Internet DRAFT - draft-wang-i2nsf-intelligent-detection
draft-wang-i2nsf-intelligent-detection
I2NSF
Internet Draft W. Wang
Intended status: Proposed Standard H. Zhou
M. Li
Q. Guo
S. Deng
Document: draft-wang-i2nsf-intelligent-detection-01.txt
Beijing Jiaotong
University
Expires: October 2023 March 2023
YANG Data Models for Attacks Intelligent Detection
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute working
documents as Internet-Drafts. The list of current Internet-Drafts is
at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Abstract
This document describes how to extend the Interface to Network
Security Function (I2NSF) framework to make it suitable for attacks
intelligent detection. Intelligent detection means that the network
can dynamically adjust detection policies based on resource status,
traffic features, or detection results. This document describes the
application of I2NSF Framework for Security Management Automation
(SMA) for attacks intelligent detection in Software-Defined
Networking (SDN) and Service Function Chaining (SFC) environment.
This document will extend the YANG data model of Monitoring
Interface, Analytics Interface and NSF-Facing Interface in I2NSF for
SMA framework to make it suitable for attacks intelligent detection
in SDN and SFC environments.
Copyright Notice
Wang, et al. Expires – October 2023 [Page 1]
� I2NSF Intelligent Detection March 2023
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your
rights and restrictions with respect to this document. Code
Components extracted from this document must include Revised
BSD License text as described in Section 4.e of the Trust Legal
Provisions and are provided without warranty as described in the
Revised BSD License.
Table of Contents
1. Introduction...................................................2
2. Terminology....................................................3
3. I2NSF Framework for Attacks Intelligent Detection..............4
3.1 Components with I2NSF Framework for AID....................4
3.2 Interfaces with I2NSF Framework for AID....................6
4. The Extended YANG Data Models..................................6
4.1 The Extended Monitoring Interface..........................6
4.1.1 YANG Tree Structure of Extended Monitoring
Interface.............................................9
4.1.2 YANG Data Model of Extended Monitoring
Interface............................................11
4.2 The Extended Analytics Interface..........................29
4.2.1 YANG Tree Structure of Extended Analytics
Interface............................................30
4.2.2 YANG Data Model of Extended Analytics Interface .....31
4.3 The Extended NSF-Facing Interface.........................45
4.3.1 YANG Tree Structure of Extended NSF-Facing YANG
Module...............................................45
4.3.2 YANG Data Model of Extended NSF-Facing YANG
Module ....... ....................................46
5. XML Examples of I2NSF Framework for AID.......................49
6. IANA Considerations...........................................54
7. Security Considerations.......................................54
8. References....................................................54
8.1 Normative References......................................54
8.2 Informative References....................................58
Acknowledgments..................................................59
Author's Addresses...............................................59
1. Introduction
I2NSF defines the framework and interface for interacting with NSFs
[RFC8192] [RFC8329]. It is centered on the Security Controller and
Wang, et al. Expires – October 2023 [Page 2]
� I2NSF Intelligent Detection March 2023
implements consumer-facing NSFs management and configuration through
Consumer-Facing Interface and NSF-Facing Interface. I2NSF Framework
for Security Management Automation has added new components I2NSF
Analyzer, new interface Monitoring Interface and Analytics Interface,
which enable it to achieve feedback based automatic security
management [I-D. jeong-i2nsf-security-management-automation].
SDN relocates the control of network resources to a dedicated network
element, namely SDN Controller, which provides a means to program,
orchestrate, control and manage the network resources through
software [ITU-TY.3300]. SFC [RFC7665] is a technique for ordering
packets through different service functions. The SDN Controller can
manage the SFC. The SDN Controller can send traffic tables to the SFC
Classifiers (CFs) and Service Function Forwarder (SFFs), so that
different traffic passes through different Service Function Paths
(SFPs) according to different traffic table forwarding rules. I2NSF
can be combined with SDN and SFC [I-D. ietf-i2nsf-applicability]. The
application of SDN and SFC technology in I2NSF can provide more
flexible NSFs combination for I2NSF User.
NSF can provide a range of security-related services, such as
detecting, blocking, or mitigating cyber-attacks [RFC8329]. The NSFs
referred in this document specifically refers to NSFs with the
capability to detect attacks, which are called Detection Modules
(DMs). Different detection modules apply to different types of
attacks, such as Distributed Denial of service (DDoS) attacks, worm
attacks and so on. Detection modules can form different SFPs in SDN
and SFC environments. Traffic with different features, such as
protocols or port numbers, passes through different paths to improve
network detection efficiency and reduce NSFs load and traffic
transmission delay.
This document will design extended YANG data models for Monitoring
Interface, Analytics Interface and NSF-Facing Interface in I2NSF
Framework for Security Management Automation. The I2NSF Analyzer can
collect network resource information, traffic features, and detection
results through the Extended Monitoring Interface. The I2NSF Analyzer
can send resource alarms, detection results, and path reconfiguration
policies to the Security Controller through the Extended Analytics
Interface. The Security Controller can send the path configuration
rules to the SDN Controller through the Extended NSF-facing
Interface. The extended framework can realize closed-loop feedback
based dynamic adjustment of attack detection policies in SDN and
SFC environment.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
Wang, et al. Expires – October 2023 [Page 3]
� I2NSF Intelligent Detection March 2023
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
This document uses the terminology described in [RFC8329], [I-D.
jeong-i2nsf-security-management-automation], [RFC7665], [ITU-TY.3300]
and [RFC8455]. In addition, the following terms are defined below:
o Intelligent Detection: The network can dynamically adjust
detection policies based on the feedback resource status, traffic
features, and detection results.
o Detection Module (DM): The NSF with detection capability.
Different DMs apply to different types of attacks, such as DDoS
attacks, worm attacks and so on.
3. I2NSF Framework for Attacks Intelligent Detection
This section summarizes the I2NSF Framework for Attacks Intelligent
Detection (I2NSF Framework for AID) in SDN and SFC environment. As
shown in Figure 1, The Security Controller and I2NSF Analyzer
implement closed-loop automatic management of SDN controller,
CFs/SFFs and DMs through Monitoring Interface, Analytics Interface
and NSF-Facing Interface.
3.1 Components with I2NSF Framework for AID
The following are the system components for the I2NSF framework for
AID.
o I2NSF User: An entity that delivers a high-level security policy to
Security Controller [RFC8329].
o Security Controller: An entity that controls and manages other
system components in the I2NSF framework. It translates a high-
level security policy (from I2NSF User) or reconfiguration policy
(from I2NSF Analyzer) into the corresponding low-level security
policy. It selects appropriate NSFs (including DMs, SDN Controller,
CFs and SFFs) to execute the security rules of the low-level
security policy [RFC8329].
o Developer's Management System (DMS): An entity that provides an
image of a virtualized NSF for a security service to the I2NSF
framework, and registers the capability and access information of
an NSF with Security Controller [RFC8329].
Wang, et al. Expires – October 2023 [Page 4]
� I2NSF Intelligent Detection March 2023
o I2NSF Analyzer: An entity that collects monitoring data from NSFs
and analyzes such data for checking the activity and performance
of the NSFs. If there is a suspicious attack activity for the
target network or NSF, I2NSF Analyzer delivers a report of the
augmentation or generation of reconfiguration policy to Security
Controller [I-D. jeong-i2nsf-security-management-automation].
+----------+
|I2NSF User|
+----------+
^
| Consumer-Facing Interface
v
+-------------------+ Registration +-----------------------+
|Security Controller|<----------------> |Developer's Mgmt System|
+-------------------+ Interface +-----------------------+
^ ^ ^
| | |
| | | Analytics Interface +--------------+
| | +--------------------->|I2NSF Analyzer|
|NSF-Facing | +--------------+
|Interface +-------+ NSF-Facing ^ Monitoring
| | Interface | Interface
+-----------------------------------------------------------+
| v | v |
| +--------------+ | |
| |SDN Controller| | |
| +--------------+ | |
| ^ | |
| | SDN Southbound | |
| | Interface | |
| v | |
| +--------------+ v |
| | +----------+ |----------------------------------+ |
| | |Classifier| | | | | |
| | +----------+ | v v v |
| | +-----+ | +------+ +------+ +------+ |
| | | SFF | | | DM-1 | | DM-2 | ... | DM-n | |
| | +-----+ | +------+ +------+ +------+ |
| +--------------+ |
+-----------------------------------------------------------+
Figure 1: I2NSF Framework for Attacks Intelligent Detection
o SDN Controller: An entity that provides a means to program,
orchestrate, control and manage the network resources through
software. It can parse path rules of the low-level security policy
and deliver flow tables to CFs and SFFs to form SFPs [ITU-TY.3300].
Wang, et al. Expires – October 2023 [Page 5]
� I2NSF Intelligent Detection March 2023
o Detection Module (DM): The NSF with detection capability.
3.2 Interfaces with I2NSF Framework for AID
The following are the interfaces for the AID I2NSF framework. Note
that the interfaces are modeled with YANG [RFC6020] and security
policies are delivered through either RESTCONF [RFC8040] or NETCONF
[RFC6241].
o Consumer-Facing Interface: An interface between I2NSF User and
Security Controller for the delivery of a high-level security
policy [RFC8329].
o NSF-Facing Interface: An interface between Security Controller and
an NSF for the delivery of a low-level security policy [RFC8329].
o Registration Interface: An interface between a DMS and Security
Controller for the registration of an NSF's capability and access
information with Security Controller or the query of an NSF for a
required low-level security policy [RFC8329].
o Analytics Interface: An interface to deliver an analytics report
for augmentation or generation of a security policy rule created
by I2NSF Analyzer to Security Controller [I-D. jeong-i2nsf-
security-management-automation].
o SDN Southbound Interface: The application programming interface
provided by the SDN Controller to interact with the SDN nodes
[RFC8455].
4. The Extended YANG Data Models
This section describes the extended Monitoring Interface, Analytics
Interface and NSF-Facing Interface YANG data model.
4.1 The Extended Monitoring Interface
This section describes the Extended Monitoring Interface. This
document modifies or adds traffic features, resource utilization
logs, and DM detection results for Monitoring Interface.
