--- draft-ietf-i2nsf-nsf-monitoring-data-model-17.txt
+++ draft-ietf-i2nsf-nsf-monitoring-data-model-18.txt
 Network Working Group J. Jeong, Ed.
 Internet-Draft P. Lingga
 Intended status: Standards Track Sungkyunkwan University
-Expires: 15 October 2022 S. Hares
+Expires: 21 October 2022 S. Hares
 L. Xia
 Huawei
 H. Birkholz
 Fraunhofer SIT
-13 April 2022
+19 April 2022
 I2NSF NSF Monitoring Interface YANG Data Model
-draft-ietf-i2nsf-nsf-monitoring-data-model-17
+draft-ietf-i2nsf-nsf-monitoring-data-model-18
 Abstract
 This document proposes an information model and the corresponding
 YANG data model of an interface for monitoring Network Security
 Functions (NSFs) in the Interface to Network Security Functions
 (I2NSF) framework. If the monitoring of NSFs is performed with the
 NSF monitoring interface in a standard way, it is possible to detect
 the indication of malicious activity, anomalous behavior, the
 potential sign of denial-of-service attacks, or system overload in a
skipping to change at page 1, line 46
 Internet-Drafts are working documents of the Internet Engineering
 Task Force (IETF). Note that other groups may also distribute
 working documents as Internet-Drafts. The list of current Internet-
 Drafts is at https://datatracker.ietf.org/drafts/current/.
 Internet-Drafts are draft documents valid for a maximum of six months
 and may be updated, replaced, or obsoleted by other documents at any
 time. It is inappropriate to use Internet-Drafts as reference
 material or to cite them other than as "work in progress."
-This Internet-Draft will expire on 15 October 2022.
+This Internet-Draft will expire on 21 October 2022.
 Copyright Notice
 Copyright (c) 2022 IETF Trust and the persons identified as the
 document authors. All rights reserved.
 This document is subject to BCP 78 and the IETF Trust's Legal
 Provisions Relating to IETF Documents (https://trustee.ietf.org/
 license-info) in effect on the date of publication of this document.
 Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 52
 6.3. NSF Events . . . . . . . . . . . . . . . . . . . . . . . 16
 6.3.1. DDoS Detection . . . . . . . . . . . . . . . . . . . 17
 6.3.2. Virus Event . . . . . . . . . . . . . . . . . . . . . 18
 6.3.3. Intrusion Event . . . . . . . . . . . . . . . . . . . 19
 6.3.4. Web Attack Event . . . . . . . . . . . . . . . . . . 19
 6.3.5. VoIP/VoCN Event . . . . . . . . . . . . . . . . . . . 20
 6.4. System Logs . . . . . . . . . . . . . . . . . . . . . . . 21
 6.4.1. Access Log . . . . . . . . . . . . . . . . . . . . . 21
 6.4.2. Resource Utilization Log . . . . . . . . . . . . . . 22
 6.4.3. User Activity Log . . . . . . . . . . . . . . . . . . 23
-6.5. NSF Logs . . . . . . . . . . . . . . . . . . . . . . . . 23
+6.5. NSF Logs . . . . . . . . . . . . . . . . . . . . . . . . 24
 6.5.1. Deep Packet Inspection Log . . . . . . . . . . . . . 24
 6.6. System Counter . . . . . . . . . . . . . . . . . . . . . 24
 6.6.1. Interface Counter . . . . . . . . . . . . . . . . . . 24
 6.7. NSF Counters . . . . . . . . . . . . . . . . . . . . . . 26
 6.7.1. Firewall Counter . . . . . . . . . . . . . . . . . . 26
 6.7.2. Policy Hit Counter . . . . . . . . . . . . . . . . . 27
 7. YANG Tree Structure of NSF Monitoring YANG Module . . . . . . 28
 8. YANG Data Model of NSF Monitoring YANG Module . . . . . . . . 34
 9. I2NSF Event Stream . . . . . . . . . . . . . . . . . . . . . 85
 10. XML Examples for I2NSF NSF Monitoring . . . . . . . . . . . . 86
 10.1. I2NSF System Detection Alarm . . . . . . . . . . . . . . 86
-10.2. I2NSF Interface Counters . . . . . . . . . . . . . . . . 87
-11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 88
-12. Security Considerations . . . . . . . . . . . . . . . . . . . 89
-13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 91
-14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 91
-15. References . . . . . . . . . . . . . . . . . . . . . . . . . 91
-15.1. Normative References . . . . . . . . . . . . . . . . . . 92
-15.2. Informative References . . . . . . . . . . . . . . . . . 96
+10.2. I2NSF Interface Counters . . . . . . . . . . . . . . . . 88
+11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 89
+12. Security Considerations . . . . . . . . . . . . . . . . . . . 90
+13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 92
+14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 92
+15. References . . . . . . . . . . . . . . . . . . . . . . . . . 92
+15.1. Normative References . . . . . . . . . . . . . . . . . . 93
+15.2. Informative References . . . . . . . . . . . . . . . . . 97
 Appendix A. Changes from
-draft-ietf-i2nsf-nsf-monitoring-data-model-16 . . . . . . 97
-Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 97
+draft-ietf-i2nsf-nsf-monitoring-data-model-16 . . . . . . 98
+Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 98
 1. Introduction
 According to [RFC8329], the interface provided by a Network Security
 Function (NSF) (e.g., Firewall, IPS, or Anti-DDoS function) to enable
 the collection of monitoring information is referred to as an I2NSF
 Monitoring Interface. This interface enables the sharing of vital
 data from the NSFs (e.g., events, records, and counters) to an NSF
 data collector (e.g., Security Controller) through a variety of
 mechanisms (e.g., queries and notifications). The monitoring of NSF
skipping to change at page 19, line 36
 * dst-ip: The destination IP address of the flow.
 * src-port: The source port number of the flow.
 * dst-port: The destination port number of the flow
 * protocol: The employed transport layer protocol. e.g., TCP or UDP.
 Note that QUIC protocol [RFC9000] is excluded in the data model as
 it is not considered in the initial I2NSF documents [RFC8329].
-The QUIC traffic should not be treated as UDP traffic and will be
-considered in the future I2NSF documents.
+The QUIC traffic should not be treated as generic UDP traffic and
+will be considered in the future I2NSF documents.
 * app: The employed application layer protocol. e.g., HTTP or FTP.
 * rule-name: The name of the I2NSF Policy Rule being triggered.
 6.3.4. Web Attack Event
 The following information should be included in a Web Attack Alarm:
 * event-name: detection-web-attack.
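Review bot: in the rewritten QUIC sentence, "should not be treated as generic UDP traffic" is lowercase, so under the BCP 14 conventions this document otherwise follows (it uses NOT RECOMMENDED in uppercase) it carries no normative weight. If an NSF that observes QUIC is expected not to report it as UDP in the protocol field, write "SHOULD NOT" and say what the NSF is expected to report instead; if the sentence is only a scope statement, reword it as one, e.g. "QUIC traffic is not simply UDP traffic and will be addressed in future I2NSF documents", which also fixes "in the future I2NSF documents".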
skipping to change at page 20, line 19
 * dst-port: The destination port number of the packet.
 * req-method: The HTTP method of the request. For instance, "PUT"
 and "GET" in HTTP.
 * req-target: The HTTP Request Target.
 * response-code: The HTTP Response status code.
 * cookies: The HTTP Cookie header field of the request from the user
-agent. The cookies information needs to be kept confidential and
-is not RECOMMENDED to be included in the monitoring data unless
-the information is absolutely necessary to help to enhance the
+agent. Note that though cookies have many historical infelicities
+that degrade security and privacy, the Cookie and Set-Cookie
+header fields are widely used on the Internet [RFC6265]. Thus,
+the cookies information needs to be kept confidential and is NOT
+RECOMMENDED to be included in the monitoring data unless the
+information is absolutely necessary to help to enhance the
 security of the network.
 * req-host: The HTTP Host header field of the request.
 * filtering-type: URL filtering type. e.g., deny-list, allow-list,
 and unknown.
 * rule-name: The name of the I2NSF Policy Rule being triggered.
 6.3.5. VoIP/VoCN Event
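Review bot: the "Thus" in the new cookies text does not follow from what precedes it: that the Cookie and Set-Cookie header fields are widely used does not by itself justify keeping them confidential; the reason is the earlier clause that they degrade security and privacy (RFC 6265 is the HTTP state-management mechanism, so the field carries session state). Suggest tying the requirement to that directly, e.g. "Because cookies carry session state, the cookies information needs to be kept confidential and is NOT RECOMMENDED to be included ...". Also, "needs to be kept confidential" is not a BCP 14 keyword while "NOT RECOMMENDED" in the same sentence is; if confidentiality is a requirement whenever the field is included, state it as one (e.g. "MUST be kept confidential").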
skipping to change at page 34, line 28 (-17) / page 34, line 36 (-18)
 identity used in the document gives information or status about the
 current situation of an NSF. This YANG module imports from
 [RFC6991], [RFC8343], and [I-D.ietf-i2nsf-nsf-facing-interface-dm],
 and makes references to [RFC0768] [RFC0791] [RFC0792] [RFC0826]
 [RFC0854] [RFC1939] [RFC0959] [RFC2595] [RFC4340] [RFC4443] [RFC4861]
 [RFC5321] [RFC5646] [RFC6242] [RFC6265] [RFC8200] [RFC8641] [RFC9051]
 [I-D.ietf-httpbis-http2bis] [I-D.ietf-httpbis-messaging]
 [I-D.ietf-httpbis-semantics] [I-D.ietf-tcpm-rfc793bis]
 [I-D.ietf-tsvwg-rfc4960-bis] [IANA-HTTP-Status-Code] [IEEE-802.1AB]
-<CODE BEGINS> file "ietf-i2nsf-nsf-monitoring@2022-04-13.yang"
+<CODE BEGINS> file "ietf-i2nsf-nsf-monitoring@2022-04-19.yang"
 module ietf-i2nsf-nsf-monitoring {
   yang-version 1.1;
   namespace
     "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring";
   prefix
     nsfmi;
   import ietf-inet-types {
     prefix inet;
     reference
       "Section 4 of RFC 6991";
skipping to change at page 35, line 45 (-17) / page 36, line 5 (-18)
      without modification, is permitted pursuant to, and subject
      to the license terms contained in, the Revised BSD License
      set forth in Section 4.c of the IETF Trust's
      Legal Provisions Relating to IETF Documents
      (https://trustee.ietf.org/license-info).
      This version of this YANG module is part of RFC XXXX
      (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
      for full legal notices.";
-  revision "2022-04-13" {
+  revision "2022-04-19" {
     description "Latest revision";
     reference
       "RFC XXXX: I2NSF NSF Monitoring Interface YANG Data Model";
     // RFC Ed.: replace XXXX with an actual RFC number and remove
     // this note.
   }
   /*
    * Typedefs
    */
   typedef severity {
     type enumeration {
       enum critical {
         description
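Review bot: the revision date now matches the file name in the <CODE BEGINS> line (2022-04-19), but the description "Latest revision" says nothing about the revision itself; YANG module guidelines expect the revision description to describe the revision (for the published RFC the usual text is "Initial revision"), so update it when the RFC Editor note on XXXX is acted on.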
skipping to change at page 79, line 10 (-17) / page 79, line 21 (-18)
       base filter-type;
     }
     description
       "URL filtering type, e.g., deny-list, allow-list,
        and Unknown";
   }
   leaf cookies {
     type string;
     description
       "The HTTP Cookies header field of the request from
-       the user agent. The cookie information needs to be
-       kept confidential and is not RECOMMENDED to be
-       included in the monitoring data unless the information
-       is absolutely necessary to help to enhance the
-       security of the network.";
+       the user agent. Note that though cookies have many
+       historical infelicities that degrade security and
+       privacy, the Cookie and Set-Cookie header fields are
+       widely used on the Internet. Thus, the cookie
+       information needs to be kept confidential and is NOT
+       RECOMMENDED to be included in the monitoring data
+       unless the information is absolutely necessary to help
+       to enhance the security of the network.";
     reference
       "RFC 6265: HTTP State Management Mechanism - Cookie";
   }
   leaf req-host {
     type string;
     description
       "The HTTP Host header field of the request";
     reference
       "draft-ietf-httpbis-semantics-19: HTTP Semantics - Host";
   }
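Review bot: the leaf description still opens with "The HTTP Cookies header field", but the header field is named Cookie, as both the reference statement ("RFC 6265: HTTP State Management Mechanism - Cookie") and the Section 6.3.4 text ("The HTTP Cookie header field") have it; change it to "The HTTP Cookie header field". The same paragraph now appears in Section 6.3.4 and in this description with small differences ("cookies information" vs "cookie information", and the [RFC6265] citation only in the section text); keep the two identical so they do not drift in later revisions.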
skipping to change at page 96, line 8 (-17) / page 97, line 8 (-18)
 [I-D.ietf-httpbis-semantics]
 Fielding, R. T., Nottingham, M., and J. Reschke, "HTTP
 Semantics", Work in Progress, Internet-Draft, draft-ietf-
 httpbis-semantics-19, 12 September 2021,
 <https://www.ietf.org/archive/id/draft-ietf-httpbis-
 semantics-19.txt>.
 [I-D.ietf-i2nsf-capability-data-model]
 Hares, S., Jeong, J. (., Kim, J. (., Moskowitz, R., and Q.
 Lin, "I2NSF Capability YANG Data Model", Work in Progress,
-Internet-Draft, draft-ietf-i2nsf-capability-data-model-29,
-25 March 2022, <https://www.ietf.org/archive/id/draft-
-ietf-i2nsf-capability-data-model-29.txt>.
+Internet-Draft, draft-ietf-i2nsf-capability-data-model-30,
+13 April 2022, <https://www.ietf.org/archive/id/draft-
+ietf-i2nsf-capability-data-model-30.txt>.
 [I-D.ietf-i2nsf-nsf-facing-interface-dm]
 Kim, J. (., Jeong, J. (., Park, J., Hares, S., and Q. Lin,
 "I2NSF Network Security Function-Facing Interface YANG
 Data Model", Work in Progress, Internet-Draft, draft-ietf-
-i2nsf-nsf-facing-interface-dm-24, 6 April 2022,
+i2nsf-nsf-facing-interface-dm-25, 13 April 2022,
 <https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf-
-facing-interface-dm-24.txt>.
+facing-interface-dm-25.txt>.
 [I-D.ietf-tcpm-rfc793bis]
 Eddy, W. M., "Transmission Control Protocol (TCP)
 Specification", Work in Progress, Internet-Draft, draft-
 ietf-tcpm-rfc793bis-28, 7 March 2022,
 <https://www.ietf.org/archive/id/draft-ietf-tcpm-
 rfc793bis-28.txt>.
 [I-D.ietf-tsvwg-rfc4960-bis]
 Stewart, R. R., Tüxen, M., and K. E. E. Nielsen, "Stream
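Review bot: the author names in the bumped [I-D.ietf-i2nsf-capability-data-model] and [I-D.ietf-i2nsf-nsf-facing-interface-dm] entries render as "Jeong, J. (." and "Kim, J. (.", i.e. a parenthetical name in the author source is being truncated to an opening parenthesis; fix the author elements in the xml2rfc source rather than the rendered text (the same rendering appears in the [I-D.ietf-i2nsf-consumer-facing-interface-dm] entry further down). Also, since the module imports ietf-i2nsf-nsf-facing-interface-dm (Section 8 intro), check that the import's reference statement in the module was bumped to -25 together with this reference entry.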
skipping to change at page 97, line 14 (-17) / page 98, line 14 (-18)
 [RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu,
 "Handling Long Lines in Content of Internet-Drafts and
 RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020,
 <https://www.rfc-editor.org/info/rfc8792>.
 [I-D.ietf-i2nsf-consumer-facing-interface-dm]
 Jeong, J. (., Chung, C., Ahn, T., Kumar, R., and S. Hares,
 "I2NSF Consumer-Facing Interface YANG Data Model", Work in
 Progress, Internet-Draft, draft-ietf-i2nsf-consumer-
-facing-interface-dm-17, 23 March 2022,
+facing-interface-dm-18, 13 April 2022,
 <https://www.ietf.org/archive/id/draft-ietf-i2nsf-
-consumer-facing-interface-dm-17.txt>.
+consumer-facing-interface-dm-18.txt>.
 [IANA-HTTP-Status-Code]
 Internet Assigned Numbers Authority (IANA), "Hypertext
 Transfer Protocol (HTTP) Status Code Registry", September
 2018, <https://www.iana.org/assignments/http-status-codes/
 http-status-codes.xhtml>.
 [IEEE-802.1AB]
 Institute of Electrical and Electronics Engineers, "IEEE
 Standard for Local and metropolitan area networks -
End of changes. 18 change blocks. 35 lines changed or deleted, 40 lines changed or added.
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/