "The name of the NSF vendor. The string is unrestricted to
identify the provider or vendor of the NSF."; identify the provider or vendor of the NSF.";
} }
leaf nsf-name { leaf nsf-name {
type union { type union {
type string; type string;
type inet:ip-address; type inet:ip-address-no-zone;
} }
description description
"The name or IP address of the NSF generating the message. "The name or IP address of the NSF generating the message.
If the given nsf-name is not IP address, the name can be an If the given nsf-name is not IP address, the name can be an
arbitrary string including FQDN (Fully Qualified Domain arbitrary string including FQDN (Fully Qualified Domain
Name). The name MUST be unique for different NSF to Name). The name MUST be unique for different NSF to
identify the NSF that generates the message."; identify the NSF that generates the message.";
} }
leaf severity { leaf severity {
type severity; type severity;
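Review bot: in `leaf nsf-name` the union lists `type string;` before `type inet:ip-address-no-zone;`. YANG validates union members in the order given (RFC 7950, Section 9.12), and an unconstrained `string` accepts every value, so the `ip-address-no-zone` member can never be selected and the "or IP address" case in the description is unenforceable. Put `type inet:ip-address-no-zone;` first, or give the string member a pattern that excludes address literals. The description's "MUST be unique for different NSF" also has no mechanism behind it; either state who guarantees uniqueness (the Security Controller at registration) or soften it.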
skipping to change at page 52, line 5 skipping to change at page 52, line 9
mandatory true; mandatory true;
description description
"The name of a user"; "The name of a user";
} }
leaf-list group { leaf-list group {
type string; type string;
description description
"The group(s) to which a user belongs."; "The group(s) to which a user belongs.";
} }
leaf ip-address { leaf ip-address {
type inet:ip-address; type inet:ip-address-no-zone;
mandatory true; mandatory true;
description description
"The IPv4 (or IPv6) address of a user that trigger the "The IPv4 (or IPv6) address of a user that trigger the
event."; event.";
} }
leaf authentication { leaf authentication {
type identityref { type identityref {
base authentication-mode; base authentication-mode;
} }
description description
"The authentication-mode of a user."; "The authentication-mode of a user.";
} }
} }
grouping i2nsf-nsf-event-type-content { grouping i2nsf-nsf-event-type-content {
description description
"A set of common IPv4 (or IPv6)-related NSF event "A set of common IPv4 (or IPv6)-related NSF event
content elements"; content elements";
leaf dst-ip { leaf dst-ip {
type inet:ip-address; type inet:ip-address-no-zone;
description description
"The destination IPv4 (IPv6) address of the packet"; "The destination IPv4 (IPv6) address of the packet";
} }
leaf dst-port { leaf dst-port {
type inet:port-number; type inet:port-number;
description description
"The destination port of the packet"; "The destination port of the packet";
} }
leaf rule-name { leaf rule-name {
type leafref { type leafref {
path path
"/nsfi:i2nsf-security-policy" "/nsfintf:i2nsf-security-policy"
+"/nsfi:rules/nsfi:rule-name"; +"/nsfintf:rules/nsfintf:rule-name";
} }
mandatory true; mandatory true;
description description
"The name of the I2NSF Policy Rule being triggered"; "The name of the I2NSF Policy Rule being triggered";
} }
leaf raw-info { leaf raw-info {
type string; type string;
description description
"The information describing the packet "The information describing the packet
triggering the event."; triggering the event.";
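Review bot: `leaf rule-name` is a `mandatory true` leafref into the configuration tree of `ietf-i2nsf-policy-rule-for-nsf`, yet this grouping feeds notifications and state data. With the default `require-instance true`, a notification emitted for a rule that has since been deleted would fail validation; add `require-instance false;` inside the leafref so the event remains deliverable and the collector can still record the rule name. Minor: "a user that trigger the event" should read "triggers".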
skipping to change at page 52, line 48 skipping to change at page 53, line 4
} }
mandatory true; mandatory true;
description description
"The name of the I2NSF Policy Rule being triggered"; "The name of the I2NSF Policy Rule being triggered";
} }
leaf raw-info { leaf raw-info {
type string; type string;
description description
"The information describing the packet "The information describing the packet
triggering the event."; triggering the event.";
} }
} }
grouping i2nsf-nsf-event-type-content-extend { grouping i2nsf-nsf-event-type-content-extend {
description description
"A set of extended common IPv4 (or IPv6)-related NSF "A set of extended common IPv4 (or IPv6)-related NSF
event content elements"; event content elements";
uses i2nsf-nsf-event-type-content; uses i2nsf-nsf-event-type-content;
leaf src-ip { leaf src-ip {
type inet:ip-address; type inet:ip-address-no-zone;
description description
"The source IPv4 (or IPv6) address of the packet"; "The source IPv4 (or IPv6) address of the packet";
} }
leaf src-port { leaf src-port {
type inet:port-number; type inet:port-number;
description description
"The source port of the packet"; "The source port of the packet";
} }
leaf src-zone { leaf src-location {
type string { type string {
length "1..100"; length "1..100";
pattern "[0-9a-zA-Z ]*"; pattern "[0-9a-zA-Z ]*";
} }
description description
"The source geographical location (e.g., country and city) of "The source geographical location (e.g., country and city) of
the packet."; the packet.";
} }
leaf dst-zone { leaf dst-location {
type string { type string {
length "1..100"; length "1..100";
pattern "[0-9a-zA-Z ]*"; pattern "[0-9a-zA-Z ]*";
} }
description description
"The destination geographical location (e.g., country and "The destination geographical location (e.g., country and
city) of the packet."; city) of the packet.";
} }
} }
grouping log-action { grouping log-action {
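Review bot: the renamed `src-location`/`dst-location` leaves constrain values with `pattern "[0-9a-zA-Z ]*"`, which rejects the separator the description implies ("country and city", e.g. "Seoul, Korea"), any hyphenated name, and every non-ASCII place name. Either specify a fixed encoding (for example an ISO 3166 country code followed by a city name) or relax the pattern. Note that YANG patterns are implicitly anchored, so it is the `length "1..100"` that rules out an empty string, not the `*`.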
skipping to change at page 56, line 49 skipping to change at page 57, line 4
} }
uses traffic-rates; uses traffic-rates;
} }
grouping i2nsf-nsf-counters-type-content{ grouping i2nsf-nsf-counters-type-content{
description description
"A set of contents of a policy in an NSF."; "A set of contents of a policy in an NSF.";
leaf policy-name { leaf policy-name {
type leafref { type leafref {
path path
"/nsfi:i2nsf-security-policy" "/nsfintf:i2nsf-security-policy"
+"/nsfi:system-policy-name"; +"/nsfintf:system-policy-name";
} }
mandatory true; mandatory true;
description description
"The name of the policy being triggered"; "The name of the policy being triggered";
} }
leaf src-user{ leaf src-user{
type string; type string;
description description
"The I2NSF User's name who generates the policy."; "The I2NSF User's name who generates the policy.";
} }
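Review bot: `policy-name` has the same `require-instance` consideration as `rule-name`: counters reported after a policy has been removed would otherwise be invalid under the default `require-instance true`. Style nits in this hunk: `grouping i2nsf-nsf-counters-type-content{` and `leaf src-user{` lack the space before `{` used everywhere else in the module.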
skipping to change at page 60, line 38 skipping to change at page 60, line 42
uses common-monitoring-data; uses common-monitoring-data;
} }
} }
case i2nsf-traffic-flows { case i2nsf-traffic-flows {
container i2nsf-traffic-flows { container i2nsf-traffic-flows {
description description
"This notification is sent to inform about the traffic "This notification is sent to inform about the traffic
flows."; flows.";
leaf src-ip { leaf src-ip {
type inet:ip-address; type inet:ip-address-no-zone;
description description
"The source IPv4 (or IPv6) address of the flow"; "The source IPv4 (or IPv6) address of the flow";
} }
leaf dst-ip { leaf dst-ip {
type inet:ip-address; type inet:ip-address-no-zone;
description description
"The destination IPv4 (or IPv6) address of the flow"; "The destination IPv4 (or IPv6) address of the flow";
} }
leaf protocol { leaf protocol {
type identityref { type identityref {
base protocol; base protocol;
} }
description description
"The protocol type for nsf-detection-intrusion "The protocol type for nsf-detection-intrusion
notification"; notification";
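Review bot: the `protocol` leaf's description reads "The protocol type for nsf-detection-intrusion notification", but the leaf sits inside `container i2nsf-traffic-flows`; fix the copy-paste so it describes the protocol of the reported flow.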
skipping to change at page 62, line 26 skipping to change at page 62, line 30
"This choice must be augmented with cases for each allowed "This choice must be augmented with cases for each allowed
sub-logs. Only 1 sub-event will be instantiated in each sub-logs. Only 1 sub-event will be instantiated in each
i2nsf-logs message. Each case is expected to define one i2nsf-logs message. Each case is expected to define one
container with all the sub-logs fields."; container with all the sub-logs fields.";
case i2nsf-nsf-system-access-log { case i2nsf-nsf-system-access-log {
container i2nsf-nsf-system-access-log { container i2nsf-nsf-system-access-log {
description description
"The notification is sent, if there is a new system "The notification is sent, if there is a new system
log entry about a system access event."; log entry about a system access event.";
leaf login-ip { leaf login-ip {
type inet:ip-address; type inet:ip-address-no-zone;
mandatory true; mandatory true;
description description
"Login IP address of a user"; "Login IP address of a user";
} }
leaf username { leaf username {
type string; type string;
description description
"The login username that maintains the device"; "The login username that maintains the device";
} }
leaf login-role { leaf login-role {
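Review bot: in `i2nsf-nsf-system-access-log`, `login-ip` is `mandatory true` but `username` is not. For an access log whose purpose is auditing administrative logins to the NSF, an event without a user identity is of little use; make `username` mandatory as well, or document when an access event legitimately lacks one. The description "The login username that maintains the device" is also awkward; "The username used for the login" is clearer.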
skipping to change at page 67, line 49 skipping to change at page 68, line 4
description description
"The time stamp indicating when the attack started"; "The time stamp indicating when the attack started";
} }
leaf end-time { leaf end-time {
type yang:date-and-time; type yang:date-and-time;
mandatory true; mandatory true;
description description
"The time stamp indicating when the attack ended"; "The time stamp indicating when the attack ended";
} }
leaf-list attack-src-ip { leaf-list attack-src-ip {
type inet:ip-address; type inet:ip-address-no-zone;
description description
"The source IPv4 (or IPv6) addresses of attack "The source IPv4 (or IPv6) addresses of attack
traffic. It can hold multiple IPv4 (or IPv6) traffic. It can hold multiple IPv4 (or IPv6)
addresses."; addresses.";
} }
leaf-list attack-dst-ip { leaf-list attack-dst-ip {
type inet:ip-prefix; type inet:ip-prefix;
description description
"The destination IPv4 (or IPv6) addresses of attack "The destination IPv4 (or IPv6) addresses of attack
traffic. It can hold multiple IPv4 (or IPv6) traffic. It can hold multiple IPv4 (or IPv6)
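Review bot: `attack-src-ip` is changed to `inet:ip-address-no-zone`, but `attack-dst-ip` stays `inet:ip-prefix` while its description still says "addresses". Either change it to `inet:ip-address-no-zone` for consistency with the rest of this revision or, if a prefix is intentional (aggregating the targets of a DDoS attack), say so in the description.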
skipping to change at page 68, line 26 skipping to change at page 68, line 30
"The source ports of the DDoS attack"; "The source ports of the DDoS attack";
} }
leaf-list attack-dst-port { leaf-list attack-dst-port {
type inet:port-number; type inet:port-number;
description description
"The destination ports of the DDoS attack"; "The destination ports of the DDoS attack";
} }
leaf rule-name { leaf rule-name {
type leafref { type leafref {
path path
"/nsfi:i2nsf-security-policy" "/nsfintf:i2nsf-security-policy"
+"/nsfi:rules/nsfi:rule-name"; +"/nsfintf:rules/nsfintf:rule-name";
} }
mandatory true; mandatory true;
description description
"The name of the I2NSF Policy Rule being triggered"; "The name of the I2NSF Policy Rule being triggered";
} }
leaf raw-info { leaf raw-info {
type string; type string;
description description
"The information describing the packet "The information describing the packet
triggering the event."; triggering the event.";
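Review bot: `rule-name` and `raw-info` in this container duplicate the leaves already defined in `grouping i2nsf-nsf-event-type-content` (same leafref path, same `mandatory true`, same descriptions). Factor the pair into a small grouping and `uses` it here, so that the prefix rename, and any future `require-instance` change, has to be made in one place rather than in every copy.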
skipping to change at page 72, line 19 skipping to change at page 72, line 23
} }
leaf-list destination-voice-id { leaf-list destination-voice-id {
type string; type string;
description description
"The detected destination voice ID for VoIP and VoLTE "The detected destination voice ID for VoIP and VoLTE
that violates the security policy."; that violates the security policy.";
} }
leaf-list user-agent { leaf-list user-agent {
type string; type string;
description description
"The detected user-agent for VoIP and VoLTE that violates "The detected user-agent for VoIP and VoLTE that
the security policy."; violates the security policy.";
} }
} }
} }
case i2nsf-nsf-log-dpi { case i2nsf-nsf-log-dpi {
if-feature "i2nsf-nsf-log-dpi"; if-feature "i2nsf-nsf-log-dpi";
container i2nsf-nsf-log-dpi { container i2nsf-nsf-log-dpi {
description description
"This notification is sent, if there is a new DPI "This notification is sent, if there is a new DPI
event in the NSF log."; event in the NSF log.";
leaf attack-type { leaf attack-type {
skipping to change at page 72, line 48 skipping to change at page 73, line 4
} }
} }
} }
} }
/* /*
* Data nodes * Data nodes
*/ */
container i2nsf-counters { container i2nsf-counters {
config false; config false;
description description
"This is probably better covered by an import as this "The state data representing continuous value changes of
will not be notifications. Counters are not very information elements that occur very frequently. The value
suitable as telemetry, maybe via periodic should be calculated from the start of the service of the
subscriptions, which would still violate the principle NSF.";
of least surprise.";
list system-interface { list system-interface {
key interface-name; key interface-name;
description description
"Interface counters provide the visibility of traffic into "Interface counters provide the visibility of traffic into
and out of an NSF, and bandwidth usage."; and out of an NSF, and bandwidth usage.";
uses characteristics; uses characteristics;
uses i2nsf-system-counter-type-content; uses i2nsf-system-counter-type-content;
uses common-monitoring-data; uses common-monitoring-data;
uses timestamp; uses timestamp;
} }
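Review bot: the new `i2nsf-counters` description, "The value should be calculated from the start of the service of the NSF", leaves counter discontinuities unspecified. A restart or counter wrap resets the values, and a collector computing rates across a reset will see spurious spikes (or negative deltas) that look like an attack or an outage. State the wrap and reset behaviour, and consider a `discontinuity-time` leaf alongside the counters, as `ietf-interfaces` does (RFC 8343), so collectors can detect resets.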
skipping to change at page 74, line 4 skipping to change at page 74, line 7
} }
} }
container i2nsf-monitoring-configuration { container i2nsf-monitoring-configuration {
description description
"The container for configuring I2NSF monitoring."; "The container for configuring I2NSF monitoring.";
container i2nsf-system-detection-alarm { container i2nsf-system-detection-alarm {
description description
"The container for configuring I2NSF system-detection-alarm "The container for configuring I2NSF system-detection-alarm
notification"; notification";
uses enable-notification; uses enable-notification;
list system-alarm { list system-alarm {
key alarm-type; key alarm-type;
description description
"Configuration for system alarm (i.e., CPU, Memory, "Configuration for system alarm (i.e., CPU, Memory,
and Disk Usage)"; and Disk Usage)";
leaf alarm-type { leaf alarm-type {
type enumeration { type enumeration {
enum CPU { enum cpu {
description description
"To configure the CPU usage threshold to trigger the "To configure the CPU usage threshold to trigger the
CPU-USAGE-ALARM"; cpu-alarm";
} }
enum Memory { enum memory {
description description
"To configure the Memory usage threshold to trigger "To configure the Memory usage threshold to trigger
the MEM-USAGE-ALARM"; the memory-alarm";
} }
enum Disk { enum disk {
description description
"To configure the Disk (storage) usage threshold to "To configure the Disk (storage) usage threshold to
trigger the DISK-USAGE-ALARM"; trigger the disk-alarm";
} }
} }
description description
"Type of alarm to be configured"; "Type of alarm to be configured";
} }
leaf threshold { leaf threshold {
type uint8 { type uint8 {
range "1..100"; range "1..100";
} }
units "percent"; units "percent";
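Review bot: the enum values are renamed from `CPU`/`Memory`/`Disk` to `cpu`/`memory`/`disk`, and the descriptions now refer to `cpu-alarm`, `memory-alarm` and `disk-alarm` where they used to say CPU-USAGE-ALARM etc.; confirm those names match the alarm identities actually defined in the module (they are not visible in this excerpt). Renaming enums is not a backward-compatible change under RFC 7950, Section 11, which is acceptable before publication but belongs in the change log.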
skipping to change at page 77, line 8 skipping to change at page 77, line 18
Monitoring subscription. The YANG module in this document supports Monitoring subscription. The YANG module in this document supports
"ietf-subscribed-notifications" YANG module [RFC8639] for "ietf-subscribed-notifications" YANG module [RFC8639] for
subscription. The reserved event stream name for this document is subscription. The reserved event stream name for this document is
"I2NSF-Monitoring". The NETCONF Server (e.g., an NSF) MUST support "I2NSF-Monitoring". The NETCONF Server (e.g., an NSF) MUST support
"I2NSF-Monitoring" event stream for an NSF data collector (e.g., "I2NSF-Monitoring" event stream for an NSF data collector (e.g.,
Security Controller). The "I2NSF-Monitoring" event stream contains Security Controller). The "I2NSF-Monitoring" event stream contains
all I2NSF events described in this document. The following example all I2NSF events described in this document. The following example
shows the capabilities of the event streams of an NSF (e.g., shows the capabilities of the event streams of an NSF (e.g.,
"NETCONF" and "I2NSF-Monitoring" event streams) by the subscription "NETCONF" and "I2NSF-Monitoring" event streams) by the subscription
of an NSF data collector; note that this example XML file is of an NSF data collector; note that this example XML file is
delivered by an NSF to an NSF data collector: delivered by an NSF to an NSF data collector. The XML examples in
this document follow the line breaks as per [RFC8792].
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="1" <rpc-reply message-id="1"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<data> <data>
<netconf xmlns="urn:ietf:params:xml:ns:netmod:notification"> <netconf xmlns="urn:ietf:params:xml:ns:netmod:notification">
<streams> <streams>
<stream> <stream>
<name>NETCONF</name> <name>NETCONF</name>
<description>Default NETCONF Event Stream</description> <description>Default NETCONF Event Stream</description>
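Review bot: the added sentence says the XML examples follow [RFC8792] line folding, but the example that follows begins directly with `<?xml version="1.0" encoding="UTF-8"?>` and shows no RFC 8792 header line. RFC 8792 requires the `NOTE: '\' line wrapping per RFC 8792` header ahead of folded content; add the header to each example that is actually folded, or drop the sentence if none is.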
skipping to change at page 84, line 5 skipping to change at page 84, line 5
<https://www.rfc-editor.org/info/rfc791>. <https://www.rfc-editor.org/info/rfc791>.
[RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5,
RFC 792, DOI 10.17487/RFC0792, September 1981, RFC 792, DOI 10.17487/RFC0792, September 1981,
<https://www.rfc-editor.org/info/rfc792>. <https://www.rfc-editor.org/info/rfc792>.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981, RFC 793, DOI 10.17487/RFC0793, September 1981,
<https://www.rfc-editor.org/info/rfc793>. <https://www.rfc-editor.org/info/rfc793>.
[RFC0854] Postel, J. and J. Reynolds, "Telnet Protocol
Specification", STD 8, RFC 854, DOI 10.17487/RFC0854, May
1983, <https://www.rfc-editor.org/info/rfc854>.
[RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol", [RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol",
STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985, STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985,
<https://www.rfc-editor.org/info/rfc959>. <https://www.rfc-editor.org/info/rfc959>.
[RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3",
STD 53, RFC 1939, DOI 10.17487/RFC1939, May 1996,
<https://www.rfc-editor.org/info/rfc1939>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
4rev1", RFC 3501, DOI 10.17487/RFC3501, March 2003,
<https://www.rfc-editor.org/info/rfc3501>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC3877] Chisholm, S. and D. Romascanu, "Alarm Management [RFC3877] Chisholm, S. and D. Romascanu, "Alarm Management
Information Base (MIB)", RFC 3877, DOI 10.17487/RFC3877, Information Base (MIB)", RFC 3877, DOI 10.17487/RFC3877,
September 2004, <https://www.rfc-editor.org/info/rfc3877>. September 2004, <https://www.rfc-editor.org/info/rfc3877>.
[RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram
Congestion Control Protocol (DCCP)", RFC 4340,
DOI 10.17487/RFC4340, March 2006,
<https://www.rfc-editor.org/info/rfc4340>.
[RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet
Control Message Protocol (ICMPv6) for the Internet Control Message Protocol (ICMPv6) for the Internet
Protocol Version 6 (IPv6) Specification", STD 89, Protocol Version 6 (IPv6) Specification", STD 89,
RFC 4443, DOI 10.17487/RFC4443, March 2006, RFC 4443, DOI 10.17487/RFC4443, March 2006,
<https://www.rfc-editor.org/info/rfc4443>. <https://www.rfc-editor.org/info/rfc4443>.
[RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol",
RFC 4960, DOI 10.17487/RFC4960, September 2007,
<https://www.rfc-editor.org/info/rfc4960>.
[RFC5231] Segmuller, W. and B. Leiba, "Sieve Email Filtering:
Relational Extension", RFC 5231, DOI 10.17487/RFC5231,
January 2008, <https://www.rfc-editor.org/info/rfc5231>.
[RFC5277] Chisholm, S. and H. Trevino, "NETCONF Event [RFC5277] Chisholm, S. and H. Trevino, "NETCONF Event
Notifications", RFC 5277, DOI 10.17487/RFC5277, July 2008, Notifications", RFC 5277, DOI 10.17487/RFC5277, July 2008,
<https://www.rfc-editor.org/info/rfc5277>. <https://www.rfc-editor.org/info/rfc5277>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>. <https://www.rfc-editor.org/info/rfc6242>.
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
RFC 6991, DOI 10.17487/RFC6991, July 2013, RFC 6991, DOI 10.17487/RFC6991, July 2013,
<https://www.rfc-editor.org/info/rfc6991>. <https://www.rfc-editor.org/info/rfc6991>.
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014,
<https://www.rfc-editor.org/info/rfc7230>.
[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
DOI 10.17487/RFC7231, June 2014,
<https://www.rfc-editor.org/info/rfc7231>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>. <https://www.rfc-editor.org/info/rfc8040>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
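Review bot: the new normative entry [RFC5231] is "Sieve Email Filtering: Relational Extension", which nothing in the module refers to; the `smtp` identity cites "RFC 5321: Simple Mail Transfer Protocol (SMTP)", so this looks like a digit transposition and the entry should be for RFC 5321. Also, both [RFC0793] and [I-D.ietf-tcpm-rfc793bis] are now normative for the same protocol; once rfc793bis is published the older reference should go.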
skipping to change at page 86, line 14 skipping to change at page 86, line 49
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<https://www.rfc-editor.org/info/rfc4949>. <https://www.rfc-editor.org/info/rfc4949>.
[RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
Kumar, "Framework for Interface to Network Security Kumar, "Framework for Interface to Network Security
Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018,
<https://www.rfc-editor.org/info/rfc8329>. <https://www.rfc-editor.org/info/rfc8329>.
[RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu,
"Handling Long Lines in Content of Internet-Drafts and
RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020,
<https://www.rfc-editor.org/info/rfc8792>.
[I-D.ietf-i2nsf-consumer-facing-interface-dm] [I-D.ietf-i2nsf-consumer-facing-interface-dm]
Jeong, J. (., Chung, C., Ahn, T., Kumar, R., and S. Hares, Jeong, J. (., Chung, C., Ahn, T., Kumar, R., and S. Hares,
"I2NSF Consumer-Facing Interface YANG Data Model", Work in "I2NSF Consumer-Facing Interface YANG Data Model", Work in
Progress, Internet-Draft, draft-ietf-i2nsf-consumer- Progress, Internet-Draft, draft-ietf-i2nsf-consumer-
facing-interface-dm-13, 8 March 2021, facing-interface-dm-14, 21 August 2021,
<https://www.ietf.org/archive/id/draft-ietf-i2nsf- <https://www.ietf.org/archive/id/draft-ietf-i2nsf-
consumer-facing-interface-dm-13.txt>. consumer-facing-interface-dm-14.txt>.
[I-D.ietf-i2nsf-nsf-facing-interface-dm] [I-D.ietf-i2nsf-nsf-facing-interface-dm]
Kim, J. (., Jeong, J. (., Park, J., Hares, S., and Q. Lin, Kim, J. (., Jeong, J. (., Park, J., Hares, S., and Q. Lin,
"I2NSF Network Security Function-Facing Interface YANG "I2NSF Network Security Function-Facing Interface YANG
Data Model", Work in Progress, Internet-Draft, draft-ietf- Data Model", Work in Progress, Internet-Draft, draft-ietf-
i2nsf-nsf-facing-interface-dm-12, 8 March 2021, i2nsf-nsf-facing-interface-dm-13, 15 August 2021,
<https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf- <https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf-
facing-interface-dm-12.txt>. facing-interface-dm-13.txt>.
[I-D.ietf-i2nsf-registration-interface-dm] [I-D.ietf-i2nsf-registration-interface-dm]
Hyun, S., Jeong, J. P., Roh, T., Wi, S., and J. Park, Hyun, S., Jeong, J. P., Roh, T., Wi, S., and J. Park,
"I2NSF Registration Interface YANG Data Model", Work in "I2NSF Registration Interface YANG Data Model", Work in
Progress, Internet-Draft, draft-ietf-i2nsf-registration- Progress, Internet-Draft, draft-ietf-i2nsf-registration-
interface-dm-10, 21 February 2021, interface-dm-11, 21 August 2021,
<https://www.ietf.org/archive/id/draft-ietf-i2nsf- <https://www.ietf.org/archive/id/draft-ietf-i2nsf-
registration-interface-dm-10.txt>. registration-interface-dm-11.txt>.
[I-D.ietf-i2nsf-applicability] [I-D.ietf-i2nsf-applicability]
Jeong, J. P., Hyun, S., Ahn, T., Hares, S., and D. R. Jeong, J. P., Hyun, S., Ahn, T., Hares, S., and D. R.
Lopez, "Applicability of Interfaces to Network Security Lopez, "Applicability of Interfaces to Network Security
Functions to Network-Based Security Services", Work in Functions to Network-Based Security Services", Work in
Progress, Internet-Draft, draft-ietf-i2nsf-applicability- Progress, Internet-Draft, draft-ietf-i2nsf-applicability-
18, 16 September 2019, <https://www.ietf.org/archive/id/ 18, 16 September 2019, <https://www.ietf.org/archive/id/
draft-ietf-i2nsf-applicability-18.txt>. draft-ietf-i2nsf-applicability-18.txt>.
[I-D.yang-i2nsf-security-policy-translation] [I-D.yang-i2nsf-security-policy-translation]
Jeong, J. (., Lingga, P., Yang, J., and C. Chung, Jeong, J. (., Lingga, P., Yang, J., and C. Chung,
"Security Policy Translation in Interface to Network "Security Policy Translation in Interface to Network
Security Functions", Work in Progress, Internet-Draft, Security Functions", Work in Progress, Internet-Draft,
draft-yang-i2nsf-security-policy-translation-08, 22 draft-yang-i2nsf-security-policy-translation-09, 21 August
February 2021, <https://www.ietf.org/archive/id/draft- 2021, <https://www.ietf.org/archive/id/draft-yang-i2nsf-
yang-i2nsf-security-policy-translation-08.txt>. security-policy-translation-09.txt>.
[I-D.ietf-tcpm-rfc793bis]
Eddy, W. M., "Transmission Control Protocol (TCP)
Specification", Work in Progress, Internet-Draft, draft-
ietf-tcpm-rfc793bis-25, 7 September 2021,
<https://www.ietf.org/archive/id/draft-ietf-tcpm-
rfc793bis-25.txt>.
[IANA-HTTP-Status-Code] [IANA-HTTP-Status-Code]
Internet Assigned Numbers Authority (IANA), "Hypertext Internet Assigned Numbers Authority (IANA), "Hypertext
Transfer Protocol (HTTP) Status Code Registry", September Transfer Protocol (HTTP) Status Code Registry", September
2018, <https://www.iana.org/assignments/http-status-codes/ 2018, <https://www.iana.org/assignments/http-status-codes/
http-status-codes.xhtml>. http-status-codes.xhtml>.
[IANA-Media-Types] [IANA-Media-Types]
Internet Assigned Numbers Authority (IANA), "Media Types", Internet Assigned Numbers Authority (IANA), "Media Types",
August 2021, <https://www.iana.org/assignments/media- August 2021, <https://www.iana.org/assignments/media-
types/media-types.xhtml>. types/media-types.xhtml>.
Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-08 Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-09
The following changes are made from draft-ietf-i2nsf-nsf-monitoring- The following changes are made from draft-ietf-i2nsf-nsf-monitoring-
data-model-08: data-model-09:
* This version is revised following Tom Petch's, Martin Bjorklund's, * This version is revised following Tom Petch's, Martin Bjorklund's,
and Roman Danyliw's Comments. and Roman Danyliw's Comments.
* This version is revised to synchronize with other I2NSF documents. * This version is revised to synchronize with other I2NSF documents.
Authors' Addresses Authors' Addresses
Jaehoon (Paul) Jeong (editor) Jaehoon (Paul) Jeong (editor)
Department of Computer Science and Engineering Department of Computer Science and Engineering