module ietf-i2nsf-analytics-interface { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-analytics-interface"; prefix i2nsfai; import ietf-inet-types{ prefix inet; reference "RFC 6991"; } import ietf-yang-types{ prefix yang; reference "RFC 6991"; } import ietf-i2nsf-nsf-facing-interface { prefix i2nsfnfi; reference "Section 4 of draft-ietf-i2nsf-nsf-facing-interface-dm-29"; } import ietf-i2nsf-monitoring-interface { prefix i2nsfmi; reference "Section 8 of draft-ietf-i2nsf-nsf-monitoring-data-model-20"; } organization "IETF OPSAWG (Operations and Management Area Working Group)"; contact "WG Web: WG List: Editor: Patrick Lingga Editor: Jaehoon Paul Jeong "; description "This module is a YANG module for Analytics Interface. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here. Copyright (c) 2024 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself for full legal notices."; // RFC Ed.: replace XXXX with an actual RFC number and remove // this note. revision "2024-08-06" { description "Initial revision."; reference "RFC XXXX: I2NSF Analytics Interface YANG Data Model"; // RFC Ed.: replace XXXX with an actual RFC number and remove // this note. } augment "/i2nsfnfi:i2nsf-security-policy" { description "Augment the NSF-Facing Interface Data Model for the policy reconfiguration"; leaf nsf-name { type union { type string; type inet:ip-address; } description "The name or IP address (IPv4 or IPv6) of the NSF to be configured. If the given nsf-name is not IP address, the name can be an arbitrary string including FQDN (Fully Qualified Domain Name)."; } container problem { description "Problem: The issue that is emitted by an NSF via the I2NSF Monitoring Interface such as DDoS detection, Virus detection, Intrusion detection, Web-attack detection, and VoIP/VoCN violation detection."; choice attack-detection { description "The detected attack type"; case ddos-detected { container ddos-detected { leaf-list attack-src-ip { type inet:ip-address-no-zone; description "The source IPv4 or IPv6 addresses of attack traffic. It can hold multiple IPv4 or IPv6 addresses. Note that all IP addresses should not be included, but only limited IP addresses are included to conserve the server resources. The listed attacking IP addresses can be an arbitrary sampling of the 'top talkers', i.e., the attackers that send the highest amount of traffic."; } leaf-list attack-dst-ip { type inet:ip-address-no-zone; description "The destination IPv4 or IPv6 addresses of attack traffic. It can hold multiple IPv4 or IPv6 addresses."; } leaf-list attack-src-port { type inet:port-number; description "The transport-layer source ports of the DDoS attack. Note that not all ports will have been seen on all the corresponding source IP addresses."; } leaf-list attack-dst-port { type inet:port-number; description "The transport-layer destination ports of the DDoS attack. Note that not all ports will have been seen on all the corresponding destination IP addresses."; } description "A container for DDoS Attack"; } description "A DDoS Attack is detected"; } case virus-detected { container virus-detected { leaf virus-name { type string; description "The name of the detected virus"; } leaf virus-type { type identityref { base i2nsfmi:virus-type; } description "The virus type of the detected virus"; } leaf host { type union { type string; type inet:ip-address-no-zone; } description "The name or IP address of the host/device. This is used to identify the host/device that is infected by the virus. If the given name is not an IP address, the name can be an arbitrary string including a FQDN (Fully Qualified Domain Name). The name MUST be unique in the scope of management domain for identifying the device that has been infected with a virus."; } leaf file-type { type string; description "The type of a file (indicated by the file's suffix, e.g., .exe) where virus code is found (if applicable)."; } leaf file-name { type string; description "The name of file virus code is found in (if applicable)."; } leaf os { type string; description "The operating system of the device."; } description "A Virus Attack is detected"; } description "A virus is detected"; } case intrusion-detected { container intrusion-detected { leaf protocol { type identityref { base i2nsfmi:transport-protocol; } description "The transport protocol type for nsf-detection-intrusion notification"; } leaf app { type identityref { base i2nsfmi:application-protocol; } description "The employed application layer protocol"; } leaf attack-type { type identityref { base i2nsfmi:intrusion-attack-type; } description "The sub attack type for intrusion attack"; } description "An intrusion is detected"; } } case web-attack-detected { container web-attack-detected { leaf attack-type { type identityref { base i2nsfmi:web-attack-type; } description "Concrete web attack type, e.g., SQL injection, command injection, XSS, and CSRF."; } leaf req-method { type identityref { base i2nsfmi:req-method; } description "The HTTP request method, e.g., PUT or GET."; reference "RFC 9110: HTTP Semantics - Request Methods"; } leaf req-uri { type string; description "The Requested URI"; } leaf req-user-agent { type string; description "The request user agent"; } leaf cookies { type string; description "The HTTP Cookies header field of the request from the user agent. The cookie information needs to be kept confidential and is NOT RECOMMENDED to be included in the monitoring data unless the information is absolutely necessary to help to enhance the security of the network."; reference "RFC 6265: HTTP State Management Mechanism - Cookie"; } leaf req-host { type string; description "The domain name of the requested host"; } leaf response-code { type string; description "The HTTP Response code"; reference "IANA Website: Hypertext Transfer Protocol (HTTP) Status Code Registry"; } description "A web attack is detected"; } description "A web attack is detected"; } case voip-vocn-detected { container voip-vocn-detected { leaf-list source-voice-id { type string; description "The detected source voice ID for Voice over Internet Protocol (VoIP) and Voice over Cellular Network (VoCN) that violates the security policy."; } leaf-list destination-voice-id { type string; description "The detected destination voice ID for Voice over Internet Protocol (VoIP) and Voice over Cellular Network (VoCN) that violates the security policy."; } leaf-list user-agent { type string; description "The detected user-agent for VoIP and VoCN that violates the security policy."; } description "A violation of VoIP/VoCN is detected"; } description "A violation of VoIP/VoCN is detected"; } } } } list i2nsf-feedback-information { key "nsf-name time"; description "Feedback information is information about problem(s) of an NSF for a security service such as system resource over-usage or malfunction. "; leaf nsf-name { type union { type string; type inet:ip-address; } description "The name or IP address (IPv4 or IPv6) of the NSF to be configured. If the given nsf-name is not IP address, the name can be an arbitrary string including FQDN (Fully Qualified Domain Name)."; } leaf time { type yang:date-and-time; description "The time of the feedback information delivered"; } leaf language { type string { pattern '(([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3})' + '{0,2})?|[A-Za-z]{4}|[A-Za-z]{5,8})(-[A-Za-z]{4})?' + '(-([A-Za-z]{2}|[0-9]{3}))?(-([A-Za-z0-9]{5,8}' + '|([0-9][A-Za-z0-9]{3})))*(-[0-9A-WY-Za-wy-z]' + '(-([A-Za-z0-9]{2,8}))+)*(-[Xx](-([A-Za-z0-9]' + '{1,8}))+)?|[Xx](-([A-Za-z0-9]{1,8}))+|' + '(([Ee][Nn]-[Gg][Bb]-[Oo][Ee][Dd]|[Ii]-' + '[Aa][Mm][Ii]|[Ii]-[Bb][Nn][Nn]|[Ii]-' + '[Dd][Ee][Ff][Aa][Uu][Ll][Tt]|[Ii]-' + '[Ee][Nn][Oo][Cc][Hh][Ii][Aa][Nn]' + '|[Ii]-[Hh][Aa][Kk]|' + '[Ii]-[Kk][Ll][Ii][Nn][Gg][Oo][Nn]|' + '[Ii]-[Ll][Uu][Xx]|[Ii]-[Mm][Ii][Nn][Gg][Oo]|' + '[Ii]-[Nn][Aa][Vv][Aa][Jj][Oo]|[Ii]-[Pp][Ww][Nn]|' + '[Ii]-[Tt][Aa][Oo]|[Ii]-[Tt][Aa][Yy]|' + '[Ii]-[Tt][Ss][Uu]|[Ss][Gg][Nn]-[Bb][Ee]-[Ff][Rr]|' + '[Ss][Gg][Nn]-[Bb][Ee]-[Nn][Ll]|[Ss][Gg][Nn]-' + '[Cc][Hh]-[Dd][Ee])|([Aa][Rr][Tt]-' + '[Ll][Oo][Jj][Bb][Aa][Nn]|[Cc][Ee][Ll]-' + '[Gg][Aa][Uu][Ll][Ii][Ss][Hh]|' + '[Nn][Oo]-[Bb][Oo][Kk]|[Nn][Oo]-' + '[Nn][Yy][Nn]|[Zz][Hh]-[Gg][Uu][Oo][Yy][Uu]|' + '[Zz][Hh]-[Hh][Aa][Kk][Kk][Aa]|[Zz][Hh]-' + '[Mm][Ii][Nn]|[Zz][Hh]-[Mm][Ii][Nn]-' + '[Nn][Aa][Nn]|[Zz][Hh]-[Xx][Ii][Aa][Nn][Gg])))'; } default "en-US"; description "The value in this field indicates the language tag used for all of the text in the module (i.e., 'leaf