Traffic features contain the following information:
Wang, et al. Expires – October 2023 [Page 6]
� I2NSF Intelligent Detection March 2023
o measurement-time: The duration of the measurement in seconds for
the features of traffic flows. These traffic flow features are
measured over the past measurement duration before now.
o packets-per-second: Average number of packets forwarded per second
measured over the past 'measurement-time'.
o bytes-per-second: Average number of bytes forwarded per second
measured over the past 'measurement-time'.
o packet-size-mean: Average packet length of packets measured over
the past 'measurement-time'.
o src-ip-entropy: Entropy of the source IP address measured over the
past 'measurement-time'.
o dst-ip-entropy: The entropy of the destination IP address measured
over the past 'measurement-time'.
o TTL-entropy: Packet lifetime TTL entropy measured over the past
'measurement-time'.
o tcp-src-port-entropy: TCP Packet source port entropy measured over
the past 'measurement-time'.
o tcp-dst-port-entropy: TCP Packet destination port entropy measured
over the past 'measurement-time'.
o udp-src-port-entropy: UDP Packet source port entropy measured over
the past 'measurement-time'.
o udp-dst-port-entropy: UDP Packet destination port entropy measured
over the past 'measurement-time'.
o packet-size-entropy: The entropy of packet length measured over the
past 'measurement-time'.
o packets-variance: Variance of packets measured over the past
'measurement-time'.
Resource utilization logs contain the following information:
o system-status: The current system's running status [I-D. ietf-
i2nsf-nsf-monitoring-data-model].
o cpu-usage: Specifies the aggregated CPU usage in percentage [I-D.
ietf-i2nsf-nsf-monitoring-data-model].
Wang, et al. Expires – October 2023 [Page 7]
� I2NSF Intelligent Detection March 2023
o cpu-freq: Specifies the frequency of CPU in MHz.
o memory-usage: Specifies the MB of memory usage.
o memory-total: Specifies the MB of total memory.
o memory-available: Specifies the MB of available memory.
o disk-id: The ID of the storage disk. It is a free form identifier
to identify the storage disk [I-D. ietf-i2nsf-nsf-monitoring-data-
model].
o disk-usage: Specifies the percentage of disk usage [I-D. ietf-
i2nsf-nsf-monitoring-data-model].
o disk-space-left: Specifies the available disk space left of disk-id
in percentage [I-D. ietf-i2nsf-nsf-monitoring-data-model].
o interface-id: Specifies the interface ID to identify the network
interface [I-D. ietf-i2nsf-nsf-monitoring-data-model].
o in-traffic-rate: The total inbound data plane traffic rate in
packets per second [I-D. ietf-i2nsf-nsf-monitoring-data-model].
o out-traffic-rate: The total outbound data plane traffic rate in
packets per second [I-D. ietf-i2nsf-nsf-monitoring-data-model].
o in-traffic-throughput: The total inbound data plane traffic
throughput in bytes per second [I-D. ietf-i2nsf-nsf-monitoring-
data-model].
o out-traffic-throughput: The total outbound data plane traffic
throughput in bytes per second[I-D. ietf-i2nsf-nsf-monitoring-
data-model].
o packet-loss-rate: The percentage of discarded packets.
The DM detection result contains the following information:
o detection-module-name: The name of the specific detection module.
o time-stamp: Specify the time of a message being delivered.
o response-time: The time taken for the detection.
Wang, et al. Expires – October 2023 [Page 8]
� I2NSF Intelligent Detection March 2023
o start-time: The start time for the detection.
o end-time: The end time for the detection.
o attack-id: The ID of the specific attack traffic which has the same
src/dst IP, protocol and attack type.
o attack-type: The type of the detected attack.
o attack-src-ip: The source IPv4 or IPv6 addresses of attack traffic.
o attack-dst-ip: The destination IPv4 or IPv6 addresses of attack
traffic.
o attack-src-port: The transport-layer source ports of the attack. It
can hold multiple ports.
o attack-dst-port: The transport-layer destination ports of the
attack. It can hold multiple ports.
o protocol: The type of network protocol for the attack.
o attack-rate: The average packets per second (pps) rate of attack
traffic [I-D. ietf-i2nsf-nsf-monitoring-data-model].
o attack-throughput: The average bytes per second (Bps) throughput of
attack traffic [I-D. ietf-i2nsf-nsf-monitoring-data-model].
4.1.1 YANG Tree Structure of Extended Monitoring Interface
The tree structure of the Extended Monitoring Interface is provided
below:
module: wang-i2nsf-extended-monitoring-interface
notifications:
+---n i2nsf-event
| +--ro vendor-name? string
| +--ro device-model? string
| +--ro software-version? string
| +--ro nsf-name union
| +--ro message? string
| +--ro language? string
| +--ro acquisition-method? identityref
Wang, et al. Expires – October 2023 [Page 9]
� I2NSF Intelligent Detection March 2023
| +--ro emission-type? identityref
| +--ro dampening-type? identityref
| +--ro (sub-event-type)?
| +--:(i2nsf-flow-features)
| +--ro i2nsf-traffic-flow-features
| +--ro measurement-time? uint32
| +--ro packets-per-second? uint64
| +--ro bytes-per-second? uint64
| +--ro packet-size-mean? uint64
| +--ro src-ip-entropy? uint64
| +--ro dst-ip-entropy? uint64
| +--ro TTL-entropy? uint64
| +--ro tcp-src-port-entropy? uint64
| +--ro tcp-dst-port-entropy? uint64
| +--ro udp-src-port-entropy? uint64
| +--ro udp-dst-port-entropy? uint64
| +--ro packet-size-entropy? uint64
| +--ro packets-variance? uint64
+---n i2nsf-log
| +--ro vendor-name? string
| +--ro device-model? string
| +--ro software-version? string
| +--ro nsf-name union
| +--ro message? string
| +--ro language? string
| +--ro acquisition-method? identityref
| +--ro emission-type? identityref
| +--ro dampening-type? identityref
| +--ro (sub-logs-type)?
| +--:(i2nsf-system-res-util-log)
| +--ro i2nsf-system-res-util-log
| +--ro system-status? enumeration
| +--ro cpu-usage? uint8
| +--ro cpu-freq? uint64
| +--ro memory-usage? uint64
| +--ro memory-total? uint64
| +--ro memory-available? uint64
| +--ro disks* [disk-id]
| | +--ro disk-id string
| | +--ro disk-usage? uint8
| | +--ro disk-space-left? uint8
| +--ro interface* [interface-id]
| +--ro interface-id string
| +--ro in-traffic-rate? uint64
| +--ro out-traffic-rate? uint64
| +--ro in-traffic-throughput? uint64
| +--ro out-traffic-throughput? uint64
| +--ro packet-loss-rate? uint64
+---n i2nsf-nsf-event
Wang, et al. Expires – October 2023 [Page 10]
� I2NSF Intelligent Detection March 2023
+--ro vendor-name? string
+--ro device-model? string
+--ro software-version? string
+--ro nsf-name union
+--ro message? string
+--ro language? string
+--ro acquisition-method? identityref
+--ro emission-type? identityref
+--ro dampening-type? identityref
+--ro (sub-event-type)?
+--:(i2nsf-nsf-detection-module)
+--ro i2nsf-nsf-detection-module
+--ro detection-module* [detection-module-name]
+--ro detection-module-name string
+--ro time-stamp? yang:date-and-time
+--ro response-time? yang:date-and-time
+--ro start-time? yang:date-and-time
+--ro end-time? yang:date-and-time
+--ro detected-attacks
+--ro attack-traffic* [attack-id]
+--ro attack-id string
+--ro attack-type string
+--ro attack-src-ip? inet:ip-address-no-zone
+--ro attack-dst-ip? inet:ip-address-no-zone
+--ro attack-src-port* inet:port-number
+--ro attack-dst-port* inet:port-number
+--ro protocol? identityref
+--ro attack-rate? uint64
+--ro attack-throughput? uint64
Figure 2: YANG Tree Structure of Extended Monitoring Interface
4.1.2 YANG Data Model of Extended Monitoring Interface
This section describes a YANG module of I2NSF Extended Monitoring
Interface. This YANG module imports from [RFC6991], and makes
references to [I-D. ietf-i2nsf-nsf-monitoring-data-model] [RFC0768]
[RFC0791] [RFC0792] [RFC0854] [RFC1939] [RFC0959] [RFC2595]
[RFC4340] [RFC4443] [RFC5321] [RFC5646] [RFC6242] [RFC8200]
[RFC8641] [RFC9051] [RFC9110] [RFC9112] [RFC9113] [RFC9260]
[RFC9293].
<CODE BEGINS> file "wang-i2nsf-extended-monitoring-interface@2023-
03-28.yang"
module ietf-wang-i2nsf-extended-monitoring-interface{
Wang, et al. Expires – October 2023 [Page 11]
� I2NSF Intelligent Detection March 2023
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:wang-i2nsf-extended-
monitoring-interface";
prefix i2nsf-exmi;
import ietf-inet-types{
prefix inet;
reference "Section 4 of RFC 6991";
}
import ietf-yang-types{
prefix yang;
reference "Section 3 of RFC 6991";
}
organization
"IETF I2NSF (Interface to Network Security Functions)
Working Group";
contact
"WG Web: <https://datatracker.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org>
Author: Weilin Wang
<mailto:21111026@bjtu.edu.cn>
Author: Huachun Zhou
<mailto:hchzhou@bjtu.edu.cn>
Author: Man Li
<mailto:20111018@bjtu.edu.cn>
Author: Qi Guo
<mailto:20120044@bjtu.edu.cn>
Author: Shuangxing Deng
<mailto:21120038@bjtu.edu.cn>";
description
"This module is a YANG module for the extension of I2NSF
NSF Monitoring.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this
document are to be interpreted as described in BCP 14
(RFC 2119) (RFC 8174) when, and only when, they appear
Wang, et al. Expires – October 2023 [Page 12]
� I2NSF Intelligent Detection March 2023
in all capitals, as shown here.
Copyright (c) 2022 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Revised BSD License
set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
for full legal notices.";
revision "2023-03-28" {
description "Initial revision.";
reference
"RFC XXXX: Extension of I2NSF NSF Monitoring Interface
YANG Data Model";
}
/*
* Identity
*/
identity characteristics {
description
"Base identity for monitoring information
characteristics.";
reference
"I-D: I2NSF NSF Monitoring Interface YANG Data Model";
}
identity acquisition-method {
base characteristics;
description
"The type of acquisition-method. It can be multiple
types at once.";
}
identity subscription {
base acquisition-method;
description
"The acquisition-method type is subscription.";
}
identity query {
base acquisition-method;
description
"The acquisition-method type is query.";
}
Wang, et al. Expires – October 2023 [Page 13]
� I2NSF Intelligent Detection March 2023
identity emission-type {
base characteristics;
description
"The type of emission-type.";
}
identity periodic {
base emission-type;
description
"The emission-type type is periodic.";
}
identity on-change {
base emission-type;
description
"The emission-type type is on-change.";
}
identity dampening-type {
base characteristics;
description
"The type of message dampening to stop the rapid
transmission of messages, such as on-repetition
and no-dampening.";
}
identity no-dampening {
base dampening-type;
description
"The dampening-type is no-dampening. No-dampening
type does not limit the transmission for the
messages of the same type.";
}
identity on-repetition {
base dampening-type;
description
"The dampening-type is on-repetition. On-repetition
type limits the transmitted on-change message to one
message at a certain interval.";
}
identity protocol {
description
"An identity used to enable type choices in leaves
and leaf-lists with respect to protocol metadata.
