--- 1/draft-ietf-i2nsf-nsf-monitoring-data-model-07.txt 2021-04-29 08:13:20.233204892 -0700 +++ 2/draft-ietf-i2nsf-nsf-monitoring-data-model-08.txt 2021-04-29 08:13:20.425209654 -0700 @@ -1,23 +1,23 @@ Network Working Group J. Jeong, Ed. Internet-Draft P. Lingga Intended status: Standards Track Sungkyunkwan University -Expires: October 2, 2021 S. Hares +Expires: October 31, 2021 S. Hares L. Xia Huawei H. Birkholz Fraunhofer SIT - March 31, 2021 + April 29, 2021 I2NSF NSF Monitoring Interface YANG Data Model - draft-ietf-i2nsf-nsf-monitoring-data-model-07 + draft-ietf-i2nsf-nsf-monitoring-data-model-08 Abstract This document proposes an information model and the corresponding YANG data model of an interface for monitoring Network Security Functions (NSFs) in the Interface to Network Security Functions (I2NSF) framework. If the monitoring of NSFs is performed with the NSF monitoring interface in a comprehensive way, it is possible to detect the indication of malicious activity, anomalous behavior, the potential sign of denial of service attacks, or system overload in a 
@@ -35,21 +35,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on October 2, 2021. + This Internet-Draft will expire on October 31, 2021. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -98,34 +98,34 @@ 7.5.1. DPI Log . . . . . . . . . . . . . . . . . . . . . . . 20 7.5.2. Vulnerability Scanning Log . . . . . . . . . . . . . 21 7.6. System Counter . . . . . . . . . . . . . . . . . . . . . 21 7.6.1. Interface Counter . . . . . . . . . . . . . . . . . . 21 7.7. NSF Counters . . . . . . . . . . . . . . . . . . . . . . 22 7.7.1. Firewall Counter . . . . . . . . . . . . . . . . . . 22 7.7.2. Policy Hit Counter . . . . . . . . . . . . . . . . . 24 8. NSF Monitoring Management in I2NSF . . . . . . . . . . . . . 24 9. Tree Structure . . . . . . . . . . . . . . . . . . . . . . . 25 10. YANG Data Model . . . . . . . . . . . . . . . . . . . . . . . 33 - 11. I2NSF Event Stream . . . . . . . . . . . . . . . . . . . . . 73 - 12. XML Examples for I2NSF NSF Monitoring . . . . . . . . . . . . 74 - 12.1. I2NSF System Detection Alarm . . . . . . . . . . . . . . 74 - 12.2. I2NSF Interface Counters . . . . . . . . . . . . . . . . 76 - 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 77 - 14. Security Considerations . . . . . . . . . . . . . . . . . . . 78 - 15. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 79 - 16. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 79 - 17. References . . . . . . . . . . . . . . . . . . . . . . . . . 80 - 17.1. Normative References . . . . . . . . . . . . . . . . . . 80 - 17.2. Informative References . . . . . . . . . . . . . . . . . 83 + 11. I2NSF Event Stream . . . . . . . . . . . . . . . . . . . . . 74 + 12. XML Examples for I2NSF NSF Monitoring . . . . . . . . . . . . 75 + 12.1. I2NSF System Detection Alarm . . . . . . . . . . . . . . 75 + 12.2. I2NSF Interface Counters . . . . . . . . . . . . . . . . 77 + 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 78 + 14. Security Considerations . . . . . . . . . . . . . . . . . . . 79 + 15. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 80 + 16. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 
80 + 17. References . . . . . . . . . . . . . . . . . . . . . . . . . 81 + 17.1. Normative References . . . . . . . . . . . . . . . . . . 81 + 17.2. Informative References . . . . . . . . . . . . . . . . . 84 Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data- - model-06 . . . . . . . . . . . . . . . . . . . . . . 85 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 85 + model-07 . . . . . . . . . . . . . . . . . . . . . . 86 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 86 1. Introduction According to [RFC8329], the interface provided by a Network Security Function (NSF) (e.g., Firewall, IPS, Anti-DDoS, or Anti-Virus function) to administrative entities (e.g., Security Controller) to enable remote management (i.e., configuring and monitoring) is referred to as an I2NSF Monitoring Interface. Monitoring procedures intent to acquire vital types of data with respect to NSFs, (e.g., alarms, records, and counters) via data in motion (e.g., queries, 
@@ -1551,44 +1551,46 @@ +--ro message? string +--ro vendor-name? string +--ro nsf-name? string +--ro severity? severity Figure 1: Information Model for NSF Monitoring 10. YANG Data Model This section describes a YANG module of I2NSF NSF Monitoring. This - YANG module imports from [RFC6991], and makes references to [RFC0768] - [RFC0791][RFC0792][RFC0793][RFC0956][RFC2616][RFC4443][RFC8200][RFC86 - 41]. + YANG module imports from [RFC6991], and makes references to + [RFC0768][RFC0791] [RFC0792][RFC0793][RFC0956] + [RFC0959][RFC2616][RFC4443] [RFC8200][RFC8632][RFC8641]. - file "ietf-i2nsf-nsf-monitoring@2021-03-31.yang" + file "ietf-i2nsf-nsf-monitoring@2021-04-29.yang" module ietf-i2nsf-nsf-monitoring { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"; prefix nsfmi; import ietf-inet-types{ prefix inet; reference "Section 4 of RFC 6991"; } import ietf-yang-types { prefix yang; reference "Section 3 of RFC 6991"; } import ietf-i2nsf-policy-rule-for-nsf { prefix nsfi; + reference + "Section 4.1 of draft-ietf-i2nsf-nsf-facing-interface-dm-12"; } organization "IETF I2NSF (Interface to Network Security Functions) Working Group"; contact "WG Web: WG List: Editor: Jaehoon Paul Jeong 
@@ -1606,24 +1608,24 @@ without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself for full legal notices."; - revision "2021-03-31" { - description "Initial revision"; + revision "2021-04-29" { + description "Latest revision"; reference - "RFC XXXX: I2NSF NSF Monitoring YANG Data Model"; + "RFC XXXX: I2NSF NSF Monitoring Interface YANG Data Model"; // RFC Ed.: replace XXXX with an actual RFC number and remove // this note. } /* * Typedefs */ typedef severity { @@ -2325,26 +2328,26 @@ content elements"; leaf dst-ip { type inet:ip-address; description "The destination IPv4 (IPv6) address of the packet"; } leaf dst-port { type inet:port-number; description "The destination port of the packet"; - } leaf rule-name { type leafref { path - "/nsfi:i2nsf-security-policy/nsfi:system-policy/nsfi:rules/nsfi:rule-name"; + "/nsfi:i2nsf-security-policy/nsfi:system-policy" + +"/nsfi:rules/nsfi:rule-name"; } mandatory true; description "The name of the rule being triggered"; } leaf raw-info { type string; description "The information describing the packet triggering the event."; @@ -2517,24 +2519,26 @@ type uint64; units "bytes"; description "Total outbound drop bytes"; } uses traffic-rates; } grouping i2nsf-nsf-counters-type-content{ description "A set of contents of a policy in an NSF."; + leaf policy-name { type leafref { path - "/nsfi:i2nsf-security-policy/nsfi:system-policy/nsfi:system-policy-name"; + "/nsfi:i2nsf-security-policy/nsfi:system-policy" + +"/nsfi:system-policy-name"; } mandatory true; description "The name of the policy being triggered"; } leaf src-user{ type string; description "User who generates the policy"; } 
@@ -2562,26 +2566,32 @@ default "0"; description "Specifies the minimum interval between the assembly of successive update records for a single receiver of a subscription. Whenever subscribed objects change and a dampening-period interval (which may be zero) has elapsed since the previous update record creation for a receiver, any subscribed objects and properties that have changed since the previous update record will have their current values marshalled and placed - in a new update record."; + in a new update record. But if the subscribed objects change + when the dampening-period is active, it should update the + record without sending the notification until the dampening- + period is finished. If multiple changes happen during the + active dampening-period, it should update the record with the + latest data. And at the end of the dampening-period, it should + send the record as a notification with the latest updated + record and restart the countdown."; reference "RFC 8641: Subscription to YANG Notifications for Datastore Updates - Section 5."; } - } /* * Feature Nodes */ feature i2nsf-nsf-detection-ddos { description "This feature means it supports I2NSF nsf-detection-ddos notification"; 
@@ -3083,38 +3091,40 @@ base botnet-attack-type; } description "The attack type for botnet attack"; } leaf protocol { type identityref { base protocol-type; } description - "The protocol type for nsf-detection-botnet notification"; + "The protocol type for nsf-detection-botnet + notification"; } leaf botnet-name { type string; description "The name of the detected botnet"; } leaf role { type string; description "The role of the communicating parties within the botnet"; } uses log-action; leaf botnet-pkt-num{ type uint8; description - "The number of the packets sent to or from the detected botnet"; + "The number of the packets sent to or from the detected + botnet"; } leaf os{ type string; description "Simple OS information"; } uses characteristics; uses common-monitoring-data; } } @@ -3279,23 +3290,23 @@ description "Interface counters provide the visibility of traffic into and out of an NSF, and bandwidth usage."; uses characteristics; uses i2nsf-system-counter-type-content; uses common-monitoring-data; } list nsf-firewall { key policy-name; description - "Firewall counters provide the visibility of traffic signatures, - bandwidth usage, and how the configured security and bandwidth - policies have been applied."; + "Firewall counters provide the visibility of traffic + signatures, bandwidth usage, and how the configured security + and bandwidth policies have been applied."; uses characteristics; uses i2nsf-nsf-counters-type-content; uses traffic-rates; uses common-monitoring-data; } list nsf-policy-hits { key policy-name; description "Policy Hit Counters record the number of hits that traffic packets match a security policy. It can check if policy 
@@ -3376,31 +3386,30 @@ container i2nsf-nsf-detection-ddos { if-feature "i2nsf-nsf-detection-ddos"; description "The container for configuring I2NSF nsf-detection-ddos notification"; uses enable-notification; uses dampening; } container i2nsf-nsf-detection-session-table-configuration { description - "The container for configuring I2NSF nsf-detection-session-table - notification"; + "The container for configuring I2NSF nsf-detection-session- + table notification"; uses enable-notification; uses dampening; } container i2nsf-nsf-detection-virus { if-feature "i2nsf-nsf-detection-virus"; description "The container for configuring I2NSF nsf-detection-virus notification"; - uses enable-notification; uses dampening; } container i2nsf-nsf-detection-intrusion { if-feature "i2nsf-nsf-detection-intrusion"; description "The container for configuring I2NSF nsf-detection-intrusion notification"; uses enable-notification; uses dampening; @@ -3488,34 +3497,37 @@ "I2NSF-Monitoring". The NETCONF Server (e.g., an NSF) MUST support "I2NSF-Monitoring" event stream for an NSF data collector (e.g., Security Controller and NSF data analyzer). The "I2NSF-Monitoring" event stream contains all I2NSF events described in this document. The following example shows the capabilities of the event streams of an NSF (e.g., "NETCONF" and "I2NSF-Monitoring" event streams) by the subscription of an NSF data collector; note that this example XML file is delivered by an NSF to an NSF data collector: - + NETCONF Default NETCONF Event Stream false I2NSF-Monitoring I2NSF Monitoring Event Stream true - 2021-03-31T09:37:39+00:00 + + 2021-04-29T09:37:39+00:00 + Figure 3: Example of NETCONF Server supporting I2NSF-Monitoring Event Stream 12. XML Examples for I2NSF NSF Monitoring 
@@ -3524,38 +3536,47 @@ delivered via Monitoring Interface from an NSF. 12.1. I2NSF System Detection Alarm The following example shows an alarm triggered by Memory Usage of the server; note that this example XML file is delivered by an NSF to an NSF data collector: - 2021-03-31T07:43:52.181088+00:00 - + 2021-04-29T07:43:52.181088+00:00 + - + nsfmi:mem-usage-alarm - + nsfmi:subscription - + nsfmi:on-change - + nsfmi:on-repetition 91 90 - Memory Usage Exceeded The Threshold + Memory Usage Exceeded the Threshold time_based_firewall high Figure 4: Example of I2NSF System Detection Alarm triggered by Memory Usage The XML data above shows: @@ -3580,51 +3601,58 @@ 12.2. I2NSF Interface Counters To get the I2NSF system interface counters information by query, NETCONF Client (e.g., NSF data collector) needs to initiate GET connection with NETCONF Server (e.g., NSF). The following XML file can be used to get the state data and filter the information. - + Figure 5: XML Example for NETCONF GET with System Interface Filter The following XML file shows the reply from the NETCONF Server (e.g., NSF): - + - + ens3 - + nsfmi:query 549050 814956 0 5078 time_based_firewall lo - + nsfmi:query 48487 48487 0 0 time_based_firewall 
@@ -3691,21 +3719,21 @@ 15. Acknowledgments This work was supported by Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning). This work was supported in part by the IITP (2020-0-00395, Standard Development of Blockchain based Network Management Automation Technology). This work was supported in part by the MSIT under the Information Technology Research Center - (ITRC) support program (IITP-2020-2017-0-01633) supervised by the + (ITRC) support program (IITP-2021-2017-0-01633) supervised by the IITP. 16. Contributors This document is made by the group effort of I2NSF working group. Many people actively contributed to this document. The authors sincerely appreciate their contributions. The following are co-authors of this document: @@ -3775,20 +3803,24 @@ . [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC 793, DOI 10.17487/RFC0793, September 1981, . [RFC0956] Mills, D., "Algorithms for synchronizing network clocks", RFC 956, DOI 10.17487/RFC0956, September 1985, . + [RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol", + STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985, + . + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, DOI 10.17487/RFC2616, June 1999, . 
@@ -3881,20 +3913,24 @@ [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., and R. Wilton, "YANG Library", RFC 8525, DOI 10.17487/RFC8525, March 2019, . + [RFC8632] Vallin, S. and M. Bjorklund, "A YANG Data Model for Alarm + Management", RFC 8632, DOI 10.17487/RFC8632, September + 2019, . + [RFC8639] Voit, E., Clemm, A., Gonzalez Prieto, A., Nilsen-Nygaard, E., and A. Tripathy, "Subscription to YANG Notifications", RFC 8639, DOI 10.17487/RFC8639, September 2019, . [RFC8641] Clemm, A. and E. Voit, "Subscription to YANG Notifications for Datastore Updates", RFC 8641, DOI 10.17487/RFC8641, September 2019, . 17.2. Informative References 
@@ -3906,70 +3942,59 @@ applicability-18 (work in progress), September 2019. [I-D.ietf-i2nsf-capability] Xia, L., Strassner, J., Basile, C., and D. Lopez, "Information Model of NSFs Capabilities", draft-ietf- i2nsf-capability-05 (work in progress), April 2019. [I-D.ietf-i2nsf-consumer-facing-interface-dm] Jeong, J., Chung, C., Ahn, T., Kumar, R., and S. Hares, "I2NSF Consumer-Facing Interface YANG Data Model", draft- - ietf-i2nsf-consumer-facing-interface-dm-12 (work in - progress), September 2020. + ietf-i2nsf-consumer-facing-interface-dm-13 (work in + progress), March 2021. [I-D.ietf-i2nsf-nsf-facing-interface-dm] Kim, J., Jeong, J., J., J., PARK, P., Hares, S., and Q. Lin, "I2NSF Network Security Function-Facing Interface YANG Data Model", draft-ietf-i2nsf-nsf-facing-interface- - dm-10 (work in progress), August 2020. + dm-12 (work in progress), March 2021. [I-D.ietf-i2nsf-registration-interface-dm] Hyun, S., Jeong, J., Roh, T., Wi, S., J., J., and P. PARK, "I2NSF Registration Interface YANG Data Model", draft- - ietf-i2nsf-registration-interface-dm-09 (work in - progress), August 2020. + ietf-i2nsf-registration-interface-dm-10 (work in + progress), February 2021. [I-D.ietf-netconf-subscribed-notifications] Voit, E., Clemm, A., Prieto, A., Nilsen-Nygaard, E., and A. Tripathy, "Subscription to YANG Event Notifications", draft-ietf-netconf-subscribed-notifications-26 (work in progress), May 2019. [I-D.ietf-netconf-yang-push] Clemm, A. and E. Voit, "Subscription to YANG Datastores", draft-ietf-netconf-yang-push-25 (work in progress), May 2019. [I-D.yang-i2nsf-security-policy-translation] - Jeong, J., Yang, J., Chung, C., and J. Kim, "Security + Jeong, J., Lingga, P., Yang, J., and C. Chung, "Security Policy Translation in Interface to Network Security Functions", draft-yang-i2nsf-security-policy- - translation-07 (work in progress), November 2020. + translation-08 (work in progress), February 2021. -Appendix A. 
Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-06 +Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-07 The following changes are made from draft-ietf-i2nsf-nsf-monitoring- - data-model-06: - - o This version is revised according to the comments of Andy Bierman - who is a YANG doctor. - - o This version updates its title as "I2NSF NSF Monitoring Interface - YANG Data Model". It clarifies the NSF Monitoring Interface to - deliver NSF monitoring data to an NSF data collector (e.g., - Security Controller and NSF data analyzer). - - o This version adds an attack destination IP address for DDoS-attack - event to provide I2NSF Analyser with more information about the - destination of DDoS-attack packets. + data-model-07: - o This version supports a notification for monitoring traffic flows. + o This version is revised according to the comments from both Tom + Petch and Andy Bierman. Authors' Addresses Jaehoon (Paul) Jeong (editor) Department of Computer Science and Engineering Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon, Gyeonggi-Do 16419 Republic of Korea
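Review bot: The new 'reference "Section 4.1 of draft-ietf-i2nsf-nsf-facing-interface-dm-12";' on the ietf-i2nsf-policy-rule-for-nsf import pins a specific draft revision inside the module text without an RFC Editor note, whereas the revision statement's "RFC XXXX" placeholder carries "// RFC Ed.: replace XXXX with an actual RFC number and remove this note."; add a matching RFC Ed. note (or drop the revision number) so the import reference is not stale at publication. In the same hunk the citation list in the Section 10 lead paragraph mixes separators ("[RFC0768][RFC0791] [RFC0792][RFC0793][RFC0956] [RFC0959]..."); use one consistent spacing between bracketed citations.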
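Review bot: Changing the revision description from "Initial revision" to "Latest revision" replaces a conventional description with one that says nothing about what changed and becomes inaccurate as soon as a second revision statement is added; keep "Initial revision" for the single pre-publication revision, or describe the actual changes. The rest of the revision hunk is consistent: the date 2021-04-29 matches the new file name "ietf-i2nsf-nsf-monitoring@2021-04-29.yang", and the reference title now matches the document title.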
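Review bot: In the "@@ -2325,26 +2328,26 @@" hunk a "-" marker sits immediately before the "}" that closes leaf dst-port, and in "@@ -2517,24 +2519,26 @@" a "+" marker sits before "leaf policy-name {". If these are only deleted and inserted blank lines the change is harmless, but as rendered they read as a removed closing brace and a newly introduced leaf; please confirm against the rendered -08 text and a module validation run that brace balance is intact and that leaf policy-name (the key of the nsf-firewall and nsf-policy-hits lists) is not new. The leafref paths split as '"/nsfi:i2nsf-security-policy/nsfi:system-policy" + "/nsfi:rules/nsfi:rule-name"' use YANG 1.1 string concatenation, which is valid given the "yang-version 1.1;" declaration at the top of the module.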
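Review bot: The sentences added to the dampening-period description use an unnamed subject ("it should update the record", "it should send the record") and lowercase "should", so it is unclear whether the publisher (the NSF) is being given a requirement or a description of expected behaviour. Name the actor, decide deliberately between RFC 2119 keywords and plain descriptive wording, and tighten the sentence openings "But if ..." and "And at the end ...". Because the statement already cites "RFC 8641: Subscription to YANG Notifications for Datastore Updates - Section 5", consider stating only what this module adds beyond RFC 8641 rather than re-specifying its coalescing semantics, so the two texts cannot drift apart.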
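Review bot: In the "@@ -3376,31 +3386,30 @@" hunk the i2nsf-nsf-detection-virus container shows a "-" marker next to "uses enable-notification;", while the sibling i2nsf-nsf-detection-ddos, i2nsf-nsf-detection-session-table-configuration and i2nsf-nsf-detection-intrusion containers keep both "uses enable-notification;" and "uses dampening;". If this is only a deleted blank line, nothing changes; if the grouping was actually removed, the virus notification can no longer be switched on and off like the others. Please confirm which it is in the rendered -08 text, and if the removal is intended, say why in the container description.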
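Review bot: The "@@ -3881,20 +3913,24 @@" hunk adds RFC 8632 (and the earlier hunk adds RFC 959) under Normative References, but within this diff both are cited only in the Section 10 lead sentence listing what the module "makes references to". Confirm that reference or description statements inside the module actually depend on RFC 8632 and RFC 959; if they are cited only for context, they belong under Informative References.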
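Review bot: The new Appendix A entry for -08 lists a single item, "revised according to the comments from both Tom Petch and Andy Bierman", but this diff contains changes a reader of the change log would want enumerated: RFC 959 and RFC 8632 added as references and to the Section 10 citation list, a reference statement added to the ietf-i2nsf-policy-rule-for-nsf import, the expanded dampening-period semantics, and the revision description change. List them as separate "o" items in the existing style.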