netconfcentral logo

ietf-ipsec@2017-05-02



  module ietf-ipsec {

    yang-version 1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-ipsec";

    prefix eipsec;

    import ietf-inet-types {
      prefix inet;
    }
    import ietf-yang-types {
      prefix yang;
    }

    organization "University of Murcia";

    contact
      " Rafael Marin Lopez
   Dept. Information and Communications Engineering (DIIC)
   Faculty of Computer Science-University of Murcia
   30100 Murcia - Spain
   Telf: +34868888501
   e-mail: rafa@um.es

   Gabriel Lopez Millan
   Dept. Information and Communications Engineering (DIIC)
   Faculty of Computer Science-University of Murcia
   30100 Murcia - Spain
   Tel: +34 868888504
   email: gabilm@um.es
   ";

    description "Data model for IPSec";

    revision "2017-05-02" {
      description "Initial revision.";
      reference
        "";

    }


    feature case1 {
      description
        "feature case 1: IKE SPD PAD";
    }

    feature case2 {
      description "feature case 2: SPD SAD";
    }

    typedef encryption-algorithm-t {
      type enumeration {
        enum "reserved-0" {
          value 0;
          description "reserved";
        }
        enum "des-iv4" {
          value 1;
          description "DES IV 4";
        }
        enum "des" {
          value 2;
          description "DES";
        }
        enum "3des" {
          value 3;
          description "3DES";
        }
        enum "rc5" {
          value 4;
          description "RC5";
        }
        enum "idea" {
          value 5;
          description "IDEA";
        }
        enum "cast" {
          value 6;
          description "CAST";
        }
        enum "blowfish" {
          value 7;
          description "BlowFish";
        }
        enum "3idea" {
          value 8;
          description "3IDEA";
        }
        enum "des-iv32" {
          value 9;
          description "DES-IV32";
        }
        enum "reserved-10" {
          value 10;
          description "reserved-10";
        }
        enum "null" {
          value 11;
          description "NULL";
        }
        enum "aes-cbc" {
          value 12;
          description "AES-CBC";
        }
        enum "aes-ctr" {
          value 13;
          description "AES-CTR";
        }
        enum "aes-ccm-8" {
          value 14;
          description "AES-CCM-8";
        }
        enum "aes-ccm-12" {
          value 15;
          description "AES-CCM-12";
        }
        enum "aes-ccm-16" {
          value 16;
          description "AES-CCM-16";
        }
        enum "reserved-17" {
          value 17;
          description "reserved-17";
        }
        enum "aes-gcm-8-icv" {
          value 18;
          description "AES-GCM-8-ICV";
        }
        enum "aes-gcm-12-icv" {
          value 19;
          description "AES-GCM-12-ICV";
        }
        enum "aes-gcm-16-icv" {
          value 20;
          description "AES-GCM-16-ICV";
        }
        enum "null-auth-aes-gmac" {
          value 21;
          description "Null-Auth-AES-GMAC";
        }
        enum "ieee-p1619-xts-aes" {
          value 22;
          description
            "encr-ieee-p1619-xts-aes -> Reserved for IEEE P1619 XTS-AES.";
        }
        enum "camellia-cbc" {
          value 23;
          description "CAMELLIA-CBC";
        }
        enum "camellia-ctr" {
          value 24;
          description "CAMELLIA.CTR";
        }
        enum "camellia-ccm-8-icv" {
          value 25;
          description "CAMELLIA-CCM-8-ICV";
        }
        enum "camellia-ccm-12-icv" {
          value 26;
          description "CAMELLIA-CCM-12-ICV";
        }
        enum "camellia-ccm-16-icv" {
          value 27;
          description "CAMELLIA-CCM-16-ICV";
        }
        enum "aes-cbc-128" {
          value 28;
          description "AES-CBC-128";
        }
        enum "aes-cbc-192" {
          value 29;
          description "AES-CBC-192";
        }
        enum "aes-cbc-256" {
          value 30;
          description "AES-CBC-256";
        }
        enum "blowfish-128" {
          value 31;
          description "BlowFish-128";
        }
        enum "blowfish-192" {
          value 32;
          description "BlowFish-192";
        }
        enum "blowfish-256" {
          value 33;
          description "BlowFish-256";
        }
        enum "blowfish-448" {
          value 34;
          description "BlowFish-448";
        }
        enum "camellia-128" {
          value 35;
          description "CAMELLIA-128";
        }
        enum "camellia-192" {
          value 36;
          description "CAMELLIA-192";
        }
        enum "camellia-256" {
          value 37;
          description "CAMELLIA-256";
        }
        enum "AES-GCM-16-ICV" {
          value 38;
          description
            "AES-GCM-16-ICV (AEAD)";
        }
        enum "AES-CCM" {
          value 39;
          description "AES-CCM (AEAD)";
        }
      }
      description
        "Encryption algorithms -> RFC_5996";
    }

