| Network Working Group | D. Hong |
| Internet-Draft | J. Jeong |
| Intended status: Standards Track | J. Kim |
| Expires: May 3, 2018 | Sungkyunkwan University |
| S. Hares | |
| L. Xia | |
| Huawei | |
| October 30, 2017 |
YANG Data Model for Monitoring I2NSF Network Security Functions
draft-hong-i2nsf-nsf-monitoring-data-model-01
This document proposes a YANG data model for monitoring Network Security Functions (NSFs) in the Interface to Network Security Functions (I2NSF) system. If the monitoring of NSFs is performed in a comrehensive way, it is possible to detect the indication of malicious activity, anomalous behavior or the potential sign of denial of service attacks in a timely manner. This monitoring functionality is based on the monitoring information that is generated by NSFs. Thus, this document describes not only a data tree to specify an information model for monitoring NSFs, but also the corresponding YANG data model for monitoring NSFs.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 3, 2018.
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document defines a YANG [RFC6020] data model for monitoring Network Security Functions (NSFs). This monitoring means the aquisition of vital information about NSFs via notifications, events, records or counters. The data model for the monitoring presented in this document is derived from the information model for monitoring NSFs through the NSF-Facing Interface specified in [i2nsf-monitoring-im].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
This document uses the terminology described in [i2nsf-terminology][i2nsf-framework]. Especially, the following terms are from [i2nsf-monitoring-im].
A simplified graphical representation of the data model is used in this document. The meaning of the symbols in these diagrams [i2rs-rib-data-model] is as follows:
Figure 1 shows the overview of a structure tree of monitoring information based on the [i2nsf-monitoring-im].
module: ietf-i2nsf-nsf-monitoring-dm
+--rw monitoring-message
+--rw monitoring-messages* [message-id]
+--rw message-id uint8
+--rw message-version uint8
+--rw (message-type)?
| +--:(event)
| | +--rw event-name string
| | +--rw (event-type)?
| | +--:(system-event)
| | | +--rw access-violation
| | | | +--rw group string
| | | | +--rw login-ip inet:ipv4-address
| | | | +--rw authentication-mode
| | | | +--rw local-authentication boolean
| | | | +--rw third-part-server-authentication boolean
| | | | +--rw exemption-authentication boolean
| | | | +--rw sso-authentication boolean
| | | +--rw config-change
| | | +--rw group string
| | | +--rw login-ip inet:ipv4-address
| | | +--rw authentication-mode
| | | +--rw local-authentication boolean
| | | +--rw third-part-server-authentication boolean
| | | +--rw exemption-authentication boolean
| | | +--rw sso-authentication boolean
| | +--:(nsf-event)
| | +--rw user-name? string
| | +--rw ddos-event
| | | +--rw message? string
| | | +--rw src-ip? inet:ipv4-address
| | | +--rw dst-ip? inet:ipv4-address
| | | +--rw src-port? inet:port-number
| | | +--rw dst-port? inet:port-number
| | | +--rw src-zone? string
| | | +--rw dst-zone? string
| | | +--rw rule-id uint8
| | | +--rw rule-name string
| | | +--rw profile? string
| | | +--rw raw-info? string
| | | +--rw ddos-attack-type
| | | | +--rw syn-flood? boolean
| | | | +--rw ack-flood? boolean
| | | | +--rw syn-ack-flood? boolean
| | | | +--rw fin-rst-flood? boolean
| | | | +--rw tcp-connection-flood? boolean
| | | | +--rw udp-flood? boolean
| | | | +--rw icmp-flood? boolean
| | | | +--rw https-flood? boolean
| | | | +--rw http-flood? boolean
| | | | +--rw dns-reply-flood? boolean
| | | | +--rw dns-query-flood? boolean
| | | | +--rw sip-flood? boolean
| | | +--rw start-time yang:date-and-time
| | | +--rw end-time yang:date-and-time
| | | +--rw attack-rate? uint32
| | | +--rw attack-speed? uint32
| | +--rw session-table-event
| | | +--rw current-session? uint8
| | | +--rw maximum-session? uint8
| | | +--rw threshold? uint8
| | | +--rw message? string
| | +--rw virus-event
| | | +--rw message? string
| | | +--rw src-ip? inet:ipv4-address
| | | +--rw dst-ip? inet:ipv4-address
| | | +--rw src-port? inet:port-number
| | | +--rw dst-port? inet:port-number
| | | +--rw src-zone? string
| | | +--rw dst-zone? string
| | | +--rw rule-id uint8
| | | +--rw rule-name string
| | | +--rw profile? string
| | | +--rw raw-info? string
| | | +--rw virus-type
| | | | +--rw trajan? boolean
