<CODE BEGINS> file "ietf-i2nsf-nsf-monitoring@2021-09-15.yang"
module ietf-i2nsf-nsf-monitoring {
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring";
prefix
nsfmi;
import ietf-inet-types{
prefix inet;
reference
"Section 4 of RFC 6991";
}
import ietf-yang-types {
prefix yang;
reference
"Section 3 of RFC 6991";
}
import ietf-i2nsf-policy-rule-for-nsf {
prefix nsfintf;
reference
"Section 4.1 of draft-ietf-i2nsf-nsf-facing-interface-dm-14";
}
organization
"IETF I2NSF (Interface to Network Security Functions)
Working Group";
contact
"WG Web: <https://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org>
Editor: Jaehoon Paul Jeong
<mailto:pauljeong@skku.edu>
Editor: Patrick Lingga
<mailto:patricklink@skku.edu>";
description
"This module is a YANG module for I2NSF NSF Monitoring.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this
document are to be interpreted as described in BCP 14
(RFC 2119) (RFC 8174) when, and only when, they appear
in all capitals, as shown here.
Copyright (c) 2021 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject to
the license terms contained in, the Simplified BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
for full legal notices.";
revision "2021-09-15" {
description "Latest revision";
reference
"RFC XXXX: I2NSF NSF Monitoring Interface YANG Data Model";
// RFC Ed.: replace XXXX with an actual RFC number and remove
// this note.
}
/*
* Typedefs
*/
typedef severity {
type enumeration {
enum critical {
description
"The 'critical' severity level indicates that
an immediate corrective action is required.
A 'critical' severity is reported when a service
becomes totally out of service and must be restored.";
}
enum high {
description
"The 'high' severity level indicates that
an urgent corrective action is required.
A 'high' severity is reported when there is
a severe degradation in the capability of the
service and its full capability must be restored.";
}
enum middle {
description
"The 'middle' severity level indicates the
existence of a non-service-affecting fault
condition and corrective action should be done
to prevent a more serious fault. The 'middle'
severity is reported when the detected problem
is not degrading the capability of the service, but
some service degradation might happen if not
prevented.";
}
enum low {
description
"The 'low' severity level indicates the detection
of a potential fault before any effect is observed.
The 'low' severity is reported when an action should
be done before a fault happen.";
}
}
description
"An indicator representing severity levels. The severity
levels starting from the highest are critical, high, middle,
and low.";
}
typedef log-action {
type enumeration {
enum allow {
description
"If action is allowed";
}
enum alert {
description
"If action is alert";
}
enum block {
description
"If action is block";
}
enum discard {
description
"If action is discarded";
}
enum declare {
description
"If action is declared";
}
enum block-ip {
description
"If action is block-ip";
}
enum block-service{
description
"If action is block-service";
}
}
description
"The type representing action for logging.";
}
typedef dpi-type{
type enumeration {
enum file-blocking{
description
"DPI for preventing the specified file types from flowing
in the network.";
}
enum data-filtering{
description
"DPI for preventing sensitive information (e.g., Credit
Card Number or Social Security Numbers) leaving a
protected network.";
}
enum application-behavior-control{
description
"DPI for filtering packet based on the application or
network behavior analysis to identify malicious or
unusual activity.";
}
}
description
"The type of Deep Packet Inspection (DPI).
The defined types are file-blocking, data-filtering, and
application-behavior-control.";
}
typedef operation-type{
type enumeration {
enum login {
description
"The operation type is Login.";
}
enum logout {
description
"The operation type is Logout.";
}
enum configuration {
description
"The operation type is Configuration. The configuration
operation includes the command for writing a new
configuration and modifying an existing configuration.";
}
enum other {
description
"The operation type is Other operation. This other
includes all operations done by a user except login,
logout, and configuration.";
}
}
description
"The type of operation done by a user during a session.
The user operation is not considering their privileges.";
}
typedef login-role {
type enumeration {
enum administrator {
description
"Administrator (i.e., Super User) login role.
