module ietf-ipsec { namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec"; prefix "eipsec"; import ietf-inet-types { prefix inet; } import ietf-yang-types { prefix yang; } organization "University of Murcia"; contact " Rafael Marin Lopez Dept. Information and Communications Engineering (DIIC) Faculty of Computer Science-University of Murcia 30100 Murcia - Spain Telf: +34868888501 e-mail: rafa@um.es Gabriel Lopez Millan Dept. Information and Communications Engineering (DIIC) Faculty of Computer Science-University of Murcia 30100 Murcia - Spain Tel: +34 868888504 email: gabilm@um.es "; description "Data model for IPSec"; revision "2017-05-02" { description "Initial revision."; reference ""; } feature case1 { description "feature case 1: IKE SPD PAD"; } // IKE/IPSec in the NSFs feature case2 { description "feature case 2: SPD SAD"; } // Only IPSec in the NSFs typedef encryption-algorithm-t { type enumeration { enum reserved-0 {description "reserved";} enum des-iv4 { description "DES IV 4";} enum des { description "DES"; } enum 3des { description "3DES"; } enum rc5 { description "RC5"; } enum idea { description "IDEA"; } enum cast { description "CAST"; } enum blowfish { description "BlowFish"; } enum 3idea { description "3IDEA"; } enum des-iv32 { description "DES-IV32"; } enum reserved-10 { description "reserved-10"; } enum null { description "NULL"; } enum aes-cbc { description "AES-CBC"; } enum aes-ctr { description "AES-CTR"; } enum aes-ccm-8 { description "AES-CCM-8"; } enum aes-ccm-12 { description "AES-CCM-12"; } enum aes-ccm-16 { description "AES-CCM-16"; } enum reserved-17 { description "reserved-17"; } enum aes-gcm-8-icv { description "AES-GCM-8-ICV"; } enum aes-gcm-12-icv { description "AES-GCM-12-ICV"; } enum aes-gcm-16-icv { description "AES-GCM-16-ICV"; } enum null-auth-aes-gmac { description "Null-Auth-AES-GMAC"; } enum ieee-p1619-xts-aes { description "encr-ieee-p1619-xts-aes -> Reserved for IEEE P1619 XTS-AES."; } enum camellia-cbc { description "CAMELLIA-CBC"; } enum camellia-ctr { description "CAMELLIA.CTR"; } enum camellia-ccm-8-icv { description "CAMELLIA-CCM-8-ICV"; } enum camellia-ccm-12-icv { description "CAMELLIA-CCM-12-ICV"; } enum camellia-ccm-16-icv { description "CAMELLIA-CCM-16-ICV"; } enum aes-cbc-128 { description "AES-CBC-128"; } enum aes-cbc-192 { description "AES-CBC-192"; } enum aes-cbc-256 { description "AES-CBC-256"; } enum blowfish-128 { description "BlowFish-128"; } enum blowfish-192 { description "BlowFish-192"; } enum blowfish-256 { description "BlowFish-256"; } enum blowfish-448 { description "BlowFish-448"; } enum camellia-128 { description "CAMELLIA-128"; } enum camellia-192 { description "CAMELLIA-192"; } enum camellia-256 { description "CAMELLIA-256"; } enum AES-GCM-16-ICV { description "AES-GCM-16-ICV (AEAD)"; } enum AES-CCM { description "AES-CCM (AEAD)"; } } description "Encryption algorithms -> RFC_5996"; } typedef integrity-algorithm-t { type enumeration { enum none { description "NONE"; } enum hmac-md5-96 { description "HMAC-MD5-96"; } enum hmac-sha1-96 { description "HMAC-SHA1-96"; } enum des-mac { description "DES-MAC"; } enum kpdk-md5 {description "KPDK-MD5"; } enum aes-xcbc-96 { description "AES-XCBC-96"; } enum hmac-md5-128 { description "HMAC-MD5-128"; } enum hmac-sha1-160 { description "HMAC-SHA1-160"; } enum aes-cmac-96 { description "AES-CMAC-96"; } enum aes-128-gmac { description "AES-128-GMAC"; } enum aes-192-gmac { description "AES-192-GMAC"; } enum aes-256-gmac { description "AES-256-GMAC"; } enum hmac-sha2-256-128 { description "HMAC-SHA2-256-128"; } enum hmac-sha2-384-192 { description "HMAC-SHA2-384-192"; } enum hmac-sha2-512-256 { description "HMAC-SHA2-512-256"; } enum hmac-sha2-256-96 { description "HMAC-SHA2-256-096"; } } description "Integrity Algorithms -> RFC_5996"; } typedef type-autostartup { type enumeration { enum ALWAYSON { description " ";} enum INITIATE-ON-DEMAND {description " ";} enum RESPOND-ONLY {description " ";} } description "Different types of how IKEv2 starts the IPsec SAs"; } typedef auth-protocol-type { type enumeration { enum IKEv1 { // not supported by model description "Authentication protocol based on IKEv1"; } enum IKEv2 { description "Authentication protocol based on IKEv2"; } enum KINK { // not supported by model description "Authentication protocol based on KINK"; } } description "Peer authentication protocols"; } typedef ipsec-mode { type enumeration { enum TRANSPORT { description "Transport mode"; } enum TUNNEL { description "Tunnel