| | | | +--rw worm? boolean
| | | | +--rw macro? boolean
| | | +--rw virus-name? string
| | | +--rw file-type? string
| | | +--rw file-name? string
| | +--rw intrusion-event
| | | +--rw message? string
| | | +--rw src-ip? inet:ipv4-address
| | | +--rw dst-ip? inet:ipv4-address
| | | +--rw src-port? inet:port-number
| | | +--rw dst-port? inet:port-number
| | | +--rw src-zone? string
| | | +--rw dst-zone? string
| | | +--rw rule-id uint8
| | | +--rw rule-name string
| | | +--rw profile? string
| | | +--rw raw-info? string
| | | +--rw protocol
| | | | +--rw tcp? boolean
| | | | +--rw udp? boolean
| | | | +--rw icmp? boolean
| | | | +--rw icmpv6? boolean
| | | | +--rw ip? boolean
| | | | +--rw http? boolean
| | | | +--rw ftp? boolean
| | | +--rw intrusion-attack-type
| | | +--rw brutal-force? boolean
| | | +--rw buffer-overflow? boolean
| | +--rw botnet-event
| | | +--rw message? string
| | | +--rw src-ip? inet:ipv4-address
| | | +--rw dst-ip? inet:ipv4-address
| | | +--rw src-port? inet:port-number
| | | +--rw dst-port? inet:port-number
| | | +--rw src-zone? string
| | | +--rw dst-zone? string
| | | +--rw rule-id uint8
| | | +--rw rule-name string
| | | +--rw profile? string
| | | +--rw raw-info? string
| | | +--rw protocol
| | | | +--rw tcp? boolean
| | | | +--rw udp? boolean
| | | | +--rw icmp? boolean
| | | | +--rw icmpv6? boolean
| | | | +--rw ip? boolean
| | | | +--rw http? boolean
| | | | +--rw ftp? boolean
| | | +--rw botnet-name? string
| | | +--rw role? string
| | +--rw web-attack-event
| | +--rw message? string
| | +--rw src-ip? inet:ipv4-address
| | +--rw dst-ip? inet:ipv4-address
| | +--rw src-port? inet:port-number
| | +--rw dst-port? inet:port-number
| | +--rw src-zone? string
| | +--rw dst-zone? string
| | +--rw rule-id uint8
| | +--rw rule-name string
| | +--rw profile? string
| | +--rw raw-info? string
| | +--rw web-attack-type
| | | +--rw sql-injection? boolean
| | | +--rw command-injection? boolean
| | | +--rw xss? boolean
| | | +--rw csrf? boolean
| | +--rw req-method
| | | +--rw put? boolean
| | | +--rw get? boolean
| | +--rw req-url? string
| | +--rw url-category? string
| | +--rw filtering-type
| | +--rw blacklist? boolean
| | +--rw whitelist? boolean
| | +--rw user-defined? boolean
| | +--rw balicious-category? boolean
| | +--rw unknown? boolean
| +--:(log)
| | +--rw (log-type)?
| | +--:(system-log)
| | | +--rw access-logs
| | | | +--rw login-ip inet:ipv4-address
| | | | +--rw administartor? string
| | | | +--rw login-mode? login-mode
| | | | +--rw operation-type? operation-type
| | | | +--rw result? string
| | | | +--rw content? string
| | | +--rw resource-utiliz-logs
| | | | +--rw system-status? string
| | | | +--rw cpu-usage? uint8
| | | | +--rw memory-usage? uint8
| | | | +--rw disk-usage? uint8
| | | | +--rw disk-left? uint8
| | | | +--rw session-num? uint8
| | | | +--rw process-num? uint8
| | | | +--rw in-traffic-rate? uint32
| | | | +--rw out-traffic-rate? uint32
| | | | +--rw in-traffic-speed? uint32
| | | | +--rw out-traffic-speed? uint32
| | | +--rw user-activity-logs
| | | +--rw user string
| | | +--rw group string
| | | +--rw login-ip inet:ipv4-address
| | | +--rw authentication-mode
| | | | +--rw local-authentication boolean
| | | | +--rw third-part-server-authentication boolean
| | | | +--rw exemption-authentication boolean
| | | | +--rw sso-authentication boolean
| | | +--rw access-mode
| | | | +--rw ppp? boolean
| | | | +--rw svn? boolean
| | | | +--rw local? boolean
| | | +--rw online-duration? string
| | | +--rw logout-duration? string
| | | +--rw addtional-info? string
| | +--:(nsf-log)
| | +--rw ddos-logs
| | | +--rw attack-type? string
| | | +--rw attack-ave-rate? uint32
| | | +--rw attack-ave-speed? uint32
| | | +--rw attack-pkt-num? uint32
| | | +--rw attack-src-ip? inet:ipv4-address
| | | +--rw action? all-action
| | | +--rw os? string
| | +--rw virus-logs
| | | +--rw protocol
| | | | +--rw tcp? boolean
| | | | +--rw udp? boolean
| | | | +--rw icmp? boolean
| | | | +--rw icmpv6? boolean
| | | | +--rw ip? boolean
| | | | +--rw http? boolean
| | | | +--rw ftp? boolean
| | | +--rw attack-type? string
| | | +--rw action? all-action
| | | +--rw os? string
| | | +--rw time yang:date-and-time
| | +--rw intrusion-logs
| | | +--rw attack-type? string
| | | +--rw action? all-action
| | | +--rw time yang:date-and-time
| | | +--rw attack-rate? uint32
| | | +--rw attack-speed? uint32
| | +--rw botnet-logs