Non-restricted role.";
}
enum user {
description
"User login role. Semi-restricted role, some data and
configurations are available but confidential or important
data and configuration are restricted.";
}
enum guest {
description
"Guest login role. Restricted role, only few read data are
available and write configurations are restricted.";
}
}
description
"The role of a user after login.";
}
/*
* Identity
*/
identity characteristics {
description
"Base identity for monitoring information
characteristics";
}
identity acquisition-method {
base characteristics;
description
"The type of acquisition-method. It can be multiple
types at once.";
}
identity subscription {
base acquisition-method;
description
"The acquisition-method type is subscription.";
}
identity query {
base acquisition-method;
description
"The acquisition-method type is query.";
}
identity emission-type {
base characteristics;
description
"The type of emission-type.";
}
identity periodic {
base emission-type;
description
"The emission-type type is periodic.";
}
identity on-change {
base emission-type;
description
"The emission-type type is on-change.";
}
identity dampening-type {
base characteristics;
description
"The type of message dampening to stop the rapid transmission
of messages. The dampening types are on-repetition and
no-dampening";
}
identity no-dampening {
base dampening-type;
description
"The dampening-type is no-dampening. No-dampening type does
not limit the transmission for the messages of the same
type.";
}
identity on-repetition {
base dampening-type;
description
"The dampening-type is on-repetition. On-repetition type limits
the transmitted on-change message to one message at a certain
interval.";
}
identity authentication-mode {
description
"The authentication mode for a user to connect to the NSF,
e.g., pre-configured-key and certificate-authority";
}
identity pre-configured-key {
base authentication-mode;
description
"The pre-configured-key is an authentication using a key
authentication.";
}
identity certificate-authority {
base authentication-mode;
description
"The certificate-authority (CA) is an authentication using a
digital certificate.";
}
identity event {
description
"Base identity for I2NSF events.";
}
identity system-event {
base event;
description
"Identity for system event";
}
identity system-alarm {
base event;
description
"Base identity for detectable system alarm types";
}
identity memory-alarm {
base system-alarm;
description
"A memory alarm is alerted.";
}
identity cpu-alarm {
base system-alarm;
description
"A CPU alarm is alerted.";
}
identity disk-alarm {
base system-alarm;
description
"A disk alarm is alerted.";
}
identity hardware-alarm {
base system-alarm;
description
"A hardware alarm (i.e., hardware failure) is alerted.";
}
identity interface-alarm {
base system-alarm;
description
"An interface alarm is alerted.";
}
identity access-violation {
base system-event;
description
"The access-violation system event is an event when a user
tries to access (read or write) any information above their
privilege.";
}
identity configuration-change {
base system-event;
description
"The configuration-change system event is an event when a user
adds a new configuration or modify an existing configuration
(write configuration).";
}
identity attack-type {
description
"The root ID of attack-based notification
in the notification taxonomy";
}
identity nsf-attack-type {
base attack-type;
description
"This ID is intended to be used
in the context of NSF event.";
}
identity virus-type {
base nsf-attack-type;
description
"The type of virus. It can be multiple types at once.
This attack type is associated with a detected
system-log virus-attack.";
}
identity trojan {
base virus-type;
description
"The virus type is a trojan. Trojan is able to disguise the
intent of the files or programs to misleads the users.";
}
identity worm {
base virus-type;
description
"The virus type is a worm. Worm can self-replicate and
spread through the network automatically.";
}
identity macro {
base virus-type;
description
"The virus type is a macro virus. Macro causes a series of
threats automatically after the program is executed.";
}
identity boot-sector {
base virus-type;
description
"The virus type is a boot sector virus. Boot sector is a virus
that infects the core of the computer, affecting the startup
process.";
}
identity polymorphic {
base virus-type;
description
"The virus type is a polymorphic virus. Polymorphic can
modify its version when it replicates, making it hard to
detect.";
}
identity overwrite {
base virus-type;
description
"The virus type is an overwrite virus. Overwrite can remove
existing software and replace it with malicious code by
overwriting it.";
}
identity resident {
base virus-type;
description
"The virus-type is a resident virus. Resident saves itself in
the computer's memory and infects other files and software.";
}
identity non-resident {
base virus-type;
description
"The virus-type is a non-resident virus. Non-resident attaches
directly to an executable file and enters the device when
executed.";
}
identity multipartite {
base virus-type;
description
"The virus-type is a multipartite virus. Multipartite attacks
both the boot sector and executables files of a computer.";
}
identity spacefiller {
base virus-type;
description
"The virus-type is a spacefiller virus. Spacefiller fills empty
spaces of a file or software with malicious code.";
}
identity intrusion-attack-type {
base nsf-attack-type;
description
"The attack type is associated with a detected
system-log intrusion.";
}
identity brute-force {
base intrusion-attack-type;
description
"The intrusion type is brute-force.";
}
identity buffer-overflow {
base intrusion-attack-type;
description
"The intrusion type is buffer-overflow.";
}
identity web-attack-type {
base nsf-attack-type;
description
"The attack type is associated with a detected
system-log web-attack.";
}
identity command-injection {
base web-attack-type;
description
"The detected web attack type is command injection.";
}
identity xss {
base web-attack-type;
description
"The detected web attack type is XSS.";
}
identity csrf {
base web-attack-type;
description
"The detected web attack type is CSRF.";
}
identity ddos-type {
base nsf-attack-type;
description
"Base identity for detectable flood types";
}
identity syn-flood {
base ddos-type;
description
"A SYN flood is detected.";
}
identity ack-flood {
base ddos-type;
description
"An ACK flood is detected.";
}
identity syn-ack-flood {
base ddos-type;
description
"A SYN-ACK flood is detected.";
}
identity fin-rst-flood {
base ddos-type;
description
"A FIN-RST flood is detected.";
}
identity tcp-con-flood {
base ddos-type;
description
"A TCP connection flood is detected.";
}
identity udp-flood {
base ddos-type;
description
"A UDP flood is detected.";
}
identity icmpv4-flood {
base ddos-type;
description
"An ICMPv4 flood is detected.";
}
identity icmpv6-flood {
base ddos-type;
description
"An ICMPv6 flood is detected.";
}
identity http-flood {
