draft-ietf-i2nsf-nsf-monitoring-data-model-00.txt   draft-ietf-i2nsf-nsf-monitoring-data-model-01.txt 
I2NSF Working Group                                            J. Jeong
Internet-Draft                                                 C. Chung
Intended status: Standards Track                Sungkyunkwan University
Expires: January 25, 2020                                      S. Hares
                                                                 L. Xia
                                                                 Huawei
                                                            H. Birkholz
                                                         Fraunhofer SIT
                                                          July 24, 2019

                  I2NSF NSF Monitoring YANG Data Model
              draft-ietf-i2nsf-nsf-monitoring-data-model-01
Abstract

This document describes an information model and the corresponding
YANG data model for monitoring Network Security Functions (NSFs) in
the Interface to Network Security Functions (I2NSF) framework.  If
the monitoring of NSFs is performed in a comprehensive way, it is
possible to detect malicious activity, anomalous behavior, and the
potential sign of denial of service attacks in a timely manner.  This
monitoring functionality is based on the monitoring information that
is generated by NSFs.  Thus, this document describes not only an
information model for monitoring NSFs along with a YANG data diagram,
but also the corresponding YANG data model for monitoring NSFs.
Editorial Note (To be removed by RFC Editor)
Please update these statements within the document with the RFC
number to be assigned to this document:
"This version of this YANG module is part of RFC 6087;"
"RFC XXXX: I2NSF NSF Monitoring YANG Data Model"
"reference: RFC 6087"
Please update the "revision" date of the YANG module.
Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF).  Note that other groups may also distribute
working documents as Internet-Drafts.  The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on January 25, 2020.

Copyright Notice

Copyright (c) 2019 IETF Trust and the persons identified as the
document authors.  All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document.  Please review these documents
   2.2.  Definitions . . . . . . . . . . . . . . . . . . . . . . .   4
   2.3.  YANG  . . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Use Cases for NSF Monitoring Data . . . . . . . . . . . . .   4
   4.  Classification of NSF Monitoring Data . . . . . . . . . . .   5
   4.1.  Retention and Emission  . . . . . . . . . . . . . . . . .   6
   4.2.  Notifications and Events  . . . . . . . . . . . . . . . .   7
   4.3.  Unsolicited Poll and Solicited Push . . . . . . . . . . .   8
   4.4.  I2NSF Monitoring Terminology for Retained Information . .   8
   5.  Conveyance of NSF Monitoring Information  . . . . . . . . .   9
   5.1.  Information Types and Acquisition Methods . . . . . . . .  10
   6.  Basic Information Model for All Monitoring Data . . . . . .  10
   7.  Extended Information Model for Monitoring Data  . . . . . .  11
   7.1.  System Alarm  . . . . . . . . . . . . . . . . . . . . . .  11
   7.1.1.  Memory Alarm  . . . . . . . . . . . . . . . . . . . . .  11
   7.1.2.  CPU Alarm . . . . . . . . . . . . . . . . . . . . . . .  12
   7.1.3.  Disk Alarm  . . . . . . . . . . . . . . . . . . . . . .  12
   7.1.4.  Hardware Alarm  . . . . . . . . . . . . . . . . . . . .  12
   7.1.5.  Interface Alarm . . . . . . . . . . . . . . . . . . . .  13
   7.2.  System Events . . . . . . . . . . . . . . . . . . . . . .  13
   7.2.1.  Access Violation  . . . . . . . . . . . . . . . . . . .  13
   7.2.2.  Configuration Change  . . . . . . . . . . . . . . . . .  14
   7.3.  System Log  . . . . . . . . . . . . . . . . . . . . . . .  14
   7.3.1.  Access Logs . . . . . . . . . . . . . . . . . . . . . .  14
   7.3.2.  Resource Utilization Logs . . . . . . . . . . . . . . .  15
   7.3.3.  User Activity Logs  . . . . . . . . . . . . . . . . . .  15
   7.4.  System Counters . . . . . . . . . . . . . . . . . . . . .  16
   7.4.1.  Interface counters  . . . . . . . . . . . . . . . . . .  16
   7.5.  NSF Events  . . . . . . . . . . . . . . . . . . . . . . .  17
   7.5.1.  DDoS Event  . . . . . . . . . . . . . . . . . . . . . .  17
   7.5.2.  Session Table Event . . . . . . . . . . . . . . . . . .  18
   7.5.3.  Virus Event . . . . . . . . . . . . . . . . . . . . . .  18
   7.5.4.  Intrusion Event . . . . . . . . . . . . . . . . . . . .  19
   7.5.5.  Botnet Event  . . . . . . . . . . . . . . . . . . . . .  20
   7.5.6.  Web Attack Event  . . . . . . . . . . . . . . . . . . .  21
   7.6.  NSF Logs  . . . . . . . . . . . . . . . . . . . . . . . .  21
   7.6.1.  DDoS Logs . . . . . . . . . . . . . . . . . . . . . . .  22
   7.6.2.  Virus Logs  . . . . . . . . . . . . . . . . . . . . . .  22
   7.6.3.  Intrusion Logs  . . . . . . . . . . . . . . . . . . . .  23
   7.6.4.  Botnet Logs . . . . . . . . . . . . . . . . . . . . . .  23
   7.6.5.  DPI Logs  . . . . . . . . . . . . . . . . . . . . . . .  23
   7.6.6.  Vulnerability Scanning Logs . . . . . . . . . . . . . .  24
   7.6.7.  Web Attack Logs . . . . . . . . . . . . . . . . . . . .  25
   7.7.  NSF Counters  . . . . . . . . . . . . . . . . . . . . . .  25
   7.7.1.  Firewall counters . . . . . . . . . . . . . . . . . . .  25
   7.7.2.  Policy Hit Counters . . . . . . . . . . . . . . . . . .  26
   8.  NSF Monitoring Management in I2NSF  . . . . . . . . . . . .  27
   9.  Tree Structure  . . . . . . . . . . . . . . . . . . . . . .  28
   10. YANG Data Model . . . . . . . . . . . . . . . . . . . . . .  36
   11. IANA Considerations . . . . . . . . . . . . . . . . . . . .  71
   12. Security Considerations . . . . . . . . . . . . . . . . . .  72
   13. References  . . . . . . . . . . . . . . . . . . . . . . . .  72
   13.1.  Normative References . . . . . . . . . . . . . . . . . .  72
   13.2.  Informative References . . . . . . . . . . . . . . . . .  74
   Appendix A.  Changes from draft-ietf-i2nsf-nsf-monitoring-data-
                model-00  . . . . . . . . . . . . . . . . . . . .  76
   Appendix B.  Acknowledgments  . . . . . . . . . . . . . . . . .  76
   Appendix C.  Contributors . . . . . . . . . . . . . . . . . . .  76
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . .  77
1. Introduction

According to [I-D.ietf-i2nsf-terminology], the interface provided by
Network Security Functions (NSFs) (e.g., Firewall, IPS, Anti-DDoS, or
Anti-Virus function) to administrative entities (e.g., Security
Controller) to enable remote management (i.e., configuring and
monitoring) is referred to as an I2NSF NSF-Facing Interface
[I-D.ietf-i2nsf-nsf-facing-interface-dm].  Monitoring procedures
intend to acquire vital types of data with respect to NSFs (e.g.,
alarms, records, and counters) via data in motion (e.g., queries,
notifications, and events).  The monitoring of NSFs plays an important
role in an overall security framework if it is done in a timely and
comprehensive way.  The monitoring information generated by an NSF
can be a good, early indication of anomalous behavior or malicious
activity, such as denial of service (DoS) attacks.

This document defines a comprehensive NSF monitoring information

security policy provisioning functionality of the NSF-Facing
Interface specified in [I-D.ietf-i2nsf-capability].

This document also defines a YANG [RFC7950] data model for monitoring
NSFs, which is derived from the information model for NSF monitoring.
2. Terminology

2.1. Requirements Notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119] [RFC8174].

2.2. Definitions

The terms used in this document are defined in the I2NSF terminology
document [I-D.ietf-i2nsf-terminology] and in [RFC8329].

2.3. YANG

This document follows the guidelines of [RFC6087], uses the common
YANG types defined in [RFC6991], and adopts the Network Management
Datastore Architecture (NMDA) [RFC8342].  The meaning of the symbols
in tree diagrams is defined in [RFC8340].
3. Use Cases for NSF Monitoring Data

As mentioned earlier, monitoring plays a critical role in an overall
security framework.  The monitoring of the NSF provides very valuable
information to the security controller in maintaining the provisioned
security posture.  Besides this, there are various other reasons to
monitor the NSF as listed below:

o The security administrator with I2NSF User can configure a policy
7.1.4. Hardware Alarm

The following information should be included in a Hardware Alarm:

o event_name: HW_FAILURE_ALARM

o component_name: It indicates the HW component responsible for
  generating this alarm.

o threshold: The threshold triggering the alarm

o severity: The severity of the alarm such as critical, high,
  medium, low

o message: The HW component has failed or degraded.

7.1.5. Interface Alarm

The following information should be included in an Interface Alarm:

o event_name: IFNET_STATE_ALARM

o interface_Name: The name of interface

o interface_state: UP, DOWN, CONGESTED

o threshold: The threshold triggering the event

o severity: The severity of the alarm such as critical, high,
o CPU_usage: Specifies the CPU usage.

o memory_usage: Specifies the memory usage.

o disk_usage: Specifies the disk usage.

o disk_left: Specifies the available disk space left.

o session_number: Specifies total concurrent sessions.

o process_number: Specifies total number of system processes.

o in_traffic_rate: The total inbound traffic rate in pps

o out_traffic_rate: The total outbound traffic rate in pps

o in_traffic_speed: The total inbound traffic speed in bps

o out_traffic_speed: The total outbound traffic speed in bps

7.3.3. User Activity Logs
The following information should be included in a DDoS Event:

o event_name: SEC_EVENT_DDoS

o sub_attack_type: Any one of SYN flood, ACK flood, SYN-ACK flood,
  FIN/RST flood, TCP Connection flood, UDP flood, ICMP flood, HTTPS
  flood, HTTP flood, DNS query flood, DNS reply flood, SIP flood,
  etc.

o dst_ip: The IP address of a victim under attack

o dst_port: The port number that the attack traffic aims at.

o start_time: The time stamp indicating when the attack started

o end_time: The time stamp indicating when the attack ended.  If the
  attack is still ongoing when the alarm is sent out, this field
  can be empty.

o attack_rate: The PPS of attack traffic

o attack_speed: The bps of attack traffic

o rule_id: The ID of the rule being triggered

o rule_name: The name of the rule being triggered

o profile: Security profile that traffic matches.

7.5.2. Session Table Event

The following information should be included in a Session Table
Event:

o event_name: SESSION_USAGE_HIGH
  event.

o rule_id: The ID of the rule being triggered

o rule_name: The name of the rule being triggered

o profile: Security profile that traffic matches.

7.5.4. Intrusion Event

The following information should be included in an Intrusion Event:

o event_name: The name of event, e.g., SEC_EVENT_Intrusion

o sub_attack_type: Attack type, e.g., brute force and buffer
  overflow

o src_ip: The source IP address of the packet

o dst_ip: The destination IP address of the packet
o raw_info: The information describing the packet triggering the
  event.

7.5.6. Web Attack Event

The following information should be included in a Web Attack Alarm:

o event_name: The name of event, e.g., SEC_EVENT_WebAttack

o sub_attack_type: Concrete web attack type, e.g., SQL injection,
  command injection, XSS, CSRF

o src_ip: The source IP address of the packet

o dst_ip: The destination IP address of the packet

o src_port: The source port number of the packet

o dst_port: The destination port number of the packet
o app: Application type of traffic

o policy_id: Security policy id that traffic matches

o policy_name: Security policy name that traffic matches

o action: Action defined in the file blocking rule, data filtering
  rule, or application behavior control rule that traffic matches.

7.6.6. Vulnerability Scanning Logs

Vulnerability scanning logs record the victim host and its related
vulnerability information that should be fixed.  The following
information should be included in the report:

o victim_ip: IP address of the victim host which has vulnerabilities

o vulnerability_id: The vulnerability id

o vulnerability_level: The vulnerability level, e.g., high, middle,
  and low

o OS: The operating system of the victim host

o service: The service which has the vulnerability in the victim host

o protocol: The protocol type, e.g., TCP and UDP

o port: The port number

o vulnerability_info: The information about the vulnerability

o fix_suggestion: The fix suggestion for the vulnerability.

7.6.7. Web Attack Logs

Besides the fields in a Web Attack Alarm, the following information
should be included in a Web Attack Report:

o attack_type: Web Attack

o rsp_code: Response code

o req_clientapp: The client application

o req_cookies: Cookies
to check the monitoring data generated by an NSF.  The administrator
can check the monitoring data through the following process.  When
NSF monitoring data in the standard format is generated, the NSF
forwards it to the Security Controller.  The Security Controller
delivers it to the I2NSF Consumer or the Developer's Management
System (DMS) so that the administrator can know the state of the
I2NSF framework.

In order to communicate with other components, an I2NSF framework
[RFC8329] requires interfaces.  The three main interfaces in the
I2NSF framework are used for sending monitoring data as follows:

o I2NSF Consumer-Facing Interface
  [I-D.ietf-i2nsf-consumer-facing-interface-dm]: When an I2NSF User
  makes a security policy and forwards it to the Security Controller
  via the Consumer-Facing Interface, it can specify the threat-feed
  for threat prevention, the custom list, the malicious code scan
  group, and the event map group.  They can be used as an event to be
  monitored by an NSF.

o I2NSF Registration Interface
            +--rw message?               string
            +--rw time-stamp?            yang:date-and-time
            +--rw vendor-name?           string
            +--rw nsf-name?              string
            +--rw module-name?           string
            +--rw severity?              severity
            +--rw hit-times?             uint32

     notifications:
       +---n system-detection-alarm
       |  +--ro alarm-category?          identityref
       |  +--ro acquisition-method?      identityref
       |  +--ro emission-type?           identityref
       |  +--ro dampening-type?          identityref
       |  +--ro usage?                   uint8
       |  +--ro threshold?               uint8
       |  +--ro message?                 string
       |  +--ro time-stamp?              yang:date-and-time
       |  +--ro vendor-name?             string
       |  +--ro nsf-name?                string
       |  +--ro module-name?             string
       |  +--ro severity?                severity
       +---n system-detection-event
       |  +--ro event-category?          identityref
       |  +--ro acquisition-method?      identityref
       |  +--ro emission-type?           identityref
       |  +--ro dampening-type?          identityref
       |  +--ro user                     string
       |  +--ro group                    string
       |  +--ro login-ip-addr            inet:ipv4-address
       |  +--ro authentication?          identityref
       |  +--ro message?                 string
       |  +--ro time-stamp?              yang:date-and-time
       |  +--ro vendor-name?             string
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro user string | +--ro user string
| +--ro group string | +--ro group string
| +--ro login-ip-addr inet:ipv4-address | +--ro login-ip-addr inet:ipv4-address
| +--ro authentication? identityref | +--ro authentication? identityref
| +--ro access? identityref | +--ro access? identityref
| +--ro online-duration? string | +--ro online-duration? string
| +--ro logout-duration? string | +--ro logout-duration? string
| +--ro addtional-info? string | +--ro additional-info? string
+---n nsf-log-ddos +---n nsf-log-ddos
| +--ro attack-type? identityref | +--ro attack-type? identityref
| +--ro attack-ave-rate? uint32 | +--ro attack-ave-rate? uint32
| +--ro attack-ave-speed? uint32 | +--ro attack-ave-speed? uint32
| +--ro attack-pkt-num? uint32 | +--ro attack-pkt-num? uint32
| +--ro attack-src-ip? inet:ipv4-address | +--ro attack-src-ip? inet:ipv4-address
| +--ro action? log-action | +--ro action? log-action
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
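Review bot: the rename of `addtional-info` to `additional-info` is a node rename, which the RFC 7950 Section 11 update rules do not allow for a published module; it is fine while the document is still a draft, but the same rename must be applied to the leaf in the module body (not shown in this excerpt) so the tree diagram and the module do not diverge. Two further points in this hunk: `attack-src-ip` is `inet:ipv4-address`, which has the same IPv6 gap as `login-ip-addr`, and `online-duration` / `logout-duration` are free-form `string`, so a consumer cannot validate or compare them; a numeric type with `units "seconds"` (or `yang:date-and-time` for the logout instant) would make them usable in detection logic.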
skipping to change at page 36, line 47 skipping to change at page 36, line 39
+--ro vendor-name? string +--ro vendor-name? string
+--ro nsf-name? string +--ro nsf-name? string
+--ro module-name? string +--ro module-name? string
+--ro severity? severity +--ro severity? severity
Figure 1: Information Model for NSF Monitoring Figure 1: Information Model for NSF Monitoring
10. YANG Data Model 10. YANG Data Model
This section introduces a YANG data model for the information model This section introduces a YANG data model for the information model
of the NSF monitoring inforamtion model. of the NSF monitoring information model.
<CODE BEGINS> file "ietf-i2nsf-monitor@2019-03-11.yang"
module ietf-i2nsf-monitor {
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitor";
prefix
iim;
import ietf-inet-types{
prefix inet;
reference
"Section 4 of RFC 6991";
}
import ietf-yang-types {
prefix yang;
reference
"Section 3 of RFC 6991";
}
organization
"IETF I2NSF (Interface to Network Security Functions)
Working Group";
contact
"WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org>
WG Chair: Linda Dunbar
<mailto:Linda.duhbar@huawei.com>
Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu>
Editor: Chaehong Chung
<mailto:darkhong@skku.edu>";
description <CODE BEGINS> file "ietf-i2nsf-monitor@2019-07-23.yang"
"This module is a YANG module for monitoring NSFs. module ietf-i2nsf-monitor {
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitor";
prefix
iim;
import ietf-inet-types{
prefix inet;
reference
"Section 4 of RFC 6991";
Copyright (c) 2018 IETF Trust and the persons identified as }
authors of the code. All rights reserved. import ietf-yang-types {
prefix yang;
reference
"Section 3 of RFC 6991";
}
organization
"IETF I2NSF (Interface to Network Security Functions)
Working Group";
contact
"WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org>
Redistribution and use in source and binary forms, with or WG Chair: Linda Dunbar
without modification, is permitted pursuant to, and subject <mailto:Linda.duhbar@huawei.com>
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 6087; see Editor: Jaehoon Paul Jeong
the RFC itself for full legal notices."; <mailto:pauljeong@skku.edu>
revision "2019-03-11" { Editor: Chaehong Chung
description "First revision"; <mailto:darkhong@skku.edu>";
reference
"RFC XXXX: I2NSF NSF Monitoring YANG Data Model";
}
typedef severity { description
type enumeration { "This module is a YANG module for monitoring NSFs.
enum high {
description
"high-level";
}
enum middle {
description
"middle-level";
}
enum low {
description
"low-level";
}
}
description
"An indicator representing severity";
}
typedef log-action {
type enumeration {
enum allow {
description
"If action is allow";
}
enum alert {
description
"If action is alert";
}
enum block {
description
"If action is block";
}
enum discard {
description
"If action is discard";
}
enum declare {
description
"If action is declare";
}
enum block-ip {
description
"If action is block-ip";
}
enum block-service{
description
"If action is block-service";
}
}
description
"This is used for protocol";
}
typedef dpi-type{
type enumeration {
enum file-blocking{
description
"DPI for blocking file";
}
enum data-filtering{
description
"DPI for filtering data";
}
enum application-behavior-control{
description
"DPI for controlling application behavior";
}
}
description
"This is used for dpi type";
}
typedef operation-type{
type enumeration {
enum login{
description
"Login operation";
}
enum logout{
description
"Logout operation";
}
enum configuration{
description
"Configuration operation";
}
}
description
"An indicator representing operation-type";
}
typedef login-mode{
type enumeration {
enum root{
description
"Root login-mode";
}
enum user{
description
"User login-mode";
}
enum guest{
description
"Guest login-mode";
}
}
description
"An indicater representing login-mode";
}
identity characteristics { Copyright (c) 2018 IETF Trust and the persons identified as
description authors of the code. All rights reserved.
"Base identity for monitoring information
characteristics";
}
identity acquisition-method {
base characteristics;
description
"The type of acquisition-method. Can be multiple
types at once.";
}
identity subscription {
base acquisition-method;
description
"The acquisition-method type is subscription";
}
identity query {
base acquisition-method;
description
"The acquisition-method type is query";
}
identity emission-type {
base characteristics;
description
"The type of emission-type.";
}
identity periodical {
base emission-type;
description
"The emission-type type is periodical.";
}
identity on-change {
base emission-type;
description
"The emission-type type is on-change.";
}
identity dampening-type {
base characteristics;
description
"The type of dampening-type.";
}
identity no-dampening {
base dampening-type;
description
"The dampening-type is no-dampening.";
}
identity on-repetition {
base dampening-type;
description
"The dampening-type is on-repetition.";
}
identity none {
base dampening-type;
description
"The dampening-type is none.";
}
identity authentication-mode { Redistribution and use in source and binary forms, with or
description without modification, is permitted pursuant to, and subject
"User authentication mode types: to the license terms contained in, the Simplified BSD License
e.g., Local Authentication, set forth in Section 4.c of the IETF Trust's Legal Provisions
Third-Party Server Authentication, Relating to IETF Documents
Authentication Exemption, or Single Sign-On (SSO) (http://trustee.ietf.org/license-info).
Authentication.";
}
identity local-authentication {
base authentication-mode;
description
"Authentication-mode : local authentication.";
}
identity third-party-server-authentication {
base authentication-mode;
description
"If authentication-mode is
third-part-server-authentication";
}
identity exemption-authentication {
base authentication-mode;
description
"If authentication-mode is
exemption-authentication";
} This version of this YANG module is part of RFC 6087; see
identity sso-authentication { the RFC itself for full legal notices.";
base authentication-mode;
description
"If authentication-mode is
sso-authentication";
}
identity alarm-type { revision "2019-07-23" {
description description "First revision";
"Base identity for detectable alarm types"; reference
} "RFC XXXX: I2NSF NSF Monitoring YANG Data Model";
identity MEM-USAGE-ALARM { }
base alarm-type;
description
"A memory alarm is alerted";
}
identity CPU-USAGE-ALARM {
base alarm-type;
description
"A cpu alarm is alerted";
}
identity DISK-USAGE-ALARM {
base alarm-type;
description
"A disk alarm is alerted";
}
identity HW-FAILURE-ALARM {
base alarm-type;
description
"A hardware alarm is alerted";
}
identity IFNET-STATE-ALARM {
base alarm-type;
description
"An interface alarm is alerted";
}
identity event-type {
description
"Base identity for detectable event types";
}
identity ACCESS-DENIED {
base event-type;
description
"The system event is access-denied.";
}
identity CONFIG-CHANGE {
base event-type;
description
"The system event is config-change.";
}
identity flood-type { typedef severity {
description type enumeration {
"Base identity for detectable flood types"; enum high {
} description
identity syn-flood { "high-level";
base flood-type; }
description enum middle {
"A SYN flood is detected"; description
} "middle-level";
identity ack-flood { }
base flood-type; enum low {
description description
"An ACK flood is detected"; "low-level";
} }
identity syn-ack-flood { }
base flood-type; description
description "An indicator representing severity";
"An SYN-ACK flood is detected"; }
} typedef log-action {
identity fin-rst-flood { type enumeration {
base flood-type; enum allow {
description description
"A FIN-RST flood is detected"; "If action is allowed";
} }
identity tcp-con-flood { enum alert {
base flood-type; description
description "If action is alert";
"A TCP connection flood is detected"; }
} enum block {
identity udp-flood { description
base flood-type; "If action is block";
description }
"A UDP flood is detected"; enum discard {
} description
identity icmp-flood { "If action is discarded";
base flood-type; }
description enum declare {
"An ICMP flood is detected"; description
} "If action is declared";
identity https-flood { }
base flood-type; enum block-ip {
description description
"A HTTPS flood is detected"; "If action is block-ip";
} }
identity http-flood { enum block-service{
base flood-type; description
description "If action is block-service";
"A HTTP flood is detected"; }
} }
identity dns-reply-flood { description
base flood-type; "This is used for protocol";
description }
"A DNS reply flood is detected"; typedef dpi-type{
} type enumeration {
identity dns-query-flood { enum file-blocking{
base flood-type; description
description "DPI for blocking file";
"A DNS query flood is detected"; }
} enum data-filtering{
identity sip-flood { description
base flood-type; "DPI for filtering data";
description }
"A SIP flood is detected"; enum application-behavior-control{
} description
"DPI for controlling application behavior";
}
}
description
"This is used for dpi type";
}
typedef operation-type{
type enumeration {
enum login{
description
"Login operation";
}
enum logout{
description
"Logout operation";
}
enum configuration{
description
"Configuration operation";
}
}
description
"An indicator representing operation-type";
}
typedef login-mode{
type enumeration {
enum root{
description
"Root login-mode";
}
enum user{
description
"User login-mode";
}
enum guest{
description
"Guest login-mode";
}
}
description
"An indicator representing login-mode";
}
identity nsf-event-name { identity characteristics {
description description
"Base identity for detectable nsf event types"; "Base identity for monitoring information
} characteristics";
identity SEC-EVENT-DDOS { }
base nsf-event-name; identity acquisition-method {
description base characteristics;
"The nsf event is sec-event-ddos."; description
} "The type of acquisition-method. Can be multiple
identity SESSION-USAGE-HIGH { types at once.";
base nsf-event-name; }
description identity subscription {
"The nsf event is session-usage-high"; base acquisition-method;
} description
identity SEC-EVENT-VIRUS { "The acquisition-method type is subscription";
base nsf-event-name; }
description identity query {
"The nsf event is sec-event-virus"; base acquisition-method;
} description
identity SEC-EVENT-INTRUSION { "The acquisition-method type is query";
base nsf-event-name; }
description identity emission-type {
"The nsf event is sec-event-intrusion"; base characteristics;
} description
identity SEC-EVENT-BOTNET { "The type of emission-type.";
base nsf-event-name; }
description identity periodical {
"The nsf event is sec-event-botnet"; base emission-type;
} description
identity SEC-EVENT-WEBATTACK { "The emission-type type is periodical.";
base nsf-event-name; }
description identity on-change {
"The nsf event is sec-event-webattack"; base emission-type;
} description
identity attack-type { "The emission-type type is on-change.";
description }
"The root ID of attack based notification identity dampening-type {
in the notification taxonomy"; base characteristics;
} description
identity system-attack-type { "The type of dampening-type.";
base attack-type; }
description identity no-dampening {
"This ID is intended to be used base dampening-type;
in the context of system events"; description
} "The dampening-type is no-dampening.";
identity nsf-attack-type { }
base attack-type; identity on-repetition {
description base dampening-type;
"This ID is intended to be used description
in the context of nsf event"; "The dampening-type is on-repetition.";
} }
identity botnet-attack-type { identity none {
base nsf-attack-type; base dampening-type;
description description
"This is a ID stub limited to indicating "The dampening-type is none.";
that this attack type is botnet. }
The usual semantic and taxonomy is missing
and name is used.";
}
identity virus-type {
base nsf-attack-type;
description
"The type of virus. Can be multiple types at once.
This attack type is associated with a detected
system-log virus-attack";
}
identity trojan {
base virus-type;
description
"The detected virus type is trojan";
}
identity worm {
base virus-type;
description
"The detected virus type is worm";
} identity authentication-mode {
identity macro { description
base virus-type; "User authentication mode types:
description e.g., Local Authentication,
"The detected virus type is macro"; Third-Party Server Authentication,
} Authentication Exemption, or Single Sign-On (SSO)
identity intrusion-attack-type { Authentication.";
base nsf-attack-type; }
description identity local-authentication {
"The attack type is associatied with base authentication-mode;
a detectedsystem-log intrusion"; description
} "Authentication-mode : local authentication.";
identity brute-force { }
base intrusion-attack-type; identity third-party-server-authentication {
description base authentication-mode;
"The intrusion type is brute-force"; description
} "If authentication-mode is
identity buffer-overflow { third-part-server-authentication";
base intrusion-attack-type; }
description identity exemption-authentication {
"The intrusion type is buffer-overflow"; base authentication-mode;
} description
identity web-attack-type { "If authentication-mode is
base nsf-attack-type; exemption-authentication";
description }
"The attack type associated with identity sso-authentication {
a detected system-log web-attack"; base authentication-mode;
} description
identity command-injection { "If authentication-mode is
base web-attack-type; sso-authentication";
description }
"The detected web attack type is command injection"; identity alarm-type {
} description
identity xss { "Base identity for detectable alarm types";
base web-attack-type; }
description identity MEM-USAGE-ALARM {
"The detected web attack type is XSS"; base alarm-type;
} description
identity csrf { "A memory alarm is alerted";
base web-attack-type; }
description identity CPU-USAGE-ALARM {
"The detected web attack type is CSRF"; base alarm-type;
} description
identity ddos-attack-type { "A CPU alarm is alerted";
base nsf-attack-type; }
description identity DISK-USAGE-ALARM {
"The attack type is associated with a detected base alarm-type;
nsf-log event"; description
"A disk alarm is alerted";
}
identity HW-FAILURE-ALARM {
base alarm-type;
description
"A hardware alarm is alerted";
}
identity IFNET-STATE-ALARM {
base alarm-type;
description
"An interface alarm is alerted";
}
identity event-type {
description
"Base identity for detectable event types";
}
identity ACCESS-DENIED {
base event-type;
description
"The system event is access-denied.";
}
identity CONFIG-CHANGE {
base event-type;
description
"The system event is config-change.";
}
} identity flood-type {
description
"Base identity for detectable flood types";
}
identity syn-flood {
base flood-type;
description
"A SYN flood is detected";
}
identity ack-flood {
base flood-type;
description
"An ACK flood is detected";
}
identity syn-ack-flood {
base flood-type;
description
"An SYN-ACK flood is detected";
}
identity fin-rst-flood {
base flood-type;
description
"A FIN-RST flood is detected";
}
identity tcp-con-flood {
base flood-type;
description
"A TCP connection flood is detected";
}
identity udp-flood {
base flood-type;
description
"A UDP flood is detected";
}
identity icmp-flood {
base flood-type;
description
"An ICMP flood is detected";
}
identity https-flood {
base flood-type;
description
"A HTTPS flood is detected";
}
identity http-flood {
base flood-type;
description
"A HTTP flood is detected";
}
identity dns-reply-flood {
base flood-type;
description
"A DNS reply flood is detected";
}
identity dns-query-flood {
base flood-type;
description
"A DNS query flood is detected";
}
identity sip-flood {
base flood-type;
description
"A SIP flood is detected";
}
identity req-method { identity nsf-event-name {
description description
"A set of request types (if applicable). "Base identity for detectable nsf event types";
For instance, PUT or GET in HTTP"; }
} identity SEC-EVENT-DDOS {
identity put-req { base nsf-event-name;
base req-method; description
description "The nsf event is sec-event-ddos.";
"The detected request type is PUT"; }
} identity SESSION-USAGE-HIGH {
identity get-req { base nsf-event-name;
base req-method; description
description "The nsf event is session-usage-high";
"The detected request type is GET"; }
} identity SEC-EVENT-VIRUS {
base nsf-event-name;
description
"The nsf event is sec-event-virus";
}
identity SEC-EVENT-INTRUSION {
base nsf-event-name;
description
"The nsf event is sec-event-intrusion";
}
identity SEC-EVENT-BOTNET {
base nsf-event-name;
description
"The nsf event is sec-event-botnet";
}
identity SEC-EVENT-WEBATTACK {
base nsf-event-name;
description
"The nsf event is sec-event-webattack";
}
identity attack-type {
description
"The root ID of attack-based notification
in the notification taxonomy";
}
identity system-attack-type {
base attack-type;
description
"This ID is intended to be used
in the context of system events";
}
identity nsf-attack-type {
base attack-type;
description
"This ID is intended to be used
in the context of nsf event";
}
identity botnet-attack-type {
base nsf-attack-type;
description
"This is an ID stub limited to indicating
that this attack type is botnet.
The usual semantic and taxonomy is missing
and name is used.";
}
identity virus-type {
base nsf-attack-type;
description
"The type of virus. Can be multiple types at once.
This attack type is associated with a detected
system-log virus-attack";
}
identity trojan {
base virus-type;
description
"The detected virus type is trojan";
}
identity worm {
base virus-type;
description
"The detected virus type is worm";
}
identity macro {
base virus-type;
description
"The detected virus type is macro";
}
identity intrusion-attack-type {
base nsf-attack-type;
description
"The attack type is associated with
a detected system-log intrusion";
}
identity brute-force {
base intrusion-attack-type;
description
"The intrusion type is brute-force";
}
identity buffer-overflow {
base intrusion-attack-type;
description
"The intrusion type is buffer-overflow";
}
identity web-attack-type {
base nsf-attack-type;
description
"The attack type associated with
a detected system-log web-attack";
}
identity command-injection {
base web-attack-type;
description
"The detected web attack type is command injection";
}
identity xss {
base web-attack-type;
description
"The detected web attack type is XSS";
}
identity csrf {
base web-attack-type;
description
"The detected web attack type is CSRF";
}
identity ddos-attack-type {
base nsf-attack-type;
description
"The attack type is associated with a detected
nsf-log event";
}
identity filter-type { identity req-method {
description description
"The type of filter used to detect, for example, "A set of request types (if applicable).
a web-attack. Can be applicable to more than For instance, PUT or GET in HTTP";
web-attacks. Can be more than one type."; }
} identity put-req {
identity whitelist { base req-method;
base filter-type; description
description "The detected request type is PUT";
"The applied filter type is whitelist"; }
} identity get-req {
identity blacklist { base req-method;
base filter-type; description
description "The detected request type is GET";
"The applied filter type is blacklist"; }
}
identity user-defined {
base filter-type;
description
"The applied filter type is user-defined";
}
identity balicious-category {
base filter-type;
description
"The applied filter is balicious category";
}
identity unknown-filter {
base filter-type;
description
"The applied filter is unknown";
} identity filter-type {
description
"The type of filter used to detect, for example,
a web-attack. Can be applicable to more than
web-attacks. Can be more than one type.";
}
identity whitelist {
base filter-type;
description
"The applied filter type is whitelist";
}
identity blacklist {
base filter-type;
description
"The applied filter type is blacklist";
}
identity user-defined {
base filter-type;
description
"The applied filter type is user-defined";
}
identity balicious-category {
base filter-type;
description
"The applied filter is balicious category";
}
identity unknown-filter {
base filter-type;
description
"The applied filter is unknown";
}
identity access-mode { identity access-mode {
description description
"Base identity for detectable access mode."; "Base identity for detectable access mode.";
} }
identity ppp { identity ppp {
base access-mode; base access-mode;
description description
"Access-mode : ppp"; "Access-mode : ppp";
} }
identity svn { identity svn {
base access-mode; base access-mode;
description description
"Access-mode : svn"; "Access-mode : svn";
} }
identity local { identity local {
base access-mode; base access-mode;
description description
"Access-mode : local"; "Access-mode : local";
} }
identity protocol-type { identity protocol-type {
description description
"An identity used to enable type choices in leafs "An identity used to enable type choices in leaves
and leaflists wrt protocol metadata."; and leaflists wrt protocol metadata.";
} }
identity tcp { identity tcp {
base ipv4; base ipv4;
base ipv6; base ipv6;
description description
"TCP protocol type."; "TCP protocol type.";
reference reference
"RFC 793: Transmission Control Protocol"; "RFC 793: Transmission Control Protocol";
} }
identity udp { identity udp {
base ipv4; base ipv4;
base ipv6; base ipv6;
description description
"UDP protocol type."; "UDP protocol type.";
reference
"RFC 768: User Datagram Protocol";
}
identity icmp {
base ipv4;
base ipv6;
description
"General ICMP protocol type.";
reference
"RFC 792: Internet Control Message Protocol";
}
identity icmpv4 {
base ipv4;
description
"ICMPv4 protocol type.";
}
identity icmpv6 {
base ipv6;
description
"ICMPv6 protocol type.";
}
identity ip {
base protocol-type;
description
"General IP protocol type.";
reference
"RFC 791: Internet Protocol
RFC 2460: Internet Protocol, Version 6 (IPv6)";
}
identity ipv4 {
base ip;
description
"IPv4 protocol type.";
reference
"RFC 791: Internet Protocol";
}
identity ipv6 {
base ip;
description
"IPv6 protocol type.";
reference
"RFC 2460: Internet Protocol, Version 6 (IPv6)";
}
identity http {
base tcp;
description
"HTPP protocol type.";
reference
"RFC 2616: Hypertext Transfer Protocol";
}
identity ftp {
base tcp;
description
"FTP protocol type.";
reference reference
"RFC 959: File Transfer Protocol"; "RFC 768: User Datagram Protocol";
}
} identity icmp {
grouping common-monitoring-data { base ipv4;
description base ipv6;
"The data set of common monitoring"; description
leaf message { "General ICMP protocol type.";
type string; reference
description "RFC 792: Internet Control Message Protocol";
"This is a freetext annotation of }
monitoring notification content"; identity icmpv4 {
} base ipv4;
leaf time-stamp { description
type yang:date-and-time; "ICMPv4 protocol type.";
description }
"Indicates the time of message generation"; identity icmpv6 {
} base ipv6;
leaf vendor-name { description
type string; "ICMPv6 protocol type.";
description }
"The name of the NSF vendor"; identity ip {
} base protocol-type;
leaf nsf-name { description
type string; "General IP protocol type.";
description reference
"The name (or IP) of the NSF "RFC 791: Internet Protocol
generating the message"; RFC 2460: Internet Protocol, Version 6 (IPv6)";
} }
leaf module-name { identity ipv4 {
type string; base ip;
description description
"The module name outputting the message"; "IPv4 protocol type.";
} reference
leaf severity { "RFC 791: Internet Protocol";
type severity; }
description identity ipv6 {
"The severity of the alarm such base ip;
asvcritical, high, middle, low."; description
} "IPv6 protocol type.";
} reference
grouping characteristics{ "RFC 2460: Internet Protocol, Version 6 (IPv6)";
description }
"A set of monitoring information characteristics"; identity http {
leaf acquisition-method { base tcp;
type identityref { description
base acquisition-method; "HTPP protocol type.";
} reference
description "RFC 2616: Hypertext Transfer Protocol";
"The acquisition-method for characteristics"; }
} identity ftp {
leaf emission-type { base tcp;
type identityref { description
base emission-type; "FTP protocol type.";
} reference
description "RFC 959: File Transfer Protocol";
"The emission-type for characteristics"; }
} grouping common-monitoring-data {
leaf dampening-type { description
type identityref { "The data set of common monitoring";
base dampening-type; leaf message {
} type string;
description description
"The dampening-type for characteristics"; "This is a freetext annotation of
} monitoring notification content";
} }
grouping i2nsf-system-alarm-type-content { leaf time-stamp {
description type yang:date-and-time;
"A set of system alarm type contents"; description
leaf usage { "Indicates the time of message generation";
type uint8; }
description leaf vendor-name {
"specifies the amount of usage"; type string;
} description
leaf threshold { "The name of the NSF vendor";
type uint8; }
description leaf nsf-name {
"The threshold triggering the alarm or the event"; type string;
} description
} "The name (or IP) of the NSF
grouping i2nsf-system-event-type-content { generating the message";
description }
"System event metadata associated leaf module-name {
with system events caused by user activity."; type string;
leaf user { description
type string; "The module name outputting the message";
mandatory true; }
description leaf severity {
"Name of a user"; type severity;
} description
leaf group { "The severity of the alarm such
type string; as critical, high, middle, low.";
mandatory true; }
description }
"Group to which a user belongs."; grouping characteristics{
} description
leaf login-ip-addr { "A set of monitoring information characteristics";
type inet:ipv4-address; leaf acquisition-method {
mandatory true; type identityref {
description base acquisition-method;
"Login IP address of a user."; }
} description
leaf authentication { "The acquisition-method for characteristics";
type identityref { }
base authentication-mode; leaf emission-type {
} type identityref {
description base emission-type;
"The authentication-mode for authentication"; }
} description
} "The emission-type for characteristics";
grouping i2nsf-nsf-event-type-content-extend { }
description leaf dampening-type {
"A set of common IPv4-related NSF event type identityref {
content elements"; base dampening-type;
leaf src-ip { }
type inet:ipv4-address; description
description "The dampening-type for characteristics";
"The source IP address of the packet"; }
} }
leaf dst-ip { grouping i2nsf-system-alarm-type-content {
type inet:ipv4-address; description
description "A set of system alarm type contents";
"The destination IP address of the packet"; leaf usage {
} type uint8;
leaf src-port { description
type inet:port-number; "specifies the amount of usage";
description }
"The source port of the packet"; leaf threshold {
} type uint8;
leaf dst-port { description
type inet:port-number; "The threshold triggering the alarm or the event";
description }
"The destination port of the packet"; }
} grouping i2nsf-system-event-type-content {
leaf src-zone { description
type string; "System event metadata associated
description with system events caused by user activity.";
"The source security zone of the packet"; leaf user {
} type string;
leaf dst-zone { mandatory true;
type string; description
description "Name of a user";
"The destination security zone of the packet"; }
} leaf group {
leaf rule-id { type string;
type uint8; mandatory true;
mandatory true; description
description "Group to which a user belongs.";
"The ID of the rule being triggered"; }
} leaf login-ip-addr {
leaf rule-name { type inet:ipv4-address;
type string; mandatory true;
mandatory true; description
description "Login IP address of a user.";
"The name of the rule being triggered"; }
} leaf authentication {
leaf profile { type identityref {
type string; base authentication-mode;
description }
"Security profile that traffic matches."; description
} "The authentication-mode for authentication";
leaf raw-info { }
type string; }
description grouping i2nsf-nsf-event-type-content-extend {
"The information describing the packet description
triggering the event."; "A set of common IPv4-related NSF event
} content elements";
} leaf src-ip {
grouping i2nsf-nsf-event-type-content { type inet:ipv4-address;
description description
"A set of common IPv4-related NSF event "The source IP address of the packet";
content elements"; }
leaf dst-ip { leaf dst-ip {
type inet:ipv4-address; type inet:ipv4-address;
description description
"The destination IP address of the packet"; "The destination IP address of the packet";
} }
leaf dst-port { leaf src-port {
type inet:port-number; type inet:port-number;
description description
"The destination port of the packet"; "The source port of the packet";
} }
leaf rule-id { leaf dst-port {
type uint8; type inet:port-number;
mandatory true; description
description "The destination port of the packet";
"The ID of the rule being triggered"; }
} leaf src-zone {
leaf rule-name { type string;
type string; description
mandatory true; "The source security zone of the packet";
description }
"The name of the rule being triggered"; leaf dst-zone {
} type string;
leaf profile { description
type string; "The destination security zone of the packet";
description }
"Security profile that traffic matches."; leaf rule-id {
      type uint8;
      mandatory true;
      description
        "The ID of the rule being triggered";
    }
    leaf rule-name {
      type string;
      mandatory true;
      description
        "The name of the rule being triggered";
    }
    leaf profile {
      type string;
      description
        "Security profile that traffic matches.";
    }
    leaf raw-info {
      type string;
      description
        "The information describing the packet
         triggering the event.";
    }
  }
  grouping i2nsf-nsf-event-type-content {
    description
      "A set of common IPv4-related NSF event
       content elements";
    leaf dst-ip {
      type inet:ipv4-address;
      description
        "The destination IP address of the packet";
    }
    leaf dst-port {
      type inet:port-number;
      description
        "The destination port of the packet";
    }
    leaf rule-id {
      type uint8;
      mandatory true;
      description
        "The ID of the rule being triggered";
    }
    leaf rule-name {
      type string;
      mandatory true;
      description
        "The name of the rule being triggered";
    }
    leaf profile {
      type string;
      description
        "Security profile that traffic matches.";
    }
    leaf raw-info {
      type string;
      description
        "The information describing the packet
         triggering the event.";
    }
  }
  grouping traffic-rates {
    description
      "A set of traffic rates
       for statistics data";
    leaf total-traffic {
      type uint32;
      description
        "Total traffic";
    }
    leaf in-traffic-ave-rate {
      type uint32;
      description
        "Inbound traffic average rate in pps";
    }
    leaf in-traffic-peak-rate {
      type uint32;
      description
        "Inbound traffic peak rate in pps";
    }
    leaf in-traffic-ave-speed {
      type uint32;
      description
        "Inbound traffic average speed in bps";
    }
    leaf in-traffic-peak-speed {
      type uint32;
      description
        "Inbound traffic peak speed in bps";
    }
    leaf out-traffic-ave-rate {
      type uint32;
      description
        "Outbound traffic average rate in pps";
    }
    leaf out-traffic-peak-rate {
      type uint32;
      description
        "Outbound traffic peak rate in pps";
    }
    leaf out-traffic-ave-speed {
      type uint32;
      description
        "Outbound traffic average speed in bps";
    }
    leaf out-traffic-peak-speed {
      type uint32;
      description
        "Outbound traffic peak speed in bps";
    }
  }
  grouping i2nsf-system-counter-type-content {
    description
      "A set of system counter type contents";
    leaf interface-name {
      type string;
      description
        "Network interface name configured in NSF";
    }
    leaf in-total-traffic-pkts {
      type uint32;
      description
        "Total inbound packets";
    }
    leaf out-total-traffic-pkts {
      type uint32;
      description
        "Total outbound packets";
    }
    leaf in-total-traffic-bytes {
      type uint32;
      description
        "Total inbound bytes";
    }
    leaf out-total-traffic-bytes {
      type uint32;
      description
        "Total outbound bytes";
    }
    leaf in-drop-traffic-pkts {
      type uint32;
      description
        "Total inbound drop packets";
    }
    leaf out-drop-traffic-pkts {
      type uint32;
      description
        "Total outbound drop packets";
    }
    leaf in-drop-traffic-bytes {
      type uint32;
      description
        "Total inbound drop bytes";
    }
    leaf out-drop-traffic-bytes {
      type uint32;
      description
        "Total outbound drop bytes";
    }
    uses traffic-rates;
  }
  grouping i2nsf-nsf-counters-type-content {
    description
      "A set of nsf counters type contents";
    leaf src-ip {
      type inet:ipv4-address;
      description
        "The source IP address of the packet";
    }
    leaf dst-ip {
      type inet:ipv4-address;
      description
        "The destination IP address of the packet";
    }
    leaf src-port {
      type inet:port-number;
      description
        "The source port of the packet";
    }
    leaf dst-port {
      type inet:port-number;
      description
        "The destination port of the packet";
    }
    leaf src-zone {
      type string;
      description
        "The source security zone of the packet";
    }
    leaf dst-zone {
      type string;
      description
        "The destination security zone of the packet";
    }
    leaf src-region {
      type string;
      description
        "Source region of the traffic";
    }
    leaf dst-region {
      type string;
      description
        "Destination region of the traffic";
    }
    leaf policy-id {
      type uint8;
      description
        "The ID of the policy being triggered";
    }
    leaf policy-name {
      type string;
      description
        "The name of the policy being triggered";
    }
    leaf src-user {
      type string;
      description
        "User who generates traffic";
    }
    leaf protocol {
      type identityref {
        base protocol-type;
      }
      description
        "Protocol type of traffic";
    }
    leaf app {
      type string;
      description
        "Application type of traffic";
    }
  }
  notification system-detection-alarm {
    description
      "This notification is sent, when a system alarm
       is detected.";
    leaf alarm-category {
      type identityref {
        base alarm-type;
      }
      description
        "The alarm category for
         system-detection-alarm notification";
    }
    uses characteristics;
    uses i2nsf-system-alarm-type-content;
    uses common-monitoring-data;
  }
  notification system-detection-event {
    description
      "This notification is sent, when a security-sensitive
       authentication action fails.";
    leaf event-category {
      type identityref {
        base event-type;
      }
      description
        "The event category for system-detection-event";
    }
    uses characteristics;
    uses i2nsf-system-event-type-content;
    uses common-monitoring-data;
  }
  notification nsf-detection-flood {
    description
      "This notification is sent,
       when a specific flood type is detected";
    leaf event-name {
      type identityref {
        base SEC-EVENT-DDOS;
      }
      description
        "The event name for nsf-detection-flood";
    }
    uses i2nsf-nsf-event-type-content;
    leaf sub-attack-type {
      type identityref {
        base flood-type;
      }
      description
        "Any one of Syn flood, ACK flood, SYN-ACK flood,
         FIN/RST flood, TCP Connection flood, UDP flood,
         Icmp flood, HTTPS flood, HTTP flood, DNS query flood,
         DNS reply flood, SIP flood, etc.";
    }
    leaf start-time {
      type yang:date-and-time;
      mandatory true;
      description
        "The time stamp indicating when the attack started";
    }
    leaf end-time {
      type yang:date-and-time;
      mandatory true;
      description
        "The time stamp indicating when the attack ended";
    }
    leaf attack-rate {
      type uint32;
      description
        "The PPS rate of attack traffic";
    }
    leaf attack-speed {
      type uint32;
      description
        "The BPS speed of attack traffic";
    }
    uses common-monitoring-data;
  }
  notification nsf-detection-session-table {
    description
      "This notification is sent, when a session table
       event is detected";
    leaf current-session {
      type uint8;
      description
        "The number of concurrent sessions";
    }
    leaf maximum-session {
      type uint8;
      description
        "The maximum number of sessions that the session
         table can support";
    }
    leaf threshold {
      type uint8;
      description
        "The threshold triggering the event";
    }
    uses common-monitoring-data;
  }
  notification nsf-detection-virus {
    description
      "This notification is sent, when a virus is detected";
    uses i2nsf-nsf-event-type-content-extend;
    leaf virus {
      type identityref {
        base virus-type;
      }
      description
        "The virus type for nsf-detection-virus notification";
    }
    leaf virus-name {
      type string;
      description
        "The name of the detected virus";
    }
    leaf file-type {
      type string;
      description
        "The type of file virus code
         is found in (if applicable).";
    }
    leaf file-name {
      type string;
      description
        "The name of file virus code
         is found in (if applicable).";
    }
    uses common-monitoring-data;
  }
  notification nsf-detection-intrusion {
    description
      "This notification is sent, when an intrusion event
       is detected.";
    uses i2nsf-nsf-event-type-content-extend;
    leaf protocol {
      type identityref {
        base protocol-type;
      }
      description
        "The protocol type for
         nsf-detection-intrusion notification";
    }
    leaf app {
      type string;
      description
        "The employed application layer protocol";
    }
    leaf sub-attack-type {
      type identityref {
        base intrusion-attack-type;
      }
      description
        "The sub attack type for intrusion attack";
    }
    uses common-monitoring-data;
  }
  notification nsf-detection-botnet {
    description
      "This notification is sent, when a botnet event is
       detected";
    uses i2nsf-nsf-event-type-content-extend;
    leaf attack-type {
      type identityref {
        base botnet-attack-type;
      }
      description
        "The attack type for botnet attack";
    }
    leaf protocol {
      type identityref {
        base protocol-type;
      }
      description
        "The protocol type for nsf-detection-botnet notification";
    }
    leaf botnet-name {
      type string;
      description
        "The name of the detected botnet";
    }
    leaf role {
      type string;
      description
        "The role of the communicating
         parties within the botnet";
    }
    uses common-monitoring-data;
  }
  notification nsf-detection-web-attack {
    description
      "This notification is sent, when an attack event is
       detected";
    uses i2nsf-nsf-event-type-content-extend;
    leaf sub-attack-type {
      type identityref {
        base web-attack-type;
      }
      description
        "Concrete web attack type, e.g., sql injection,
         command injection, XSS, CSRF";
    }
    leaf request-method {
      type identityref {
        base req-method;
      }
      description
        "The method of requirement. For instance, PUT or
         GET in HTTP";
    }
    leaf req-uri {
      type string;
      description
        "Requested URI";
    }
    leaf uri-category {
      type string;
      description
        "Matched URI category";
    }
    leaf-list filtering-type {
      type identityref {
        base filter-type;
      }
      description
        "URL filtering type, e.g., Blacklist, Whitelist,
         User-Defined, Predefined, Malicious Category,
         Unknown";
    }
    uses common-monitoring-data;
  }
  notification system-access-log {
    description
      "The notification is sent, if there is
       a new system log entry about
       a system access event";
    leaf login-ip {
      type inet:ipv4-address;
      mandatory true;
      description
        "Login IP address of a user";
    }
    leaf administrator {
      type string;
      description
        "Administrator that maintains the device";
    }
    leaf login-mode {
      type login-mode;
      description
        "Specifies the administrator log-in mode";
    }
    leaf operation-type {
      type operation-type;
      description
        "The operation type that the administrator executes";
    }
    leaf result {
      type string;
      description
        "Command execution result";
    }
    leaf content {
      type string;
      description
        "The Operation performed by an administrator
         after login";
    }
    uses characteristics;
  }
  notification system-res-util-log {
    description
      "This notification is sent, if there is
       a new log entry representing resource
       utilization updates.";
    leaf system-status {
      type string;
      description
        "The current systems
         running status";
    }
    leaf cpu-usage {
      type uint8;
      description
        "Specifies the relative amount of
         cpu usage wrt platform resources";
    }
    leaf memory-usage {
      type uint8;
      description
        "Specifies the amount of memory usage";
    }
    leaf disk-usage {
      type uint8;
      description
        "Specifies the amount of disk usage";
    }
    leaf disk-left {
      type uint8;
      description
        "Specifies the amount of disk left";
    }
    leaf session-num {
      type uint8;
      description
        "The total number of sessions";
    }
    leaf process-num {
      type uint8;
      description
        "The total number of process";
    }
    leaf in-traffic-rate {
      type uint32;
      description
        "The total inbound traffic rate in pps";
    }
    leaf out-traffic-rate {
      type uint32;
      description
        "The total outbound traffic rate in pps";
    }
    leaf in-traffic-speed {
      type uint32;
      description
        "The total inbound traffic speed in bps";
    }
    leaf out-traffic-speed {
      type uint32;
      description
        "The total outbound traffic speed in bps";
    }
    uses characteristics;
  }
  notification system-user-activity-log {
    description
      "This notification is sent, if there is
       a new user activity log entry";
    uses characteristics;
    uses i2nsf-system-event-type-content;
    leaf access {
      type identityref {
        base access-mode;
      }
      description
        "The access type for
         system-user-activity-log notification";
    }
    leaf online-duration {
      type string;
      description
        "Online duration";
    }
    leaf logout-duration {
      type string;
      description
        "Lockout duration";
    }
    leaf additional-info {
      type string;
      description
        "User activities. e.g., Successful
         User Login, Failed Login attempts,
         User Logout, Successful User
         Password Change, Failed User
         Password Change, User Lockout,
         User Unlocking, Unknown";
    }
  }
  notification nsf-log-ddos {
    description
      "This notification is sent, if there is
       a new DDoS event log entry in the nsf log";
    leaf attack-type {
      type identityref {
        base ddos-attack-type;
      }
      description
        "The ddos attack type for
         nsf-log-ddos notification";
    }
    leaf attack-ave-rate {
      type uint32;
      description
        "The ave PPS of attack traffic";
    }
    leaf attack-ave-speed {
      type uint32;
      description
        "the ave bps of attack traffic";
    }
    leaf attack-pkt-num {
      type uint32;
      description
        "the number of attack packets";
    }
    leaf attack-src-ip {
      type inet:ipv4-address;
      description
        "The source IP addresses of attack
         traffics. If there are a large
         amount of IP addresses, then
         pick a certain number of resources
         according to different rules.";
    }
    leaf action {
      type log-action;
      description
        "Action type: allow, alert,
         block, discard, declare,
         block-ip, block-service";
    }
    uses characteristics;
    uses common-monitoring-data;
  }
  notification nsf-log-virus {
    description
      "This notification is sent, if there is
       a new virus event log entry in the nsf log";
    leaf attack-type {
      type identityref {
        base virus-type;
      }
      description
        "The virus type for nsf-log-virus notification";
    }
    leaf action {
      type log-action;
      description
        "Action type: allow, alert,
         block, discard, declare,
         block-ip, block-service";
    }
    leaf os {
      type string;
      description
        "simple os information";
    }
    leaf time {
      type yang:date-and-time;
      mandatory true;
      description
        "Indicate the time when the message
         is generated";
    }
    uses characteristics;
    uses common-monitoring-data;
  }
  notification nsf-log-intrusion {
    description
      "This notification is sent, if there is
       a new intrusion event log entry in the nsf log";
    leaf attack-type {
      type identityref {
        base intrusion-attack-type;
      }
      description
        "The intrusion attack type for
         nsf-log-intrusion notification";
    }
    leaf action {
      type log-action;
      description
        "Action type: allow, alert,
         block, discard, declare,
         block-ip, block-service";
    }
    leaf time {
      type yang:date-and-time;
      mandatory true;
      description
        "Indicate the time when the message
         is generated";
    }
    leaf attack-rate {
      type uint32;
      description
        "The PPS of attack traffic";
    }
    leaf attack-speed {
      type uint32;
      description
        "The bps of attack traffic";
    }
    uses characteristics;
    uses common-monitoring-data;
  }
  notification nsf-log-botnet {
    description
      "This notification is sent, if there is
       a new botnet event log in the nsf log";
    leaf attack-type {
      type identityref {
        base botnet-attack-type;
      }
      description
        "The botnet attack type for
         nsf-log-botnet notification";
    }
    leaf action {
      type log-action;
      description
        "Action type: allow, alert,
         block, discard, declare,
         block-ip, block-service";
    }
    leaf botnet-pkt-num {
      type uint8;
      description
        "The number of the packets sent to
         or from the detected botnet";
    }
    leaf os {
      type string;
      description
        "simple os information";
    }
    uses characteristics;
    uses common-monitoring-data;
  }
  notification nsf-log-dpi {
    description
      "This notification is sent, if there is
       a new dpi event in the nsf log";
    leaf attack-type {
      type dpi-type;
      description
        "The type of the dpi";
    }
    uses characteristics;
    uses i2nsf-nsf-counters-type-content;
    uses common-monitoring-data;
  }
  notification nsf-log-vuln-scan {
    description
      "This notification is sent, if there is
       a new vulnerability-scan report in the nsf log";
    leaf vulnerability-id {
      type uint8;
      description
        "The vulnerability id";
    }
    leaf victim-ip {
      type inet:ipv4-address;
      description
        "IP address of the victim host
         which has vulnerabilities";
    }
    leaf protocol {
      type identityref {
        base protocol-type;
      }
      description
        "The protocol type for
         nsf-log-vuln-scan notification";
    }
    leaf port-num {
      type inet:port-number;
      description
        "The port number";
    }
    leaf level {
      type severity;
      description
        "The vulnerability severity";
    }
    leaf os {
      type string;
      description
        "simple os information";
    }
    leaf vulnerability-info {
      type string;
      description
        "The information about the vulnerability";
    }
    leaf fix-suggestion {
      type string;
      description
        "The fix suggestion to the vulnerability";
    }
    leaf service {
      type string;
      description
        "The service which has vulnerability in the victim host";
    }
    uses characteristics;
    uses common-monitoring-data;
  }
  notification nsf-log-web-attack {
    description
      "This notification is sent, if there is
       a new web-attack event in the nsf log";
    leaf attack-type {
      type identityref {
        base web-attack-type;
      }
      description
        "The web attack type for
         nsf-log-web-attack notification";
    }
    leaf rsp-code {
      type string;
      description
        "Response code";
    }
    leaf req-clientapp {
      type string;
      description
        "The client application";
    }
    leaf req-cookies {
      type string;
      description
        "Cookies";
    }
    leaf req-host {
      type string;
      description
        "The domain name of the requested host";
    }
    leaf raw-info {
      type string;
      description
        "The information describing
         the packet triggering the event.";
    }
    uses characteristics;
    uses common-monitoring-data;
  }
  container counters {
    description
      "This is probably better covered by an import
       as this will not be notifications.
       Counter are not very suitable as telemetry, maybe
       via periodic subscriptions, which would still
       violate principle of least surprise.";
    container system-interface {
      description
        "The system counter type is interface counter";
      uses characteristics;
      uses i2nsf-system-counter-type-content;
      uses common-monitoring-data;
    }
    container nsf-firewall {
      description
        "The nsf counter type is firewall counter";
      uses characteristics;
      uses i2nsf-nsf-counters-type-content;
      uses traffic-rates;
    }
    container nsf-policy-hits {
      description
        "The counters of policy hit";
      uses characteristics;
      uses i2nsf-nsf-counters-type-content;
      uses common-monitoring-data;
      leaf hit-times {
        type uint32;
        description
          "The hit times for policy";
      }
    }
  }
}
<CODE ENDS>
Figure 2: Data Model of Monitoring
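The notifications in Figure 2 are what a security controller receives from an NSF, and the Security Considerations below point out that a faked NSF can push false information into the controller. A collector should therefore validate every payload against the schema before acting on it. The validator below is an added example, not code from the draft or from the I2NSF project: it checks YANG-JSON (RFC 7951) encodings of nsf-detection-flood and nsf-detection-session-table against a hand-copied subset of the leaves defined above. The characteristics and common-monitoring-data groupings, defined elsewhere in the module, are left out of the table, and the sample payloads and identity names such as syn-flood are constructed for the example.

```python
"""Added example (not part of the draft): collector-side validation of
ietf-i2nsf-monitor notifications encoded as YANG-JSON (RFC 7951).
The schema table is a hand-copied subset of the module; sample
payloads and identity names are constructed."""
import ipaddress
import re
from typing import Any

MODULE = "ietf-i2nsf-monitor"  # module name from the IANA section

# yang:date-and-time (RFC 3339): date 'T' time, optional fraction, zone.
DATE_TIME_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def _is_uint(value: Any, upper: int) -> bool:
    # bool is a subclass of int in Python; JSON true/false is not a number
    return isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= upper


def check_type(yang_type: str, value: Any) -> bool:
    """True if value is a valid RFC 7951 encoding of the given YANG type."""
    if yang_type == "uint8":
        return _is_uint(value, 0xFF)
    if yang_type == "uint32":
        return _is_uint(value, 0xFFFFFFFF)
    if yang_type == "inet:port-number":
        return _is_uint(value, 65535)
    if yang_type == "string":
        return isinstance(value, str)
    if yang_type == "yang:date-and-time":
        return isinstance(value, str) and DATE_TIME_RE.match(value) is not None
    if yang_type == "inet:ipv4-address":
        if not isinstance(value, str):
            return False
        try:
            ipaddress.IPv4Address(value.split("%")[0])  # RFC 6991 allows a zone suffix
            return True
        except ValueError:
            return False
    if yang_type == "identityref":
        # RFC 7951 encodes an identityref as "module-name:identity-name"
        return isinstance(value, str) and ":" in value
    raise ValueError(f"unsupported YANG type {yang_type!r}")


# Leaves of grouping i2nsf-nsf-event-type-content: name -> (type, mandatory)
EVENT_CONTENT = {
    "dst-ip": ("inet:ipv4-address", False), "dst-port": ("inet:port-number", False),
    "rule-id": ("uint8", True), "rule-name": ("string", True),
    "profile": ("string", False), "raw-info": ("string", False),
}

# Subset of the module's notifications.  Leaves pulled in by the
# 'characteristics' and 'common-monitoring-data' groupings are not modelled.
SCHEMA = {
    "nsf-detection-flood": {
        "event-name": ("identityref", False), **EVENT_CONTENT,
        "sub-attack-type": ("identityref", False),
        "start-time": ("yang:date-and-time", True),
        "end-time": ("yang:date-and-time", True),
        "attack-rate": ("uint32", False), "attack-speed": ("uint32", False),
    },
    "nsf-detection-session-table": {
        "current-session": ("uint8", False), "maximum-session": ("uint8", False),
        "threshold": ("uint8", False),
    },
}


def validate(notification: dict) -> list:
    """Return the list of problems found in one RFC 7951 notification
    object; an empty list means it conforms to the schema subset."""
    if not isinstance(notification, dict) or len(notification) != 1:
        return ["notification must be an object with exactly one top-level node"]
    (qname, body), = notification.items()
    module, _, name = qname.partition(":")
    if module != MODULE or name not in SCHEMA:
        return [f"unknown notification {qname!r}"]
    if not isinstance(body, dict):
        return [f"{name}: body must be an object"]
    leaves, problems = SCHEMA[name], []
    for leaf, (yang_type, mandatory) in leaves.items():
        if leaf not in body:
            if mandatory:
                problems.append(f"{name}: mandatory leaf {leaf!r} missing")
        elif not check_type(yang_type, body[leaf]):
            problems.append(f"{name}: {leaf!r} is not a valid {yang_type}: {body[leaf]!r}")
    problems.extend(f"{name}: unknown leaf {leaf!r}" for leaf in body if leaf not in leaves)
    return problems


# Constructed sample payloads (not taken from the draft).
GOOD_FLOOD = {f"{MODULE}:nsf-detection-flood": {
    "event-name": f"{MODULE}:SEC-EVENT-DDOS",
    "dst-ip": "192.0.2.10", "dst-port": 443,
    "rule-id": 7, "rule-name": "syn-flood-guard",
    "sub-attack-type": f"{MODULE}:syn-flood",  # identity name is assumed
    "start-time": "2019-07-24T10:00:00Z", "end-time": "2019-07-24T10:05:30Z",
    "attack-rate": 250000, "attack-speed": 1200000000,
}}
OVERFLOW_SESSION = {f"{MODULE}:nsf-detection-session-table": {
    "current-session": 40000,  # rejected: the model types this leaf as uint8
    "maximum-session": 65535,  # rejected for the same reason
    "threshold": 200,
}}
```

Running validate on the two payloads returns an empty list for the flood event and two problems for the session-table event: current-session and maximum-session are typed uint8 in this revision of the module, so any value above 255 is rejected, which matters before wiring a session-table threshold alert to this notification.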
11. IANA Considerations

This document requests IANA to register the following URI in the
"IETF XML Registry" [RFC3688]:

URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitor
Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace.

This document requests IANA to register the following YANG module in
the "YANG Module Names" registry [RFC6020][RFC7950].

name: ietf-i2nsf-monitor
namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitor
prefix: iim
reference: RFC XXXX

12. Security Considerations

The YANG module described in this document defines a schema for data
that is designed to be accessed via network management protocols such
skipping to change at page 72, line 32 skipping to change at page 72, line 27
preconfigured subset of all available NETCONF or RESTCONF protocol preconfigured subset of all available NETCONF or RESTCONF protocol
operations and content. operations and content.
All data nodes defined in the YANG module which can be created, All data nodes defined in the YANG module which can be created,
modified and deleted (i.e., config true, which is the default) are modified and deleted (i.e., config true, which is the default) are
considered sensitive. Write operations (e.g., edit-config) applied considered sensitive. Write operations (e.g., edit-config) applied
to these data nodes without proper protection can negatively affect to these data nodes without proper protection can negatively affect
framework operations. The monitoring YANG module should be protected framework operations. The monitoring YANG module should be protected
by the secure communication channel, to ensure its confidentiality by the secure communication channel, to ensure its confidentiality
and integrity. In another side, the NSF and security controller can and integrity. In another side, the NSF and security controller can
all be faked, which lead to undesireable results, i.e., leakage of an all be faked, which lead to undesirable results (i.e., leakage of an
NSF's important operational information, faked NSF sending false NSF's important operational information, and faked NSF sending false
information to mislead security controller. The mutual information to mislead security controller). The mutual
authentication is essential to protected against this kind of attack. authentication is essential to protected against this kind of attack.
The current mainstream security technologies (i.e., TLS, DTLS, IPSEC, The current mainstream security technologies (i.e., TLS, DTLS, IPSEC,
X.509 PKI) can be employed approriately to provide the above security and X.509 PKI) can be employed appropriately to provide the above
functions. security functions.
In addition, to defend against the DDoS attack caused by a lot of In addition, to defend against the DDoS attack caused by a lot of
NSFs sending massive notifications to the security controller, the NSFs sending massive notifications to the security controller, the
rate limiting or similar mechanisms should be considered in an NSF rate limiting or similar mechanisms should be considered in an NSF
and security controller, whether in advance or just in the process of and security controller, whether in advance or just in the process of
DDoS attack. DDoS attack.
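The rate-limiting mechanism described above, as an added example that is not part of the draft or of any I2NSF implementation: a security controller admits each NSF notification only if both a per-NSF token bucket and a shared aggregate bucket have a token. The NSF names, the limits, the (timestamp, NSF) event format and the two constructed notification streams are assumptions for illustration; the draft specifies none of them.

```python
"""Rate limiting of NSF monitoring notifications at a security controller.

Added example, not part of the draft or of any I2NSF implementation: the
controller keeps one token bucket per sending NSF plus one aggregate bucket
shared by all NSFs, so neither a single flooding (possibly faked) NSF nor
the NSF population as a whole can exhaust it.  NSF names, limits and the
(timestamp, nsf) event format are assumptions for illustration; timestamps
are integer milliseconds so every admission decision is deterministic.
"""


class TokenBucket:
    """Token bucket in integer arithmetic: capacity in tokens, rate in
    tokens per second; internally 1 token = 1000 millitokens, so a rate
    of N tokens/s is N millitokens/ms."""

    def __init__(self, capacity, rate_per_s, now_ms=0):
        self.capacity_m = capacity * 1000
        self.rate = rate_per_s
        self.tokens_m = self.capacity_m   # start full: allows an initial burst
        self.last_ms = now_ms

    def allow(self, now_ms):
        """Refill for the time elapsed since the last call, then try to
        take one token.  Returns True if the notification is admitted."""
        elapsed = max(0, now_ms - self.last_ms)   # a clock step backwards refills nothing
        self.tokens_m = min(self.capacity_m, self.tokens_m + elapsed * self.rate)
        self.last_ms = now_ms
        if self.tokens_m >= 1000:
            self.tokens_m -= 1000
            return True
        return False


class NotificationLimiter:
    """Admit a notification only if both the sender's own bucket and the
    shared bucket have a token.  The per-NSF check comes first so that a
    flooding NSF is dropped before it can drain the budget shared with the
    well-behaved NSFs."""

    def __init__(self, per_nsf_capacity=10, per_nsf_rate=2,
                 total_capacity=50, total_rate=20):
        self.per_nsf = (per_nsf_capacity, per_nsf_rate)
        self.total = TokenBucket(total_capacity, total_rate)
        self.buckets = {}   # nsf name -> TokenBucket

    def admit(self, nsf_name, now_ms):
        bucket = self.buckets.get(nsf_name)
        if bucket is None:
            bucket = TokenBucket(*self.per_nsf, now_ms=now_ms)
            self.buckets[nsf_name] = bucket
        return bucket.allow(now_ms) and self.total.allow(now_ms)


def simulate(events, **limits):
    """Feed (timestamp_ms, nsf_name) events through a fresh limiter in
    time order and return {nsf_name: (accepted, dropped)}."""
    limiter = NotificationLimiter(**limits)
    stats = {}
    for ts_ms, nsf in sorted(events):
        accepted, dropped = stats.get(nsf, (0, 0))
        if limiter.admit(nsf, ts_ms):
            stats[nsf] = (accepted + 1, dropped)
        else:
            stats[nsf] = (accepted, dropped + 1)
    return stats


# Constructed sample 1: a well-behaved firewall NSF reports once per second
# while a flooding NSF emits 100 notifications within a single second.
FLOOD_EVENTS = ([(t * 1000, "nsf-firewall-1") for t in range(10)]
                + [(5000 + 10 * i, "nsf-flood") for i in range(100)])

# Constructed sample 2: 30 NSFs each send a burst of 5 notifications at the
# same instant.  Every per-NSF bucket permits its 5, but the aggregate
# bucket admits only the first 50 and sheds the remaining 100.
BURST_EVENTS = [(0, "nsf-%02d" % n) for n in range(30) for _ in range(5)]

if __name__ == "__main__":
    for label, events in (("flood", FLOOD_EVENTS), ("burst", BURST_EVENTS)):
        stats = simulate(events)
        print(label, "accepted", sum(a for a, _ in stats.values()),
              "dropped", sum(d for _, d in stats.values()))
        for nsf, (a, d) in sorted(stats.items()):
            if d:
                print("  %s: accepted=%d dropped=%d" % (nsf, a, d))
```

Running the module prints the accepted and dropped counts: in the first stream the well-behaved NSF loses nothing while 89 of the flooder's 100 notifications are shed, and in the second the aggregate bucket caps a simultaneous 150-notification burst at 50. A controller would also record the per-NSF drop counts as monitoring data in their own right, since a sudden flood from one NSF is itself a sign of an anomaly or of a faked NSF.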
13. References

13.1. Normative References

[I-D.ietf-netconf-subscribed-notifications]
           Voit, E., Clemm, A., Prieto, A., Nilsen-Nygaard, E., and
           A. Tripathy, "Subscription to YANG Event Notifications",
           draft-ietf-netconf-subscribed-notifications-26 (work in
           progress), May 2019.

[I-D.ietf-netconf-yang-push]
           Clemm, A. and E. Voit, "Subscription to YANG Datastores",
           draft-ietf-netconf-yang-push-25 (work in progress), May
           2019.

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119,
           DOI 10.17487/RFC2119, March 1997,
           <https://www.rfc-editor.org/info/rfc2119>.

[RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
           DOI 10.17487/RFC3688, January 2004,
           <https://www.rfc-editor.org/info/rfc3688>.
skipping to change at page 73, line 31
           September 2004, <https://www.rfc-editor.org/info/rfc3877>.

[RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
           FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
           <https://www.rfc-editor.org/info/rfc4949>.

[RFC5424]  Gerhards, R., "The Syslog Protocol", RFC 5424,
           DOI 10.17487/RFC5424, March 2009,
           <https://www.rfc-editor.org/info/rfc5424>.

[RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
           the Network Configuration Protocol (NETCONF)", RFC 6020,
           DOI 10.17487/RFC6020, October 2010,
           <https://www.rfc-editor.org/info/rfc6020>.

[RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
           and A. Bierman, Ed., "Network Configuration Protocol
           (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
           <https://www.rfc-editor.org/info/rfc6241>.

[RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
           Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
           <https://www.rfc-editor.org/info/rfc6242>.

[RFC6587]  Gerhards, R. and C. Lonvick, "Transmission of Syslog
skipping to change at page 74, line 28
[RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
           2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
           May 2017, <https://www.rfc-editor.org/info/rfc8174>.

[RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
           Access Control Model", STD 91, RFC 8341,
           DOI 10.17487/RFC8341, March 2018,
           <https://www.rfc-editor.org/info/rfc8341>.

[RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
           and R. Wilton, "Network Management Datastore Architecture
           (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018,
           <https://www.rfc-editor.org/info/rfc8342>.

[RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
           Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
           <https://www.rfc-editor.org/info/rfc8446>.

13.2. Informative References

[I-D.ietf-i2nsf-capability]
           Xia, L., Strassner, J., Basile, C., and D. Lopez,
           "Information Model of NSFs Capabilities", draft-ietf-
           i2nsf-capability-05 (work in progress), April 2019.

[I-D.ietf-i2nsf-consumer-facing-interface-dm]
           Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares,
           "I2NSF Consumer-Facing Interface YANG Data Model", draft-
           ietf-i2nsf-consumer-facing-interface-dm-05 (work in
           progress), June 2019.

[I-D.ietf-i2nsf-nsf-facing-interface-dm]
           Kim, J., Jeong, J., J., J., PARK, P., Hares, S., and Q.
           Lin, "I2NSF Network Security Function-Facing Interface
           YANG Data Model", draft-ietf-i2nsf-nsf-facing-interface-
           dm-06 (work in progress), June 2019.

[I-D.ietf-i2nsf-registration-interface-dm]
           Hyun, S., Jeong, J., Roh, T., Wi, S., J., J., and P. PARK,
           "I2NSF Registration Interface YANG Data Model", draft-
           ietf-i2nsf-registration-interface-dm-04 (work in
           progress), June 2019.

[I-D.ietf-i2nsf-terminology]
           Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
           Birkholz, "Interface to Network Security Functions (I2NSF)
           Terminology", draft-ietf-i2nsf-terminology-08 (work in
           progress), July 2019.

[I-D.yang-i2nsf-nfv-architecture]
           Yang, H., Kim, Y., Jeong, J., and J. Kim, "I2NSF on the
           NFV Reference Architecture", draft-yang-i2nsf-nfv-
           architecture-05 (work in progress), July 2019.

[I-D.yang-i2nsf-security-policy-translation]
           Yang, J., Jeong, J., and J. Kim, "Security Policy
           Translation in Interface to Network Security Functions",
           draft-yang-i2nsf-security-policy-translation-03 (work in
           progress), March 2019.

[RFC3954]  Claise, B., Ed., "Cisco Systems NetFlow Services Export
           Version 9", RFC 3954, DOI 10.17487/RFC3954, October 2004,
           <https://www.rfc-editor.org/info/rfc3954>.

[RFC6087]  Bierman, A., "Guidelines for Authors and Reviewers of YANG
           Data Model Documents", RFC 6087, DOI 10.17487/RFC6087,
           January 2011, <https://www.rfc-editor.org/info/rfc6087>.

[RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
           Kumar, "Framework for Interface to Network Security
           Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018,
           <https://www.rfc-editor.org/info/rfc8329>.

[RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
           BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
           <https://www.rfc-editor.org/info/rfc8340>.
Appendix A. Changes from draft-hong-i2nsf-nsf-monitoring-data-model-06
(as recorded in draft-ietf-i2nsf-nsf-monitoring-data-model-00)

The following changes are made from draft-hong-i2nsf-nsf-monitoring-
data-model-06:

o  This version has reflected the comments from Tom Petch as follows.

o  In the Editorial Note, RFC XXXX: I2NSF NSF Monitoring YANG Data
   Model is mentioned.

o  In Section 2, Requirements Language and Terminology are integrated
   and the explanation of YANG Data Diagrams is moved to Terminology.

o  In Section 2.3, NMDA conformance is mentioned.

o  In Section 2.1, the reference [RFC8174] is added.

o  In Section 2.3, the reference [RFC8340] that specifies the format
   for tree diagrams is added for the tree diagrams.

o  In Section 10, the copyright of the YANG Module is added in the
   description.

o  In Section 10, the YANG import statements include reference
   statements.

o  In Section 10, the YANG Module includes RFC XXXX to indicate the
   RFC from which it comes.

o  In Section 10, the identity for protocols includes reference
   statements.

o  In Section 11, the section for the YANG Module Names and the URI
   in the IETF XML Registry is added.

o  In Section 12,

Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-00
(as recorded in draft-ietf-i2nsf-nsf-monitoring-data-model-01)

The following changes are made from draft-ietf-i2nsf-nsf-monitoring-
data-model-00:

o  In Section 2.1, Requirements Notation is updated.

o  In Section 2.2, the reference [RFC8329] is added.

o  In Section 2.3, the reference [RFC8342] is added.

o  In Section 11, the reference [RFC6020] is added.

o  Many editorial errors have been corrected.
Appendix B. Acknowledgments

This work was supported by an Institute of Information & Communications
Technology Planning & Evaluation (IITP) grant funded by the Korea
MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based
Security Intelligence Technology Development for the Customized
Security Service Provisioning).

This work was supported in part by the MSIT, Korea, under the ITRC
(Information Technology Research Center) support program (IITP-
2019-2017-0-01633) supervised by the IITP.
Appendix C. Contributors

This document is the product of a group effort of the I2NSF working
group. Many people actively contributed to this document. The
following are considered co-authors:

o  Jinyong Tim Kim (Sungkyunkwan University)

o  Dongjin Hong (Sungkyunkwan University)
skipping to change at page 77, line 8
o  Yi Wu (Alibaba Group)

o  Rakesh Kumar (Juniper Networks)

o  Anil Lohiya (Juniper Networks)
Authors' Addresses

Jaehoon Paul Jeong
Department of Computer Science and Engineering
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419
Republic of Korea

Phone: +82 31 299 4957
Fax: +82 31 290 7996
EMail: pauljeong@skku.edu
URI: http://iotlab.skku.edu/people-jaehoon-jeong.php

Chaehong Chung
Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419
Republic of Korea

Phone: +82 10 8541 7158
EMail: darkhong@skku.edu

Susan Hares
Huawei
7453 Hickory Hill
Saline, MI 48176
USA

Phone: +1-734-604-0332
EMail: shares@ndzh.com

Liang Xia (Frank)
 End of changes. 92 change blocks. 
1766 lines changed or deleted 1736 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/