This is used to identify the type of protocol that
goes through the NSF.";
}
identity ip {
base protocol;
description
"General IP protocol type.";
reference
"RFC0791: Internet Protocol
Wang, et al. Expires – October 2023 [Page 14]
� I2NSF Intelligent Detection March 2023
RFC8200: Internet Protocol, Version 6 (IPv6)";
}
identity ipv4 {
base ip;
description
"IPv4 protocol type.";
reference
"RFC0791: Internet Protocol";
}
identity ipv6 {
base ip;
description
"IPv6 protocol type.";
reference
"RFC8200: Internet Protocol, Version 6 (IPv6)";
}
identity icmp {
base protocol;
description
"Base identity for ICMPv4 and ICMPv6 condition
capability";
reference
"RFC0792: Internet Control Message Protocol
RFC4443: Internet Control Message Protocol (ICMPv6)
for the Internet Protocol Version 6 (IPv6)
Specification- ICMPv6";
}
identity icmpv4 {
base icmp;
description
"ICMPv4 protocol type.";
reference
"RFC0791: Internet Protocol
RFC0792: Internet Control Message Protocol";
}
identity icmpv6 {
base icmp;
description
"ICMPv6 protocol type.";
reference
"RFC8200: Internet Protocol, Version 6 (IPv6)
RFC4443: Internet Control Message Protocol (ICMPv6)
for the Internet Protocol Version 6 (IPv6)
Specification";
}
identity transport-protocol {
base protocol;
description
"Base identity for Layer 4 protocol condition
Wang, et al. Expires – October 2023 [Page 15]
� I2NSF Intelligent Detection March 2023
capabilities, e.g., TCP, UDP, SCTP, DCCP, and
ICMP.";
}
identity tcp {
base transport-protocol;
description
"TCP protocol type.";
reference
"[RFC9293]: Transmission Control
Protocol (TCP).";
}
identity udp {
base transport-protocol;
description
"UDP protocol type.";
reference
"RFC0768: User Datagram Protocol";
}
identity sctp {
base transport-protocol;
description
"Identity for SCTP condition capabilities";
reference
"RFC9260: Stream Control
Transmission Protocol";
}
identity dccp {
base transport-protocol;
description
"Identity for DCCP condition capabilities";
reference
"RFC4340: Datagram Congestion Control Protocol";
}
identity application-protocol {
base protocol;
description
"Base identity for Application protocol. Note that a
subset of application protocols (e.g., HTTP, HTTPS,
FTP, POP3, and IMAP) are handled in this YANG module,
rather than all the existing application protocols.";
}
identity http {
base application-protocol;
description
"The identity for Hypertext Transfer Protocol
version 1.1 (HTTP/1.1).";
reference
"[RFC9110]: HTTP Semantics
[RFC9112]: HTTP/1.1";
Wang, et al. Expires – October 2023 [Page 16]
� I2NSF Intelligent Detection March 2023
}
identity https {
base application-protocol;
description
"The identity for Hypertext Transfer Protocol
version 1.1 (HTTP/1.1) over TLS.";
reference
"[RFC9110]: HTTP Semantics
[RFC9112]: HTTP/1.1";
}
identity http2 {
base application-protocol;
description
"The identity for Hypertext Transfer Protocol
version 2 (HTTP/2).";
reference
"RFC9113: HTTP/2";
}
identity https2 {
base application-protocol;
description
"The identity for Hypertext Transfer Protocol
version 2 (HTTP/2) over TLS.";
reference
"RFC9113: HTTP/2";
}
identity ftp {
base application-protocol;
description
"FTP protocol type.";
reference
"RFC0959: File Transfer Protocol";
}
identity ssh {
base application-protocol;
description
"SSH protocol type.";
reference
"RFC6242: Using the NETCONF Protocol over
Secure Shell (SSH)";
}
identity telnet {
base application-protocol;
description
"The identity for telnet.";
reference
"RFC0854: Telnet Protocol";
}
identity smtp {
Wang, et al. Expires – October 2023 [Page 17]
� I2NSF Intelligent Detection March 2023
base application-protocol;
description
"The identity for smtp.";
reference
"RFC5321: Simple Mail Transfer Protocol (SMTP)";
}
identity pop3 {
base application-protocol;
description
"The identity for Post Office
Protocol 3 (POP3).";
reference
"RFC1939: Post Office Protocol - Version 3
(POP3)";
}
identity pop3s {
base application-protocol;
description
"The identity for Post Office Protocol 3
(POP3) over TLS";
reference
"RFC1939: Post Office Protocol -Version 3(POP3)
RFC2595: Using TLS with IMAP, POP3 and ACAP";
}
identity imap {
base application-protocol;
description
"The identity for Internet Message Access
Protocol (IMAP).";
reference
"RFC9051: Internet Message Access Protocol
(IMAP) - Version 4rev2";
}
identity imaps {
base application-protocol;
description
"The identity for Internet Message Access
Protocol (IMAP) over TLS";
reference
"RFC9051: Internet Message Access Protocol
(IMAP) - Version 4rev2
RFC2595: Using TLS with IMAP, POP3 and ACAP";
}
/*
* Grouping
*/
grouping common-monitoring-data {
description
Wang, et al. Expires – October 2023 [Page 18]
� I2NSF Intelligent Detection March 2023
"A set of common monitoring data that is needed
as the basic information.";
leaf vendor-name {
type string;
description
"The name of the NSF vendor. The string is
unrestricted to identify the provider or
vendor of the NSF.";
}
leaf device-model {
type string;
description
"The model of the device, can be represented
by the device model name or serial number.
This field is used to identify the model of
the device that provides the security
service.";
}
leaf software-version {
type string;
description
"The version of the software used to provide the
security service.";
}
leaf nsf-name {
type union{
type string;
type inet:ip-address-no-zone;
}
mandatory true;
description
"The name or IP address of the NSF generating
the message.If the given nsf-name is not an
IP address, the name can be an arbitrary string
including a FQDN (Fully Qualified Domain Name).
The name MUST be unique in the scope of
management domain for a different NSF to
identify the NSF that generates the message.";
}
}
grouping message {
description
"A set of common monitoring data that is needed
as the basic information.";
leaf message {
type string;
description
"This is a freetext annotation for
monitoring a notification's content.";
Wang, et al. Expires – October 2023 [Page 19]
� I2NSF Intelligent Detection March 2023
}
leaf language {
type string {
pattern '((([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3})'
+ '{0,2})?)|[A-Za-z]{4}|[A-Za-z]{5,8})(-[A-Za-z]{4})?'
+ '(-([A-Za-z]{2}|[0-9]{3}))?(-([A-Za-z0-9]{5,8}'
+ '|([0-9][A-Za-z0-9]{3})))*(-[0-9A-WYZa-wyz]'
+ '(-([A-Za-z0-9]{2,8}))+)*(-[Xx](-([A-Za-z0-9]'
+ '{1,8}))+)?|[Xx](-([A-Za-z0-9]{1,8}))+|'
+ '(([Ee][Nn]-[Gg][Bb]-[Oo][Ee][Dd]|[Ii]-'
+ '[Aa][Mm][Ii]|[Ii]-[Bb][Nn][Nn]|[Ii]-'
+ '[Dd][Ee][Ff][Aa][Uu][Ll][Tt]|[Ii]-'
+ '[Ee][Nn][Oo][Cc][Hh][Ii][Aa][Nn]'
+ '|[Ii]-[Hh][Aa][Kk]|'
+ '[Ii]-[Kk][Ll][Ii][Nn][Gg][Oo][Nn]|'
+ '[Ii]-[Ll][Uu][Xx]|[Ii]-[Mm][Ii][Nn][Gg][Oo]|'
+ '[Ii]-[Nn][Aa][Vv][Aa][Jj][Oo]|[Ii]-[Pp][Ww][Nn]|'
+ '[Ii]-[Tt][Aa][Oo]|[Ii]-[Tt][Aa][Yy]|'
+ '[Ii]-[Tt][Ss][Uu]|[Ss][Gg][Nn]-[Bb][Ee]-[Ff][Rr]|'
+ '[Ss][Gg][Nn]-[Bb][Ee]-[Nn][Ll]|[Ss][Gg][Nn]-'
+ '[Cc][Hh]-[Dd][Ee])|([Aa][Rr][Tt]-'
+ '[Ll][Oo][Jj][Bb][Aa][Nn]|[Cc][Ee][Ll]-'
+ '[Gg][Aa][Uu][Ll][Ii][Ss][Hh]|'
+ '[Nn][Oo]-[Bb][Oo][Kk]|[Nn][Oo]-'
+ '[Nn][Yy][Nn]|[Zz][Hh]-[Gg][Uu][Oo][Yy][Uu]|'
+ '[Zz][Hh]-[Hh][Aa][Kk][Kk][Aa]|[Zz][Hh]-'
+ '[Mm][Ii][Nn]|[Zz][Hh]-[Mm][Ii][Nn]-'
+ '[Nn][Aa][Nn]|[Zz][Hh]-[Xx][Ii][Aa][Nn][Gg])))';
}
default "en-US";
description
"The value in this field indicates the language tag
used for the human readable fields (i.e., '../message',
'/i2nsf-log/i2nsf-nsf-system-access-log/output', and
'/i2nsf-log/i2nsf-system-user-activity-log/additional-info
/cause').