base ddos-type;
description
"An HTTP flood is detected.";
}
identity https-flood {
base ddos-type;
description
"An HTTPS flood is detected.";
}
identity dns-query-flood {
base ddos-type;
description
"A Domain Name System (DNS) query flood is detected.";
}
identity dns-reply-flood {
base ddos-type;
description
"A Domain Name System (DNS) reply flood is detected.";
}
identity sip-flood {
base ddos-type;
description
"A Session Initiation Protocol (SIP) flood is detected.";
}
identity ssl-flood {
base ddos-type;
description
"An Secure Sockets Layer (SSL) flood is detected";
}
identity ntp-amp-flood {
base ddos-type;
description
"A Network Time Protocol (NTP) amplification is detected";
}
identity request-method {
description
"A set of request types in HTTP (if applicable).";
}
identity put {
base request-method;
description
"The detected request type is PUT.";
reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content - Request Method PUT";
}
identity post {
base request-method;
description
"The detected request type is POST.";
reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content - Request Method POST";
}
identity get {
base request-method;
description
"The detected request type is GET.";
reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content - Request Method GET";
}
identity head {
base request-method;
description
"The detected request type is HEAD.";
reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content - Request Method HEAD";
}
identity delete {
base request-method;
description
"The detected request type is DELETE.";
reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content - Request Method DELETE";
}
identity connect {
base request-method;
description
"The detected request type is CONNECT.";
reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content - Request Method CONNECT";
}
identity options {
base request-method;
description
"The detected request type is OPTIONS.";
reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content - Request Method OPTIONS";
}
identity trace {
base request-method;
description
"The detected request type is TRACE.";
reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content - Request Method TRACE";
}
identity filter-type {
description
"The type of filter used to detect an attack,
for example, a web-attack. It can be applicable to
more than web-attacks.";
}
identity allow-list {
base filter-type;
description
"The applied filter type is an allow list. This filter blocks
all connection except the specified list.";
}
identity deny-list {
base filter-type;
description
"The applied filter type is a deny list. This filter opens all
connection except the specified list.";
}
identity unknown-filter {
base filter-type;
description
"The applied filter is unknown.";
}
identity protocol {
description
"An identity used to enable type choices in leaves
and leaflists with respect to protocol metadata. This is used
to identify the type of protocol that goes through the NSF.";
}
identity ip {
base protocol;
description
"General IP protocol type.";
reference
"RFC 791: Internet Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6)";
}
identity ipv4 {
base ip;
description
"IPv4 protocol type.";
reference
"RFC 791: Internet Protocol";
}
identity ipv6 {
base ip;
description
"IPv6 protocol type.";
reference
"RFC 8200: Internet Protocol, Version 6 (IPv6)";
}
identity icmp {
base protocol;
description
"Base identity for ICMPv4 and ICMPv6 condition capability";
reference
"RFC 792: Internet Control Message Protocol
RFC 4443: Internet Control Message Protocol (ICMPv6)
for the Internet Protocol Version 6 (IPv6) Specification
- ICMPv6";
}
identity icmpv4 {
base icmp;
description
"ICMPv4 protocol type.";
reference
"RFC 791: Internet Protocol
RFC 792: Internet Control Message Protocol";
}
identity icmpv6 {
base icmp;
description
"ICMPv6 protocol type.";
reference
"RFC 8200: Internet Protocol, Version 6 (IPv6)
RFC 4443: Internet Control Message Protocol (ICMPv6)
for the Internet Protocol Version 6 (IPv6)
Specification";
}
identity transport-protocol {
base protocol;
description
"Base identity for Layer 4 protocol condition capabilities,
e.g., TCP, UDP, SCTP, DCCP, and ICMP";
}
identity tcp {
base transport-protocol;
description
"TCP protocol type.";
reference
"RFC 793: Transmission Control Protocol
draft-ietf-tcpm-rfc793bis-25: Transmission Control Protocol
(TCP) Specification";
}
identity udp {
base transport-protocol;
description
"UDP protocol type.";
reference
"RFC 768: User Datagram Protocol";
}
identity sctp {
base transport-protocol;
description
"Identity for SCTP condition capabilities";
reference
"RFC 4960: Stream Control Transmission Protocol";
}
identity dccp {
base transport-protocol;
description
"Identity for DCCP condition capabilities";
reference
"RFC 4340: Datagram Congestion Control Protocol";
}
identity application-protocol {
base protocol;
description
"Base identity for Application protocol, e.g., HTTP, FTP";
}
identity http {
base application-protocol;
description
"HTTP protocol type.";
reference
"RFC7230: Hypertext Transfer Protocol (HTTP/1.1): Message
Syntax and Routing
RFC7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content";
}
identity https {
base application-protocol;
description
"HTTPS protocol type.";
reference
"RFC7230: Hypertext Transfer Protocol (HTTP/1.1): Message
Syntax and Routing
RFC7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics
and Content";
}
identity ftp {
base application-protocol;
description
"FTP protocol type.";
reference
"RFC 959: File Transfer Protocol";
}
identity ssh {
base application-protocol;
description
"SSH protocol type.";
reference
"RFC 959: File Transfer Protocol";
}
identity telnet {
base application-protocol;
description
"The identity for telnet.";
reference
"RFC 854: Telnet Protocol";
}
identity smtp {
base application-protocol;
description
"The identity for smtp.";
reference
"RFC 5321: Simple Mail Transfer Protocol (SMTP)";
}
identity pop3 {
base application-protocol;
description
"The identity for pop3.";
reference
"RFC 1939: Post Office Protocol - Version 3 (POP3)";
}
identity imap {
base application-protocol;
description
"The identity for Internet Message Access Protocol.";
reference
"RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1";
}
/*
* Grouping
*/
grouping timestamp {
description
"Grouping for identifying the time of the message.";
leaf timestamp {
type yang:date-and-time;
description
"Specify the time of a message being delivered.";
}
}
grouping common-monitoring-data {
description
"A set of common monitoring data that is needed
as the basic information.";
leaf message {
type string;
description
"This is a freetext annotation for
monitoring a notification's content.";
}
leaf vendor-name {
type string;
description
"The name of the NSF vendor. The string is unrestricted to
identify the provider or vendor of the NSF.";
}
leaf nsf-name {
type union {
type string;
type inet:ip-address-no-zone;
}
description
"The name or IP address of the NSF generating the message.