message' and 'leaf-list solution'). The attribute is encoded following the rules in Section 2.1 in RFC 5646. The default language tag is 'en-US'"; reference "RFC 5646: Tags for Identifying Languages"; } container problem { description "The issue that is emitted by an NSF via the I2NSF Monitoring Interface. The problem for feedback information includes the system alarms, such as Memory alarm, CPU alarm, Disk alarm, Hardware alarm, and Interface alarm."; choice alarm-type { description "The detected alarm type"; case memory-alarm { container memory-alarm { leaf usage { type uint8 { range "0..100"; } units "percent"; description "The average usage for the duration of the alarm."; } leaf message { type string; description "A message explaining the problem."; } leaf duration { type uint32; description "Specify the duration of the first alarm triggered until the feedback information is created."; } description "The container for memory-alarm"; } description "The detected alarm type is memory-alarm"; } case cpu-alarm { container cpu-alarm { leaf usage { type uint8 { range "0..100"; } units "percent"; description "The average usage for the duration of the alarm."; } leaf message { type string; description "A message explaining the problem."; } leaf duration { type uint32; description "Specify the duration of the first alarm triggered until the feedback information is created."; } description "The container for cpu-alarm"; } description "The detected alarm type is cpu-alarm"; } case disk-alarm { container disk-alarm { leaf disk-id { type string; description "The ID of the storage disk. It is a free form identifier to identify the storage disk."; } leaf usage { type uint8 { range "0..100"; } units "percent"; description "The average usage for the duration of the alarm."; } leaf message { type string; description "A message explaining the problem."; } leaf duration { type uint32; description "Specify the duration of the first alarm triggered until the feedback information is created."; } description "The container for disk-alarm"; } description "The detected alarm type is disk-alarm"; } case hardware-alarm { container hardware-alarm { leaf component-name { type string; description "The hardware component responsible for generating the message. Applicable for Hardware Failure Alarm."; } leaf message { type string; description "A message explaining the problem."; } leaf duration { type uint32; description "Specify the duration of the first alarm triggered until the feedback information is created."; } description "The container for hardware-alarm"; } description "The detected alarm type is hardware-alarm"; } case interface-alarm { container interface-alarm { leaf interface-id { type string; description "The interface ID responsible for generating the message."; } leaf interface-state { type enumeration { enum up { value 1; description "The interface state is up and not congested. The interface is ready to pass packets."; } enum down { value 2; description "The interface state is down, i.e., does not pass any packets."; } enum congested { value 3; description "The interface state is up but congested."; } enum testing { value 4; description "In some test mode. No operational packets can be passed."; } enum unknown { value 5; description "Status cannot be determined for some reason."; } enum dormant { value 6; description "Waiting for some external event."; } enum not-present { value 7; description "Some component (typically hardware) is missing."; } enum lower-layer-down { value 8; description "Down due to state of lower-layer interface(s)."; } } description "The state of the interface. Applicable for Network Interface Failure Alarm."; reference "RFC 8343: A YANG Data Model for Interface Management - Operational States"; } leaf message { type string; description "A message explaining the problem."; } leaf duration { type uint32; description "Specify the duration of the first alarm triggered until the feedback information is created."; } description "The container for interface-alarm"; } description "The detected alarm type is interface-alarm"; } } } leaf-list solution { type string; description "A possible solution given as feedback is in the form of a free-form string (as a high-level instruction)."; } } }