The attribute is encoded following the rules in Section 2.1
in RFC 5646. The default language tag is 'en-US'";
reference
"RFC 5646: Tags for Identifying Languages.";
}
}
grouping characteristics {
description
"A set of characteristics of a monitoring information.";
leaf acquisition-method {
type identityref {
base acquisition-method;
}
Wang, et al. Expires – October 2023 [Page 20]
� I2NSF Intelligent Detection March 2023
description
"The acquisition-method for characteristics";
}
leaf emission-type {
when "derived-from-or-self(../acquisition-method, "
+ "'i2nsf-exmi:subscription')";
type identityref {
base emission-type;
}
description
"The emission-type for characteristics. This attribute is
used only when the acquisition-method is a
'subscription'.";
}
}
grouping characteristics-extended {
description
"An extended characteristics for the monitoring
information.";
uses characteristics;
leaf dampening-type {
type identityref {
base dampening-type;
}
description
"The dampening-type for characteristics";
}
}
grouping attack-rates {
description
"A set of traffic rates for monitoring attack traffic data.";
leaf attack-rate {
type uint64;
units "pps";
description
"The average packets per second (pps) rate of
attack traffic.";
}
leaf attack-throughput {
type uint64;
units "Bps";
description
"The average bytes per second (Bps) throughput of
attack traffic.";
}
}
/*
* Notification nodes
*/
Wang, et al. Expires – October 2023 [Page 21]
� I2NSF Intelligent Detection March 2023
notification i2nsf-event {
description
"Notification for I2NSF Event. This notification provides
general information that can be supported by most types of
NSFs.";
uses common-monitoring-data;
uses message;
uses characteristics-extended;
choice sub-event-type {
description
"This choice must be augmented with cases for each allowed
sub-event. Only 1 sub-event will be instantiated in each
i2nsf-event message. Each case is expected to define one
container with all the sub-event fields.";
case i2nsf-flow-features {
container i2nsf-traffic-flow-features {
description
"This notification is sent to inform about the traffic
flow features.";
leaf measurement-time {
type uint32;
units "seconds";
description
"The duration of the measurement in seconds
for the features of traffic flows. These
traffic flow features are measured over the
past measurement duration before now.";
}
leaf packets-per-second {
type uint64;
description
"Average number of packets forwarded per
second measured over the past 'measurement-time'.";
}
leaf bytes-per-second {
type uint64;
description
"Average number of bytes forwarded per second
measured over the past 'measurement-time'.";
}
leaf packet-size-mean {
type uint64;
description
"Average packet length of packets measured over
the past 'measurement-time'.";
}
Wang, et al. Expires – October 2023 [Page 22]
� I2NSF Intelligent Detection March 2023
leaf src-ip-entropy {
type uint64;
description
"Entropy of the source IP address measured over
the past 'measurement-time'.";
}
leaf dst-ip-entropy {
type uint64;
description
"The entropy of the destination IP address
measured over the past 'measurement-time'.";
}
leaf TTL-entropy {
type uint64;
description
"Packet lifetime TTL entropy measured over
the past 'measurement-time'.";
}
leaf tcp-src-port-entropy {
type uint64;
description
"TCP Packet source port entropy measured
over the past 'measurement-time'.";
}
leaf tcp-dst-port-entropy {
type uint64;
description
"TCP Packet destination port entropy measured
over the past 'measurement-time'.";
}
leaf udp-src-port-entropy {
type uint64;
description
"UDP Packet source port entropy measured
over the past 'measurement-time'.";
}
leaf udp-dst-port-entropy {
type uint64;
description
"UDP Packet destination port entropy measured
over the past 'measurement-time'.";
}
leaf packet-size-entropy {
type uint64;
description
"The entropy of packet length measured over the
past 'measurement-time'.";
}
leaf packets-variance {
Wang, et al. Expires – October 2023 [Page 23]
� I2NSF Intelligent Detection March 2023
type uint64;
description
"Variance of packets measured over the
past 'measurement-time'.";
}
}
}
}
}
notification i2nsf-log {
description
"Notification for I2NSF log. The notification
is generated from the logs of the NSF.";
uses common-monitoring-data;
uses message;
uses characteristics-extended;
choice sub-logs-type {
description
"This choice must be augmented with cases for each
allowed sub-logs. Only 1 sub-event will be
instantiated in each i2nsf-logs message. Each case
is expected to define one container with all the
sub-logs fields.";
case i2nsf-system-res-util-log {
container i2nsf-system-res-util-log {
description
"This notification is sent, if there is a new log
entry representing resource utilization updates.";
leaf system-status {
type enumeration {
enum running {
description
"The system is active and running the
security service.";
}
enum waiting {
description
"The system is active but waiting for an
event to provide the security service.";
}
enum inactive {
description
"The system is inactive and not running the
security service.";
}
}
description
Wang, et al. Expires – October 2023 [Page 24]
� I2NSF Intelligent Detection March 2023
"The current system's running status.";
}
leaf cpu-usage {
type uint8;
units "percent";
description
"Specifies the aggregated CPU usage in
percentage.";
}
leaf cpu-freq {
type uint64;
units "MHz";
description
"Specifies the frequency of CPU in MHz.";
}
leaf memory-usage {
type uint64;
units "MB";
description
"Specifies the MB of memory usage.";
}
leaf memory-total {
type uint64;
units "MB";
description
"Specifies the MB of total memory.";
}
leaf memory-available {
type uint64;
units "MB";
description
"Specifies the MB of available memory.";
}
list disks {
key disk-id;
description
"Disk is the hardware to store information for a
long period, i.e., Hard Disk or Solid-State Drive.";
leaf disk-id {
type string;
description
"The ID of the storage disk. It is a free form
identifier to identify the storage disk.";
}
leaf disk-usage {
type uint8;
units "percent";
description
"Specifies the percentage of disk usage.";
}
Wang, et al. Expires – October 2023 [Page 25]
� I2NSF Intelligent Detection March 2023
leaf disk-space-left {
type uint8;
units "percent";
description
"Specifies the available disk space left of
disk-id in percentage.";
}
}
list interface {
key interface-id;
description
"The network interface for connecting a device
with the network.";
leaf interface-id {
type string;
description
"The ID of the network interface. It is a free
form identifier to identify the network
interface.";
}
leaf in-traffic-rate {
type uint64;
units "pps";
description
"The total inbound traffic rate in packets
per second";
}
leaf out-traffic-rate {
type uint64;
units "pps";
description
"The total outbound traffic rate in packets
per second";
}
leaf in-traffic-throughput {
type uint64;
units "Bps";
description
"The total inbound traffic throughput in
bytes per second";
}
leaf out-traffic-throughput {
type uint64;
units "Bps";
description
"The total outbound traffic throughput in
bytes per second.";
}
leaf packet-loss-rate {
Wang, et al. Expires – October 2023 [Page 26]
� I2NSF Intelligent Detection March 2023
type uint64;
units "percent";
description
"The percentage of discarded packets.";
}
}
}
}
}
}
notification i2nsf-nsf-event {
description
"Notification for I2NSF NSF Event. This notification
provides specific information that can only be
provided by an NSF that supports additional features
(e.g., DDoS attack detection).";
uses common-monitoring-data;
uses message;
uses characteristics-extended;
choice sub-event-type {
description
"This choice must be augmented with cases for
each allowed sub-event. Only 1 sub-event will be
instantiated in each container with all the
sub-event fields.";
case i2nsf-nsf-detection-module {
container i2nsf-nsf-detection-module {
description
"This notification is sent, when a specific
attack is detected.";
list detection-module {
key detection-module-name;
description
"The specific detection module.";
leaf detection-module-name {
type string;
description
"The name of the specific detection module.";
}
leaf time-stamp {
type yang:date-and-time;
description
"Specify the time of a message being delivered.";
}
leaf response-time {
type yang:date-and-time;
description
Wang, et al. Expires – October 2023 [Page 27]
� I2NSF Intelligent Detection March 2023
"The time taken for the detection.";
}
leaf start-time {
type yang:date-and-time;
description
"The start time for the detection.";
}
leaf end-time {
type yang:date-and-time;
description
"The end time for the detection.";
}
container detected-attacks {
description
"The information of detected attacks.";
list attack-traffic{
key attack-id;
description
"The five-tuple (src/dst ip, port and protocol)
and attack type information of specific attack
traffic.";
leaf attack-id {
type string;
description
"The ID of the specific attack traffic which
has the same src/dst IP,protocol and attack
type.";
}
leaf attack-type {
type string;
description
"The type of the detected attack.";
}
leaf attack-src-ip {
type inet:ip-address-no-zone;
description
"The source IPv4 or IPv6 addresses of attack
traffic. ";
}
leaf attack-dst-ip {
type inet:ip-address-no-zone;
description
"The destination IPv4 or IPv6 addresses of
attack traffic. ";
}
leaf-list attack-src-port {
type inet:port-number;
description
"The transport-layer source ports of the
Wang, et al. Expires – October 2023 [Page 28]
� I2NSF Intelligent Detection March 2023
attack. It can hold multiple ports.";
}
leaf-list attack-dst-port {
type inet:port-number;
description
"The transport-layer destination
ports of the attack. It can hold multiple
ports.";
}
leaf protocol {
type identityref {
base protocol;
}
description
"The type of network protocol for the
attack.";
}
uses attack-rates;
}
}
}
}
}
}
}
}
<CODE ENDS>
4.2 The Extended Analytics Interface
This section describes the Extended Analytics Interface. The I2NSF
Analyzer sends feedback information and reconfiguration policies to
the Security Controller through this interface. The reconfiguration
policy in this document specifically refers to the path
reconfiguration policy.
The system feedback information refers to [I-D. lingga-i2nsf-
analytics-interface-dm], including the following information:
memory, CPU, disk, and interface alarm.
The NSF feedback in this document specifically refers to the DM
feedback, which is the same as the detection results defined in the
Extended Monitoring Interface.
The path reconfiguration policy is a new NSF path generated by
analyzing traffic features or detection results through the I2NSF
Analyzer to better detect attacks. The path reconfiguration policy
contains the following information:
Wang, et al. Expires – October 2023 [Page 29]
� I2NSF Intelligent Detection March 2023
o name: The name of the reconfiguration policy.
o path-id: Identify the different service function paths.
o nsf-name: Use the name to identify the NSF.
o sequence-number: Identifies the sequence of the NSF in the service
function path.
4.2.1 YANG Tree Structure of Extended Analytics Interface
The tree structure of the Extended Analytics Interface is provided
below:
module: wang-i2nsf-extended-analytics-interface
+--rw i2nsf-feedback-information* [time-stamp]
| +--rw time-stamp yang:date-and-time
| +--rw message? string
| +--rw language? string
| +--rw system-feedback-information
| | +--rw (alarm-type)?
| | +--:(memory-alarm)
| | | +--rw memory-alarm
| | | +--rw usage? uint8
| | | +--rw duration? uint32
| | +--:(cpu-alarm)
| | | +--rw cpu-alarm
| | | +--rw usage? uint8
| | | +--rw duration? uint32
| | +--:(disk-alarm)
| | | +--rw disk-alarm
| | | +--rw disk-id? string
| | | +--rw usage? uint8
| | | +--rw duration? uint32
| | +--:(interface-alarm)
| | +--rw interface-alarm
| | +--rw interface-id? string
| | +--rw interface-state? enumeration
| | +--rw duration? uint32
| +--rw nsf-feedback-information
| +--rw (nsf-type)?
| +--:(detection-module)
| +--rw detection-module
| +--rw detection-module-name? string
| +--rw detected-attacks
| +--rw attack-traffic* [attack-id]
| +--rw attack-id string
Wang, et al. Expires – October 2023 [Page 30]
� I2NSF Intelligent Detection March 2023
| +--rw attack-src-ip? inet:ip-address-no-zone
| +--rw attack-dst-ip? inet:ip-address-no-zone
| +--rw attack-src-port* inet:port-number
| +--rw attack-dst-port* inet:port-number
| +--rw protocol? identityref
| +--rw attack-rate? uint64
| +--rw attack-throughput? uint64
+--rw i2nsf-reconfiguration-policy* [name]
+--rw name string
+--rw (policy-type)?