| | | +--rw attack-type? string
| | | +--rw botnet-pkt-num? uint8
| | | +--rw action? all-action
| | | +--rw os? string
| | +--rw dpi-logs
| | | +--rw dpi-type? dpi-type
| | | +--rw src-ip? inet:ipv4-address
| | | +--rw dst-ip? inet:ipv4-address
| | | +--rw src-port? inet:port-number
| | | +--rw dst-port? inet:port-number
| | | +--rw src-zone? string
| | | +--rw dst-zone? string
| | | +--rw src-region? string
| | | +--rw dst-region? string
| | | +--rw policy-id uint8
| | | +--rw policy-name string
| | | +--rw src-user? string
| | | +--rw protocol
| | | | +--rw tcp? boolean
| | | | +--rw udp? boolean
| | | | +--rw icmp? boolean
| | | | +--rw icmpv6? boolean
| | | | +--rw ip? boolean
| | | | +--rw http? boolean
| | | | +--rw ftp? boolean
| | | +--rw file-type? string
| | | +--rw file-name? string
| | +--rw vulnerability-scanning-logs* [vulnerability-id]
| | | +--rw vulnerability-id uint8
| | | +--rw victim-ip? inet:ipv4-address
| | | +--rw protocol
| | | | +--rw tcp? boolean
| | | | +--rw udp? boolean
| | | | +--rw icmp? boolean
| | | | +--rw icmpv6? boolean
| | | | +--rw ip? boolean
| | | | +--rw http? boolean
| | | | +--rw ftp? boolean
| | | +--rw port-num? inet:port-number
| | | +--rw level? severity
| | | +--rw os? string
| | | +--rw addtional-info? string
| | +--rw web-attack-logs
| | +--rw attack-type? string
| | +--rw rsp-code? string
| | +--rw req-clientapp? string
| | +--rw req-cookies? string
| | +--rw req-host? string
| | +--rw raw-info? string
| +--:(counters)
| +--rw (counter-type)?
| +--:(system-counter)
| | +--rw interface-counters
| | +--rw interface-name? string
| | +--rw in-total-traffic-pkts? uint32
| | +--rw out-total-traffic-pkts? uint32
| | +--rw in-total-traffic-bytes? uint32
| | +--rw out-total-traffic-bytes? uint32
| | +--rw in-drop-traffic-pkts? uint32
| | +--rw out-drop-traffic-pkts? uint32
| | +--rw in-drop-traffic-bytes? uint32
| | +--rw out-drop-traffic-bytes? uint32
| | +--rw total-traffic? uint32
| | +--rw in-traffic-ave-rate? uint32
| | +--rw in-traffic-peak-rate? uint32
| | +--rw in-traffic-ave-speed? uint32
| | +--rw in-traffic-peak-speed? uint32
| | +--rw out-traffic-ave-rate? uint32
| | +--rw out-traffic-peak-rate? uint32
| | +--rw out-traffic-ave-speed? uint32
| | +--rw out-traffic-peak-speed? uint32
| +--:(nsf-counter)
| | +--rw firewall-counters
| | +--rw src-ip? inet:ipv4-address
| | +--rw dst-ip? inet:ipv4-address
| | +--rw src-port? inet:port-number
| | +--rw dst-port? inet:port-number
| | +--rw src-zone? string
| | +--rw dst-zone? string
| | +--rw src-region? string
| | +--rw dst-region? string
| | +--rw policy-id uint8
| | +--rw policy-name string
| | +--rw src-user? string
| | +--rw protocol
| | | +--rw tcp? boolean
| | | +--rw udp? boolean
| | | +--rw icmp? boolean
| | | +--rw icmpv6? boolean
| | | +--rw ip? boolean
| | | +--rw http? boolean
| | | +--rw ftp? boolean
| | +--rw total-traffic? uint32
| | +--rw in-traffic-ave-rate? uint32
| | +--rw in-traffic-peak-rate? uint32
| | +--rw in-traffic-ave-speed? uint32
| | +--rw in-traffic-peak-speed? uint32
| | +--rw out-traffic-ave-rate? uint32
| | +--rw out-traffic-peak-rate? uint32
| | +--rw out-traffic-ave-speed? uint32
| | +--rw out-traffic-peak-speed? uint32
| | +--rw bound
| | +--rw in-interface? boolean
| | +--rw out-interface? boolean
| +--:(policy-hit-counters)
| +--rw policy-hit-counters
| +--rw src-ip? inet:ipv4-address
| +--rw dst-ip? inet:ipv4-address
| +--rw src-port? inet:port-number
| +--rw dst-port? inet:port-number
| +--rw src-zone? string
| +--rw dst-zone? string
| +--rw src-region? string
| +--rw dst-region? string
| +--rw policy-id uint8
| +--rw policy-name string
| +--rw src-user? string
| +--rw protocol
| | +--rw tcp? boolean
| | +--rw udp? boolean
| | +--rw icmp? boolean
| | +--rw icmpv6? boolean
| | +--rw ip? boolean
| | +--rw http? boolean
| | +--rw ftp? boolean
| +--rw total-traffic? uint32
| +--rw in-traffic-ave-rate? uint32
| +--rw in-traffic-peak-rate? uint32
| +--rw in-traffic-ave-speed? uint32
| +--rw in-traffic-peak-speed? uint32
| +--rw out-traffic-ave-rate? uint32
| +--rw out-traffic-peak-rate? uint32
| +--rw out-traffic-ave-speed? uint32
| +--rw out-traffic-peak-speed? uint32
| +--rw hit-times? uint32
+--rw message string
+--rw time-stamp yang:date-and-time
+--rw severity severity
Figure 1: Information Model for NSF Monitoring
This section introduces a YANG data model for the information model of monitoring inforamtion based on [i2nsf-monitoring-im].