If the given nsf-name is not IP address, the name can be an
arbitrary string including FQDN (Fully Qualified Domain
Name). The name MUST be unique for different NSF to
identify the NSF that generates the message.";
}
leaf severity {
type severity;
description
"The severity of the alarm such as critical, high,
middle, and low.";
}
}
grouping characteristics {
description
"A set of characteristics of a notification.";
leaf acquisition-method {
type identityref {
base acquisition-method;
}
description
"The acquisition-method for characteristics";
}
leaf emission-type {
type identityref {
base emission-type;
}
description
"The emission-type for characteristics";
}
leaf dampening-type {
type identityref {
base dampening-type;
}
description
"The dampening-type for characteristics";
}
}
grouping i2nsf-system-alarm-type-content {
description
"A set of contents for alarm type notification.";
leaf usage {
type uint8 {
range "0..100";
}
units "percent";
description
"Specifies the used percentage";
}
leaf threshold {
type uint8 {
range "0..100";
}
units "percent";
description
"The threshold percentage triggering the alarm or
the event";
}
}
grouping i2nsf-system-event-type-content {
description
"System event metadata associated with system events
caused by user activity.";
leaf user {
type string;
mandatory true;
description
"The name of a user";
}
leaf-list group {
type string;
description
"The group(s) to which a user belongs.";
}
leaf ip-address {
type inet:ip-address-no-zone;
mandatory true;
description
"The IPv4 (or IPv6) address of a user that trigger the
event.";
}
leaf authentication {
type identityref {
base authentication-mode;
}
description
"The authentication-mode of a user.";
}
}
grouping i2nsf-nsf-event-type-content {
description
"A set of common IPv4 (or IPv6)-related NSF event
content elements";
leaf dst-ip {
type inet:ip-address-no-zone;
description
"The destination IPv4 (IPv6) address of the packet";
}
leaf dst-port {
type inet:port-number;
description
"The destination port of the packet";
}
leaf rule-name {
type leafref {
path
"/nsfintf:i2nsf-security-policy"
+"/nsfintf:rules/nsfintf:rule-name";
}
mandatory true;
description
"The name of the I2NSF Policy Rule being triggered";
}
leaf raw-info {
type string;
description
"The information describing the packet
triggering the event.";
}
}
grouping i2nsf-nsf-event-type-content-extend {
description
"A set of extended common IPv4 (or IPv6)-related NSF
event content elements";
uses i2nsf-nsf-event-type-content;
leaf src-ip {
type inet:ip-address-no-zone;
description
"The source IPv4 (or IPv6) address of the packet";
}
leaf src-port {
type inet:port-number;
description
"The source port of the packet";
}
leaf src-location {
type string {
length "1..100";
pattern "[0-9a-zA-Z ]*";
}
description
"The source geographical location (e.g., country and city) of
the packet.";
}
leaf dst-location {
type string {
length "1..100";
pattern "[0-9a-zA-Z ]*";
}
description
"The destination geographical location (e.g., country and
city) of the packet.";
}
}
grouping log-action {
description
"A grouping for logging action.";
leaf-list action {
type log-action;
description
"Action type: allow, alert, block, discard, declare,
block-ip, block-service";
}
}
grouping attack-rates {
description
"A set of traffic rates for monitoring attack traffic
data";
leaf attack-rate {
type uint32;
units "pps";
description
"The average packets per second (pps) rate of attack
traffic";
}
leaf attack-speed {
type uint32;
units "bps";
description
"The average bits per second (bps) speed of attack traffic";
}
}
grouping traffic-rates {
description
"A set of traffic rates for statistics data";
leaf total-traffic {
type yang:counter32;
units "packets";
description
"The total number of traffic packets (in and out) in the
NSF.";
}
leaf in-traffic-average-rate {
type uint32;
units "pps";
description
"Inbound traffic average rate in packets per second (pps).
The average is calculated from the start of the NSF service
until the generation of this record.";
}
leaf in-traffic-peak-rate {
type uint32;
units "pps";
description
"Inbound traffic peak rate in packets per second (pps).";
}
leaf in-traffic-average-speed {
type uint32;
units "bps";
description
"Inbound traffic average speed in bits per second (bps).
The average is calculated from the start of the NSF service
until the generation of this record.";
}
leaf in-traffic-peak-speed {
type uint32;
units "bps";
description
"Inbound traffic peak speed in bits per second (bps).";
}
leaf out-traffic-average-rate {
type uint32;
units "pps";
description
"Outbound traffic average rate in packets per second (pps).
The average is calculated from the start of the NSF service
until the generation of this record.";
}
leaf out-traffic-peak-rate {
type uint32;
units "pps";
description
"Outbound traffic peak rate in packets per Second (pps).";
}
leaf out-traffic-average-speed {
type uint32;
units "bps";
description
"Outbound traffic average speed in bits per second (bps).