+--:(path-reconfiguration-policy)
+--rw path-reconfiguration-policy
+--rw service-function-path* [path-id]
+--rw path-id string
+--rw nsfs
+--rw nsf* [nsf-name]
+--rw nsf-name string
+--rw sequence-number? uint64
Figure3 YANG Tree Structure of Extended Analytics Interface
4.2.2 YANG Data Model of Extended Analytics Interface
This section describes a YANG module of I2NSF Extended Analytics
interface. This YANG module imports from [RFC6991], and makes
references to [I-D. lingga-analytics-interface-dm] [RFC0768]
[RFC0791] [RFC0792] [RFC0854] [RFC1939] [RFC0959] [RFC2595]
[RFC4340] [RFC4443] [RFC5321] [RFC5646] [RFC6242] [RFC8200]
[RFC9051] [RFC9110] [RFC9112] [RFC9113] [RFC9260] [RFC9293].
<CODE BEGINS> file "wang-i2nsf-extended-analytics-interface@2023-03-
21.yang"
module ietf-wang-i2nsf-extended-analytics-interface {
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:wang-i2nsf-extension-
analytics-interface";
prefix i2nsf-exai;
import ietf-inet-types {
prefix inet;
reference "RFC6991";
}
import ietf-yang-types {
Wang, et al. Expires – October 2023 [Page 31]
� I2NSF Intelligent Detection March 2023
prefix yang;
reference "RFC6991";
}
organization
"IETF I2NSF (Interface to Network Security Functions)
Working Group";
contact
"WG Web: <https://datatracker.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org>
Author: Weilin Wang
<mailto:21111026@bjtu.edu.cn>
Author: Qi Guo
<mailto:20120044@bjtu.edu.cn>
Author: Shuangxing Deng
<mailto:21120038@bjtu.edu.cn>";
description
"This module is a YANG module for the extension of I2NSF
Analytics Interface.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this
document are to be interpreted as described in BCP 14
(RFC 2119) (RFC 8174) when, and only when, they appear
in all capitals, as shown here.
Copyright (c) 2022 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Revised BSD License
set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
for full legal notices.";
revision "2023-03-21"{
description "Initial revision.";
reference
"RFC XXXX: Extension of I2NSF NSF Analytics Interface
Wang, et al. Expires – October 2023 [Page 32]
� I2NSF Intelligent Detection March 2023
YANG Data Model";
}
/*
*Identity
*/
identity protocol {
description
"An identity used to enable type choices in leaves
and leaf-lists with respect to protocol metadata. This is used
to identify the type of protocol that goes through the NSF.";
}
identity ip {
base protocol;
description
"General IP protocol type.";
reference
"RFC0791: Internet Protocol
RFC8200: Internet Protocol, Version 6 (IPv6)";
}
identity ipv4 {
base ip;
description
"IPv4 protocol type.";
reference
"RFC0791: Internet Protocol";
}
identity ipv6 {
base ip;
description
"IPv6 protocol type.";
reference
"RFC8200: Internet Protocol, Version 6 (IPv6)";
}
identity icmp {
base protocol;
description
"Base identity for ICMPv4 and ICMPv6 condition capability";
reference
"RFC0792: Internet Control Message Protocol
RFC4443: Internet Control Message Protocol (ICMPv6)
for the Internet Protocol Version 6 (IPv6) Specification
- ICMPv6";
}
identity icmpv4 {
base icmp;
description
"ICMPv4 protocol type.";
reference
Wang, et al. Expires – October 2023 [Page 33]
� I2NSF Intelligent Detection March 2023
"RFC0791: Internet Protocol
RFC0792: Internet Control Message Protocol";
}
identity icmpv6 {
base icmp;
description
"ICMPv6 protocol type.";
reference
"RFC8200: Internet Protocol, Version 6 (IPv6)
RFC4443: Internet Control Message Protocol (ICMPv6)
for the Internet Protocol Version 6 (IPv6)
Specification";
}
identity transport-protocol {
base protocol;
description
"Base identity for Layer 4 protocol condition
capabilities, e.g., TCP, UDP, SCTP, DCCP, and ICMP.";
}
identity tcp {
base transport-protocol;
description
"TCP protocol type.";
reference
"[RFC9293]: Transmission
Control Protocol (TCP).";
}
identity udp {
base transport-protocol;
description
"UDP protocol type.";
reference
"RFC0768: User Datagram Protocol";
}
identity sctp {
base transport-protocol;
description
"Identity for SCTP condition capabilities";
reference
"RFC9260: Stream
Control Transmission Protocol";
}
identity dccp {
base transport-protocol;
description
"Identity for DCCP condition capabilities";
reference
"RFC4340: Datagram Congestion Control Protocol";
}
Wang, et al. Expires – October 2023 [Page 34]
� I2NSF Intelligent Detection March 2023
identity application-protocol {
base protocol;
description
"Base identity for Application protocol. Note
that a subset of application protocols (e.g.,
HTTP, HTTPS, FTP, POP3, and IMAP) are handled
in this YANG module, rather than all the
existing application protocols.";
}
identity http {
base application-protocol;
description
"The identity for Hypertext Transfer Protocol
version 1.1 (HTTP/1.1).";
reference
"[RFC9110]: HTTP Semantics
[RFC9112]: HTTP/1.1";
}
identity https {
base application-protocol;
description
"The identity for Hypertext Transfer Protocol
version 1.1 (HTTP/1.1) over TLS.";
reference
"[RFC9110]: HTTP Semantics
[RFC9112]: HTTP/1.1";
}
identity http2 {
base application-protocol;
description
"The identity for Hypertext Transfer Protocol
version 2 (HTTP/2).";
reference
"RFC9113: HTTP/2";
}
identity https2 {
base application-protocol;
description
"The identity for Hypertext Transfer Protocol
version 2 (HTTP/2) over TLS.";
reference
"RFC9113: HTTP/2";
}
identity ftp {
base application-protocol;
description
"FTP protocol type.";
reference
"RFC 0959: File Transfer Protocol";
Wang, et al. Expires – October 2023 [Page 35]
� I2NSF Intelligent Detection March 2023
}
identity ssh {
base application-protocol;
description
"SSH protocol type.";
reference
"RFC6242: Using the NETCONF Protocol over
Secure Shell (SSH)";
}
identity telnet {
base application-protocol;
description
"The identity for telnet.";
reference
"RFC 0854: Telnet Protocol";
}
identity smtp {
base application-protocol;
description
"The identity for smtp.";
reference
"RFC 5321: Simple Mail Transfer
Protocol (SMTP)";
}
identity pop3 {
base application-protocol;
description
"The identity for Post Office
Protocol 3 (POP3).";
reference
"RFC1939: Post Office Protocol
- Version 3 (POP3)";
}
identity pop3s {
base application-protocol;
description
"The identity for Post Office Protocol
3 (POP3) over TLS";
reference
"RFC1939: Post Office Protocol
- Version 3 (POP3)
RFC2595: Using TLS with IMAP, POP3 and ACAP";
}
identity imap {
base application-protocol;
description
"The identity for Internet Message Access
Protocol (IMAP).";
reference
Wang, et al. Expires – October 2023 [Page 36]
� I2NSF Intelligent Detection March 2023
"RFC9051: Internet Message Access Protocol
(IMAP) - Version 4rev2";
}
identity imaps {
base application-protocol;
description
"The identity for Internet Message Access
Protocol (IMAP) over TLS";
reference
"RFC9051: Internet Message Access Protocol
(IMAP) - Version 4rev2
RFC2595: Using TLS with IMAP, POP3 and ACAP";
}
/*
*Grouping
*/
grouping message {
description
"A set of common monitoring data that is needed
as the basic information.";
leaf message {
type string;
description
"This is a free text annotation for
monitoring a notification's content.";
}
leaf language {
type string {
pattern '((([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3})'
+ '{0,2})?)|[A-Za-z]{4}|[A-Za-z]{5,8})(-[A-Za-z]{4})?'
+ '(-([A-Za-z]{2}|[0-9]{3}))?(-([A-Za-z0-9]{5,8}'
+ '|([0-9][A-Za-z0-9]{3})))*(-[0-9A-WYZa-wyz]'
+ '(-([A-Za-z0-9]{2,8}))+)*(-[Xx](-([A-Za-z0-9]'
+ '{1,8}))+)?|[Xx](-([A-Za-z0-9]{1,8}))+|'
+ '(([Ee][Nn]-[Gg][Bb]-[Oo][Ee][Dd]|[Ii]-'
+ '[Aa][Mm][Ii]|[Ii]-[Bb][Nn][Nn]|[Ii]-'
+ '[Dd][Ee][Ff][Aa][Uu][Ll][Tt]|[Ii]-'
+ '[Ee][Nn][Oo][Cc][Hh][Ii][Aa][Nn]'
+ '|[Ii]-[Hh][Aa][Kk]|'
+ '[Ii]-[Kk][Ll][Ii][Nn][Gg][Oo][Nn]|'
+ '[Ii]-[Ll][Uu][Xx]|[Ii]-[Mm][Ii][Nn][Gg][Oo]|'
+ '[Ii]-[Nn][Aa][Vv][Aa][Jj][Oo]|[Ii]-[Pp][Ww][Nn]|'
+ '[Ii]-[Tt][Aa][Oo]|[Ii]-[Tt][Aa][Yy]|'
+ '[Ii]-[Tt][Ss][Uu]|[Ss][Gg][Nn]-[Bb][Ee]-[Ff][Rr]|'
+ '[Ss][Gg][Nn]-[Bb][Ee]-[Nn][Ll]|[Ss][Gg][Nn]-'
+ '[Cc][Hh]-[Dd][Ee])|([Aa][Rr][Tt]-'
+ '[Ll][Oo][Jj][Bb][Aa][Nn]|[Cc][Ee][Ll]-'
Wang, et al. Expires – October 2023 [Page 37]
� I2NSF Intelligent Detection March 2023
+ '[Gg][Aa][Uu][Ll][Ii][Ss][Hh]|'
+ '[Nn][Oo]-[Bb][Oo][Kk]|[Nn][Oo]-'
+ '[Nn][Yy][Nn]|[Zz][Hh]-[Gg][Uu][Oo][Yy][Uu]|'
+ '[Zz][Hh]-[Hh][Aa][Kk][Kk][Aa]|[Zz][Hh]-'
+ '[Mm][Ii][Nn]|[Zz][Hh]-[Mm][Ii][Nn]-'
+ '[Nn][Aa][Nn]|[Zz][Hh]-[Xx][Ii][Aa][Nn][Gg])))';
}
default "en-US";
description
"The value in this field indicates the language tag
used for the human readable fields (i.e., '../message',
'/i2nsf-log/i2nsf-nsf-system-access-log/output', and
'/i2nsf-log/i2nsf-system-user-activity-log/additional-info
/cause').