<CODE BEGINS> file "ietf-i2nsf-nsf-monitoring-dm@2017-10-30.yang"
module ietf-i2nsf-nsf-monitoring-dm {
namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring-dm";
prefix
monitoring-information;
import ietf-inet-types{
prefix inet;
}
import ietf-yang-types {
prefix yang;
}
organization
"IETF I2NSF (Interface to Network Security Functions)
Working Group";
contact
"WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org>
WG Chair: Linda Dunbar
<mailto:Linda.duhbar@huawei.com>
Editor: Dongjin Hong
<mailto:dong.jin@skku.edu>
Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu>";
description
"This module defines a YANG data module for monitoring NSFs.";
revision "2017-10-29" {
description "Initial revision";
reference
"draft-zhang-i2nsf-info-model-monitoring-04";
}
typedef severity {
type enumeration {
enum high {
description
"high-level";
}
enum middle {
description
"middle-level";
}
enum low {
description
"low-level";
}
}
description
"This is used for indicating the severity";
}
typedef all-action {
type enumeration {
enum allow {
description
"TBD";
}
enum alert {
description
"TBD";
}
enum block {
description
"TBD";
}
enum discard {
description
"TBD";
}
enum declare {
description
"TBD";
}
enum block-ip {
description
"TBD";
}
enum block-service{
description
"TBD";
}
}
description
"This is used for protocol";
}
typedef dpi-type{
type enumeration {
enum file-blocking{
description
"TBD";
}
enum data-filtering{
description
"TBD";
}
enum application-behavior-control{
description
"TBD";
}
}
description
"This is used for dpi type";
}
typedef operation-type{
type enumeration {
enum login{
description
"TBD";
}
enum logout{
description
"TBD";
}
enum configuration{
description
"TBD";
}
}
description
"This is used for operation type";
}
typedef login-mode{
type enumeration {
enum root{
description
"TBD";
}
enum user{
description
"TBD";
}
enum guest{
description
"TBD";
}
}
description
"This is used for login mode";
}
grouping protocol {
description
"A set of protocols";
container protocol {
description
"Protocol types:
TCP, UDP, ICMP, ICMPv6, IP, HTTP, FTP and etc.";
leaf tcp {
type boolean;
description
"TCP protocol type.";
}
leaf udp {
type boolean;
description
"UDP protocol type.";
}
leaf icmp {
type boolean;
description
"ICMP protocol type.";
}
leaf icmpv6 {
type boolean;
description
"ICMPv6 protocol type.";
}
leaf ip {
type boolean;
description
"IP protocol type.";
}
leaf http {
type boolean;
description
"HTTP protocol type.";
}
leaf ftp {
type boolean;
description
"ftp protocol type.";
}
}
}
grouping traffic-rates {
description
"A set of traffic rates
for statistics data";
leaf total-traffic {
type uint32;
description
"Total traffic";
}
leaf in-traffic-ave-rate {
type uint32;
description
"Inbound traffic average rate in pps";
}
leaf in-traffic-peak-rate {
type uint32;
description
"Inbound traffic peak rate in pps";
}
leaf in-traffic-ave-speed {
type uint32;
description
"Inbound traffic average speed in bps";
}
leaf in-traffic-peak-speed {
type uint32;
description
"Inbound traffic peak speed in bps";
}
leaf out-traffic-ave-rate {
type uint32;
description
"Outbound traffic average rate in pps";
}
leaf out-traffic-peak-rate {
type uint32;
description
"Outbound traffic peak rate in pps";
}
leaf out-traffic-ave-speed {
type uint32;
description
"Outbound traffic average speed in bps";
}
leaf out-traffic-peak-speed {
type uint32;
description
"Outbound traffic peak speed in bps";
}
}
grouping i2nsf-system-event-type-content {
description
"A set of system event type contents";
leaf group {
type string;
mandatory true;
description
"Group to which a user belongs.";
}
leaf login-ip {
type inet:ipv4-address;
mandatory true;
description
"Login IP address of a user.";
}
container authentication-mode {
description
"User authentication mode. e.g., Local Authentication,
Third-Party Server Authentication,
Authentication Exemption, SSO Authentication.";
leaf local-authentication {
type boolean;
mandatory true;
description
"Authentication-mode : local authentication.";
}
leaf third-part-server-authentication {
type boolean;
mandatory true;
description
"TBD";
}
leaf exemption-authentication {