mode"; } enum BEET { description "Bound End-to-End Tunnel (BEET) mode for ESP.";} enum RO { description "Route Optimization mode for Mobile IPv6";} enum IN_TRIGGER {description "In trigger mode for Mobile IPv6";} } description "type define of ipsec mode"; } typedef esp-encap { type enumeration { enum ESPINTCP { description "ESP in TCP encapulation.";} enum ESPINTLS { description "ESP in TCP encapsulation using TLS.";} enum ESPINUDP { description "ESP in UDP encapsulation. RFC 3948 ";} } description "type defining types of ESP encapsulation"; } typedef ipsec-protocol { type enumeration { enum ah { description "AH Protocol"; } enum esp { description "ESP Protocol"; } enum comp { description "IP Compression";} /*Supported by XFRM*/ enum route2 { description "Routing Header type 2. Mobile IPv6";} /*Supported by XFRM*/ enum hao {description "Home Agent Option";} /*Supported by XFRM*/ } description "type define of ipsec security protocol"; } typedef ipsec-spi { type uint32 { range "1..max"; } description "SPI"; } typedef lifetime-action { type enumeration { enum terminate {description "Terminate the IPsec SA";} enum replace {description "Replace the IPsec SA with a new one";} } description "Action when lifetime expiration"; } typedef ipsec-traffic-direction { type enumeration { enum INBOUND { description "Inbound traffic"; } enum OUTBOUND { description "Outbound traffic"; } enum FORWARD{ description "Forwarded traffic"; } } description "IPsec traffic direction"; } typedef ipsec-spd-operation { type enumeration { enum PROTECT { description "PROTECT the traffic with IPsec"; } enum BYPASS { description "BYPASS the traffic"; } enum DISCARD { description "DISCARD the traffic"; } } description "The operation when traffic matches IPsec security policy"; } typedef ipsec-next-layer-proto { type enumeration { enum TCP { description "PROTECT the traffic with IPsec"; } enum UDP { description "BYPASS the traffic"; } enum SCTP { description "PROTECT the traffic with IPsec";} enum DCCP { description "PROTECT the traffic with IPsec";} enum ICMP { description "PROTECT the traffic with IPsec";} enum IPv6-ICMP { description "PROTECT the traffic with IPsec";} enum MH {description "PROTECT the traffic with IPsec";} enum GRE {description "PROTECT the traffic with IPsec";} } description "Next layer proto on top of IP"; } typedef ipsec-spd-name { type enumeration { enum id_rfc_822_addr { description "Fully qualified user name string."; } enum id_fqdn { description "Fully qualified DNS name."; } enum id_der_asn1_dn { description "X.500 distinguished name."; } enum id_key { description "IKEv2 Key ID."; } } description "IPsec SPD name type"; } typedef auth-method-type { /* Most implementations also provide XAUTH protocol, others used are: BLISS, P12, NTLM, PIN */ type enumeration { enum pre-shared { description "Select pre-shared key message as the authentication method"; } enum rsa-signature { description "Select rsa digital signature as the authentication method"; } enum dss-signature { description "Select dss digital signature as the authentication method"; } enum eap { description "Select EAP as the authentication method"; } } description "Peer authentication method"; } /*################## PAD grouping ####################*/ grouping auth-method-grouping { description "Peer authentication method data"; container auth-method { description "Peer authentication method container"; leaf auth-m { type auth-method-type; description "Type of authentication method (preshared, rsa, etc.)"; } container pre-shared { when "../auth-m = 'pre-shared'"; leaf secret { type string; description "Pre-shared secret value";} description "Shared secret value"; } container rsa-signature { when "../auth-m = 'rsa-signature'"; leaf key-data { type string; description "RSA private key data - PEM"; } leaf key-file { type string; description "RSA private key file name "; } leaf-list ca-data { type string; description "List of trusted CA certs - PEM"; } leaf ca-file { type string; description "List of trusted CA certs file"; } leaf cert-data { type string; description "X.509 certificate data - PEM4"; } leaf cert-file { type string; description "X.509 certificate file"; } leaf crl-data { type string; description "X.509 CRL certificate data in base64"; } leaf crl-file { type string; description " X.509 CRL certificate file"; } description "RSA signature container"; } } } grouping identity-grouping { description "Identification type. It is an union identity"; choice identity { description "Choice of identity."; leaf ipv4-address { type inet:ipv4-address; description "Specifies the identity as a single four (4) octet IPv4 address. An example is, 10.10.10.10. "; } leaf ipv6-address { type inet:ipv6-address; description "Specifies the identity as a single sixteen (16) octet IPv6 address. An example is FF01::101, 2001:DB8:0:0:8:800:200C:417A ."; } leaf fqdn-string { type inet:domain-name; description "Specifies the identity as a Fully-Qualified Domain Name (FQDN) string. An example is: example.com. The string MUST not contain any terminators (e.g., NULL, CR, etc.)