The attribute is encoded following the rules in Section 2.1
in RFC5646. The default language tag is 'en-US'";
reference
"RFC5646: Tags for Identifying Languages.";
}
}
grouping attack-rates {
description
"A set of traffic rates for monitoring
attack traffic data.";
leaf attack-rate {
type uint64;
units "pps";
description
"The average packets per second (pps)
rate of attack traffic";
}
leaf attack-throughput {
type uint64;
units "Bps";
description
"The average bytes per second (Bps)
throughput of attack traffic";
}
}
list i2nsf-feedback-information {
key time-stamp;
description
"Feedback information includes system
feedback information about resources
and NSF feedback information.";
leaf time-stamp {
type yang:date-and-time;
description
Wang, et al. Expires – October 2023 [Page 38]
� I2NSF Intelligent Detection March 2023
"Specify the time of the information
being delivered.";
}
uses message;
container system-feedback-information {
description
"The resources alarm about CPU, memory,
disks or interfaces will be sent to
I2NSF security controller.";
choice alarm-type {
description
"The alarm type.";
case memory-alarm {
container memory-alarm {
description
"The container for memory alarm.";
leaf usage {
type uint8 {
range "0..100";
}
units "percent";
description
"The average usage for the duration
of the alarm.";
}
leaf duration {
type uint32;
description
"Specify the duration of the first
alarm triggered until the feedback
information is created.";
}
}
}
case cpu-alarm {
container cpu-alarm {
description
"The case for CPU alarm.";
leaf usage {
type uint8 {
range "0..100";
}
units "percent";
description
"The average usage for the duration
of the alarm.";
}
leaf duration {
type uint32;
Wang, et al. Expires – October 2023 [Page 39]
� I2NSF Intelligent Detection March 2023
description
"Specify the duration of the first
alarm triggered until the feedback
information is created.";
}
}
}
case disk-alarm {
container disk-alarm {
description
"The container for disk alarm.";
leaf disk-id {
type string;
description
"The ID of the storage disk. It is
free form identifier to identify
the storage disk.";
}
leaf usage {
type uint8 {
range "0..100";
}
units "percent";
description
"The average usage for the duration
of the alarm.";
}
leaf duration {
type uint32;
description
"Specify the duration of the first
alarm triggered until the feedback
information is created.";
}
}
}
case interface-alarm {
container interface-alarm {
description
"The container for interface alarm.";
leaf interface-id {
type string;
description
"The ID of the network interface. It is
a free form identifier to identify
the network interface.";
}
leaf interface-state {
type enumeration {
Wang, et al. Expires – October 2023 [Page 40]
� I2NSF Intelligent Detection March 2023
enum up {
value 1;
description
"The interface state is up and
not congested. The interface is ready to
pass packets.";
}
enum down {
value 2;
description
"The interface state is down, i.e.,
does not pass any packets.";
}
enum congested {
value 3;
description
"The interface state is up but
congested.";
}
enum testing {
value 4;
description
"In some test mode. No operational
packets can be passed.";
}
enum unknown {
value 5;
description
"Status cannot be determined for
some reason.";
}
enum dormant {
value 6;
description
"Waiting for some external event.";
}
enum not-present {
value 7;
description
"Some component (typically hardware) is
missing.";
}
enum lower-layer-down {
value 8;
description
"Down due to state of lower-layer
interface(s).";
}
}
Wang, et al. Expires – October 2023 [Page 41]
� I2NSF Intelligent Detection March 2023
description
"The state of the interface. Applicable
for Network Interface Failure Alarm.";
reference
"RFC 8343: A YANG Data Model for Interface
Management- Operational States";
}
leaf duration {
type uint32;
description
"Specify the duration of the first
alarm triggered until the feedback
information is created.";
}
}
}
}
}
container nsf-feedback-information {
description
"The output of NSFs will be sent to the I2NSF
security controller.";
choice nsf-type {
description
"The NSF type.";
case detection-module {
container detection-module{
description
"The container for the detection
module.";
leaf detection-module-name {
type string;
description
"The name of the specific
detection module.";
}
container detected-attacks {
description
"The information of detected attacks.";
list attack-traffic{
key attack-id;
description
"The five-tuple (src/dst ip, port and
protocol) and attack type information
of specific attack traffic.";
leaf attack-id {
type string;
description
"The ID of the specific attack traffic
Wang, et al. Expires – October 2023 [Page 42]
� I2NSF Intelligent Detection March 2023
which has the same src/dst ip,
protocol and attack type.";
}
leaf attack-type {
type string;
description
"The type of the detected attack.";
}
leaf attack-src-ip {
type inet:ip-address-no-zone;
description
"The source IPv4 or IPv6 addresses
of attack traffic. It can hold
multiple IPv4 or IPv6 addresses.";
}
leaf attack-dst-ip {
type inet:ip-address-no-zone;
description
"The destination IPv4 or IPv6
addresses of attack traffic. It can hold
multiple IPv4 or IPv6 addresses.";
}
leaf-list attack-src-port {
type inet:port-number;
description
"The transport-layer source ports
of the attack.";
}
leaf-list attack-dst-port {
type inet:port-number;
description
"The transport-layer destination ports
of the attack.";
}
leaf protocol {
type identityref {
base protocol;
}
description
"The type of network protocol for
the interface counter. If this field
is empty, then the counter includes
all protocols (e.g., IPv4, IPv6,
TCP, and UDP)";
}
uses attack-rates;
}
}
}
Wang, et al. Expires – October 2023 [Page 43]
� I2NSF Intelligent Detection March 2023
}
}
}
}
list i2nsf-reconfiguration-policy {
description
"The reconfiguration policy generated
by the I2NSF Analyzer, which will
be sent to the I2NSF security controller.";
key name;
leaf name {
type string;
description
"The name of the reconfiguration policy.";
}
choice policy-type {
case path-reconfiguration-policy{
container path-reconfiguration-policy{
description
"The container for path reconfiguration
policy.";
list service-function-path{
key path-id;
description
"Indicates the NSFs through which
traffic passes in sequence.";
leaf path-id{
type string;
description
"Identify the different service
function paths.";
}
container nsfs {
description
"The container for the NSFs in the
service function chain (SFC).";
list nsf {
key nsf-name;
description
"The container for the NSF.";
leaf nsf-name {
type string;
description
"Use the name to identify the NSF.";
}
leaf sequence-number {
type uint64;
description
"Identifies the sequence of the NSF
Wang, et al. Expires – October 2023 [Page 44]
� I2NSF Intelligent Detection March 2023
in the service function path.";
}
}
}
}
}
}
}
}
}
<CODE ENDS>
4.3 The Extended NSF-Facing Interface
This section describes the Extended NSF-Facing Interface. The
extension to the interface is the path configuration rule.
The path configuration rule contains the following information:
o path-id: Identify the different service function paths.
o classifier-name: Use the name to identity the classifier.
o classifier-ip: The IPv4 or IPv6 address of the classifier.
o nsf-name: Use the name to identify the NSF.
o sequence-number: Identifies the sequence of the NSF in the
service function path.
o nsf-ip: The IPv4 or IPv6 address of the NSF.
o sff-ip: The IPv4 or IPv6 address of the corresponding SFF.
4.3.1 YANG Tree Structure of Extended NSF-Facing YANG Module
The tree structure of the Extended NSF-Facing YANG module is
provided below:
module: wang-i2nsf-extension-nsf-facing-interface
+--rw i2nsf-security-policy* [policy-name]
+--rw policy-name string
+--rw path-configuration-rule
+--rw path-id? string
Wang, et al. Expires – October 2023 [Page 45]
� I2NSF Intelligent Detection March 2023
+--rw classifiers
| +--rw classifier* [classifier-name]
| +--rw classifier-name string
| +--rw classifier-ip? inet:ip-address-no-zone
+--rw nsfs
+--rw nsf* [nsf-name]
+--rw nsf-name string
+--rw sequence-number? uint64
+--rw ip-address
+--rw nsf-ip? inet:ip-address-no-zone
+--rw sff-ip? inet:ip-address-no-zone
Figure 4: YANG Tree Structure of Extended NSF-Facing YANG Module
4.3.2 YANG Data Model of Extended NSF-Facing YANG Module
This section describes a YANG module of I2NSF extended NSF facing
interface. This YANG module imports from [RFC6991], and makes
references to [I-D. ietf-i2nsf-nsf-facing-interface-dm].
<CODE BEGINS> file "wang-i2nsf-extended-nsf-facing-interface@2023-
03-21.yang"
module ietf-wang-i2nsf-extension-nsf-facing-interface {
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:wang-i2nsf-extension-
nsf-facing-interface";
prefix i2nsf-exnfi;
import ietf-inet-types {
prefix inet;
reference "RFC 6991";
}
organization
"IETF I2NSF (Interface to Network Security Functions)
Working Group";
contact
"WG Web: <https://datatracker.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org>
Author: Weilin Wang
<mailto:21111026@bjtu.edu.cn>
Author: Qi Guo
<mailto:20120044@bjtu.edu.cn>
Wang, et al. Expires – October 2023 [Page 46]
� I2NSF Intelligent Detection March 2023
Author: Shuangxing Deng
<mailto:21120038@bjtu.edu.cn>";
description
"This module is a YANG module for the extension of I2NSF
NSF-Facing Interface.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this
document are to be interpreted as described in BCP 14
(RFC 2119) (RFC 8174) when, and only when, they appear
in all capitals, as shown here.
