ietf-ipsec
HTML
ietf-ipsec@2017-05-02
module ietf-ipsec { yang-version 1; namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec"; prefix eipsec; import ietf-inet-types { prefix inet; } import ietf-yang-types { prefix yang; } organization "University of Murcia"; contact " Rafael Marin Lopez Dept. Information and Communications Engineering (DIIC) Faculty of Computer Science-University of Murcia 30100 Murcia - Spain Telf: +34868888501 e-mail: rafa@um.es Gabriel Lopez Millan Dept. Information and Communications Engineering (DIIC) Faculty of Computer Science-University of Murcia 30100 Murcia - Spain Tel: +34 868888504 email: gabilm@um.es "; description "Data model for IPSec"; revision "2017-05-02" { description "Initial revision."; reference ""; } feature case1 { description "feature case 1: IKE SPD PAD"; } feature case2 { description "feature case 2: SPD SAD"; } typedef encryption-algorithm-t { type enumeration { enum "reserved-0" { value 0; description "reserved"; } enum "des-iv4" { value 1; description "DES IV 4"; } enum "des" { value 2; description "DES"; } enum "3des" { value 3; description "3DES"; } enum "rc5" { value 4; description "RC5"; } enum "idea" { value 5; description "IDEA"; } enum "cast" { value 6; description "CAST"; } enum "blowfish" { value 7; description "BlowFish"; } enum "3idea" { value 8; description "3IDEA"; } enum "des-iv32" { value 9; description "DES-IV32"; } enum "reserved-10" { value 10; description "reserved-10"; } enum "null" { value 11; description "NULL"; } enum "aes-cbc" { value 12; description "AES-CBC"; } enum "aes-ctr" { value 13; description "AES-CTR"; } enum "aes-ccm-8" { value 14; description "AES-CCM-8"; } enum "aes-ccm-12" { value 15; description "AES-CCM-12"; } enum "aes-ccm-16" { value 16; description "AES-CCM-16"; } enum "reserved-17" { value 17; description "reserved-17"; } enum "aes-gcm-8-icv" { value 18; description "AES-GCM-8-ICV"; } enum "aes-gcm-12-icv" { value 19; description "AES-GCM-12-ICV"; } enum "aes-gcm-16-icv" { value 20; description "AES-GCM-16-ICV"; } enum "null-auth-aes-gmac" { value 21; description "Null-Auth-AES-GMAC"; } enum "ieee-p1619-xts-aes" { value 22; description "encr-ieee-p1619-xts-aes -> Reserved for IEEE P1619 XTS-AES."; } enum "camellia-cbc" { value 23; description "CAMELLIA-CBC"; } enum "camellia-ctr" { value 24; description "CAMELLIA.CTR"; } enum "camellia-ccm-8-icv" { value 25; description "CAMELLIA-CCM-8-ICV"; } enum "camellia-ccm-12-icv" { value 26; description "CAMELLIA-CCM-12-ICV"; } enum "camellia-ccm-16-icv" { value 27; description "CAMELLIA-CCM-16-ICV"; } enum "aes-cbc-128" { value 28; description "AES-CBC-128"; } enum "aes-cbc-192" { value 29; description "AES-CBC-192"; } enum "aes-cbc-256" { value 30; description "AES-CBC-256"; } enum "blowfish-128" { value 31; description "BlowFish-128"; } enum "blowfish-192" { value 32; description "BlowFish-192"; } enum "blowfish-256" { value 33; description "BlowFish-256"; } enum "blowfish-448" { value 34; description "BlowFish-448"; } enum "camellia-128" { value 35; description "CAMELLIA-128"; } enum "camellia-192" { value 36; description "CAMELLIA-192"; } enum "camellia-256" { value 37; description "CAMELLIA-256"; } enum "AES-GCM-16-ICV" { value 38; description "AES-GCM-16-ICV (AEAD)"; } enum "AES-CCM" { value 39; description "AES-CCM (AEAD)"; } } description "Encryption algorithms -> RFC_5996"; } typedef integrity-algorithm-t { type enumeration { enum "none" { value 0; description "NONE"; } enum "hmac-md5-96" { value 1; description "HMAC-MD5-96"; } enum "hmac-sha1-96" { value 2; description "HMAC-SHA1-96"; } enum "des-mac" { value 3; description "DES-MAC"; } enum "kpdk-md5" { value 4; description "KPDK-MD5"; } enum "aes-xcbc-96" { value 5; description "AES-XCBC-96"; } enum "hmac-md5-128" { value 6; description "HMAC-MD5-128"; } enum "hmac-sha1-160" { value 7; description "HMAC-SHA1-160"; } enum "aes-cmac-96" { value 8; description "AES-CMAC-96"; } enum "aes-128-gmac" { value 9; description "AES-128-GMAC"; } enum "aes-192-gmac" { value 10; description "AES-192-GMAC"; } enum "aes-256-gmac" { value 11; description "AES-256-GMAC"; } enum "hmac-sha2-256-128" { value 12; description "HMAC-SHA2-256-128"; } enum "hmac-sha2-384-192" { value 13; description "HMAC-SHA2-384-192"; } enum "hmac-sha2-512-256" { value 14; description "HMAC-SHA2-512-256"; } enum "hmac-sha2-256-96" { value 15; description "HMAC-SHA2-256-096"; } } description "Integrity Algorithms -> RFC_5996"; } typedef type-autostartup { type enumeration { enum "ALWAYSON" { value 0; description " "; } enum "INITIATE-ON-DEMAND" { value 1; description " "; } enum "RESPOND-ONLY" { value 2; description " "; } } description "Different types of how IKEv2 starts the IPsec SAs"; } typedef auth-protocol-type { type enumeration { enum "IKEv1" { value 0; description "Authentication protocol based on IKEv1"; } enum "IKEv2" { value 1; description "Authentication protocol based on IKEv2"; } enum "KINK" { value 2; description "Authentication protocol based on KINK"; } } description "Peer authentication protocols"; } typedef ipsec-mode { type enumeration { enum "TRANSPORT" { value 0; description "Transport mode"; } enum "TUNNEL" { value 1; description "Tunnel mode"; } enum "BEET" { value 2; description "Bound End-to-End Tunnel (BEET) mode for ESP."; } enum "RO" { value 3; description "Route Optimization mode for Mobile IPv6"; } enum "IN_TRIGGER" { value 4; description "In trigger mode for Mobile