rfcdiff: draft-ietf-i2nsf-nsf-monitoring-data-model-11.txt vs. draft-ietf-i2nsf-nsf-monitoring-data-model-12.txt
(Unchanged text is shown once; where the two versions differ, the -11 and -12 wording are marked.)

Network Working Group                                      J. Jeong, Ed.
Internet-Draft                                                 P. Lingga
Intended status: Standards Track                 Sungkyunkwan University
Expires: 18 April 2022 (-11) / 21 May 2022 (-12)                S. Hares
                                                                  L. Xia
                                                                  Huawei
                                                             H. Birkholz
                                                          Fraunhofer SIT
                            15 October 2021 (-11) / 17 November 2021 (-12)

             I2NSF NSF Monitoring Interface YANG Data Model
          draft-ietf-i2nsf-nsf-monitoring-data-model-11 / -12
Abstract

   This document proposes an information model and the corresponding
   YANG data model of an interface for monitoring Network Security
   Functions (NSFs) in the Interface to Network Security Functions
   (I2NSF) framework.  If the monitoring of NSFs is performed with the
   NSF monitoring interface in a comprehensive way, it is possible to
   detect the indication of malicious activity, anomalous behavior, the
   potential sign of denial of service attacks, or system overload in a

   [skipping to change at page 1, line 46]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 18 April 2022 (-11) / 21 May 2022 (-12).

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights

   [skipping to change at page 2, line 26]

   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.
Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Use Cases for NSF Monitoring Data
   4.  Classification of NSF Monitoring Data
     4.1.  Retention and Emission
     4.2.  Notifications, Events, and Records
     4.3.  Unsolicited Poll and Solicited Push
   5.  Basic Information Model for Monitoring Data
   6.  Extended Information Model for Monitoring Data
     6.1.  System Alarms
       6.1.1.  Memory Alarm
       6.1.2.  CPU Alarm
       6.1.3.  Disk Alarm
       6.1.4.  Hardware Alarm
       6.1.5.  Interface Alarm
     6.2.  System Events
       6.2.1.  Access Violation
       6.2.2.  Configuration Change
       6.2.3.  Session Table Event
       6.2.4.  Traffic Flows
     6.3.  NSF Events
       6.3.1.  DDoS Detection
       6.3.2.  Virus Event
       6.3.3.  Intrusion Event
       6.3.4.  Web Attack Event
       6.3.5.  VoIP/VoLTE Event
     6.4.  System Logs
       6.4.1.  Access Log
       6.4.2.  Resource Utilization Log
       6.4.3.  User Activity Log
     6.5.  NSF Logs
       6.5.1.  Deep Packet Inspection Log
     6.6.  System Counter

   [skipping to change at page 3, line 21]

   8.  Tree Structure
   9.  YANG Data Model
   10. I2NSF Event Stream
   11. XML Examples for I2NSF NSF Monitoring
     11.1.  I2NSF System Detection Alarm
     11.2.  I2NSF Interface Counters
   12. IANA Considerations
   13. Security Considerations
   14. Acknowledgments
   15. Contributors
   16. References
     16.1.  Normative References
     16.2.  Informative References
   Appendix A.  Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-09 (-11) /
                Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-11 (-12)
   Authors' Addresses
1.  Introduction

   According to [RFC8329], the interface provided by a Network Security
   Function (NSF) (e.g., Firewall, IPS, or Anti-DDoS function) to
   administrative entities (e.g., Security Controller) to enable remote
   management (i.e., configuring and monitoring) is referred to as an
   I2NSF Monitoring Interface.  This interface enables the sharing of
   vital data from the NSFs (e.g., alarms, records, and counters) to the
   Security Controller through a variety of mechanisms (e.g., queries,

   [skipping to change at page 6, line 15]

   set of capabilities that creates information about some context with
   monitoring data (i.e., monitoring information), composition,
   configuration, state or behavior of that system entity.  This
   information is intended to be provided to other consumers of
   information and in the scope of this document, which deals with NSF
   monitoring data in an automated fashion.
4.1.  Retention and Emission

   A system entity (e.g., NSF) first retains I2NSF monitoring data
   inside its own system before emitting the information to another
   I2NSF component (e.g., NSF Data Collector).  (-11 omitted "to".)
   The I2NSF monitoring information consists of I2NSF Event, I2NSF
   Record, and I2NSF Counter as follows:

   I2NSF Event:  An I2NSF Event is defined as an important occurrence over
      time, that is, a change in the system being managed or a change in
      the environment of the system being managed.  An I2NSF Event
      requires immediate attention and should be notified as soon as
      possible.  When used in the context of an (imperative) I2NSF
      Policy Rule, an I2NSF Event is used to determine whether the
      Condition clause of that Policy Rule can be evaluated or not.  The

   [skipping to change at page 7, line 18]
   I2NSF Counter:  An I2NSF Counter is defined as a specific
      representation of continuous value changes of information elements
      that occur very frequently.  Prominent examples are network
      interface counters for protocol data unit (PDU) amount, byte
      amount, drop counters, and error counters.  Counters are useful in
      debugging and visibility into operational behavior of a system
      entity (e.g., NSF).  When an NSF data collector asks for the value
      of a counter to it, a system entity emits

   -11 text:

   For the utilization of the storage space for accumulated NSF
   monitoring data, all of the information MUST provide the general
   information (e.g., timestamp) for purging existing records, which is
   discussed in Section 5.  This document provides a YANG data model in
   Section 9 for the important I2NSF monitoring information that should
   be retained.  All of the information in the data model is considered
   important and should be kept permanently as the information might be
   useful in many circumstances in the future.  The allowed cases for
   removing some monitoring information include the following:

   *  When the system storage is full to create a fresh record
      [RFC4949], the oldest record can be removed.

   *  The administrator deletes existing records manually after
      analyzing the information in them.

   -12 text (replaces the -11 paragraph and bullets above):

   The retention of I2NSF monitoring information listed in Section 9 may
   be affected by the importance of the data.  The importance of the
   data could be context-dependent, where it may not just be based on
   the type of data, but may also depend on where it is deployed, e.g.,
   a test lab and testbed.  The local policy and configuration will
   dictate the policies and procedures to review, archive, or purge the
   collected monitoring data.
   The I2NSF monitoring information retained on a system entity (e.g.,
   NSF) may be delivered to a corresponding I2NSF User via an NSF data
   collector.  The information consists of the aggregated records,
   typically in the form of log-files or databases.  For the NSF
   Monitoring Interface to deliver the information to the NSF data
   collector, the NSF needs to accommodate standardized delivery
   protocols, such as NETCONF [RFC6241] and RESTCONF [RFC8040].  The NSF
   data collector can forward the information to the I2NSF User through
   one of the standardized delivery protocols.  The interface for this

   [skipping to change at page 11, line 17 (-11) / page 11, line 7 (-12)]
6.1.2.  CPU Alarm

   CPU is the Central Processing Unit that executes basic operations of
   the system.  The cpu-alarm is emitted when the CPU usage exceeds the
   threshold.  The following information should be included in a CPU
   Alarm:

   *  event-name: cpu-alarm.

   *  usage: Specifies the CPU utilization.  (-11: "Specifies the size
      of CPU used.")

   *  threshold: The threshold triggering the event.

   *  severity: The severity of the alarm such as critical, high,
      medium, and low.

   *  message: Simple information such as "The CPU usage exceeded the
      threshold" or with extra information.
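   As an added example (not code from the draft or from the I2NSF
   project), the following Python emitter turns CPU utilization samples
   into cpu-alarm notifications carrying the fields listed above, and
   applies the enabled flag and dampening-period that the draft's
   i2nsf-monitoring-configuration tree attaches to each notification
   type.  The severity mapping, the use of seconds for the dampening
   period, the epoch-seconds timestamp, and the sample readings are
   assumptions made for illustration.

```python
"""Added example, not from the draft: cpu-alarm emission with a
threshold and an on-repetition dampening period.

Assumptions (not stated by the draft): the dampening period is in
seconds, severity is derived from how far usage exceeds the threshold,
and timestamps are plain epoch seconds.  Sample readings are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CpuAlarmConfig:
    """Mirrors the per-notification knobs in i2nsf-monitoring-configuration."""
    enabled: bool = True
    threshold: int = 80             # percent CPU utilization; assumed value
    dampening_period: float = 60.0  # seconds; the unit is an assumption


@dataclass
class CpuAlarmEmitter:
    config: CpuAlarmConfig
    _last_emitted: Optional[float] = field(default=None, init=False)

    @staticmethod
    def severity_for(usage: int, threshold: int) -> str:
        """Assumed mapping from the excess over the threshold to the
        draft's critical/high/medium/low severities."""
        excess = usage - threshold
        if excess >= 15:
            return "critical"
        if excess >= 10:
            return "high"
        if excess >= 5:
            return "medium"
        return "low"

    def observe(self, usage: int, now: float) -> Optional[dict]:
        """Return a cpu-alarm notification for this sample, or None when
        monitoring is disabled, the threshold is not exceeded, or the
        previous alarm is still inside the dampening period."""
        if not self.config.enabled or usage <= self.config.threshold:
            return None
        if (self._last_emitted is not None
                and now - self._last_emitted < self.config.dampening_period):
            return None  # repetition suppressed by dampening
        self._last_emitted = now
        return {
            "event-name": "cpu-alarm",
            "usage": usage,
            "threshold": self.config.threshold,
            "severity": self.severity_for(usage, self.config.threshold),
            "message": (f"The CPU usage exceeded the threshold "
                        f"({usage}% > {self.config.threshold}%)"),
            "timestamp": now,
        }


def run_samples(samples, config: Optional[CpuAlarmConfig] = None) -> list:
    """Feed (time, usage) pairs through one emitter; return the alarms emitted."""
    emitter = CpuAlarmEmitter(config or CpuAlarmConfig())
    alarms = []
    for t, usage in samples:
        alarm = emitter.observe(usage, t)
        if alarm is not None:
            alarms.append(alarm)
    return alarms


# Constructed samples: a spike at t=1, repeats inside the 60 s dampening
# window that are suppressed, then a second alarm at t=61.
SAMPLES = [(0, 40), (1, 97), (2, 90), (30, 85), (61, 88), (62, 50), (70, 96)]

if __name__ == "__main__":
    for alarm in run_samples(SAMPLES):
        print(alarm)
```

   With dampening in force only two alarms leave the NSF for seven
   samples, four of which are above the threshold; setting the
   dampening period to zero emits all five, which is the notification
   storm the dampening-period knob exists to prevent.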
6.1.3.  Disk Alarm

   [skipping to change at page 15, line 15 (-11) / page 15, line 7 (-12)]
   *  end-time: The time stamp indicating when the attack ended.  If the
      attack is still ongoing when sending out the alarm, this field
      can be empty.

   *  attack-rate: The packets per second of attack traffic.

   *  attack-speed: The bytes per second of attack traffic.

   *  rule-name: The name of the I2NSF Policy Rule being triggered.

   Note that rule-name is used to match a detected NSF event with a
   policy rule in [I-D.ietf-i2nsf-nsf-facing-interface-dm].  (-11 added:
   "and also that there is no rule-name in a system event.")
6.3.2.  Virus Event

   The following information should be included in a Virus Event:

   *  event-name: detection-virus.

   *  virus: Type of the virus, e.g., trojan, worm, macro virus type.

   *  virus-name: Name of the virus.

   *  dst-ip: The destination IP address of the flow where the virus is
      found.

   *  src-ip: The source IP address of the flow where the virus is
      found.

   *  src-port: The source port of the flow where the virus is found.

   *  dst-port: The destination port of the flow where the virus is
      found.

   *  src-location: The geographical location (e.g., country and city)
      of the src-ip field.

   *  dst-location: The geographical location (e.g., country and city)
      of the dst-ip field.

   *  os: The operating system of the host that has the virus.  (New in
      -12.)

   *  file-type: The type of the file where the virus is hidden.

   *  file-name: The name of the file where the virus is hidden.

   *  raw-info: The information describing the packet triggering the
      event.

   *  rule-name: The name of the rule being triggered.

   (-11 said "packet" instead of "flow" in the dst-ip, src-ip, src-port
   and dst-port entries, defined src-location and dst-location as the
   "source/destination geographical location of the virus", and had no
   os field.)

6.3.3.  Intrusion Event

   The following information should be included in an Intrusion Event:

   [skipping to change at page 16, line 22 (-11) / page 16, line 16 (-12)]
   *  src-ip: The source IP address of the flow.

   *  dst-ip: The destination IP address of the flow.

   *  src-port: The source port number of the flow.

   *  dst-port: The destination port number of the flow.

   *  src-location: The source geographical location (e.g., country and
      city) of the src-ip field.  (-11: "of the flow".)

   *  dst-location: The destination geographical location (e.g., country
      and city) of the dst-ip field.  (-11: "of the flow".)

   *  protocol: The employed transport layer protocol, e.g., TCP and
      UDP.

   *  app: The employed application layer protocol, e.g., HTTP and FTP.

   *  rule-name: The name of the I2NSF Policy Rule being triggered.

   *  raw-info: The information describing the flow triggering the
      event.

   [skipping to change at page 17, line 6 (-11) / page 16, line 49 (-12)]
   *  src-ip: The source IP address of the packet.

   *  dst-ip: The destination IP address of the packet.

   *  src-port: The source port number of the packet.

   *  dst-port: The destination port number of the packet.

   *  src-location: The source geographical location (e.g., country and
      city) of the src-ip field.  (-11: "of the packet".)

   *  dst-location: The destination geographical location (e.g., country
      and city) of the dst-ip field.  (-11: "of the packet".)

   *  req-method: The HTTP method of the request.  For instance, "PUT"
      and "GET" in HTTP.  (-11: "request-method: The method of
      requirement.")

   *  req-target: The HTTP Request Target.  (-11: "req-uri: Requested
      URI.")

   *  response-code: The HTTP Response status code.

   *  req-user-agent: The HTTP User-Agent header field of the request.

   *  cookies: The HTTP Set-Cookie header field of the response.  (-11:
      "req-cookies: The HTTP Cookie previously sent by the server with
      Set-Cookie.")

   *  req-host: The HTTP Host header field of the request.  (-11: "The
      domain name of the requested host.")

   *  filtering-type: URL filtering type, e.g., deny-list, allow-list,
      and unknown.

   *  rule-name: The name of the I2NSF Policy Rule being triggered.

   (-11 also listed "uri-category: Matched URI category", which -12
   removes.)

6.3.5.  VoIP/VoLTE Event

   The following information should be included in a VoIP/VoLTE Event:

   [skipping to change at page 18, line 6 (-11) / page 17, line 45 (-12)]
   *  src-ip: The source IP address of the VoIP/VoLTE.

   *  dst-ip: The destination IP address of the VoIP/VoLTE.

   *  src-port: The source port number of the VoIP/VoLTE.

   *  dst-port: The destination port number of the VoIP/VoLTE.

   *  src-location: The source geographical location (e.g., country and
      city) of the src-ip field.  (-11: "of the VoIP/VoLTE".)

   *  dst-location: The destination geographical location (e.g., country
      and city) of the dst-ip field.  (-11: "of the VoIP/VoLTE".)

   *  rule-name: The name of the I2NSF Policy Rule being triggered.

6.4.  System Logs

   A system log is a record that is used to monitor the activity of the
   user on the NSF and the status of the NSF.  System logs have the
   following characteristics:

   *  acquisition-method: subscription

   [skipping to change at page 18, line 36 (-11) / page 18, line 28 (-12)]
   Access logs record administrators' login, logout, and operations on a
   device.  By analyzing them, security vulnerabilities can be
   identified.  The following information should be included in an
   operation report:

   *  username: The username that operates on the device.

   *  login-ip: IP address used by an administrator to log in.

   *  login-role: The login role to specify the privilege level of the
      user account, e.g., administrator, user, and guest.  (-11:
      "login-mode: Specifies the administrator logs in mode e.g.
      administrator, user, and guest.")

   *  operation-type: The operation type that the administrator
      executes, e.g., login, logout, configuration, and other.

   *  input: The operation performed by a user after login.  The
      operation is a command given by a user.

   *  output: The result after executing the input.
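   As an added example (not code from the draft or from the I2NSF
   project), here is the kind of analysis the paragraph above alludes
   to, run over constructed access-log records that carry exactly the
   six fields listed.  The two rules it applies, that only the
   administrator role may perform configuration operations and that one
   username logging in from several login-ip values is worth a look,
   are assumed local policy, not rules the draft defines.

```python
"""Added example, not from the draft: detection logic over constructed
I2NSF access-log records with the Section 6.4.1 fields
(username, login-ip, login-role, operation-type, input, output).

Both checks encode assumed local policy:
  1. a configuration operation performed under a login-role that is
     not permitted to configure the device;
  2. one username logging in from more than one login-ip.
"""
from collections import defaultdict

CONFIG_ROLES = {"administrator"}   # assumed: roles allowed to configure


def find_suspicious(records, config_roles=CONFIG_ROLES):
    """Return a list of (finding, username, detail) tuples, in record order."""
    findings = []
    login_ips = defaultdict(set)   # username -> set of login-ip seen
    for rec in records:
        user = rec["username"]
        if (rec["operation-type"] == "configuration"
                and rec["login-role"] not in config_roles):
            findings.append(("config-by-unprivileged-role", user, rec["input"]))
        if rec["operation-type"] == "login":
            login_ips[user].add(rec["login-ip"])
            if len(login_ips[user]) > 1:
                findings.append(("login-from-multiple-ips", user, rec["login-ip"]))
    return findings


# Constructed records (documentation-range addresses, invented commands).
RECORDS = [
    {"username": "alice", "login-ip": "192.0.2.10", "login-role": "administrator",
     "operation-type": "login", "input": "", "output": "ok"},
    {"username": "alice", "login-ip": "192.0.2.10", "login-role": "administrator",
     "operation-type": "configuration",
     "input": "set firewall rule allow-ssh", "output": "ok"},
    {"username": "bob", "login-ip": "198.51.100.7", "login-role": "guest",
     "operation-type": "login", "input": "", "output": "ok"},
    {"username": "bob", "login-ip": "198.51.100.7", "login-role": "guest",
     "operation-type": "configuration",
     "input": "set system ntp-server 203.0.113.5", "output": "denied"},
    {"username": "bob", "login-ip": "203.0.113.9", "login-role": "guest",
     "operation-type": "login", "input": "", "output": "ok"},
    {"username": "alice", "login-ip": "192.0.2.10", "login-role": "administrator",
     "operation-type": "logout", "input": "", "output": "ok"},
]

if __name__ == "__main__":
    for finding in find_suspicious(RECORDS):
        print(finding)
```

   Note that the guest's configuration attempt is flagged even though
   its output is "denied": the attempt itself, not only its success, is
   the signal an analyst wants from an access log.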
6.4.2.  Resource Utilization Log

   [skipping to change at page 25, line 45]
        |  |  +--ro message?                     string
        |  |  +--ro vendor-name?                 string
        |  |  +--ro nsf-name?                    union
        |  |  +--ro severity?                    severity
        |  |  +--ro timestamp?                   yang:date-and-time
        |  +--ro nsf-firewall* [policy-name]
        |  |  +--ro acquisition-method?          identityref
        |  |  +--ro emission-type?               identityref
        |  |  +--ro dampening-type?              identityref
        |  |  +--ro policy-name
        |  |          -> /nsfintf:i2nsf-security-policy/system-policy-name
        |  |  +--ro src-user?                    string
        |  |  +--ro discontinuity-time           yang:date-and-time
        |  |  +--ro total-traffic?               yang:counter32
        |  |  +--ro in-traffic-average-rate?     uint32
        |  |  +--ro in-traffic-peak-rate?        uint32
        |  |  +--ro in-traffic-average-speed?    uint64
        |  |  +--ro in-traffic-peak-speed?       uint64
        |  |  +--ro out-traffic-average-rate?    uint32
        |  |  +--ro out-traffic-peak-rate?       uint32
        |  |  +--ro out-traffic-average-speed?   uint64

   [skipping to change at page 26, line 18]

        |  |  +--ro message?                     string
        |  |  +--ro vendor-name?                 string
        |  |  +--ro nsf-name?                    union
        |  |  +--ro severity?                    severity
        |  |  +--ro timestamp?                   yang:date-and-time
        |  +--ro nsf-policy-hits* [policy-name]
        |     +--ro acquisition-method?          identityref
        |     +--ro emission-type?               identityref
        |     +--ro dampening-type?              identityref
        |     +--ro policy-name
        |             -> /nsfintf:i2nsf-security-policy/system-policy-name
        |     +--ro src-user?                    string
        |     +--ro message?                     string
        |     +--ro vendor-name?                 string
        |     +--ro nsf-name?                    union
        |     +--ro severity?                    severity
        |     +--ro discontinuity-time           yang:date-and-time
        |     +--ro hit-times?                   yang:counter32
        |     +--ro timestamp?                   yang:date-and-time
        +--rw i2nsf-monitoring-configuration
           +--rw i2nsf-system-detection-alarm

   [skipping to change at page 26, line 47]

           +--rw i2nsf-traffic-flows
           |  +--rw dampening-period?   uint32
           |  +--rw enabled?            boolean
           +--rw i2nsf-nsf-detection-ddos {i2nsf-nsf-detection-ddos}?
           |  +--rw enabled?            boolean
           |  +--rw dampening-period?   uint32
           +--rw i2nsf-nsf-detection-session-table-configuration
           |  +--rw enabled?            boolean
           |  +--rw dampening-period?   uint32
           +--rw i2nsf-nsf-detection-intrusion
           |        {i2nsf-nsf-detection-intrusion}?
           |  +--rw enabled?            boolean
           |  +--rw dampening-period?   uint32
           +--rw i2nsf-nsf-detection-web-attack
           |        {i2nsf-nsf-detection-web-attack}?
           |  +--rw enabled?            boolean
           |  +--rw dampening-period?   uint32
           +--rw i2nsf-nsf-system-access-log
           |  +--rw enabled?            boolean
           |  +--rw dampening-period?   uint32
           +--rw i2nsf-system-res-util-log
           |  +--rw enabled?            boolean
           |  +--rw dampening-period?   uint32
           +--rw i2nsf-system-user-activity-log

   [skipping to change at page 30, line 15]

           |  +--ro attack-speed?         uint64
           |  +--ro action*               log-action
           |  +--ro acquisition-method?   identityref
           |  +--ro emission-type?        identityref
           |  +--ro dampening-type?       identityref
           |  +--ro message?              string
           |  +--ro vendor-name?          string
           |  +--ro nsf-name?             union
           |  +--ro severity?             severity
           +--:(i2nsf-nsf-detection-virus)
                    {i2nsf-nsf-detection-virus}?
           |  +--ro i2nsf-nsf-detection-virus
           |     +--ro dst-ip?            inet:ip-address-no-zone
           |     +--ro dst-port?          inet:port-number
           |     +--ro rule-name
           |             -> /nsfintf:i2nsf-security-policy/rules/rule-name
           |     +--ro raw-info?          string
           |     +--ro src-ip?            inet:ip-address-no-zone
           |     +--ro src-port?          inet:port-number
           |     +--ro src-location?      string
           |     +--ro dst-location?      string

   [skipping to change at page 30, line 40]
| +--ro os? string | +--ro os? string
| +--ro action* log-action | +--ro action* log-action
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro message? string | +--ro message? string
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? union | +--ro nsf-name? union
| +--ro severity? severity | +--ro severity? severity
+--:(i2nsf-nsf-detection-intrusion) +--:(i2nsf-nsf-detection-intrusion)
{i2nsf-nsf-detection-intrusion}? {i2nsf-nsf-detection-intrusion}?
| +--ro i2nsf-nsf-detection-intrusion | +--ro i2nsf-nsf-detection-intrusion
| +--ro dst-ip? inet:ip-address-no-zone | +--ro dst-ip? inet:ip-address-no-zone
| +--ro dst-port? inet:port-number | +--ro dst-port? inet:port-number
| +--ro rule-name | +--ro rule-name
-> /nsfintf:i2nsf-security-policy/rules/rule-name -> /nsfintf:i2nsf-security-policy/rules/rule-name
| +--ro raw-info? string | +--ro raw-info? string
| +--ro src-ip? inet:ip-address-no-zone | +--ro src-ip? inet:ip-address-no-zone
| +--ro src-port? inet:port-number | +--ro src-port? inet:port-number
| +--ro src-location? string | +--ro src-location? string
| +--ro dst-location? string | +--ro dst-location? string
skipping to change at page 31, line 17 skipping to change at page 31, line 17
| +--ro attack-rate? uint32 | +--ro attack-rate? uint32
| +--ro attack-speed? uint64 | +--ro attack-speed? uint64
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro message? string | +--ro message? string
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? union | +--ro nsf-name? union
| +--ro severity? severity | +--ro severity? severity
+--:(i2nsf-nsf-detection-web-attack) +--:(i2nsf-nsf-detection-web-attack)
{i2nsf-nsf-detection-web-attack}? {i2nsf-nsf-detection-web-attack}?
| +--ro i2nsf-nsf-detection-web-attack | +--ro i2nsf-nsf-detection-web-attack
| +--ro dst-ip? inet:ip-address-no-zone | +--ro dst-ip? inet:ip-address-no-zone
| +--ro dst-port? inet:port-number | +--ro dst-port? inet:port-number
| +--ro rule-name | +--ro rule-name
-> /nsfintf:i2nsf-security-policy/rules/rule-name -> /nsfintf:i2nsf-security-policy/rules/rule-name
| +--ro raw-info? string | +--ro raw-info? string
| +--ro src-ip? inet:ip-address-no-zone | +--ro src-ip? inet:ip-address-no-zone
| +--ro src-port? inet:port-number | +--ro src-port? inet:port-number
| +--ro src-location? string | +--ro src-location? string
| +--ro dst-location? string | +--ro dst-location? string
| +--ro attack-type? identityref | +--ro attack-type? identityref
| +--ro request-method? identityref | +--ro req-method? identityref
| +--ro req-uri? string | +--ro req-target? string
| +--ro filtering-type* identityref | +--ro filtering-type* identityref
| +--ro req-user-agent? string | +--ro req-user-agent? string
| +--ro req-cookie? string | +--ro cookies? string
| +--ro req-host? string | +--ro req-host? string
| +--ro response-code? string | +--ro response-code? string
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro action* log-action | +--ro action* log-action
| +--ro message? string | +--ro message? string
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? union | +--ro nsf-name? union
| +--ro severity? severity | +--ro severity? severity
+--:(i2nsf-nsf-detection-voip-volte) +--:(i2nsf-nsf-detection-voip-volte)
{i2nsf-nsf-detection-voip-volte}? {i2nsf-nsf-detection-voip-volte}?
| +--ro i2nsf-nsf-detection-voip-volte | +--ro i2nsf-nsf-detection-voip-volte
| +--ro dst-ip? inet:ip-address-no-zone | +--ro dst-ip? inet:ip-address-no-zone
| +--ro dst-port? inet:port-number | +--ro dst-port? inet:port-number
| +--ro rule-name | +--ro rule-name
-> /nsfintf:i2nsf-security-policy/rules/rule-name -> /nsfintf:i2nsf-security-policy/rules/rule-name
| +--ro raw-info? string | +--ro raw-info? string
| +--ro src-ip? inet:ip-address-no-zone | +--ro src-ip? inet:ip-address-no-zone
| +--ro src-port? inet:port-number | +--ro src-port? inet:port-number
| +--ro src-location? string | +--ro src-location? string
| +--ro dst-location? string | +--ro dst-location? string
skipping to change at page 32, line 35 skipping to change at page 32, line 35
Figure 1: Information Model for NSF Monitoring Figure 1: Information Model for NSF Monitoring
9. YANG Data Model 9. YANG Data Model
This section describes a YANG module of I2NSF NSF Monitoring. The This section describes a YANG module of I2NSF NSF Monitoring. The
data model provided in this document uses identities to be used to data model provided in this document uses identities to be used to
get information of the monitored of an NSF's monitoring data. Every get information of the monitored of an NSF's monitoring data. Every
identity used in the document gives information or status about the identity used in the document gives information or status about the
current situation of an NSF. This YANG module imports from current situation of an NSF. This YANG module imports from
[RFC6991], and makes references to [RFC0768][RFC0791] [RFC6991], and makes references to [RFC0768][RFC0791]
[RFC0792][RFC0793][RFC0854] [RFC1939][RFC0959][RFC3501] [RFC0792][RFC0793][RFC0854] [RFC1939][RFC0959][RFC4340]
[RFC4340][RFC4443][RFC4960] [RFC5321][RFC6242][RFC7230] [RFC4443][RFC4960][RFC5321] [RFC6242][RFC6265][RFC7230]
[RFC7231][RFC8200][RFC8641] [I-D.ietf-tcpm-rfc793bis] [RFC7231][RFC8200][RFC8641] [RFC9051] [I-D.ietf-tcpm-rfc793bis]
[IANA-HTTP-Status-Code] [IANA-Media-Types]. [IANA-HTTP-Status-Code] [IANA-Media-Types].
<CODE BEGINS> file "ietf-i2nsf-nsf-monitoring@2021-10-15.yang" <CODE BEGINS> file "ietf-i2nsf-nsf-monitoring@2021-11-17.yang"
module ietf-i2nsf-nsf-monitoring { module ietf-i2nsf-nsf-monitoring {
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"; "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring";
prefix prefix
nsfmi; nsfmi;
import ietf-inet-types{ import ietf-inet-types{
prefix inet; prefix inet;
reference reference
"Section 4 of RFC 6991"; "Section 4 of RFC 6991";
skipping to change at page 34, line 9 skipping to change at page 34, line 9
without modification, is permitted pursuant to, and subject to without modification, is permitted pursuant to, and subject to
the license terms contained in, the Simplified BSD License set the license terms contained in, the Simplified BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
for full legal notices."; for full legal notices.";
revision "2021-10-15" { revision "2021-11-17" {
description "Latest revision"; description "Latest revision";
reference reference
"RFC XXXX: I2NSF NSF Monitoring Interface YANG Data Model"; "RFC XXXX: I2NSF NSF Monitoring Interface YANG Data Model";
// RFC Ed.: replace XXXX with an actual RFC number and remove // RFC Ed.: replace XXXX with an actual RFC number and remove
// this note. // this note.
} }
/* /*
* Typedefs * Typedefs
skipping to change at page 37, line 12 skipping to change at page 37, line 12
} }
description description
"The type of operation done by a user during a session. "The type of operation done by a user during a session.
The user operation is not considering their privileges."; The user operation is not considering their privileges.";
} }
typedef login-role { typedef login-role {
type enumeration { type enumeration {
enum administrator { enum administrator {
description description
"Administrator (i.e., Super User) login role. "Administrator (i.e., Superuser)'s login role.
Non-restricted role."; Non-restricted role.";
} }
enum user { enum user {
description description
"User login role. Semi-restricted role, some data and "User login role. Semi-restricted role, some data and
configurations are available but confidential or important configurations are available but confidential or important
data and configuration are restricted."; data and configuration are restricted.";
} }
enum guest { enum guest {
description description
"Guest login role. Restricted role, only few read data are "Guest login role. Restricted role, only few read data are
available and write configurations are restricted."; available and write configurations are restricted.";
} }
} }
description description
"The role of a user after login."; "The privilege level of the user account.";
} }
/* /*
* Identity * Identity
*/ */
identity characteristics { identity characteristics {
description description
"Base identity for monitoring information "Base identity for monitoring information
characteristics"; characteristics";
skipping to change at page 44, line 37 skipping to change at page 44, line 37
base ddos-type; base ddos-type;
description description
"An Secure Sockets Layer (SSL) flood is detected"; "An Secure Sockets Layer (SSL) flood is detected";
} }
identity ntp-amp-flood { identity ntp-amp-flood {
base ddos-type; base ddos-type;
description description
"A Network Time Protocol (NTP) amplification is detected"; "A Network Time Protocol (NTP) amplification is detected";
} }
identity request-method { identity req-method {
description description
"A set of request types in HTTP (if applicable)."; "A set of request types in HTTP (if applicable).";
} }
identity put { identity put {
base request-method; base req-method;
description description
"The detected request type is PUT."; "The detected request type is PUT.";
reference reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content - Request Method PUT"; and Content - Request Method PUT";
} }
identity post { identity post {
base request-method; base req-method;
description description
"The detected request type is POST."; "The detected request type is POST.";
reference reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content - Request Method POST"; and Content - Request Method POST";
} }
identity get { identity get {
base request-method; base req-method;
description description
"The detected request type is GET."; "The detected request type is GET.";
reference reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content - Request Method GET"; and Content - Request Method GET";
} }
identity head { identity head {
base request-method; base req-method;
description description
"The detected request type is HEAD."; "The detected request type is HEAD.";
reference reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content - Request Method HEAD"; and Content - Request Method HEAD";
} }
identity delete { identity delete {
base request-method; base req-method;
description description
"The detected request type is DELETE."; "The detected request type is DELETE.";
reference reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content - Request Method DELETE"; and Content - Request Method DELETE";
} }
identity connect { identity connect {
base request-method; base req-method;
description description
"The detected request type is CONNECT."; "The detected request type is CONNECT.";
reference reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content - Request Method CONNECT"; and Content - Request Method CONNECT";
} }
identity options { identity options {
base request-method; base req-method;
description description
"The detected request type is OPTIONS."; "The detected request type is OPTIONS.";
reference reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content - Request Method OPTIONS"; and Content - Request Method OPTIONS";
} }
identity trace { identity trace {
base request-method; base req-method;
description description
"The detected request type is TRACE."; "The detected request type is TRACE.";
reference reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content - Request Method TRACE"; and Content - Request Method TRACE";
} }
identity filter-type { identity filter-type {
description description
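Review bot: the req-method identity set (put, post, get, head, delete, connect, options, trace) covers only the methods defined in RFC 7231; PATCH (RFC 5789) shows up routinely in web-application attack logs and has no identity here, so a WAF seeing a PATCH request would have nothing valid to put in req-method. Either add `identity patch { base req-method; ... }` with a reference to RFC 5789, or state in the req-method description that further methods are expected to be added by augmentation of the base identity.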
skipping to change at page 49, line 46 skipping to change at page 49, line 46
description description
"The identity for pop3."; "The identity for pop3.";
reference reference
"RFC 1939: Post Office Protocol - Version 3 (POP3)"; "RFC 1939: Post Office Protocol - Version 3 (POP3)";
} }
identity imap { identity imap {
base application-protocol; base application-protocol;
description description
"The identity for Internet Message Access Protocol."; "The identity for Internet Message Access Protocol.";
reference reference
"RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1"; "RFC 9051: Internet Message Access Protocol (IMAP) - Version
4rev2";
} }
/* /*
* Grouping * Grouping
*/ */
grouping timestamp { grouping timestamp {
description description
"Grouping for identifying the time of the message."; "Grouping for identifying the time of the message.";
leaf timestamp { leaf timestamp {
skipping to change at page 53, line 21 skipping to change at page 53, line 23
} }
} }
grouping i2nsf-nsf-event-type-content-extend { grouping i2nsf-nsf-event-type-content-extend {
description description
"A set of extended common IPv4 (or IPv6)-related NSF "A set of extended common IPv4 (or IPv6)-related NSF
event content elements"; event content elements";
uses i2nsf-nsf-event-type-content; uses i2nsf-nsf-event-type-content;
leaf src-ip { leaf src-ip {
type inet:ip-address-no-zone; type inet:ip-address-no-zone;
description description
"The source IPv4 (or IPv6) address of the packet"; "The source IPv4 (or IPv6) address of the packet or flow";
} }
leaf src-port { leaf src-port {
type inet:port-number; type inet:port-number;
description description
"The source port of the packet"; "The source port of the packet or flow";
} }
leaf src-location { leaf src-location {
type string { type string {
length "1..100"; length "1..100";
pattern "[0-9a-zA-Z ]*"; pattern "[0-9a-zA-Z ]*";
} }
description description
"The source geographical location (e.g., country and city) "The source geographical location (e.g., country and city)
of the packet."; of the src-ip field.";
} }
leaf dst-location { leaf dst-location {
type string { type string {
length "1..100"; length "1..100";
pattern "[0-9a-zA-Z ]*"; pattern "[0-9a-zA-Z ]*";
} }
description description
"The destination geographical location (e.g., country and "The destination geographical location (e.g., country and
city) of the packet."; city) of the dst-ip field.";
} }
} }
grouping log-action { grouping log-action {
description description
"A grouping for logging action."; "A grouping for logging action.";
leaf-list action { leaf-list action {
type log-action; type log-action;
description description
"Action type: allow, alert, block, discard, declare, "Action type: allow, alert, block, discard, declare,
block-ip, block-service"; block-ip, block-service";
} }
} }
grouping attack-rates { grouping attack-rates {
description description
"A set of traffic rates for monitoring attack traffic "A set of traffic rates for monitoring attack traffic
skipping to change at page 63, line 16 skipping to change at page 63, line 18
"Login IP address of a user"; "Login IP address of a user";
} }
leaf username { leaf username {
type string; type string;
description description
"The login username that maintains the device"; "The login username that maintains the device";
} }
leaf login-role { leaf login-role {
type login-role; type login-role;
description description
"Specifies the user log-in role, i.e., administrator, "The login role to specify the privilege level of the
user, or guest."; user account, e.g., administrator, user, or guest.";
} }
leaf operation-type { leaf operation-type {
type operation-type; type operation-type;
description description
"The operation type that the user executes"; "The operation type that the user executes";
} }
leaf input { leaf input {
type string; type string;
description description
"The operation performed by a user after login. The "The operation performed by a user after login. The
skipping to change at page 64, line 24 skipping to change at page 64, line 24
security service."; security service.";
} }
} }
description description
"The current system's running status"; "The current system's running status";
} }
leaf cpu-usage { leaf cpu-usage {
type uint8; type uint8;
units "percent"; units "percent";
description description
"Specifies the relative percentage of CPU usage with "Specifies the relative percentage of CPU utilization
respect to platform resources"; with respect to platform resources";
} }
leaf memory-usage { leaf memory-usage {
type uint8; type uint8;
units "percent"; units "percent";
description description
"Specifies the percentage of memory usage."; "Specifies the percentage of memory usage.";
} }
list disk { list disk {
key disk-id; key disk-id;
description description
skipping to change at page 71, line 18 skipping to change at page 71, line 19
detected."; detected.";
uses i2nsf-nsf-event-type-content-extend; uses i2nsf-nsf-event-type-content-extend;
leaf attack-type { leaf attack-type {
type identityref { type identityref {
base web-attack-type; base web-attack-type;
} }
description description
"Concrete web attack type, e.g., SQL injection, "Concrete web attack type, e.g., SQL injection,
command injection, XSS, and CSRF."; command injection, XSS, and CSRF.";
} }
leaf request-method { leaf req-method {
type identityref { type identityref {
base request-method; base req-method;
} }
description description
"The HTTP request method, e.g., PUT or GET."; "The HTTP method of the request, e.g., PUT or GET.";
reference reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): "RFC 7231: Hypertext Transfer Protocol (HTTP/1.1):
Semantics and Content - Request Methods"; Semantics and Content - Request Methods";
} }
leaf req-uri { leaf req-target {
type string; type string;
description description
"The Requested URI"; "The HTTP Request Target. This field can be filled in
the format of origin-form, absolute-form,
authority-form, or asterisk-form";
reference
"RFC 7230: Hypertext Transfer Protocol (HTTP/1.1):
Message Syntax and Routing - Request Target";
} }
leaf-list filtering-type { leaf-list filtering-type {
type identityref { type identityref {
base filter-type; base filter-type;
} }
description description
"URL filtering type, e.g., deny-list, allow-list, "URL filtering type, e.g., deny-list, allow-list,
and Unknown"; and Unknown";
} }
leaf req-user-agent { leaf req-user-agent {
type string; type string;
description description
"The request user agent"; "The HTTP User-Agent header field of the request";
reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1):
Semantics and Content - User Agent";
} }
leaf req-cookie { leaf cookies {
type string; type string;
description description
"The HTTP Cookie previously sent by the server with "The HTTP Set-Cookie header field of the response";
reference
"RFC 6265: HTTP State Management Mechanism -
Set-Cookie"; Set-Cookie";
} }
leaf req-host { leaf req-host {
type string; type string;
description description
"The domain name of the requested host"; "The HTTP Host header field of the request";
reference
"RFC 7230: Hypertext Transfer Protocol (HTTP/1.1):
Message Syntax and Routing - Host";
} }
leaf response-code { leaf response-code {
type string; type string;
description description
"The HTTP Response code"; "The HTTP Response status code";
reference reference
"IANA Website: Hypertext Transfer Protocol (HTTP) "IANA Website: Hypertext Transfer Protocol (HTTP)
Status Code Registry"; Status Code Registry";
} }
uses characteristics; uses characteristics;
uses log-action; uses log-action;
uses common-monitoring-data; uses common-monitoring-data;
} }
} }
case i2nsf-nsf-detection-voip-volte{ case i2nsf-nsf-detection-voip-volte{
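Review bot: the `cookies` leaf (renamed from `req-cookie`) now reads "The HTTP Set-Cookie header field of the response", yet it sits among request-side leaves (req-user-agent, req-host) and the -11 text described the cookie the client sends back; say whether the value is the request's Cookie header (RFC 6265 Section 5.4) or the response's Set-Cookie (RFC 6265 Section 4.1) and cite that section, and keep the name consistent with the choice. Whichever it is, the raw value normally carries a session identifier, and req-target, req-user-agent, req-host and cookies are all unbounded `type string` copied from attacker-controlled HTTP input, while src-location/dst-location get `length "1..100"` and a pattern; a length bound plus a sentence that collectors must treat these leaves as untrusted (and redact cookie values before storage) would be consistent with the rest of the grouping. Also, response-code is `type string` although the IANA registry only contains three-digit codes; `type uint16 { range "100..599"; }` would make malformed values unrepresentable.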
skipping to change at page 82, line 35 skipping to change at page 82, line 35
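As an added example (not code from the draft or its YANG module), the following Python checks a constructed i2nsf-nsf-detection-web-attack notification instance against the constraints that are visible in the module above: inet:ip-address-no-zone, inet:port-number, the length and pattern of src-location and dst-location, the identities derived from req-method, the RFC 7230 request-target forms named in the req-target description, and a three-digit status code for response-code. Leaf names follow the -12 text; the flat instance layout, the rule-name and attack-type values, and the cookie-redaction helper are assumptions the draft does not make.

```python
"""Added example, not part of the I2NSF draft or its YANG module: check an
i2nsf-nsf-detection-web-attack notification instance against the constraints
visible in the module, and redact cookie values before the record is stored.
Leaf names follow the -12 revision; the instance layout, the rule-name and
attack-type values and the redaction helper are assumptions."""
import ipaddress
import re
from typing import Dict, List

# Identities derived from "identity req-method" in the module.
REQ_METHODS = {"put", "post", "get", "head", "delete", "connect", "options", "trace"}
# src-location / dst-location: length "1..100"; pattern "[0-9a-zA-Z ]*"
# (a YANG pattern must match the whole string, hence the anchors).
LOCATION_RE = re.compile(r"^[0-9a-zA-Z ]*$")
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
AUTHORITY_RE = re.compile(r"^[^/?#\s:]+:\d{1,5}$")


def classify_request_target(target: str) -> str:
    """Name the RFC 7230 Section 5.3 form of a request-target, or 'invalid'."""
    if target == "*":
        return "asterisk-form"
    if target.startswith("/"):
        return "origin-form"
    if SCHEME_RE.match(target):
        return "absolute-form"
    if AUTHORITY_RE.match(target):          # host:port, as used with CONNECT
        return "authority-form"
    return "invalid"


def _is_ip_no_zone(value: str) -> bool:
    """inet:ip-address-no-zone: a v4/v6 address without a '%zone' suffix."""
    if "%" in value:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_web_attack(n: Dict) -> List[str]:
    """Return the constraint violations found in one notification (empty = valid)."""
    problems: List[str] = []
    if not n.get("rule-name"):                    # no '?' in the tree: mandatory leafref
        problems.append("rule-name: mandatory")
    for leaf in ("src-ip", "dst-ip"):
        if leaf in n and not _is_ip_no_zone(str(n[leaf])):
            problems.append(f"{leaf}: not an inet:ip-address-no-zone")
    for leaf in ("src-port", "dst-port"):
        if leaf in n and not (isinstance(n[leaf], int) and 0 <= n[leaf] <= 65535):
            problems.append(f"{leaf}: outside inet:port-number")
    for leaf in ("src-location", "dst-location"):
        if leaf in n and not (1 <= len(n[leaf]) <= 100 and LOCATION_RE.match(n[leaf])):
            problems.append(f"{leaf}: violates length 1..100 or pattern [0-9a-zA-Z ]*")
    if "req-method" in n:
        local = n["req-method"].rpartition(":")[2]     # identityref may carry "prefix:"
        if local not in REQ_METHODS:
            problems.append(f"req-method: {n['req-method']!r} is not derived from req-method")
    if "req-target" in n and classify_request_target(n["req-target"]) == "invalid":
        problems.append("req-target: not origin-, absolute-, authority- or asterisk-form")
    if "response-code" in n:
        code = str(n["response-code"])
        if not (code.isdigit() and len(code) == 3 and 100 <= int(code) <= 599):
            problems.append("response-code: not a three-digit HTTP status code")
    return problems


def redact_cookies(cookie_header: str) -> str:
    """Keep cookie names, drop values: they usually carry session tokens."""
    pairs = [p.strip() for p in cookie_header.split(";") if p.strip()]
    return "; ".join(p.split("=", 1)[0] + "=<redacted>" for p in pairs)


# Constructed notification instance (not taken from the draft).
SAMPLE = {
    "dst-ip": "192.0.2.10", "dst-port": 443,
    "rule-name": "block-sqli",                 # assumed policy rule name
    "src-ip": "198.51.100.7", "src-port": 51234,
    "src-location": "Seoul KR", "dst-location": "Frankfurt DE",
    "attack-type": "nsfmi:sql-injection",      # assumed identity name
    "req-method": "nsfmi:get",
    "req-target": "/login?user=admin'%20OR%20'1'='1",
    "req-user-agent": "sqlmap/1.5",
    "req-host": "shop.example.com",
    "cookies": "session=9f3c2a1b; theme=dark",
    "response-code": "403",
}

if __name__ == "__main__":
    print(validate_web_attack(SAMPLE))          # []
    print(redact_cookies(SAMPLE["cookies"]))    # session=<redacted>; theme=<redacted>
```

A collector that applies these checks before indexing the record rejects values a misbehaving or spoofed NSF could otherwise inject, and stores only cookie names, so a leaked monitoring database does not hand out live session tokens.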
13. Security Considerations 13. Security Considerations
YANG module described in this document defines a schema for data that YANG module described in this document defines a schema for data that
is designed to be accessed via network management protocols such as is designed to be accessed via network management protocols such as
NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is
the secure transport layer, and the mandatory-to-implement secure the secure transport layer, and the mandatory-to-implement secure
transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer
is HTTPS, and the mandatory-to-implement secure transport is TLS is HTTPS, and the mandatory-to-implement secure transport is TLS
[RFC8446]. [RFC8446].
The NETCONF access control model [RFC8341] provides the means to The Network Configuration Access Control Model (NACM) [RFC8341]
restrict access for particular NETCONF or RESTCONF users to a provides the means to restrict access for particular NETCONF or
preconfigured subset of all available NETCONF or RESTCONF protocol RESTCONF users to a preconfigured subset of all available NETCONF or
operations and content. RESTCONF protocol operations and content.
All data nodes defined in the YANG module which can be created, All data nodes defined in the YANG module which can be created,
modified and deleted (i.e., config true, which is the default) are modified and deleted (i.e., config true, which is the default) are
considered sensitive as they all could potentially impact security considered sensitive as they all could potentially impact security
monitoring and mitigation activities. Write operations (e.g., edit- monitoring and mitigation activities. Write operations (e.g., edit-
config) applied to these data nodes without proper protection could config) applied to these data nodes without proper protection could
result in missed alarms or incorrect alarms information being result in missed alarms or incorrect alarms information being
returned to the NSF data collector. There are threats that need to returned to the NSF data collector. There are threats that need to
be considered and mitigated: be considered and mitigated:
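Review bot: the paragraph on writable nodes is generic; the writable nodes in this module are the `enabled` and `dampening-period` leaves under i2nsf-monitoring-configuration, and the concrete risk is that a write of enabled=false, or a very large dampening-period, silently switches off or delays a whole detection class (e.g. i2nsf-nsf-detection-intrusion), which is more than "incorrect alarms information". Naming those nodes and that effect here, as other YANG security-considerations sections do, would let an operator write the matching NACM deny rule.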
skipping to change at page 83, line 38 skipping to change at page 83, line 38
(collector-to-NSF), mutual authentication should be used to (collector-to-NSF), mutual authentication should be used to
mitigate the threat. mitigate the threat.
In addition, to defend against the DDoS attack caused by a lot of In addition, to defend against the DDoS attack caused by a lot of
NSFs sending massive notifications to the NSF data collector, the NSFs sending massive notifications to the NSF data collector, the
rate limiting or similar mechanisms should be considered in both an rate limiting or similar mechanisms should be considered in both an
NSF and NSF data collector, whether in advance or just in the process NSF and NSF data collector, whether in advance or just in the process
of DDoS attack. of DDoS attack.
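As an added example (not code from the draft), the following Python shows the two rate-limiting points that the paragraph above and the `enabled`/`dampening-period` configuration leaves imply: on the NSF, a damper that emits at most one notification per key within the configured period and counts what it suppressed; on the NSF data collector, a per-NSF token bucket so that many NSFs bursting at once cannot starve each other. The time unit of dampening-period (seconds), the dampening key (rule-name plus source address) and the limiter parameters are assumptions; the draft does not fix them.

```python
"""Added example, not part of the I2NSF draft: NSF-side dampening and
collector-side rate limiting of monitoring notifications.
Assumptions: dampening-period is in seconds; events are dampened per
(container, key); limiter parameters are illustrative."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class DampeningConfig:
    """Mirrors one container under i2nsf-monitoring-configuration:
    'enabled? boolean' and 'dampening-period? uint32'."""
    enabled: bool = True
    dampening_period: int = 0   # assumed unit: seconds; 0 means no dampening


class Damper:
    """NSF side: emit the first event for a key, then suppress repeats of the
    same key until dampening_period has elapsed since the last emission."""

    def __init__(self, config: Dict[str, DampeningConfig]):
        self.config = config
        self.last_emitted: Dict[Tuple[str, str], float] = {}
        self.suppressed: Dict[Tuple[str, str], int] = defaultdict(int)

    def offer(self, container: str, key: str, ts: float) -> bool:
        cfg = self.config.get(container)
        if cfg is None or not cfg.enabled:
            return False                      # this notification class is switched off
        slot = (container, key)
        last = self.last_emitted.get(slot)
        if last is not None and ts - last < cfg.dampening_period:
            self.suppressed[slot] += 1        # fold the count into the next emission
            return False
        self.last_emitted[slot] = ts
        return True


class TokenBucket:
    """Collector side: at most `burst` notifications at once per NSF, then
    `rate` per second; one flooding NSF cannot consume another NSF's budget."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.state: Dict[str, Tuple[float, float]] = {}   # nsf-name -> (tokens, last ts)

    def allow(self, nsf_name: str, ts: float) -> bool:
        tokens, last = self.state.get(nsf_name, (float(self.burst), ts))
        tokens = min(float(self.burst), tokens + (ts - last) * self.rate)
        ok = tokens >= 1.0
        self.state[nsf_name] = (tokens - 1.0 if ok else tokens, ts)
        return ok


def simulate() -> Dict[str, int]:
    """Constructed scenario: 100 web-attack hits from one source within one
    second against a 10 s dampening period, then a 50-message burst at the collector."""
    cfg = {
        "i2nsf-nsf-detection-web-attack": DampeningConfig(enabled=True, dampening_period=10),
        "i2nsf-nsf-detection-ddos": DampeningConfig(enabled=False),
    }
    damper = Damper(cfg)
    key = "block-sqli|198.51.100.7"            # assumed: rule-name + src-ip
    sent = sum(damper.offer("i2nsf-nsf-detection-web-attack", key, 1000.0 + i * 0.01)
               for i in range(100))
    after_period = damper.offer("i2nsf-nsf-detection-web-attack", key, 1011.0)
    disabled = damper.offer("i2nsf-nsf-detection-ddos", "any", 1000.0)

    bucket = TokenBucket(rate=10.0, burst=20)
    burst_ok = sum(bucket.allow("nsf-a", 2000.0) for _ in range(50))
    refill_ok = sum(bucket.allow("nsf-a", 2001.0) for _ in range(50))
    other_ok = bucket.allow("nsf-b", 2001.0)   # unaffected by nsf-a's flood

    return {
        "nsf_sent": sent,                                                              # 1
        "nsf_suppressed": damper.suppressed[("i2nsf-nsf-detection-web-attack", key)],  # 99
        "nsf_sent_after_period": int(after_period),                                    # 1
        "nsf_disabled_class_sent": int(disabled),                                      # 0
        "collector_burst_accepted": burst_ok,                                          # 20
        "collector_refill_accepted": refill_ok,                                        # 10
        "collector_other_nsf_accepted": int(other_ok),                                 # 1
    }


if __name__ == "__main__":
    print(simulate())
```

The damper keys on what the operator considers "the same event"; keying only on the container would let one noisy rule hide unrelated detections, while keying on the full record would dampen nothing. The collector bucket is per NSF precisely so that the mitigation itself cannot be turned into a denial of service against the well-behaved NSFs.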
All of the readable data nodes in this YANG module may be considered All of the readable data nodes in this YANG module may be considered
vulnerable in some network environments. Some data also may contain sensitive in some network environments. These data nodes represent
private information that is highly sensitive to the user, such as the information consistent with the logging commonly performed in network
IP address of a user in the container "i2nsf-system-user-activity- and security operations. They may reveal the specific configuration
log" and the container "i2nsf-system-detection-event". It is of a network; vulnerabilities in specific systems; and the deployed
important to control read access (e.g., via get, get-config, or security controls and their relative efficacy in detecting or
notification) to the data nodes. If access control is not properly mitigating an attack. To an attacker, this information could inform
configured, it can expose system internals to those who should not how to (further) compromise the network, evade detection, or confirm
have access to this information. whether they have been observed by the network operator.
Additionally, many of the data nodes in this YANG module such as
containers "i2nsf-system-user-activity-log", "i2nsf-system-detection-
event", and "i2nsf-nsf-detection-voip-volte" are privacy sensitive.
They may describe specific or aggregate user activity to include
associating user names with specific IP addresses; or users with
specific network usage.
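Review bot: the rewritten readable-data paragraph drops the -11 recommendation to control read access (get, get-config, notification) via NACM, leaving a description of the exposure with no mitigation; keep one sentence recommending that read access to these nodes be restricted. The privacy paragraph lists i2nsf-system-user-activity-log, i2nsf-system-detection-event and i2nsf-nsf-detection-voip-volte but not i2nsf-nsf-detection-web-attack, whose `cookies`, `req-target` and `req-user-agent` leaves carry session identifiers and user-supplied URLs; add it to the list and consider advising that cookie values be redacted before they leave the NSF.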
14. Acknowledgments 14. Acknowledgments
This work was supported by Institute of Information & Communications This work was supported by Institute of Information & Communications
Technology Planning & Evaluation (IITP) grant funded by the Korea Technology Planning & Evaluation (IITP) grant funded by the Korea
MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based
Security Intelligence Technology Development for the Customized Security Intelligence Technology Development for the Customized
Security Service Provisioning). This work was supported in part by Security Service Provisioning). This work was supported in part by
the IITP (2020-0-00395, Standard Development of Blockchain based the IITP (2020-0-00395, Standard Development of Blockchain based
Network Management Automation Technology). This work was supported Network Management Automation Technology). This work was supported
skipping to change at page 85, line 38 skipping to change at page 85, line 42
[RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3", [RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3",
STD 53, RFC 1939, DOI 10.17487/RFC1939, May 1996, STD 53, RFC 1939, DOI 10.17487/RFC1939, May 1996,
<https://www.rfc-editor.org/info/rfc1939>. <https://www.rfc-editor.org/info/rfc1939>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
4rev1", RFC 3501, DOI 10.17487/RFC3501, March 2003,
<https://www.rfc-editor.org/info/rfc3501>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-11

The following changes are made from draft-ietf-i2nsf-nsf-monitoring-data-model-11:

* This version is revised following Roman Danyliw's Comments.

(The -11 version of this appendix listed the changes from draft-ietf-i2nsf-nsf-monitoring-data-model-09: a revision following Tom Petch's, Martin Bjorklund's, and Roman Danyliw's comments, and a revision to synchronize with the other I2NSF documents.)
Authors' Addresses

Jaehoon (Paul) Jeong (editor)
Department of Computer Science and Engineering
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon
Gyeonggi-Do
16419
Republic of Korea
Phone: +82 31 299 4957
End of changes. 90 change blocks. 132 lines changed or deleted, 147 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/