The average is calculated from the start of the NSF service
until the generation of this record.";
}
leaf out-traffic-peak-speed {
type uint32;
units "bps";
description
"Outbound traffic peak speed in bits per second (bps).";
}
}
grouping i2nsf-system-counter-type-content{
description
"A set of counters for an interface traffic data.";
leaf interface-name {
type string;
description
"Network interface name configured in an NSF";
}
leaf in-total-traffic-pkts {
type yang:counter32;
description
"Total inbound packets";
}
leaf out-total-traffic-pkts {
type yang:counter32;
description
"Total outbound packets";
}
leaf in-total-traffic-bytes {
type uint64;
units "bytes";
description
"Total inbound bytes";
}
leaf out-total-traffic-bytes {
type uint64;
units "bytes";
description
"Total outbound bytes";
}
leaf in-drop-traffic-pkts {
type yang:counter32;
description
"Total inbound drop packets";
}
leaf out-drop-traffic-pkts {
type yang:counter32;
description
"Total outbound drop packets";
}
leaf in-drop-traffic-bytes {
type uint64;
units "bytes";
description
"Total inbound drop bytes";
}
leaf out-drop-traffic-bytes {
type uint64;
units "bytes";
description
"Total outbound drop bytes";
}
uses traffic-rates;
}
grouping i2nsf-nsf-counters-type-content{
description
"A set of contents of a policy in an NSF.";
leaf policy-name {
type leafref {
path
"/nsfintf:i2nsf-security-policy"
+"/nsfintf:system-policy-name";
}
mandatory true;
description
"The name of the policy being triggered";
}
leaf src-user{
type string;
description
"The I2NSF User's name who generates the policy.";
}
}
grouping enable-notification {
description
"A grouping for enabling or disabling notification";
leaf enabled {
type boolean;
default "true";
description
"Enables or Disables the notification.
If 'true', then the notification is enabled.
If 'false, then the notification is disabled.";
}
}
grouping dampening {
description
"A grouping for dampening period of notification.";
leaf dampening-period {
type uint32;
units "centiseconds";
default "0";
description
"Specifies the minimum interval between the assembly of
successive update records for a single receiver of a
subscription. Whenever subscribed objects change and
a dampening-period interval (which may be zero) has
elapsed since the previous update record creation for
a receiver, any subscribed objects and properties
that have changed since the previous update record
will have their current values marshalled and placed
in a new update record. But if the subscribed objects change
when the dampening-period is active, it should update the
record without sending the notification until the dampening-
period is finished. If multiple changes happen during the
active dampening-period, it should update the record with
the latest data. And at the end of the dampening-period, it
should send the record as a notification with the latest
updated record and restart the countdown.";
reference
"RFC 8641: Subscription to YANG Notifications for
Datastore Updates - Section 5.";
}
}
/*
* Feature Nodes
*/
feature i2nsf-nsf-detection-ddos {
description
"This feature means it supports I2NSF nsf-detection-ddos
notification";
}
feature i2nsf-nsf-detection-virus {
description
"This feature means it supports I2NSF nsf-detection-virus
notification";
}
feature i2nsf-nsf-detection-intrusion {
description
"This feature means it supports I2NSF nsf-detection-intrusion
notification";
}
feature i2nsf-nsf-detection-web-attack {
description
"This feature means it supports I2NSF nsf-detection-web-attack
notification";
}
feature i2nsf-nsf-detection-voip-volte {
description
"This feature means it supports I2NSF nsf-detection-voip-volte
notification";
}
feature i2nsf-nsf-log-dpi {
description
"This feature means it supports I2NSF nsf-log-dpi
notification";
}
/*
* Notification nodes
*/
notification i2nsf-event {
description
"Notification for I2NSF Event.";
choice sub-event-type {
description
"This choice must be augmented with cases for each allowed
sub-event. Only 1 sub-event will be instantiated in each
i2nsf-event message. Each case is expected to define one
container with all the sub-event fields.";
case i2nsf-system-detection-alarm {
container i2nsf-system-detection-alarm{
description
"This notification is sent, when a system alarm
is detected.";
leaf alarm-category {
type identityref {
base system-alarm;
}
description
"The alarm category for
system-detection-alarm notification";
}
leaf component-name {
type string;
description
"The hardware component responsible for generating
the message. Applicable for Hardware Failure
Alarm.";
}
leaf interface-name {
type string;
description
"The interface name responsible for generating
the message. Applicable for Network Interface
Failure Alarm.";
}
leaf interface-state {
type enumeration {
enum down {
description
"The interface state is down.";
}
enum up {
description
"The interface state is up and not congested.";
}
enum congested {
description
"The interface state is up but congested.";
}
}
description
"The state of the interface (i.e., up, down,
congested). Applicable for Network Interface Failure
Alarm.";
}
uses characteristics;
uses i2nsf-system-alarm-type-content;
uses common-monitoring-data;
}
}
case i2nsf-system-detection-event {
container i2nsf-system-detection-event {
description
"This notification is sent when a security-sensitive
authentication action fails.";
leaf event-category {
type identityref {
base system-event;
}
description
"The event category for system-detection-event";
}
uses characteristics;
uses i2nsf-system-event-type-content;
uses common-monitoring-data;