IPv6"; } } description "type define of ipsec mode"; } typedef esp-encap { type enumeration { enum "ESPINTCP" { value 0; description "ESP in TCP encapulation."; } enum "ESPINTLS" { value 1; description "ESP in TCP encapsulation using TLS."; } enum "ESPINUDP" { value 2; description "ESP in UDP encapsulation. RFC 3948 "; } } description "type defining types of ESP encapsulation"; } typedef ipsec-protocol { type enumeration { enum "ah" { value 0; description "AH Protocol"; } enum "esp" { value 1; description "ESP Protocol"; } enum "comp" { value 2; description "IP Compression"; } enum "route2" { value 3; description "Routing Header type 2. Mobile IPv6"; } enum "hao" { value 4; description "Home Agent Option"; } } description "type define of ipsec security protocol"; } typedef ipsec-spi { type uint32 { range "1..max"; } description "SPI"; } typedef lifetime-action { type enumeration { enum "terminate" { value 0; description "Terminate the IPsec SA"; } enum "replace" { value 1; description "Replace the IPsec SA with a new one"; } } description "Action when lifetime expiration"; } typedef ipsec-traffic-direction { type enumeration { enum "INBOUND" { value 0; description "Inbound traffic"; } enum "OUTBOUND" { value 1; description "Outbound traffic"; } enum "FORWARD" { value 2; description "Forwarded traffic"; } } description "IPsec traffic direction"; } typedef ipsec-spd-operation { type enumeration { enum "PROTECT" { value 0; description "PROTECT the traffic with IPsec"; } enum "BYPASS" { value 1; description "BYPASS the traffic"; } enum "DISCARD" { value 2; description "DISCARD the traffic"; } } description "The operation when traffic matches IPsec security policy"; } typedef ipsec-next-layer-proto { type enumeration { enum "TCP" { value 0; description "PROTECT the traffic with IPsec"; } enum "UDP" { value 1; description "BYPASS the traffic"; } enum "SCTP" { value 2; description "PROTECT the traffic with IPsec"; } enum "DCCP" { value 3; description "PROTECT the traffic with IPsec"; } enum "ICMP" { value 4; description "PROTECT the traffic with IPsec"; } enum "IPv6-ICMP" { value 5; description "PROTECT the traffic with IPsec"; } enum "MH" { value 6; description "PROTECT the traffic with IPsec"; } enum "GRE" { value 7; description "PROTECT the traffic with IPsec"; } } description "Next layer proto on top of IP"; } typedef ipsec-spd-name { type enumeration { enum "id_rfc_822_addr" { value 0; description "Fully qualified user name string."; } enum "id_fqdn" { value 1; description "Fully qualified DNS name."; } enum "id_der_asn1_dn" { value 2; description "X.500 distinguished name."; } enum "id_key" { value 3; description "IKEv2 Key ID."; } } description "IPsec SPD name type"; } typedef auth-method-type { type enumeration { enum "pre-shared" { value 0; description "Select pre-shared key message as the authentication method"; } enum "rsa-signature" { value 1; description "Select rsa digital signature as the authentication method"; } enum "dss-signature" { value 2; description "Select dss digital signature as the authentication method"; } enum "eap" { value 3; description "Select EAP as the authentication method"; } } description "Peer authentication method"; } grouping auth-method-grouping { description "Peer authentication method data"; container auth-method { description "Peer authentication method container"; leaf auth-m { type auth-method-type; description "Type of authentication method (preshared, rsa, etc.)"; } container pre-shared { when "../auth-m = 'pre-shared'"; description "Shared secret value"; leaf secret { type string; description "Pre-shared secret value"; } } // container pre-shared container rsa-signature { when "../auth-m = 'rsa-signature'"; description "RSA signature container"; leaf key-data { type string; description "RSA private key data - PEM"; } leaf key-file { type string; description "RSA private key file name "; } leaf-list ca-data { type string; description "List of trusted CA certs - PEM"; } leaf ca-file { type string; description "List of trusted CA certs file"; } leaf cert-data { type string; description "X.509 certificate data - PEM4"; } leaf cert-file { type string; description "X.509 certificate file"; } leaf crl-data { type string; description "X.509 CRL certificate data in base64"; } leaf crl-file { type string; description " X.509 CRL certificate file"; } } // container rsa-signature } // container auth-method } // grouping auth-method-grouping grouping identity-grouping { description "Identification type. It is an union identity"; choice identity { description "Choice of identity."; leaf ipv4-address { type inet:ipv4-address; description "Specifies the identity as a single four (4) octet IPv4 address. An example is, 10.10.10.10. "; } leaf ipv6-address { type inet:ipv6-address; description "Specifies the identity as a single sixteen (16) octet IPv6 address. An example is FF01::101, 2001:DB8:0:0:8:800:200C:417A ."; } leaf fqdn-string { type inet:domain-name; description "Specifies the identity as a Fully-Qualified Domain Name (FQDN) string. An example is: example.com. The string MUST not contain any terminators (e.g., NULL, CR, etc.)."; } leaf rfc822-address-string { type string; description "Specifies the identity as a fully-qualified RFC822 email address string. An example is, jsmith@example.com. The string MUST not contain any terminators (e.g., NULL, CR, etc.)