draft-ietf-i2nsf-nsf-monitoring-data-model-10.txt   draft-ietf-i2nsf-nsf-monitoring-data-model-11.txt 
Network Working Group J. Jeong, Ed. Network Working Group J. Jeong, Ed.
Internet-Draft P. Lingga Internet-Draft P. Lingga
Intended status: Standards Track Sungkyunkwan University Intended status: Standards Track Sungkyunkwan University
Expires: 19 March 2022 S. Hares Expires: 18 April 2022 S. Hares
L. Xia L. Xia
Huawei Huawei
H. Birkholz H. Birkholz
Fraunhofer SIT Fraunhofer SIT
15 September 2021 15 October 2021
I2NSF NSF Monitoring Interface YANG Data Model I2NSF NSF Monitoring Interface YANG Data Model
draft-ietf-i2nsf-nsf-monitoring-data-model-10 draft-ietf-i2nsf-nsf-monitoring-data-model-11
Abstract Abstract
This document proposes an information model and the corresponding This document proposes an information model and the corresponding
YANG data model of an interface for monitoring Network Security YANG data model of an interface for monitoring Network Security
Functions (NSFs) in the Interface to Network Security Functions Functions (NSFs) in the Interface to Network Security Functions
(I2NSF) framework. If the monitoring of NSFs is performed with the (I2NSF) framework. If the monitoring of NSFs is performed with the
NSF monitoring interface in a comprehensive way, it is possible to NSF monitoring interface in a comprehensive way, it is possible to
detect the indication of malicious activity, anomalous behavior, the detect the indication of malicious activity, anomalous behavior, the
potential sign of denial of service attacks, or system overload in a potential sign of denial of service attacks, or system overload in a
skipping to change at page 1, line 46 skipping to change at page 1, line 46
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 19 March 2022. This Internet-Draft will expire on 18 April 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 3, line 13 skipping to change at page 3, line 13
6.5.1. Deep Packet Inspection Log . . . . . . . . . . . . . 20 6.5.1. Deep Packet Inspection Log . . . . . . . . . . . . . 20
6.6. System Counter . . . . . . . . . . . . . . . . . . . . . 20 6.6. System Counter . . . . . . . . . . . . . . . . . . . . . 20
6.6.1. Interface Counter . . . . . . . . . . . . . . . . . . 21 6.6.1. Interface Counter . . . . . . . . . . . . . . . . . . 21
6.7. NSF Counters . . . . . . . . . . . . . . . . . . . . . . 22 6.7. NSF Counters . . . . . . . . . . . . . . . . . . . . . . 22
6.7.1. Firewall Counter . . . . . . . . . . . . . . . . . . 22 6.7.1. Firewall Counter . . . . . . . . . . . . . . . . . . 22
6.7.2. Policy Hit Counter . . . . . . . . . . . . . . . . . 23 6.7.2. Policy Hit Counter . . . . . . . . . . . . . . . . . 23
7. NSF Monitoring Management in I2NSF . . . . . . . . . . . . . 24 7. NSF Monitoring Management in I2NSF . . . . . . . . . . . . . 24
8. Tree Structure . . . . . . . . . . . . . . . . . . . . . . . 25 8. Tree Structure . . . . . . . . . . . . . . . . . . . . . . . 25
9. YANG Data Model . . . . . . . . . . . . . . . . . . . . . . . 32 9. YANG Data Model . . . . . . . . . . . . . . . . . . . . . . . 32
10. I2NSF Event Stream . . . . . . . . . . . . . . . . . . . . . 77 10. I2NSF Event Stream . . . . . . . . . . . . . . . . . . . . . 78
11. XML Examples for I2NSF NSF Monitoring . . . . . . . . . . . . 78 11. XML Examples for I2NSF NSF Monitoring . . . . . . . . . . . . 79
11.1. I2NSF System Detection Alarm . . . . . . . . . . . . . . 78 11.1. I2NSF System Detection Alarm . . . . . . . . . . . . . . 79
11.2. I2NSF Interface Counters . . . . . . . . . . . . . . . . 79 11.2. I2NSF Interface Counters . . . . . . . . . . . . . . . . 80
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 80 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 82
13. Security Considerations . . . . . . . . . . . . . . . . . . . 81 13. Security Considerations . . . . . . . . . . . . . . . . . . . 82
14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 82 14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 84
15. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 83 15. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 84
16. References . . . . . . . . . . . . . . . . . . . . . . . . . 83 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 84
16.1. Normative References . . . . . . . . . . . . . . . . . . 83 16.1. Normative References . . . . . . . . . . . . . . . . . . 84
16.2. Informative References . . . . . . . . . . . . . . . . . 86 16.2. Informative References . . . . . . . . . . . . . . . . . 88
Appendix A. Changes from Appendix A. Changes from
draft-ietf-i2nsf-nsf-monitoring-data-model-09 . . . . . . 88 draft-ietf-i2nsf-nsf-monitoring-data-model-09 . . . . . . 89
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 88 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 89
1. Introduction 1. Introduction
According to [RFC8329], the interface provided by a Network Security According to [RFC8329], the interface provided by a Network Security
Function (NSF) (e.g., Firewall, IPS, or Anti-DDoS function) to Function (NSF) (e.g., Firewall, IPS, or Anti-DDoS function) to
administrative entities (e.g., Security Controller) to enable remote administrative entities (e.g., Security Controller) to enable remote
management (i.e., configuring and monitoring) is referred to as an management (i.e., configuring and monitoring) is referred to as an
I2NSF Monitoring Interface. This interface enables the sharing of I2NSF Monitoring Interface. This interface enables the sharing of
vital data from the NSFs (e.g., alarms, records, and counters) to the vital data from the NSFs (e.g., alarms, records, and counters) to the
Security Controller through a variety of mechanisms (e.g., queries, Security Controller through a variety of mechanisms (e.g., queries,
skipping to change at page 9, line 27 skipping to change at page 9, line 27
available from the NSF that can be monitored. Firstly, there must be available from the NSF that can be monitored. Firstly, there must be
some general information with each monitoring message sent from an some general information with each monitoring message sent from an
NSF that helps a consumer to identify meta data with that message, NSF that helps a consumer to identify meta data with that message,
which are listed as below: which are listed as below:
* message: The extra detail to give the context of the information. * message: The extra detail to give the context of the information.
* vendor-name: The name of the NSF vendor. * vendor-name: The name of the NSF vendor.
* nsf-name: The name or IP address of the NSF generating the * nsf-name: The name or IP address of the NSF generating the
message. If the given nsf-name is not an IP address, the name can message. If the given nsf-name is not IP address, the name can be
be an arbitrary string including FQDN (Fully Qualified Domain an arbitrary string including FQDN (Fully Qualified Domain Name).
Name). The name MUST be unique for different NSFs to identify the The name MUST be unique in the scope of management domain for a
NSF that generates the message. different NSF to identify the NSF that generates the message.
* severity: It indicates the severity level. There are total four * severity: It indicates the severity level. There are total four
levels, i.e., critical, high, middle, and low. levels, i.e., critical, high, middle, and low.
* timestamp: Indicates the time when the message is generated. For * timestamp: Indicates the time when the message is generated. For
the notification operations (i.e., System Alarms, System Events, the notification operations (i.e., System Alarms, System Events,
NSF Events, System Logs, and NSF Logs), this is represented by the NSF Events, System Logs, and NSF Logs), this is represented by the
eventTime of NETCONF event notification [RFC5277] For other eventTime of NETCONF event notification [RFC5277] For other
operations (i.e., System Counter and NSF Counter), the timestamp operations (i.e., System Counter and NSF Counter), the timestamp
MUST be provided separately. MUST be provided separately.
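Review bot: the rewritten nsf-name sentence in the right column does not parse: "The name MUST be unique in the scope of management domain for a different NSF to identify the NSF" reads as if only a different NSF needs a unique name. Suggest "The name MUST be unique within the scope of the management domain so that the NSF generating the message can be identified." The same rewrite dropped the article in "is not IP address" (restore "is not an IP address"), and both columns lack the period after "[RFC5277]". Separately, the timestamp bullet says the counter timestamp MUST be provided separately, yet every counter entry in the tree carries "timestamp?" (optional); either make the leaf mandatory in the counter lists or relax the MUST, because a consumer cannot compute a rate from a counter sample it cannot date.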
skipping to change at page 12, line 47 skipping to change at page 12, line 47
* acquisition-method: subscription * acquisition-method: subscription
* emission-type: on-change * emission-type: on-change
* dampening-type: on-repetition * dampening-type: on-repetition
6.2.1. Access Violation 6.2.1. Access Violation
The access-violation system event is an event when a user tries to The access-violation system event is an event when a user tries to
access (read or write) any information above their privilege. The access (read, write, create, or delete) any information or execute
following information should be included in this event: commands above their privilege.
* event-name: access-denied. * event-name: access-denied.
* user: Name of a user. * user: Name of a user.
* group: Group(s) to which a user belongs. A user can belong to * group: Group(s) to which a user belongs. A user can belong to
multiple groups. multiple groups.
* ip-address: The IP address of the user that triggered the event. * ip-address: The IP address of the user that triggered the event.
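Review bot: the right column deletes the lead-in sentence ("The following information should be included in this event:"), so the bullet list now hangs off the definition with no introduction; keep it or fold it into the new sentence. Unchanged in both columns, the section is titled "Access Violation" while its event-name is "access-denied"; pick one identifier and use it in the text, the YANG identity and the examples, since a consumer correlating events keys on that exact string. The widened operation set (read, write, create, delete, execute) mirrors the NACM operations of RFC 8341, which is a good fit; say whether the event is raised per denied operation or once per session, otherwise the "on-repetition" dampening-type above has no defined unit.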
skipping to change at page 15, line 11 skipping to change at page 15, line 11
* dst-port: The port number that the attack traffic aims at. * dst-port: The port number that the attack traffic aims at.
* start-time: The time stamp indicating when the attack started. * start-time: The time stamp indicating when the attack started.
* end-time: The time stamp indicating when the attack ended. If the * end-time: The time stamp indicating when the attack ended. If the
attack is still undergoing when sending out the alarm, this field attack is still undergoing when sending out the alarm, this field
can be empty. can be empty.
* attack-rate: The packets per second of attack traffic. * attack-rate: The packets per second of attack traffic.
* attack-speed: the bits per second of attack traffic. * attack-speed: The bytes per second of attack traffic.
* rule-name: The name of the I2NSF Policy Rule being triggered. * rule-name: The name of the I2NSF Policy Rule being triggered.
Note that rule-name is used to match a detected NSF event with a Note that rule-name is used to match a detected NSF event with a
policy rule in [I-D.ietf-i2nsf-nsf-facing-interface-dm], and also policy rule in [I-D.ietf-i2nsf-nsf-facing-interface-dm], and also
that there is no rule-name in a system event. that there is no rule-name in a system event.
6.3.2. Virus Event 6.3.2. Virus Event
The following information should be included in a Virus Event: The following information should be included in a Virus Event:
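Review bot: changing attack-speed from bits per second to bytes per second must be mirrored by a "units" statement on the attack-speed leaf (and on every other "-speed" leaf this revision changes); a consumer cannot tell from a bare uint64 whether a value is bits or bytes, and a silent 8x error in a DDoS threshold is exactly the kind of mistake that mutes an alarm. State the unit once in Section 6 as applying to all "-speed" leaves and once in the YANG. Also, "still undergoing" should read "still ongoing", and "this field can be empty" conflicts with the tree, where end-time has no "?" and is therefore mandatory; either mark end-time optional or define the value an NSF sends while an attack is in progress.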
skipping to change at page 19, line 30 skipping to change at page 19, line 30
* interface-id: Specifies the interface ID to identify the network * interface-id: Specifies the interface ID to identify the network
interface. interface.
* in-traffic-rate: The total inbound traffic rate in packets per * in-traffic-rate: The total inbound traffic rate in packets per
second. second.
* out-traffic-rate: The total outbound traffic rate in packets per * out-traffic-rate: The total outbound traffic rate in packets per
second. second.
* in-traffic-speed: The total inbound traffic speed in bits per * in-traffic-speed: The total inbound traffic speed in bytes per
second. second.
* out-traffic-speed: The total outbound traffic speed in bits per * out-traffic-speed: The total outbound traffic speed in bytes per
second. second.
6.4.3. User Activity Log 6.4.3. User Activity Log
User activity logs provide visibility into users' online records User activity logs provide visibility into users' online records
(such as login time, online/lockout duration, and login IP addresses) (such as login time, online/lockout duration, and login IP addresses)
and the actions that users perform. User activity reports are and the actions that users perform. User activity reports are
helpful to identify exceptions during a user's login and network helpful to identify exceptions during a user's login and network
access activities. access activities.
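Review bot: the unit change to bytes per second is consistent with the uint64 widening of in-traffic-speed and out-traffic-speed in the tree, but interface-id here stays a plain string while the system-interface counters and the system alarm move to if:interface-ref in the same revision; if the same network interface is meant, use the same type so a consumer can join this log with the counters and with ietf-interfaces state. If bytes are intended, "octets" matches the in-octets/out-octets naming of RFC 8343 and avoids the bits/bytes ambiguity in a single word.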
skipping to change at page 21, line 40 skipping to change at page 21, line 40
* in-drop-traffic-bytes: Total inbound drop bytes. * in-drop-traffic-bytes: Total inbound drop bytes.
* out-drop-traffic-bytes: Total outbound drop bytes. * out-drop-traffic-bytes: Total outbound drop bytes.
* in-traffic-average-rate: Inbound traffic average rate in packets * in-traffic-average-rate: Inbound traffic average rate in packets
per second. per second.
* in-traffic-peak-rate: Inbound traffic peak rate in packets per * in-traffic-peak-rate: Inbound traffic peak rate in packets per
second. second.
* in-traffic-average-speed: Inbound traffic average speed in bits * in-traffic-average-speed: Inbound traffic average speed in bytes
per second. per second.
* in-traffic-peak-speed: Inbound traffic peak speed in bits per * in-traffic-peak-speed: Inbound traffic peak speed in bytes per
second. second.
* out-traffic-average-rate: Outbound traffic average rate in packets * out-traffic-average-rate: Outbound traffic average rate in packets
per second. per second.
* out-traffic-peak-rate: Outbound traffic peak rate in packets per * out-traffic-peak-rate: Outbound traffic peak rate in packets per
second. second.
* out-traffic-average-speed: Outbound traffic average speed in bits * out-traffic-average-speed: Outbound traffic average speed in bytes
per second. per second.
* out-traffic-peak-speed: Outbound traffic peak speed in bits per * out-traffic-peak-speed: Outbound traffic peak speed in bytes per
second. second.
6.7. NSF Counters 6.7. NSF Counters
NSF counters have the following characteristics: NSF counters have the following characteristics:
* acquisition-method: subscription or query * acquisition-method: subscription or query
* emission-type: periodic * emission-type: periodic
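Review bot: the tree adds a mandatory discontinuity-time to system-interface, but this section's field list does not describe it; add a bullet stating that it is the time of the most recent counter reset or other discontinuity (as for discontinuity-time in RFC 8343) and that a consumer MUST discard a delta computed across two samples whose discontinuity-time values differ. Also, the packet totals and drop totals are yang:counter32 while the byte totals are uint64: a 32-bit packet counter wraps in under five minutes at 10 Gbit/s with minimum-size frames, and RFC 2863 requires 64-bit packet counters on interfaces at 650 Mbit/s and above, so use yang:counter64 for the packet counters and also for the byte totals, since counter64 carries the wrap/discontinuity semantics that a plain uint64 does not.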
skipping to change at page 23, line 8 skipping to change at page 23, line 8
* out-interface: Outbound interface of traffic. * out-interface: Outbound interface of traffic.
* total-traffic: Total traffic volume. * total-traffic: Total traffic volume.
* in-traffic-average-rate: Inbound traffic average rate in packets * in-traffic-average-rate: Inbound traffic average rate in packets
per second. per second.
* in-traffic-peak-rate: Inbound traffic peak rate in packets per * in-traffic-peak-rate: Inbound traffic peak rate in packets per
second. second.
* in-traffic-average-speed: Inbound traffic average speed in bits * in-traffic-average-speed: Inbound traffic average speed in bytes
per second. per second.
* in-traffic-peak-speed: Inbound traffic peak speed in bits per * in-traffic-peak-speed: Inbound traffic peak speed in bytes per
second. second.
* out-traffic-average-rate: Outbound traffic average rate in packets * out-traffic-average-rate: Outbound traffic average rate in packets
per second. per second.
* out-traffic-peak-rate: Outbound traffic peak rate in packets per * out-traffic-peak-rate: Outbound traffic peak rate in packets per
second. second.
* out-traffic-average-speed: Outbound traffic average speed in bits * out-traffic-average-speed: Outbound traffic average speed in bytes
per second. per second.
* out-traffic-peak-speed: Outbound traffic peak speed in bits per * out-traffic-peak-speed: Outbound traffic peak speed in bytes per
second. second.
6.7.2. Policy Hit Counter 6.7.2. Policy Hit Counter
Policy Hit Counters record the security policy that traffic matches Policy Hit Counters record the security policy that traffic matches
and its hit count. It can check if policy configurations are and its hit count. It can check if policy configurations are
correct. correct.
* src-ip: Source IP address of traffic. * src-ip: Source IP address of traffic.
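Review bot: as with the interface counter, discontinuity-time appears in the nsf-firewall tree entry but not in this field list, and total-traffic is yang:counter32 with no unit stated (packets or bytes?) while every rate and speed leaf now names its unit explicitly. Give total-traffic a unit and a 64-bit counter type. The bytes-per-second change here also needs to be carried into the XML examples of Section 11.2 if they carry "-speed" values, or the examples will document the old unit.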
skipping to change at page 25, line 16 skipping to change at page 25, line 16
The tree structure of the NSF monitoring YANG module is provided The tree structure of the NSF monitoring YANG module is provided
below: below:
module: ietf-i2nsf-nsf-monitoring module: ietf-i2nsf-nsf-monitoring
+--ro i2nsf-counters +--ro i2nsf-counters
| +--ro system-interface* [interface-name] | +--ro system-interface* [interface-name]
| | +--ro acquisition-method? identityref | | +--ro acquisition-method? identityref
| | +--ro emission-type? identityref | | +--ro emission-type? identityref
| | +--ro dampening-type? identityref | | +--ro dampening-type? identityref
| | +--ro interface-name string | | +--ro interface-name if:interface-ref
| | +--ro in-total-traffic-pkts? yang:counter32 | | +--ro in-total-traffic-pkts? yang:counter32
| | +--ro out-total-traffic-pkts? yang:counter32 | | +--ro out-total-traffic-pkts? yang:counter32
| | +--ro in-total-traffic-bytes? uint64 | | +--ro in-total-traffic-bytes? uint64
| | +--ro out-total-traffic-bytes? uint64 | | +--ro out-total-traffic-bytes? uint64
| | +--ro in-drop-traffic-pkts? yang:counter32 | | +--ro in-drop-traffic-pkts? yang:counter32
| | +--ro out-drop-traffic-pkts? yang:counter32 | | +--ro out-drop-traffic-pkts? yang:counter32
| | +--ro in-drop-traffic-bytes? uint64 | | +--ro in-drop-traffic-bytes? uint64
| | +--ro out-drop-traffic-bytes? uint64 | | +--ro out-drop-traffic-bytes? uint64
| | +--ro discontinuity-time yang:date-and-time
| | +--ro total-traffic? yang:counter32 | | +--ro total-traffic? yang:counter32
| | +--ro in-traffic-average-rate? uint32 | | +--ro in-traffic-average-rate? uint32
| | +--ro in-traffic-peak-rate? uint32 | | +--ro in-traffic-peak-rate? uint32
| | +--ro in-traffic-average-speed? uint32 | | +--ro in-traffic-average-speed? uint64
| | +--ro in-traffic-peak-speed? uint32 | | +--ro in-traffic-peak-speed? uint64
| | +--ro out-traffic-average-rate? uint32 | | +--ro out-traffic-average-rate? uint32
| | +--ro out-traffic-peak-rate? uint32 | | +--ro out-traffic-peak-rate? uint32
| | +--ro out-traffic-average-speed? uint32 | | +--ro out-traffic-average-speed? uint64
| | +--ro out-traffic-peak-speed? uint32 | | +--ro out-traffic-peak-speed? uint64
| | +--ro message? string | | +--ro message? string
| | +--ro vendor-name? string | | +--ro vendor-name? string
| | +--ro nsf-name? union | | +--ro nsf-name? union
| | +--ro severity? severity | | +--ro severity? severity
| | +--ro timestamp? yang:date-and-time | | +--ro timestamp? yang:date-and-time
| +--ro nsf-firewall* [policy-name] | +--ro nsf-firewall* [policy-name]
| | +--ro acquisition-method? identityref | | +--ro acquisition-method? identityref
| | +--ro emission-type? identityref | | +--ro emission-type? identityref
| | +--ro dampening-type? identityref | | +--ro dampening-type? identityref
| | +--ro policy-name | | +--ro policy-name
-> /nsfintf:i2nsf-security-policy/system-policy-name -> /nsfintf:i2nsf-security-policy/system-policy-name
| | +--ro src-user? string | | +--ro src-user? string
| | +--ro discontinuity-time yang:date-and-time
| | +--ro total-traffic? yang:counter32 | | +--ro total-traffic? yang:counter32
| | +--ro in-traffic-average-rate? uint32 | | +--ro in-traffic-average-rate? uint32
| | +--ro in-traffic-peak-rate? uint32 | | +--ro in-traffic-peak-rate? uint32
| | +--ro in-traffic-average-speed? uint32 | | +--ro in-traffic-average-speed? uint64
| | +--ro in-traffic-peak-speed? uint32 | | +--ro in-traffic-peak-speed? uint64
| | +--ro out-traffic-average-rate? uint32 | | +--ro out-traffic-average-rate? uint32
| | +--ro out-traffic-peak-rate? uint32 | | +--ro out-traffic-peak-rate? uint32
| | +--ro out-traffic-average-speed? uint32 | | +--ro out-traffic-average-speed? uint64
| | +--ro out-traffic-peak-speed? uint32 | | +--ro out-traffic-peak-speed? uint64
| | +--ro message? string | | +--ro message? string
| | +--ro vendor-name? string | | +--ro vendor-name? string
| | +--ro nsf-name? union | | +--ro nsf-name? union
| | +--ro severity? severity | | +--ro severity? severity
| | +--ro timestamp? yang:date-and-time | | +--ro timestamp? yang:date-and-time
| +--ro nsf-policy-hits* [policy-name] | +--ro nsf-policy-hits* [policy-name]
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro policy-name | +--ro policy-name
-> /nsfintf:i2nsf-security-policy/system-policy-name -> /nsfintf:i2nsf-security-policy/system-policy-name
| +--ro src-user? string | +--ro src-user? string
| +--ro message? string | +--ro message? string
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? union | +--ro nsf-name? union
| +--ro severity? severity | +--ro severity? severity
| +--ro discontinuity-time yang:date-and-time
| +--ro hit-times? yang:counter32 | +--ro hit-times? yang:counter32
| +--ro timestamp? yang:date-and-time | +--ro timestamp? yang:date-and-time
+--rw i2nsf-monitoring-configuration +--rw i2nsf-monitoring-configuration
+--rw i2nsf-system-detection-alarm +--rw i2nsf-system-detection-alarm
| +--rw enabled? boolean | +--rw enabled? boolean
| +--rw system-alarm* [alarm-type] | +--rw system-alarm* [alarm-type]
| +--rw alarm-type enumeration | +--rw alarm-type enumeration
| +--rw threshold? uint8 | +--rw threshold? uint8
| +--rw dampening-period? uint32 | +--rw dampening-period? uint32
+--rw i2nsf-system-detection-event +--rw i2nsf-system-detection-event
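Review bot: interface-name now has type if:interface-ref, a leafref into /if:interfaces/if:interface/if:name (RFC 8343), so the module must import ietf-interfaces, and with the default require-instance true an NSF can only report counters for interfaces it also exposes there; a server that does not implement ietf-interfaces cannot populate this list at all. Say so in the text or use "require-instance false". The new discontinuity-time leaves are mandatory (no "?") but are placed between the drop counters and total-traffic in system-interface, after src-user in nsf-firewall, and after severity in nsf-policy-hits; place them consistently, ideally right before the first counter they qualify. Widening the "-speed" leaves to uint64 is right for bytes per second; the "-rate" leaves stay uint32 (packets per second), which is adequate.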
skipping to change at page 26, line 44 skipping to change at page 26, line 47
+--rw i2nsf-traffic-flows +--rw i2nsf-traffic-flows
| +--rw dampening-period? uint32 | +--rw dampening-period? uint32
| +--rw enabled? boolean | +--rw enabled? boolean
+--rw i2nsf-nsf-detection-ddos {i2nsf-nsf-detection-ddos}? +--rw i2nsf-nsf-detection-ddos {i2nsf-nsf-detection-ddos}?
| +--rw enabled? boolean | +--rw enabled? boolean
| +--rw dampening-period? uint32 | +--rw dampening-period? uint32
+--rw i2nsf-nsf-detection-session-table-configuration +--rw i2nsf-nsf-detection-session-table-configuration
| +--rw enabled? boolean | +--rw enabled? boolean
| +--rw dampening-period? uint32 | +--rw dampening-period? uint32
+--rw i2nsf-nsf-detection-intrusion +--rw i2nsf-nsf-detection-intrusion
{i2nsf-nsf-detection-intrusion}? {i2nsf-nsf-detection-intrusion}?
| +--rw enabled? boolean | +--rw enabled? boolean
| +--rw dampening-period? uint32 | +--rw dampening-period? uint32
+--rw i2nsf-nsf-detection-web-attack +--rw i2nsf-nsf-detection-web-attack
{i2nsf-nsf-detection-web-attack}? {i2nsf-nsf-detection-web-attack}?
| +--rw enabled? boolean | +--rw enabled? boolean
| +--rw dampening-period? uint32 | +--rw dampening-period? uint32
+--rw i2nsf-nsf-system-access-log +--rw i2nsf-nsf-system-access-log
| +--rw enabled? boolean | +--rw enabled? boolean
| +--rw dampening-period? uint32 | +--rw dampening-period? uint32
+--rw i2nsf-system-res-util-log +--rw i2nsf-system-res-util-log
| +--rw enabled? boolean | +--rw enabled? boolean
| +--rw dampening-period? uint32 | +--rw dampening-period? uint32
+--rw i2nsf-system-user-activity-log +--rw i2nsf-system-user-activity-log
| +--rw enabled? boolean | +--rw enabled? boolean
skipping to change at page 27, line 25 skipping to change at page 27, line 29
+--rw i2nsf-counter +--rw i2nsf-counter
+--rw period? uint16 +--rw period? uint16
notifications: notifications:
+---n i2nsf-event +---n i2nsf-event
| +--ro (sub-event-type)? | +--ro (sub-event-type)?
| +--:(i2nsf-system-detection-alarm) | +--:(i2nsf-system-detection-alarm)
| | +--ro i2nsf-system-detection-alarm | | +--ro i2nsf-system-detection-alarm
| | +--ro alarm-category? identityref | | +--ro alarm-category? identityref
| | +--ro component-name? string | | +--ro component-name? string
| | +--ro interface-name? string | | +--ro interface-name? if:interface-ref
| | +--ro interface-state? enumeration | | +--ro interface-state? enumeration
| | +--ro acquisition-method? identityref | | +--ro acquisition-method? identityref
| | +--ro emission-type? identityref | | +--ro emission-type? identityref
| | +--ro dampening-type? identityref | | +--ro dampening-type? identityref
| | +--ro usage? uint8 | | +--ro usage? uint8
| | +--ro threshold? uint8 | | +--ro threshold? uint8
| | +--ro message? string | | +--ro message? string
| | +--ro vendor-name? string | | +--ro vendor-name? string
| | +--ro nsf-name? union | | +--ro nsf-name? union
| | +--ro severity? severity | | +--ro severity? severity
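Review bot: the alarm's interface-name inherits the if:interface-ref leafref constraint noted for the counters, and an interface-state alarm is precisely the case where the referenced interface may have just disappeared from /if:interfaces; confirm that the intended require-instance behaviour allows the alarm to be emitted for an interface that is no longer present, otherwise a link-removal alarm is unsendable because its own reference is dangling.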
skipping to change at page 28, line 30 skipping to change at page 28, line 33
| +--ro maximum-session? uint32 | +--ro maximum-session? uint32
| +--ro threshold? uint32 | +--ro threshold? uint32
| +--ro message? string | +--ro message? string
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? union | +--ro nsf-name? union
| +--ro severity? severity | +--ro severity? severity
+---n i2nsf-log +---n i2nsf-log
| +--ro (sub-logs-type)? | +--ro (sub-logs-type)?
| +--:(i2nsf-nsf-system-access-log) | +--:(i2nsf-nsf-system-access-log)
| | +--ro i2nsf-nsf-system-access-log | | +--ro i2nsf-nsf-system-access-log
| | +--ro login-ip inet:ip-address-no-zone | | +--ro login-ip? inet:ip-address-no-zone
| | +--ro username? string | | +--ro username? string
| | +--ro login-role? login-role | | +--ro login-role? login-role
| | +--ro operation-type? operation-type | | +--ro operation-type? operation-type
| | +--ro input? string | | +--ro input? string
| | +--ro output? string | | +--ro output? string
| | +--ro acquisition-method? identityref | | +--ro acquisition-method? identityref
| | +--ro emission-type? identityref | | +--ro emission-type? identityref
| | +--ro dampening-type? identityref | | +--ro dampening-type? identityref
| | +--ro message? string | | +--ro message? string
| | +--ro vendor-name? string | | +--ro vendor-name? string
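Review bot: login-ip becomes optional in the right column. For an access log whose purpose is attributing a management operation to a user and a source, an omitted source weakens the evidentiary value of the record; if the intent is to cover local console logins with no IP address, say so in the leaf description and keep login-ip mandatory for remote sessions (for example with a "must" expression tied to login-role or a session-type leaf), so that a missing source cannot be a normal, unremarkable condition.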
skipping to change at page 29, line 10 skipping to change at page 29, line 13
| | +--ro disk* [disk-id] | | +--ro disk* [disk-id]
| | | +--ro disk-id string | | | +--ro disk-id string
| | | +--ro disk-usage? uint8 | | | +--ro disk-usage? uint8
| | | +--ro disk-left? uint8 | | | +--ro disk-left? uint8
| | +--ro session-num? uint32 | | +--ro session-num? uint32
| | +--ro process-num? uint32 | | +--ro process-num? uint32
| | +--ro interface* [interface-id] | | +--ro interface* [interface-id]
| | | +--ro interface-id string | | | +--ro interface-id string
| | | +--ro in-traffic-rate? uint32 | | | +--ro in-traffic-rate? uint32
| | | +--ro out-traffic-rate? uint32 | | | +--ro out-traffic-rate? uint32
| | | +--ro in-traffic-speed? uint32 | | | +--ro in-traffic-speed? uint64
| | | +--ro out-traffic-speed? uint32 | | | +--ro out-traffic-speed? uint64
| | +--ro acquisition-method? identityref | | +--ro acquisition-method? identityref
| | +--ro emission-type? identityref | | +--ro emission-type? identityref
| | +--ro dampening-type? identityref | | +--ro dampening-type? identityref
| | +--ro message? string | | +--ro message? string
| | +--ro vendor-name? string | | +--ro vendor-name? string
| | +--ro nsf-name? union | | +--ro nsf-name? union
| | +--ro severity? severity | | +--ro severity? severity
| +--:(i2nsf-system-user-activity-log) | +--:(i2nsf-system-user-activity-log)
| +--ro i2nsf-system-user-activity-log | +--ro i2nsf-system-user-activity-log
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
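Review bot: in-traffic-speed and out-traffic-speed widen to uint64 here, consistent with the bytes-per-second change in the resource utilization text, but interface-id remains "string" while the same concept is if:interface-ref elsewhere in this revision; align the type so the log and the counters can be correlated on one key.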
skipping to change at page 29, line 43 skipping to change at page 29, line 46
| +--ro logout-duration? uint32 | +--ro logout-duration? uint32
| +--ro additional-info? enumeration | +--ro additional-info? enumeration
+---n i2nsf-nsf-event +---n i2nsf-nsf-event
+--ro (sub-event-type)? +--ro (sub-event-type)?
+--:(i2nsf-nsf-detection-ddos) {i2nsf-nsf-detection-ddos}? +--:(i2nsf-nsf-detection-ddos) {i2nsf-nsf-detection-ddos}?
| +--ro i2nsf-nsf-detection-ddos | +--ro i2nsf-nsf-detection-ddos
| +--ro attack-type? identityref | +--ro attack-type? identityref
| +--ro start-time yang:date-and-time | +--ro start-time yang:date-and-time
| +--ro end-time yang:date-and-time | +--ro end-time yang:date-and-time
| +--ro attack-src-ip* inet:ip-address-no-zone | +--ro attack-src-ip* inet:ip-address-no-zone
| +--ro attack-dst-ip* inet:ip-prefix | +--ro attack-dst-ip* inet:ip-address-no-zone
| +--ro attack-src-port* inet:port-number | +--ro attack-src-port* inet:port-number
| +--ro attack-dst-port* inet:port-number | +--ro attack-dst-port* inet:port-number
| +--ro rule-name | +--ro rule-name
-> /nsfintf:i2nsf-security-policy/rules/rule-name -> /nsfintf:i2nsf-security-policy/rules/rule-name
| +--ro raw-info? string | +--ro raw-info? string
| +--ro attack-rate? uint32 | +--ro attack-rate? uint32
| +--ro attack-speed? uint32 | +--ro attack-speed? uint64
| +--ro action* log-action | +--ro action* log-action
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro message? string | +--ro message? string
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? union | +--ro nsf-name? union
| +--ro severity? severity | +--ro severity? severity
+--:(i2nsf-nsf-detection-virus) +--:(i2nsf-nsf-detection-virus)
{i2nsf-nsf-detection-virus}? {i2nsf-nsf-detection-virus}?
| +--ro i2nsf-nsf-detection-virus | +--ro i2nsf-nsf-detection-virus
| +--ro dst-ip? inet:ip-address-no-zone | +--ro dst-ip? inet:ip-address-no-zone
| +--ro dst-port? inet:port-number | +--ro dst-port? inet:port-number
| +--ro rule-name | +--ro rule-name
-> /nsfintf:i2nsf-security-policy/rules/rule-name -> /nsfintf:i2nsf-security-policy/rules/rule-name
| +--ro raw-info? string | +--ro raw-info? string
| +--ro src-ip? inet:ip-address-no-zone | +--ro src-ip? inet:ip-address-no-zone
| +--ro src-port? inet:port-number | +--ro src-port? inet:port-number
| +--ro src-location? string | +--ro src-location? string
| +--ro dst-location? string | +--ro dst-location? string
| +--ro virus? identityref | +--ro virus? identityref
| +--ro virus-name? string | +--ro virus-name? string
| +--ro file-type? string | +--ro file-type? string
| +--ro file-name? string | +--ro file-name? string
| +--ro os? string | +--ro os? string
| +--ro action* log-action | +--ro action* log-action
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro message? string | +--ro message? string
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? union | +--ro nsf-name? union
| +--ro severity? severity | +--ro severity? severity
+--:(i2nsf-nsf-detection-intrusion) +--:(i2nsf-nsf-detection-intrusion)
{i2nsf-nsf-detection-intrusion}? {i2nsf-nsf-detection-intrusion}?
| +--ro i2nsf-nsf-detection-intrusion | +--ro i2nsf-nsf-detection-intrusion
| +--ro dst-ip? inet:ip-address-no-zone | +--ro dst-ip? inet:ip-address-no-zone
| +--ro dst-port? inet:port-number | +--ro dst-port? inet:port-number
| +--ro rule-name | +--ro rule-name
-> /nsfintf:i2nsf-security-policy/rules/rule-name -> /nsfintf:i2nsf-security-policy/rules/rule-name
| +--ro raw-info? string | +--ro raw-info? string
| +--ro src-ip? inet:ip-address-no-zone | +--ro src-ip? inet:ip-address-no-zone
| +--ro src-port? inet:port-number | +--ro src-port? inet:port-number
| +--ro src-location? string | +--ro src-location? string
| +--ro dst-location? string | +--ro dst-location? string
| +--ro protocol? identityref | +--ro protocol? identityref
| +--ro app? identityref | +--ro app? identityref
| +--ro attack-type? identityref | +--ro attack-type? identityref
| +--ro action* log-action | +--ro action* log-action
| +--ro attack-rate? uint32 | +--ro attack-rate? uint32
| +--ro attack-speed? uint32 | +--ro attack-speed? uint64
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro message? string | +--ro message? string
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? union | +--ro nsf-name? union
| +--ro severity? severity | +--ro severity? severity
+--:(i2nsf-nsf-detection-web-attack) +--:(i2nsf-nsf-detection-web-attack)
{i2nsf-nsf-detection-web-attack}? {i2nsf-nsf-detection-web-attack}?
| +--ro i2nsf-nsf-detection-web-attack | +--ro i2nsf-nsf-detection-web-attack
| +--ro dst-ip? inet:ip-address-no-zone | +--ro dst-ip? inet:ip-address-no-zone
| +--ro dst-port? inet:port-number | +--ro dst-port? inet:port-number
| +--ro rule-name | +--ro rule-name
-> /nsfintf:i2nsf-security-policy/rules/rule-name -> /nsfintf:i2nsf-security-policy/rules/rule-name
| +--ro raw-info? string | +--ro raw-info? string
| +--ro src-ip? inet:ip-address-no-zone | +--ro src-ip? inet:ip-address-no-zone
| +--ro src-port? inet:port-number | +--ro src-port? inet:port-number
| +--ro src-location? string | +--ro src-location? string
| +--ro dst-location? string | +--ro dst-location? string
| +--ro attack-type? identityref | +--ro attack-type? identityref
| +--ro request-method? identityref | +--ro request-method? identityref
| +--ro req-uri? string | +--ro req-uri? string
| +--ro filtering-type* identityref | +--ro filtering-type* identityref
| +--ro req-user-agent? string | +--ro req-user-agent? string
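Review bot: in every detection case in this tree (i2nsf-nsf-detection-virus, -intrusion, -web-attack, -voip-volte and the DDoS case above them) rule-name carries no `?`, so it is a mandatory leafref into /nsfintf:i2nsf-security-policy/rules/rule-name; an NSF that detects a virus or intrusion from a built-in signature rather than a configured policy rule has no valid rule to reference and therefore cannot emit the notification at all. If that is intended, the text should say so; otherwise make rule-name optional in the detection groupings.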
skipping to change at page 31, line 42 skipping to change at page 31, line 45
| +--ro response-code? string | +--ro response-code? string
| +--ro acquisition-method? identityref | +--ro acquisition-method? identityref
| +--ro emission-type? identityref | +--ro emission-type? identityref
| +--ro dampening-type? identityref | +--ro dampening-type? identityref
| +--ro action* log-action | +--ro action* log-action
| +--ro message? string | +--ro message? string
| +--ro vendor-name? string | +--ro vendor-name? string
| +--ro nsf-name? union | +--ro nsf-name? union
| +--ro severity? severity | +--ro severity? severity
+--:(i2nsf-nsf-detection-voip-volte) +--:(i2nsf-nsf-detection-voip-volte)
{i2nsf-nsf-detection-voip-volte}? {i2nsf-nsf-detection-voip-volte}?
| +--ro i2nsf-nsf-detection-voip-volte | +--ro i2nsf-nsf-detection-voip-volte
| +--ro dst-ip? inet:ip-address-no-zone | +--ro dst-ip? inet:ip-address-no-zone
| +--ro dst-port? inet:port-number | +--ro dst-port? inet:port-number
| +--ro rule-name | +--ro rule-name
-> /nsfintf:i2nsf-security-policy/rules/rule-name -> /nsfintf:i2nsf-security-policy/rules/rule-name
| +--ro raw-info? string | +--ro raw-info? string
| +--ro src-ip? inet:ip-address-no-zone | +--ro src-ip? inet:ip-address-no-zone
| +--ro src-port? inet:port-number | +--ro src-port? inet:port-number
| +--ro src-location? string | +--ro src-location? string
| +--ro dst-location? string | +--ro dst-location? string
| +--ro source-voice-id* string | +--ro source-voice-id* string
| +--ro destination-voice-id* string | +--ro destination-voice-id* string
| +--ro user-agent* string | +--ro user-agent* string
+--:(i2nsf-nsf-log-dpi) {i2nsf-nsf-log-dpi}? +--:(i2nsf-nsf-log-dpi) {i2nsf-nsf-log-dpi}?
+--ro i2nsf-nsf-log-dpi +--ro i2nsf-nsf-log-dpi
skipping to change at page 32, line 32 skipping to change at page 32, line 35
Figure 1: Information Model for NSF Monitoring Figure 1: Information Model for NSF Monitoring
9. YANG Data Model 9. YANG Data Model
This section describes a YANG module of I2NSF NSF Monitoring. The This section describes a YANG module of I2NSF NSF Monitoring. The
data model provided in this document uses identities to be used to data model provided in this document uses identities to be used to
get information of the monitored of an NSF's monitoring data. Every get information of the monitored of an NSF's monitoring data. Every
identity used in the document gives information or status about the identity used in the document gives information or status about the
current situation of an NSF. This YANG module imports from current situation of an NSF. This YANG module imports from
[RFC6991], and makes references to [RFC0768][RFC0791] [RFC6991], and makes references to [RFC0768][RFC0791]
[RFC0792][RFC0793][RFC0854] [RFC1939][RFC0959] [RFC0792][RFC0793][RFC0854] [RFC1939][RFC0959][RFC3501]
[RFC3501][RFC4340][RFC4443] [RFC4960][RFC5231][RFC7230] [RFC4340][RFC4443][RFC4960] [RFC5321][RFC6242][RFC7230]
[RFC7231][RFC8200][RFC8641] [I-D.ietf-tcpm-rfc793bis] [RFC7231][RFC8200][RFC8641] [I-D.ietf-tcpm-rfc793bis]
[IANA-HTTP-Status-Code] [IANA-Media-Types]. [IANA-HTTP-Status-Code] [IANA-Media-Types].
<CODE BEGINS> file "ietf-i2nsf-nsf-monitoring@2021-09-15.yang" <CODE BEGINS> file "ietf-i2nsf-nsf-monitoring@2021-10-15.yang"
module ietf-i2nsf-nsf-monitoring { module ietf-i2nsf-nsf-monitoring {
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"; "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring";
prefix prefix
nsfmi; nsfmi;
import ietf-inet-types{ import ietf-inet-types{
prefix inet; prefix inet;
reference reference
"Section 4 of RFC 6991"; "Section 4 of RFC 6991";
skipping to change at page 33, line 12 skipping to change at page 33, line 16
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
reference reference
"Section 3 of RFC 6991"; "Section 3 of RFC 6991";
} }
import ietf-i2nsf-policy-rule-for-nsf { import ietf-i2nsf-policy-rule-for-nsf {
prefix nsfintf; prefix nsfintf;
reference reference
"Section 4.1 of draft-ietf-i2nsf-nsf-facing-interface-dm-14"; "Section 4.1 of draft-ietf-i2nsf-nsf-facing-interface-dm-14";
} }
import ietf-interfaces {
prefix if;
reference
"Section 5 of RFC 8343";
}
organization organization
"IETF I2NSF (Interface to Network Security Functions) "IETF I2NSF (Interface to Network Security Functions)
Working Group"; Working Group";
contact contact
"WG Web: <https://tools.ietf.org/wg/i2nsf> "WG Web: <https://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org> WG List: <mailto:i2nsf@ietf.org>
Editor: Jaehoon Paul Jeong Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu> <mailto:pauljeong@skku.edu>
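Review bot: the new import of ietf-interfaces (prefix if, RFC 8343) is not reflected in the introductory sentence of Section 9, which still says the module "imports from [RFC6991]" only; add RFC 8343 to that sentence and make sure it appears as a normative reference, since a consumer needs that module to resolve if:interface-ref.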
skipping to change at page 33, line 49 skipping to change at page 34, line 9
without modification, is permitted pursuant to, and subject to without modification, is permitted pursuant to, and subject to
the license terms contained in, the Simplified BSD License set the license terms contained in, the Simplified BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
for full legal notices."; for full legal notices.";
revision "2021-09-15" { revision "2021-10-15" {
description "Latest revision"; description "Latest revision";
reference reference
"RFC XXXX: I2NSF NSF Monitoring Interface YANG Data Model"; "RFC XXXX: I2NSF NSF Monitoring Interface YANG Data Model";
// RFC Ed.: replace XXXX with an actual RFC number and remove // RFC Ed.: replace XXXX with an actual RFC number and remove
// this note. // this note.
} }
/* /*
* Typedefs * Typedefs
skipping to change at page 40, line 7 skipping to change at page 40, line 14
identity interface-alarm { identity interface-alarm {
base system-alarm; base system-alarm;
description description
"An interface alarm is alerted."; "An interface alarm is alerted.";
} }
identity access-violation { identity access-violation {
base system-event; base system-event;
description description
"The access-violation system event is an event when a user "The access-violation system event is an event when a user
tries to access (read or write) any information above their tries to access (read, write, create, or delete) any
privilege."; information or execute commands above their privilege.";
} }
identity configuration-change { identity configuration-change {
base system-event; base system-event;
description description
"The configuration-change system event is an event when a user "The configuration-change system event is an event when a user
adds a new configuration or modify an existing configuration adds a new configuration or modify an existing configuration
(write configuration)."; (write configuration).";
} }
identity attack-type { identity attack-type {
skipping to change at page 49, line 11 skipping to change at page 49, line 18
description description
"FTP protocol type."; "FTP protocol type.";
reference reference
"RFC 959: File Transfer Protocol"; "RFC 959: File Transfer Protocol";
} }
identity ssh { identity ssh {
base application-protocol; base application-protocol;
description description
"SSH protocol type."; "SSH protocol type.";
reference reference
"RFC 959: File Transfer Protocol"; "RFC 6242: Using the NETCONF Protocol over Secure Shell (SSH)";
} }
identity telnet { identity telnet {
base application-protocol; base application-protocol;
description description
"The identity for telnet."; "The identity for telnet.";
reference reference
"RFC 854: Telnet Protocol"; "RFC 854: Telnet Protocol";
} }
identity smtp { identity smtp {
base application-protocol; base application-protocol;
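Review bot: the corrected reference for identity ssh still points at the wrong document: RFC 6242 specifies how NETCONF runs over SSH, whereas this identity classifies SSH as an application protocol observed in traffic. Cite the SSH protocol itself, RFC 4251 (architecture) and RFC 4253 (transport layer), and add them to the references, in the same way the ftp and telnet identities above cite their protocol RFCs.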
skipping to change at page 50, line 33 skipping to change at page 50, line 40
} }
leaf nsf-name { leaf nsf-name {
type union { type union {
type string; type string;
type inet:ip-address-no-zone; type inet:ip-address-no-zone;
} }
description description
"The name or IP address of the NSF generating the message. "The name or IP address of the NSF generating the message.
If the given nsf-name is not IP address, the name can be an If the given nsf-name is not IP address, the name can be an
arbitrary string including FQDN (Fully Qualified Domain arbitrary string including FQDN (Fully Qualified Domain
Name). The name MUST be unique for different NSF to Name). The name MUST be unique in the scope of management
identify the NSF that generates the message."; domain for a different NSF to identify the NSF that
generates the message.";
} }
leaf severity { leaf severity {
type severity; type severity;
description description
"The severity of the alarm such as critical, high, "The severity of the alarm such as critical, high,
middle, and low."; middle, and low.";
} }
} }
grouping characteristics { grouping characteristics {
description description
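Review bot: in leaf nsf-name the union lists `type string` before `type inet:ip-address-no-zone`; YANG resolves a union to the first member type that accepts the value, and string accepts everything, so the address member is never selected and an IP-looking value receives no syntactic validation. Put inet:ip-address-no-zone first, or drop the union and keep string if any identifier is acceptable. The new "MUST be unique in the scope of management domain" wording is a deployment requirement the module cannot enforce (nsf-name is not a key anywhere), which is acceptable, but the sentence should say who is responsible for it.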
skipping to change at page 53, line 28 skipping to change at page 53, line 34
type inet:port-number; type inet:port-number;
description description
"The source port of the packet"; "The source port of the packet";
} }
leaf src-location { leaf src-location {
type string { type string {
length "1..100"; length "1..100";
pattern "[0-9a-zA-Z ]*"; pattern "[0-9a-zA-Z ]*";
} }
description description
"The source geographical location (e.g., country and city) of "The source geographical location (e.g., country and city)
the packet."; of the packet.";
} }
leaf dst-location { leaf dst-location {
type string { type string {
length "1..100"; length "1..100";
pattern "[0-9a-zA-Z ]*"; pattern "[0-9a-zA-Z ]*";
} }
description description
"The destination geographical location (e.g., country and "The destination geographical location (e.g., country and
city) of the packet."; city) of the packet.";
} }
skipping to change at page 54, line 14 skipping to change at page 54, line 21
"A set of traffic rates for monitoring attack traffic "A set of traffic rates for monitoring attack traffic
data"; data";
leaf attack-rate { leaf attack-rate {
type uint32; type uint32;
units "pps"; units "pps";
description description
"The average packets per second (pps) rate of attack "The average packets per second (pps) rate of attack
traffic"; traffic";
} }
leaf attack-speed { leaf attack-speed {
type uint32; type uint64;
units "bps"; units "Bps";
description description
"The average bits per second (bps) speed of attack traffic"; "The average bytes per second (Bps) speed of attack traffic";
} }
} }
grouping traffic-rates { grouping traffic-rates {
description description
"A set of traffic rates for statistics data"; "A set of traffic rates for statistics data";
leaf discontinuity-time {
type yang:date-and-time;
mandatory true;
description
"The time on the most recent occasion at which any one or
more of this interface's counters suffered a discontinuity.
If no such discontinuities have occurred since the last
re-initialization of the local management subsystem, then
this node contains the time the local management subsystem
re-initialized itself.";
}
leaf total-traffic { leaf total-traffic {
type yang:counter32; type yang:counter32;
units "packets"; units "packets";
description description
"The total number of traffic packets (in and out) in the "The total number of traffic packets (in and out) in the
NSF."; NSF.";
} }
leaf in-traffic-average-rate { leaf in-traffic-average-rate {
type uint32; type uint32;
units "pps"; units "pps";
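Review bot: attack-speed changes from uint32 in "bps" to uint64 in "Bps" without a rename, so a collector built against the previous revision will read bytes per second as bits per second and under-report attack volume by a factor of eight; record the unit change in the revision statement (currently just "Latest revision") or rename the leaf. Separately, the discontinuity-time added to grouping traffic-rates is copied from the ietf-interfaces counter description and speaks of "this interface's counters", but traffic-rates holds rates and speeds (its only counter is total-traffic) and is reused outside any interface context; reword it to refer to the counters of the enclosing node. Being `mandatory true` inside a grouping, it also becomes mandatory at every place the grouping is used.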
skipping to change at page 54, line 45 skipping to change at page 55, line 15
The average is calculated from the start of the NSF service The average is calculated from the start of the NSF service
until the generation of this record."; until the generation of this record.";
} }
leaf in-traffic-peak-rate { leaf in-traffic-peak-rate {
type uint32; type uint32;
units "pps"; units "pps";
description description
"Inbound traffic peak rate in packets per second (pps)."; "Inbound traffic peak rate in packets per second (pps).";
} }
leaf in-traffic-average-speed { leaf in-traffic-average-speed {
type uint32; type uint64;
units "bps"; units "Bps";
description description
"Inbound traffic average speed in bits per second (bps). "Inbound traffic average speed in bytes per second (Bps).
The average is calculated from the start of the NSF service The average is calculated from the start of the NSF service
until the generation of this record."; until the generation of this record.";
} }
leaf in-traffic-peak-speed { leaf in-traffic-peak-speed {
type uint32; type uint64;
units "bps"; units "Bps";
description description
"Inbound traffic peak speed in bits per second (bps)."; "Inbound traffic peak speed in bytes per second (Bps).";
} }
leaf out-traffic-average-rate { leaf out-traffic-average-rate {
type uint32; type uint32;
units "pps"; units "pps";
description description
"Outbound traffic average rate in packets per second (pps). "Outbound traffic average rate in packets per second (pps).
The average is calculated from the start of the NSF service The average is calculated from the start of the NSF service
until the generation of this record."; until the generation of this record.";
} }
leaf out-traffic-peak-rate { leaf out-traffic-peak-rate {
type uint32; type uint32;
units "pps"; units "pps";
description description
"Outbound traffic peak rate in packets per Second (pps)."; "Outbound traffic peak rate in packets per second (pps).";
} }
leaf out-traffic-average-speed { leaf out-traffic-average-speed {
type uint32; type uint64;
units "bps"; units "Bps";
description description
"Outbound traffic average speed in bits per second (bps). "Outbound traffic average speed in bytes per second (Bps).
The average is calculated from the start of the NSF service The average is calculated from the start of the NSF service
until the generation of this record."; until the generation of this record.";
} }
leaf out-traffic-peak-speed { leaf out-traffic-peak-speed {
type uint32; type uint64;
units "bps"; units "Bps";
description description
"Outbound traffic peak speed in bits per second (bps)."; "Outbound traffic peak speed in bytes per second (Bps).";
} }
} }
grouping i2nsf-system-counter-type-content{ grouping i2nsf-system-counter-type-content{
description description
"A set of counters for an interface traffic data."; "A set of counters for an interface traffic data.";
leaf interface-name { leaf interface-name {
type string; type if:interface-ref;
description description
"Network interface name configured in an NSF"; "Network interface name configured in an NSF";
reference
"RFC 8343: A YANG Data Model for Interface Management";
} }
leaf in-total-traffic-pkts { leaf in-total-traffic-pkts {
type yang:counter32; type yang:counter32;
description description
"Total inbound packets"; "Total inbound packets";
} }
leaf out-total-traffic-pkts { leaf out-total-traffic-pkts {
type yang:counter32; type yang:counter32;
description description
"Total outbound packets"; "Total outbound packets";
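Review bot: changing interface-name in grouping i2nsf-system-counter-type-content to if:interface-ref turns a free-form name into a leafref to /if:interfaces/if:interface/if:name, so every NSF emitting system-interface counters must implement ietf-interfaces and the value must resolve to an existing interface entry (require-instance defaults to true). That is a sound constraint for counters, but the description should state the dependency. The in-/out-traffic speed leaves in the same hunk also switch silently from bits to bytes per second (same concern as for attack-speed), so list them together with it in the revision statement.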
skipping to change at page 59, line 33 skipping to change at page 60, line 4
description description
"The alarm category for "The alarm category for
system-detection-alarm notification"; system-detection-alarm notification";
} }
leaf component-name { leaf component-name {
type string; type string;
description description
"The hardware component responsible for generating "The hardware component responsible for generating
the message. Applicable for Hardware Failure the message. Applicable for Hardware Failure
Alarm."; Alarm.";
} }
leaf interface-name { leaf interface-name {
type string; type if:interface-ref;
description description
"The interface name responsible for generating "The interface name responsible for generating
the message. Applicable for Network Interface the message. Applicable for Network Interface
Failure Alarm."; Failure Alarm.";
reference
"RFC 8343: A YANG Data Model for Interface Management";
} }
leaf interface-state { leaf interface-state {
type enumeration { type enumeration {
enum down { enum down {
description description
"The interface state is down."; "The interface state is down.";
} }
enum up { enum up {
description description
"The interface state is up and not congested."; "The interface state is up and not congested.";
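Review bot: interface-name in the system-detection-alarm case is now if:interface-ref, a leafref into the interface list; this alarm is raised for an interface failure, and if the failed or removed interface has already disappeared from /if:interfaces the reference no longer resolves and the alarm cannot be validly emitted. Confirm that the interface entry is guaranteed to persist while the alarm is sent, or keep a plain string here (or a leafref with require-instance false) so that the failure report does not depend on the failed component.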
skipping to change at page 62, line 31 skipping to change at page 63, line 5
sub-logs. Only 1 sub-event will be instantiated in each sub-logs. Only 1 sub-event will be instantiated in each
i2nsf-logs message. Each case is expected to define one i2nsf-logs message. Each case is expected to define one
container with all the sub-logs fields."; container with all the sub-logs fields.";
case i2nsf-nsf-system-access-log { case i2nsf-nsf-system-access-log {
container i2nsf-nsf-system-access-log { container i2nsf-nsf-system-access-log {
description description
"The notification is sent, if there is a new system "The notification is sent, if there is a new system
log entry about a system access event."; log entry about a system access event.";
leaf login-ip { leaf login-ip {
type inet:ip-address-no-zone; type inet:ip-address-no-zone;
mandatory true;
description description
"Login IP address of a user"; "Login IP address of a user";
} }
leaf username { leaf username {
type string; type string;
description description
"The login username that maintains the device"; "The login username that maintains the device";
} }
leaf login-role { leaf login-role {
type login-role; type login-role;
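Review bot: login-ip in i2nsf-nsf-system-access-log is now `mandatory true`, which rules out reporting logins that do not arrive over IP (local console or serial access), exactly the sessions an auditor most wants logged, and forces the NSF either to suppress the entry or to fill in a placeholder address. Keep login-ip optional and, if one field must be mandatory, make it username.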
skipping to change at page 65, line 23 skipping to change at page 65, line 44
second"; second";
} }
leaf out-traffic-rate { leaf out-traffic-rate {
type uint32; type uint32;
units "pps"; units "pps";
description description
"The total outbound traffic rate in packets per "The total outbound traffic rate in packets per
second"; second";
} }
leaf in-traffic-speed { leaf in-traffic-speed {
type uint32; type uint64;
units "bps"; units "Bps";
description description
"The total inbound traffic speed in bits per second"; "The total inbound traffic speed in bytes per second";
} }
leaf out-traffic-speed { leaf out-traffic-speed {
type uint32; type uint64;
units "bps"; units "Bps";
description description
"The total outbound traffic speed in bits per "The total outbound traffic speed in bytes per
second"; second";
} }
} }
uses characteristics; uses characteristics;
uses common-monitoring-data; uses common-monitoring-data;
} }
} }
case i2nsf-system-user-activity-log { case i2nsf-system-user-activity-log {
container i2nsf-system-user-activity-log { container i2nsf-system-user-activity-log {
skipping to change at page 68, line 11 skipping to change at page 68, line 33
"The time stamp indicating when the attack ended"; "The time stamp indicating when the attack ended";
} }
leaf-list attack-src-ip { leaf-list attack-src-ip {
type inet:ip-address-no-zone; type inet:ip-address-no-zone;
description description
"The source IPv4 (or IPv6) addresses of attack "The source IPv4 (or IPv6) addresses of attack
traffic. It can hold multiple IPv4 (or IPv6) traffic. It can hold multiple IPv4 (or IPv6)
addresses."; addresses.";
} }
leaf-list attack-dst-ip { leaf-list attack-dst-ip {
type inet:ip-prefix; type inet:ip-address-no-zone;
description description
"The destination IPv4 (or IPv6) addresses of attack "The destination IPv4 (or IPv6) addresses of attack
traffic. It can hold multiple IPv4 (or IPv6) traffic. It can hold multiple IPv4 (or IPv6)
addresses."; addresses.";
} }
leaf-list attack-src-port { leaf-list attack-src-port {
type inet:port-number; type inet:port-number;
description description
"The source ports of the DDoS attack"; "The source ports of the DDoS attack";
} }
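Review bot: attack-dst-ip changes from inet:ip-prefix to inet:ip-address-no-zone, which makes it symmetric with attack-src-ip but removes the ability to report an attack aimed at a whole subnet rather than at individual hosts; if prefix-scoped targets are still needed, a union of inet:ip-address-no-zone and inet:ip-prefix keeps both. Either way the description ("The destination IPv4 (or IPv6) addresses of attack traffic") now matches the type, which it did not before.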
skipping to change at page 73, line 39 skipping to change at page 74, line 12
} }
list nsf-policy-hits { list nsf-policy-hits {
key policy-name; key policy-name;
description description
"Policy Hit Counters record the number of hits that traffic "Policy Hit Counters record the number of hits that traffic
packets match a security policy. It can check if policy packets match a security policy. It can check if policy
configurations are correct or not."; configurations are correct or not.";
uses characteristics; uses characteristics;
uses i2nsf-nsf-counters-type-content; uses i2nsf-nsf-counters-type-content;
uses common-monitoring-data; uses common-monitoring-data;
leaf discontinuity-time {
type yang:date-and-time;
mandatory true;
description
"The time on the most recent occasion at which any one or
more of this interface's counters suffered a discontinuity.
If no such discontinuities have occurred since the last
re-initialization of the local management subsystem, then
this node contains the time the local management subsystem
re-initialized itself.";
}
leaf hit-times { leaf hit-times {
type yang:counter32; type yang:counter32;
description description
"The number of times a policy is hit"; "The number of times a policy is hit";
} }
uses timestamp; uses timestamp;
} }
} }
container i2nsf-monitoring-configuration { container i2nsf-monitoring-configuration {
description description
"The container for configuring I2NSF monitoring."; "The container for configuring I2NSF monitoring.";
container i2nsf-system-detection-alarm { container i2nsf-system-detection-alarm {
description description
"The container for configuring I2NSF system-detection-alarm "The container for configuring I2NSF system-detection-alarm
notification"; notification";
uses enable-notification; uses enable-notification;
list system-alarm { list system-alarm {
key alarm-type; key alarm-type;
description description
"Configuration for system alarm (i.e., CPU, Memory, "Configuration for system alarm (i.e., CPU, Memory, and
and Disk Usage)"; Disk Usage)";
leaf alarm-type { leaf alarm-type {
type enumeration { type enumeration {
enum cpu { enum cpu {
description description
"To configure the CPU usage threshold to trigger the "To configure the CPU usage threshold to trigger the
cpu-alarm"; cpu-alarm";
} }
enum memory { enum memory {
description description
"To configure the Memory usage threshold to trigger "To configure the Memory usage threshold to trigger
the memory-alarm"; the memory-alarm";
} }
enum disk { enum disk {
description description
"To configure the Disk (storage) usage threshold to "To configure the Disk (storage) usage threshold to
trigger the disk-alarm"; trigger the disk-alarm";
} }
} }
description description
"Type of alarm to be configured"; "Type of alarm to be configured. The three alarm-types
defined here are used to configure the threshold of the
monitoring notification. The threshold is used to
determine when the notification should be sent.
The other two alarms defined in the module (i.e.,
hardware-alarm and interface-alarm) do not use any
threshold value to create a notification. These alarms
detect a failure or a change of state to create a
notification.";
} }
leaf threshold { leaf threshold {
type uint8 { type uint8 {
range "1..100"; range "1..100";
} }
units "percent"; units "percent";
description description
"The configuration for threshold percentage to trigger "The configuration for threshold percentage to trigger
the alarm. The alarm will be triggered if the usage the alarm. The alarm will be triggered if the usage
is exceeded the threshold."; is exceeded the threshold.";
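Review bot: the discontinuity-time added to list nsf-policy-hits reuses the ietf-interfaces text "any one or more of this interface's counters", but this list is keyed by policy-name and its only counter is hit-times; reword the description to the policy hit counter so the reset semantics are unambiguous. Placing the leaf after the three `uses` statements rather than before them is fine, but keeping all discontinuity-time leaves in one grouping would avoid the copy-and-paste drift seen here.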
skipping to change at page 80, line 12 skipping to change at page 81, line 12
The following XML file shows the reply from the NETCONF Server (e.g., The following XML file shows the reply from the NETCONF Server (e.g.,
NSF): NSF):
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<rpc-reply message-id="1" <rpc-reply message-id="1"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<data> <data>
<i2nsf-counters <i2nsf-counters
xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring">
<system-interface> <system-interface>
<discontinuity-time>
2021-04-29T08:43:52.181088+00:00
</discontinuity-time>
<interface-name>ens3</interface-name> <interface-name>ens3</interface-name>
<acquisition-method <acquisition-method
xmlns:nsfmi="urn:ietf:params:xml:ns:yang:\ xmlns:nsfmi="urn:ietf:params:xml:ns:yang:\
ietf-i2nsf-nsf-monitoring"> ietf-i2nsf-nsf-monitoring">
nsfmi:query nsfmi:query
</acquisition-method> </acquisition-method>
<in-total-traffic-bytes>549050</in-total-traffic-bytes> <in-total-traffic-bytes>549050</in-total-traffic-bytes>
<out-total-traffic-bytes>814956</out-total-traffic-bytes> <out-total-traffic-bytes>814956</out-total-traffic-bytes>
<in-drop-traffic-bytes>0</in-drop-traffic-bytes> <in-drop-traffic-bytes>0</in-drop-traffic-bytes>
<out-drop-traffic-bytes>5078</out-drop-traffic-bytes> <out-drop-traffic-bytes>5078</out-drop-traffic-bytes>
<nsf-name>time_based_firewall</nsf-name> <nsf-name>time_based_firewall</nsf-name>
</system-interface> </system-interface>
<system-interface> <system-interface>
<discontinuity-time>
2021-04-29T08:43:52.181088+00:00
</discontinuity-time>
<interface-name>lo</interface-name> <interface-name>lo</interface-name>
<acquisition-method <acquisition-method
xmlns:nsfmi="urn:ietf:params:xml:ns:yang:\ xmlns:nsfmi="urn:ietf:params:xml:ns:yang:\
ietf-i2nsf-nsf-monitoring"> ietf-i2nsf-nsf-monitoring">
nsfmi:query nsfmi:query
</acquisition-method> </acquisition-method>
<in-total-traffic-bytes>48487</in-total-traffic-bytes> <in-total-traffic-bytes>48487</in-total-traffic-bytes>
<out-total-traffic-bytes>48487</out-total-traffic-bytes> <out-total-traffic-bytes>48487</out-total-traffic-bytes>
<in-drop-traffic-bytes>0</in-drop-traffic-bytes> <in-drop-traffic-bytes>0</in-drop-traffic-bytes>
<out-drop-traffic-bytes>0</out-drop-traffic-bytes> <out-drop-traffic-bytes>0</out-drop-traffic-bytes>
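Review bot: in the added discontinuity-time elements the timestamp sits on its own line with leading and trailing whitespace inside the element, and yang:date-and-time is pattern-restricted, so a validating NETCONF client will reject the value as not matching the pattern. Keep the value inline in the element; if the line then exceeds the 72-column limit, fold it with the RFC 8792 convention the example already uses for the xmlns attribute on acquisition-method.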
skipping to change at page 84, line 49 skipping to change at page 86, line 20
[RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet
Control Message Protocol (ICMPv6) for the Internet Control Message Protocol (ICMPv6) for the Internet
Protocol Version 6 (IPv6) Specification", STD 89, Protocol Version 6 (IPv6) Specification", STD 89,
RFC 4443, DOI 10.17487/RFC4443, March 2006, RFC 4443, DOI 10.17487/RFC4443, March 2006,
<https://www.rfc-editor.org/info/rfc4443>. <https://www.rfc-editor.org/info/rfc4443>.
[RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol",
RFC 4960, DOI 10.17487/RFC4960, September 2007, RFC 4960, DOI 10.17487/RFC4960, September 2007,
<https://www.rfc-editor.org/info/rfc4960>. <https://www.rfc-editor.org/info/rfc4960>.
[RFC5231] Segmuller, W. and B. Leiba, "Sieve Email Filtering:
              Relational Extension", RFC 5231, DOI 10.17487/RFC5231,
              January 2008, <https://www.rfc-editor.org/info/rfc5231>.
              (this entry appears on only one side of the diff)

   [RFC5277]  Chisholm, S. and H. Trevino, "NETCONF Event
              Notifications", RFC 5277, DOI 10.17487/RFC5277, July 2008,
              <https://www.rfc-editor.org/info/rfc5277>.

   [RFC5321]  Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
              DOI 10.17487/RFC5321, October 2008,
              <https://www.rfc-editor.org/info/rfc5321>.
              (this entry appears on only one side of the diff)

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
              <https://www.rfc-editor.org/info/rfc6241>.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
              <https://www.rfc-editor.org/info/rfc6242>.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",

   (skipping to change at page 87, line 9 of draft-10 / page 88, line 34 of draft-11)

   [RFC8792]  Watsen, K., Auerswald, E., Farrel, A., and Q. Wu,
              "Handling Long Lines in Content of Internet-Drafts and
              RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020,
              <https://www.rfc-editor.org/info/rfc8792>.

   [I-D.ietf-i2nsf-consumer-facing-interface-dm]
              Jeong, J. (., Chung, C., Ahn, T., Kumar, R., and S. Hares,
              "I2NSF Consumer-Facing Interface YANG Data Model", Work in
              Progress, Internet-Draft,
     draft-10: draft-ietf-i2nsf-consumer-facing-interface-dm-14, 21 August 2021,
               <https://www.ietf.org/archive/id/draft-ietf-i2nsf-consumer-facing-interface-dm-14.txt>.
     draft-11: draft-ietf-i2nsf-consumer-facing-interface-dm-15, 15 September 2021,
               <https://www.ietf.org/archive/id/draft-ietf-i2nsf-consumer-facing-interface-dm-15.txt>.

   [I-D.ietf-i2nsf-nsf-facing-interface-dm]
              Kim, J. (., Jeong, J. (., Park, J., Hares, S., and Q. Lin,
              "I2NSF Network Security Function-Facing Interface YANG
              Data Model", Work in Progress, Internet-Draft,
     draft-10: draft-ietf-i2nsf-nsf-facing-interface-dm-13, 15 August 2021,
               <https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf-facing-interface-dm-13.txt>.
     draft-11: draft-ietf-i2nsf-nsf-facing-interface-dm-14, 15 September 2021,
               <https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf-facing-interface-dm-14.txt>.

   [I-D.ietf-i2nsf-registration-interface-dm]
              Hyun, S., Jeong, J. P., Roh, T., Wi, S., and J. Park,
              "I2NSF Registration Interface YANG Data Model", Work in
              Progress, Internet-Draft,
     draft-10: draft-ietf-i2nsf-registration-interface-dm-11, 21 August 2021,
               <https://www.ietf.org/archive/id/draft-ietf-i2nsf-registration-interface-dm-11.txt>.
     draft-11: draft-ietf-i2nsf-registration-interface-dm-12, 15 September 2021,
               <https://www.ietf.org/archive/id/draft-ietf-i2nsf-registration-interface-dm-12.txt>.

   [I-D.ietf-i2nsf-applicability]
              Jeong, J. P., Hyun, S., Ahn, T., Hares, S., and D. R.
              Lopez, "Applicability of Interfaces to Network Security
              Functions to Network-Based Security Services", Work in
              Progress, Internet-Draft, draft-ietf-i2nsf-applicability-
              18, 16 September 2019, <https://www.ietf.org/archive/id/
              draft-ietf-i2nsf-applicability-18.txt>.

   [I-D.yang-i2nsf-security-policy-translation]
   End of changes. 90 change blocks; 113 lines changed or deleted, 163 lines changed or added.

   This diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/