}
}
case i2nsf-traffic-flows {
container i2nsf-traffic-flows {
description
"This notification is sent to inform about the traffic
flows.";
leaf src-ip {
type inet:ip-address-no-zone;
description
"The source IPv4 (or IPv6) address of the flow";
}
leaf dst-ip {
type inet:ip-address-no-zone;
description
"The destination IPv4 (or IPv6) address of the flow";
}
leaf protocol {
type identityref {
base protocol;
}
description
"The protocol type for nsf-detection-intrusion
notification";
}
leaf src-port {
type inet:port-number;
description
"The source port of the flow";
}
leaf dst-port {
type inet:port-number;
description
"The destination port of the flow";
}
leaf arrival-rate {
type uint32;
units "pps";
description
"The average arrival rate of the flow in packets per
second. The average is calculated from the start of
the NSF service until the generation of this
record.";
}
uses characteristics;
uses common-monitoring-data;
}
}
case i2nsf-nsf-detection-session-table {
container i2nsf-nsf-detection-session-table {
description
"This notification is sent, when a session table
event is detected.";
leaf current-session {
type uint32;
description
"The number of concurrent sessions";
}
leaf maximum-session {
type uint32;
description
"The maximum number of sessions that the session
table can support";
}
leaf threshold {
type uint32;
description
"The threshold triggering the event";
}
uses common-monitoring-data;
}
}
}
}
notification i2nsf-log {
description
"Notification for I2NSF log. The notification is generated
from the logs of the NSF.";
choice sub-logs-type {
description
"This choice must be augmented with cases for each allowed
sub-logs. Only 1 sub-event will be instantiated in each
i2nsf-logs message. Each case is expected to define one
container with all the sub-logs fields.";
case i2nsf-nsf-system-access-log {
container i2nsf-nsf-system-access-log {
description
"The notification is sent, if there is a new system
log entry about a system access event.";
leaf login-ip {
type inet:ip-address-no-zone;
mandatory true;
description
"Login IP address of a user";
}
leaf username {
type string;
description
"The login username that maintains the device";
}
leaf login-role {
type login-role;
description
"Specifies the user log-in role, i.e., administrator,
user, or guest.";
}
leaf operation-type {
type operation-type;
description
"The operation type that the user executes";
}
leaf input {
type string;
description
"The operation performed by a user after login. The
operation is a command given by a user.";
}
leaf output {
type string;
description
"The result in text format after executing the
input.";
}
uses characteristics;
uses common-monitoring-data;
}
}
case i2nsf-system-res-util-log {
container i2nsf-system-res-util-log {
description
"This notification is sent, if there is a new log
entry representing resource utilization updates.";
leaf system-status {
type enumeration {
enum running {
description
"The system is active and running the security
service.";
}
enum waiting {
description
"The system is active but waiting for an event to
provide the security service.";
}
enum inactive {
description
"The system is inactive and not running the
security service.";
}
}
description
"The current system's running status";
}
leaf cpu-usage {
type uint8;
units "percent";
description
"Specifies the relative percentage of CPU usage with
respect to platform resources";
}
leaf memory-usage {
type uint8;
units "percent";
description
"Specifies the percentage of memory usage.";
}
list disk {
key disk-id;
description
"Disk is the hardware to store information for a
long period, i.e., Hard Disk or Solid-State Drive.";
leaf disk-id {
type string;
description
"The ID of the storage disk. It is a free form
identifier to identify the storage disk.";
}
leaf disk-usage {
type uint8;
units "percent";
description
"Specifies the percentage of disk usage";
}
leaf disk-left {
type uint8;
units "percent";
description
"Specifies the percentage of disk left";
}
}
leaf session-num {
type uint32;
description
"The total number of sessions";
}
leaf process-num {
type uint32;
description
"The total number of processes";
}
list interface {
key interface-id;
description
"The network interface for connecting a device
with the network.";
leaf interface-id {
type string;
description
"The ID of the network interface. It is a free form
identifier to identify the network interface.";
}
leaf in-traffic-rate {
type uint32;
units "pps";
description
"The total inbound traffic rate in packets per
second";
}
leaf out-traffic-rate {
type uint32;
units "pps";
description
"The total outbound traffic rate in packets per
second";
}
leaf in-traffic-speed {
type uint32;
units "bps";
description
"The total inbound traffic speed in bits per second";
}
leaf out-traffic-speed {
type uint32;
units "bps";
description
"The total outbound traffic speed in bits per
second";
}
}
uses characteristics;
uses common-monitoring-data;
}
}
case i2nsf-system-user-activity-log {
container i2nsf-system-user-activity-log {
description
"This notification is sent, if there is a new user
activity log entry.";
uses characteristics;
uses i2nsf-system-event-type-content;
uses common-monitoring-data;
leaf online-duration {
type uint32;
units "seconds";
description
"The duration of a user's activeness (stays in login)
during a session.";
}
leaf logout-duration {
type uint32;
units "seconds";
description
"The duration of a user's inactiveness (not in login)
from the last session.";
}
leaf additional-info {
type enumeration {
enum successful-login {
description