type boolean;
mandatory true;
description
"TBD";
}
leaf sso-authentication {
type boolean;
mandatory true;
description
"TBD";
}
}
}
grouping i2nsf-nsf-event-type-content {
description
"A set of nsf event type contents";
leaf message {
type string;
description
"The message for nsf events";
}
leaf src-ip {
type inet:ipv4-address;
description
"The source IP address of the packet";
}
leaf dst-ip {
type inet:ipv4-address;
description
"The destination IP address of the packet";
}
leaf src-port {
type inet:port-number;
description
"The source port of the packet";
}
leaf dst-port {
type inet:port-number;
description
"The destination port of the packet";
}
leaf src-zone {
type string;
description
"The source security zone of the packet";
}
leaf dst-zone {
type string;
description
"The destination security zone of the packet";
}
leaf rule-id {
type uint8;
mandatory true;
description
"The ID of the rule being triggered";
}
leaf rule-name {
type string;
mandatory true;
description
"The name of the rule being triggered";
}
leaf profile {
type string;
description
"Security profile that traffic matches.";
}
leaf raw-info {
type string;
description
"The information describing the packet
triggering the event.";
}
}
grouping i2nsf-system-counter-type-content{
description
"A set of system counter type contents";
leaf interface-name {
type string;
description
"Network interface name configured in NSF";
}
leaf in-total-traffic-pkts {
type uint32;
description
"Total inbound packets";
}
leaf out-total-traffic-pkts {
type uint32;
description
"Total outbound packets";
}
leaf in-total-traffic-bytes {
type uint32;
description
"Total inbound bytes";
}
leaf out-total-traffic-bytes {
type uint32;
description
"Total outbound bytes";
}
leaf in-drop-traffic-pkts {
type uint32;
description
"Total inbound drop packets";
}
leaf out-drop-traffic-pkts {
type uint32;
description
"Total outbound drop packets";
}
leaf in-drop-traffic-bytes {
type uint32;
description
"Total inbound drop bytes";
}
leaf out-drop-traffic-bytes {
type uint32;
description
"Total outbound drop bytes";
}
uses traffic-rates;
}
grouping i2nsf-nsf-counters-type-content{
description
"A set of nsf counters type contents";
leaf src-ip {
type inet:ipv4-address;
description
"The source IP address of the packet";
}
leaf dst-ip {
type inet:ipv4-address;
description
"The destination IP address of the packet";
}
leaf src-port {
type inet:port-number;
description
"The source port of the packet";
}
leaf dst-port {
type inet:port-number;
description
"The destination port of the packet";
}
leaf src-zone {
type string;
description
"The source security zone of the packet";
}
leaf dst-zone {
type string;
description
"The destination security zone of the packet";
}
leaf src-region {
type string;
description
"Source region of the traffic";
}
leaf dst-region{
type string;
description
"Destination region of the traffic";
}
leaf policy-id {
type uint8;
mandatory true;
description
"The ID of the policy being triggered";
}
leaf policy-name {
type string;
mandatory true;
description
"The name of the policy being triggered";
}
leaf src-user{
type string;
description
"User who generates traffic";
}
uses protocol;
uses traffic-rates;
}
container monitoring-message {
description
"The message for monitoring information";
list monitoring-messages {
key message-id;
description
"The messages according to monitoring information";
leaf message-id {
type uint8;
mandatory true;
description
"This is message ID
This is key for monitoring messages";
}
leaf message-version {
type uint8;
mandatory true;
description
"The version of message";
}
choice message-type {
description
"The type of message";
case event {
description
"If the message type is event";
leaf event-name {
type string;
mandatory true;
description
"The name of the event";
}
choice event-type {
description
"This is event type such as system event
and nsf event.";
case system-event {
description
"If the event type is system event";
container access-violation {
description
"If the system event is
access violation";
uses i2nsf-system-event-type-content;
}
container config-change {
description
"If the system event is
