--- 1/draft-ietf-i2nsf-nsf-monitoring-data-model-03.txt 2020-09-07 23:13:11.635449112 -0700 +++ 2/draft-ietf-i2nsf-nsf-monitoring-data-model-04.txt 2020-09-07 23:13:11.763452368 -0700 
@@ -1,156 +1,138 @@ -Network Working Group J. Jeong -Internet-Draft C. Chung +Network Working Group J. Jeong, Ed. +Internet-Draft P. Lingga Intended status: Standards Track Sungkyunkwan University -Expires: November 8, 2020 S. Hares +Expires: March 11, 2021 S. Hares L. Xia Huawei H. Birkholz Fraunhofer SIT - May 7, 2020 + September 7, 2020 I2NSF NSF Monitoring YANG Data Model - draft-ietf-i2nsf-nsf-monitoring-data-model-03 + draft-ietf-i2nsf-nsf-monitoring-data-model-04 Abstract This document proposes an information model and the corresponding YANG data model for monitoring Network Security Functions (NSFs) in the Interface to Network Security Functions (I2NSF) framework. If the monitoring of NSFs is performed in a comprehensive way, it is possible to detect the indication of malicious activity, anomalous - behavior or the potential sign of denial of service attacks in a - timely manner. This monitoring functionality is based on the - monitoring information that is generated by NSFs. Thus, this + behavior, the potential sign of denial of service attacks, or system + overload in a timely manner. This monitoring functionality is based + on the monitoring information that is generated by NSFs. Thus, this document describes not only an information model for monitoring NSFs along with a YANG data diagram, but also the corresponding YANG data model for monitoring NSFs. -Editorial Note (To be removed by RFC Editor) - - Please update these statements within the document with the RFC - number to be assigned to this document: - - "This version of this YANG module is part of RFC 6087;" - - "RFC XXXX: I2NSF NSF Monitoring YANG Data Model" - - "reference: RFC 6087" - - Please update the "revision" date of the YANG module. - Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). 
Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on November 8, 2020. + This Internet-Draft will expire on March 11, 2021. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 2.1. Requirements Notation . . . . . . . . . . . . . . . . . . 4 - 2.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4 - 2.3. YANG . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Use Cases for NSF Monitoring Data . . . . . . . . . . . . . . 4 4. Classification of NSF Monitoring Data . . . . . . . . . . . . 5 4.1. Retention and Emission . . . . . . . . . . . . . . . . . 6 4.2. Notifications and Events . . . . . . . . . . . . . . . . 7 - 4.3. Unsolicited Poll and Solicited Push . . . . . . . . . . . 8 + 4.3. Unsolicited Poll and Solicited Push . . . . . . . . . . . 7 4.4. 
I2NSF Monitoring Terminology for Retained Information . . 8 5. Conveyance of NSF Monitoring Information . . . . . . . . . . 9 5.1. Information Types and Acquisition Methods . . . . . . . . 10 - 6. Basic Information Model for All Monitoring Data . . . . . . . 11 + 6. Basic Information Model for All Monitoring Data . . . . . . . 10 7. Extended Information Model for Monitoring Data . . . . . . . 11 7.1. System Alarms . . . . . . . . . . . . . . . . . . . . . . 11 - 7.1.1. Memory Alarm . . . . . . . . . . . . . . . . . . . . 12 - 7.1.2. CPU Alarm . . . . . . . . . . . . . . . . . . . . . . 12 + 7.1.1. Memory Alarm . . . . . . . . . . . . . . . . . . . . 11 + 7.1.2. CPU Alarm . . . . . . . . . . . . . . . . . . . . . . 11 7.1.3. Disk Alarm . . . . . . . . . . . . . . . . . . . . . 12 - 7.1.4. Hardware Alarm . . . . . . . . . . . . . . . . . . . 13 - 7.1.5. Interface Alarm . . . . . . . . . . . . . . . . . . . 13 - + 7.1.4. Hardware Alarm . . . . . . . . . . . . . . . . . . . 12 + 7.1.5. Interface Alarm . . . . . . . . . . . . . . . . . . . 12 7.2. System Events . . . . . . . . . . . . . . . . . . . . . . 13 7.2.1. Access Violation . . . . . . . . . . . . . . . . . . 13 - 7.2.2. Configuration Change . . . . . . . . . . . . . . . . 14 + 7.2.2. Configuration Change . . . . . . . . . . . . . . . . 13 7.3. NSF Events . . . . . . . . . . . . . . . . . . . . . . . 14 7.3.1. DDoS Event . . . . . . . . . . . . . . . . . . . . . 14 7.3.2. Session Table Event . . . . . . . . . . . . . . . . . 15 7.3.3. Virus Event . . . . . . . . . . . . . . . . . . . . . 15 7.3.4. Intrusion Event . . . . . . . . . . . . . . . . . . . 16 7.3.5. Botnet Event . . . . . . . . . . . . . . . . . . . . 17 7.3.6. Web Attack Event . . . . . . . . . . . . . . . . . . 18 - 7.4. System Logs . . . . . . . . . . . . . . . . . . . . . . . 19 + 7.4. System Logs . . . . . . . . . . . . . . . . . . . . . . . 18 7.4.1. Access Log . . . . . . . . . . . . . . . . . . . . . 19 7.4.2. Resource Utilization Log . . . . . 
. . . . . . . . . 19 7.4.3. User Activity Log . . . . . . . . . . . . . . . . . . 20 - 7.5. NSF Logs . . . . . . . . . . . . . . . . . . . . . . . . 21 - 7.5.1. DDoS Log . . . . . . . . . . . . . . . . . . . . . . 21 + 7.5. NSF Logs . . . . . . . . . . . . . . . . . . . . . . . . 20 + 7.5.1. DDoS Log . . . . . . . . . . . . . . . . . . . . . . 20 7.5.2. Virus Log . . . . . . . . . . . . . . . . . . . . . . 21 - 7.5.3. Intrusion Log . . . . . . . . . . . . . . . . . . . . 22 + 7.5.3. Intrusion Log . . . . . . . . . . . . . . . . . . . . 21 7.5.4. Botnet Log . . . . . . . . . . . . . . . . . . . . . 22 - 7.5.5. DPI Log . . . . . . . . . . . . . . . . . . . . . . . 23 + 7.5.5. DPI Log . . . . . . . . . . . . . . . . . . . . . . . 22 7.5.6. Vulnerability Scanning Log . . . . . . . . . . . . . 23 - 7.5.7. Web Attack Log . . . . . . . . . . . . . . . . . . . 24 + 7.5.7. Web Attack Log . . . . . . . . . . . . . . . . . . . 23 7.6. System Counter . . . . . . . . . . . . . . . . . . . . . 24 - 7.6.1. Interface counter . . . . . . . . . . . . . . . . . . 25 + 7.6.1. Interface counter . . . . . . . . . . . . . . . . . . 24 7.7. NSF Counters . . . . . . . . . . . . . . . . . . . . . . 25 - 7.7.1. Firewall counter . . . . . . . . . . . . . . . . . . 26 - 7.7.2. Policy Hit Counter . . . . . . . . . . . . . . . . . 27 + 7.7.1. Firewall counter . . . . . . . . . . . . . . . . . . 25 + 7.7.2. Policy Hit Counter . . . . . . . . . . . . . . . . . 26 8. NSF Monitoring Management in I2NSF . . . . . . . . . . . . . 27 9. Tree Structure . . . . . . . . . . . . . . . . . . . . . . . 28 - 10. YANG Data Model . . . . . . . . . . . . . . . . . . . . . . . 37 - 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 72 + 10. YANG Data Model . . . . . . . . . . . . . . . . . . . . . . . 36 + 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 71 12. Security Considerations . . . . . . . . . . . . . . . . . . . 72 - 13. Acknowledgments . . . . . . . . . . . . . . . . . . 
. . . . . 73 + 13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 72 14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 73 - 15. References . . . . . . . . . . . . . . . . . . . . . . . . . 73 - 15.1. Normative References . . . . . . . . . . . . . . . . . . 73 - 15.2. Informative References . . . . . . . . . . . . . . . . . 75 + 15. References . . . . . . . . . . . . . . . . . . . . . . . . . 74 + 15.1. Normative References . . . . . . . . . . . . . . . . . . 74 + 15.2. Informative References . . . . . . . . . . . . . . . . . 77 Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data- - model-02 . . . . . . . . . . . . . . . . . . . . . . 77 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 77 + model-03 . . . . . . . . . . . . . . . . . . . . . . 79 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 79 1. Introduction - According to [I-D.ietf-i2nsf-terminology], the interface provided by - a Network Security Function (NSF) (e.g., Firewall, IPS, Anti-DDoS, or - Anti-Virus function) to administrative entities (e.g., Security - Controller) to enable remote management (i.e., configuring and - monitoring) is referred to as an I2NSF NSF-Facing Interface - + According to [RFC8329], the interface provided by a Network Security + Function (NSF) (e.g., Firewall, IPS, Anti-DDoS, or Anti-Virus + function) to administrative entities (e.g., Security Controller) to + enable remote management (i.e., configuring and monitoring) is + referred to as an I2NSF NSF-Facing Interface [I-D.ietf-i2nsf-nsf-facing-interface-dm]. Monitoring procedures intent to acquire vital types of data with respect to NSFs, (e.g., alarms, records, and counters) via data in motion (e.g., queries, notifications, and events). The monitoring of NSF plays an important role in an overall security framework, if it is done in a timely and comprehensive way. 
The monitoring information generated by an NSF can be a good, early indication of anomalous behavior or malicious activity, such as denial of service attacks (DoS). This document defines a comprehensive NSF monitoring information @@ -161,34 +143,23 @@ information model for monitoring presented in this document is a complementary information model to the information model for the security policy provisioning functionality of the NSF-Facing Interface specified in [I-D.ietf-i2nsf-capability]. This document also defines a YANG [RFC7950] data model for monitoring NSFs, which is derived from the information model for NSF monitoring. 2. Terminology -2.1. Requirements Notation - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in [RFC2119] [RFC8174]. - -2.2. Definitions - - The terms, which are used in this document, are defined in the I2NSF - terminology document [I-D.ietf-i2nsf-terminology] [RFC8329]. - -2.3. YANG + This document uses the terminology described in [RFC8329]. - This document follows the guidelines of [RFC6087], uses the common + This document follows the guidelines of [RFC8407], uses the common YANG types defined in [RFC6991], and adopts the Network Management Datastore Architecture (NMDA) [RFC8342]. The meaning of the symbols in tree diagrams is defined in [RFC8340]. 3. Use Cases for NSF Monitoring Data As mentioned earlier, monitoring plays a critical role in an overall security framework. The monitoring of the NSF provides very valuable information to the security controller in maintaining the provisioned security posture. Besides this, there are various other reasons to 
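Review bot: the retained Introduction context in this hunk still reads "Monitoring procedures intent to acquire vital types of data with respect to NSFs, (e.g., alarms, records, and counters)"; since the surrounding paragraph is being reworked anyway, change "intent" to "intend" and drop the comma before the parenthetical. Also, deleting the front-matter "Editorial Note (To be removed by RFC Editor)" leaves only the two "// RFC Ed.:" comments inside the YANG module as RFC Editor instructions; the deleted note also asked for the module "revision" date to be updated, and nothing in the new text carries that instruction, so add it to one of the in-module comments.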
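Review bot: removing Section 2.1 (the BCP 14 key-words paragraph citing [RFC2119] and [RFC8174]) is only correct if no uppercase MUST/SHOULD/MAY terms remain anywhere in the draft; the hunks shown here use only lowercase forms ("The following information should be included in a Web Attack Alarm"), but the parts of the document outside this diff need the same check before the boilerplate goes. Also, since [I-D.ietf-i2nsf-terminology] is dropped from Section 2 and from every other place this diff touches, confirm it is removed from the References section too, or it becomes an unused reference.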
@@ -242,48 +213,45 @@ o Retention and Emission o Notifications and Events o Unsolicited Poll and Solicited Push The Alarm Management Framework in [RFC3877] defines an Event as something that happens which may be of interest. It defines a fault as a change in status, crossing a threshold, or an external input to - the system. In the I2NSF domain, I2NSF events - [I-D.ietf-i2nsf-terminology] are created and the scope of the Alarm - Management Framework's Events is still applicable due to its broad - definition. The model presented in this document elaborates on the - workflow of creating I2NSF events in the context of NSF monitoring - and on the way initial I2NSF events are created. + the system. In the I2NSF domain, I2NSF events are created and the + scope of the Alarm Management Framework's Events is still applicable + due to its broad definition. The model presented in this document + elaborates on the workflow of creating I2NSF events in the context of + NSF monitoring and on the way initial I2NSF events are created. As with I2NSF components, every generic system entity can include a - set of capabilities [I-D.ietf-i2nsf-terminology] that creates - information about the context, composition, configuration, state or - behavior of that system entity. This information is intended to be - provided to other consumers of information and in the scope of this - document, which deals with NSF information monitoring in an automated - fashion. + set of capabilities that creates information about the context, + composition, configuration, state or behavior of that system entity. + This information is intended to be provided to other consumers of + information and in the scope of this document, which deals with NSF + information monitoring in an automated fashion. 4.1. 
Retention and Emission Typically, a system entity populates standardized interface, such as SNMP, NETCONF, RESTCONF or CoMI to provide and emit created - information directly via NSF-Facing Interface - [I-D.ietf-i2nsf-terminology]. Alternatively, the created information - is retained inside the system entity (or a hierarchy of system - entities in a composite device) via records or counters that are not - exposed directly via NSF-Facing Interfaces. + information directly via NSF-Facing Interface. Alternatively, the + created information is retained inside the system entity (or a + hierarchy of system entities in a composite device) via records or + counters that are not exposed directly via NSF-Facing Interfaces. Information emitted via standardized interfaces can be consumed by an - I2NSF User [I-D.ietf-i2nsf-terminology] that includes the capability - to consume information not only via an I2NSF Interface(e.g., + I2NSF User that includes the capability to consume information not + only via an I2NSF Interface(e.g., [I-D.ietf-i2nsf-consumer-facing-interface-dm]) but also via interfaces complementary to the standardized interfaces a generic system entity provides. Information retained on a system entity requires a corresponding I2NSF User to access aggregated records of information, typically in the form of log-files or databases. There are ways to aggregate records originating from different system entities over a network, for examples via Syslog Protocol [RFC5424] or Syslog over TCP [RFC6587]. But even if records are conveyed, the result is the same 
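Review bot: style only, in the Section 4.1 lines this hunk rewraps: "populates standardized interface, such as SNMP, NETCONF, RESTCONF or CoMI" needs an article ("a standardized interface"), "directly via NSF-Facing Interface" likewise ("the NSF-Facing Interface"), and "I2NSF Interface(e.g.," is missing the space before the parenthesis. Fixing them here avoids another editorial pass on the same paragraph.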
@@ -306,28 +274,27 @@ o a system entity that retains an aggregation of records o an I2NSF Component that includes the capabilities of using standardized interfaces provided by other system entities that are not I2NSF Components o an I2NSF Component that creates the information 4.2. Notifications and Events - A specific task of I2NSF User is to process I2NSF Policy Rules - [I-D.ietf-i2nsf-terminology]. The rules of a policy are composed of - three clauses: Events, Conditions, and Actions. In consequence, an - I2NSF Event is specified to trigger an I2NSF Policy Rule. Such an - I2NSF Event is defined as any important occurrence over time in the - system being managed, and/or in the environment of the system being - managed in [I-D.ietf-i2nsf-terminology], which aligns well with the - generic definition of Event from [RFC3877]. + A specific task of I2NSF User is to process I2NSF Policy Rules. The + rules of a policy are composed of three clauses: Events, Conditions, + and Actions. In consequence, an I2NSF Event is specified to trigger + an I2NSF Policy Rule. Such an I2NSF Event is defined as any + important occurrence over time in the system being managed, and/or in + the environment of the system being managed, which aligns well with + the generic definition of Event from [RFC3877]. The model illustrated in this document introduces a complementary type of information that can be a conveyed notification. Notification: An occurrence of a change of context, composition, configuration, state or behavior of a system entity that can be directly or indirectly observed by an I2NSF User and can be used as input for an event-clause in I2NSF Policy Rules. A notification is similar to an I2NSF Event with the exception 
@@ -825,29 +792,28 @@ 7. The packet from the zombie host to the victim o botnet_info: Simple description of Botnet o rule_id: The ID of the rule being triggered o rule_name: The name of the rule being triggered o profile: Security profile that traffic matches - o raw_info: The information describing the packet triggering the event. 7.3.6. Web Attack Event The following information should be included in a Web Attack Alarm: - o event_name: The name of event. e.g., SEC_EVENT_WebAttack + o event_name: The name of event. e.g., SEC_EVENT_Web_Attack o sub_attack_type: Concrete web attack type. e.g., SQL injection, command injection, XSS, CSRF o src_ip: The source IP address of the packet o dst_ip: The destination IP address of the packet o src_port: The source port number of the packet 
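Review bot: removing "o raw_info: The information describing the packet triggering the event." from the Botnet Event list (Section 7.3.5) puts the information model out of step with the YANG tree, where nsf-detection-botnet still carries "+--ro raw-info? string" next to rule-id, rule-name and profile, exactly as the virus, intrusion and web-attack notifications do. Either keep the bullet or remove the leaf from the module; as it stands Section 7 and the tree describe different notifications.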
@@ -1309,38 +1271,38 @@ interface. The role of Ve-Vnfm is to request VNF lifecycle management (e.g., the instantiation and de-instantiation of an NSF, and load balancing among NSFs), exchange configuration information, and exchange status information for a network service. In the I2NSF framework, the DMS manages data about resource states and network traffic for the lifecycle management of an NSF. Therefore, the generated monitoring data from NSFs are delivered from the Security Controller to the DMS via Registration Interface. These data are delivered from the DMS to the VNF Manager in the Management and Orchestration (MANO) in the NFV - system [I-D.yang-i2nsf-nfv-architecture]. + system [I-D.ietf-i2nsf-applicability]. o I2NSF NSF-Facing Interface [I-D.ietf-i2nsf-nsf-facing-interface-dm]: After a high-level security policy from I2NSF User is translated by security policy translator [I-D.yang-i2nsf-security-policy-translation] in the Security Controller, the translated security policy (i.e., low- level policy) is applied to an NSF via NSF-Facing Interface. The monitoring data model specifies the list of events that can trigger Event-Condition-Action (ECA) policies via NSF-Facing Interface. 9. Tree Structure The tree structure of the NSF monitoring YANG module is provided below: - module: ietf-i2nsf-monitor + module: ietf-i2nsf-nsf-monitoring +--rw counters +--rw system-interface | +--rw acquisition-method? identityref | +--rw emission-type? identityref | +--rw dampening-type? identityref | +--rw interface-name? string | +--rw in-total-traffic-pkts? uint32 | +--rw out-total-traffic-pkts? uint32 | +--rw in-total-traffic-bytes? uint32 | +--rw out-total-traffic-bytes? uint32 
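Review bot: the renamed module's tree still models the counters subtree as configuration ("+--rw counters", "+--rw in-total-traffic-pkts? uint32", "+--rw out-total-traffic-bytes? uint32"); packet and byte totals are operational state produced by the NSF, so the container should be config false and appear as "ro", consistent with the notifications further down. While touching these leaves, uint32 byte totals wrap at 4 GiB; yang:counter64 from RFC 6991, which the module already imports, is the usual type for traffic counters.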
@@ -1360,22 +1322,22 @@ | +--rw message? string | +--rw time-stamp? yang:date-and-time | +--rw vendor-name? string | +--rw nsf-name? string | +--rw module-name? string | +--rw severity? severity +--rw nsf-firewall | +--rw acquisition-method? identityref | +--rw emission-type? identityref | +--rw dampening-type? identityref - | +--rw src-ip? inet:ipv4-address - | +--rw dst-ip? inet:ipv4-address + | +--rw src-ip? inet:ip-address + | +--rw dst-ip? inet:ip-address | +--rw src-port? inet:port-number | +--rw dst-port? inet:port-number | +--rw src-zone? string | +--rw dst-zone? string | +--rw src-region? string | +--rw dst-region? string | +--rw policy-id? uint8 | +--rw policy-name? string | +--rw src-user? string | +--rw protocol? identityref @@ -1386,22 +1348,22 @@ | +--rw in-traffic-ave-speed? uint32 | +--rw in-traffic-peak-speed? uint32 | +--rw out-traffic-ave-rate? uint32 | +--rw out-traffic-peak-rate? uint32 | +--rw out-traffic-ave-speed? uint32 | +--rw out-traffic-peak-speed? uint32 +--rw nsf-policy-hits +--rw acquisition-method? identityref +--rw emission-type? identityref +--rw dampening-type? identityref - +--rw src-ip? inet:ipv4-address - +--rw dst-ip? inet:ipv4-address + +--rw src-ip? inet:ip-address + +--rw dst-ip? inet:ip-address +--rw src-port? inet:port-number +--rw dst-port? inet:port-number +--rw src-zone? string +--rw dst-zone? string +--rw src-region? string +--rw dst-region? string +--rw policy-id? uint8 +--rw policy-name? string +--rw src-user? string +--rw protocol? identityref 
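Review bot: widening src-ip and dst-ip from inet:ipv4-address to inet:ip-address in nsf-policy-hits (and in nsf-firewall in the preceding hunk) is the right fix, but the adjacent "+--rw policy-id? uint8" left unchanged in both places caps the identifier at 255; policy identifiers in a controller-managed NSF are not bounded that way, so use uint32, or a string if vendors assign non-numeric IDs. These per-policy statistics are also still "rw", and like the system counters they are operational state that should be config false.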
@@ -1428,31 +1390,31 @@ | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity +---n system-detection-event | +--ro event-category? identityref | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro dampening-type? identityref | +--ro user string | +--ro group string - | +--ro login-ip-addr inet:ipv4-address + | +--ro login-ip-addr inet:ip-address | +--ro authentication? identityref | +--ro message? string | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity +---n nsf-detection-flood | +--ro event-name? identityref - | +--ro dst-ip? inet:ipv4-address + | +--ro dst-ip? inet:ip-address | +--ro dst-port? inet:port-number | +--ro rule-id uint8 | +--ro rule-name string | +--ro profile? string | +--ro raw-info? string | +--ro sub-attack-type? identityref | +--ro start-time yang:date-and-time | +--ro end-time yang:date-and-time | +--ro attack-rate? uint32 | +--ro attack-speed? uint32 
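Review bot: "+--ro rule-id uint8" in nsf-detection-flood is mandatory (no "?") and limited to 0..255; a flood-detection rule set on a production NSF exceeds that easily, and a mandatory leaf that cannot represent the value forces the NSF to truncate the ID or suppress the notification. Consider uint32 and, since rule-id and rule-name recur in every nsf-detection-* notification in this diff, a shared grouping so the type is defined once.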
@@ -1466,105 +1428,105 @@ | +--ro current-session? uint8 | +--ro maximum-session? uint8 | +--ro threshold? uint8 | +--ro message? string | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity +---n nsf-detection-virus - | +--ro src-ip? inet:ipv4-address - | +--ro dst-ip? inet:ipv4-address + | +--ro src-ip? inet:ip-address + | +--ro dst-ip? inet:ip-address | +--ro src-port? inet:port-number | +--ro dst-port? inet:port-number | +--ro src-zone? string | +--ro dst-zone? string | +--ro rule-id uint8 | +--ro rule-name string | +--ro profile? string | +--ro raw-info? string | +--ro virus? identityref | +--ro virus-name? string | +--ro file-type? string | +--ro file-name? string | +--ro message? string | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity +---n nsf-detection-intrusion - | +--ro src-ip? inet:ipv4-address - | +--ro dst-ip? inet:ipv4-address + | +--ro src-ip? inet:ip-address + | +--ro dst-ip? inet:ip-address | +--ro src-port? inet:port-number | +--ro dst-port? inet:port-number | +--ro src-zone? string | +--ro dst-zone? string | +--ro rule-id uint8 | +--ro rule-name string | +--ro profile? string | +--ro raw-info? string | +--ro protocol? identityref | +--ro app? string | +--ro sub-attack-type? identityref | +--ro message? string | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity +---n nsf-detection-botnet - | +--ro src-ip? inet:ipv4-address - | +--ro dst-ip? inet:ipv4-address + | +--ro src-ip? inet:ip-address + | +--ro dst-ip? inet:ip-address | +--ro src-port? inet:port-number | +--ro dst-port? inet:port-number | +--ro src-zone? string | +--ro dst-zone? string | +--ro rule-id uint8 | +--ro rule-name string | +--ro profile? string | +--ro raw-info? string | +--ro attack-type? 
identityref | +--ro protocol? identityref | +--ro botnet-name? string | +--ro role? string | +--ro message? string | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity +---n nsf-detection-web-attack - | +--ro src-ip? inet:ipv4-address - | +--ro dst-ip? inet:ipv4-address + | +--ro src-ip? inet:ip-address + | +--ro dst-ip? inet:ip-address | +--ro src-port? inet:port-number | +--ro dst-port? inet:port-number | +--ro src-zone? string | +--ro dst-zone? string | +--ro rule-id uint8 | +--ro rule-name string | +--ro profile? string | +--ro raw-info? string | +--ro sub-attack-type? identityref | +--ro request-method? identityref | +--ro req-uri? string | +--ro uri-category? string | +--ro filtering-type* identityref | +--ro message? string | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity +---n system-access-log - | +--ro login-ip inet:ipv4-address + | +--ro login-ip inet:ip-address | +--ro administrator? string | +--ro login-mode? login-mode | +--ro operation-type? operation-type | +--ro result? string | +--ro content? string | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro dampening-type? identityref +---n system-res-util-log | +--ro system-status? string 
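Review bot: in the session-table context at the top of this hunk, "current-session? uint8", "maximum-session? uint8" and "threshold? uint8" limit session counts to 255; the Session Table Event (Section 7.3.2) exists to report a table filling up, which on any real firewall means thousands to millions of entries, so these need uint32 or uint64 (or yang:gauge32/gauge64 from the imported RFC 6991 types). The ipv4-address to ip-address changes in the virus, intrusion, botnet and web-attack notifications and in system-access-log look correct.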
@@ -1580,32 +1542,32 @@ | +--ro out-traffic-speed? uint32 | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro dampening-type? identityref +---n system-user-activity-log | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro dampening-type? identityref | +--ro user string | +--ro group string - | +--ro login-ip-addr inet:ipv4-address + | +--ro login-ip-addr inet:ip-address | +--ro authentication? identityref | +--ro access? identityref | +--ro online-duration? string | +--ro logout-duration? string | +--ro additional-info? string +---n nsf-log-ddos | +--ro attack-type? identityref | +--ro attack-ave-rate? uint32 | +--ro attack-ave-speed? uint32 | +--ro attack-pkt-num? uint32 - | +--ro attack-src-ip? inet:ipv4-address + | +--ro attack-src-ip? inet:ip-address | +--ro action? log-action | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro dampening-type? identityref | +--ro message? string | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity 
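Review bot: "attack-src-ip? inet:ip-address" in nsf-log-ddos is a single leaf, yet a DDoS log (Section 7.5.1) summarizes an attack with many sources; a leaf-list, or a list of top sources with per-source packet counts, would match what this log is meant to carry. Also in this hunk, "online-duration? string" and "logout-duration? string" in system-user-activity-log leave unit and format unspecified; a uint32 in seconds, or yang:date-and-time endpoints, would make the values comparable by a consumer.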
@@ -1650,42 +1612,42 @@ | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity +---n nsf-log-dpi | +--ro attack-type? dpi-type | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro dampening-type? identityref - | +--ro src-ip? inet:ipv4-address - | +--ro dst-ip? inet:ipv4-address + | +--ro src-ip? inet:ip-address + | +--ro dst-ip? inet:ip-address | +--ro src-port? inet:port-number | +--ro dst-port? inet:port-number | +--ro src-zone? string | +--ro dst-zone? string | +--ro src-region? string | +--ro dst-region? string | +--ro policy-id? uint8 | +--ro policy-name? string | +--ro src-user? string | +--ro protocol? identityref | +--ro app? string | +--ro message? string | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity +---n nsf-log-vuln-scan | +--ro vulnerability-id? uint8 - | +--ro victim-ip? inet:ipv4-address + | +--ro victim-ip? inet:ip-address | +--ro protocol? identityref | +--ro port-num? inet:port-number | +--ro level? severity | +--ro os? string | +--ro vulnerability-info? string | +--ro fix-suggestion? string | +--ro service? string | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro dampening-type? identityref 
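Review bot: "vulnerability-id? uint8" in nsf-log-vuln-scan cannot hold what a scanner actually reports: CVE and vendor advisory identifiers are strings, and even numeric scanner plugin IDs exceed 255. Make it a string and state in its description which identifier scheme is expected. The victim-ip change to inet:ip-address, and the src-ip/dst-ip change in nsf-log-dpi above it, are fine.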
@@ -1709,76 +1671,81 @@ +--ro time-stamp? yang:date-and-time +--ro vendor-name? string +--ro nsf-name? string +--ro module-name? string +--ro severity? severity Figure 1: Information Model for NSF Monitoring 10. YANG Data Model - This section introduces a YANG data model for the information model - of the NSF monitoring information model. + This section describes a YANG module of I2NSF NSF Monitoring. This + YANG module imports from [RFC6991], and makes references to [RFC0768] + [RFC0791][RFC0792][RFC0793][RFC0956][RFC2616][RFC4443][RFC8200]. - file "ietf-i2nsf-monitor@2020-05-07.yang" - module ietf-i2nsf-monitor { + file "ietf-i2nsf-nsf-monitoring@2020-09-07.yang" + module ietf-i2nsf-nsf-monitoring { yang-version 1.1; namespace - "urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitor"; + "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"; prefix - iim; + nsfmi; import ietf-inet-types{ prefix inet; reference "Section 4 of RFC 6991"; } import ietf-yang-types { prefix yang; reference "Section 3 of RFC 6991"; } organization "IETF I2NSF (Interface to Network Security Functions) Working Group"; contact "WG Web: WG List: - WG Chair: Linda Dunbar - - Editor: Jaehoon Paul Jeong - Editor: Chaehong Chung - "; + Editor: Patrick Lingga + "; description - "This module is a YANG module for monitoring NSFs. + "This module is a YANG module for I2NSF NSF Monitoring. - Copyright (c) 2018 IETF Trust and the persons identified as + Copyright (c) 2020 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents - (http://trustee.ietf.org/license-info). + http://trustee.ietf.org/license-info). 
- This version of this YANG module is part of RFC 6087; see + This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; - revision "2020-05-07" { - description "The third revision"; + // RFC Ed.: replace XXXX with an actual RFC number and remove + // this note. + + revision "2020-09-07" { + description "Initial revision"; reference "RFC XXXX: I2NSF NSF Monitoring YANG Data Model"; + + // RFC Ed.: replace XXXX with an actual RFC number and remove + // this note. + } typedef severity { type enumeration { enum high { description "high-level"; } enum middle { description @@ -1836,21 +1803,21 @@ enum data-filtering{ description "DPI for filtering data"; } enum application-behavior-control{ description "DPI for controlling application behavior"; } } description - "This is used for dpi type"; + "This is used for DPI type"; } typedef operation-type{ type enumeration { enum login{ description "Login operation"; } enum logout{ description "Logout operation"; @@ -1884,32 +1850,32 @@ } identity characteristics { description "Base identity for monitoring information characteristics"; } identity acquisition-method { base characteristics; description - "The type of acquisition-method. Can be multiple + "The type of acquisition-method. It can be multiple types at once."; } identity subscription { base acquisition-method; description - "The acquisition-method type is subscription"; + "The acquisition-method type is subscription."; } identity query { base acquisition-method; description - "The acquisition-method type is query"; + "The acquisition-method type is query."; } identity emission-type { base characteristics; description "The type of emission-type."; } identity periodical { base emission-type; description "The emission-type type is periodical."; 
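Review bot: the rewritten license paragraph in the module description drops the opening parenthesis but keeps the closing one: "Relating to IETF Documents http://trustee.ietf.org/license-info)." Restore "(https://trustee.ietf.org/license-info)", which is also the form in the RFC 8407 template the draft now says it follows. Second, the contact block now names only "Editor: Patrick Lingga" after the Jeong and Chung editor lines were removed, while the title page of this same revision lists "J. Jeong, Ed."; the two should agree. The module rename (file name, namespace and prefix nsfmi) is applied consistently with the "module: ietf-i2nsf-nsf-monitoring" line in the tree.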
@@ -1964,49 +1930,48 @@ description "If authentication-mode is exemption-authentication"; } identity sso-authentication { base authentication-mode; description "If authentication-mode is sso-authentication"; } - identity alarm-type { description "Base identity for detectable alarm types"; } identity MEM-USAGE-ALARM { base alarm-type; description - "A memory alarm is alerted"; + "A memory alarm is alerted."; } identity CPU-USAGE-ALARM { base alarm-type; description - "A CPU alarm is alerted"; + "A CPU alarm is alerted."; } identity DISK-USAGE-ALARM { base alarm-type; description - "A disk alarm is alerted"; + "A disk alarm is alerted."; } identity HW-FAILURE-ALARM { base alarm-type; description - "A hardware alarm is alerted"; + "A hardware alarm is alerted."; } identity IFNET-STATE-ALARM { base alarm-type; description - "An interface alarm is alerted"; + "An interface alarm is alerted."; } identity event-type { description "Base identity for detectable event types"; } identity ACCESS-DENIED { base event-type; description "The system event is access-denied."; } 
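Review bot: this hunk only appends periods to the alarm-type descriptions and leaves the identity names MEM-USAGE-ALARM, CPU-USAGE-ALARM, DISK-USAGE-ALARM, HW-FAILURE-ALARM and IFNET-STATE-ALARM (and ACCESS-DENIED below them) in upper case, while every other identity in the module (subscription, periodical, syn-flood) is lower case; RFC 8407 Section 4.3.1, which the draft now cites as its guideline, recommends only lowercase letters, digits and dashes in identifiers. Rename them (e.g. mem-usage-alarm) in this pass, before the names are published and consumers start matching on them.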
@@ -2016,250 +1981,259 @@ "The system event is config-change."; } identity flood-type { description "Base identity for detectable flood types"; } identity syn-flood { base flood-type; description - "A SYN flood is detected"; + "A SYN flood is detected."; } identity ack-flood { base flood-type; description - "An ACK flood is detected"; + "An ACK flood is detected."; } identity syn-ack-flood { base flood-type; description - "An SYN-ACK flood is detected"; + "A SYN-ACK flood is detected."; } identity fin-rst-flood { base flood-type; description - "A FIN-RST flood is detected"; + "A FIN-RST flood is detected."; } identity tcp-con-flood { base flood-type; description - "A TCP connection flood is detected"; + "A TCP connection flood is detected."; } identity udp-flood { base flood-type; description - "A UDP flood is detected"; + "A UDP flood is detected."; } identity icmp-flood { base flood-type; description - "An ICMP flood is detected"; + "Either an ICMPv4 or ICMPv6 flood is detected."; } - identity https-flood { + identity icmpv4-flood { base flood-type; description - "A HTTPS flood is detected"; + "An ICMPv4 flood is detected."; + } + identity icmpv6-flood { + base flood-type; + description + "An ICMPv6 flood is detected."; } identity http-flood { base flood-type; description - "A HTTP flood is detected"; + "An HTTP flood is detected."; } - identity dns-reply-flood { + identity https-flood { base flood-type; description - "A DNS reply flood is detected"; + "An HTTPS flood is detected."; } identity dns-query-flood { base flood-type; description - "A DNS query flood is detected"; + "A DNS query flood is detected."; + + } + identity dns-reply-flood { + base flood-type; + description + "A DNS reply flood is detected."; } identity sip-flood { base flood-type; description - "A SIP flood is detected"; + "An SIP flood is detected."; } - identity nsf-event-name { description - "Base identity for detectable nsf event types"; + "Base identity for detectable NSF event types"; } 
identity SEC-EVENT-DDOS { base nsf-event-name; description - "The nsf event is sec-event-ddos."; + "The NSF event is sec-event-ddos."; } identity SESSION-USAGE-HIGH { base nsf-event-name; description - "The nsf event is session-usage-high"; + "The NSF event is session-usage-high."; } identity SEC-EVENT-VIRUS { base nsf-event-name; description - "The nsf event is sec-event-virus"; - + "The NSF event is sec-event-virus."; } identity SEC-EVENT-INTRUSION { base nsf-event-name; description - "The nsf event is sec-event-intrusion"; + "The NSF event is sec-event-intrusion."; } identity SEC-EVENT-BOTNET { base nsf-event-name; description - "The nsf event is sec-event-botnet"; + "The NSF event is sec-event-botnet."; } - identity SEC-EVENT-WEBATTACK { + identity SEC-EVENT-WEB-ATTACK { base nsf-event-name; description - "The nsf event is sec-event-webattack"; + "The NSF event is sec-event-web-attack."; } identity attack-type { description "The root ID of attack-based notification in the notification taxonomy"; } identity system-attack-type { base attack-type; description "This ID is intended to be used - in the context of system events"; + in the context of system events."; } identity nsf-attack-type { base attack-type; description "This ID is intended to be used - in the context of nsf event"; + in the context of NSF event."; } identity botnet-attack-type { base nsf-attack-type; description - "This is an ID stub limited to indicating - that this attack type is botnet. + "This indicates that this attack type is botnet. The usual semantic and taxonomy is missing - and name is used."; + and a name is used."; } identity virus-type { base nsf-attack-type; description - "The type of virus. Can be multiple types at once. + "The type of virus. It caan be multiple types at once. 
This attack type is associated with a detected - system-log virus-attack"; + system-log virus-attack."; } identity trojan { base virus-type; description - "The detected virus type is trojan"; + "The detected virus type is trojan."; } identity worm { base virus-type; description - "The detected virus type is worm"; + "The detected virus type is worm."; } identity macro { base virus-type; description - "The detected virus type is macro"; + "The detected virus type is macro."; } identity intrusion-attack-type { base nsf-attack-type; description - "The attack type is associated with - a detected system-log intrusion"; + "The attack type is associated with a detected + system-log intrusion."; + } identity brute-force { base intrusion-attack-type; description - "The intrusion type is brute-force"; + "The intrusion type is brute-force."; } identity buffer-overflow { base intrusion-attack-type; description - "The intrusion type is buffer-overflow"; + "The intrusion type is buffer-overflow."; } identity web-attack-type { base nsf-attack-type; description - "The attack type associated with - a detected system-log web-attack"; + "The attack type is associated with a detected + system-log web-attack."; } identity command-injection { base web-attack-type; description - "The detected web attack type is command injection"; + "The detected web attack type is command injection."; } identity xss { base web-attack-type; description - "The detected web attack type is XSS"; + "The detected web attack type is XSS."; } identity csrf { base web-attack-type; description - "The detected web attack type is CSRF"; + "The detected web attack type is CSRF."; } identity ddos-attack-type { base nsf-attack-type; description "The attack type is associated with a detected - nsf-log event"; + nsf-log event."; } identity req-method { description "A set of request types (if applicable). 
- For instance, PUT or GET in HTTP"; + For instance, PUT or GET in HTTP."; } identity put-req { base req-method; description - "The detected request type is PUT"; + "The detected request type is PUT."; + } identity get-req { base req-method; description - "The detected request type is GET"; + "The detected request type is GET."; } - identity filter-type { description - "The type of filter used to detect, for example, - a web-attack. Can be applicable to more than - web-attacks. Can be more than one type."; + "The type of filter used to detect an attack, + for example, a web-attack. It can be applicable to + more than web-attacks. It can be more than one type."; } identity whitelist { base filter-type; description - "The applied filter type is whitelist"; + "The applied filter type is whitelist."; } identity blacklist { base filter-type; description - "The applied filter type is blacklist"; + "The applied filter type is blacklist."; } identity user-defined { base filter-type; description - "The applied filter type is user-defined"; + "The applied filter type is user-defined."; } identity balicious-category { base filter-type; description - "The applied filter is balicious category"; + "The applied filter is balicious category."; } identity unknown-filter { base filter-type; description - "The applied filter is unknown"; + "The applied filter is unknown."; } identity access-mode { description "Base identity for detectable access mode."; } identity ppp { base access-mode; description "Access-mode : ppp"; @@ -2271,21 +2245,21 @@ } identity local { base access-mode; description "Access-mode : local"; } identity protocol-type { description "An identity used to enable type choices in leaves - and leaflists wrt protocol metadata."; + and leaflists with respect to protocol metadata."; } identity tcp { base ipv4; base ipv6; description "TCP protocol type."; reference "RFC 793: Transmission Control Protocol"; } identity udp { 
@@ -2295,53 +2269,64 @@ "UDP protocol type."; reference "RFC 768: User Datagram Protocol"; } identity icmp { base ipv4; base ipv6; description "General ICMP protocol type."; reference - "RFC 792: Internet Control Message Protocol"; + "RFC 792: Internet Control Message Protocol + RFC 4443: Internet Control Message Protocol + (ICMPv6) for the Internet Protocol Version 6 + (IPv6) Specification"; } identity icmpv4 { base ipv4; description "ICMPv4 protocol type."; + reference + "RFC 791: Internet Protocol + RFC 792: Internet Control Message Protocol"; } identity icmpv6 { base ipv6; description "ICMPv6 protocol type."; + reference + "RFC 8200: Internet Protocol, Version 6 (IPv6) + RFC 4443: Internet Control Message Protocol (ICMPv6) + for the Internet Protocol Version 6 (IPv6) + Specification"; } identity ip { base protocol-type; description "General IP protocol type."; reference "RFC 791: Internet Protocol - RFC 2460: Internet Protocol, Version 6 (IPv6)"; + RFC 8200: Internet Protocol, Version 6 (IPv6)"; } identity ipv4 { base ip; description "IPv4 protocol type."; reference "RFC 791: Internet Protocol"; } identity ipv6 { base ip; description "IPv6 protocol type."; reference - "RFC 2460: Internet Protocol, Version 6 (IPv6)"; + "RFC 8200: Internet Protocol, Version 6 (IPv6)"; } identity http { base tcp; description "HTPP protocol type."; reference "RFC 2616: Hypertext Transfer Protocol"; } identity ftp { base tcp; 
@@ -2349,49 +2334,48 @@ "FTP protocol type."; reference "RFC 959: File Transfer Protocol"; } grouping common-monitoring-data { description "The data set of common monitoring"; leaf message { type string; description - "This is a freetext annotation of - monitoring notification content"; + "This is a freetext annotation for + monitoring a notification's content."; } leaf time-stamp { type yang:date-and-time; description - "Indicates the time of message generation"; + "It indicates the time of a message's generation."; } leaf vendor-name { type string; description "The name of the NSF vendor"; } leaf nsf-name { type string; description - "The name (or IP) of the NSF - generating the message"; + "The name (or IP) of the NSF generating the message."; } leaf module-name { type string; description - "The module name outputting the message"; + "The module name outputting the message."; } leaf severity { type severity; description - "The severity of the alarm such - as critical, high, middle, low."; + "The severity of the alarm such as critical, high, + middle, low."; } } grouping characteristics{ description "A set of monitoring information characteristics"; leaf acquisition-method { type identityref { base acquisition-method; } description 
@@ -2421,61 +2405,63 @@ "specifies the amount of usage"; } leaf threshold { type uint8; description "The threshold triggering the alarm or the event"; } } grouping i2nsf-system-event-type-content { description - "System event metadata associated - with system events caused by user activity."; + "System event metadata associated with system events + caused by user activity."; leaf user { type string; mandatory true; description - "Name of a user"; + "The name of a user"; } leaf group { type string; mandatory true; description - "Group to which a user belongs."; + "The group to which a user belongs."; } leaf login-ip-addr { - type inet:ipv4-address; + type inet:ip-address; mandatory true; description - "Login IP address of a user."; + "Th login IPv4 (or IPv6) address of a user."; + } leaf authentication { type identityref { base authentication-mode; } description "The authentication-mode for authentication"; } } grouping i2nsf-nsf-event-type-content-extend { description - "A set of common IPv4-related NSF event - content elements"; + "A set of common IPv4-related NSF event content + elements"; leaf src-ip { - type inet:ipv4-address; + type inet:ip-address; description - "The source IP address of the packet"; + "The source IPv4 (or IPv6) address of the packet"; } leaf dst-ip { - type inet:ipv4-address; + type inet:ip-address; description - "The destination IP address of the packet"; + "The destination IPv4 (or IPv6) address of the + packet"; } leaf src-port { type inet:port-number; description "The source port of the packet"; } leaf dst-port { type inet:port-number; description "The destination port of the packet"; 
@@ -2504,32 +2489,32 @@ "The name of the rule being triggered"; } leaf profile { type string; description "Security profile that traffic matches."; } leaf raw-info { type string; description - "The information describing the packet - triggering the event."; + "The information describing the packet triggering + the event."; } } grouping i2nsf-nsf-event-type-content { description - "A set of common IPv4-related NSF event + "A set of common IPv4 (or IPv6)-related NSF event content elements"; leaf dst-ip { - type inet:ipv4-address; + type inet:ip-address; description - "The destination IP address of the packet"; + "The destination IPv4 (IPv6) address of the packet"; } leaf dst-port { type inet:port-number; description "The destination port of the packet"; } leaf rule-id { type uint8; mandatory true; description @@ -2537,33 +2522,32 @@ } leaf rule-name { type string; mandatory true; description "The name of the rule being triggered"; } leaf profile { type string; description - "Security profile that traffic matches."; + "Security profile that traffic matches"; } leaf raw-info { type string; description "The information describing the packet - triggering the event."; + triggering the event"; } } grouping traffic-rates { description - "A set of traffic rates - for statistics data"; + "A set of traffic rates for statistics data"; leaf total-traffic { type uint32; description "Total traffic"; } leaf in-traffic-ave-rate { type uint32; description "Inbound traffic average rate in pps"; } @@ -2603,21 +2586,21 @@ description "Outbound traffic peak speed in bps"; } } grouping i2nsf-system-counter-type-content{ description "A set of system counter type contents"; leaf interface-name { type string; description - "Network interface name configured in NSF"; + "Network interface name configured in an NSF"; } leaf in-total-traffic-pkts { type uint32; description "Total inbound packets"; } leaf out-total-traffic-pkts { type uint32; description "Total outbound packets"; 
@@ -2649,30 +2633,31 @@ } leaf out-drop-traffic-bytes { type uint32; description "Total outbound drop bytes"; } uses traffic-rates; } grouping i2nsf-nsf-counters-type-content{ description - "A set of nsf counters type contents"; + "A set of NSF counters type contents"; leaf src-ip { - type inet:ipv4-address; + type inet:ip-address; description - "The source IP address of the packet"; + "The source IPv4 (or IPv6) address of the packet"; } leaf dst-ip { - type inet:ipv4-address; + type inet:ip-address; description - "The destination IP address of the packet"; + "The destination IPv4 (or IPv6) address of the + packet"; } leaf src-port { type inet:port-number; description "The source port of the packet"; } leaf dst-port { type inet:port-number; description "The destination port of the packet"; @@ -2751,39 +2737,40 @@ } description "The event category for system-detection-event"; } uses characteristics; uses i2nsf-system-event-type-content; uses common-monitoring-data; } notification nsf-detection-flood { description - "This notification is sent, - when a specific flood type is detected"; + "This notification is sent, when a specific flood type + is detected."; leaf event-name { type identityref { base SEC-EVENT-DDOS; } description "The event name for nsf-detection-flood"; } uses i2nsf-nsf-event-type-content; leaf sub-attack-type { type identityref { base flood-type; } description "Any one of Syn flood, ACK flood, SYN-ACK flood, FIN/RST flood, TCP Connection flood, UDP flood, - Icmp flood, HTTPS flood, HTTP flood, DNS query flood, - DNS reply flood, SIP flood, etc."; + ICMP (i.e., ICMPv4 or ICMPv6)cmp flood, HTTP flood, + HTTPS flood, DNS query flood, DNS reply flood, SIP + flood, etc."; } leaf start-time { type yang:date-and-time; mandatory true; description "The time stamp indicating when the attack started"; } leaf end-time { type yang:date-and-time; mandatory true; 
@@ -2798,21 +2785,21 @@ leaf attack-speed { type uint32; description "The BPS speed of attack traffic"; } uses common-monitoring-data; } notification nsf-detection-session-table { description "This notification is sent, when a session table - event is detected"; + event is detected."; leaf current-session { type uint8; description "The number of concurrent sessions"; } leaf maximum-session { type uint8; description "The maximum number of sessions that the session table can support"; 
@@ -2814,86 +2801,85 @@ leaf maximum-session { type uint8; description "The maximum number of sessions that the session table can support"; } leaf threshold { type uint8; description "The threshold triggering the event"; - } uses common-monitoring-data; } notification nsf-detection-virus { description - "This notification is sent, when a virus is detected"; + "This notification is sent, when a virus is detected."; uses i2nsf-nsf-event-type-content-extend; leaf virus { type identityref { base virus-type; } description "The virus type for nsf-detection-virus notification"; } leaf virus-name { type string; description "The name of the detected virus"; } leaf file-type { type string; description - "The type of file virus code - is found in (if applicable)."; + "The type of file virus code is found in (if + applicable)."; } leaf file-name { type string; description - "The name of file virus code - is found in (if applicable)."; + "The name of file virus code is found in (if + applicable)."; } uses common-monitoring-data; } notification nsf-detection-intrusion { description "This notification is sent, when an intrusion event is detected."; uses i2nsf-nsf-event-type-content-extend; leaf protocol { type identityref { base protocol-type; } description - "The protocol type for - nsf-detection-intrusion notification"; + "The protocol type for nsf-detection-intrusion + notification"; } leaf app { type string; description "The employed application layer protocol"; } leaf sub-attack-type { type identityref { base intrusion-attack-type; } description "The sub attack type for intrusion attack"; } uses common-monitoring-data; } notification nsf-detection-botnet { description "This notification is sent, when a botnet event is - detected"; + detected."; uses i2nsf-nsf-event-type-content-extend; leaf attack-type { type identityref { base botnet-attack-type; } description "The attack type for botnet attack"; } leaf protocol { type identityref { 
@@ -2911,66 +2897,66 @@ type string; description "The role of the communicating parties within the botnet"; } uses common-monitoring-data; } notification nsf-detection-web-attack { description "This notification is sent, when an attack event is - detected"; + detected."; uses i2nsf-nsf-event-type-content-extend; leaf sub-attack-type { type identityref { base web-attack-type; } description - "Concrete web attack type, e.g., sql injection, - command injection, XSS, CSRF"; + "Concrete web attack type, e.g., SQL injection, + command injection, XSS, and CSRF."; + } leaf request-method { type identityref { base req-method; } description "The method of requirement. For instance, PUT or - GET in HTTP"; + GET in HTTP."; } leaf req-uri { type string; description "Requested URI"; } leaf uri-category { type string; description "Matched URI category"; } leaf-list filtering-type { type identityref { base filter-type; } description "URL filtering type, e.g., Blacklist, Whitelist, User-Defined, Predefined, Malicious Category, - Unknown"; + and Unknown"; } uses common-monitoring-data; } notification system-access-log { description - "The notification is sent, if there is - a new system log entry about - a system access event"; + "The notification is sent, if there is a new system + log entry about a system access event."; leaf login-ip { - type inet:ipv4-address; + type inet:ip-address; mandatory true; description "Login IP address of a user"; } leaf administrator { type string; description "Administrator that maintains the device"; } leaf login-mode { 
@@ -2984,46 +2970,44 @@ "The operation type that the administrator executes"; } leaf result { type string; description "Command execution result"; } leaf content { type string; description - "The Operation performed by an administrator - after login"; + "The Operation performed by an administrator after + login"; } uses characteristics; } notification system-res-util-log { description - "This notification is sent, if there is - a new log entry representing resource - utilization updates."; + "This notification is sent, if there is a new log + entry representing resource utilization updates."; leaf system-status { type string; description - "The current systems - running status"; + "The current systems running status"; } leaf cpu-usage { type uint8; description - "Specifies the relative amount of - cpu usage wrt platform resources"; + "Specifies the relative amount of CPU usage with + respect to platform resources"; } leaf memory-usage { type uint8; description - "Specifies the amount of memory usage"; + "Specifies the amount of memory usage."; } leaf disk-usage { type uint8; description "Specifies the amount of disk usage"; } leaf disk-left { type uint8; description "Specifies the amount of disk left"; 
@@ -3055,286 +3039,273 @@ } leaf out-traffic-speed { type uint32; description "The total outbound traffic speed in bps"; } uses characteristics; } notification system-user-activity-log { description - "This notification is sent, if there is - a new user activity log entry"; + "This notification is sent, if there is a new user + activity log entry."; uses characteristics; uses i2nsf-system-event-type-content; leaf access { type identityref { base access-mode; } description - "The access type for - system-user-activity-log notification"; + "The access type for system-user-activity-log + notification"; } leaf online-duration { type string; description "Online duration"; } leaf logout-duration { type string; description "Lockout duration"; } leaf additional-info { type string; description - "User activities. e.g., Successful - User Login, Failed Login attempts, - User Logout, Successful User - Password Change, Failed User - Password Change, User Lockout, - User Unlocking, Unknown"; + "User activities, e.g., Successful User Login, + Failed Login attempts, User Logout, Successful User + Password Change, Failed User Password Change, User + Lockout, User Unlocking, and Unknown."; } } notification nsf-log-ddos { description - "This notification is sent, if there is - a new DDoS event log entry in the nsf log"; + "This notification is sent, if there is a new DDoS + event log entry in the NSF log."; leaf attack-type { type identityref { base ddos-attack-type; } description - "The ddos attack type for - nsf-log-ddos notification"; + "The DDoS attack type for nsf-log-ddos notification"; } leaf attack-ave-rate { type uint32; description - "The ave PPS of attack traffic"; + "The average PPS of attack traffic"; } leaf attack-ave-speed { type uint32; description - "the ave bps of attack traffic"; + "the average bps of attack traffic"; } leaf attack-pkt-num { type uint32; description "the number of attack packets"; } leaf attack-src-ip { - type inet:ipv4-address; + type 
inet:ip-address; description - "The source IP addresses of attack - traffics. If there are a large - amount of IP addresses, then - pick a certain number of resources - according to different rules."; + "The source IPv4 (or IPv6) addresses of attack + traffic. If there are a large amount of IPv4 + (or IPv6) addresses, then pick a certain number + of resources according to different rules."; } leaf action { type log-action; description - "Action type: allow, alert, - block, discard, declare, + "Action type: allow, alert, block, discard, declare, block-ip, block-service"; } uses characteristics; uses common-monitoring-data; } notification nsf-log-virus { description - "This notification is sent, if there is - a new virus event log entry in the nsf log"; + "This notification is sent, if there is a new virus + event log entry in the NSF log."; leaf attack-type { type identityref { base virus-type; } description "The virus type for nsf-log-virus notification"; } leaf action { type log-action; description - "Action type: allow, alert, - block, discard, declare, + "Action type: allow, alert, block, discard, declare, block-ip, block-service"; - } leaf os{ type string; description - "simple os information"; + "simple OS information"; } leaf time { type yang:date-and-time; mandatory true; description - "Indicate the time when the message - is generated"; + "It is the time when the message is generated."; } uses characteristics; uses common-monitoring-data; } notification nsf-log-intrusion { description - "This notification is sent, if there is - a new intrusion event log entry in the nsf log"; + "This notification is sent, if there is a new + intrusion event log entry in the NSF log."; leaf attack-type { type identityref { base intrusion-attack-type; } description - "The intrusion attack type for - nsf-log-intrusion notification"; + "The intrusion attack type for nsf-log-intrusion + notification"; } leaf action { type log-action; description - "Action type: allow, alert, - 
block, discard, declare, + "Action type: allow, alert, block, discard, declare, block-ip, block-service"; } leaf time { type yang:date-and-time; mandatory true; description - "Indicate the time when the message - is generated"; + "It is the time when the message is generated."; } leaf attack-rate { type uint32; description "The PPS of attack traffic"; } leaf attack-speed { type uint32; description "The bps of attack traffic"; } uses characteristics; uses common-monitoring-data; } notification nsf-log-botnet { description - "This notification is sent, if there is - a new botnet event log in the nsf log"; + "This notification is sent, if there is a new botnet + event log in the NSF log."; leaf attack-type { type identityref { base botnet-attack-type; } description - "The botnet attack type for - nsf-log-botnet notification"; + "The botnet attack type for nsf-log-botnet notification"; } leaf action { type log-action; description - "Action type: allow, alert, - block, discard, declare, + "Action type: allow, alert, block, discard, declare, block-ip, block-service"; } leaf botnet-pkt-num{ type uint8; description - "The number of the packets sent to - or from the detected botnet"; + "The number of the packets sent to or from the detected botnet"; } leaf os{ type string; description - "simple os information"; + "simple OS information"; } uses characteristics; uses common-monitoring-data; } notification nsf-log-dpi { description - "This notification is sent, if there is - a new dpi event in the nsf log"; + "This notification is sent, if there is a new DPI + event in the NSF log."; leaf attack-type { type dpi-type; description - "The type of the dpi"; - + "The type of the DPI"; } uses characteristics; uses i2nsf-nsf-counters-type-content; uses common-monitoring-data; } notification nsf-log-vuln-scan { description - "This notification is sent, if there is - a new vulnerability-scan report in the nsf log"; + "This notification is sent, if there is a new + vulnerability-scan 
report in the NSF log."; leaf vulnerability-id { type uint8; description - "The vulnerability id"; + "The vulnerability ID"; } leaf victim-ip { - type inet:ipv4-address; + type inet:ip-address; description - "IP address of the victim host - which has vulnerabilities"; + "IPv4 (or IPv6) address of the victim host which + has vulnerabilities"; } leaf protocol { type identityref { base protocol-type; } description - "The protocol type for - nsf-log-vuln-scan notification"; + "The protocol type for nsf-log-vuln-scan + notification"; } leaf port-num { type inet:port-number; description "The port number"; } leaf level { type severity; description "The vulnerability severity"; } leaf os { type string; description - "simple os information"; + "simple OS information"; } leaf vulnerability-info { type string; description "The information about the vulnerability"; } leaf fix-suggestion { type string; description "The fix suggestion to the vulnerability"; } leaf service { type string; description - "The service which has vulnerability in the victim host"; + "The service which has vulnerability in the victim + host"; } uses characteristics; uses common-monitoring-data; } notification nsf-log-web-attack { description - "This notification is sent, if there is - a new web-attack event in the nsf log"; + "This notification is sent, if there is a new + web-attack event in the NSF log."; leaf attack-type { type identityref { base web-attack-type; } description - "The web attack type for - nsf-log-web-attack notification"; + "The web attack type for nsf-log-web-attack + notification"; } leaf rsp-code { type string; description "Response code"; } leaf req-clientapp { type string; description "The client application"; 
@@ -3345,43 +3316,44 @@ "Cookies"; } leaf req-host { type string; description "The domain name of the requested host"; } leaf raw-info { type string; description - "The information describing - the packet triggering the event."; + "The information describing the packet triggering + the event."; } uses characteristics; uses common-monitoring-data; } container counters { description - "This is probably better covered by an import - as this will not be notifications. - Counter are not very suitable as telemetry, maybe - via periodic subscriptions, which would still - violate principle of least surprise."; + "This is probably better covered by an import as this + will not be notifications. Counters are not very + suitable as telemetry, maybe via periodic + subscriptions, which would still violate the principle + of least surprise."; container system-interface { description - "The system counter type is interface counter"; + "The system counter type is interface counter."; uses characteristics; uses i2nsf-system-counter-type-content; uses common-monitoring-data; } container nsf-firewall { description - "The nsf counter type is firewall counter"; + "The NSF counter type is firewall counter."; + uses characteristics; uses i2nsf-nsf-counters-type-content; uses traffic-rates; } container nsf-policy-hits { description "The counters of policy hit"; uses characteristics; uses i2nsf-nsf-counters-type-content; uses common-monitoring-data; 
@@ -3395,32 +3367,35 @@ } Figure 2: Data Model of Monitoring 11. IANA Considerations This document requests IANA to register the following URI in the "IETF XML Registry" [RFC3688]: - URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitor + URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring Registrant Contact: The IESG. XML: N/A; the requested URI is an XML namespace. This document requests IANA to register the following YANG module in - the "YANG Module Names" registry [RFC6020][RFC7950]. + the "YANG Module Names" registry [RFC7950][RFC8525]: - name: ietf-i2nsf-monitor - namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitor - prefix: iim + name: ietf-i2nsf-nsf-monitoring + namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring + prefix: nsfmi reference: RFC XXXX + // RFC Ed.: replace XXXX with an actual RFC number and remove + // this note. + 12. Security Considerations The YANG module described in this document defines a schema for data that is designed to be accessed via network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS [RFC8446]. 
@@ -3433,101 +3408,161 @@ modified and deleted (i.e., config true, which is the default) are considered sensitive. Write operations (e.g., edit-config) applied to these data nodes without proper protection can negatively affect framework operations. The monitoring YANG module should be protected by the secure communication channel, to ensure its confidentiality and integrity. In another side, the NSF and security controller can all be faked, which lead to undesirable results (i.e., leakage of an NSF's important operational information, and faked NSF sending false information to mislead security controller). The mutual authentication is essential to protected against this kind of attack. - The current mainstream security technologies (i.e., TLS, DTLS, IPSEC, + The current mainstream security technologies (i.e., TLS, DTLS, IPsec, and X.509 PKI) can be employed appropriately to provide the above security functions. In addition, to defend against the DDoS attack caused by a lot of NSFs sending massive notifications to the security controller, the rate limiting or similar mechanisms should be considered in an NSF and security controller, whether in advance or just in the process of DDoS attack. 13. Acknowledgments This work was supported by Institute of Information & Communications - Technology Planning & Evaluation (IITP) grant funded by the Ministry - of Science and ICT (MSIT), Korea, (R-20160222-002755, Cloud based + Technology Planning & Evaluation (IITP) grant funded by the Korea + MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized - Security Service Provisioning). - - This work was supported in part by the MSIT under the Information - Technology Research Center (ITRC) support program (IITP- - 2019-2017-0-01633) supervised by the IITP. + Security Service Provisioning). 
This work was supported in part by + the IITP (2020-0-00395, Standard Development of Blockchain based + Network Management Automation Technology). This work was supported + in part by the MSIT under the Information Technology Research Center + (ITRC) support program (IITP-2020-2017-0-01633) supervised by the + IITP. 14. Contributors This document is made by the group effort of I2NSF working group. - Many people actively contributed to this document. The following are - considered co-authors: + Many people actively contributed to this document. The authors + sincerely appreciate their contributions. - o Jinyong Tim Kim (Sungkyunkwan University) + The following are co-authors of this document: - o Dongjin Hong (Sungkyunkwan University) + Chaehong Chung + Department of Electronic, Electrical and Computer Engineering + Sungkyunkwan University + 2066 Seo-ro Jangan-gu + Suwon, Gyeonggi-do 16419 + Republic of Korea - o Dacheng Zhang (Huawei) + EMail: darkhong@skku.edu - o Yi Wu (Aliababa Group) + Jinyong Tim Kim + Department of Electronic, Electrical and Computer Engineering + Sungkyunkwan University + 2066 Seo-ro Jangan-gu + Suwon, Gyeonggi-do 16419 + Republic of Korea - o Rakesh Kumar (Juniper Networks) + EMail: timkim@skku.edu - o Anil Lohiya (Juniper Networks) + Dongjin Hong + Department of Electronic, Electrical and Computer Engineering + Sungkyunkwan University + 2066 Seo-ro Jangan-gu + Suwon, Gyeonggi-do 16419 + Republic of Korea + + EMail: dong.jin@skku.edu + + Dacheng Zhang + Huawei + + EMail: dacheng.zhang@huawei.com + + Yi Wu + Aliababa Group + + EMail: anren.wy@alibaba-inc.com + Rakesh Kumar + Juniper Networks + 1133 Innovation Way + Sunnyvale, CA 94089 + USA + + EMail: rkkumar@juniper.net + + Anil Lohiya + Juniper Networks + + EMail: alohiya@juniper.net 15. References 15.1. Normative References - [I-D.ietf-netconf-subscribed-notifications] - Voit, E., Clemm, A., Prieto, A., Nilsen-Nygaard, E., and - A. 
Tripathy, "Subscription to YANG Event Notifications", - draft-ietf-netconf-subscribed-notifications-26 (work in - progress), May 2019. + [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, + DOI 10.17487/RFC0768, August 1980, + . - [I-D.ietf-netconf-yang-push] - Clemm, A. and E. Voit, "Subscription to YANG Datastores", - draft-ietf-netconf-yang-push-25 (work in progress), May - 2019. + [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, + DOI 10.17487/RFC0791, September 1981, + . + + [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, + RFC 792, DOI 10.17487/RFC0792, September 1981, + . + + [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, + RFC 793, DOI 10.17487/RFC0793, September 1981, + . + + [RFC0956] Mills, D., "Algorithms for synchronizing network clocks", + RFC 956, DOI 10.17487/RFC0956, September 1985, + . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . + [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., + Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext + Transfer Protocol -- HTTP/1.1", RFC 2616, + DOI 10.17487/RFC2616, June 1999, + . + [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, . [RFC3877] Chisholm, S. and D. Romascanu, "Alarm Management Information Base (MIB)", RFC 3877, DOI 10.17487/RFC3877, September 2004, . + [RFC3954] Claise, B., Ed., "Cisco Systems NetFlow Services Export + Version 9", RFC 3954, DOI 10.17487/RFC3954, October 2004, + . + + [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet + Control Message Protocol (ICMPv6) for the Internet + Protocol Version 6 (IPv6) Specification", STD 89, + RFC 4443, DOI 10.17487/RFC4443, March 2006, + . + [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, . 
[RFC5424] Gerhards, R., "The Syslog Protocol", RFC 5424, DOI 10.17487/RFC5424, March 2009, . - [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for - the Network Configuration Protocol (NETCONF)", RFC 6020, - DOI 10.17487/RFC6020, October 2010, - . - [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, . [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, . [RFC6587] Gerhards, R. and C. Lonvick, "Transmission of Syslog 
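Review bot: the new contributor entry `+ Aliababa Group` has a typo and should read `Alibaba Group` (the e-mail domain on the next line is alibaba-inc.com). The references added to the Normative section in this hunk also need a second look: [RFC2616] has been obsoleted by RFC 7230 through RFC 7235, [RFC0956] is a 1985 clock-synchronization paper rather than the current NTP specification (RFC 5905), and [RFC3954] (NetFlow v9) is an Informational RFC, so moving it from Informative to Normative creates a downref that must be called out in the shepherd write-up or avoided. Separately, the deleted [RFC6020] entry is still needed as long as the IANA section registers a module in the YANG Module Names registry that RFC 6020 created.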
@@ -3545,139 +3580,155 @@ . [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016, . [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, . - [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC - 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, - May 2017, . + [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 + (IPv6) Specification", STD 86, RFC 8200, + DOI 10.17487/RFC8200, July 2017, + . + + [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. + Kumar, "Framework for Interface to Network Security + Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, + . + + [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", + BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, + . [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration Access Control Model", STD 91, RFC 8341, DOI 10.17487/RFC8341, March 2018, . [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., and R. Wilton, "Network Management Datastore Architecture (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, . + [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of + Documents Containing YANG Data Models", BCP 216, RFC 8407, + DOI 10.17487/RFC8407, October 2018, + . + [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . + [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., + and R. Wilton, "YANG Library", RFC 8525, + DOI 10.17487/RFC8525, March 2019, + . + 15.2. Informative References + [I-D.ietf-i2nsf-applicability] + Jeong, J., Hyun, S., Ahn, T., Hares, S., and D. Lopez, + "Applicability of Interfaces to Network Security Functions + to Network-Based Security Services", draft-ietf-i2nsf- + applicability-18 (work in progress), September 2019. 
+ [I-D.ietf-i2nsf-capability] Xia, L., Strassner, J., Basile, C., and D. Lopez, "Information Model of NSFs Capabilities", draft-ietf- i2nsf-capability-05 (work in progress), April 2019. [I-D.ietf-i2nsf-consumer-facing-interface-dm] Jeong, J., Chung, C., Ahn, T., Kumar, R., and S. Hares, "I2NSF Consumer-Facing Interface YANG Data Model", draft- - ietf-i2nsf-consumer-facing-interface-dm-08 (work in - progress), March 2020. + ietf-i2nsf-consumer-facing-interface-dm-11 (work in + progress), September 2020. [I-D.ietf-i2nsf-nsf-facing-interface-dm] Kim, J., Jeong, J., J., J., PARK, P., Hares, S., and Q. Lin, "I2NSF Network Security Function-Facing Interface YANG Data Model", draft-ietf-i2nsf-nsf-facing-interface- - dm-08 (work in progress), November 2019. + dm-10 (work in progress), August 2020. [I-D.ietf-i2nsf-registration-interface-dm] Hyun, S., Jeong, J., Roh, T., Wi, S., J., J., and P. PARK, "I2NSF Registration Interface YANG Data Model", draft- - ietf-i2nsf-registration-interface-dm-08 (work in - progress), March 2020. + ietf-i2nsf-registration-interface-dm-09 (work in + progress), August 2020. - [I-D.ietf-i2nsf-terminology] - Hares, S., Strassner, J., Lopez, D., Xia, L., and H. - Birkholz, "Interface to Network Security Functions (I2NSF) - Terminology", draft-ietf-i2nsf-terminology-08 (work in - progress), July 2019. + [I-D.ietf-netconf-subscribed-notifications] + Voit, E., Clemm, A., Prieto, A., Nilsen-Nygaard, E., and + A. Tripathy, "Subscription to YANG Event Notifications", + draft-ietf-netconf-subscribed-notifications-26 (work in + progress), May 2019. - [I-D.yang-i2nsf-nfv-architecture] - Yang, H., Kim, Y., Jeong, J., and J. Kim, "I2NSF on the - NFV Reference Architecture", draft-yang-i2nsf-nfv- - architecture-05 (work in progress), July 2019. + [I-D.ietf-netconf-yang-push] + Clemm, A. and E. Voit, "Subscription to YANG Datastores", + draft-ietf-netconf-yang-push-25 (work in progress), May + 2019. 
[I-D.yang-i2nsf-security-policy-translation] Jeong, J., Yang, J., Chung, C., and J. Kim, "Security Policy Translation in Interface to Network Security Functions", draft-yang-i2nsf-security-policy- - translation-05 (work in progress), November 2019. - - [RFC3954] Claise, B., Ed., "Cisco Systems NetFlow Services Export - Version 9", RFC 3954, DOI 10.17487/RFC3954, October 2004, - . - - [RFC6087] Bierman, A., "Guidelines for Authors and Reviewers of YANG - Data Model Documents", RFC 6087, DOI 10.17487/RFC6087, - January 2011, . + translation-06 (work in progress), May 2020. - [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. - Kumar, "Framework for Interface to Network Security - Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, - . +Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-03 - [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", - BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, - . + The following changes are made from draft-ietf-i2nsf-nsf-monitoring- + data-model-03: -Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-02 + o This version updates the author list by replacing Chaehong Chung + with with Patrick Lingga as an active co-author for the YANG + module update. - The following changes are made from draft-ietf-i2nsf-nsf-monitoring- - data-model-02: + o This version updates the YANG module name, prefix, and + descriptions in the YANG module. - o This version has a submission date update to maintain the active - status of the draft. + o This updated YANG module supports both IPv4 and IPv6. - o This version updates the version numbers of the referenced drafts. + o This version updates the version numbers of the referenced RFCs + and drafts. 
Authors' Addresses - Jaehoon Paul Jeong + Jaehoon Paul Jeong (editor) Department of Computer Science and Engineering Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon, Gyeonggi-Do 16419 Republic of Korea Phone: +82 31 299 4957 Fax: +82 31 290 7996 EMail: pauljeong@skku.edu URI: http://iotlab.skku.edu/people-jaehoon-jeong.php - Chaehong Chung + Patrick Lingga Department of Electronic, Electrical and Computer Engineering Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon, Gyeonggi-Do 16419 Republic of Korea Phone: +82 31 299 4957 - EMail: darkhong@skku.edu - + EMail: patricklink@skku.edu Susan Hares Huawei 7453 Hickory Hill Saline, MI 48176 USA Phone: +1-734-604-0332 EMail: shares@ndzh.com + Liang Xia (Frank) Huawei 101 Software Avenue, Yuhuatai District Nanjing, Jiangsu China EMail: Frank.xialiang@huawei.com Henk Birkholz Fraunhofer Institute for Secure Information Technology
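Review bot: the Appendix A entry `+ with with Patrick Lingga as an active co-author for the YANG` has a duplicated word and should read `with Patrick Lingga`. The two NETCONF drafts moved into the Informative section are cited as work in progress from May 2019, but both had been published a year before this revision: draft-ietf-netconf-subscribed-notifications as RFC 8639 and draft-ietf-netconf-yang-push as RFC 8641 (September 2019), so cite the RFCs. Deleting [RFC8174] while keeping [RFC2119] is inconsistent if the document uses the BCP 14 boilerplate, which requires both references. Finally, the Authors' Addresses change drops the blank line that separated `EMail: patricklink@skku.edu` from `Susan Hares`, so the two entries now run together.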