"The user has succeeded in login.";
}
enum failed-login {
description
"The user has failed in login (e.g., wrong
password)";
}
enum logout {
description
"The user has succeeded in logout";
}
enum successful-password-changed {
description
"The password has been changed successfully";
}
enum failed-password-changed{
description
"The attempt to change password has failed";
}
enum lock {
description
"The user has been locked. A locked user cannot
login.";
}
enum unlock {
description
"The user has been unlocked.";
}
}
description
"User activities, e.g., Successful User Login,
Failed Login attempts, User Logout, Successful User
Password Change, Failed User Password Change, User
Lockout, User Unlocking, and Unknown.";
}
}
}
}
}
notification i2nsf-nsf-event {
description
"Notification for I2NSF NSF Event. This notification is
used for a specific NSF that supported such feature.";
choice sub-event-type {
description
"This choice must be augmented with cases for each allowed
sub-event. Only 1 sub-event will be instantiated in each
i2nsf-event message. Each case is expected to define one
container with all the sub-event fields.";
case i2nsf-nsf-detection-ddos {
if-feature "i2nsf-nsf-detection-ddos";
container i2nsf-nsf-detection-ddos {
description
"This notification is sent, when a specific flood type
is detected.";
leaf attack-type {
type identityref {
base ddos-type;
}
description
"Any one of Syn flood, ACK flood, SYN-ACK flood,
FIN/RST flood, TCP Connection flood, UDP flood,
ICMP (i.e., ICMPv4 or ICMPv6) flood, HTTP flood,
HTTPS flood, DNS query flood, DNS reply flood, SIP
flood, etc.";
}
leaf start-time {
type yang:date-and-time;
mandatory true;
description
"The time stamp indicating when the attack started";
}
leaf end-time {
type yang:date-and-time;
mandatory true;
description
"The time stamp indicating when the attack ended";
}
leaf-list attack-src-ip {
type inet:ip-address-no-zone;
description
"The source IPv4 (or IPv6) addresses of attack
traffic. It can hold multiple IPv4 (or IPv6)
addresses.";
}
leaf-list attack-dst-ip {
type inet:ip-prefix;
description
"The destination IPv4 (or IPv6) addresses of attack
traffic. It can hold multiple IPv4 (or IPv6)
addresses.";
}
leaf-list attack-src-port {
type inet:port-number;
description
"The source ports of the DDoS attack";
}
leaf-list attack-dst-port {
type inet:port-number;
description
"The destination ports of the DDoS attack";
}
leaf rule-name {
type leafref {
path
"/nsfintf:i2nsf-security-policy"
+"/nsfintf:rules/nsfintf:rule-name";
}
mandatory true;
description
"The name of the I2NSF Policy Rule being triggered";
}
leaf raw-info {
type string;
description
"The information describing the packet
triggering the event.";
}
uses attack-rates;
uses log-action;
uses characteristics;
uses common-monitoring-data;
}
}
case i2nsf-nsf-detection-virus {
if-feature "i2nsf-nsf-detection-virus";
container i2nsf-nsf-detection-virus {
description
"This notification is sent, when a virus is detected.";
uses i2nsf-nsf-event-type-content-extend;
leaf virus {
type identityref {
base virus-type;
}
description
"The virus type for nsf-detection-virus notification";
}
leaf virus-name {
type string;
description
"The name of the detected virus";
}
leaf file-type {
type string;
description
"The type of file virus code is found in (if
applicable).";
reference
"IANA Website: Media Types";
}
leaf file-name {
type string;
description
"The name of file virus code is found in (if
applicable).";
}
leaf os {
type string;
description
"The operating system of the device.";
}
uses log-action;
uses characteristics;
uses common-monitoring-data;
}
}
case i2nsf-nsf-detection-intrusion {
if-feature "i2nsf-nsf-detection-intrusion";
container i2nsf-nsf-detection-intrusion {
description
"This notification is sent, when an intrusion event
is detected.";
uses i2nsf-nsf-event-type-content-extend;
leaf protocol {
type identityref {
base transport-protocol;
}
description
"The transport protocol type for
nsf-detection-intrusion notification";
}
leaf app {
type identityref {
base application-protocol;
}
description
"The employed application layer protocol";
}
leaf attack-type {
type identityref {
base intrusion-attack-type;
}
description
"The sub attack type for intrusion attack";
}
uses log-action;
uses attack-rates;
uses characteristics;
uses common-monitoring-data;
}
}
case i2nsf-nsf-detection-web-attack {
if-feature "i2nsf-nsf-detection-web-attack";
container i2nsf-nsf-detection-web-attack {
description
"This notification is sent, when an attack event is
detected.";
uses i2nsf-nsf-event-type-content-extend;
leaf attack-type {
type identityref {
base web-attack-type;
}
description
"Concrete web attack type, e.g., SQL injection,
command injection, XSS, and CSRF.";
}
leaf request-method {
type identityref {
base request-method;
}
description
"The HTTP request method, e.g., PUT or GET.";
reference
"RFC 7231: Hypertext Transfer Protocol (HTTP/1.1):
Semantics and Content - Request Methods";
}
leaf req-uri {
type string;
description
"The Requested URI";
}
leaf-list filtering-type {
type identityref {
base filter-type;
}
description
"URL filtering type, e.g., deny-list, allow-list,
and Unknown";
}
leaf req-user-agent {
type string;
description
"The request user agent";
}
leaf req-cookie {
type string;
description
"The HTTP Cookie previously sent by the server with
Set-Cookie";
}
leaf req-host {
type string;
description
"The domain name of the requested host";
}
leaf response-code {
type string;
description
"The HTTP Response code";
reference
"IANA Website: Hypertext Transfer Protocol (HTTP)
Status Code Registry";