."; } leaf dnX509 { type string; description "Specifies the identity as a distinguished name in the X.509 tradition."; } leaf id_key { type string; description "Key id"; } } // choice identity } // grouping identity-grouping grouping ip-addr-range { description "IP address range grouping"; leaf start { type inet:ip-address; description "Start IP address"; } leaf end { type inet:ip-address; description "End IP address"; } } // grouping ip-addr-range grouping port-range { description "Port range grouping"; leaf start { type inet:port-number; description "Start IP address"; } leaf end { type inet:port-number; description "End IP address"; } } // grouping port-range grouping tunnel-grouping { description "Tunnel mode grouping"; leaf local { type inet:ip-address; description "Local tunnel endpoint"; } leaf remote { type inet:ip-address; description "Remote tunnel enpoint"; } leaf bypass-df { type boolean; description "bypass DF bit"; } leaf bypass-dscp { type boolean; description "bypass DSCP"; } leaf dscp-mapping { type yang:hex-string; description "DSCP mapping"; } leaf ecn { type boolean; description "Bit ECN"; } } // grouping tunnel-grouping grouping selector-grouping { description "Traffic selector grouping"; list local-addresses { key "start end"; description "List of local addresses"; uses ip-addr-range; } // list local-addresses list remote-addresses { key "start end"; description "List of remote addresses"; uses ip-addr-range; } // list remote-addresses leaf-list next-layer-protocol { type ipsec-next-layer-proto; description "List of Next Layer Protocol"; } list local-ports { key "start end"; description "List of local ports"; uses port-range; } // list local-ports list remote-ports { key "start end"; description "List of remote ports"; uses port-range; } // list remote-ports } // grouping selector-grouping grouping ipsec-sa-grouping { description "Configure Security Association (SA). Section 4.4.2.1 in RFC 4301"; leaf spi { type ipsec-spi; description "Security Parameter Index"; } leaf seq-number { type uint64; description "Current sequence number of IPsec packet."; } leaf seq-number-overflow-flag { type boolean; description "The flag indicating whether overflow of the sequence number counter should prevent transmission of additional packets on the SA, or whether rollover is permitted."; } leaf anti-replay-window { type uint16 { range "0 | 32..1024"; } description "Anti replay window"; } leaf rule-number { type uint32; description "This value links the SA with the SPD entry"; } uses selector-grouping; leaf security-protocol { type ipsec-protocol; description "Security protocol of IPsec SA: Either AH or ESP."; } container ah-sa { when "../security-protocol = 'ah'"; description "Configure Authentication Header (AH) for SA"; container integrity { description "Configure integrity for IPSec Authentication Header (AH)"; leaf integrity-algorithm { type integrity-algorithm-t; description "Configure Authentication Header (AH)."; } leaf key { type string; description "AH key value"; } } // container integrity } // container ah-sa container esp-sa { when "../security-protocol = 'esp'"; description "Set IPSec Encapsulation Security Payload (ESP)"; container encryption { description "Configure encryption for IPSec Encapsulation Secutiry Payload (ESP)"; leaf encryption-algorithm { type encryption-algorithm-t; description "Configure ESP encryption"; } leaf key { type string; description "ESP encryption key value"; } leaf iv { type string; description "ESP encryption IV value"; } } // container encryption container integrity { description "Configure authentication for IPSec Encapsulation Secutiry Payload (ESP)"; leaf integrity-algorithm { type integrity-algorithm-t; description "Configure Authentication Header (AH)."; } leaf key { type string; description "ESP integrity key value"; } } // container integrity leaf combined-enc-intr { type boolean; description "ESP combined mode algorithms. The algorithm is specified in encryption-algorithm in the container encryption"; } } // container esp-sa container sa-lifetime { description "This may be expressed as a time or byte count, or a simultaneous use of both with the first lifetime to expire taking precedence"; leaf time-soft { type uint32; default '0'; description "Soft time lifetime"; } leaf time-hard { type uint32; default '0'; description "Hard time lifetime"; } leaf time-use-soft { type uint32; default '0'; description "Use Soft time lifetime"; } leaf time-use-hard { type uint32; default '0'; description "Use Hard time lifetime"; } leaf byte-soft { type uint32; default '0'; description "Byte soft lifetime"; } leaf byte-hard { type uint32; default '0'; description "Byte hard lifetime"; } leaf packet-soft { type uint32; default '0'; description "Packet soft lifetime"; } leaf packet-hard { type uint32; default '0'; description "Packet hard lifetime"; } leaf action { type lifetime-action; description "action lifetime"; } } // container sa-lifetime leaf mode { type ipsec-mode; description "SA Mode"; } leaf statefulfragCheck { type boolean; description "TRUE stateful fragment checking, FALSE no stateful fragment checking"; } leaf dscp { type yang:hex-string; description "DSCP value"; } container tunnel { when "../mode = 'TUNNEL'"; description "Container for tunnel grouping"; uses tunnel-grouping; } // container tunnel leaf path-mtu { type uint16; description "Maximum size of an IPsec packet that can be transmitted without fragmentation"; } container encap { description "Encapsulation container"; leaf espencap { type