    typedef integrity-algorithm-t {
      type enumeration {
        enum "none" {
          value 0;
          description "NONE";
        }
        enum "hmac-md5-96" {
          value 1;
          description "HMAC-MD5-96";
        }
        enum "hmac-sha1-96" {
          value 2;
          description "HMAC-SHA1-96";
        }
        enum "des-mac" {
          value 3;
          description "DES-MAC";
        }
        enum "kpdk-md5" {
          value 4;
          description "KPDK-MD5";
        }
        enum "aes-xcbc-96" {
          value 5;
          description "AES-XCBC-96";
        }
        enum "hmac-md5-128" {
          value 6;
          description "HMAC-MD5-128";
        }
        enum "hmac-sha1-160" {
          value 7;
          description "HMAC-SHA1-160";
        }
        enum "aes-cmac-96" {
          value 8;
          description "AES-CMAC-96";
        }
        enum "aes-128-gmac" {
          value 9;
          description "AES-128-GMAC";
        }
        enum "aes-192-gmac" {
          value 10;
          description "AES-192-GMAC";
        }
        enum "aes-256-gmac" {
          value 11;
          description "AES-256-GMAC";
        }
        enum "hmac-sha2-256-128" {
          value 12;
          description "HMAC-SHA2-256-128";
        }
        enum "hmac-sha2-384-192" {
          value 13;
          description "HMAC-SHA2-384-192";
        }
        enum "hmac-sha2-512-256" {
          value 14;
          description "HMAC-SHA2-512-256";
        }
        enum "hmac-sha2-256-96" {
          value 15;
          description "HMAC-SHA2-256-096";
        }
      }
      description
        "Integrity Algorithms -> RFC_5996";
    }

    typedef type-autostartup {
      type enumeration {
        enum "ALWAYSON" {
          value 0;
          description " ";
        }
        enum "INITIATE-ON-DEMAND" {
          value 1;
          description " ";
        }
        enum "RESPOND-ONLY" {
          value 2;
          description " ";
        }
      }
      description
        "Different types of how IKEv2 starts the IPsec SAs";
    }

    typedef auth-protocol-type {
      type enumeration {
        enum "IKEv1" {
          value 0;
          description
            "Authentication protocol based on IKEv1";
        }
        enum "IKEv2" {
          value 1;
          description
            "Authentication protocol based on IKEv2";
        }
        enum "KINK" {
          value 2;
          description
            "Authentication protocol based on KINK";
        }
      }
      description
        "Peer authentication protocols";
    }

    typedef ipsec-mode {
      type enumeration {
        enum "TRANSPORT" {
          value 0;
          description "Transport mode";
        }
        enum "TUNNEL" {
          value 1;
          description "Tunnel mode";
        }
        enum "BEET" {
          value 2;
          description
            "Bound End-to-End Tunnel (BEET) mode for ESP.";
        }
        enum "RO" {
          value 3;
          description
            "Route Optimization mode for Mobile IPv6";
        }
        enum "IN_TRIGGER" {
          value 4;
          description
            "In trigger mode for Mobile IPv6";
        }
      }
      description
        "type define of ipsec mode";
    }

    typedef esp-encap {
      type enumeration {
        enum "ESPINTCP" {
          value 0;
          description
            "ESP in TCP encapulation.";
        }
        enum "ESPINTLS" {
          value 1;
          description
            "ESP in TCP encapsulation using TLS.";
        }
        enum "ESPINUDP" {
          value 2;
          description
            "ESP in UDP encapsulation. RFC 3948 ";
        }
      }
      description
        "type defining types of ESP encapsulation";
    }

    typedef ipsec-protocol {
      type enumeration {
        enum "ah" {
          value 0;
          description "AH Protocol";
        }
        enum "esp" {
          value 1;
          description "ESP Protocol";
        }
        enum "comp" {
          value 2;
          description "IP Compression";
        }
        enum "route2" {
          value 3;
          description
            "Routing Header type 2. Mobile IPv6";
        }
        enum "hao" {
          value 4;
          description "Home Agent Option";
        }
      }
      description
        "type define of ipsec security protocol";
    }

    typedef ipsec-spi {
      type uint32 {
        range "1..max";
      }
      description "SPI";
    }