}
uses characteristics;
uses log-action;
uses common-monitoring-data;
}
}
case i2nsf-nsf-detection-voip-volte{
if-feature "i2nsf-nsf-detection-voip-volte";
container i2nsf-nsf-detection-voip-volte {
description
"This notification is sent, when a VoIP/VoLTE violation
is detected.";
uses i2nsf-nsf-event-type-content-extend;
leaf-list source-voice-id {
type string;
description
"The detected source voice ID for VoIP and VoLTE that
violates the security policy.";
}
leaf-list destination-voice-id {
type string;
description
"The detected destination voice ID for VoIP and VoLTE
that violates the security policy.";
}
leaf-list user-agent {
type string;
description
"The detected user-agent for VoIP and VoLTE that
violates the security policy.";
}
}
}
case i2nsf-nsf-log-dpi {
if-feature "i2nsf-nsf-log-dpi";
container i2nsf-nsf-log-dpi {
description
"This notification is sent, if there is a new DPI
event in the NSF log.";
leaf attack-type {
type dpi-type;
description
"The type of the DPI";
}
uses characteristics;
uses i2nsf-nsf-counters-type-content;
uses common-monitoring-data;
}
}
}
}
/*
* Data nodes
*/
container i2nsf-counters {
config false;
description
"The state data representing continuous value changes of
information elements that occur very frequently. The value
should be calculated from the start of the service of the
NSF.";
list system-interface {
key interface-name;
description
"Interface counters provide the visibility of traffic into
and out of an NSF, and bandwidth usage.";
uses characteristics;
uses i2nsf-system-counter-type-content;
uses common-monitoring-data;
uses timestamp;
}
list nsf-firewall {
key policy-name;
description
"Firewall counters provide the visibility of traffic
signatures, bandwidth usage, and how the configured security
and bandwidth policies have been applied.";
uses characteristics;
uses i2nsf-nsf-counters-type-content;
uses traffic-rates;
uses common-monitoring-data;
uses timestamp;
}
list nsf-policy-hits {
key policy-name;
description
"Policy Hit Counters record the number of hits that traffic
packets match a security policy. It can check if policy
configurations are correct or not.";
uses characteristics;
uses i2nsf-nsf-counters-type-content;
uses common-monitoring-data;
leaf hit-times {
type yang:counter32;
description
"The number of times a policy is hit";
}
uses timestamp;
}
}
container i2nsf-monitoring-configuration {
description
"The container for configuring I2NSF monitoring.";
container i2nsf-system-detection-alarm {
description
"The container for configuring I2NSF system-detection-alarm
notification";
uses enable-notification;
list system-alarm {
key alarm-type;
description
"Configuration for system alarm (i.e., CPU, Memory,
and Disk Usage)";
leaf alarm-type {
type enumeration {
enum cpu {
description
"To configure the CPU usage threshold to trigger the
cpu-alarm";
}
enum memory {
description
"To configure the Memory usage threshold to trigger
the memory-alarm";
}
enum disk {
description
"To configure the Disk (storage) usage threshold to
trigger the disk-alarm";
}
}
description
"Type of alarm to be configured";
}
leaf threshold {
type uint8 {
range "1..100";
}
units "percent";
description
"The configuration for threshold percentage to trigger
the alarm. The alarm will be triggered if the usage
is exceeded the threshold.";
}
uses dampening;
}
}
container i2nsf-system-detection-event {
description
"The container for configuring I2NSF system-detection-event
notification";
uses enable-notification;
uses dampening;
}
container i2nsf-traffic-flows {
description
"The container for configuring I2NSF traffic-flows
notification";
uses dampening;
uses enable-notification;
}
container i2nsf-nsf-detection-ddos {
if-feature "i2nsf-nsf-detection-ddos";
description
"The container for configuring I2NSF nsf-detection-ddos
notification";
uses enable-notification;
uses dampening;
}
container i2nsf-nsf-detection-session-table-configuration {
description
"The container for configuring I2NSF nsf-detection-session-
table notification";
uses enable-notification;
uses dampening;
}
container i2nsf-nsf-detection-intrusion {
if-feature "i2nsf-nsf-detection-intrusion";
description
"The container for configuring I2NSF nsf-detection-intrusion
notification";
uses enable-notification;
uses dampening;
}
container i2nsf-nsf-detection-web-attack {
if-feature "i2nsf-nsf-detection-web-attack";
description
"The container for configuring I2NSF nsf-detection-web-attack
notification";
uses enable-notification;
uses dampening;
}
container i2nsf-nsf-system-access-log {
description
"The container for configuring I2NSF system-access-log
notification";
uses enable-notification;
uses dampening;
}
container i2nsf-system-res-util-log {
description
"The container for configuring I2NSF system-res-util-log
notification";
uses enable-notification;
uses dampening;
}
container i2nsf-system-user-activity-log {
description
"The container for configuring I2NSF system-user-activity-log
notification";
uses enable-notification;
uses dampening;
}
container i2nsf-nsf-log-dpi {
if-feature "i2nsf-nsf-log-dpi";
description
"The container for configuring I2NSF nsf-log-dpi
notification";
uses enable-notification;
uses dampening;
}
container i2nsf-counter {
description
"This is used to configure the counters
for monitoring an NSF";
leaf period {
type uint16;
units "minutes";
default 0;
description
"The configuration for the period interval of reporting
the counter. If 0, then the counter period is disabled.
If value is not 0, then the counter will be reported
following the period value.";
}
}
}
}
<CODE ENDS>