--- 1/draft-ietf-i2nsf-nsf-monitoring-data-model-10.txt 2021-10-15 07:13:37.230251590 -0700 +++ 2/draft-ietf-i2nsf-nsf-monitoring-data-model-11.txt 2021-10-15 07:13:37.386255493 -0700 @@ -1,23 +1,23 @@ Network Working Group J. Jeong, Ed. Internet-Draft P. Lingga Intended status: Standards Track Sungkyunkwan University -Expires: 19 March 2022 S. Hares +Expires: 18 April 2022 S. Hares L. Xia Huawei H. Birkholz Fraunhofer SIT - 15 September 2021 + 15 October 2021 I2NSF NSF Monitoring Interface YANG Data Model - draft-ietf-i2nsf-nsf-monitoring-data-model-10 + draft-ietf-i2nsf-nsf-monitoring-data-model-11 Abstract This document proposes an information model and the corresponding YANG data model of an interface for monitoring Network Security Functions (NSFs) in the Interface to Network Security Functions (I2NSF) framework. If the monitoring of NSFs is performed with the NSF monitoring interface in a comprehensive way, it is possible to detect the indication of malicious activity, anomalous behavior, the potential sign of denial of service attacks, or system overload in a 
@@ -35,21 +35,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 19 March 2022. + This Internet-Draft will expire on 18 April 2022. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights 
@@ -94,34 +94,34 @@ 6.5.1. Deep Packet Inspection Log . . . . . . . . . . . . . 20 6.6. System Counter . . . . . . . . . . . . . . . . . . . . . 20 6.6.1. Interface Counter . . . . . . . . . . . . . . . . . . 21 6.7. NSF Counters . . . . . . . . . . . . . . . . . . . . . . 22 6.7.1. Firewall Counter . . . . . . . . . . . . . . . . . . 22 6.7.2. Policy Hit Counter . . . . . . . . . . . . . . . . . 23 7. NSF Monitoring Management in I2NSF . . . . . . . . . . . . . 24 8. Tree Structure . . . . . . . . . . . . . . . . . . . . . . . 25 9. YANG Data Model . . . . . . . . . . . . . . . . . . . . . . . 32 - 10. I2NSF Event Stream . . . . . . . . . . . . . . . . . . . . . 77 - 11. XML Examples for I2NSF NSF Monitoring . . . . . . . . . . . . 78 - 11.1. I2NSF System Detection Alarm . . . . . . . . . . . . . . 78 - 11.2. I2NSF Interface Counters . . . . . . . . . . . . . . . . 79 - 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 80 - 13. Security Considerations . . . . . . . . . . . . . . . . . . . 81 - 14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 82 - 15. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 83 - 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 83 - 16.1. Normative References . . . . . . . . . . . . . . . . . . 83 - 16.2. Informative References . . . . . . . . . . . . . . . . . 86 + 10. I2NSF Event Stream . . . . . . . . . . . . . . . . . . . . . 78 + 11. XML Examples for I2NSF NSF Monitoring . . . . . . . . . . . . 79 + 11.1. I2NSF System Detection Alarm . . . . . . . . . . . . . . 79 + 11.2. I2NSF Interface Counters . . . . . . . . . . . . . . . . 80 + 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 82 + 13. Security Considerations . . . . . . . . . . . . . . . . . . . 82 + 14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 84 + 15. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 84 + 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 
84 + 16.1. Normative References . . . . . . . . . . . . . . . . . . 84 + 16.2. Informative References . . . . . . . . . . . . . . . . . 88 Appendix A. Changes from - draft-ietf-i2nsf-nsf-monitoring-data-model-09 . . . . . . 88 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 88 + draft-ietf-i2nsf-nsf-monitoring-data-model-09 . . . . . . 89 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 89 1. Introduction According to [RFC8329], the interface provided by a Network Security Function (NSF) (e.g., Firewall, IPS, or Anti-DDoS function) to administrative entities (e.g., Security Controller) to enable remote management (i.e., configuring and monitoring) is referred to as an I2NSF Monitoring Interface. This interface enables the sharing of vital data from the NSFs (e.g., alarms, records, and counters) to the Security Controller through a variety of mechanisms (e.g., queries, 
@@ -376,24 +376,24 @@ available from the NSF that can be monitored. Firstly, there must be some general information with each monitoring message sent from an NSF that helps a consumer to identify meta data with that message, which are listed as below: * message: The extra detail to give the context of the information. * vendor-name: The name of the NSF vendor. * nsf-name: The name or IP address of the NSF generating the - message. If the given nsf-name is not an IP address, the name can - be an arbitrary string including FQDN (Fully Qualified Domain - Name). The name MUST be unique for different NSFs to identify the - NSF that generates the message. + message. If the given nsf-name is not IP address, the name can be + an arbitrary string including FQDN (Fully Qualified Domain Name). + The name MUST be unique in the scope of management domain for a + different NSF to identify the NSF that generates the message. * severity: It indicates the severity level. There are total four levels, i.e., critical, high, middle, and low. * timestamp: Indicates the time when the message is generated. For the notification operations (i.e., System Alarms, System Events, NSF Events, System Logs, and NSF Logs), this is represented by the eventTime of NETCONF event notification [RFC5277] For other operations (i.e., System Counter and NSF Counter), the timestamp MUST be provided separately. 
@@ -540,22 +540,22 @@ * acquisition-method: subscription * emission-type: on-change * dampening-type: on-repetition 6.2.1. Access Violation The access-violation system event is an event when a user tries to - access (read or write) any information above their privilege. The - following information should be included in this event: + access (read, write, create, or delete) any information or execute + commands above their privilege. * event-name: access-denied. * user: Name of a user. * group: Group(s) to which a user belongs. A user can belong to multiple groups. * ip-address: The IP address of the user that triggered the event. @@ -650,21 +650,21 @@ * dst-port: The port number that the attack traffic aims at. * start-time: The time stamp indicating when the attack started. * end-time: The time stamp indicating when the attack ended. If the attack is still undergoing when sending out the alarm, this field can be empty. * attack-rate: The packets per second of attack traffic. - * attack-speed: the bits per second of attack traffic. + * attack-speed: The bytes per second of attack traffic. * rule-name: The name of the I2NSF Policy Rule being triggered. Note that rule-name is used to match a detected NSF event with a policy rule in [I-D.ietf-i2nsf-nsf-facing-interface-dm], and also that there is no rule-name in a system event. 6.3.2. Virus Event The following information should be included in a Virus Event: 
@@ -863,24 +863,24 @@ * interface-id: Specifies the interface ID to identify the network interface. * in-traffic-rate: The total inbound traffic rate in packets per second. * out-traffic-rate: The total outbound traffic rate in packets per second. - * in-traffic-speed: The total inbound traffic speed in bits per + * in-traffic-speed: The total inbound traffic speed in bytes per second. - * out-traffic-speed: The total outbound traffic speed in bits per + * out-traffic-speed: The total outbound traffic speed in bytes per second. 6.4.3. User Activity Log User activity logs provide visibility into users' online records (such as login time, online/lockout duration, and login IP addresses) and the actions that users perform. User activity reports are helpful to identify exceptions during a user's login and network access activities. @@ -969,36 +969,36 @@ * in-drop-traffic-bytes: Total inbound drop bytes. * out-drop-traffic-bytes: Total outbound drop bytes. * in-traffic-average-rate: Inbound traffic average rate in packets per second. * in-traffic-peak-rate: Inbound traffic peak rate in packets per second. - * in-traffic-average-speed: Inbound traffic average speed in bits + * in-traffic-average-speed: Inbound traffic average speed in bytes per second. - * in-traffic-peak-speed: Inbound traffic peak speed in bits per + * in-traffic-peak-speed: Inbound traffic peak speed in bytes per second. * out-traffic-average-rate: Outbound traffic average rate in packets per second. * out-traffic-peak-rate: Outbound traffic peak rate in packets per second. - * out-traffic-average-speed: Outbound traffic average speed in bits + * out-traffic-average-speed: Outbound traffic average speed in bytes per second. - * out-traffic-peak-speed: Outbound traffic peak speed in bits per + * out-traffic-peak-speed: Outbound traffic peak speed in bytes per second. 6.7. NSF Counters NSF counters have the following characteristics: * acquisition-method: subscription or query * emission-type: periodic 
@@ -1033,36 +1033,36 @@ * out-interface: Outbound interface of traffic. * total-traffic: Total traffic volume. * in-traffic-average-rate: Inbound traffic average rate in packets per second. * in-traffic-peak-rate: Inbound traffic peak rate in packets per second. - * in-traffic-average-speed: Inbound traffic average speed in bits + * in-traffic-average-speed: Inbound traffic average speed in bytes per second. - * in-traffic-peak-speed: Inbound traffic peak speed in bits per + * in-traffic-peak-speed: Inbound traffic peak speed in bytes per second. * out-traffic-average-rate: Outbound traffic average rate in packets per second. * out-traffic-peak-rate: Outbound traffic peak rate in packets per second. - * out-traffic-average-speed: Outbound traffic average speed in bits + * out-traffic-average-speed: Outbound traffic average speed in bytes per second. - * out-traffic-peak-speed: Outbound traffic peak speed in bits per + * out-traffic-peak-speed: Outbound traffic peak speed in bytes per second. 6.7.2. Policy Hit Counter Policy Hit Counters record the security policy that traffic matches and its hit count. It can check if policy configurations are correct. * src-ip: Source IP address of traffic. 
@@ -1138,75 +1138,78 @@ The tree structure of the NSF monitoring YANG module is provided below: module: ietf-i2nsf-nsf-monitoring +--ro i2nsf-counters | +--ro system-interface* [interface-name] | | +--ro acquisition-method? identityref | | +--ro emission-type? identityref | | +--ro dampening-type? identityref - | | +--ro interface-name string + | | +--ro interface-name if:interface-ref | | +--ro in-total-traffic-pkts? yang:counter32 | | +--ro out-total-traffic-pkts? yang:counter32 | | +--ro in-total-traffic-bytes? uint64 | | +--ro out-total-traffic-bytes? uint64 | | +--ro in-drop-traffic-pkts? yang:counter32 | | +--ro out-drop-traffic-pkts? yang:counter32 | | +--ro in-drop-traffic-bytes? uint64 | | +--ro out-drop-traffic-bytes? uint64 + | | +--ro discontinuity-time yang:date-and-time | | +--ro total-traffic? yang:counter32 | | +--ro in-traffic-average-rate? uint32 | | +--ro in-traffic-peak-rate? uint32 - | | +--ro in-traffic-average-speed? uint32 - | | +--ro in-traffic-peak-speed? uint32 + | | +--ro in-traffic-average-speed? uint64 + | | +--ro in-traffic-peak-speed? uint64 | | +--ro out-traffic-average-rate? uint32 | | +--ro out-traffic-peak-rate? uint32 - | | +--ro out-traffic-average-speed? uint32 - | | +--ro out-traffic-peak-speed? uint32 + | | +--ro out-traffic-average-speed? uint64 + | | +--ro out-traffic-peak-speed? uint64 | | +--ro message? string | | +--ro vendor-name? string | | +--ro nsf-name? union | | +--ro severity? severity | | +--ro timestamp? yang:date-and-time | +--ro nsf-firewall* [policy-name] | | +--ro acquisition-method? identityref | | +--ro emission-type? identityref | | +--ro dampening-type? identityref | | +--ro policy-name -> /nsfintf:i2nsf-security-policy/system-policy-name | | +--ro src-user? string + | | +--ro discontinuity-time yang:date-and-time | | +--ro total-traffic? yang:counter32 | | +--ro in-traffic-average-rate? uint32 | | +--ro in-traffic-peak-rate? uint32 - | | +--ro in-traffic-average-speed? 
uint32 - | | +--ro in-traffic-peak-speed? uint32 + | | +--ro in-traffic-average-speed? uint64 + | | +--ro in-traffic-peak-speed? uint64 | | +--ro out-traffic-average-rate? uint32 | | +--ro out-traffic-peak-rate? uint32 - | | +--ro out-traffic-average-speed? uint32 - | | +--ro out-traffic-peak-speed? uint32 + | | +--ro out-traffic-average-speed? uint64 + | | +--ro out-traffic-peak-speed? uint64 | | +--ro message? string | | +--ro vendor-name? string | | +--ro nsf-name? union | | +--ro severity? severity | | +--ro timestamp? yang:date-and-time | +--ro nsf-policy-hits* [policy-name] | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro dampening-type? identityref | +--ro policy-name -> /nsfintf:i2nsf-security-policy/system-policy-name | +--ro src-user? string | +--ro message? string | +--ro vendor-name? string | +--ro nsf-name? union | +--ro severity? severity + | +--ro discontinuity-time yang:date-and-time | +--ro hit-times? yang:counter32 | +--ro timestamp? yang:date-and-time +--rw i2nsf-monitoring-configuration +--rw i2nsf-system-detection-alarm | +--rw enabled? boolean | +--rw system-alarm* [alarm-type] | +--rw alarm-type enumeration | +--rw threshold? uint8 | +--rw dampening-period? uint32 +--rw i2nsf-system-detection-event @@ -1244,21 +1248,21 @@ +--rw i2nsf-counter +--rw period? uint16 notifications: +---n i2nsf-event | +--ro (sub-event-type)? | +--:(i2nsf-system-detection-alarm) | | +--ro i2nsf-system-detection-alarm | | +--ro alarm-category? identityref | | +--ro component-name? string - | | +--ro interface-name? string + | | +--ro interface-name? if:interface-ref | | +--ro interface-state? enumeration | | +--ro acquisition-method? identityref | | +--ro emission-type? identityref | | +--ro dampening-type? identityref | | +--ro usage? uint8 | | +--ro threshold? uint8 | | +--ro message? string | | +--ro vendor-name? string | | +--ro nsf-name? union | | +--ro severity? severity 
@@ -1297,21 +1301,21 @@ | +--ro maximum-session? uint32 | +--ro threshold? uint32 | +--ro message? string | +--ro vendor-name? string | +--ro nsf-name? union | +--ro severity? severity +---n i2nsf-log | +--ro (sub-logs-type)? | +--:(i2nsf-nsf-system-access-log) | | +--ro i2nsf-nsf-system-access-log - | | +--ro login-ip inet:ip-address-no-zone + | | +--ro login-ip? inet:ip-address-no-zone | | +--ro username? string | | +--ro login-role? login-role | | +--ro operation-type? operation-type | | +--ro input? string | | +--ro output? string | | +--ro acquisition-method? identityref | | +--ro emission-type? identityref | | +--ro dampening-type? identityref | | +--ro message? string | | +--ro vendor-name? string @@ -1325,22 +1329,22 @@ | | +--ro disk* [disk-id] | | | +--ro disk-id string | | | +--ro disk-usage? uint8 | | | +--ro disk-left? uint8 | | +--ro session-num? uint32 | | +--ro process-num? uint32 | | +--ro interface* [interface-id] | | | +--ro interface-id string | | | +--ro in-traffic-rate? uint32 | | | +--ro out-traffic-rate? uint32 - | | | +--ro in-traffic-speed? uint32 - | | | +--ro out-traffic-speed? uint32 + | | | +--ro in-traffic-speed? uint64 + | | | +--ro out-traffic-speed? uint64 | | +--ro acquisition-method? identityref | | +--ro emission-type? identityref | | +--ro dampening-type? identityref | | +--ro message? string | | +--ro vendor-name? string | | +--ro nsf-name? union | | +--ro severity? severity | +--:(i2nsf-system-user-activity-log) | +--ro i2nsf-system-user-activity-log | +--ro acquisition-method? identityref 
@@ -1358,28 +1362,28 @@ | +--ro logout-duration? uint32 | +--ro additional-info? enumeration +---n i2nsf-nsf-event +--ro (sub-event-type)? +--:(i2nsf-nsf-detection-ddos) {i2nsf-nsf-detection-ddos}? | +--ro i2nsf-nsf-detection-ddos | +--ro attack-type? identityref | +--ro start-time yang:date-and-time | +--ro end-time yang:date-and-time | +--ro attack-src-ip* inet:ip-address-no-zone - | +--ro attack-dst-ip* inet:ip-prefix + | +--ro attack-dst-ip* inet:ip-address-no-zone | +--ro attack-src-port* inet:port-number | +--ro attack-dst-port* inet:port-number | +--ro rule-name -> /nsfintf:i2nsf-security-policy/rules/rule-name | +--ro raw-info? string | +--ro attack-rate? uint32 - | +--ro attack-speed? uint32 + | +--ro attack-speed? uint64 | +--ro action* log-action | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro dampening-type? identityref | +--ro message? string | +--ro vendor-name? string | +--ro nsf-name? union | +--ro severity? severity +--:(i2nsf-nsf-detection-virus) {i2nsf-nsf-detection-virus}? @@ -1416,21 +1420,21 @@ | +--ro raw-info? string | +--ro src-ip? inet:ip-address-no-zone | +--ro src-port? inet:port-number | +--ro src-location? string | +--ro dst-location? string | +--ro protocol? identityref | +--ro app? identityref | +--ro attack-type? identityref | +--ro action* log-action | +--ro attack-rate? uint32 - | +--ro attack-speed? uint32 + | +--ro attack-speed? uint64 | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro dampening-type? identityref | +--ro message? string | +--ro vendor-name? string | +--ro nsf-name? union | +--ro severity? severity +--:(i2nsf-nsf-detection-web-attack) {i2nsf-nsf-detection-web-attack}? | +--ro i2nsf-nsf-detection-web-attack 
@@ -1491,26 +1495,26 @@ Figure 1: Information Model for NSF Monitoring 9. YANG Data Model This section describes a YANG module of I2NSF NSF Monitoring. The data model provided in this document uses identities to be used to get information of the monitored of an NSF's monitoring data. Every identity used in the document gives information or status about the current situation of an NSF. This YANG module imports from [RFC6991], and makes references to [RFC0768][RFC0791] - [RFC0792][RFC0793][RFC0854] [RFC1939][RFC0959] - [RFC3501][RFC4340][RFC4443] [RFC4960][RFC5231][RFC7230] + [RFC0792][RFC0793][RFC0854] [RFC1939][RFC0959][RFC3501] + [RFC4340][RFC4443][RFC4960] [RFC5321][RFC6242][RFC7230] [RFC7231][RFC8200][RFC8641] [I-D.ietf-tcpm-rfc793bis] [IANA-HTTP-Status-Code] [IANA-Media-Types]. - file "ietf-i2nsf-nsf-monitoring@2021-09-15.yang" + file "ietf-i2nsf-nsf-monitoring@2021-10-15.yang" module ietf-i2nsf-nsf-monitoring { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"; prefix nsfmi; import ietf-inet-types{ prefix inet; reference "Section 4 of RFC 6991"; @@ -1518,20 +1523,25 @@ import ietf-yang-types { prefix yang; reference "Section 3 of RFC 6991"; } import ietf-i2nsf-policy-rule-for-nsf { prefix nsfintf; reference "Section 4.1 of draft-ietf-i2nsf-nsf-facing-interface-dm-14"; } + import ietf-interfaces { + prefix if; + reference + "Section 5 of RFC 8343"; + } organization "IETF I2NSF (Interface to Network Security Functions) Working Group"; contact "WG Web: WG List: Editor: Jaehoon Paul Jeong 
@@ -1555,21 +1565,21 @@ without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself for full legal notices."; - revision "2021-09-15" { + revision "2021-10-15" { description "Latest revision"; reference "RFC XXXX: I2NSF NSF Monitoring Interface YANG Data Model"; // RFC Ed.: replace XXXX with an actual RFC number and remove // this note. } /* * Typedefs @@ -1849,22 +1859,22 @@ identity interface-alarm { base system-alarm; description "An interface alarm is alerted."; } identity access-violation { base system-event; description "The access-violation system event is an event when a user - tries to access (read or write) any information above their - privilege."; + tries to access (read, write, create, or delete) any + information or execute commands above their privilege."; } identity configuration-change { base system-event; description "The configuration-change system event is an event when a user adds a new configuration or modify an existing configuration (write configuration)."; } identity attack-type { @@ -2286,21 +2298,21 @@ description "FTP protocol type."; reference "RFC 959: File Transfer Protocol"; } identity ssh { base application-protocol; description "SSH protocol type."; reference - "RFC 959: File Transfer Protocol"; + "RFC 6242: Using the NETCONF Protocol over Secure Shell (SSH)"; } identity telnet { base application-protocol; description "The identity for telnet."; reference "RFC 854: Telnet Protocol"; } identity smtp { base application-protocol; 
@@ -2356,22 +2368,23 @@ } leaf nsf-name { type union { type string; type inet:ip-address-no-zone; } description "The name or IP address of the NSF generating the message. If the given nsf-name is not IP address, the name can be an arbitrary string including FQDN (Fully Qualified Domain - Name). The name MUST be unique for different NSF to - identify the NSF that generates the message."; + Name). The name MUST be unique in the scope of management + domain for a different NSF to identify the NSF that + generates the message."; } leaf severity { type severity; description "The severity of the alarm such as critical, high, middle, and low."; } } grouping characteristics { description @@ -2496,22 +2508,22 @@ type inet:port-number; description "The source port of the packet"; } leaf src-location { type string { length "1..100"; pattern "[0-9a-zA-Z ]*"; } description - "The source geographical location (e.g., country and city) of - the packet."; + "The source geographical location (e.g., country and city) + of the packet."; } leaf dst-location { type string { length "1..100"; pattern "[0-9a-zA-Z ]*"; } description "The destination geographical location (e.g., country and city) of the packet."; } 
@@ -2531,29 +2543,40 @@ "A set of traffic rates for monitoring attack traffic data"; leaf attack-rate { type uint32; units "pps"; description "The average packets per second (pps) rate of attack traffic"; } leaf attack-speed { - type uint32; - units "bps"; + type uint64; + units "Bps"; description - "The average bits per second (bps) speed of attack traffic"; + "The average bytes per second (Bps) speed of attack traffic"; } } grouping traffic-rates { description "A set of traffic rates for statistics data"; + leaf discontinuity-time { + type yang:date-and-time; + mandatory true; + description + "The time on the most recent occasion at which any one or + more of this interface's counters suffered a discontinuity. + If no such discontinuities have occurred since the last + re-initialization of the local management subsystem, then + this node contains the time the local management subsystem + re-initialized itself."; + } leaf total-traffic { type yang:counter32; units "packets"; description "The total number of traffic packets (in and out) in the NSF."; } leaf in-traffic-average-rate { type uint32; units "pps"; 
@@ -2562,69 +2585,71 @@ The average is calculated from the start of the NSF service until the generation of this record."; } leaf in-traffic-peak-rate { type uint32; units "pps"; description "Inbound traffic peak rate in packets per second (pps)."; } leaf in-traffic-average-speed { - type uint32; - units "bps"; + type uint64; + units "Bps"; description - "Inbound traffic average speed in bits per second (bps). + "Inbound traffic average speed in bytes per second (Bps). The average is calculated from the start of the NSF service until the generation of this record."; } leaf in-traffic-peak-speed { - type uint32; - units "bps"; + type uint64; + units "Bps"; description - "Inbound traffic peak speed in bits per second (bps)."; + "Inbound traffic peak speed in bytes per second (Bps)."; } leaf out-traffic-average-rate { type uint32; units "pps"; description "Outbound traffic average rate in packets per second (pps). The average is calculated from the start of the NSF service until the generation of this record."; } leaf out-traffic-peak-rate { type uint32; units "pps"; description - "Outbound traffic peak rate in packets per Second (pps)."; + "Outbound traffic peak rate in packets per second (pps)."; } leaf out-traffic-average-speed { - type uint32; - units "bps"; + type uint64; + units "Bps"; description - "Outbound traffic average speed in bits per second (bps). + "Outbound traffic average speed in bytes per second (Bps). 
The average is calculated from the start of the NSF service until the generation of this record."; } leaf out-traffic-peak-speed { - type uint32; - units "bps"; + type uint64; + units "Bps"; description - "Outbound traffic peak speed in bits per second (bps)."; + "Outbound traffic peak speed in bytes per second (Bps)."; } } grouping i2nsf-system-counter-type-content{ description "A set of counters for an interface traffic data."; leaf interface-name { - type string; + type if:interface-ref; description "Network interface name configured in an NSF"; + reference + "RFC 8343: A YANG Data Model for Interface Management"; } leaf in-total-traffic-pkts { type yang:counter32; description "Total inbound packets"; } leaf out-total-traffic-pkts { type yang:counter32; description "Total outbound packets"; @@ -2789,27 +2814,30 @@ description "The alarm category for system-detection-alarm notification"; } leaf component-name { type string; description "The hardware component responsible for generating the message. Applicable for Hardware Failure Alarm."; + } leaf interface-name { - type string; + type if:interface-ref; description "The interface name responsible for generating the message. Applicable for Network Interface Failure Alarm."; + reference + "RFC 8343: A YANG Data Model for Interface Management"; } leaf interface-state { type enumeration { enum down { description "The interface state is down."; } enum up { description "The interface state is up and not congested."; 
@@ -2932,21 +2960,20 @@ sub-logs. Only 1 sub-event will be instantiated in each i2nsf-logs message. Each case is expected to define one container with all the sub-logs fields."; case i2nsf-nsf-system-access-log { container i2nsf-nsf-system-access-log { description "The notification is sent, if there is a new system log entry about a system access event."; leaf login-ip { type inet:ip-address-no-zone; - mandatory true; description "Login IP address of a user"; } leaf username { type string; description "The login username that maintains the device"; } leaf login-role { type login-role; @@ -3069,30 +3096,30 @@ second"; } leaf out-traffic-rate { type uint32; units "pps"; description "The total outbound traffic rate in packets per second"; } leaf in-traffic-speed { - type uint32; - units "bps"; + type uint64; + units "Bps"; description - "The total inbound traffic speed in bits per second"; + "The total inbound traffic speed in bytes per second"; } leaf out-traffic-speed { - type uint32; - units "bps"; + type uint64; + units "Bps"; description - "The total outbound traffic speed in bits per + "The total outbound traffic speed in bytes per second"; } } uses characteristics; uses common-monitoring-data; } } case i2nsf-system-user-activity-log { container i2nsf-system-user-activity-log { @@ -3201,21 +3229,21 @@ "The time stamp indicating when the attack ended"; } leaf-list attack-src-ip { type inet:ip-address-no-zone; description "The source IPv4 (or IPv6) addresses of attack traffic. It can hold multiple IPv4 (or IPv6) addresses."; } leaf-list attack-dst-ip { - type inet:ip-prefix; + type inet:ip-address-no-zone; description "The destination IPv4 (or IPv6) addresses of attack traffic. It can hold multiple IPv4 (or IPv6) addresses."; } leaf-list attack-src-port { type inet:port-number; description "The source ports of the DDoS attack"; } 
@@ -3469,62 +3498,81 @@ } list nsf-policy-hits { key policy-name; description "Policy Hit Counters record the number of hits that traffic packets match a security policy. It can check if policy configurations are correct or not."; uses characteristics; uses i2nsf-nsf-counters-type-content; uses common-monitoring-data; + leaf discontinuity-time { + type yang:date-and-time; + mandatory true; + description + "The time on the most recent occasion at which any one or + more of this interface's counters suffered a discontinuity. + If no such discontinuities have occurred since the last + re-initialization of the local management subsystem, then + this node contains the time the local management subsystem + re-initialized itself."; + } leaf hit-times { type yang:counter32; description "The number of times a policy is hit"; } uses timestamp; } } container i2nsf-monitoring-configuration { description "The container for configuring I2NSF monitoring."; container i2nsf-system-detection-alarm { description "The container for configuring I2NSF system-detection-alarm notification"; uses enable-notification; list system-alarm { key alarm-type; description - "Configuration for system alarm (i.e., CPU, Memory, - and Disk Usage)"; + "Configuration for system alarm (i.e., CPU, Memory, and + Disk Usage)"; leaf alarm-type { type enumeration { enum cpu { description "To configure the CPU usage threshold to trigger the cpu-alarm"; } enum memory { description "To configure the Memory usage threshold to trigger the memory-alarm"; } enum disk { description "To configure the Disk (storage) usage threshold to trigger the disk-alarm"; } } description - "Type of alarm to be configured"; + "Type of alarm to be configured. The three alarm-types + defined here are used to configure the threshold of the + monitoring notification. The threshold is used to + determine when the notification should be sent. 
+ The other two alarms defined in the module (i.e., + hardware-alarm and interface-alarm) do not use any + threshold value to create a notification. These alarms + detect a failure or a change of state to create a + notification."; } leaf threshold { type uint8 { range "1..100"; } units "percent"; description "The configuration for threshold percentage to trigger the alarm. The alarm will be triggered if the usage is exceeded the threshold."; @@ -3762,33 +3811,39 @@ The following XML file shows the reply from the NETCONF Server (e.g., NSF): + + 2021-04-29T08:43:52.181088+00:00 + ens3 nsfmi:query 549050 814956 0 5078 time_based_firewall + + 2021-04-29T08:43:52.181088+00:00 + lo nsfmi:query 48487 48487 0 0 @@ -3987,28 +4042,28 @@ [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", STD 89, RFC 4443, DOI 10.17487/RFC4443, March 2006, . [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", RFC 4960, DOI 10.17487/RFC4960, September 2007, . - [RFC5231] Segmuller, W. and B. Leiba, "Sieve Email Filtering: - Relational Extension", RFC 5231, DOI 10.17487/RFC5231, - January 2008, . - [RFC5277] Chisholm, S. and H. Trevino, "NETCONF Event Notifications", RFC 5277, DOI 10.17487/RFC5277, July 2008, . + [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, + DOI 10.17487/RFC5321, October 2008, + . + [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, . [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, . [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", 
@@ -4092,39 +4147,39 @@ [RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu, "Handling Long Lines in Content of Internet-Drafts and RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020, . [I-D.ietf-i2nsf-consumer-facing-interface-dm] Jeong, J. (., Chung, C., Ahn, T., Kumar, R., and S. Hares, "I2NSF Consumer-Facing Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf-i2nsf-consumer- - facing-interface-dm-14, 21 August 2021, + facing-interface-dm-15, 15 September 2021, . + consumer-facing-interface-dm-15.txt>. [I-D.ietf-i2nsf-nsf-facing-interface-dm] Kim, J. (., Jeong, J. (., Park, J., Hares, S., and Q. Lin, "I2NSF Network Security Function-Facing Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf- - i2nsf-nsf-facing-interface-dm-13, 15 August 2021, + i2nsf-nsf-facing-interface-dm-14, 15 September 2021, . + facing-interface-dm-14.txt>. [I-D.ietf-i2nsf-registration-interface-dm] Hyun, S., Jeong, J. P., Roh, T., Wi, S., and J. Park, "I2NSF Registration Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf-i2nsf-registration- - interface-dm-11, 21 August 2021, + interface-dm-12, 15 September 2021, . + registration-interface-dm-12.txt>. [I-D.ietf-i2nsf-applicability] Jeong, J. P., Hyun, S., Ahn, T., Hares, S., and D. R. Lopez, "Applicability of Interfaces to Network Security Functions to Network-Based Security Services", Work in Progress, Internet-Draft, draft-ietf-i2nsf-applicability- 18, 16 September 2019, . [I-D.yang-i2nsf-security-policy-translation]
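Review bot: in the table-of-contents hunk @@ -94,34 (continuing into the next line) the Appendix A entry still reads "Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-09" on the -11 side; for this revision it should be "Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-10", and the appendix body should record what this diff actually changes: the bps to Bps unit change and uint32 to uint64 widening of every *-speed leaf, the new mandatory discontinuity-time leafs, interface-name becoming if:interface-ref, login-ip no longer mandatory, and attack-dst-ip changing from inet:ip-prefix to inet:ip-address-no-zone.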
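Review bot: the rewritten nsf-name bullet in hunk @@ -376,24 reads less clearly than the -10 text it replaces: "is not IP address" drops the article, and "unique in the scope of management domain for a different NSF to identify the NSF" is hard to parse. Suggest "If the given nsf-name is not an IP address, the name can be an arbitrary string including an FQDN (Fully Qualified Domain Name). The name MUST be unique within the management domain so that the NSF generating the message can be identified." The same sentence is duplicated in the nsf-name leaf description in hunk @@ -2356,22 and should be changed together with it.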
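Review bot: in hunk @@ -540,22 the sentence "The following information should be included in this event:" is removed along with the old wording, so the bullets that follow (event-name, user, group, ip-address) now hang off the definition sentence with no lead-in; keep that sentence after the new definition. The unchanged bullet "event-name: access-denied" under an event that is named access-violation everywhere else (including the identity in hunk @@ -1849,22) is also worth aligning while this text is being touched.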
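Review bot: hunk @@ -650,21 changes attack-speed from bits per second to bytes per second, and the later hunks apply the same change to every other *-speed field and to the units strings in the module. This is a silent semantic change to leafs that already existed in -10: a producer built against -10 reports values eight times larger than an -11 consumer expects, and nothing in the data identifies which meaning applies. The -11 hunks are internally consistent (units "Bps" and "bytes per second" agree), so the remaining work is to call the change out explicitly in Appendix A so implementers of -10 notice it.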
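Review bot: in hunk @@ -1138,75 the system-interface list key interface-name becomes if:interface-ref, which is a leafref to /if:interfaces/interface/name (RFC 8343) with require-instance defaulting to true. An NSF can then only report counters for interfaces that also appear in its ietf-interfaces data; a counter entry whose name is not listed there makes the data tree invalid. Either state that dependency in Sections 6.6.1 and 8, or keep a string key and add an optional if:interface-ref leaf beside it. The same consideration applies to interface-name in the system-detection-alarm notification (hunk @@ -1244,21): an interface-alarm about a failed or removed interface should not become unreportable because the referenced interface entry is gone.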
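Review bot: hunk @@ -1518,20 adds "import ietf-interfaces", but the Section 9 sentence "This YANG module imports from [RFC6991], and makes references to ..." (hunk @@ -1491,26) is not updated to mention [RFC8343], and none of the reference hunks add an RFC 8343 entry. Add RFC 8343 to the "imports from" sentence and to the Normative References, since an imported module is a normative dependency.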
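Review bot: in hunk @@ -2286,21 the corrected reference for identity ssh now points at RFC 6242, which specifies the NETCONF-over-SSH transport mapping rather than the SSH protocol that an application-protocol identity is meant to denote. The protocol references are RFC 4251 (The Secure Shell (SSH) Protocol Architecture) and RFC 4253 (The Secure Shell (SSH) Transport Layer Protocol); suggest "RFC 4251: The Secure Shell (SSH) Protocol Architecture" here, with RFC 4251 added to the normative references.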
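Review bot: the discontinuity-time leaf added to grouping traffic-rates in hunk @@ -2531,29 describes "this interface's counters", but the tree in hunk @@ -1138,75 shows the grouping is also instantiated under nsf-firewall, where the counters belong to a policy, not an interface; reword to "the counters in this entry". Making the leaf mandatory is the right call (it is how a consumer distinguishes a counter32 wrap from a reset, as RFC 8343 does for interface statistics), but the field lists in Sections 6.6.1 and 6.7.1 (hunks @@ -969,36 and @@ -1033,36) still enumerate the counter fields without it and should be updated to match the module.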
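Review bot: hunk @@ -2789,27 adds a bare "+ }" between the component-name description and "leaf interface-name" with no matching "-" line, which suggests the -10 module text lacked the closing brace of leaf component-name (or had it somewhere this rendering does not show). Please confirm both the -10 and the -11 module text compile with pyang; if -10 did not, that fix belongs in Appendix A as well.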
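Review bot: hunk @@ -2932,21 drops "mandatory true" from login-ip in i2nsf-nsf-system-access-log without saying when the address may be absent. The login source address is the attribute an analyst pivots on first in an access log, and an optional leaf lets an NSF emit access-log entries with no source at all. If the intent is to cover local or console logins, say so in the description (for example "absent when the login did not arrive over the network") so that a missing login-ip carries meaning rather than being silently permitted; otherwise keep the leaf mandatory.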
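Review bot: in hunk @@ -3469,62 discontinuity-time is defined directly in list nsf-policy-hits with the description copied from grouping traffic-rates, including "this interface's counters", although the only counter here is hit-times for a policy. Reword it to refer to the policy hit counter, and consider moving the leaf into a small grouping used by both traffic-rates and nsf-policy-hits so the two copies cannot drift apart. In the unchanged context of the same hunk, "The alarm will be triggered if the usage is exceeded the threshold" should read "if the usage exceeds the threshold".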
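Review bot: in the XML example hunk @@ -3762,33 the added discontinuity-time value (2021-04-29T08:43:52.181088+00:00) is placed before "ens3", which is the interface-name key of that system-interface entry, as far as can be read with the element tags lost in this rendering. RFC 7950 Section 7.8.5 requires a list's key leafs to be encoded before the other child nodes, so the discontinuity-time element should follow interface-name; the same ordering applies to the "lo" entry.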