Copyright (c) 2022 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Revised BSD License
set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
for full legal notices.";
revision "2023-03-21"{
description "Initial revision.";
reference
"RFC XXXX: Extension of I2NSF NSF-Facing Interface
YANG Data Model";
}
list i2nsf-security-policy {
key policy-name;
description
"The container for the security policy.";
leaf policy-name {
type string;
description
"The name of the security policy.";
}
container path-configuration-rule {
description
"The container for path configuration rule.";
leaf path-id {
Wang, et al. Expires – October 2023 [Page 47]
� I2NSF Intelligent Detection March 2023
type string;
description
"Identify the different service function paths.";
}
container classifiers {
description
"The container for classifiers in the service
function chain (SFC).";
list classifier {
key classifier-name;
description
"The container for the classifier.";
leaf classifier-name {
type string;
description
"Use the name to identity the classifier.";
}
leaf classifier-ip {
type inet:ip-address-no-zone;
description
"The IPv4 or IPv6 address of the classifier.";
}
}
}
container nsfs {
description
"The container for the nsfs in the
service function chain (SFC).";
list nsf {
key nsf-name;
description
"The container for the NSF.";
leaf nsf-name {
type string;
description
"Use the name to identify the NSF.";
}
leaf sequence-number {
type uint64;
description
"Identifies the sequence of the NSF in the
service function path.";
}
container ip-address {
description
"The IPv4 or IPv6 address of the NSF and
the corresponding service function
forwarder (SFF).";
leaf nsf-ip {
description
Wang, et al. Expires – October 2023 [Page 48]
� I2NSF Intelligent Detection March 2023
"The IPv4 or IPv6 address of the NSF.";
type inet:ip-address-no-zone;
}
leaf sff-ip {
description
"The IPv4 or IPv6 address of the
corresponding SFF.";
type inet:ip-address-no-zone;
}
}
}
}
}
}
}
<CODE ENDS>
5. XML Examples of I2NSF Framework for AID
This section shows XML examples for the DDoS attacks [Two-Stage
Intelligent Model for Detecting Malicious DDoS Behavior] intelligent
detection, including XMLs of traffic flow features, path
reconfiguration policy and path configuration rules. Refer to
[RFC5277] for more detailed explanation of Event Streams. The XML
examples in this document follow the line breaks as per [RFC8792].
+----------------------------------------------+
| Secure Network |
| CF/SFF:192.168.14.0/24,DDoS-DM:172.17.0.0/16 |
| +-------------------------+ |
+-------------+ | +---+ | +---------+ | +---+ |
|DDoS Attacker| | |CF1|-->| |SFF1 | |->|CF2| |
|23.1.0.22, |DDoS | +---+ | |DDoS-DM-1| +---------+ | +---+ |
|23.1.0.23, +----->| | +---------+ |SFF3 | | | |
|23.1.0.24 |Attack| | +---------+ |DDoS-DM-3| | | |
+-------------+ | | |SFF2 | |DDoS-DM-5| | v |
| | |DDoS-DM-2| +---------+ | +------+ |
| | |DDoS-DM-4| | |Server| |
| | +---------+ | +------+ |
| +-------------------------+ |
+----------------------------------------------+
Figure 5: A Scenario Example of a DDoS Attack
In this example, the scenario can be seen in Figure 5. This example
contains five DDoS DMs to detect different types of DDoS attacks.
The system presets an SFC path, path1= {DDoS-DM-2,
DDoS-DM-1, DDoS-DM-4, DDoS-DM-3}.
Wang, et al. Expires – October 2023 [Page 49]
� I2NSF Intelligent Detection March 2023
The entrance classifier (CF1) feeds back traffic features to the
I2NSF Analyzer through the Extended Monitoring Interface. The
following XML file shows the feedback traffic flow features:
<?xml version="1.0" encoding="UTF-8"?>
<notification
xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
<eventTime>2022-09-20T11:28:01.00Z</eventTime>
<i2nsf-event
xmlns="urn:ietf:params:xml:ns:yang:wang-i2nsf-extended-
monitoring-interface">
<nsf-name>CF1</nsf-name>
<acquisition-method>subscription</acquisition-method>
<emission-type>on-change</emission-type>
<dampening-type>on-repetition</dampening-type>
<i2nsf-traffic-flow-features>
<measurement-time>5</measurement-time>
<packets-per-second>400.18</packets-per-second>
<bytes-per-second>450643.1</bytes-per-second>
<packet-size-mean>1126.1</packet-size-mean>
<src-ip-entropy>3.27</src-ip-entropy>
<dst-ip-entropy>1.71</dst-ip-entropy>
<TTL-entropy>3.17</TTL-entropy>
<tcp-src-port-entropy>5.34</tcp-src-port-entropy>
<tcp-dst-port-entropy>4.44</tcp-dst-port-entropy>
<udp-src-port-entropy>5.02</udp-src-port-entropy>
<udp-dst-port-entropy>5.02</udp-dst-port-entropy>
<packet-size-entropy>2.5</packet-size-entropy>
<packets-variance>0</packets-variance>
</i2nsf-traffic-flow-features>
</i2nsf-event>
</notification>
Figure 6: The Feedback Traffic Flow Features by CF1
The XML file in Figure6 shows:
o The NSF that sends the information is named "CF1".
o The monitoring information is received by subscription method.
o The monitoring information is emitted "on-change".
o The monitoring information is dampened "on-repetition".
o The measurement time is 5s.
Wang, et al. Expires – October 2023 [Page 50]
� I2NSF Intelligent Detection March 2023
o The packets per second is 400.18.
o The bytes per second is 450643.1.
o The packet size mean is 1126.1.
o The source IP entropy is 3.27.
o The destination IP entropy is 1.71.
o The TTL entropy is 3.17.
o The TCP source port entropy is 5.34.
o The TCP destination port entropy is 4.44.
o The UDP source port entropy is 5.02.
o The UDP destination port entropy is 5.02.
o The packet size entropy is 2.5.
o The packets variance is 0.
I2NSF Analyzer analyzes traffic features and generates path
reconfiguration policies for the current traffic. The policy is sent
to the Security Controller through the Extended Analytics Interface.
The following XML file shows the path reconfiguration policy:
<?xml version="1.0" encoding="UTF-8"?>
<i2nsf-reconfiguration-policy
xmlns="urn:ietf:params:xml:ns:yang:wang-i2nsf-extension-analytics-
interface">
<name>detection-path-reconfiguration-policy</name>
<path-reconfiguration-policy>
<service-function-path>
<path-id>path2</path-id>
<nsfs>
<nsf>
<nsf-name>DDoS-DM-5</nsf-name>
<sequence-number>1</sequence-number>
</nsf>
<nsf>
<nsf-name>DDoS-DM-3</nsf-name>
<sequence-number>2</sequence-number>
</nsf>
<nsf>
Wang, et al. Expires – October 2023 [Page 51]
� I2NSF Intelligent Detection March 2023
<nsf-name>DDoS-DM-4</nsf-name>
<sequence-number>3</sequence-number>
</nsf>
</nsfs>
</service-function-path>
</path-reconfiguration-policy>
</i2nsf-reconfiguration-policy>
Figure 7: The Path Reconfiguration Policy Generated by I2NSF Analyzer
The XML file in Figure7 shows:
o The policy name is "detection-path-reconfiguration-policy".
o The path ID is "path2".
o The NSFs in the path are named "DDoS-DM-5", "DDoS-DM-3" and
"DDoS-DM-4". Their sequence numbers are "1", "2" and "3"
respectively.
The Security Controller translates this policy into path
configuration rules and sends these rules to the SDN Controller
through the Extended NSF-Facing Interface. The following XML file
shows the path configuration rules for SDN Controller:
<?xml version="1.0" encoding="UTF-8"?>
<i2nsf-security-policy
xmlns="urn:ietf:params:xml:ns:yang:wang-i2nsf-extension-nsf-facing-
interface">
<policy-name>detection-path-reconfiguration-policy</policy-name>
<path-configuration-rule>
<path-id>path2</path-id>
<classifiers>
<classifier>
<classifier-name>CF1</classifier-name>
<classifier-ip>192.168.14.7</classifier-ip>
</classifier>
<classifier>
<classifier-name>CF2</classifier-name>
<classifier-ip>192.168.14.8</classifier-ip>
</classifier>
</classifiers>
<nsfs>
<nsf>
<nsf-name>DDoS-DM-5</nsf-name>
<sequence-number>1</sequence-number>
<ip-address>
<nsf-ip>172.17.23.2</nsf-ip>
<sff-ip>192.168.14.23</sff-ip>
Wang, et al. Expires – October 2023 [Page 52]
� I2NSF Intelligent Detection March 2023
</ip-address>
</nsf>
<nsf>
<nsf-name>DDoS-DM-3</nsf-name>
<sequence-number>2</sequence-number>
<ip-address>
<nsf-ip>172.17.23.3</nsf-ip>
<sff-ip>192.168.14.23</sff-ip>
</ip-address>
</nsf>
<nsf>
<nsf-name>DDoS-DM-4</nsf-name>
<sequence-number>3</sequence-number>
<ip-address>
<nsf-ip>172.17.24.2</nsf-ip>
<sff-ip>192.168.14.24</sff-ip>
</ip-address>
</nsf>
</nsfs>
</path-configuration-rule>
Figure 8: The Path Configuration Rules for SDN Controller
The XML file in Figure8 shows:
o The policy name is "detection-path-reconfiguration-policy".
o The path ID is "path2".
o The classifiers in the path are named "CF1" and "CF2". Their IP
addresses are "192.168.14.7" and "192.168.14.8" respectively.
o The first NSF in the path is named "DDoS-DM-5". Its IP address is
"172.17.23.2", and its corresponding SFF IP address is
"192.168.14.23".
o The second NSF in the path is named "DDoS-DM-3". Its IP address
is "172.17.23.3", and its corresponding SFF IP address is
"192.168.14.23".
o The third NSF in the path is named "DDoS-DM-4". Its IP address is
"172.17.24.2", and its corresponding SFF IP address is
"192.168.14.24".
The SDN Controller generates flow tables according to the path
configuration rules and sends them to CFs and SFFs to make the
traffic pass the new detection path, path2= {DDoS-DM-5, DDoS-DM-3,
DDoS-DM-4}. Through three extended interfaces, I2NSF Analyzer and
Wang, et al. Expires – October 2023 [Page 53]
� I2NSF Intelligent Detection March 2023
Security Controller realize dynamic automatic adjustment of DDoS
attack detection path policy based on the closed-loop feedback.
6. IANA Considerations
This document has no IANA actions
7. Security Considerations
The YANG module specified in this document defines a data schema
designed to be accessed through network management protocols such as
NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is
the secure transport layer, and the required secure transport is
Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS,
and the required secure transport is TLS [RFC8446].
The NETCONF access control model [RFC8341] provides a means of
restricting access to specific NETCONF or RESTCONF users to a
preconfigured subset of all available NETCONF or RESTCONF protocol
operations and content.
