SACM Working Group H. Birkholz
Internet-Draft Fraunhofer SIT
Intended status: Standards Track N. Cam-Winget
Expires: January 20, 2018 Cisco Systems
July 19, 2017

YANG subscribed notifications via SACM Statements
draft-birkholz-sacm-yang-content-00

Abstract

This document summarizes the data model designed at the IETF 99 Hackathon and is intended to grow into a definition of general XML SACM statements (and later JSON and CBOR, respectively) for virtually every kind of Content Element (e.g. software identifiers, assessment guidance/results, ECA Policy rules, VDD, etc.). The SACM Statement data structure is based on the Information Element (IE) definitions provided by the SACM Information Model. The initial Content Element type transferred is YANG Subscribed Notifications acquired via YANG push. In combination with the Origin Metadata Annotation defined in draft-ietf-netmod-revised-datastores, the data model defined in this document will ultimately be able to express collected endpoint characteristics, imperative guidance that defines and orchestrates assessment instructions, and also the declarative guidance for endpoint attributes.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on January 20, 2018.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

1. Introduction

YANG modules are a powerful established tool to provide endpoint attributes (IE) with well-defined semantics. YANG push [I-D.ietf-netconf-yang-push] and the corresponding YANG subscribed notification [I-D.ietf-netconf-subscribed-notifications] drafts make use of these modules to create streams of notifications (telemetry) providing SACM content on the data plane. Correspondingly, filter expressions used in the context of YANG subscriptions constitute SACM content that is imperative guidance consumed by SACM components on the management plane.

The SACM component illustrated in this draft incorporates a YANG Push client function and an xmpp-grid publisher function. The output of the YANG Push client function is encapsulated in a SACM Content Element envelope, which is again encapsulated in a SACM statement envelope. The corresponding SACM statements are published via the xmpp-grid publisher function into a SACM Domain.

2. Requirements notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119, BCP 14 [RFC2119].

3. Brokering of YANG push telemetry via SACM statements

All SACM content is published into a SACM domain using a statement envelope/encapsulation. The general structure of a Statement is based on the Information Element definition in [I-D.ietf-sacm-information-model] and can be summarized as follows:

In the scope of this document, only one type of SACM content is covered: YANG output. Correspondingly, only the minimal required structure of statements, statement-metadata, content-elements, and content-metadata are defined. A complete XML schema definition of this minimal statement can be found in Appendix A.

4. Encapsulation of YANG notifications in SACM content-elements

A YANG notification is associated with a set of YANG specific metadata. Hence, a YANG notification published to a SACM Domain MUST be encapsulated with its corresponding metadata in a Content Element as defined below.

YANG output that is SACM content is represented as an element definition included in the content choice of the content-element.

<CODE BEGINS>
<xs:complexType name="content-element">
  <xs:sequence>
    <xs:element name="content-metadata" type="content-metadata" maxOccurs="unbounded"/>
    <xs:choice>
      <xs:element name="yang-output" type="yang-output" />
        <!-- There is only one element here now, but virtually every other content choice
             will go here, i.e. data models, such as OVAL, SCAP, SWID, etc. -->
    </xs:choice>
  </xs:sequence>
</xs:complexType>
<CODE ENDS>

4.1. Enumeration definition for content-type

If YANG push output is to be transferred, one occurrence of the yang-output metadata element MUST be instantiated in the content-metadata element, and the content-type must be set to the enumeration value "yang-output".

In general, the list of content-type enumerations includes every subject defined in the SACM Information Model. For the scope of this document, the list of potential content is reduced to "yang-output" only.

<CODE BEGINS>
<xs:simpleType name="content-type">
  <xs:restriction base="xs:string">
    <xs:enumeration value="yang-output" />
       <!-- There is only one type here now, but virtually every other content-type
            will go here, i.e. data models, such as OVAL, SCAP, SWID, etc. -->
  </xs:restriction>
</xs:simpleType>
<CODE ENDS>

4.2. Element definition for content-metadata

The list of optional elements included in content-metadata will eventually incorporate every potential metadata type. For the scope of this document, the list of elements is limited to the minimal required set of metadata elements plus the yang-output metadata element, which supports the encapsulation of NETCONF subscribed notifications and YANG query results. As defined above, one occurrence of the yang-output metadata element has to be included in the content-metadata element.

The general content-metadata elements are illustrated in the Appendix A.

<CODE BEGINS>
<xs:complexType name="content-metadata">
  <xs:sequence>
    <xs:element name="content-element-guid" type="content-element-guid"/>
    <xs:element name="content-creation-timestamp" type="content-creation-timestamp"/>
    <xs:element name="content-topic" type="content-topic"/>
    <xs:element name="content-type" type="content-type"/>
    <xs:element name="data-source" type="data-source" minOccurs="0"/>
    <xs:element name="data-origin" type="data-origin" minOccurs="0"/>
    <xs:element name="relationship" type="relationship" minOccurs="0" maxOccurs="unbounded"/>
    <xs:element name="yang-output-metadata" type="yang-output-metadata" minOccurs="0"/>
  </xs:sequence>
</xs:complexType>
<CODE ENDS>

4.3. Definition of the yang-output-metadata element included in content-metadata

The composition of metadata that can be associated with an XML NETCONF result depends on multiple factors:

Additionally, the actual filter expression (or in future iterations of this work a referencing label, such as a URI, UUID or other composed identifier) has to be included in the content-metadata.

<CODE BEGINS>
<xs:complexType name="yang-output-metadata">
  <xs:sequence>
    <xs:choice maxOccurs="1">
      <xs:element name="yang-query" type="yang-query" />
      <xs:element name="yang-subscribe" type="yang-subscribe" />
    </xs:choice>
    <xs:element name="encoding" type="yang-encoding" />
    <xs:element name="module-names" type="module-name" minOccurs="0" maxOccurs="unbounded" />
  </xs:sequence>
</xs:complexType>

<!-- A complexType cannot carry xs:restriction children directly, so the
     subscription type and the filter type are modelled as two enumerated
     elements, followed by the filter expression required by Section 4.3. -->
<xs:complexType name="yang-subscribe">
  <xs:sequence>
    <xs:element name="subscription-type" type="subscription-type" />
    <xs:element name="filter-type" type="filter-type" />
    <xs:element name="filter-expression" type="filter-expression" />
  </xs:sequence>
</xs:complexType>

<xs:simpleType name="subscription-type">
  <xs:restriction base="xs:NMTOKEN">
    <xs:enumeration value="periodic" />
    <xs:enumeration value="on-change" />
  </xs:restriction>
</xs:simpleType>

<xs:simpleType name="filter-type">
  <xs:restriction base="xs:NMTOKEN">
    <xs:enumeration value="xpath" />
    <xs:enumeration value="subtree" />
  </xs:restriction>
</xs:simpleType>

<xs:simpleType name="filter-expression">
  <xs:restriction base="xs:string" />
</xs:simpleType>

<xs:simpleType name="yang-query">
  <xs:restriction base="xs:string" />
</xs:simpleType>

<xs:simpleType name="yang-encoding">
  <xs:restriction base="xs:NMTOKEN">
    <xs:enumeration value="netconf" />
    <xs:enumeration value="restconf" />
    <xs:enumeration value="comi" />
  </xs:restriction>
</xs:simpleType>

<xs:simpleType name="module-name">
  <xs:restriction base="xs:string" />
</xs:simpleType>
<CODE ENDS>
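The following Python script is added here as a worked example; it is not code from the draft or from the hackathon implementation. It builds a sacm-statement that wraps a YANG push notification in the content-element and content-metadata structure of Sections 4, 4.1 and 4.3, and then runs the conformance checks a consuming SACM component should apply before trusting the payload: the content-type is "yang-output", exactly one yang-output-metadata element accompanies the yang-output content, and encoding, subscription type and filter type carry the enumerated values. It assumes that yang-subscribe is a sequence of subscription-type, filter-type and filter-expression elements (the draft's schema fragment for that type is not well-formed XSD, so this layout is an assumption). The notification payload, GUIDs, timestamps and the data-origin name are constructed sample values; the push-update body is illustrative, not a verbatim yang-push message.

```python
"""Build and check a minimal SACM statement carrying a YANG push notification.

Added example, not code from the draft. GUIDs, timestamps, the data-origin
name and the notification payload are constructed sample values.
"""
import time
import uuid
import xml.etree.ElementTree as ET

# Enumerations as given in the draft's schema fragments (Section 4.1 limits
# content-type to "yang-output" for the scope of the document).
CONTENT_TYPES = {"yang-output"}
YANG_ENCODINGS = {"netconf", "restconf", "comi"}
SUBSCRIPTION_TYPES = {"periodic", "on-change"}
FILTER_TYPES = {"xpath", "subtree"}

# Constructed sample payload in the shape of a NETCONF notification; the
# push-update body is illustrative, not a verbatim yang-push message.
SAMPLE_NOTIFICATION = (
    '<notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">'
    "<eventTime>2017-07-19T10:00:00Z</eventTime>"
    "<push-update><subscription-id>1</subscription-id><datastore-contents>"
    '<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">'
    "<interface><name>eth0</name><enabled>true</enabled></interface>"
    "</interfaces></datastore-contents></push-update></notification>"
)


def _timestamp(parent, name, seconds):
    """Emit the draft's decimal-fraction timestamp (numerator/denominator)."""
    ts = ET.SubElement(parent, name)
    ET.SubElement(ts, "decimal-fraction-denominator").text = "1"
    ET.SubElement(ts, "decimal-fraction-numerator").text = str(int(seconds))


def build_statement(notification_xml, subscription_type="on-change",
                    filter_type="xpath", filter_expression="/interfaces",
                    encoding="netconf", module_names=("ietf-interfaces",)):
    """Wrap one YANG notification in content-element and sacm-statement envelopes.

    yang-subscribe is modelled as subscription-type, filter-type and
    filter-expression elements (an assumption, see the lead-in).
    """
    now = time.time()
    root = ET.Element("sacm-statement")
    meta = ET.SubElement(root, "statement-metadata")
    ET.SubElement(meta, "statement-guid").text = str(uuid.uuid4())
    ET.SubElement(meta, "data-origin").text = "yang-push-client.example"  # constructed
    _timestamp(meta, "statement-publish-timestamp", now)
    ET.SubElement(meta, "statement-type").text = "Observation"
    ET.SubElement(meta, "content-elements").text = "1"

    ce = ET.SubElement(root, "content-element")
    cm = ET.SubElement(ce, "content-metadata")
    ET.SubElement(cm, "content-element-guid").text = str(uuid.uuid4())
    _timestamp(cm, "content-creation-timestamp", now)
    ET.SubElement(cm, "content-topic").text = "Interface"
    ET.SubElement(cm, "content-type").text = "yang-output"
    yom = ET.SubElement(cm, "yang-output-metadata")
    sub = ET.SubElement(yom, "yang-subscribe")
    ET.SubElement(sub, "subscription-type").text = subscription_type
    ET.SubElement(sub, "filter-type").text = filter_type
    ET.SubElement(sub, "filter-expression").text = filter_expression
    ET.SubElement(yom, "encoding").text = encoding
    for name in module_names:
        ET.SubElement(yom, "module-names").text = name
    # The notification itself is the content choice of the content-element.
    ET.SubElement(ce, "yang-output").append(ET.fromstring(notification_xml))
    return ET.tostring(root, encoding="unicode")


def check_yang_content(statement_xml):
    """Return conformance problems for a received statement ([] = conforms).

    A consumer runs this before trusting the payload: a yang-output element
    must be accompanied by content-type "yang-output" and exactly one
    yang-output-metadata occurrence, and enumerated fields must use defined values.
    """
    problems = []
    root = ET.fromstring(statement_xml)
    for idx, ce in enumerate(root.findall("content-element")):
        where = f"content-element {idx}"
        metas = ce.findall("content-metadata")
        ctypes = [m.findtext("content-type") for m in metas]
        yoms = [y for m in metas for y in m.findall("yang-output-metadata")]
        for ct in ctypes:
            if ct not in CONTENT_TYPES:
                problems.append(f"{where}: unknown content-type {ct!r}")
        if ce.find("yang-output") is not None:
            if "yang-output" not in ctypes:
                problems.append(f"{where}: yang-output present but content-type differs")
            if len(yoms) != 1:
                problems.append(f"{where}: expected one yang-output-metadata, got {len(yoms)}")
        for y in yoms:
            enc = y.findtext("encoding")
            if enc not in YANG_ENCODINGS:
                problems.append(f"{where}: encoding {enc!r} not in {sorted(YANG_ENCODINGS)}")
            query, sub = y.find("yang-query"), y.find("yang-subscribe")
            if (query is None) == (sub is None):
                problems.append(f"{where}: exactly one of yang-query/yang-subscribe required")
            if sub is not None:
                if sub.findtext("subscription-type") not in SUBSCRIPTION_TYPES:
                    problems.append(f"{where}: bad subscription-type")
                if sub.findtext("filter-type") not in FILTER_TYPES:
                    problems.append(f"{where}: bad filter-type")
                if not sub.findtext("filter-expression"):
                    problems.append(f"{where}: filter-expression missing (Section 4.3)")
    return problems


if __name__ == "__main__":
    statement = build_statement(SAMPLE_NOTIFICATION)
    print(statement)
    print("problems:", check_yang_content(statement))
```

The checker deliberately reports every violation it finds rather than stopping at the first one, so a publisher that emits a malformed envelope can be diagnosed from a single rejected statement; the XSD in Appendix A still has to be applied separately for structural validation of the remaining elements.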

5. SACM Component Composition

A SACM Component able to process YANG subscribed notifications requires at least two functions:

Orchestration of functions inside a component, their discovery as capabilities, and the internal communication of SACM content inside a SACM component are out of scope of this document for now.

6. IANA considerations

This document includes requests to IANA.

7. Security Considerations

TBD

8. Acknowledgements

Christoph Vigano, Guangying Zheng, Eric Voit, Alexander Clemm

9. Change Log

First version -00

10. Contributors

11. Normative References

[I-D.ietf-mile-xmpp-grid] Cam-Winget, N., Appala, S. and S. Pope, "Using XMPP Protocol and its Extensions for Use with IODEF", Internet-Draft draft-ietf-mile-xmpp-grid-03, July 2017.
[I-D.ietf-netconf-subscribed-notifications] Voit, E., Clemm, A., Prieto, A., Nilsen-Nygaard, E. and A. Tripathy, "Custom Subscription to Event Notifications", Internet-Draft draft-ietf-netconf-subscribed-notifications-03, July 2017.
[I-D.ietf-netconf-yang-push] Clemm, A., Voit, E., Prieto, A., Tripathy, A., Nilsen-Nygaard, E., Bierman, A. and B. Lengyel, "Subscribing to YANG datastore push updates", Internet-Draft draft-ietf-netconf-yang-push-07, June 2017.
[I-D.ietf-sacm-information-model] Waltermire, D., Watson, K., Kahn, C., Lorenzin, L., Cokus, M., Haynes, D. and H. Birkholz, "SACM Information Model", Internet-Draft draft-ietf-sacm-information-model-10, April 2017.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

Appendix A. Minimal SACM Statement Definition for YANG Output

The definitions of statements, statement-metadata, content-element, and content-metadata are provided by the SACM Information Model [I-D.ietf-sacm-information-model].

Because content-elements have been stripped down to YANG output, the enumerations still included in the relationship type cannot currently point to any other content.

<CODE BEGINS>
<?xml version="1.0"?>
<xs:schema version="1.0"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           elementFormDefault="qualified">

  <xs:complexType name="StatementMetadata">
    <xs:sequence>
      <xs:element name="statement-guid" type="statement-guid" />
      <xs:element name="data-origin" type="data-origin" />
      <xs:element name="statement-creation-timestamp" type="statement-creation-timestamp" minOccurs="0" />
      <xs:element name="statement-publish-timestamp" type="statement-creation-timestamp" />
      <xs:element name="statement-type" type="statement-type" />
      <xs:element name="content-elements" type="content-elements" />
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="sacm-statement">
    <xs:sequence>
      <xs:element name="statement-metadata" type="StatementMetadata" />
      <xs:element name="content-element" type="content-element" minOccurs="1" maxOccurs="unbounded" />
    </xs:sequence>
  </xs:complexType>
  
  <xs:element name="sacm-statement" type="sacm-statement">
  </xs:element>

  <xs:simpleType name="statement-guid">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="decimal-fraction-denominator">
    <xs:restriction base="xs:integer" />
  </xs:simpleType>
  
  <xs:simpleType name="decimal-fraction-numerator">
    <xs:restriction base="xs:integer" />
  </xs:simpleType>
  
  <xs:simpleType name="content-elements">
    <xs:restriction base="xs:integer" />
  </xs:simpleType>
  
  <xs:complexType name="statement-creation-timestamp">
    <xs:sequence>
      <xs:element name="decimal-fraction-denominator" type="decimal-fraction-denominator"/>
      <xs:element name="decimal-fraction-numerator" type="decimal-fraction-numerator"/>
    </xs:sequence>
  </xs:complexType>
  
  <xs:complexType name="content-creation-timestamp">
    <xs:sequence>
      <xs:element name="decimal-fraction-denominator" type="decimal-fraction-denominator"/>
      <xs:element name="decimal-fraction-numerator" type="decimal-fraction-numerator"/>
    </xs:sequence>
  </xs:complexType>
  
  <xs:simpleType name="statement-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="Observation" />
      <xs:enumeration value="DirectoryContent" />
      <xs:enumeration value="Correlation" />
      <xs:enumeration value="Assessment" />
      <xs:enumeration value="Guidance" />
    </xs:restriction>
  </xs:simpleType>
  
  <xs:simpleType name="content-topic">
    <xs:restriction base="xs:string">
      <xs:enumeration value="Session" />
      <xs:enumeration value="User" />
      <xs:enumeration value="Interface" />
      <xs:enumeration value="PostureProfile" />
      <xs:enumeration value="Flow" />
      <xs:enumeration value="PostureAssessment" />
    </xs:restriction>
  </xs:simpleType>
  
  <xs:simpleType name="content-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="EndpointConfiguration" />
      <xs:enumeration value="EndpointState" />
      <xs:enumeration value="DirectoryEntry" />
      <xs:enumeration value="Event" />
      <xs:enumeration value="Incident" />
      <xs:enumeration value="yang-output" />
    </xs:restriction>
  </xs:simpleType>
  
  <xs:simpleType name="content-element-guid">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:complexType name="yang-output-metadata">
    <xs:sequence>
      <xs:choice maxOccurs="1">
        <xs:element name="yang-query" type="yang-query" />
        <xs:element name="yang-subscribe" type="yang-subscribe" />
      </xs:choice>
      <xs:element name="encoding" type="yang-encoding" />
      <xs:element name="module-names" type="module-name" minOccurs="0" maxOccurs="unbounded" />
    </xs:sequence>
  </xs:complexType>

  <!-- A complexType cannot carry xs:restriction children directly, so the
       subscription type and the filter type are modelled as two enumerated
       elements, followed by the filter expression required by Section 4.3. -->
  <xs:complexType name="yang-subscribe">
    <xs:sequence>
      <xs:element name="subscription-type" type="subscription-type" />
      <xs:element name="filter-type" type="filter-type" />
      <xs:element name="filter-expression" type="filter-expression" />
    </xs:sequence>
  </xs:complexType>

  <xs:simpleType name="subscription-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="periodic" />
      <xs:enumeration value="on-change" />
    </xs:restriction>
  </xs:simpleType>

  <xs:simpleType name="filter-type">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="xpath" />
      <xs:enumeration value="subtree" />
    </xs:restriction>
  </xs:simpleType>

  <xs:simpleType name="filter-expression">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="yang-query">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="yang-encoding">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="netconf" />
      <xs:enumeration value="restconf" />
      <xs:enumeration value="comi" />
    </xs:restriction>
  </xs:simpleType>

  <xs:simpleType name="module-name">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="relationship-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="associated_with_user" />
      <xs:enumeration value="applies_to_session" />
      <xs:enumeration value="seen_on_interface" />
      <xs:enumeration value="associated_with_flow" />
      <xs:enumeration value="contains_virtual_device" />
    </xs:restriction>
  </xs:simpleType>
  
  <xs:simpleType name="relationship-content-element-guid">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="relationship-statement-guid">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="relationship-object-label">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="data-source-label">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="data-origin">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="host-name">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="administrative-domain-label">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="sub-administrative-domain">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="super-administrative-domain">
    <xs:restriction base="xs:string" />
  </xs:simpleType>  
  
  <xs:complexType name="relationship">
    <xs:sequence>
      <xs:element name="relationship-type" type="relationship-type" />
      <xs:element name="relationship-content-element-guid" type="relationship-content-element-guid" minOccurs="0" maxOccurs="unbounded" />
      <xs:element name="relationship-statement-guid" type="relationship-statement-guid" minOccurs="0" maxOccurs="unbounded" />
      <xs:element name="relationship-object-label" type="relationship-object-label" minOccurs="0" maxOccurs="unbounded" />
    </xs:sequence>
  </xs:complexType>
  
  <xs:complexType name="flow-element">
    <xs:sequence>
      <xs:element name="network-address" type="network-address"/>
      <xs:element name="layer4-port-address" type="layer4-port-address" />
    </xs:sequence>
  </xs:complexType>
  
  <xs:complexType name="flow-record">
    <xs:sequence>
      <xs:element name="src-flow-element" type="flow-element" />
      <xs:element name="dst-flow-element" type="flow-element" />
      <xs:element name="protocol" type="protocol" />
      <xs:element name="layer4-protocol" type="layer4-protocol" />
      <xs:element name="flow-statistics" type="flow-statistics" />
    </xs:sequence>
  </xs:complexType>
  
  <xs:complexType name="content-metadata">
    <xs:sequence>
      <xs:element name="content-element-guid" type="content-element-guid" />
      <xs:element name="content-creation-timestamp" type="content-creation-timestamp" />
      <xs:element name="content-topic" type="content-topic" />
      <xs:element name="content-type" type="content-type" />
      <xs:element name="data-source" type="data-source" minOccurs="0" />
      <xs:element name="data-origin" type="data-origin" minOccurs="0" />
      <xs:element name="relationship" type="relationship" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element name="yang-output-metadata" type="yang-output-metadata" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
  
  <xs:complexType name="content-element">
    <xs:sequence>
      <xs:element name="content-metadata" type="content-metadata" maxOccurs="unbounded"/>
      <xs:choice maxOccurs="unbounded">
        <xs:element name="yang-output" type="yang-output" />
        <xs:element name="flow" type="flow-record" />
        <xs:element name="posture" type="xs:string" />
        <xs:element name="user" type="user" />
        <xs:element name="session" type="session" />
        <xs:element name="ethernet-interface" type="ethernet-interface" />
        <xs:element name="target-endpoint" type="target-endpoint" />
        <xs:element name="port" type="port" />
        <xs:element name="posture-assessment" type="posture-assessment" />
      </xs:choice>
    </xs:sequence>
  </xs:complexType>
  
  <xs:complexType name="posture-assessment"></xs:complexType>
  
  <xs:complexType name="target-endpoint">
    <xs:sequence>
      <xs:element name="host-name" type="host-name" />
      <xs:element name="te-label" type="te-label" />
      <xs:element name="administrative-domain" type="administrative-domain" minOccurs="0" />
      <xs:element name="application-instance" type="application-instance" minOccurs="0" maxOccurs="unbounded" />
      <xs:element name="ethernet-interface" type="ethernet-interface" minOccurs="0" maxOccurs="unbounded" />
      <xs:element name="address-association" type="address-association" minOccurs="0" maxOccurs="unbounded" />
      <xs:element name="data-source" type="data-source" minOccurs="0" />
      <xs:element name="operating-system" type="operating-system" minOccurs="0" />
    </xs:sequence>
  </xs:complexType>
  
  <xs:simpleType name="te-label">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:complexType name="application-instance">
    <xs:sequence>
      <xs:element name="application-label" type="application-label" />
      <xs:element name="target-endpoint" type="target-endpoint" />
    </xs:sequence>
  </xs:complexType>

  <xs:simpleType name="attribute-name">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="attribute-value">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:complexType name="attribute-value-pair">
    <xs:sequence>
      <xs:element name="attribute-name" type="attribute-name" />
      <xs:element name="attribute-value" type="attribute-value" />
    </xs:sequence>
  </xs:complexType>    
  
  <xs:simpleType name="application-label">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="application-name">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="application-version">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="application-manufacturer">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <!--     TODO: is it possible to declare this as an enumeration or is that unrealistic? -->
  <xs:simpleType name="application-type">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="application-component">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  
  
  <xs:complexType name="application">
    <xs:sequence>
      <xs:element name="application-label" type="application-label" minOccurs="0" />
      <xs:element name="application-name" type="application-name" />
      <xs:element name="application-type" type="application-type" minOccurs="0" maxOccurs="unbounded" />
      <xs:element name="application-component" type="application-component" minOccurs="0" maxOccurs="unbounded" />
      <xs:element name="application-manufacturer" type="application-manufacturer" minOccurs="0" />
      <xs:element name="application-version" type="application-version" minOccurs="0" />
    </xs:sequence>
  </xs:complexType>
  
  <xs:complexType name="address-association">
    <xs:sequence>
      <xs:element name="address" type="address" />
      <xs:element name="address-association-type" type="address-association-type" />
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="address">
    <xs:sequence>
      <xs:element name="address-mask-value" type="address-mask-value" />
      <xs:element name="address-type" type="address-type" />
      <xs:element name="address-value" type="address-value" />          
    </xs:sequence>
  </xs:complexType>
  
  <xs:simpleType name="address-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="Ethernet" />
      <xs:enumeration value="ZigBee" />
      <xs:enumeration value="ModBus" />
    </xs:restriction>
  </xs:simpleType>
  
  <xs:simpleType name="session-state-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="Authenticating" />
      <xs:enumeration value="Authenticated" />
      <xs:enumeration value="Postured" />
      <xs:enumeration value="Started" />
      <xs:enumeration value="Disconnected" />
    </xs:restriction>
  </xs:simpleType>
  
  <xs:complexType name="session">
    <xs:sequence>
      <xs:element name="session-state-type" type="session-state-type" />
      <!-- TODO: add additional elements for Session Type -->
    </xs:sequence>
  </xs:complexType>
  
  <xs:simpleType name="user-id">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="username">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="user-directory">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:complexType name="user">
    <xs:sequence>
      <xs:element name="user-id" type="user-id" />
      <xs:element name="username" type="username" minOccurs="0" />
      <xs:element name="data-source" type="data-source" minOccurs="0" />
      <xs:element name="user-directory" type="user-directory" minOccurs="0" />
    </xs:sequence>
  </xs:complexType>
  
  <xs:complexType name="ethernet-interface">
    <xs:sequence>
      <xs:element name="interface-label" type="interface-label" />
      <xs:element name="network-interface-name" type="network-interface-name" minOccurs="0"/>
      <xs:element name="mac-address" type="mac-address" />
      <xs:element name="network-name" type="network-name" minOccurs="0"/>
      <xs:element name="network-id" type="network-id" minOccurs="0"/>
      <xs:element name="layer2-interface-type" type="layer2-interface-type" minOccurs="0"/>
      <xs:element name="sub-interface-label" type="sub-interface-label" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element name="super-interface-label" type="super-interface-label" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>

  <xs:simpleType name="event-type">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="event-threshold">
    <xs:restriction base="xs:integer" />
  </xs:simpleType>
  
  <xs:simpleType name="event-threshold-name">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="event-trigger">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="timestamp-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="discovered" />
      <xs:enumeration value="classified" />
      <xs:enumeration value="collected" />
      <xs:enumeration value="published" />
    </xs:restriction>
  </xs:simpleType>

  <xs:complexType name="typed-timestamp">
    <xs:sequence>
      <xs:element name="decimal-fraction-denominator" type="decimal-fraction-denominator"/>
      <xs:element name="decimal-fraction-numerator" type="decimal-fraction-numerator"/>
      <xs:element name="timestamp-type" type="timestamp-type" />
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="event">
    <xs:sequence>
      <xs:element name="event-type" type="event-type" minOccurs="0" />
      <xs:element name="event-threshold" type="event-threshold" minOccurs="0" />
      <xs:element name="event-threshold-name" type="event-threshold-name" minOccurs="0" />
      <xs:element name="event-trigger" type="event-trigger" minOccurs="0" />
      <xs:element name="typed-timestamp" type="typed-timestamp" />
      <xs:element name="content" type="xs:anySimpleType" />
    </xs:sequence>
  </xs:complexType>

  <xs:simpleType name="os-label">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="os-name">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="os-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="real-time" />
      <xs:enumeration value="consumer" />
      <xs:enumeration value="server" />
      <xs:enumeration value="security-enhanced" />
    </xs:restriction>
  </xs:simpleType>  
  
  <xs:simpleType name="os-component">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="os-manufacturer">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="os-version">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:complexType name="operating-system">
    <xs:sequence>
      <xs:element name="os-label" type="os-label" minOccurs="0" />
      <xs:element name="os-name" type="os-name" />
      <xs:element name="os-type" type="os-type" minOccurs="0" maxOccurs="unbounded" />
      <xs:element name="os-component" type="os-component" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element name="os-manufacturer" type="os-manufacturer" minOccurs="0" />
      <xs:element name="os-version" type="os-version" minOccurs="0" />      
    </xs:sequence>
  </xs:complexType>  
  
  <xs:simpleType name="sub-interface-label">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="super-interface-label">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="address-association-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="broadcast-domain-member-list" />
      <xs:enumeration value="ip-subnet-member-list" />
      <xs:enumeration value="ip-mac" />
      <xs:enumeration value="shared-backhaul-interface" />
    </xs:restriction>
  </xs:simpleType>

  <xs:simpleType name="address-mask-value">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  <xs:simpleType name="address-value">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="interface-label">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="network-name">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="network-id">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="network-interface-name">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="layer2-interface-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="fastEther" />
      <xs:enumeration value="fastEtherFX" />
      <xs:enumeration value="gigabitEthernet" />
    </xs:restriction>
  </xs:simpleType>
  
  <xs:simpleType name="ipv6-address-subnet-mask-cidrnot">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="ipv6-address-value">
    <xs:restriction base="xs:string" />
  </xs:simpleType>
  
  <xs:simpleType name="ipv4-address-subnet-mask-cidrnot">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="ipv4-address-subnet-mask">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="ipv4-address-value">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:complexType name="network-address">
    <xs:choice>
      <xs:element name="ipv4-address" type="ipv4-address" />
      <xs:element name="ipv6-address" type="ipv6-address" />
      <xs:element name="mac-address" type="mac-address" />
    </xs:choice>
  </xs:complexType>

  <xs:complexType name="endpoint-identifier">
    <xs:choice>
      <xs:element name="certificate" type="certificate" />
      <xs:element name="firmware-id" type="firmware-id" />
      <xs:element name="hardware-serial-number" type="hardware-serial-number" />
      <xs:element name="host-name" type="host-name" />
      <xs:element name="ipv4-address-value" type="ipv4-address-value" />
      <xs:element name="ipv6-address-value" type="ipv6-address-value" />
      <xs:element name="mac-address" type="mac-address" />
      <xs:element name="public-key" type="public-key" />
      <xs:element name="username" type="username" />
    </xs:choice>
  </xs:complexType>  

  <xs:complexType name="ipv4-address">
    <xs:sequence>
      <xs:element name="ipv4-address-value" type="ipv4-address-value" />
      <xs:element name="ipv4-address-subnet-mask-cidrnot" type="ipv4-address-subnet-mask-cidrnot"/>
      <xs:element name="ipv4-address-subnet-mask" type="ipv4-address-subnet-mask"/>
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="ipv6-address">
    <xs:sequence>
      <xs:element name="ipv6-address-value" type="ipv6-address-value" />
      <xs:element name="ipv6-address-subnet-mask-cidrnot" type="ipv6-address-subnet-mask-cidrnot"/>
    </xs:sequence>
  </xs:complexType>

  <xs:simpleType name="mac-address">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="layer4-port-address">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="protocol">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="layer4-protocol">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="bytes-received">
    <xs:restriction base="xs:integer" />
  </xs:simpleType>

  <xs:simpleType name="bytes-sent">
    <xs:restriction base="xs:integer" />
  </xs:simpleType>

  <xs:simpleType name="units-received">
    <xs:restriction base="xs:integer" />
  </xs:simpleType>

  <xs:simpleType name="units-sent">
    <xs:restriction base="xs:integer" />
  </xs:simpleType>    
  
  <xs:complexType name="flow-statistics">
    <xs:sequence>
      <xs:element name="bytes-received" type="bytes-received" />
      <xs:element name="bytes-sent" type="bytes-sent" />
      <xs:element name="units-received" type="units-received" />
      <xs:element name="units-sent" type="units-sent" />
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="person">
    <xs:sequence>
      <xs:element name="person-first-name" type="person-first-name" />
      <xs:element name="person-last-name" type="person-last-name" />
      <xs:element name="person-middle-name" type="person-middle-name" minOccurs="0" maxOccurs="unbounded" />
      <xs:element name="phone-contact" type="phone-contact" minOccurs="0" maxOccurs="unbounded" />
      <xs:element name="email-address" type="email-address" minOccurs="0" maxOccurs="unbounded" />
    </xs:sequence>
  </xs:complexType>

  <xs:simpleType name="person-first-name">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="person-last-name">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="person-middle-name">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="email-address">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:complexType name="phone-contact">
    <xs:sequence>
      <xs:element name="phone-number" type="phone-number" />
      <xs:element name="phone-number-type" type="phone-number-type" minOccurs="0" />
    </xs:sequence>
  </xs:complexType>

  <xs:simpleType name="phone-number">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="phone-number-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="DSN" />
      <xs:enumeration value="Fax" />
      <xs:enumeration value="Home" />
      <xs:enumeration value="Mobile" />
      <xs:enumeration value="Pager" />
      <xs:enumeration value="Secure" />
      <xs:enumeration value="Unsecure" />
      <xs:enumeration value="Work" />
      <xs:enumeration value="Other" /> 
    </xs:restriction>
  </xs:simpleType>

  <xs:complexType name="privilege">
    <xs:sequence>
      <xs:element name="privilege-name" type="privilege-name" />
      <xs:element name="privilege-value" type="privilege-value" />
    </xs:sequence>
  </xs:complexType>

  <xs:simpleType name="privilege-name">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="privilege-value">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:complexType name="location">
    <xs:sequence>
      <xs:element name="WGS84-longitude" type="WGS84-longitude" />
      <xs:element name="WGS84-latitude" type="WGS84-latitude" />
      <xs:element name="WGS84-altitude" type="WGS84-altitude" />
    </xs:sequence>
  </xs:complexType>

  <xs:simpleType name="WGS84-longitude">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="WGS84-latitude">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="WGS84-altitude">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="organization-id">
    <xs:restriction base="xs:string" />
  </xs:simpleType>  

  <xs:simpleType name="organization-name">
    <xs:restriction base="xs:string" />
  </xs:simpleType>  
  
  <xs:complexType name="organization">
    <xs:sequence>
      <xs:element name="organization-id" type="organization-id" />
      <xs:element name="organization-name" type="organization-name" />
      <xs:element name="location" type="location" minOccurs="0" />
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="data-source">
    <xs:sequence>
      <xs:element name="data-source-label" type="data-source-label" minOccurs="0" />
      <xs:element name="endpoint-identifier" type="endpoint-identifier" minOccurs="0" maxOccurs="unbounded" />
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="administrative-domain">
    <xs:sequence>
      <xs:element name="administrative-domain-label" type="administrative-domain-label" />
      <xs:element name="sub-administrative-domain" type="sub-administrative-domain" minOccurs="0" maxOccurs="unbounded" />
      <xs:element name="super-administrative-domain" type="super-administrative-domain" minOccurs="0" />
      <xs:element name="location" type="location" minOccurs="0" />
    </xs:sequence>
  </xs:complexType>

  <xs:simpleType name="access-privilege-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="read" />
      <xs:enumeration value="write" />
      <xs:enumeration value="none" />
    </xs:restriction>
  </xs:simpleType>

  <xs:simpleType name="account-name">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="authenticator">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="authentication-type">
    <xs:restriction base="xs:string">
      <!-- To be done -->
    </xs:restriction>
  </xs:simpleType>

  <xs:simpleType name="birthdate">
    <xs:restriction base="xs:date" />
  </xs:simpleType>

  <xs:simpleType name="certificate">
    <xs:restriction base="xs:string" />
  </xs:simpleType>

  <xs:simpleType name="collection-task-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="network-observation" />
      <xs:enumeration value="remote-acquisition" />
      <xs:enumeration value="self-reported" />
    </xs:restriction>
  </xs:simpleType>

  <xs:simpleType name="confidence">
    <xs:restriction base="xs:float">
      <xs:minInclusive value="0" />
      <xs:maxInclusive value="1" />
    </xs:restriction>
  </xs:simpleType>

  <xs:simpleType name="content-action">
    <xs:restriction base="xs:string">
      <xs:enumeration value="add" />
      <xs:enumeration value="delete" />
      <xs:enumeration value="update" />
    </xs:restriction>
  </xs:simpleType>

  <xs:simpleType name="country-code">
    <xs:restriction base="xs:string" />  
  </xs:simpleType>

  <xs:simpleType name="default-depth">
    <xs:restriction base="xs:integer" />  
  </xs:simpleType>

  <xs:simpleType name="discoverer">
    <xs:restriction base="xs:string" />  
  </xs:simpleType>

  <xs:simpleType name="firmware-id">
    <xs:restriction base="xs:string" />  
  </xs:simpleType>

  <xs:simpleType name="hardware-serial-number">
    <xs:restriction base="xs:string" />  
  </xs:simpleType>

  <xs:simpleType name="location-name">
    <xs:restriction base="xs:string" />  
  </xs:simpleType>

  <xs:simpleType name="method-label">
    <xs:restriction base="xs:string" />  
  </xs:simpleType>
 
  <xs:simpleType name="method-repository">
    <xs:restriction base="xs:string" />  
  </xs:simpleType>

  <xs:simpleType name="network-access-level-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="block" />
      <xs:enumeration value="quarantine" />
    </xs:restriction>
  </xs:simpleType>

  <xs:simpleType name="patch-id">
    <xs:restriction base="xs:string" />  
  </xs:simpleType>

  <xs:simpleType name="patch-name">
    <xs:restriction base="xs:string" />  
  </xs:simpleType>

  <!-- FIXME: is this type appropriate? -->
  <xs:simpleType name="public-key">
    <xs:restriction base="xs:string" />  
  </xs:simpleType>

  <xs:simpleType name="role-name">
    <xs:restriction base="xs:string" />  
  </xs:simpleType>

  <xs:simpleType name="status">
    <xs:restriction base="xs:string">
      <xs:enumeration value="true" />
      <xs:enumeration value="false" />
      <xs:enumeration value="error" />
      <xs:enumeration value="unknown" />
      <xs:enumeration value="not applicable" />
      <xs:enumeration value="not evaluated" />
    </xs:restriction>
  </xs:simpleType>

  <xs:simpleType name="te-assessment-state">
    <xs:restriction base="xs:string">
      <xs:enumeration value="in-discovery" />
      <xs:enumeration value="discovered" />
      <xs:enumeration value="in-classification" />
      <xs:enumeration value="classified" />
      <xs:enumeration value="in-assessment" />
      <xs:enumeration value="assessed" />
    </xs:restriction>
  </xs:simpleType>

  <xs:simpleType name="timestamp">
    <xs:restriction base="xs:dateTime" />  
  </xs:simpleType>

  <xs:simpleType name="web-site">
    <xs:restriction base="xs:string" />  
  </xs:simpleType>

  <xs:simpleType name="port-id">
    <xs:restriction base="xs:string" />  
  </xs:simpleType>

  <xs:simpleType name="atm-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="lowSpeed" />
      <xs:enumeration value="highSpeed" />
    </xs:restriction>
  </xs:simpleType>

  <xs:simpleType name="enet-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="enet" />
      <xs:enumeration value="1genet" />
      <xs:enumeration value="10genet" />
      <xs:enumeration value="100genet" />
    </xs:restriction>
  </xs:simpleType>

  <xs:simpleType name="wifi-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="11n" />
      <xs:enumeration value="11a" />
      <xs:enumeration value="11gb" />
    </xs:restriction>
  </xs:simpleType>

  <xs:simpleType name="virtual-type">
    <xs:restriction base="xs:string">
      <xs:enumeration value="virtual-1g" />
    </xs:restriction>
  </xs:simpleType>  

  <xs:complexType name="port">
    <xs:sequence>
      <xs:element name="port-id" type="port-id"/>
      <xs:element name="atm-type" type="atm-type" maxOccurs="1" minOccurs="0" />
      <xs:element name="enet-type" type="enet-type" maxOccurs="1" minOccurs="0" />
      <xs:element name="wifi-type" type="wifi-type" maxOccurs="1" minOccurs="0" />
      <xs:element name="virtual-type" type="virtual-type" maxOccurs="1" minOccurs="0" />
    </xs:sequence>
  </xs:complexType>

  <xs:complexType name="user-account">
    <xs:sequence>
      <xs:element name="user" type="user"/>
    </xs:sequence>
  </xs:complexType>
</xs:schema>
<CODE ENDS>
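Added example, not part of this draft or of the Hackathon code: a consumer-side check of a data-source instance built from the schema above. The schema leaves ipv4-address-value, ipv6-address-value and mac-address as bare xs:string, so a component that ingests SACM statements gets no syntactic guarantee for them from XSD validation alone; the colon-separated MAC notation and the sample instance are constructed assumptions, while the status enumeration and the confidence range mirror the schema's own definitions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Value set and range the schema above does define.
STATUS = {"true", "false", "error", "unknown", "not applicable", "not evaluated"}

# Assumption: MAC addresses arrive as six colon-separated hex octets (schema fixes none).
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")

# Constructed sample data-source; the third endpoint-identifier is not a valid IPv4 address.
SAMPLE = """<data-source>
  <data-source-label>collector-01</data-source-label>
  <endpoint-identifier><ipv4-address-value>192.0.2.10</ipv4-address-value></endpoint-identifier>
  <endpoint-identifier><mac-address>00:11:22:33:44:55</mac-address></endpoint-identifier>
  <endpoint-identifier><ipv4-address-value>999.1.1.1</ipv4-address-value></endpoint-identifier>
</data-source>"""


def check_value(tag, text):
    """Return None if the value is acceptable, else an error string.
    Address checks are stricter than the schema's xs:string; status and
    confidence apply the limits the schema itself states."""
    try:
        if tag == "ipv4-address-value":
            ipaddress.IPv4Address(text)
        elif tag == "ipv6-address-value":
            ipaddress.IPv6Address(text)
        elif tag == "mac-address" and not MAC_RE.match(text):
            raise ValueError("unexpected MAC notation")
        elif tag == "confidence" and not 0.0 <= float(text) <= 1.0:
            raise ValueError("outside [0, 1]")
        elif tag == "status" and text not in STATUS:
            raise ValueError("not an enumerated status")
    except ValueError as exc:
        return f"{tag}: {text!r} rejected ({exc})"
    return None


def validate_data_source(xml_text):
    """Check every endpoint-identifier of a data-source; return the error list."""
    root = ET.fromstring(xml_text)
    errors = []
    for ident in root.findall("endpoint-identifier"):
        children = list(ident)
        if len(children) != 1:  # xs:choice: exactly one alternative
            errors.append("endpoint-identifier: expected exactly one child")
            continue
        err = check_value(children[0].tag, (children[0].text or "").strip())
        if err:
            errors.append(err)
    return errors
```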

Authors' Addresses

Henk Birkholz
Fraunhofer SIT
Rheinstrasse 75
Darmstadt, 64295
Germany

EMail: henk.birkholz@sit.fraunhofer.de

Nancy Cam-Winget
Cisco Systems
3550 Cisco Way
San Jose, CA 95134
USA

EMail: ncamwing@cisco.com