config change violation";
uses i2nsf-system-event-type-content;
}
}
case nsf-event {
description
"If the event type is nsf event";
leaf user-name {
type string;
description
"This is user name for NSF event";
}
container ddos-event {
description
"If the event type is DDoS event";
uses i2nsf-nsf-event-type-content;
container ddos-attack-type{
description
"Type of DDoS attack";
leaf syn-flood{
type boolean;
description
"If the DDoS attack is
syn flood";
}
leaf ack-flood{
type boolean;
description
"If the DDoS attack is
ack flood";
}
leaf syn-ack-flood{
type boolean;
description
"If the DDoS attack is
syn ack flood";
}
leaf fin-rst-flood{
type boolean;
description
"If the DDoS attack is
fin rst flood";
}
leaf tcp-connection-flood{
type boolean;
description
"If the DDoS attack is
tcp connection flood";
}
leaf udp-flood{
type boolean;
description
"If the DDoS attack is
udp flood";
}
leaf icmp-flood{
type boolean;
description
"If the DDoS attack is
icmp flood";
}
leaf https-flood{
type boolean;
description
"If the DDoS attack is
https flood";
}
leaf http-flood{
type boolean;
description
"If the DDoS attack is
http flood";
}
leaf dns-reply-flood{
type boolean;
description
"If the DDoS attack is
dns reply flood";
}
leaf dns-query-flood{
type boolean;
description
"If the DDoS attack is
dns query flood";
}
leaf sip-flood{
type boolean;
description
"If the DDoS attack is
sip flood";
}
}
leaf start-time {
type yang:date-and-time;
mandatory true;
description
"The time stamp indicating
when the attack started";
}
leaf end-time {
type yang:date-and-time;
mandatory true;
description
"The time stamp indicating
when the attack ended";
}
leaf attack-rate {
type uint32;
description
"The PPS of attack traffic";
}
leaf attack-speed {
type uint32;
description
"the bps of attack traffic";
}
}
container session-table-event {
description
"If the event type is session
table event";
leaf current-session {
type uint8;
description
"The number of concurrent
sessions";
}
leaf maximum-session {
type uint8;
description
"The maximum number of sessions
that the session table can
support";
}
leaf threshold {
type uint8;
description
"The threshold triggering
the event";
}
leaf message {
type string;
description
"The number of session table
exceeded the threshold";
}
}
container virus-event {
description
"If the event type is virus event";
uses i2nsf-nsf-event-type-content;
container virus-type {
description
"The type of virus";
leaf trajan {
type boolean;
description
"If the virus type is trajan";
}
leaf worm {
type boolean;
description
"If the virus type is worm";
}
leaf macro {
type boolean;
description
"If the virus type is macro";
}
}
leaf virus-name {
type string;
description
"The name of virus";
}
leaf file-type {
type string;
description
"The type of file";
}
leaf file-name {
type string;
description
"The name of file";
}
}
container intrusion-event {
description
"If the event type is intrusion event";
uses i2nsf-nsf-event-type-content;
uses protocol;
container intrusion-attack-type {
description
"The attack type of intrusion";
leaf brutal-force {
type boolean;
description
"The intrusion type is
brutal force";
}
leaf buffer-overflow {
type boolean;
description
"The intrusion type is
buffer overflow";
}
}
}
container botnet-event {
description
"If the event type is botnet event";
uses i2nsf-nsf-event-type-content;
uses protocol;
leaf botnet-name {
type string;
description
"The name of the detected botnet";
}
leaf role {
type string;
description
"The role of the communicating
parties within the botnet";
}
}
container web-attack-event {
description
"If the event type is web
attack event";
uses i2nsf-nsf-event-type-content;
container web-attack-type {
description
"To determine the attack
type";
leaf sql-injection {
type boolean;
description
"If the web attack type is
sql injection";
}
leaf command-injection {
type boolean;
description
"If the web attack type is
command injection";
}
leaf xss {
type boolean;
description
"If the web attack type is
xss injection";
}
leaf csrf {
type boolean;
description
"If the web attack type is
csrf injection";
}
}
container req-method {
description
"The method of requirement.