There are a number of data nodes defined in this YANG module that are
writable/creatable/delectable (i.e., config true, which is the
default). These data nodes may be considered sensitive or vulnerable
in some network environments. Write operations (e.g., edit-config) to
these data nodes without proper protection can have a negative effect
on network operations. The data models in this document uses the data
model from NSF Monitoring data model, Analytics Interface YANG data
model and NSF-Facing Interface data model, they MUST follow the
Security Considerations mentioned in [I-D. ietf-i2nsf-nsf-monitoring-
data-model], [I-D. lingga-i2nsf-analytics-interface-dm] and [I-D.
ietf-i2nsf-nsf-facing-interface-dm].
Some of the readable data nodes in this YANG module may be considered
sensitive or vulnerable in some network environments. Thus, it is
important to control read access (e.g., via get, get-config, or
notification) to these data nodes. This document MUST also follow the
Security Considerations about the readable data nodes mentioned in
[I-D. ietf-i2nsf-nsf-monitoring-data-model], [I-D. lingga-i2nsf-
analytics-interface-dm] and [I-D. ietf-i2nsf-nsf-facing-interface-
dm].
8. References
8.1 Normative References
Wang, et al. Expires – October 2023 [Page 54]
� I2NSF Intelligent Detection March 2023
[RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, DOI
10.17487/RFC0768, August 1980, <https://www.rfc-
editor.org/info/rfc768>.
[RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, DOI
10.17487/RFC0791, September 1981, <https://www.rfc-
editor.org/info/rfc791>.
[RFC0792] Postel, J., "Internet Control Message Protocol", STD 5,
RFC 792, DOI 10.17487/RFC0792, September 1981,
<https://www.rfc-editor.org/info/rfc792>.
[RFC0854] Postel, J. and J. Reynolds, "Telnet Protocol
Specification", STD 8, RFC 854, DOI 10.17487/RFC0854, May
1983, <https://www.rfc-editor.org/info/rfc854>.
[RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol", STD
9, RFC 959, DOI 10.17487/RFC0959, October 1985,
<https://www.rfc-editor.org/info/rfc959>.
[RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3",
STD 53, RFC 1939, DOI 10.17487/RFC1939, May 1996,
<https://www.rfc-editor.org/info/rfc1939>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI
10.17487/RFC2119, March 1997, <https://www.rfc-
editor.org/info/rfc2119>.
[RFC2595] Newman, C., "Using TLS with IMAP, POP3 and ACAP", RFC 2595,
DOI 10.17487/RFC2595, June 1999, <https://www.rfc-
editor.org/info/rfc2595>.
[RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram
Congestion Control Protocol (DCCP)", RFC 4340, DOI
10.17487/RFC4340, March 2006,<https://www.rfc-
editor.org/info/rfc4340>.
[RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet
Control Message Protocol (ICMPv6) for the Internet
Protocol Version 6 (IPv6) Specification", STD 89, RFC 4443,
DOI 10.17487/RFC4443, March 2006, <https://www.rfc-
editor.org/info/rfc4443>.
[RFC5277] Chisholm, S. and H. Trevino, "NETCONF Event Notifications",
RFC 5277, DOI 10.17487/RFC5277, July 2008,
<https://www.rfc-editor.org/info/rfc5277>.
Wang, et al. Expires – October 2023 [Page 55]
� I2NSF Intelligent Detection March 2023
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
DOI 10.17487/RFC5321, October 2008, <https://www.rfc-
editor.org/info/rfc5321>.
[RFC5646] Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying
Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646,
September 2009, <https://www.rfc-editor.org/info/rfc5646>.
[RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the
Network Configuration Protocol (NETCONF)", RFC 6020,
October 2010, <https://www.rfc-editor.org/info/rfc6020>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>.
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991,
DOI 10.17487/RFC6991, July 2013, <https://www.rfc-
editor.org/info/rfc6991>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", STD 86, RFC 8200, DOI
10.17487/RFC8200, July 2017, <https://www.rfc-
editor.org/info/rfc8200>.
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
Access Control Model", RFC 8341, DOI 10.17487/RFC8341, STD
91, March 2018, <https://www.rfc-editor.org/info/rfc8341>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
[RFC8641] Clemm, A. and E. Voit, "Subscription to YANG Notifications
for Datastore Updates", RFC 8641, DOI 10.17487/RFC8641,
September 2019, <https://www.rfc-editor.org/info/rfc8641>.
Wang, et al. Expires – October 2023 [Page 56]
� I2NSF Intelligent Detection March 2023
[RFC9051] Melnikov, A., Ed. and B. Leiba, Ed., "Internet
MessageAccess Protocol (IMAP) - Version 4rev2", RFC 9051,
DOI 10.17487/RFC9051, August 2021, <https://www.rfc-
editor.org/info/rfc9051>.
[RFC9110] R. Fielding, M. Nottingham and J. Reschke, "HTTP
Semantics", RFC9110, DOI 10.17487/RFC9110, June 2022,
<https://www.rfc-editor.org/info/rfc9110>.
[RFC9112] Fielding, R. T., Nottingham, M., and J. Reschke,
"HTTP/1.1", RFC9112, DOI 10.17487/RFC9112, June 2022,
<https://www.rfc-editor.org/info/rfc9112>.
[RFC9113] Thomson, M. and C. Benfield, "HTTP/2", RFC9113, DOI
10.17487/RFC9113, June 2022, <https://www.rfc-
editor.org/info/rfc9113>.
[RFC9260] R. Stewart, M. Tüxen and K. Nielsen, "Stream Control
Transmission Protocol", DOI 10.17487/RFC9260, June 2022,
<https://www.rfc-editor.org/info/rfc9260>.
[RFC9293] W. Eddy, "Transmission Control Protocol (TCP)", DOI
10.17487/RFC9293, August 2022, <https://www.rfc-
editor.org/info/rfc9293>.
[I-D. lingga-i2nsf-analytics-interface-dm]
P. Lingga, Ed., J. Jeong, Ed. and Y. Choi, "I2NSF Analytics
Interface YANG Data Model", Work in Progress, Internet-Draft,
draft-lingga-i2nsf-analytics-interface-dm-00, 25 July 2022, <
https://www.ietf.org/archive/id/draft-lingga-i2nsf-analytics-
interface-dm-00.txt>.
[I-D. ietf-i2nsf-applicability]
Jeong, J. P., Hyun, S., Ahn, T., Hares, S., and D. R. Lopez,
"Applicability of Interfaces to Network Security Functions to
Network-Based Security Services", Work in Progress, Internet-
Draft, draft-ietf-i2nsf-applicability-18, 16 September 2019,
<https://www.ietf.org/archive/id/draft-ietf-i2nsf-
applicability-18.txt>.
[I-D. ietf-i2nsf-nsf-facing-interface-dm]
Kim, J. T., Jeong, J. P., Park, J., Hares, S., and Q. Lin,
"I2NSF Network Security Function-Facing Interface YANG Data
Model", Work in Progress, Internet-Draft, draft-ietfi2nsf-nsf-
facing-interface-dm-29, 1 June 2022,
<https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsffacing-
interface-dm-29.txt>.
Wang, et al. Expires – October 2023 [Page 57]
� I2NSF Intelligent Detection March 2023
[I-D. ietf-i2nsf-nsf-monitoring-data-model]
Jeong, J. P., Lingga, P., Hares, S., Xia, L. F., and H.
Birkholz, "I2NSF NSF Monitoring Interface YANG Data Model",
Work in Progress, Internet-Draft, draft-ietfi2nsf-nsf-
monitoring-data-model-20, 1 June 2022,
<https://www.ietf.org/archive/id/draft-ietf-i2nsf-
nsfmonitoring-data-model-20.txt>.
[I-D. jeong-i2nsf-security-management-automation]
Jeong, J. (., Lingga, P., and J. Park, "An Extension of I2NSF
Framework for Security Management Automation in Cloud-Based
Security Services", Work in Progress, Internet-Draft, draft-
jeong-i2nsf-security-managementautomation-04, 25 July 2022,
<https://www.ietf.org/archive/id/draft-jeong-i2nsfsecurity-
management-automation-04.txt>.
[ITU-TY.3300]
International Telecommunications Union "Y.3300: Framework of
software defined networking", June 2014,
<https://www.itu.int/rec/T-REC-Y.3300/en>.
8.2 Informative References
[RFC7665] Halpern, J. and C. Pignataro, "Service Function Chaining
(SFC) Architecture", RFC 7665, October 2015,
<https://www.rfc-editor.org/info/rfc7665>.
[RFC8192] Hares, S. Lopez, D. Zarny, M. Jacquenet, C. Kumar, R. and
J. Jeong "Interface to Network Security Functions (I2NSF):
Problem Statement and Use Cases" RFC8192 DOI
10.17487/RFC8192 <https://www.rfc-editor.org/info/rfc8192>.
[RFC8329] Lopez, D. Lopez, E. Dunbar, L. Strassner, J. R. Kumar
"Framework for Interface to Network Security Functions",
RFC 8329, DOI 10.17487/RFC8329, <https://www.rfc-
editor.org/info/rfc8329>.
[RFC8455] V. Bhuvaneswaran, A. Basil, M. Tassinari, V. Manral and S.
Banks, "Terminology for Benchmarking Software-Defined
Networking (SDN) Controller Performance", RFC8455, DOI
10.17487/RFC8455, <https://www.rfc-
editor.org/info/rfc8455>.
[RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu,
"Handling Long Lines in Content of Internet-Drafts and
RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020,
<https://www.rfc-editor.org/info/rfc8792>.
Wang, et al. Expires – October 2023 [Page 58]
� I2NSF Intelligent Detection March 2023
[Two-Stage Intelligent Model for Detecting Malicious DDoS Behavior]
Li, M.; Zhou, H.; Qin, Y. Two-Stage Intelligent Model for
Detecting Malicious DDoS Behavior. Sensors 2022, 22, 2532.
https:// doi.org/10.3390/s22072532
Acknowledgments
TBC
Author's Addresses
Weilin Wang
Beijing Jiaotong University
Beijing
Phone: <86-15910887582>
Email: 21111026@bjtu.edu.cn
Huachun Zhou
Beijing Jiaotong University
Beijing
Phone: <86-13718168186>
Email: hchzhou@bjtu.edu.cn
Man Li
Beijing Jiaotong University
Beijing
Phone: <86-18810911698>
Email: 20111018@bjtu.edu.cn
Qi Guo
Beijing Jiaotong University
Beijing
Phone: <86-18310379269>
Email: 20120044@bjtu.edu.cn
Shuangxing Deng
Beijing Jiaotong University
Beijing
Phone: <86-13040062046>
Email: 21120038@bjtu.edu.cn
Wang, et al. Expires – October 2023 [Page 59]
�
