netconfcentral logo

ietf-ipsec

HTML

ietf-ipsec@2017-05-02



  module ietf-ipsec {

    yang-version 1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-ipsec";

    prefix eipsec;

    import ietf-inet-types {
      prefix inet;
    }
    import ietf-yang-types {
      prefix yang;
    }

    organization "University of Murcia";

    contact
      " Rafael Marin Lopez
   Dept. Information and Communications Engineering (DIIC)
   Faculty of Computer Science-University of Murcia
   30100 Murcia - Spain
   Telf: +34868888501
   e-mail: rafa@um.es

   Gabriel Lopez Millan
   Dept. Information and Communications Engineering (DIIC)
   Faculty of Computer Science-University of Murcia
   30100 Murcia - Spain
   Tel: +34 868888504
   email: gabilm@um.es
   ";

    description "Data model for IPSec";

    revision "2017-05-02" {
      description "Initial revision.";
      reference
        "";

    }


    feature case1 {
      description
        "feature case 1: IKE SPD PAD";
    }

    feature case2 {
      description "feature case 2: SPD SAD";
    }

    typedef encryption-algorithm-t {
      type enumeration {
        enum "reserved-0" {
          value 0;
          description "reserved";
        }
        enum "des-iv4" {
          value 1;
          description "DES IV 4";
        }
        enum "des" {
          value 2;
          description "DES";
        }
        enum "3des" {
          value 3;
          description "3DES";
        }
        enum "rc5" {
          value 4;
          description "RC5";
        }
        enum "idea" {
          value 5;
          description "IDEA";
        }
        enum "cast" {
          value 6;
          description "CAST";
        }
        enum "blowfish" {
          value 7;
          description "BlowFish";
        }
        enum "3idea" {
          value 8;
          description "3IDEA";
        }
        enum "des-iv32" {
          value 9;
          description "DES-IV32";
        }
        enum "reserved-10" {
          value 10;
          description "reserved-10";
        }
        enum "null" {
          value 11;
          description "NULL";
        }
        enum "aes-cbc" {
          value 12;
          description "AES-CBC";
        }
        enum "aes-ctr" {
          value 13;
          description "AES-CTR";
        }
        enum "aes-ccm-8" {
          value 14;
          description "AES-CCM-8";
        }
        enum "aes-ccm-12" {
          value 15;
          description "AES-CCM-12";
        }
        enum "aes-ccm-16" {
          value 16;
          description "AES-CCM-16";
        }
        enum "reserved-17" {
          value 17;
          description "reserved-17";
        }
        enum "aes-gcm-8-icv" {
          value 18;
          description "AES-GCM-8-ICV";
        }
        enum "aes-gcm-12-icv" {
          value 19;
          description "AES-GCM-12-ICV";
        }
        enum "aes-gcm-16-icv" {
          value 20;
          description "AES-GCM-16-ICV";
        }
        enum "null-auth-aes-gmac" {
          value 21;
          description "Null-Auth-AES-GMAC";
        }
        enum "ieee-p1619-xts-aes" {
          value 22;
          description
            "encr-ieee-p1619-xts-aes -> Reserved for IEEE P1619 XTS-AES.";
        }
        enum "camellia-cbc" {
          value 23;
          description "CAMELLIA-CBC";
        }
        enum "camellia-ctr" {
          value 24;
          description "CAMELLIA.CTR";
        }
        enum "camellia-ccm-8-icv" {
          value 25;
          description "CAMELLIA-CCM-8-ICV";
        }
        enum "camellia-ccm-12-icv" {
          value 26;
          description "CAMELLIA-CCM-12-ICV";
        }
        enum "camellia-ccm-16-icv" {
          value 27;
          description "CAMELLIA-CCM-16-ICV";
        }
        enum "aes-cbc-128" {
          value 28;
          description "AES-CBC-128";
        }
        enum "aes-cbc-192" {
          value 29;
          description "AES-CBC-192";
        }
        enum "aes-cbc-256" {
          value 30;
          description "AES-CBC-256";
        }
        enum "blowfish-128" {
          value 31;
          description "BlowFish-128";
        }
        enum "blowfish-192" {
          value 32;
          description "BlowFish-192";
        }
        enum "blowfish-256" {
          value 33;
          description "BlowFish-256";
        }
        enum "blowfish-448" {
          value 34;
          description "BlowFish-448";
        }
        enum "camellia-128" {
          value 35;
          description "CAMELLIA-128";
        }
        enum "camellia-192" {
          value 36;
          description "CAMELLIA-192";
        }
        enum "camellia-256" {
          value 37;
          description "CAMELLIA-256";
        }
        enum "AES-GCM-16-ICV" {
          value 38;
          description
            "AES-GCM-16-ICV (AEAD)";
        }
        enum "AES-CCM" {
          value 39;
          description "AES-CCM (AEAD)";
        }
      }
      description
        "Encryption algorithms -> RFC_5996";
    }

    typedef integrity-algorithm-t {
      type enumeration {
        enum "none" {
          value 0;
          description "NONE";
        }
        enum "hmac-md5-96" {
          value 1;
          description "HMAC-MD5-96";
        }
        enum "hmac-sha1-96" {
          value 2;
          description "HMAC-SHA1-96";
        }
        enum "des-mac" {
          value 3;
          description "DES-MAC";
        }
        enum "kpdk-md5" {
          value 4;
          description "KPDK-MD5";
        }
        enum "aes-xcbc-96" {
          value 5;
          description "AES-XCBC-96";
        }
        enum "hmac-md5-128" {
          value 6;
          description "HMAC-MD5-128";
        }
        enum "hmac-sha1-160" {
          value 7;
          description "HMAC-SHA1-160";
        }
        enum "aes-cmac-96" {
          value 8;
          description "AES-CMAC-96";
        }
        enum "aes-128-gmac" {
          value 9;
          description "AES-128-GMAC";
        }
        enum "aes-192-gmac" {
          value 10;
          description "AES-192-GMAC";
        }
        enum "aes-256-gmac" {
          value 11;
          description "AES-256-GMAC";
        }
        enum "hmac-sha2-256-128" {
          value 12;
          description "HMAC-SHA2-256-128";
        }
        enum "hmac-sha2-384-192" {
          value 13;
          description "HMAC-SHA2-384-192";
        }
        enum "hmac-sha2-512-256" {
          value 14;
          description "HMAC-SHA2-512-256";
        }
        enum "hmac-sha2-256-96" {
          value 15;
          description "HMAC-SHA2-256-096";
        }
      }
      description
        "Integrity Algorithms -> RFC_5996";
    }

    typedef type-autostartup {
      type enumeration {
        enum "ALWAYSON" {
          value 0;
          description " ";
        }
        enum "INITIATE-ON-DEMAND" {
          value 1;
          description " ";
        }
        enum "RESPOND-ONLY" {
          value 2;
          description " ";
        }
      }
      description
        "Different types of how IKEv2 starts the IPsec SAs";
    }

    typedef auth-protocol-type {
      type enumeration {
        enum "IKEv1" {
          value 0;
          description
            "Authentication protocol based on IKEv1";
        }
        enum "IKEv2" {
          value 1;
          description
            "Authentication protocol based on IKEv2";
        }
        enum "KINK" {
          value 2;
          description
            "Authentication protocol based on KINK";
        }
      }
      description
        "Peer authentication protocols";
    }

    typedef ipsec-mode {
      type enumeration {
        enum "TRANSPORT" {
          value 0;
          description "Transport mode";
        }
        enum "TUNNEL" {
          value 1;
          description "Tunnel mode";
        }
        enum "BEET" {
          value 2;
          description
            "Bound End-to-End Tunnel (BEET) mode for ESP.";
        }
        enum "RO" {
          value 3;
          description
            "Route Optimization mode for Mobile IPv6";
        }
        enum "IN_TRIGGER" {
          value 4;
          description
            "In trigger mode for Mobile IPv6";
        }
      }
      description
        "type define of ipsec mode";
    }

    typedef esp-encap {
      type enumeration {
        enum "ESPINTCP" {
          value 0;
          description
            "ESP in TCP encapulation.";
        }
        enum "ESPINTLS" {
          value 1;
          description
            "ESP in TCP encapsulation using TLS.";
        }
        enum "ESPINUDP" {
          value 2;
          description
            "ESP in UDP encapsulation. RFC 3948 ";
        }
      }
      description
        "type defining types of ESP encapsulation";
    }

    typedef ipsec-protocol {
      type enumeration {
        enum "ah" {
          value 0;
          description "AH Protocol";
        }
        enum "esp" {
          value 1;
          description "ESP Protocol";
        }
        enum "comp" {
          value 2;
          description "IP Compression";
        }
        enum "route2" {
          value 3;
          description
            "Routing Header type 2. Mobile IPv6";
        }
        enum "hao" {
          value 4;
          description "Home Agent Option";
        }
      }
      description
        "type define of ipsec security protocol";
    }

    typedef ipsec-spi {
      type uint32 {
        range "1..max";
      }
      description "SPI";
    }

    typedef lifetime-action {
      type enumeration {
        enum "terminate" {
          value 0;
          description
            "Terminate the IPsec SA";
        }
        enum "replace" {
          value 1;
          description
            "Replace the IPsec SA with a new one";
        }
      }
      description
        "Action when lifetime expiration";
    }

    typedef ipsec-traffic-direction {
      type enumeration {
        enum "INBOUND" {
          value 0;
          description "Inbound traffic";
        }
        enum "OUTBOUND" {
          value 1;
          description "Outbound traffic";
        }
        enum "FORWARD" {
          value 2;
          description "Forwarded traffic";
        }
      }
      description "IPsec traffic direction";
    }

    typedef ipsec-spd-operation {
      type enumeration {
        enum "PROTECT" {
          value 0;
          description
            "PROTECT the traffic with IPsec";
        }
        enum "BYPASS" {
          value 1;
          description "BYPASS the traffic";
        }
        enum "DISCARD" {
          value 2;
          description "DISCARD the traffic";
        }
      }
      description
        "The operation when traffic matches IPsec security policy";
    }

    typedef ipsec-next-layer-proto {
      type enumeration {
        enum "TCP" {
          value 0;
          description
            "PROTECT the traffic with IPsec";
        }
        enum "UDP" {
          value 1;
          description "BYPASS the traffic";
        }
        enum "SCTP" {
          value 2;
          description
            "PROTECT the traffic with IPsec";
        }
        enum "DCCP" {
          value 3;
          description
            "PROTECT the traffic with IPsec";
        }
        enum "ICMP" {
          value 4;
          description
            "PROTECT the traffic with IPsec";
        }
        enum "IPv6-ICMP" {
          value 5;
          description
            "PROTECT the traffic with IPsec";
        }
        enum "MH" {
          value 6;
          description
            "PROTECT the traffic with IPsec";
        }
        enum "GRE" {
          value 7;
          description
            "PROTECT the traffic with IPsec";
        }
      }
      description
        "Next layer proto on top of IP";
    }

    typedef ipsec-spd-name {
      type enumeration {
        enum "id_rfc_822_addr" {
          value 0;
          description
            "Fully qualified user name string.";
        }
        enum "id_fqdn" {
          value 1;
          description
            "Fully qualified DNS name.";
        }
        enum "id_der_asn1_dn" {
          value 2;
          description
            "X.500 distinguished name.";
        }
        enum "id_key" {
          value 3;
          description "IKEv2 Key ID.";
        }
      }
      description "IPsec SPD name type";
    }

    typedef auth-method-type {
      type enumeration {
        enum "pre-shared" {
          value 0;
          description
            "Select pre-shared key message as the authentication method";
        }
        enum "rsa-signature" {
          value 1;
          description
            "Select rsa digital signature as the authentication method";
        }
        enum "dss-signature" {
          value 2;
          description
            "Select dss digital signature as the authentication method";
        }
        enum "eap" {
          value 3;
          description
            "Select EAP as the authentication method";
        }
      }
      description
        "Peer authentication method";
    }

    grouping auth-method-grouping {
      description
        "Peer authentication method data";
      container auth-method {
        description
          "Peer authentication method container";
        leaf auth-m {
          type auth-method-type;
          description
            "Type of authentication method (preshared, rsa, etc.)";
        }

        container pre-shared {
          when "../auth-m = 'pre-shared'";
          description "Shared secret value";
          leaf secret {
            type string;
            description
              "Pre-shared secret value";
          }
        }  // container pre-shared

        container rsa-signature {
          when "../auth-m = 'rsa-signature'";
          description
            "RSA signature container";
          leaf key-data {
            type string;
            description
              "RSA private key data - PEM";
          }

          leaf key-file {
            type string;
            description
              "RSA private key file name ";
          }

          leaf-list ca-data {
            type string;
            description
              "List of trusted CA certs - PEM";
          }

          leaf ca-file {
            type string;
            description
              "List of trusted CA certs file";
          }

          leaf cert-data {
            type string;
            description
              "X.509 certificate data - PEM4";
          }

          leaf cert-file {
            type string;
            description
              "X.509 certificate file";
          }

          leaf crl-data {
            type string;
            description
              "X.509 CRL certificate data in base64";
          }

          leaf crl-file {
            type string;
            description
              " X.509 CRL certificate file";
          }
        }  // container rsa-signature
      }  // container auth-method
    }  // grouping auth-method-grouping

    grouping identity-grouping {
      description
        "Identification type. It is an union identity";
      choice identity {
        description "Choice of identity.";
        leaf ipv4-address {
          type inet:ipv4-address;
          description
            "Specifies the identity as a single four (4) octet IPv4 address. An example is, 10.10.10.10. ";
        }
        leaf ipv6-address {
          type inet:ipv6-address;
          description
            "Specifies the identity as a single sixteen (16) octet IPv6 address. An example is FF01::101, 2001:DB8:0:0:8:800:200C:417A .";
        }
        leaf fqdn-string {
          type inet:domain-name;
          description
            "Specifies the identity as a Fully-Qualified Domain Name (FQDN) string. An example is: example.com. The string MUST not contain any terminators (e.g., NULL, CR, etc.).";
        }
        leaf rfc822-address-string {
          type string;
          description
            "Specifies the identity as a fully-qualified RFC822 email address string. An example is, jsmith@example.com. The string MUST not contain any terminators (e.g., NULL, CR, etc.).";
        }
        leaf dnX509 {
          type string;
          description
            "Specifies the identity as a distinguished name in the X.509 tradition.";
        }
        leaf id_key {
          type string;
          description "Key id";
        }
      }  // choice identity
    }  // grouping identity-grouping

    grouping ip-addr-range {
      description
        "IP address range grouping";
      leaf start {
        type inet:ip-address;
        description "Start IP address";
      }

      leaf end {
        type inet:ip-address;
        description "End IP address";
      }
    }  // grouping ip-addr-range

    grouping port-range {
      description "Port range grouping";
      leaf start {
        type inet:port-number;
        description "Start IP address";
      }

      leaf end {
        type inet:port-number;
        description "End IP address";
      }
    }  // grouping port-range

    grouping tunnel-grouping {
      description "Tunnel mode grouping";
      leaf local {
        type inet:ip-address;
        description "Local tunnel endpoint";
      }

      leaf remote {
        type inet:ip-address;
        description "Remote tunnel enpoint";
      }

      leaf bypass-df {
        type boolean;
        description "bypass DF bit";
      }

      leaf bypass-dscp {
        type boolean;
        description "bypass DSCP";
      }

      leaf dscp-mapping {
        type yang:hex-string;
        description "DSCP mapping";
      }

      leaf ecn {
        type boolean;
        description "Bit ECN";
      }
    }  // grouping tunnel-grouping

    grouping selector-grouping {
      description
        "Traffic selector grouping";
      list local-addresses {
        key "start end";
        description
          "List of local addresses";
        uses ip-addr-range;
      }  // list local-addresses

      list remote-addresses {
        key "start end";
        description
          "List of remote addresses";
        uses ip-addr-range;
      }  // list remote-addresses

      leaf-list next-layer-protocol {
        type ipsec-next-layer-proto;
        description
          "List of Next Layer Protocol";
      }

      list local-ports {
        key "start end";
        description "List of local ports";
        uses port-range;
      }  // list local-ports

      list remote-ports {
        key "start end";
        description "List of remote ports";
        uses port-range;
      }  // list remote-ports
    }  // grouping selector-grouping

    grouping ipsec-sa-grouping {
      description
        "Configure Security Association (SA). Section 4.4.2.1 in RFC 4301";
      leaf spi {
        type ipsec-spi;
        description
          "Security Parameter Index";
      }

      leaf seq-number {
        type uint64;
        description
          "Current sequence number of IPsec packet.";
      }

      leaf seq-number-overflow-flag {
        type boolean;
        description
          "The flag indicating whether overflow of the sequence number counter should prevent transmission of additional packets on the SA, or whether rollover is permitted.";
      }

      leaf anti-replay-window {
        type uint16 {
          range "0 | 32..1024";
        }
        description "Anti replay window";
      }

      leaf rule-number {
        type uint32;
        description
          "This value links the SA with the SPD entry";
      }

      uses selector-grouping;

      leaf security-protocol {
        type ipsec-protocol;
        description
          "Security protocol of IPsec SA: Either AH or ESP.";
      }

      container ah-sa {
        when "../security-protocol = 'ah'";
        description
          "Configure Authentication Header (AH) for SA";
        container integrity {
          description
            "Configure integrity for IPSec Authentication Header (AH)";
          leaf integrity-algorithm {
            type integrity-algorithm-t;
            description
              "Configure Authentication Header (AH).";
          }

          leaf key {
            type string;
            description "AH key value";
          }
        }  // container integrity
      }  // container ah-sa

      container esp-sa {
        when "../security-protocol = 'esp'";
        description
          "Set IPSec Encapsulation Security Payload (ESP)";
        container encryption {
          description
            "Configure encryption for IPSec Encapsulation Secutiry Payload (ESP)";
          leaf encryption-algorithm {
            type encryption-algorithm-t;
            description
              "Configure ESP encryption";
          }

          leaf key {
            type string;
            description
              "ESP encryption key value";
          }

          leaf iv {
            type string;
            description
              "ESP encryption IV value";
          }
        }  // container encryption

        container integrity {
          description
            "Configure authentication for IPSec Encapsulation Secutiry Payload (ESP)";
          leaf integrity-algorithm {
            type integrity-algorithm-t;
            description
              "Configure Authentication Header (AH).";
          }

          leaf key {
            type string;
            description
              "ESP integrity key value";
          }
        }  // container integrity

        leaf combined-enc-intr {
          type boolean;
          description
            "ESP combined mode algorithms. The algorithm is specified in encryption-algorithm in the container encryption";
        }
      }  // container esp-sa

      container sa-lifetime {
        description
          "This may be expressed as a time or byte count, or a simultaneous use of both with the first lifetime to expire taking precedence";
        leaf time-soft {
          type uint32;
          default '0';
          description "Soft time lifetime";
        }

        leaf time-hard {
          type uint32;
          default '0';
          description "Hard time lifetime";
        }

        leaf time-use-soft {
          type uint32;
          default '0';
          description
            "Use Soft time lifetime";
        }

        leaf time-use-hard {
          type uint32;
          default '0';
          description
            "Use Hard time lifetime";
        }

        leaf byte-soft {
          type uint32;
          default '0';
          description "Byte soft lifetime";
        }

        leaf byte-hard {
          type uint32;
          default '0';
          description "Byte hard lifetime";
        }

        leaf packet-soft {
          type uint32;
          default '0';
          description "Packet soft lifetime";
        }

        leaf packet-hard {
          type uint32;
          default '0';
          description "Packet hard lifetime";
        }

        leaf action {
          type lifetime-action;
          description "action lifetime";
        }
      }  // container sa-lifetime

      leaf mode {
        type ipsec-mode;
        description "SA Mode";
      }

      leaf statefulfragCheck {
        type boolean;
        description
          "TRUE stateful fragment checking, FALSE no stateful fragment checking";
      }

      leaf dscp {
        type yang:hex-string;
        description "DSCP value";
      }

      container tunnel {
        when "../mode = 'TUNNEL'";
        description
          "Container for tunnel grouping";
        uses tunnel-grouping;
      }  // container tunnel

      leaf path-mtu {
        type uint16;
        description
          "Maximum size of an IPsec packet that can be transmitted without fragmentation";
      }

      container encap {
        description
          "Encapsulation container";
        leaf espencap {
          type esp-encap;
          description
            "ESP in TCP, ESP in UDP or ESP in TLS";
        }

        leaf sport {
          type inet:port-number;
          description
            "Encapsulation source port";
        }

        leaf dport {
          type inet:port-number;
          description
            "Encapsulation destination port";
        }

        leaf oaddr {
          type inet:ip-address;
          description
            "Encapsulation Original Address ";
        }
      }  // container encap
    }  // grouping ipsec-sa-grouping

    grouping ipsec-policy-grouping {
      description
        "Holds configuration information for an IPSec SPD entry.";
      leaf rule-number {
        type uint64;
        description
          "SPD index. RFC4301 does not mention an index however real implementations provide a policy index/or id to refer a policy. ";
      }

      leaf priority {
        type uint32;
        default '0';
        description "Policy priority";
      }

      list names {
        key "name";
        description "List of policy names";
        leaf name-type {
          type ipsec-spd-name;
          description "SPD name type.";
        }

        leaf name {
          type string;
          description "Policy name";
        }
      }  // list names

      container condition {
        description
          "SPD condition -> RFC4301";
        list traffic-selector-list {
          key "ts-number";
          ordered-by user;
          description
            "List of traffic selectors";
          leaf ts-number {
            type uint32;
            description
              "Traffic selector number";
          }

          leaf direction {
            type ipsec-traffic-direction;
            description "in/fwd/out";
          }

          uses selector-grouping;

          leaf selector-priority {
            type uint32;
            default '0';
            description
              "It establishes a priority to the traffic selector";
          }
        }  // list traffic-selector-list
      }  // container condition

      container processing-info {
        description
          "SPD processing -> RFC4301";
        leaf action {
          type ipsec-spd-operation;
          mandatory true;
          description
            "If the action is bypass or discard processing container ipsec-sa-cfg is empty";
        }

        container ipsec-sa-cfg {
          when "../action = 'PROTECT'";
          description
            " IPSec SA configuration container";
          leaf pfp-flag {
            type boolean;
            description
              "Each selector has with a pfp flag.";
          }

          leaf extSeqNum {
            type boolean;
            description
              "TRUE 64 bit counter, FALSE 32 bit";
          }

          leaf seqOverflow {
            type boolean;
            description
              "TRUE rekey, FALSE terminare & audit";
          }

          leaf statefulfragCheck {
            type boolean;
            description
              "TRUE stateful fragment checking, FALSE no stateful fragment checking";
          }

          leaf security-protocol {
            type ipsec-protocol;
            description
              "Security protocol of IPsec SA: Either AH or ESP.";
          }

          leaf mode {
            type ipsec-mode;
            description "transport/tunnel";
          }

          container ah-algorithms {
            when
              "../security-protocol = 'ah'";
            description "AH algoritms ";
            leaf-list ah-algorithm {
              type integrity-algorithm-t;
              description
                "Configure Authentication Header (AH).";
            }
          }  // container ah-algorithms

          container esp-algorithms {
            when
              "../security-protocol = 'esp'";
            description
              "Configure Encapsulating Security Payload (ESP).";
            leaf-list authentication {
              type integrity-algorithm-t;
              description
                "Configure ESP authentication";
            }

            leaf-list encryption {
              type encryption-algorithm-t;
              description
                "Configure ESP encryption";
            }
          }  // container esp-algorithms

          container tunnel {
            when "../mode = 'TUNNEL'";
            description
              "tunnel grouping container";
            uses tunnel-grouping;
          }  // container tunnel
        }  // container ipsec-sa-cfg
      }  // container processing-info

      container spd-lifetime {
        description
          "SPD lifetime parameters";
        leaf time-soft {
          type uint32;
          default '0';
          description "Soft time lifetime";
        }

        leaf time-hard {
          type uint32;
          default '0';
          description "Hard time lifetime";
        }

        leaf time-use-soft {
          type uint32;
          default '0';
          description "Use soft lifetime";
        }

        leaf time-use-hard {
          type uint32;
          default '0';
          description "Use hard lifetime";
        }

        leaf byte-soft {
          type uint32;
          default '0';
          description "Byte soft lifetime";
        }

        leaf byte-hard {
          type uint32;
          default '0';
          description "Hard soft lifetime";
        }

        leaf packet-soft {
          type uint32;
          default '0';
          description "Packet soft lifetime";
        }

        leaf packet-hard {
          type uint32;
          default '0';
          description "Packet hard lifetime";
        }
      }  // container spd-lifetime
    }  // grouping ipsec-policy-grouping

    grouping isakmp-proposal {
      description "ISAKMP proposal grouping";
      leaf phase1-lifetime {
        type uint32;
        mandatory true;
        description
          "lifetime for IKE Phase 1 SAs";
      }

      leaf-list phase1-authalg {
        type integrity-algorithm-t;
        description
          "Auth algorigthm for IKE Phase 1 SAs";
      }

      leaf-list phase1-encalg {
        type encryption-algorithm-t;
        description
          "Auth algorigthm for IKE Phase 1 SAs";
      }

      leaf combined-enc-intr {
        type boolean;
        description
          "Combined mode algorithms (encryption and integrity).";
      }

      leaf dh_group {
        type uint32;
        mandatory true;
        description
          "Group number for Diffie Hellman Exponentiation";
      }
    }  // grouping isakmp-proposal

    grouping phase2-info {
      description "IKE Phase 2 Information";
      leaf-list pfs_group {
        type uint32;
        description
          "If non-zero, require perfect forward secrecy
                        when requesting new SA. The non-zero value is
                        the required group number";
      }
    }  // grouping phase2-info

    grouping local-grouping {
      description
        "Configure the local peer in an IKE connection";
      container local {
        description "Local container";
        choice my-identifier-type {
          default 'ipv4';
          description "Local ID type";
          leaf ipv4 {
            type inet:ipv4-address;
            description
              "IPv4 dotted-decimal address";
          }
          leaf ipv6 {
            type inet:ipv6-address;
            description
              "numerical IPv6 address";
          }
          leaf fqdn {
            type inet:domain-name;
            description
              "Fully Qualifed Domain name ";
          }
          leaf dn {
            type string;
            description "Domain name";
          }
          leaf user_fqdn {
            type string;
            description "User FQDN";
          }
        }  // choice my-identifier-type

        leaf my-identifier {
          type string;
          mandatory true;
          description
            "Local id used for authentication";
        }
      }  // container local
    }  // grouping local-grouping

    grouping remote-grouping {
      description
        "Configure the remote peer in an IKE connection";
      container remote {
        description "Remote container";
        choice my-identifier-type {
          default 'ipv4';
          description "Local ID type";
          leaf ipv4 {
            type inet:ipv4-address;
            description
              "IPv4 dotted-decimal address";
          }
          leaf ipv6 {
            type inet:ipv6-address;
            description
              "numerical IPv6 address";
          }
          leaf fqdn {
            type inet:domain-name;
            description
              "Fully Qualifed Domain name ";
          }
          leaf dn {
            type string;
            description "Domain name";
          }
          leaf user_fqdn {
            type string;
            description "User FQDN";
          }
        }  // choice my-identifier-type

        leaf my-identifier {
          type string;
          mandatory true;
          description
            "Local id used for authentication";
        }
      }  // container remote
    }  // grouping remote-grouping

    typedef sadb-msg-type {
      type enumeration {
        enum "sadb_reserved" {
          value 0;
          description "SADB_RESERVED";
        }
        enum "sadb_getspi" {
          value 1;
          description "SADB_GETSPI";
        }
        enum "sadb_update" {
          value 2;
          description "SADB_UPDATE";
        }
        enum "sadb_add" {
          value 3;
          description "SADB_ADD";
        }
        enum "sadb_delete" {
          value 4;
          description "SADB_DELETE";
        }
        enum "sadb_get" {
          value 5;
          description "SADB_GET";
        }
        enum "sadb_acquire" {
          value 6;
          description "SADB_ACQUIRE";
        }
        enum "sadb_register" {
          value 7;
          description "SADB_REGISTER";
        }
        enum "sadb_expire" {
          value 8;
          description "SADB_EXPIRE";
        }
        enum "sadb_flush" {
          value 9;
          description "SADB_FLUSH";
        }
        enum "sadb_dump" {
          value 10;
          description "SADB_DUMP";
        }
        enum "sadb_x_promisc" {
          value 11;
          description "SADB_X_PROMISC";
        }
        enum "sadb_x_pchange" {
          value 12;
          description "SADB_X_PCHANGE";
        }
        enum "sadb_max" {
          value 13;
          description "SADB_MAX";
        }
      }
      description
        "PF_KEY base message types";
    }

    typedef sadb-msg-satype {
      type enumeration {
        enum "sadb_satype_unspec" {
          value 0;
          description "SADB_SATYPE_UNSPEC";
        }
        enum "sadb_satype_ah" {
          value 1;
          description "SADB_SATYPE_AH";
        }
        enum "sadb_satype_esp" {
          value 2;
          description "SADB_SATYPE_ESP";
        }
        enum "sadb_satype_rsvp" {
          value 3;
          description "SADB_SATYPE_RSVP";
        }
        enum "sadb_satype_ospfv2" {
          value 4;
          description "SADB_SATYPE_OSPFv2";
        }
        enum "sadb_satype_ripv2" {
          value 5;
          description "SADB_SATYPE_RIPv2";
        }
        enum "sadb_satype_mip" {
          value 6;
          description "SADB_SATYPE_MIP";
        }
        enum "sadb_satype_max" {
          value 7;
          description "SADB_SATYPE_MAX";
        }
      }
      description
        "PF_KEY Security Association types";
    }

    grouping base-grouping {
      description
        "Configuration for the  message header format";
      list base-list {
        key "version";
        description
          "Configuration for a specific message header format";
        leaf version {
          type string;
          description
            "Version of PF_KEY (MUST be PF_KEY_V2)";
        }

        leaf msg_type {
          type sadb-msg-type;
          description
            "Identifies the type of message";
        }

        leaf msg_satype {
          type sadb-msg-satype;
          description
            "Defines the type of Security Association";
        }

        leaf msg_seq {
          type uint32;
          description
            "Sequence number of this message.";
        }
      }  // list base-list
    }  // grouping base-grouping

    grouping algorithm-grouping {
      description
        "List of supported authentication and encryptation algorithms";
      list algorithm-supported {
        description
          "List for a specific algorithm";
        container authentication {
          description
            "Authentication algorithm supported";
          leaf name {
            type integrity-algorithm-t;
            description
              "Name of authentication algorithm";
          }

          leaf ivlen {
            type uint8;
            description
              "Length of the initialization vector to be used for the algorithm";
          }

          leaf min-bits {
            type uint16;
            description
              "The minimun acceptable key length, in bits";
          }

          leaf max-bits {
            type uint16;
            description
              "The maximun acceptable key length, in bits";
          }
        }  // container authentication

        container encryption {
          description
            "Encryptation algorithm supported";
          leaf name {
            type encryption-algorithm-t;
            description
              "Name of encryption algorithm";
          }

          leaf ivlen {
            type uint8;
            description
              "Length of the initialization vector to be used for the algorithm";
          }

          leaf min-bits {
            type uint16;
            description
              "The minimun acceptable key length, in bits";
          }

          leaf max-bits {
            type uint16;
            description
              "The maximun acceptable key length, in bits";
          }
        }  // container encryption
      }  // list algorithm-supported
    }  // grouping algorithm-grouping

    container ietf-ipsec {
      description "Main IPsec container ";
      container ikev2 {
        if-feature case1;
        description "Configure the IKEv2";
        container ike-connection {
          description
            "IKE connections configuration";
          list ike-conn-entries {
            key "conn-name";
            description
              "IKE peer connetion information";
            leaf conn-name {
              type string;
              mandatory true;
              description
                "Name of IKE connection";
            }

            leaf autostartup {
              type type-autostartup;
              mandatory true;
              description
                "if True: automatically start tunnel at startup; else we do lazy tunnel setup based on trigger from datapath";
            }

            leaf nat-traversal {
              type boolean;
              default 'false';
              description
                "Enable/Disable NAT traversal";
            }

            container encap {
              when
                "../nat-traversal = 'true'";
              description
                "Encapsulation container";
              leaf espencap {
                type esp-encap;
                description
                  "ESP in TCP, ESP in UDP or ESP in TLS";
              }

              leaf sport {
                type inet:port-number;
                description
                  "Encapsulation source port";
              }

              leaf dport {
                type inet:port-number;
                description
                  "Encapsulation destination port";
              }

              leaf oaddr {
                type inet:ip-address;
                description
                  "Encapsulation Original Address ";
              }
            }  // container encap

            leaf version {
              type enumeration {
                enum "ikev2" {
                  value 2;
                  description
                    "IKE version 2";
                }
              }
              description "IKE version";
            }

            uses isakmp-proposal;

            uses local-grouping;

            uses remote-grouping;

            uses phase2-info;
          }  // list ike-conn-entries
        }  // container ike-connection
      }  // container ikev2

      container ipsec {
        description "Configuration IPsec";
        container spd {
          description
            "Configure the Security Policy Database (SPD)";
          list spd-entry {
            key "rule-number";
            ordered-by user;
            description
              "List of SPD entries";
            uses ipsec-policy-grouping;
          }  // list spd-entry
        }  // container spd

        container sad {
          if-feature case2;
          description
            "Configure the IPSec Security Association Database (SAD)";
          list sad-entry {
            key "spi";
            description
              "List of SAD entries";
            uses ipsec-sa-grouping;
          }  // list sad-entry
        }  // container sad

        container pad {
          if-feature case1;
          description
            "Configure Peer Authorization Database (PAD)";
          list pad-entries {
            key "pad-entry-id";
            ordered-by user;
            description
              "Peer Authorization Database (PAD)";
            leaf pad-entry-id {
              type uint64;
              description "SAD index. ";
            }

            uses identity-grouping;

            leaf pad-auth-protocol {
              type auth-protocol-type;
              description
                "IKEv1, IKEv2, KINK, etc. ";
            }

            uses auth-method-grouping;
          }  // list pad-entries
        }  // container pad
      }  // container ipsec
    }  // container ietf-ipsec

    rpc sadb_register {
      description
        "Allows netconf to register its key socket as able to acquire new security associations for the kernel";
      input {
        uses base-grouping;
      }

      output {
        uses base-grouping;

        uses algorithm-grouping;
      }
    }  // rpc sadb_register

    notification spdb_expire {
      description "A SPD entry has expired";
      leaf index {
        type uint64;
        description
          "SPD index. RFC4301 does not mention an index however real implementations (e.g. XFRM or PFKEY_v2 with KAME extensions provide a policy index to refer a policy. ";
      }
    }  // notification spdb_expire

    notification sadb_acquire {
      description "A IPsec SA is required ";
      leaf state {
        type uint32;
        mandatory true;
        description
          "Request the creation of a SADB entry";
      }
    }  // notification sadb_acquire

    notification sadb_expire {
      description ".....";
      leaf state {
        type uint32;
        mandatory true;
        description
          "Notify the expiration of a entry in the SADB";
      }
    }  // notification sadb_expire

    notification sadb_bad-spi {
      description ".....";
      leaf state {
        type ipsec-spi;
        mandatory true;
        description "Notify when a SPI";
      }
    }  // notification sadb_bad-spi
  }  // module ietf-ipsec

Summary

  
  
Organization University of Murcia
  
Module ietf-ipsec
Version 2017-05-02
File ietf-ipsec@2017-05-02.yang
  
Prefix eipsec
Namespace urn:ietf:params:xml:ns:yang:ietf-ipsec
  
Cooked /cookedmodules/ietf-ipsec/2017-05-02
YANG /src/ietf-ipsec@2017-05-02.yang
XSD /xsd/ietf-ipsec@2017-05-02.xsd
  
Abstract Data model for IPSec
  
Contact
 Rafael Marin Lopez
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501
e-mail: rafa@um.es

Gabriel Lopez Millan
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Tel: +34 868888504
email: gabilm@um.es

Description

 
Data model for IPSec

Typedefs

Typedef Base type Abstract
auth-method-type enumeration Peer authentication method
auth-protocol-type enumeration Peer authentication protocols
encryption-algorithm-t enumeration Encryption algorithms -> RFC_5996
esp-encap enumeration type defining types of ESP encapsulation
integrity-algorithm-t enumeration Integrity Algorithms -> RFC_5996
ipsec-mode enumeration type define of ipsec mode
ipsec-next-layer-proto enumeration Next layer proto on top of IP
ipsec-protocol enumeration type define of ipsec security protocol
ipsec-spd-name enumeration IPsec SPD name type
ipsec-spd-operation enumeration The operation when traffic matches IPsec security policy
ipsec-spi uint32 SPI
ipsec-traffic-direction enumeration IPsec traffic direction
lifetime-action enumeration Action when lifetime expiration
sadb-msg-satype enumeration PF_KEY Security Association types
sadb-msg-type enumeration PF_KEY base message types
type-autostartup enumeration Different types of how IKEv2 starts the IPsec SAs

Groupings

Grouping Objects Abstract
algorithm-grouping algorithm-supported List of supported authentication and encryptation algorithms
auth-method-grouping auth-method Peer authentication method data
base-grouping base-list Configuration for the message header format
identity-grouping identity Identification type. It is an union identity
ip-addr-range start end IP address range grouping
ipsec-policy-grouping rule-number priority names condition processing-info spd-lifetime Holds configuration information for an IPSec SPD entry.
ipsec-sa-grouping spi seq-number seq-number-overflow-flag anti-replay-window rule-number local-addresses remote-addresses next-layer-protocol local-ports remote-portssecurity-protocol ah-sa esp-sa sa-lifetime mode statefulfragCheck dscp tunnel path-mtu encap Configure Security Association (SA). Section 4.4.2.1 in RFC 4301
isakmp-proposal phase1-lifetime phase1-authalg phase1-encalg combined-enc-intr dh_group ISAKMP proposal grouping
local-grouping local Configure the local peer in an IKE connection
phase2-info pfs_group IKE Phase 2 Information
port-range start end Port range grouping
remote-grouping remote Configure the remote peer in an IKE connection
selector-grouping local-addresses remote-addresses next-layer-protocol local-ports remote-ports Traffic selector grouping
tunnel-grouping local remote bypass-df bypass-dscp dscp-mapping ecn Tunnel mode grouping

Objects

Type Key
Mandatory config
Optional config
Not config
Object Type Abstract
ietf-ipsec container Main IPsec container
   ikev2 container Configure the IKEv2
      ike-connection container IKE connections configuration
         ike-conn-entries list IKE peer connetion information
            autostartup leaf if True: automatically start tunnel at startup; else we do lazy tunnel setup based on trigger from datapath
            combined-enc-intr leaf Combined mode algorithms (encryption and integrity).
            conn-name leaf Name of IKE connection
            dh_group leaf Group number for Diffie Hellman Exponentiation
            encap container Encapsulation container
               dport leaf Encapsulation destination port
               espencap leaf ESP in TCP, ESP in UDP or ESP in TLS
               oaddr leaf Encapsulation Original Address
               sport leaf Encapsulation source port
            local container Local container
               my-identifier leaf Local id used for authentication
               my-identifier-type choice Local ID type
                  dn case dn
                     dn leaf Domain name
                  fqdn case fqdn
                     fqdn leaf Fully Qualifed Domain name
                  ipv4 case ipv4
                     ipv4 leaf IPv4 dotted-decimal address
                  ipv6 case ipv6
                     ipv6 leaf numerical IPv6 address
                  user_fqdn case user_fqdn
                     user_fqdn leaf User FQDN
            nat-traversal leaf Enable/Disable NAT traversal
            pfs_group leaf-list If non-zero, require perfect forward secrecy when requesting new SA. The non-zero value is the required group number
            phase1-authalg leaf-list Auth algorigthm for IKE Phase 1 SAs
            phase1-encalg leaf-list Auth algorigthm for IKE Phase 1 SAs
            phase1-lifetime leaf lifetime for IKE Phase 1 SAs
            remote container Remote container
               my-identifier leaf Local id used for authentication
               my-identifier-type choice Local ID type
                  dn case dn
                     dn leaf Domain name
                  fqdn case fqdn
                     fqdn leaf Fully Qualifed Domain name
                  ipv4 case ipv4
                     ipv4 leaf IPv4 dotted-decimal address
                  ipv6 case ipv6
                     ipv6 leaf numerical IPv6 address
                  user_fqdn case user_fqdn
                     user_fqdn leaf User FQDN
            version leaf IKE version
   ipsec container Configuration IPsec
      pad container Configure Peer Authorization Database (PAD)
         pad-entries list Peer Authorization Database (PAD)
            auth-method container Peer authentication method container
               auth-m leaf Type of authentication method (preshared, rsa, etc.)
               pre-shared container Shared secret value
                  secret leaf Pre-shared secret value
               rsa-signature container RSA signature container
                  ca-data leaf-list List of trusted CA certs - PEM
                  ca-file leaf List of trusted CA certs file
                  cert-data leaf X.509 certificate data - PEM4
                  cert-file leaf X.509 certificate file
                  crl-data leaf X.509 CRL certificate data in base64
                  crl-file leaf X.509 CRL certificate file
                  key-data leaf RSA private key data - PEM
                  key-file leaf RSA private key file name
            identity choice Choice of identity.
               dnX509 case dnX509
                  dnX509 leaf Specifies the identity as a distinguished name in the X.509 tradition.
               fqdn-string case fqdn-string
                  fqdn-string leaf Specifies the identity as a Fully-Qualified Domain Name (FQDN) string. An example is: example.com. The string MUST not contain any terminators (e.g., NULL, CR, etc.).
               id_key case id_key
                  id_key leaf Key id
               ipv4-address case ipv4-address
                  ipv4-address leaf Specifies the identity as a single four (4) octet IPv4 address. An example is, 10.10.10.10.
               ipv6-address case ipv6-address
                  ipv6-address leaf Specifies the identity as a single sixteen (16) octet IPv6 address. An example is FF01::101, 2001:DB8:0:0:8:800:200C:417A .
               rfc822-address-string case rfc822-address-string
                  rfc822-address-string leaf Specifies the identity as a fully-qualified RFC822 email address string. An example is, jsmith@example.com. The string MUST not contain any terminators (e.g., NULL, CR, etc.).
            pad-auth-protocol leaf IKEv1, IKEv2, KINK, etc.
            pad-entry-id leaf SAD index.
      sad container Configure the IPSec Security Association Database (SAD)
         sad-entry list List of SAD entries
            ah-sa container Configure Authentication Header (AH) for SA
               integrity container Configure integrity for IPSec Authentication Header (AH)
                  integrity-algorithm leaf Configure Authentication Header (AH).
                  key leaf AH key value
            anti-replay-window leaf Anti replay window
            dscp leaf DSCP value
            encap container Encapsulation container
               dport leaf Encapsulation destination port
               espencap leaf ESP in TCP, ESP in UDP or ESP in TLS
               oaddr leaf Encapsulation Original Address
               sport leaf Encapsulation source port
            esp-sa container Set IPSec Encapsulation Security Payload (ESP)
               combined-enc-intr leaf ESP combined mode algorithms. The algorithm is specified in encryption-algorithm in the container encryption
               encryption container Configure encryption for IPSec Encapsulation Secutiry Payload (ESP)
                  encryption-algorithm leaf Configure ESP encryption
                  iv leaf ESP encryption IV value
                  key leaf ESP encryption key value
               integrity container Configure authentication for IPSec Encapsulation Secutiry Payload (ESP)
                  integrity-algorithm leaf Configure Authentication Header (AH).
                  key leaf ESP integrity key value
            local-addresses list List of local addresses
               end leaf End IP address
               start leaf Start IP address
            local-ports list List of local ports
               end leaf End IP address
               start leaf Start IP address
            mode leaf SA Mode
            next-layer-protocol leaf-list List of Next Layer Protocol
            path-mtu leaf Maximum size of an IPsec packet that can be transmitted without fragmentation
            remote-addresses list List of remote addresses
               end leaf End IP address
               start leaf Start IP address
            remote-ports list List of remote ports
               end leaf End IP address
               start leaf Start IP address
            rule-number leaf This value links the SA with the SPD entry
            sa-lifetime container This may be expressed as a time or byte count, or a simultaneous use of both with the first lifetime to expire taking precedence
               action leaf action lifetime
               byte-hard leaf Byte hard lifetime
               byte-soft leaf Byte soft lifetime
               packet-hard leaf Packet hard lifetime
               packet-soft leaf Packet soft lifetime
               time-hard leaf Hard time lifetime
               time-soft leaf Soft time lifetime
               time-use-hard leaf Use Hard time lifetime
               time-use-soft leaf Use Soft time lifetime
            security-protocol leaf Security protocol of IPsec SA: Either AH or ESP.
            seq-number leaf Current sequence number of IPsec packet.
            seq-number-overflow-flag leaf The flag indicating whether overflow of the sequence number counter should prevent transmission of additional packets on the SA, or whether rollover is permitted.
            spi leaf Security Parameter Index
            statefulfragCheck leaf TRUE stateful fragment checking, FALSE no stateful fragment checking
            tunnel container Container for tunnel grouping
               bypass-df leaf bypass DF bit
               bypass-dscp leaf bypass DSCP
               dscp-mapping leaf DSCP mapping
               ecn leaf Bit ECN
               local leaf Local tunnel endpoint
               remote leaf Remote tunnel enpoint
      spd container Configure the Security Policy Database (SPD)
         spd-entry list List of SPD entries
            condition container SPD condition -> RFC4301
               traffic-selector-list list List of traffic selectors
                  direction leaf in/fwd/out
                  local-addresses list List of local addresses
                     end leaf End IP address
                     start leaf Start IP address
                  local-ports list List of local ports
                     end leaf End IP address
                     start leaf Start IP address
                  next-layer-protocol leaf-list List of Next Layer Protocol
                  remote-addresses list List of remote addresses
                     end leaf End IP address
                     start leaf Start IP address
                  remote-ports list List of remote ports
                     end leaf End IP address
                     start leaf Start IP address
                  selector-priority leaf It establishes a priority to the traffic selector
                  ts-number leaf Traffic selector number
            names list List of policy names
               name leaf Policy name
               name-type leaf SPD name type.
            priority leaf Policy priority
            processing-info container SPD processing -> RFC4301
               action leaf If the action is bypass or discard processing container ipsec-sa-cfg is empty
               ipsec-sa-cfg container IPSec SA configuration container
                  ah-algorithms container AH algoritms
                     ah-algorithm leaf-list Configure Authentication Header (AH).
                  esp-algorithms container Configure Encapsulating Security Payload (ESP).
                     authentication leaf-list Configure ESP authentication
                     encryption leaf-list Configure ESP encryption
                  extSeqNum leaf TRUE 64 bit counter, FALSE 32 bit
                  mode leaf transport/tunnel
                  pfp-flag leaf Each selector has with a pfp flag.
                  security-protocol leaf Security protocol of IPsec SA: Either AH or ESP.
                  seqOverflow leaf TRUE rekey, FALSE terminare & audit
                  statefulfragCheck leaf TRUE stateful fragment checking, FALSE no stateful fragment checking
                  tunnel container tunnel grouping container
                     bypass-df leaf bypass DF bit
                     bypass-dscp leaf bypass DSCP
                     dscp-mapping leaf DSCP mapping
                     ecn leaf Bit ECN
                     local leaf Local tunnel endpoint
                     remote leaf Remote tunnel enpoint
            rule-number leaf SPD index. RFC4301 does not mention an index however real implementations provide a policy index/or id to refer a policy.
            spd-lifetime container SPD lifetime parameters
               byte-hard leaf Hard soft lifetime
               byte-soft leaf Byte soft lifetime
               packet-hard leaf Packet hard lifetime
               packet-soft leaf Packet soft lifetime
               time-hard leaf Hard time lifetime
               time-soft leaf Soft time lifetime
               time-use-hard leaf Use hard lifetime
               time-use-soft leaf Use soft lifetime

RPC Methods

RPC Abstract
sadb_register Allows netconf to register its key socket as able to acquire new security associations for the kernel

Notifications

Notification Abstract
sadb_acquire A IPsec SA is required
sadb_bad-spi .....
sadb_expire .....
spdb_expire A SPD entry has expired