For instance, PUT or GET
in HTTP";
leaf put{
type boolean;
description
"If req method is PUT";
}
leaf get {
type boolean;
description
"If req method is GET";
}
}
leaf req-url {
type string;
description
"Requested URL";
}
leaf url-category {
type string;
description
"Matched URL category";
}
container filtering-type {
description
"URL filtering type,
e.g., Blacklist, Whitelist,
User-Defined, Predefined,
Malicious Category, Unknown";
leaf blacklist {
type boolean;
description
"The filtering type is
blacklist";
}
leaf whitelist {
type boolean;
description
"The filtering type is
whitelist";
}
leaf user-defined {
type boolean;
description
"The filtering type is
user defined";
}
leaf balicious-category{
type boolean;
description
"The filtering type is
balicious category";
}
leaf unknown {
type boolean;
description
"The filtering type is
unknown";
}
}
}
}
}
}
case log {
description
"If the message type is log";
choice log-type {
description
"The type of log";
case system-log{
description
"If the log type is system log";
container access-logs {
description
"If the log is access logs
in system log";
leaf login-ip {
type inet:ipv4-address;
mandatory true;
description
"Login IP address of a user.";
}
leaf administartor {
type string;
description
"Administrator that
operates on the device";
}
leaf login-mode {
type login-mode;
description
"Specifies the
administrator logs in mode";
}
leaf operation-type {
type operation-type;
description
"The operation type that
the administrator execute";
}
leaf result {
type string;
description
"Command execution result";
}
leaf content {
type string;
description
"Operation performed by
an administrator after login.";
}
}
container resource-utiliz-logs {
description
"If the log is resource utilize
logs in system log";
leaf system-status {
type string;
description
"TBD";
}
leaf cpu-usage {
type uint8;
description
"specifies the amount of
cpu usage";
}
leaf memory-usage {
type uint8;
description
"specifies the amount of
memory usage";
}
leaf disk-usage {
type uint8;
description
"specifies the amount of
disk usage";
}
leaf disk-left {
type uint8;
description
"specifies the amount of
disk left";
}
leaf session-num {
type uint8;
description
"The total number of
sessions";
}
leaf process-num {
type uint8;
description
"The total number of
process";
}
leaf in-traffic-rate {
type uint32;
description
"The total inbound
traffic rate in pps";
}
leaf out-traffic-rate {
type uint32;
description
"The total outbound
traffic rate in pps";
}
leaf in-traffic-speed {
type uint32;
description
"The total inbound
traffic speed in bps";
}
leaf out-traffic-speed {
type uint32;
description
"The total outbound
traffic speed in bps";
}
}
container user-activity-logs {
description
"If the log is user activity
logs in system log";
leaf user {
type string;
mandatory true;
description
"Name of a user";
}
leaf group {
type string;
mandatory true;
description
"Group to which a user belongs.";
}
leaf login-ip {
type inet:ipv4-address;
mandatory true;
description
"Login IP address of a user.";
}
container authentication-mode {
description
"User authentication mode. e.g.,
Local Authentication,
Third-Party Server Authentication,
Authentication Exemption, SSO Authentication.";
leaf local-authentication {
type boolean;
mandatory true;
description
"Authentication-mode : local authentication.";
}
leaf third-part-server-authentication {
type boolean;
mandatory true;
description
"TBD";
}
leaf exemption-authentication {
type boolean;
mandatory true;
description
"TBD";
}
leaf sso-authentication {
type boolean;
mandatory true;
description
"TBD";
}
}
container access-mode {
description
"TBD";
leaf ppp{
type boolean;
description
"TBD";
}
leaf svn{
type boolean;
description
"TBD";
}
leaf local{
type boolean;
description
"TBD";
}
}
leaf online-duration {
type string;
description
"TBD";
}
leaf logout-duration {
type string;
description
"TBD";
}
leaf addtional-info {
type string;
description
"TBD";
}
}
}
case nsf-log{
description
"If the log type is nsf log";
container ddos-logs {
description
"If the log is DDoS logs
in nsf log";
leaf attack-type{
type string;
description
"DDoS";
}
leaf attack-ave-rate {
type uint32;
description
"The ave PPS of
attack traffic";
}
leaf attack-ave-speed {
type uint32;
description
"the ave bps of
attack traffic";
}
leaf attack-pkt-num{
type uint32;
description
"the number of
attack packets";
}
leaf attack-src-ip {
type inet:ipv4-address;
description
"TBD";
}
leaf action {
type all-action;
description
"TBD";
}
leaf os {
type string;
description
"simple os information";
}
}
container virus-logs {
description
"If the log is virus logs
in nsf log";
uses protocol;
leaf attack-type{
type string;
description
"Virus";
}
leaf action{
type all-action;
description
"TBD";
}
leaf os{
type string;
description
"simple os information";
}
leaf time {
type yang:date-and-time;
mandatory true;
description
"Indicate the time when the
message is generated";
}
}
container intrusion-logs {
description
"If the log is intrusion logs
in nsf log";
leaf attack-type{
type string;
description
"Intrusion";
}
leaf action{
type all-action;
description
"TBD";
}
leaf time {
type yang:date-and-time;
mandatory true;
description
"Indicate the time when the
message is generated";
}
leaf attack-rate {
type uint32;
description