esp-encap; description "ESP in TCP, ESP in UDP or ESP in TLS"; } leaf sport { type inet:port-number; description "Encapsulation source port"; } leaf dport { type inet:port-number; description "Encapsulation destination port"; } leaf oaddr { type inet:ip-address; description "Encapsulation Original Address "; } } // container encap } // grouping ipsec-sa-grouping grouping ipsec-policy-grouping { description "Holds configuration information for an IPSec SPD entry."; leaf rule-number { type uint64; description "SPD index. RFC4301 does not mention an index however real implementations provide a policy index/or id to refer a policy. "; } leaf priority { type uint32; default '0'; description "Policy priority"; } list names { key "name"; description "List of policy names"; leaf name-type { type ipsec-spd-name; description "SPD name type."; } leaf name { type string; description "Policy name"; } } // list names container condition { description "SPD condition -> RFC4301"; list traffic-selector-list { key "ts-number"; ordered-by user; description "List of traffic selectors"; leaf ts-number { type uint32; description "Traffic selector number"; } leaf direction { type ipsec-traffic-direction; description "in/fwd/out"; } uses selector-grouping; leaf selector-priority { type uint32; default '0'; description "It establishes a priority to the traffic selector"; } } // list traffic-selector-list } // container condition container processing-info { description "SPD processing -> RFC4301"; leaf action { type ipsec-spd-operation; mandatory true; description "If the action is bypass or discard processing container ipsec-sa-cfg is empty"; } container ipsec-sa-cfg { when "../action = 'PROTECT'"; description " IPSec SA configuration container"; leaf pfp-flag { type boolean; description "Each selector has with a pfp flag."; } leaf extSeqNum { type boolean; description "TRUE 64 bit counter, FALSE 32 bit"; } leaf seqOverflow { type boolean; description "TRUE rekey, FALSE terminare & audit"; } leaf statefulfragCheck { type boolean; description "TRUE stateful fragment checking, FALSE no stateful fragment checking"; } leaf security-protocol { type ipsec-protocol; description "Security protocol of IPsec SA: Either AH or ESP."; } leaf mode { type ipsec-mode; description "transport/tunnel"; } container ah-algorithms { when "../security-protocol = 'ah'"; description "AH algoritms "; leaf-list ah-algorithm { type integrity-algorithm-t; description "Configure Authentication Header (AH)."; } } // container ah-algorithms container esp-algorithms { when "../security-protocol = 'esp'"; description "Configure Encapsulating Security Payload (ESP)."; leaf-list authentication { type integrity-algorithm-t; description "Configure ESP authentication"; } leaf-list encryption { type encryption-algorithm-t; description "Configure ESP encryption"; } } // container esp-algorithms container tunnel { when "../mode = 'TUNNEL'"; description "tunnel grouping container"; uses tunnel-grouping; } // container tunnel } // container ipsec-sa-cfg } // container processing-info container spd-lifetime { description "SPD lifetime parameters"; leaf time-soft { type uint32; default '0'; description "Soft time lifetime"; } leaf time-hard { type uint32; default '0'; description "Hard time lifetime"; } leaf time-use-soft { type uint32; default '0'; description "Use soft lifetime"; } leaf time-use-hard { type uint32; default '0'; description "Use hard lifetime"; } leaf byte-soft { type uint32; default '0'; description "Byte soft lifetime"; } leaf byte-hard { type uint32; default '0'; description "Hard soft lifetime"; } leaf packet-soft { type uint32; default '0'; description "Packet soft lifetime"; } leaf packet-hard { type uint32; default '0'; description "Packet hard lifetime"; } } // container spd-lifetime } // grouping ipsec-policy-grouping grouping isakmp-proposal { description "ISAKMP proposal grouping"; leaf phase1-lifetime { type uint32; mandatory true; description "lifetime for IKE Phase 1 SAs"; } leaf-list phase1-authalg { type integrity-algorithm-t; description "Auth algorigthm for IKE Phase 1 SAs"; } leaf-list phase1-encalg { type encryption-algorithm-t; description "Auth algorigthm for IKE Phase 1 SAs"; } leaf combined-enc-intr { type boolean; description "Combined mode algorithms (encryption and integrity)."; } leaf dh_group { type uint32; mandatory true; description "Group number for Diffie Hellman Exponentiation"; } } // grouping isakmp-proposal grouping phase2-info { description "IKE Phase 2 Information"; leaf-list pfs_group { type uint32; description "If non-zero, require perfect forward secrecy when requesting new SA. The non-zero value is the required group number"; } } // grouping phase2-info grouping local-grouping { description "Configure the local peer in an IKE connection"; container local { description "Local container"; choice my-identifier-type { default 'ipv4'; description "Local ID type"; leaf ipv4 { type inet:ipv4-address; description "IPv4 dotted-decimal address"; } leaf ipv6 { type inet:ipv6-address; description "numerical IPv6 address"; } leaf fqdn { type inet:domain-name; description "Fully Qualifed Domain name "; } leaf dn { type string; description "Domain name"; } leaf user_fqdn { type string; description "User FQDN"; } } // choice my-identifier-type leaf my-identifier { type string; mandatory true; description "Local id used for authentication"; } } // container local } // grouping local-grouping grouping remote-grouping { description "Configure the remote peer in an IKE connection"; container remote { description "Remote container"; choice my-identifier-type { default 'ipv4'; description "Local ID type"; leaf ipv4 { type inet:ipv4-address; description "IPv4 dotted-decimal address"; } leaf ipv6 { type inet:ipv6-address; description "numerical IPv6 address"; } leaf fqdn { type inet:domain-name; description "Fully Qualifed Domain name "; } leaf dn { type string; description "Domain name"; } leaf user_fqdn { type string; description "User FQDN"; } } // choice my-identifier-type leaf my-identifier { type string; mandatory true; description "Local id used for authentication"; } } // container remote } // grouping remote-grouping typedef sadb-msg-type { type enumeration { enum "sadb_reserved" { value 0; description "SADB_RESERVED"; } enum "sadb_getspi" { value 1; description "SADB_GETSPI"; } enum "sadb_update" { value 2; description "SADB_UPDATE"; } enum "sadb_add" { value 3; description "SADB_ADD"; } enum "sadb_delete" { value 4; description "SADB_DELETE"; } enum "sadb_get" { value 5; description "SADB_GET"; } enum "sadb_acquire" { value 6; description "SADB_ACQUIRE"; } enum "sadb_register" { value 7; description "SADB_REGISTER"; } enum "sadb_expire" { value 8; description "SADB_EXPIRE"; } enum "sadb_flush" { value 9; description "SADB_FLUSH"; } enum "sadb_dump" { value 10; description "SADB_DUMP"; } enum "sadb_x_promisc" { value 11; description "SADB_X_PROMISC"; } enum "sadb_x_pchange" { value 12; description "SADB_X_PCHANGE"; } enum "sadb_max" { value 13; description "SADB_MAX"; } } description "PF_KEY base message types"; } typedef sadb-msg-satype { type enumeration { enum "sadb_satype_unspec" { value 0; description "SADB_SATYPE_UNSPEC"; } enum "sadb_satype_ah" { value 1; description "SADB_SATYPE_AH"; } enum "sadb_satype_esp" { value 2; description "SADB_SATYPE_ESP"; } enum "sadb_satype_rsvp" { value 3; description "SADB_SATYPE_RSVP"; } enum "sadb_satype_ospfv2" { value 4; description "SADB_SATYPE_OSPFv2"; } enum "sadb_satype_ripv2" { value 5; description "SADB_SATYPE_RIPv2"; } enum "sadb_satype_mip" { value 6; description "SADB_SATYPE_MIP"; } enum "sadb_satype_max" { value 7; description "SADB_SATYPE_MAX"; } } description "PF_KEY Security Association types"; } grouping base-grouping { description "Configuration for the message header format"; list base-list { key "version"; description "Configuration for a specific message header format"; leaf version { type string; description "Version of PF_KEY (MUST be PF_KEY_V2)"; } leaf msg_type { type sadb-msg-type; description "Identifies the type of message"; } leaf msg_satype { type sadb-msg-satype; description "Defines the type of Security Association"; } leaf msg_seq { type uint32; description "Sequence number of this message."; } } // list base-list } // grouping base-grouping grouping algorithm-grouping { description "List of supported authentication and encryptation algorithms"; list algorithm-supported { description "List for a specific algorithm"; container authentication { description "Authentication algorithm supported"; leaf name { type integrity-algorithm-t; description "Name of authentication algorithm"; } leaf ivlen { type uint8; description "Length of the initialization vector to be used for the algorithm"; } leaf min-bits { type uint16; description "The minimun acceptable key length, in bits"; } leaf max-bits { type uint16; description "The maximun acceptable key length, in bits"; } } // container authentication container encryption { description "Encryptation algorithm supported"; leaf name { type encryption-algorithm-t; description "Name of encryption algorithm"; } leaf ivlen { type uint8; description "Length of the initialization vector to be used for the algorithm"; } leaf min-bits { type uint16; description "The minimun acceptable key length, in bits"; } leaf max-bits { type uint16; description "The maximun acceptable key length, in bits"; } } // container encryption } // list algorithm-supported } // grouping algorithm-grouping container ietf-ipsec { description "Main IPsec container "; container ikev2 { if-feature case1; description "Configure the IKEv2"; container ike-connection { description "IKE connections configuration"; list ike-conn-entries { key "conn-name"; description "IKE peer connetion information"; leaf conn-name { type string; mandatory true; description "Name of IKE connection"; } leaf autostartup { type type-autostartup; mandatory true; description "if True: automatically start tunnel at startup; else we do lazy tunnel setup based on trigger from datapath"; } leaf nat-traversal { type boolean; default 'false'; description "Enable/Disable NAT traversal"; } container encap { when "../nat-traversal = 'true'"; description "Encapsulation container"; leaf espencap { type esp-encap; description "ESP in TCP, ESP in UDP or ESP in TLS"; } leaf sport { type inet:port-number; description "Encapsulation source port"; } leaf dport { type inet:port-number; description "Encapsulation destination port"; } leaf oaddr { type inet:ip-address; description "Encapsulation Original Address "; } } // container encap leaf version { type enumeration { enum "ikev2" { value 2; description "IKE version 2"; } } description "IKE version"; } uses isakmp-proposal; uses local-grouping; uses remote-grouping; uses phase2-info; } // list ike-conn-entries } // container ike-connection } // container ikev2 container ipsec { description "Configuration IPsec"; container spd { description "Configure the Security Policy Database (SPD)"; list spd-entry { key "rule-number"; ordered-by user; description "List of SPD entries"; uses ipsec-policy-grouping; } // list spd-entry } // container spd container sad { if-feature case2; description "Configure the IPSec Security Association Database (SAD)"; list sad-entry { key "spi"; description "List of SAD entries"; uses ipsec-sa-grouping; } // list sad-entry } // container sad container pad { if-feature case1; description "Configure Peer Authorization Database (PAD)"; list pad-entries { key "pad-entry-id"; ordered-by user; description "Peer Authorization Database (PAD)"; leaf pad-entry-id { type uint64; description "SAD index. "; } uses identity-grouping; leaf pad-auth-protocol { type auth-protocol-type; description "IKEv1, IKEv2, KINK, etc. "; } uses auth-method-grouping; } // list pad-entries } // container pad } // container ipsec } // container ietf-ipsec rpc sadb_register { description "Allows netconf to register its key socket as able to acquire new security associations for the kernel"; input { uses base-grouping; } output { uses base-grouping; uses algorithm-grouping; } } // rpc sadb_register notification spdb_expire { description "A SPD entry has expired"; leaf index { type uint64; description "SPD index. RFC4301 does not mention an index however real implementations (e.g. XFRM or PFKEY_v2 with KAME extensions provide a policy index to refer a policy. "; } } // notification spdb_expire notification sadb_acquire { description "A IPsec SA is required "; leaf state { type uint32; mandatory true; description "Request the creation of a SADB entry"; } } // notification sadb_acquire notification sadb_expire { description "....."; leaf state { type uint32; mandatory true; description "Notify the expiration of a entry in the SADB"; } } // notification sadb_expire notification sadb_bad-spi { description "....."; leaf state { type ipsec-spi; mandatory true; description "Notify when a SPI"; } } // notification sadb_bad-spi } // module ietf-ipsec
Summary
| Organization | University of Murcia |
| Module | ietf-ipsec |
| Version | 2017-05-02 |
| File | ietf-ipsec@2017-05-02.yang |
| Prefix | eipsec |
| Namespace | urn:ietf:params:xml:ns:yang:ietf-ipsec |
| Cooked | /cookedmodules/ietf-ipsec/2017-05-02 |
| YANG | /src/ietf-ipsec@2017-05-02.yang |
| XSD | /xsd/ietf-ipsec@2017-05-02.xsd |
| Abstract | Data model for IPSec |
| Contact | Rafael Marin Lopez Dept. Information and Communications Engineering (DIIC) Faculty of Computer Science-University of Murcia 30100 Murcia - Spain Telf: +34868888501 e-mail: rafa@um.es Gabriel Lopez Millan Dept. Information and Communications Engineering (DIIC) Faculty of Computer Science-University of Murcia 30100 Murcia - Spain Tel: +34 868888504 email: gabilm@um.es |
Description
Data model for IPSec |
Typedefs
| Typedef | Base type | Abstract |
| auth-method-type | enumeration | Peer authentication method |
| auth-protocol-type | enumeration | Peer authentication protocols |
| encryption-algorithm-t | enumeration | Encryption algorithms -> RFC_5996 |
| esp-encap | enumeration | type defining types of ESP encapsulation |
| integrity-algorithm-t | enumeration | Integrity Algorithms -> RFC_5996 |
| ipsec-mode | enumeration | type define of ipsec mode |
| ipsec-next-layer-proto | enumeration | Next layer proto on top of IP |
| ipsec-protocol | enumeration | type define of ipsec security protocol |
| ipsec-spd-name | enumeration | IPsec SPD name type |
| ipsec-spd-operation | enumeration | The operation when traffic matches IPsec security policy |
| ipsec-spi | uint32 | SPI |
| ipsec-traffic-direction | enumeration | IPsec traffic direction |
| lifetime-action | enumeration | Action when lifetime expiration |
| sadb-msg-satype | enumeration | PF_KEY Security Association types |
| sadb-msg-type | enumeration | PF_KEY base message types |
| type-autostartup | enumeration | Different types of how IKEv2 starts the IPsec SAs |
Groupings
| Grouping | Objects | Abstract |
| algorithm-grouping | algorithm-supported | List of supported authentication and encryptation algorithms |
| auth-method-grouping | auth-method | Peer authentication method data |
| base-grouping | base-list | Configuration for the message header format |
| identity-grouping | identity | Identification type. It is an union identity |
| ip-addr-range | start end | IP address range grouping |
| ipsec-policy-grouping | rule-number priority names condition processing-info spd-lifetime | Holds configuration information for an IPSec SPD entry. |
| ipsec-sa-grouping | spi seq-number seq-number-overflow-flag anti-replay-window rule-number local-addresses remote-addresses next-layer-protocol local-ports remote-portssecurity-protocol ah-sa esp-sa sa-lifetime mode statefulfragCheck dscp tunnel path-mtu encap | Configure Security Association (SA). Section 4.4.2.1 in RFC 4301 |
| isakmp-proposal | phase1-lifetime phase1-authalg phase1-encalg combined-enc-intr dh_group | ISAKMP proposal grouping |
| local-grouping | local | Configure the local peer in an IKE connection |
| phase2-info | pfs_group | IKE Phase 2 Information |
| port-range | start end | Port range grouping |
| remote-grouping | remote | Configure the remote peer in an IKE connection |
| selector-grouping | local-addresses remote-addresses next-layer-protocol local-ports remote-ports | Traffic selector grouping |
| tunnel-grouping | local remote bypass-df bypass-dscp dscp-mapping ecn | Tunnel mode grouping |
Objects
| Type Key |
| Mandatory config |
| Optional config |
| Not config |
| Object | Type | Abstract |
| ietf-ipsec | container | Main IPsec container |
| ikev2 | container | Configure the IKEv2 |
| ike-connection | container | IKE connections configuration |
| ike-conn-entries | list | IKE peer connetion information |
| autostartup | leaf | if True: automatically start tunnel at startup; else we do lazy tunnel setup based on trigger from datapath |
| combined-enc-intr | leaf | Combined mode algorithms (encryption and integrity). |
| conn-name | leaf | Name of IKE connection |
| dh_group | leaf | Group number for Diffie Hellman Exponentiation |
| encap | container | Encapsulation container |
| dport | leaf | Encapsulation destination port |
| espencap | leaf | ESP in TCP, ESP in UDP or ESP in TLS |
| oaddr | leaf | Encapsulation Original Address |
| sport | leaf | Encapsulation source port |
| local | container | Local container |
| my-identifier | leaf | Local id used for authentication |
| my-identifier-type | choice | Local ID type |
| dn | case | dn |
| dn | leaf | Domain name |
| fqdn | case | fqdn |
| fqdn | leaf | Fully Qualifed Domain name |
| ipv4 | case | ipv4 |
| ipv4 | leaf | IPv4 dotted-decimal address |
| ipv6 | case | ipv6 |
| ipv6 | leaf | numerical IPv6 address |
| user_fqdn | case | user_fqdn |
| user_fqdn | leaf | User FQDN |
| nat-traversal | leaf | Enable/Disable NAT traversal |
| pfs_group | leaf-list | If non-zero, require perfect forward secrecy when requesting new SA. The non-zero value is the required group number |
| phase1-authalg | leaf-list | Auth algorigthm for IKE Phase 1 SAs |
| phase1-encalg | leaf-list | Auth algorigthm for IKE Phase 1 SAs |
| phase1-lifetime | leaf | lifetime for IKE Phase 1 SAs |
| remote | container | Remote container |
| my-identifier | leaf | Local id used for authentication |
| my-identifier-type | choice | Local ID type |
| dn | case | dn |
| dn | leaf | Domain name |
| fqdn | case | fqdn |
| fqdn | leaf | Fully Qualifed Domain name |
| ipv4 | case | ipv4 |
| ipv4 | leaf | IPv4 dotted-decimal address |
| ipv6 | case | ipv6 |
| ipv6 | leaf | numerical IPv6 address |
| user_fqdn | case | user_fqdn |
| user_fqdn | leaf | User FQDN |
| version | leaf | IKE version |
| ipsec | container | Configuration IPsec |
| pad | container | Configure Peer Authorization Database (PAD) |
| pad-entries | list | Peer Authorization Database (PAD) |
| auth-method | container | Peer authentication method container |
| auth-m | leaf | Type of authentication method (preshared, rsa, etc.) |
| pre-shared | container | Shared secret value |
| secret | leaf | Pre-shared secret value |
| rsa-signature | container | RSA signature container |
| ca-data | leaf-list | List of trusted CA certs - PEM |
| ca-file | leaf | List of trusted CA certs file |
| cert-data | leaf | X.509 certificate data - PEM4 |
| cert-file | leaf | X.509 certificate file |
| crl-data | leaf | X.509 CRL certificate data in base64 |
| crl-file | leaf | X.509 CRL certificate file |
| key-data | leaf | RSA private key data - PEM |
| key-file | leaf | RSA private key file name |
| identity | choice | Choice of identity. |
| dnX509 | case | dnX509 |
| dnX509 | leaf | Specifies the identity as a distinguished name in the X.509 tradition. |
| fqdn-string | case | fqdn-string |
| fqdn-string | leaf | Specifies the identity as a Fully-Qualified Domain Name (FQDN) string. An example is: example.com. The string MUST not contain any terminators (e.g., NULL, CR, etc.). |
| id_key | case | id_key |
| id_key | leaf | Key id |
| ipv4-address | case | ipv4-address |
| ipv4-address | leaf | Specifies the identity as a single four (4) octet IPv4 address. An example is, 10.10.10.10. |
| ipv6-address | case | ipv6-address |
| ipv6-address | leaf | Specifies the identity as a single sixteen (16) octet IPv6 address. An example is FF01::101, 2001:DB8:0:0:8:800:200C:417A . |
| rfc822-address-string | case | rfc822-address-string |
| rfc822-address-string | leaf | Specifies the identity as a fully-qualified RFC822 email address string. An example is, jsmith@example.com. The string MUST not contain any terminators (e.g., NULL, CR, etc.). |
| pad-auth-protocol | leaf | IKEv1, IKEv2, KINK, etc. |
| pad-entry-id | leaf | SAD index. |
| sad | container | Configure the IPSec Security Association Database (SAD) |
| sad-entry | list | List of SAD entries |
| ah-sa | container | Configure Authentication Header (AH) for SA |
| integrity | container | Configure integrity for IPSec Authentication Header (AH) |
| integrity-algorithm | leaf | Configure Authentication Header (AH). |
| key | leaf | AH key value |
| anti-replay-window | leaf | Anti replay window |
| dscp | leaf | DSCP value |
| encap | container | Encapsulation container |
| dport | leaf | Encapsulation destination port |
| espencap | leaf | ESP in TCP, ESP in UDP or ESP in TLS |
| oaddr | leaf | Encapsulation Original Address |
| sport | leaf | Encapsulation source port |
| esp-sa | container | Set IPSec Encapsulation Security Payload (ESP) |
| combined-enc-intr | leaf | ESP combined mode algorithms. The algorithm is specified in encryption-algorithm in the container encryption |
| encryption | container | Configure encryption for IPSec Encapsulation Secutiry Payload (ESP) |
| encryption-algorithm | leaf | Configure ESP encryption |
| iv | leaf | ESP encryption IV value |
| key | leaf | ESP encryption key value |
| integrity | container | Configure authentication for IPSec Encapsulation Secutiry Payload (ESP) |
| integrity-algorithm | leaf | Configure Authentication Header (AH). |
| key | leaf | ESP integrity key value |
| local-addresses | list | List of local addresses |
| end | leaf | End IP address |
| start | leaf | Start IP address |
| local-ports | list | List of local ports |
| end | leaf | End IP address |
| start | leaf | Start IP address |
| mode | leaf | SA Mode |
| next-layer-protocol | leaf-list | List of Next Layer Protocol |
| path-mtu | leaf | Maximum size of an IPsec packet that can be transmitted without fragmentation |
| remote-addresses | list | List of remote addresses |
| end | leaf | End IP address |
| start | leaf | Start IP address |
| remote-ports | list | List of remote ports |
| end | leaf | End IP address |
| start | leaf | Start IP address |
| rule-number | leaf | This value links the SA with the SPD entry |
| sa-lifetime | container | This may be expressed as a time or byte count, or a simultaneous use of both with the first lifetime to expire taking precedence |
| action | leaf | action lifetime |
| byte-hard | leaf | Byte hard lifetime |
| byte-soft | leaf | Byte soft lifetime |
| packet-hard | leaf | Packet hard lifetime |
| packet-soft | leaf | Packet soft lifetime |
| time-hard | leaf | Hard time lifetime |
| time-soft | leaf | Soft time lifetime |
| time-use-hard | leaf | Use Hard time lifetime |
| time-use-soft | leaf | Use Soft time lifetime |
| security-protocol | leaf | Security protocol of IPsec SA: Either AH or ESP. |
| seq-number | leaf | Current sequence number of IPsec packet. |
| seq-number-overflow-flag | leaf | The flag indicating whether overflow of the sequence number counter should prevent transmission of additional packets on the SA, or whether rollover is permitted. |
| spi | leaf | Security Parameter Index |
| statefulfragCheck | leaf | TRUE stateful fragment checking, FALSE no stateful fragment checking |
| tunnel | container | Container for tunnel grouping |
| bypass-df | leaf | bypass DF bit |
| bypass-dscp | leaf | bypass DSCP |
| dscp-mapping | leaf | DSCP mapping |
| ecn | leaf | Bit ECN |
| local | leaf | Local tunnel endpoint |
| remote | leaf | Remote tunnel enpoint |
| spd | container | Configure the Security Policy Database (SPD) |
| spd-entry | list | List of SPD entries |
| condition | container | SPD condition -> RFC4301 |
| traffic-selector-list | list | List of traffic selectors |
| direction | leaf | in/fwd/out |
| local-addresses | list | List of local addresses |
| end | leaf | End IP address |
| start | leaf | Start IP address |
| local-ports | list | List of local ports |
| end | leaf | End IP address |
| start | leaf | Start IP address |
| next-layer-protocol | leaf-list | List of Next Layer Protocol |
| remote-addresses | list | List of remote addresses |
| end | leaf | End IP address |
| start | leaf | Start IP address |
| remote-ports | list | List of remote ports |
| end | leaf | End IP address |
| start | leaf | Start IP address |
| selector-priority | leaf | It establishes a priority to the traffic selector |
| ts-number | leaf | Traffic selector number |
| names | list | List of policy names |
| name | leaf | Policy name |
| name-type | leaf | SPD name type. |
| priority | leaf | Policy priority |
| processing-info | container | SPD processing -> RFC4301 |
| action | leaf | If the action is bypass or discard processing container ipsec-sa-cfg is empty |
| ipsec-sa-cfg | container | IPSec SA configuration container |
| ah-algorithms | container | AH algoritms |
| ah-algorithm | leaf-list | Configure Authentication Header (AH). |
| esp-algorithms | container | Configure Encapsulating Security Payload (ESP). |
| authentication | leaf-list | Configure ESP authentication |
| encryption | leaf-list | Configure ESP encryption |
| extSeqNum | leaf | TRUE 64 bit counter, FALSE 32 bit |
| mode | leaf | transport/tunnel |
| pfp-flag | leaf | Each selector has with a pfp flag. |
| security-protocol | leaf | Security protocol of IPsec SA: Either AH or ESP. |
| seqOverflow | leaf | TRUE rekey, FALSE terminare & audit |
| statefulfragCheck | leaf | TRUE stateful fragment checking, FALSE no stateful fragment checking |
| tunnel | container | tunnel grouping container |
| bypass-df | leaf | bypass DF bit |
| bypass-dscp | leaf | bypass DSCP |
| dscp-mapping | leaf | DSCP mapping |
| ecn | leaf | Bit ECN |
| local | leaf | Local tunnel endpoint |
| remote | leaf | Remote tunnel enpoint |
| rule-number | leaf | SPD index. RFC4301 does not mention an index however real implementations provide a policy index/or id to refer a policy. |
| spd-lifetime | container | SPD lifetime parameters |
| byte-hard | leaf | Hard soft lifetime |
| byte-soft | leaf | Byte soft lifetime |
| packet-hard | leaf | Packet hard lifetime |
| packet-soft | leaf | Packet soft lifetime |
| time-hard | leaf | Hard time lifetime |
| time-soft | leaf | Soft time lifetime |
| time-use-hard | leaf | Use hard lifetime |
| time-use-soft | leaf | Use soft lifetime |
RPC Methods
| RPC | Abstract |
| sadb_register | Allows netconf to register its key socket as able to acquire new security associations for the kernel |
Notifications
| Notification | Abstract |
| sadb_acquire | A IPsec SA is required |
| sadb_bad-spi | ..... |
| sadb_expire | ..... |
| spdb_expire | A SPD entry has expired |