    typedef lifetime-action {
      type enumeration {
        enum "terminate" {
          value 0;
          description
            "Terminate the IPsec SA";
        }
        enum "replace" {
          value 1;
          description
            "Replace the IPsec SA with a new one";
        }
      }
      description
        "Action when lifetime expiration";
    }

    typedef ipsec-traffic-direction {
      type enumeration {
        enum "INBOUND" {
          value 0;
          description "Inbound traffic";
        }
        enum "OUTBOUND" {
          value 1;
          description "Outbound traffic";
        }
        enum "FORWARD" {
          value 2;
          description "Forwarded traffic";
        }
      }
      description "IPsec traffic direction";
    }

    typedef ipsec-spd-operation {
      type enumeration {
        enum "PROTECT" {
          value 0;
          description
            "PROTECT the traffic with IPsec";
        }
        enum "BYPASS" {
          value 1;
          description "BYPASS the traffic";
        }
        enum "DISCARD" {
          value 2;
          description "DISCARD the traffic";
        }
      }
      description
        "The operation when traffic matches IPsec security policy";
    }

    typedef ipsec-next-layer-proto {
      type enumeration {
        enum "TCP" {
          value 0;
          description
            "PROTECT the traffic with IPsec";
        }
        enum "UDP" {
          value 1;
          description "BYPASS the traffic";
        }
        enum "SCTP" {
          value 2;
          description
            "PROTECT the traffic with IPsec";
        }
        enum "DCCP" {
          value 3;
          description
            "PROTECT the traffic with IPsec";
        }
        enum "ICMP" {
          value 4;
          description
            "PROTECT the traffic with IPsec";
        }
        enum "IPv6-ICMP" {
          value 5;
          description
            "PROTECT the traffic with IPsec";
        }
        enum "MH" {
          value 6;
          description
            "PROTECT the traffic with IPsec";
        }
        enum "GRE" {
          value 7;
          description
            "PROTECT the traffic with IPsec";
        }
      }
      description
        "Next layer proto on top of IP";
    }

    typedef ipsec-spd-name {
      type enumeration {
        enum "id_rfc_822_addr" {
          value 0;
          description
            "Fully qualified user name string.";
        }
        enum "id_fqdn" {
          value 1;
          description
            "Fully qualified DNS name.";
        }
        enum "id_der_asn1_dn" {
          value 2;
          description
            "X.500 distinguished name.";
        }
        enum "id_key" {
          value 3;
          description "IKEv2 Key ID.";
        }
      }
      description "IPsec SPD name type";
    }

    typedef auth-method-type {
      type enumeration {
        enum "pre-shared" {
          value 0;
          description
            "Select pre-shared key message as the authentication method";
        }
        enum "rsa-signature" {
          value 1;
          description
            "Select rsa digital signature as the authentication method";
        }
        enum "dss-signature" {
          value 2;
          description
            "Select dss digital signature as the authentication method";
        }
        enum "eap" {
          value 3;
          description
            "Select EAP as the authentication method";
        }
      }
      description
        "Peer authentication method";
    }

    grouping auth-method-grouping {
      description
        "Peer authentication method data";
      container auth-method {
        description
          "Peer authentication method container";
        leaf auth-m {
          type auth-method-type;
          description
            "Type of authentication method (preshared, rsa, etc.)";
        }

        container pre-shared {
          when "../auth-m = 'pre-shared'";
          description "Shared secret value";
          leaf secret {
            type string;
            description
              "Pre-shared secret value";
          }
        }  // container pre-shared

        container rsa-signature {
          when "../auth-m = 'rsa-signature'";
          description
            "RSA signature container";
          leaf key-data {
            type string;
            description
              "RSA private key data - PEM";
          }

          leaf key-file {
            type string;
            description
              "RSA private key file name ";
          }

          leaf-list ca-data {
            type string;
            description
              "List of trusted CA certs - PEM";
          }

          leaf ca-file {
            type string;
            description
              "List of trusted CA certs file";
          }

          leaf cert-data {
            type string;
            description
              "X.509 certificate data - PEM4";
          }

          leaf cert-file {
            type string;
            description
              "X.509 certificate file";
          }

          leaf crl-data {
            type string;
            description
              "X.509 CRL certificate data in base64";
          }

          leaf crl-file {
            type string;
            description
              " X.509 CRL certificate file";
          }
        }  // container rsa-signature
      }  // container auth-method
    }  // grouping auth-method-grouping

    grouping identity-grouping {
      description
        "Identification type. It is an union identity";
      choice identity {
        description "Choice of identity.";
        leaf ipv4-address {
          type inet:ipv4-address;
          description
            "Specifies the identity as a single four (4) octet IPv4 address. An example is, 10.10.10.10. ";
        }
        leaf ipv6-address {
          type inet:ipv6-address;
          description
            "Specifies the identity as a single sixteen (16) octet IPv6 address. An example is FF01::101, 2001:DB8:0:0:8:800:200C:417A .";
        }
        leaf fqdn-string {
          type inet:domain-name;
          description
            "Specifies the identity as a Fully-Qualified Domain Name (FQDN) string. An example is: example.com. The string MUST not contain any terminators (e.g., NULL, CR, etc.).";
        }
        leaf rfc822-address-string {
          type string;
          description
            "Specifies the identity as a fully-qualified RFC822 email address string. An example is, jsmith@example.com. The string MUST not contain any terminators (e.g., NULL, CR, etc.).";
        }
        leaf dnX509 {
          type string;
          description
            "Specifies the identity as a distinguished name in the X.509 tradition.";
        }
        leaf id_key {
          type string;
          description "Key id";
        }
      }  // choice identity
    }  // grouping identity-grouping

    grouping ip-addr-range {
      description
        "IP address range grouping";
      leaf start {
        type inet:ip-address;
        description "Start IP address";
      }

      leaf end {
        type inet:ip-address;
        description "End IP address";
      }
    }  // grouping ip-addr-range

    grouping port-range {
      description "Port range grouping";
      leaf start {
        type inet:port-number;
        description "Start IP address";
      }

      leaf end {
        type inet:port-number;
        description "End IP address";
      }
    }  // grouping port-range

    grouping tunnel-grouping {
      description "Tunnel mode grouping";
      leaf local {
        type inet:ip-address;
        description "Local tunnel endpoint";
      }

      leaf remote {
        type inet:ip-address;
        description "Remote tunnel enpoint";
      }

      leaf bypass-df {
        type boolean;
        description "bypass DF bit";
      }

      leaf bypass-dscp {
        type boolean;
        description "bypass DSCP";
      }

      leaf dscp-mapping {
        type yang:hex-string;
        description "DSCP mapping";
      }

      leaf ecn {
        type boolean;
        description "Bit ECN";
      }
    }  // grouping tunnel-grouping

    grouping selector-grouping {
      description
        "Traffic selector grouping";
      list local-addresses {
        key "start end";
        description
          "List of local addresses";
        uses ip-addr-range;
      }  // list local-addresses

      list remote-addresses {
        key "start end";
        description
          "List of remote addresses";
        uses ip-addr-range;
      }  // list remote-addresses

      leaf-list next-layer-protocol {
        type ipsec-next-layer-proto;
        description
          "List of Next Layer Protocol";
      }

      list local-ports {
        key "start end";
        description "List of local ports";
        uses port-range;
      }  // list local-ports

      list remote-ports {
        key "start end";
        description "List of remote ports";
        uses port-range;
      }  // list remote-ports
    }  // grouping selector-grouping

    grouping ipsec-sa-grouping {
      description
        "Configure Security Association (SA). Section 4.4.2.1 in RFC 4301";
      leaf spi {
        type ipsec-spi;
        description
          "Security Parameter Index";
      }

      leaf seq-number {
        type uint64;
        description
          "Current sequence number of IPsec packet.";
      }

      leaf seq-number-overflow-flag {
        type boolean;
        description
          "The flag indicating whether overflow of the sequence number counter should prevent transmission of additional packets on the SA, or whether rollover is permitted.";
      }

      leaf anti-replay-window {
        type uint16 {
          range "0 | 32..1024";
        }
        description "Anti replay window";
      }

      leaf rule-number {
        type uint32;
        description
          "This value links the SA with the SPD entry";
      }

      uses selector-grouping;

      leaf security-protocol {
        type ipsec-protocol;
        description
          "Security protocol of IPsec SA: Either AH or ESP.";
      }

      container ah-sa {
        when "../security-protocol = 'ah'";
        description
          "Configure Authentication Header (AH) for SA";
        container integrity {
          description
            "Configure integrity for IPSec Authentication Header (AH)";
          leaf integrity-algorithm {
            type integrity-algorithm-t;
            description
              "Configure Authentication Header (AH).";
          }

          leaf key {
            type string;
            description "AH key value";
          }
        }  // container integrity
      }  // container ah-sa

      container esp-sa {
        when "../security-protocol = 'esp'";
        description
          "Set IPSec Encapsulation Security Payload (ESP)";
        container encryption {
          description
            "Configure encryption for IPSec Encapsulation Secutiry Payload (ESP)";
          leaf encryption-algorithm {
            type encryption-algorithm-t;
            description
              "Configure ESP encryption";
          }

          leaf key {
            type string;
            description
              "ESP encryption key value";
          }

          leaf iv {
            type string;
            description
              "ESP encryption IV value";
          }
        }  // container encryption

        container integrity {
          description
            "Configure authentication for IPSec Encapsulation Secutiry Payload (ESP)";
          leaf integrity-algorithm {
            type integrity-algorithm-t;
            description
              "Configure Authentication Header (AH).";
          }

          leaf key {
            type string;
            description
              "ESP integrity key value";
          }
        }  // container integrity

        leaf combined-enc-intr {
          type boolean;
          description
            "ESP combined mode algorithms. The algorithm is specified in encryption-algorithm in the container encryption";
        }
      }  // container esp-sa

      container sa-lifetime {
        description
          "This may be expressed as a time or byte count, or a simultaneous use of both with the first lifetime to expire taking precedence";
        leaf time-soft {
          type uint32;
          default '0';
          description "Soft time lifetime";
        }

        leaf time-hard {
          type uint32;
          default '0';
          description "Hard time lifetime";
        }

        leaf time-use-soft {
          type uint32;
          default '0';
          description
            "Use Soft time lifetime";
        }

        leaf time-use-hard {
          type uint32;
          default '0';
          description
            "Use Hard time lifetime";
        }

        leaf byte-soft {
          type uint32;
          default '0';
          description "Byte soft lifetime";
        }

        leaf byte-hard {
          type uint32;
          default '0';
          description "Byte hard lifetime";
        }

        leaf packet-soft {
          type uint32;
          default '0';
          description "Packet soft lifetime";
        }

        leaf packet-hard {
          type uint32;
          default '0';
          description "Packet hard lifetime";
        }

        leaf action {
          type lifetime-action;
          description "action lifetime";
        }
      }  // container sa-lifetime

      leaf mode {
        type ipsec-mode;
        description "SA Mode";
      }

      leaf statefulfragCheck {
        type boolean;
        description
          "TRUE stateful fragment checking, FALSE no stateful fragment checking";
      }

      leaf dscp {
        type yang:hex-string;
        description "DSCP value";
      }

      container tunnel {
        when "../mode = 'TUNNEL'";
        description
          "Container for tunnel grouping";
        uses tunnel-grouping;
      }  // container tunnel

      leaf path-mtu {
        type uint16;
        description
          "Maximum size of an IPsec packet that can be transmitted without fragmentation";
      }

      container encap {
        description
          "Encapsulation container";
        leaf espencap {
          type esp-encap;
          description
            "ESP in TCP, ESP in UDP or ESP in TLS";
        }

        leaf sport {
          type inet:port-number;
          description
            "Encapsulation source port";
        }

        leaf dport {
          type inet:port-number;
          description
            "Encapsulation destination port";
        }

        leaf oaddr {
          type inet:ip-address;
          description
            "Encapsulation Original Address ";
        }
      }  // container encap
    }  // grouping ipsec-sa-grouping

    grouping ipsec-policy-grouping {
      description
        "Holds configuration information for an IPSec SPD entry.";
      leaf rule-number {
        type uint64;
        description
          "SPD index. RFC4301 does not mention an index however real implementations provide a policy index/or id to refer a policy. ";
      }

      leaf priority {
        type uint32;
        default '0';
        description "Policy priority";
      }

      list names {
        key "name";
        description "List of policy names";
        leaf name-type {
          type ipsec-spd-name;
          description "SPD name type.";
        }

        leaf name {
          type string;
          description "Policy name";
        }
      }  // list names

      container condition {
        description
          "SPD condition -> RFC4301";
        list traffic-selector-list {
          key "ts-number";
          ordered-by user;
          description
            "List of traffic selectors";
          leaf ts-number {
            type uint32;
            description
              "Traffic selector number";
          }

          leaf direction {
            type ipsec-traffic-direction;
            description "in/fwd/out";
          }

          uses selector-grouping;

          leaf selector-priority {
            type uint32;
            default '0';
            description
              "It establishes a priority to the traffic selector";
          }
        }  // list traffic-selector-list
      }  // container condition

      container processing-info {
        description
          "SPD processing -> RFC4301";
        leaf action {
          type ipsec-spd-operation;
          mandatory true;
          description
            "If the action is bypass or discard processing container ipsec-sa-cfg is empty";
        }

        container ipsec-sa-cfg {
          when "../action = 'PROTECT'";
          description
            " IPSec SA configuration container";
          leaf pfp-flag {
            type boolean;
            description
              "Each selector has with a pfp flag.";
          }

          leaf extSeqNum {
            type boolean;
            description
              "TRUE 64 bit counter, FALSE 32 bit";
          }

          leaf seqOverflow {
            type boolean;
            description
              "TRUE rekey, FALSE terminare & audit";
          }

          leaf statefulfragCheck {
            type boolean;
            description
              "TRUE stateful fragment checking, FALSE no stateful fragment checking";
          }

          leaf security-protocol {
            type ipsec-protocol;
            description
              "Security protocol of IPsec SA: Either AH or ESP.";
          }

          leaf mode {
            type ipsec-mode;
            description "transport/tunnel";
          }

          container ah-algorithms {
            when
              "../security-protocol = 'ah'";
            description "AH algoritms ";
            leaf-list ah-algorithm {
              type integrity-algorithm-t;
              description
                "Configure Authentication Header (AH).";
            }
          }  // container ah-algorithms

          container esp-algorithms {
            when
              "../security-protocol = 'esp'";
            description
              "Configure Encapsulating Security Payload (ESP).";
            leaf-list authentication {
              type integrity-algorithm-t;
              description
                "Configure ESP authentication";
            }

            leaf-list encryption {
              type encryption-algorithm-t;
              description
                "Configure ESP encryption";
            }
          }  // container esp-algorithms

          container tunnel {
            when "../mode = 'TUNNEL'";
            description
              "tunnel grouping container";
            uses tunnel-grouping;
          }  // container tunnel
        }  // container ipsec-sa-cfg
      }  // container processing-info

      container spd-lifetime {
        description
          "SPD lifetime parameters";
        leaf time-soft {
          type uint32;
          default '0';
          description "Soft time lifetime";
        }

        leaf time-hard {
          type uint32;
          default '0';
          description "Hard time lifetime";
        }

        leaf time-use-soft {
          type uint32;
          default '0';
          description "Use soft lifetime";
        }

        leaf time-use-hard {
          type uint32;
          default '0';
          description "Use hard lifetime";
        }

        leaf byte-soft {
          type uint32;
          default '0';
          description "Byte soft lifetime";
        }

        leaf byte-hard {
          type uint32;
          default '0';
          description "Hard soft lifetime";
        }

        leaf packet-soft {
          type uint32;
          default '0';
          description "Packet soft lifetime";
        }

        leaf packet-hard {
          type uint32;
          default '0';
          description "Packet hard lifetime";
        }
      }  // container spd-lifetime
    }  // grouping ipsec-policy-grouping

    grouping isakmp-proposal {
      description "ISAKMP proposal grouping";
      leaf phase1-lifetime {
        type uint32;
        mandatory true;
        description
          "lifetime for IKE Phase 1 SAs";
      }

      leaf-list phase1-authalg {
        type integrity-algorithm-t;
        description
          "Auth algorigthm for IKE Phase 1 SAs";
      }

      leaf-list phase1-encalg {
        type encryption-algorithm-t;
        description
          "Auth algorigthm for IKE Phase 1 SAs";
      }

      leaf combined-enc-intr {
        type boolean;
        description
          "Combined mode algorithms (encryption and integrity).";
      }

      leaf dh_group {
        type uint32;
        mandatory true;
        description
          "Group number for Diffie Hellman Exponentiation";
      }
    }  // grouping isakmp-proposal

    grouping phase2-info {
      description "IKE Phase 2 Information";
      leaf-list pfs_group {
        type uint32;
        description
          "If non-zero, require perfect forward secrecy
                        when requesting new SA. The non-zero value is
                        the required group number";
      }
    }  // grouping phase2-info

    grouping local-grouping {
      description
        "Configure the local peer in an IKE connection";
      container local {
        description "Local container";
        choice my-identifier-type {
          default 'ipv4';
          description "Local ID type";
          leaf ipv4 {
            type inet:ipv4-address;
            description
              "IPv4 dotted-decimal address";
          }
          leaf ipv6 {
            type inet:ipv6-address;
            description
              "numerical IPv6 address";
          }
          leaf fqdn {
            type inet:domain-name;
            description
              "Fully Qualifed Domain name ";
          }
          leaf dn {
            type string;
            description "Domain name";
          }
          leaf user_fqdn {
            type string;
            description "User FQDN";
          }
        }  // choice my-identifier-type

        leaf my-identifier {
          type string;
          mandatory true;
          description
            "Local id used for authentication";
        }
      }  // container local
    }  // grouping local-grouping

    grouping remote-grouping {
      description
        "Configure the remote peer in an IKE connection";
      container remote {
        description "Remote container";
        choice my-identifier-type {
          default 'ipv4';
          description "Local ID type";
          leaf ipv4 {
            type inet:ipv4-address;
            description
              "IPv4 dotted-decimal address";
          }
          leaf ipv6 {
            type inet:ipv6-address;
            description
              "numerical IPv6 address";
          }
          leaf fqdn {
            type inet:domain-name;
            description
              "Fully Qualifed Domain name ";
          }
          leaf dn {
            type string;
            description "Domain name";
          }
          leaf user_fqdn {
            type string;
            description "User FQDN";
          }
        }  // choice my-identifier-type

        leaf my-identifier {
          type string;
          mandatory true;
          description
            "Local id used for authentication";
        }
      }  // container remote
    }  // grouping remote-grouping

    typedef sadb-msg-type {
      type enumeration {
        enum "sadb_reserved" {
          value 0;
          description "SADB_RESERVED";
        }
        enum "sadb_getspi" {
          value 1;
          description "SADB_GETSPI";
        }
        enum "sadb_update" {
          value 2;
          description "SADB_UPDATE";
        }
        enum "sadb_add" {
          value 3;
          description "SADB_ADD";
        }
        enum "sadb_delete" {
          value 4;
          description "SADB_DELETE";
        }
        enum "sadb_get" {
          value 5;
          description "SADB_GET";
        }
        enum "sadb_acquire" {
          value 6;
          description "SADB_ACQUIRE";
        }
        enum "sadb_register" {
          value 7;
          description "SADB_REGISTER";
        }
        enum "sadb_expire" {
          value 8;
          description "SADB_EXPIRE";
        }
        enum "sadb_flush" {
          value 9;
          description "SADB_FLUSH";
        }
        enum "sadb_dump" {
          value 10;
          description "SADB_DUMP";
        }
        enum "sadb_x_promisc" {
          value 11;
          description "SADB_X_PROMISC";
        }
        enum "sadb_x_pchange" {
          value 12;
          description "SADB_X_PCHANGE";
        }
        enum "sadb_max" {
          value 13;
          description "SADB_MAX";
        }
      }
      description
        "PF_KEY base message types";
    }

    typedef sadb-msg-satype {
      type enumeration {
        enum "sadb_satype_unspec" {
          value 0;
          description "SADB_SATYPE_UNSPEC";
        }
        enum "sadb_satype_ah" {
          value 1;
          description "SADB_SATYPE_AH";
        }
        enum "sadb_satype_esp" {
          value 2;
          description "SADB_SATYPE_ESP";
        }
        enum "sadb_satype_rsvp" {
          value 3;
          description "SADB_SATYPE_RSVP";
        }
        enum "sadb_satype_ospfv2" {
          value 4;
          description "SADB_SATYPE_OSPFv2";
        }
        enum "sadb_satype_ripv2" {
          value 5;
          description "SADB_SATYPE_RIPv2";
        }
        enum "sadb_satype_mip" {
          value 6;
          description "SADB_SATYPE_MIP";
        }
        enum "sadb_satype_max" {
          value 7;
          description "SADB_SATYPE_MAX";
        }
      }
      description
        "PF_KEY Security Association types";
    }

    grouping base-grouping {
      description
        "Configuration for the  message header format";
      list base-list {
        key "version";
        description
          "Configuration for a specific message header format";
        leaf version {
          type string;
          description
            "Version of PF_KEY (MUST be PF_KEY_V2)";
        }

        leaf msg_type {
          type sadb-msg-type;
          description
            "Identifies the type of message";
        }

        leaf msg_satype {
          type sadb-msg-satype;
          description
            "Defines the type of Security Association";
        }

        leaf msg_seq {
          type uint32;
          description
            "Sequence number of this message.";
        }
      }  // list base-list
    }  // grouping base-grouping

    grouping algorithm-grouping {
      description
        "List of supported authentication and encryptation algorithms";
      list algorithm-supported {
        description
          "List for a specific algorithm";
        container authentication {
          description
            "Authentication algorithm supported";
          leaf name {
            type integrity-algorithm-t;
            description
              "Name of authentication algorithm";
          }

          leaf ivlen {
            type uint8;
            description
              "Length of the initialization vector to be used for the algorithm";
          }

          leaf min-bits {
            type uint16;
            description
              "The minimun acceptable key length, in bits";
          }

          leaf max-bits {
            type uint16;
            description
              "The maximun acceptable key length, in bits";
          }
        }  // container authentication

        container encryption {
          description
            "Encryptation algorithm supported";
          leaf name {
            type encryption-algorithm-t;
            description
              "Name of encryption algorithm";
          }

          leaf ivlen {
            type uint8;
            description
              "Length of the initialization vector to be used for the algorithm";
          }

          leaf min-bits {
            type uint16;
            description
              "The minimun acceptable key length, in bits";
          }

          leaf max-bits {
            type uint16;
            description
              "The maximun acceptable key length, in bits";
          }
        }  // container encryption
      }  // list algorithm-supported
    }  // grouping algorithm-grouping

    container ietf-ipsec {
      description "Main IPsec container ";
      container ikev2 {
        if-feature case1;
        description "Configure the IKEv2";
        container ike-connection {
          description
            "IKE connections configuration";
          list ike-conn-entries {
            key "conn-name";
            description
              "IKE peer connetion information";
            leaf conn-name {
              type string;
              mandatory true;
              description
                "Name of IKE connection";
            }

            leaf autostartup {
              type type-autostartup;
              mandatory true;
              description
                "if True: automatically start tunnel at startup; else we do lazy tunnel setup based on trigger from datapath";
            }

            leaf nat-traversal {
              type boolean;
              default 'false';
              description
                "Enable/Disable NAT traversal";
            }

            container encap {
              when
                "../nat-traversal = 'true'";
              description
                "Encapsulation container";
              leaf espencap {
                type esp-encap;
                description
                  "ESP in TCP, ESP in UDP or ESP in TLS";
              }

              leaf sport {
                type inet:port-number;
                description
                  "Encapsulation source port";
              }

              leaf dport {
                type inet:port-number;
                description
                  "Encapsulation destination port";
              }

              leaf oaddr {
                type inet:ip-address;
                description
                  "Encapsulation Original Address ";
              }
            }  // container encap

            leaf version {
              type enumeration {
                enum "ikev2" {
                  value 2;
                  description
                    "IKE version 2";
                }
              }
              description "IKE version";
            }

            uses isakmp-proposal;

            uses local-grouping;

            uses remote-grouping;

            uses phase2-info;
          }  // list ike-conn-entries
        }  // container ike-connection
      }  // container ikev2

      container ipsec {
        description "Configuration IPsec";
        container spd {
          description
            "Configure the Security Policy Database (SPD)";
          list spd-entry {
            key "rule-number";
            ordered-by user;
            description
              "List of SPD entries";
            uses ipsec-policy-grouping;
          }  // list spd-entry
        }  // container spd

        container sad {
          if-feature case2;
          description
            "Configure the IPSec Security Association Database (SAD)";
          list sad-entry {
            key "spi";
            description
              "List of SAD entries";
            uses ipsec-sa-grouping;
          }  // list sad-entry
        }  // container sad

        container pad {
          if-feature case1;
          description
            "Configure Peer Authorization Database (PAD)";
          list pad-entries {
            key "pad-entry-id";
            ordered-by user;
            description
              "Peer Authorization Database (PAD)";
            leaf pad-entry-id {
              type uint64;
              description "SAD index. ";
            }

            uses identity-grouping;

            leaf pad-auth-protocol {
              type auth-protocol-type;
              description
                "IKEv1, IKEv2, KINK, etc. ";
            }

            uses auth-method-grouping;
          }  // list pad-entries
        }  // container pad
      }  // container ipsec
    }  // container ietf-ipsec

    rpc sadb_register {
      description
        "Allows netconf to register its key socket as able to acquire new security associations for the kernel";
      input {
        uses base-grouping;
      }

      output {
        uses base-grouping;

        uses algorithm-grouping;
      }
    }  // rpc sadb_register

    notification spdb_expire {
      description "A SPD entry has expired";
      leaf index {
        type uint64;
        description
          "SPD index. RFC4301 does not mention an index however real implementations (e.g. XFRM or PFKEY_v2 with KAME extensions provide a policy index to refer a policy. ";
      }
    }  // notification spdb_expire

    notification sadb_acquire {
      description "A IPsec SA is required ";
      leaf state {
        type uint32;
        mandatory true;
        description
          "Request the creation of a SADB entry";
      }
    }  // notification sadb_acquire

    notification sadb_expire {
      description ".....";
      leaf state {
        type uint32;
        mandatory true;
        description
          "Notify the expiration of a entry in the SADB";
      }
    }  // notification sadb_expire

    notification sadb_bad-spi {
      description ".....";
      leaf state {
        type ipsec-spi;
        mandatory true;
        description "Notify when a SPI";
      }
    }  // notification sadb_bad-spi
  }  // module ietf-ipsec