"The PPS of attack traffic";
}
leaf attack-speed {
type uint32;
description
"the bps of attack traffic";
}
}
container botnet-logs {
description
"If the log is botnet logs
in nsf log";
leaf attack-type{
type string;
description
"Botnet";
}
leaf botnet-pkt-num{
type uint8;
description
"The number of the packets
sent to or from the
detected botnet";
}
leaf action{
type all-action;
description
"TBD";
}
leaf os{
type string;
description
"simple os information";
}
}
container dpi-logs {
description
"If the log is dpi logs
in nsf log";
leaf dpi-type{
type dpi-type;
description
"The type of dpi";
}
leaf src-ip {
type inet:ipv4-address;
description
"The source IP address of the packet";
}
leaf dst-ip {
type inet:ipv4-address;
description
"The destination IP address of the packet";
}
leaf src-port {
type inet:port-number;
description
"The source port of the packet";
}
leaf dst-port {
type inet:port-number;
description
"The destination port of the packet";
}
leaf src-zone {
type string;
description
"The source security zone of the packet";
}
leaf dst-zone {
type string;
description
"The destination security zone of the packet";
}
leaf src-region {
type string;
description
"Source region of the traffic";
}
leaf dst-region{
type string;
description
"Destination region of the traffic";
}
leaf policy-id {
type uint8;
mandatory true;
description
"The ID of the policy being triggered";
}
leaf policy-name {
type string;
mandatory true;
description
"The name of the policy being triggered";
}
leaf src-user{
type string;
description
"User who generates traffic";
}
uses protocol;
leaf file-type {
type string;
description
"The type of file";
}
leaf file-name {
type string;
description
"The name of file";
}
}
list vulnerability-scanning-logs {
key vulnerability-id;
description
"If the log is vulnerability
scanning logs in nsf log";
leaf vulnerability-id{
type uint8;
description
"The vulnerability id";
}
leaf victim-ip {
type inet:ipv4-address;
description
"IP address of the victim
host which has vulnerabilities";
}
uses protocol;
leaf port-num{
type inet:port-number;
description
"The port number";
}
leaf level{
type severity;
description
"The vulnerability severity";
}
leaf os{
type string;
description
"simple os information";
}
leaf addtional-info{
type string;
description
"TBD";
}
}
container web-attack-logs {
description
"If the log is web attack
logs in nsf log";
leaf attack-type{
type string;
description
"Web Attack";
}
leaf rsp-code{
type string;
description
"Response code";
}
leaf req-clientapp{
type string;
description
"The client application";
}
leaf req-cookies{
type string;
description
"Cookies";
}
leaf req-host{
type string;
description
"The domain name of the
requested host";
}
leaf raw-info{
type string;
description
"The information describing
the packet triggering the
event.";
}
}
}
}
}
case counters {
description
"If the message type is counters";
choice counter-type {
description
"The type of counter";
case system-counter {
container interface-counters {
description
"The system counter type is
interface counter";
uses i2nsf-system-counter-type-content;
}
}
case nsf-counter{
container firewall-counters {
description
"The nsf counter type is
firewall counter";
uses i2nsf-nsf-counters-type-content;
container bound{
description
"Inbound or Outbound";
leaf in-interface {
type boolean;
description
"If the bound is inbound";
}
leaf out-interface {
type boolean;
description
"If the bound is outbound";
}
}
}
}
container policy-hit-counters {
description
"The counters of policy hit";
uses i2nsf-nsf-counters-type-content;
leaf hit-times{
type uint32;
description
"The hit times for policy";
}
}
}
}
}
leaf message {
type string;
mandatory true;
description
"This is a message for monitoring information";
}
leaf time-stamp {
type yang:date-and-time;
mandatory true;
description
"Indicate the time when the message is generated";
}
leaf severity {
type severity;
mandatory true;
description
"The severity of the alarm such as
critical, high, middle, low.";
}
}
}
}
<CODE ENDS>
Figure 2: Data Model of Monitoring
This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning).
This document has greatly benefited from inputs by Daeyoung Hyun.
| [RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
| [RFC6020] | Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010. |
| [i2nsf-framework] | Hares,, S., Lopez,, J., Dunbar, L., Strassner, J. and R. Kumar, "Framework for Interface to Network Security Functions", Internet-Draft draft-ietf-i2nsf-framework-05, May 2017. |
| [i2nsf-monitoring-im] | Xia,, L., Zhang,, D., Wu, Y., Kumar, R., Lohiya, A. and H. Birkholz, "An Information Model for the Monitoring of Network Security Functions (NSF)", Internet-Draft draft-zhang-i2nsf-info-model-monitoring-04, July 2017. |
| [i2nsf-terminology] | Hares,, S., Strassner,, J., Lopez,, D., Xia,, L. and H. Birkholz,, "Interface to Network Security Functions (I2NSF) Terminology", Internet-Draft draft-ietf-i2nsf-terminology-04, July 2017. |
| [i2rs-rib-data-model] | Wang, L., Ananthakrishnan, H., Chen, M., Dass, A., Kini, S. and N. Bahadur, "A YANG Data Model for Routing Information Base (RIB)", Internet-Draft draft-ietf-i2rs-rib-data-model-07, January 2017. |
The following changes are made from draft-hong-i2nsf-nsf-monitoring-data-model-00: