--- 1/draft-ietf-i2nsf-nsf-monitoring-data-model-17.txt 2022-04-19 19:13:38.205314727 -0700 +++ 2/draft-ietf-i2nsf-nsf-monitoring-data-model-18.txt 2022-04-19 19:13:38.381319165 -0700 @@ -1,23 +1,23 @@ Network Working Group J. Jeong, Ed. Internet-Draft P. Lingga Intended status: Standards Track Sungkyunkwan University -Expires: 15 October 2022 S. Hares +Expires: 21 October 2022 S. Hares L. Xia Huawei H. Birkholz Fraunhofer SIT - 13 April 2022 + 19 April 2022 I2NSF NSF Monitoring Interface YANG Data Model - draft-ietf-i2nsf-nsf-monitoring-data-model-17 + draft-ietf-i2nsf-nsf-monitoring-data-model-18 Abstract This document proposes an information model and the corresponding YANG data model of an interface for monitoring Network Security Functions (NSFs) in the Interface to Network Security Functions (I2NSF) framework. If the monitoring of NSFs is performed with the NSF monitoring interface in a standard way, it is possible to detect the indication of malicious activity, anomalous behavior, the potential sign of denial-of-service attacks, or system overload in a 
@@ -35,21 +35,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 15 October 2022. + This Internet-Draft will expire on 21 October 2022. Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights 
@@ -84,43 +84,43 @@ 6.3. NSF Events . . . . . . . . . . . . . . . . . . . . . . . 16 6.3.1. DDoS Detection . . . . . . . . . . . . . . . . . . . 17 6.3.2. Virus Event . . . . . . . . . . . . . . . . . . . . . 18 6.3.3. Intrusion Event . . . . . . . . . . . . . . . . . . . 19 6.3.4. Web Attack Event . . . . . . . . . . . . . . . . . . 19 6.3.5. VoIP/VoCN Event . . . . . . . . . . . . . . . . . . . 20 6.4. System Logs . . . . . . . . . . . . . . . . . . . . . . . 21 6.4.1. Access Log . . . . . . . . . . . . . . . . . . . . . 21 6.4.2. Resource Utilization Log . . . . . . . . . . . . . . 22 6.4.3. User Activity Log . . . . . . . . . . . . . . . . . . 23 - 6.5. NSF Logs . . . . . . . . . . . . . . . . . . . . . . . . 23 + 6.5. NSF Logs . . . . . . . . . . . . . . . . . . . . . . . . 24 6.5.1. Deep Packet Inspection Log . . . . . . . . . . . . . 24 6.6. System Counter . . . . . . . . . . . . . . . . . . . . . 24 6.6.1. Interface Counter . . . . . . . . . . . . . . . . . . 24 6.7. NSF Counters . . . . . . . . . . . . . . . . . . . . . . 26 6.7.1. Firewall Counter . . . . . . . . . . . . . . . . . . 26 6.7.2. Policy Hit Counter . . . . . . . . . . . . . . . . . 27 7. YANG Tree Structure of NSF Monitoring YANG Module . . . . . . 28 8. YANG Data Model of NSF Monitoring YANG Module . . . . . . . . 34 9. I2NSF Event Stream . . . . . . . . . . . . . . . . . . . . . 85 10. XML Examples for I2NSF NSF Monitoring . . . . . . . . . . . . 86 10.1. I2NSF System Detection Alarm . . . . . . . . . . . . . . 86 - 10.2. I2NSF Interface Counters . . . . . . . . . . . . . . . . 87 - 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 88 - 12. Security Considerations . . . . . . . . . . . . . . . . . . . 89 - 13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 91 - 14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 91 - 15. References . . . . . . . . . . . . . . . . . . . . . . . . . 91 - 15.1. Normative References . . . . . . . . . . . . . . . . . . 
92 - 15.2. Informative References . . . . . . . . . . . . . . . . . 96 + 10.2. I2NSF Interface Counters . . . . . . . . . . . . . . . . 88 + 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 89 + 12. Security Considerations . . . . . . . . . . . . . . . . . . . 90 + 13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 92 + 14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 92 + 15. References . . . . . . . . . . . . . . . . . . . . . . . . . 92 + 15.1. Normative References . . . . . . . . . . . . . . . . . . 93 + 15.2. Informative References . . . . . . . . . . . . . . . . . 97 Appendix A. Changes from - draft-ietf-i2nsf-nsf-monitoring-data-model-16 . . . . . . 97 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 97 + draft-ietf-i2nsf-nsf-monitoring-data-model-16 . . . . . . 98 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 98 1. Introduction According to [RFC8329], the interface provided by a Network Security Function (NSF) (e.g., Firewall, IPS, or Anti-DDoS function) to enable the collection of monitoring information is referred to as an I2NSF Monitoring Interface. This interface enables the sharing of vital data from the NSFs (e.g., events, records, and counters) to an NSF data collector (e.g., Security Controller) through a variety of mechanisms (e.g., queries and notifications). The monitoring of NSF 
@@ -878,22 +878,22 @@ * dst-ip: The destination IP address of the flow. * src-port: The source port number of the flow. * dst-port: The destination port number of the flow * protocol: The employed transport layer protocol. e.g., TCP or UDP. Note that QUIC protocol [RFC9000] is excluded in the data model as it is not considered in the initial I2NSF documents [RFC8329]. - The QUIC traffic should not be treated as UDP traffic and will be - considered in the future I2NSF documents. + The QUIC traffic should not be treated as generic UDP traffic and + will be considered in the future I2NSF documents. * app: The employed application layer protocol. e.g., HTTP or FTP. * rule-name: The name of the I2NSF Policy Rule being triggered. 6.3.4. Web Attack Event The following information should be included in a Web Attack Alarm: * event-name: detection-web-attack. 
@@ -910,23 +910,26 @@ * dst-port: The destination port number of the packet. * req-method: The HTTP method of the request. For instance, "PUT" and "GET" in HTTP. * req-target: The HTTP Request Target. * response-code: The HTTP Response status code. * cookies: The HTTP Cookie header field of the request from the user - agent. The cookies information needs to be kept confidential and - is not RECOMMENDED to be included in the monitoring data unless - the information is absolutely necessary to help to enhance the + agent. Note that though cookies have many historical infelicities + that degrade security and privacy, the Cookie and Set-Cookie + header fields are widely used on the Internet [RFC6265]. Thus, + the cookies information needs to be kept confidential and is NOT + RECOMMENDED to be included in the monitoring data unless the + information is absolutely necessary to help to enhance the security of the network. * req-host: The HTTP Host header field of the request. * filtering-type: URL filtering type. e.g., deny-list, allow-list, and unknown. * rule-name: The name of the I2NSF Policy Rule being triggered. 6.3.5. VoIP/VoCN Event 
@@ -1592,21 +1597,21 @@ identity used in the document gives information or status about the current situation of an NSF. This YANG module imports from [RFC6991], [RFC8343], and [I-D.ietf-i2nsf-nsf-facing-interface-dm], and makes references to [RFC0768] [RFC0791] [RFC0792] [RFC0826] [RFC0854] [RFC1939] [RFC0959] [RFC2595] [RFC4340] [RFC4443] [RFC4861] [RFC5321] [RFC5646] [RFC6242] [RFC6265] [RFC8200] [RFC8641] [RFC9051] [I-D.ietf-httpbis-http2bis] [I-D.ietf-httpbis-messaging] [I-D.ietf-httpbis-semantics] [I-D.ietf-tcpm-rfc793bis] [I-D.ietf-tsvwg-rfc4960-bis] [IANA-HTTP-Status-Code] [IEEE-802.1AB] - file "ietf-i2nsf-nsf-monitoring@2022-04-13.yang" + file "ietf-i2nsf-nsf-monitoring@2022-04-19.yang" module ietf-i2nsf-nsf-monitoring { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"; prefix nsfmi; import ietf-inet-types { prefix inet; reference "Section 4 of RFC 6991"; @@ -1656,28 +1661,27 @@ without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself for full legal notices."; - revision "2022-04-13" { + revision "2022-04-19" { description "Latest revision"; reference "RFC XXXX: I2NSF NSF Monitoring Interface YANG Data Model"; // RFC Ed.: replace XXXX with an actual RFC number and remove // this note. - } /* * Typedefs */ typedef severity { type enumeration { enum critical { description 
@@ -3744,25 +3751,28 @@ base filter-type; } description "URL filtering type, e.g., deny-list, allow-list, and Unknown"; } leaf cookies { type string; description "The HTTP Cookies header field of the request from - the user agent. The cookie information needs to be - kept confidential and is not RECOMMENDED to be - included in the monitoring data unless the information - is absolutely necessary to help to enhance the - security of the network."; + the user agent. Note that though cookies have many + historical infelicities that degrade security and + privacy, the Cookie and Set-Cookie header fields are + widely used on the Internet. Thus, the cookie + information needs to be kept confidential and is NOT + RECOMMENDED to be included in the monitoring data + unless the information is absolutely necessary to help + to enhance the security of the network."; reference "RFC 6265: HTTP State Management Mechanism - Cookie"; } leaf req-host { type string; description "The HTTP Host header field of the request"; reference "draft-ietf-httpbis-semantics-19: HTTP Semantics - Host"; } 
@@ -4531,31 +4544,31 @@ [I-D.ietf-httpbis-semantics] Fielding, R. T., Nottingham, M., and J. Reschke, "HTTP Semantics", Work in Progress, Internet-Draft, draft-ietf- httpbis-semantics-19, 12 September 2021, . [I-D.ietf-i2nsf-capability-data-model] Hares, S., Jeong, J. (., Kim, J. (., Moskowitz, R., and Q. Lin, "I2NSF Capability YANG Data Model", Work in Progress, - Internet-Draft, draft-ietf-i2nsf-capability-data-model-29, - 25 March 2022, . + Internet-Draft, draft-ietf-i2nsf-capability-data-model-30, + 13 April 2022, . [I-D.ietf-i2nsf-nsf-facing-interface-dm] Kim, J. (., Jeong, J. (., Park, J., Hares, S., and Q. Lin, "I2NSF Network Security Function-Facing Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf- - i2nsf-nsf-facing-interface-dm-24, 6 April 2022, + i2nsf-nsf-facing-interface-dm-25, 13 April 2022, . + facing-interface-dm-25.txt>. [I-D.ietf-tcpm-rfc793bis] Eddy, W. M., "Transmission Control Protocol (TCP) Specification", Work in Progress, Internet-Draft, draft- ietf-tcpm-rfc793bis-28, 7 March 2022, . [I-D.ietf-tsvwg-rfc4960-bis] Stewart, R. R., Tüxen, M., and K. E. E. Nielsen, "Stream @@ -4583,23 +4596,23 @@ [RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu, "Handling Long Lines in Content of Internet-Drafts and RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020, . [I-D.ietf-i2nsf-consumer-facing-interface-dm] Jeong, J. (., Chung, C., Ahn, T., Kumar, R., and S. Hares, "I2NSF Consumer-Facing Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf-i2nsf-consumer- - facing-interface-dm-17, 23 March 2022, + facing-interface-dm-18, 13 April 2022, . + consumer-facing-interface-dm-18.txt>. [IANA-HTTP-Status-Code] Internet Assigned Numbers Authority (IANA), "Hypertext Transfer Protocol (HTTP) Status Code Registry", September 2018, . [IEEE-802.1AB] Institute of Electrical and Electronics Engineers, "IEEE Standard for Local and metropolitan area networks -
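Review bot: in the hunk at @@ -84,43 +84,43 @@, the appendix title still reads "Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-16" although this revision is -18; only its page number moved from 97 to 98. Either retitle it "Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-17" and list what changed in this revision (the QUIC wording, the cookies text in Sections 6.3.4 and 8, the YANG revision date, the reference updates), or state explicitly that it covers both -16 and -17. The rest of the renumbering (6.5 moving to page 24, everything from 10.2 onward moving by one page) is consistent with the lines added in Sections 6.3.4 and 8.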
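Review bot: in the hunk at @@ -878,22 +878,22 @@, the reworded sentence "The QUIC traffic should not be treated as generic UDP traffic" still uses a lowercase "should not", so it carries no BCP 14 force, even though this same revision promotes "not RECOMMENDED" to "NOT RECOMMENDED" in Section 6.3.4. If the intent is that an NSF must not report a QUIC flow with the protocol field set to UDP, write "SHOULD NOT" (or "MUST NOT") and say what the protocol field carries for such a flow, since the paragraph only states that QUIC "is excluded in the data model". Also drop the article in "in the future I2NSF documents" ("in future I2NSF documents").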
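Review bot: in the hunk at @@ -910,23 +910,26 @@, the inserted sentence makes the following "Thus" a non sequitur: the wide use of the Cookie and Set-Cookie header fields does not by itself justify keeping cookie values confidential; the "historical infelicities that degrade security and privacy" do, and that is the clause the conclusion should hang on. Suggested order: "Cookies have many historical infelicities that degrade security and privacy, yet the Cookie and Set-Cookie header fields are widely used on the Internet [RFC6265]. Thus, the cookies information needs to be kept confidential and is NOT RECOMMENDED to be included in the monitoring data unless ...". Since the change also turns "not RECOMMENDED" into the BCP 14 keyword "NOT RECOMMENDED", check that the Requirements Language section of the draft lists that keyword and that the Security Considerations text for the cookies field says the same thing.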
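Review bot: in the hunk at @@ -1656,28 +1661,27 @@, besides the revision date bump to "2022-04-19", a lone "}" line after the "// this note." comment is deleted with nothing replacing it. If that brace closed the revision statement, the module no longer parses; if -17 carried a stray extra brace, the deletion is the fix. The hunk does not show which, so please run pyang or yanglint on ietf-i2nsf-nsf-monitoring@2022-04-19.yang before publishing and note the result in the change log. The new date does match the "file ietf-i2nsf-nsf-monitoring@2022-04-19.yang" line in the preceding hunk.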
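Review bot: in the hunk at @@ -3744,25 +3751,28 @@, the leaf description keeps the opening sentence "The HTTP Cookies header field of the request from the user agent" while the sentence added right after it names the fields "Cookie and Set-Cookie"; RFC 6265, the leaf's own reference, calls the request header "Cookie", and Section 6.3.4 of this revision already says "Cookie header field", so change "Cookies" to "Cookie" here. Since the description asks that the value be kept confidential, consider enforcing that in the module rather than only in prose by tagging the leaf with the NACM extension nacm:default-deny-all (RFC 8341), so that it is not readable by default; that requires an import of ietf-netconf-acm, which is not among the imports listed for this module.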
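Review bot: in the hunk at @@ -4531,31 +4544,31 @@, the bumps to draft-ietf-i2nsf-capability-data-model-30 and draft-ietf-i2nsf-nsf-facing-interface-dm-25 are consistent with each other (both dated 13 April 2022), but nsf-facing-interface-dm is the draft this YANG module imports, so check that the import statement's reference and any "Section N of" pointers in Section 8 still match -25. The author rendering "Jeong, J. (., Kim, J. (." in the unchanged context lines is an xml2rfc initials glitch (a parenthesis where the initial should be) that appears in three entries; worth fixing in the source XML while the references are being touched.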
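Review bot: in the hunk at @@ -4583,23 +4596,23 @@, the bump to draft-ietf-i2nsf-consumer-facing-interface-dm-18 is fine, but the entry sits between [RFC8792] and [IANA-HTTP-Status-Code], so the informative list is not ordered by anchor; move it ahead of the RFC entries (or enable reference sorting in xml2rfc) so readers find it where they expect.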