."; } leaf rfc822-address-string { type string; description "Specifies the identity as a fully-qualified RFC822 email address string. An example is, jsmith@example.com. The string MUST not contain any terminators (e.g., NULL, CR, etc.)."; } leaf dnX509 { type string; description "Specifies the identity as a distinguished name in the X.509 tradition."; } leaf id_key { type string; description "Key id"; } /* From RFC4301 list of id types */ } } /* grouping identity-grouping */ /*################ end PAD grouping ##################*/ /*################## SAD and SPD grouping ####################*/ grouping ip-addr-range { description "IP address range grouping"; leaf start { type inet:ip-address; description "Start IP address"; } leaf end { type inet:ip-address; description "End IP address"; } } grouping port-range { description "Port range grouping"; leaf start { type inet:port-number; description "Start IP address"; } leaf end { type inet:port-number; description "End IP address"; } } grouping tunnel-grouping { description "Tunnel mode grouping"; leaf local{ type inet:ip-address; description "Local tunnel endpoint"; } leaf remote{ type inet:ip-address; description "Remote tunnel enpoint"; } leaf bypass-df { type boolean; description "bypass DF bit"; } leaf bypass-dscp { type boolean; description "bypass DSCP"; } leaf dscp-mapping { type yang:hex-string; description "DSCP mapping"; } leaf ecn { type boolean; description "Bit ECN"; } /* RFC 4301 ASN1 notation. Annex C*/ } grouping selector-grouping { description "Traffic selector grouping"; list local-addresses { key "start end"; uses ip-addr-range; description "List of local addresses"; } list remote-addresses { key "start end"; uses ip-addr-range; description "List of remote addresses"; } leaf-list next-layer-protocol { type ipsec-next-layer-proto; description "List of Next Layer Protocol";} list local-ports { key "start end"; uses port-range; description "List of local ports"; } list remote-ports { key "start end"; uses port-range; description "List of remote ports"; } } /*################## SAD grouping ####################*/ grouping ipsec-sa-grouping { description "Configure Security Association (SA). Section 4.4.2.1 in RFC 4301"; leaf spi { type ipsec-spi; description "Security Parameter Index";} leaf seq-number { type uint64; description "Current sequence number of IPsec packet."; } leaf seq-number-overflow-flag { type boolean; description "The flag indicating whether overflow of the sequence number counter should prevent transmission of additional packets on the SA, or whether rollover is permitted."; } leaf anti-replay-window { type uint16 { range "0 | 32..1024"; } description "Anti replay window"; } leaf rule-number {type uint32; description "This value links the SA with the SPD entry";} uses selector-grouping; leaf security-protocol { type ipsec-protocol; description "Security protocol of IPsec SA: Either AH or ESP."; } container ah-sa { when "../security-protocol = 'ah'"; description "Configure Authentication Header (AH) for SA"; container integrity { description "Configure integrity for IPSec Authentication Header (AH)"; leaf integrity-algorithm { type integrity-algorithm-t; description "Configure Authentication Header (AH)."; } leaf key { type string; description "AH key value";} } } container esp-sa { when "../security-protocol = 'esp'"; description "Set IPSec Encapsulation Security Payload (ESP)"; container encryption { description "Configure encryption for IPSec Encapsulation Secutiry Payload (ESP)"; leaf encryption-algorithm { type encryption-algorithm-t; description "Configure ESP encryption"; } leaf key { type string; description "ESP encryption key value";} leaf iv {type string; description "ESP encryption IV value"; } } container integrity { description "Configure authentication for IPSec Encapsulation Secutiry Payload (ESP)"; leaf integrity-algorithm { type integrity-algorithm-t; description "Configure Authentication Header (AH)."; } leaf key { type string; description "ESP integrity key value";} } leaf combined-enc-intr { type boolean; description "ESP combined mode algorithms. The algorithm is specified in encryption-algorithm in the container encryption";} } container sa-lifetime { description "This may be expressed as a time or byte count, or a simultaneous use of both with the first lifetime to expire taking precedence"; leaf time-soft { type uint32; default 0; description "Soft time lifetime";} leaf time-hard { type uint32; default 0; description "Hard time lifetime"; } leaf time-use-soft { type uint32; default 0; description "Use Soft time lifetime";} leaf time-use-hard { type uint32; default 0; description "Use Hard time lifetime";} leaf byte-soft { type uint32; default 0;description "Byte soft lifetime"; } leaf byte-hard { type uint32; default 0; description "Byte hard lifetime";} leaf packet-soft {type uint32; default 0; description "Packet soft lifetime";} leaf packet-hard { type uint32; default 0; description "Packet hard lifetime";} leaf action {type lifetime-action; description "action lifetime";} } leaf mode { type ipsec-mode; description "SA Mode"; } leaf statefulfragCheck { type boolean; description "TRUE stateful fragment checking, FALSE no stateful fragment checking"; } leaf dscp { type yang:hex-string; description "DSCP value"; } container tunnel { when "../mode = 'TUNNEL'"; uses tunnel-grouping; description "Container for tunnel grouping"; } leaf path-mtu { type uint16; description "Maximum size of an IPsec packet that can be transmitted without fragmentation"; } container encap { /* This is defined by XFRM */ description "Encapsulation container"; leaf espencap { type esp-encap; description "ESP in TCP, ESP in UDP or ESP in TLS";} leaf sport {type inet:port-number; description "Encapsulation source port";} leaf dport {type inet:port-number; description "Encapsulation destination port"; } leaf oaddr {type inet:ip-address; description "Encapsulation Original Address ";} } } /*################## end SAD grouping ##################*/ /*################## SPD grouping ####################*/ grouping ipsec-policy-grouping { description "Holds configuration information for an IPSec SPD entry."; leaf rule-number { type uint64; description "SPD index. RFC4301 does not mention an index however real implementations provide a policy index/or id to refer a policy. "; } leaf priority {type uint32; default 0; description "Policy priority";} list names { key "name"; leaf name-type { type ipsec-spd-name; description "SPD name type."; } leaf name { type string; description "Policy name"; } description "List of policy names"; } container condition { description "SPD condition -> RFC4301"; list traffic-selector-list { key "ts-number"; leaf ts-number { type uint32; description "Traffic selector number"; } leaf direction { type ipsec-traffic-direction; description "in/fwd/out"; } uses selector-grouping; leaf selector-priority {type uint32; default 0; description "It establishes a priority to the traffic selector";} ordered-by user; description "List of traffic selectors"; } } container processing-info { description "SPD processing -> RFC4301"; leaf action{ type ipsec-spd-operation; mandatory true; description "If the action is bypass or discard processing container ipsec-sa-cfg is empty";} container ipsec-sa-cfg { when "../action = 'PROTECT'"; leaf pfp-flag { type boolean; description "Each selector has with a pfp flag."; } leaf extSeqNum { type boolean; description "TRUE 64 bit counter, FALSE 32 bit"; } leaf seqOverflow { type boolean; description "TRUE rekey, FALSE terminare & audit"; } leaf statefulfragCheck { type boolean; description "TRUE stateful fragment checking, FALSE no stateful fragment checking"; } leaf security-protocol { type ipsec-protocol; description "Security protocol of IPsec SA: Either AH or ESP."; } leaf mode { type ipsec-mode; description "transport/tunnel"; } container ah-algorithms { when "../security-protocol = 'ah'"; leaf-list ah-algorithm { type integrity-algorithm-t; description "Configure Authentication Header (AH)."; } description "AH algoritms "; } container esp-algorithms { when "../security-protocol = 'esp'"; description "Configure Encapsulating Security Payload (ESP)."; leaf-list authentication { type integrity-algorithm-t; description "Configure ESP authentication"; } leaf-list encryption { type encryption-algorithm-t; description "Configure ESP encryption"; } } container tunnel { when "../mode = 'TUNNEL'"; uses tunnel-grouping; description "tunnel grouping container"; } description " IPSec SA configuration container"; } } container spd-lifetime { description "SPD lifetime parameters"; leaf time-soft { type uint32; default 0; description "Soft time lifetime";} leaf time-hard { type uint32; default 0; description "Hard time lifetime";} leaf time-use-soft { type uint32; default 0; description "Use soft lifetime";} leaf time-use-hard { type uint32; default 0; description "Use hard lifetime";} leaf byte-soft { type uint32; default 0; description "Byte soft lifetime";} leaf byte-hard { type uint32; default 0; description "Hard soft lifetime";} leaf packet-soft {type uint32; default 0; description "Packet soft lifetime";} leaf packet-hard { type uint32; default 0; description "Packet hard lifetime";} } }/* grouping ipsec-policy-grouping */ /*################ end SPD grouping ##################*/ /*################## IKEv2-grouping ##################*/ grouping isakmp-proposal { description "ISAKMP proposal grouping"; leaf phase1-lifetime { type uint32; mandatory true; description "lifetime for IKE Phase 1 SAs"; } leaf-list phase1-authalg { type integrity-algorithm-t; description "Auth algorigthm for IKE Phase 1 SAs"; } leaf-list phase1-encalg { type encryption-algorithm-t; description "Auth algorigthm for IKE Phase 1 SAs"; } leaf combined-enc-intr { type boolean; description "Combined mode algorithms (encryption and integrity).";} leaf dh_group { type uint32; mandatory true; description "Group number for Diffie Hellman Exponentiation"; } } /* list isakmp-proposal */ grouping phase2-info { description "IKE Phase 2 Information"; leaf-list pfs_group { type uint32; description "If non-zero, require perfect forward secrecy when requesting new SA. The non-zero value is the required group number"; } } grouping local-grouping { description "Configure the local peer in an IKE connection"; container local { description "Local container"; choice my-identifier-type { default ipv4; case ipv4 { leaf ipv4 { type inet:ipv4-address; description "IPv4 dotted-decimal address"; } } case ipv6 { leaf ipv6 { type inet:ipv6-address; description "numerical IPv6 address"; } } case fqdn { leaf fqdn { type inet:domain-name; description "Fully Qualifed Domain name "; } } case dn { leaf dn { type string; description "Domain name"; } } case user_fqdn { leaf user_fqdn { type string; description "User FQDN"; } } description "Local ID type"; } leaf my-identifier { type string; mandatory true; description "Local id used for authentication"; } } } grouping remote-grouping { description "Configure the remote peer in an IKE connection"; container remote { description "Remote container"; choice my-identifier-type { default ipv4; case ipv4 { leaf ipv4 { type inet:ipv4-address; description "IPv4 dotted-decimal address"; } } case ipv6 { leaf ipv6 { type inet:ipv6-address; description "numerical IPv6 address"; } } case fqdn { leaf fqdn { type inet:domain-name; description "Fully Qualifed Domain name "; } } case dn { leaf dn { type string; description "Domain name"; } } case user_fqdn { leaf user_fqdn { type string; description "User FQDN"; } } description "Local ID type"; } leaf my-identifier { type string; mandatory true; description "Local id used for authentication"; } } } /*################## End IKEv2-groupingUMU ##################*/ /*################# Register grouping #################*/ typedef sadb-msg-type { type enumeration { enum sadb_reserved { description "SADB_RESERVED";} enum sadb_getspi { description "SADB_GETSPI";} enum sadb_update { description "SADB_UPDATE";} enum sadb_add { description "SADB_ADD";} enum sadb_delete { description "SADB_DELETE"; } enum sadb_get { description "SADB_GET"; } enum sadb_acquire { description "SADB_ACQUIRE"; } enum sadb_register { description "SADB_REGISTER"; } enum sadb_expire { description "SADB_EXPIRE"; } enum sadb_flush { description "SADB_FLUSH"; } enum sadb_dump { description "SADB_DUMP"; } enum sadb_x_promisc { description "SADB_X_PROMISC"; } enum sadb_x_pchange { description "SADB_X_PCHANGE"; } enum sadb_max{ description "SADB_MAX"; } } description "PF_KEY base message types"; } typedef sadb-msg-satype { type enumeration { enum sadb_satype_unspec { description "SADB_SATYPE_UNSPEC"; } enum sadb_satype_ah { description "SADB_SATYPE_AH"; } enum sadb_satype_esp { description "SADB_SATYPE_ESP"; } enum sadb_satype_rsvp { description "SADB_SATYPE_RSVP"; } enum sadb_satype_ospfv2 { description "SADB_SATYPE_OSPFv2"; } enum sadb_satype_ripv2 { description "SADB_SATYPE_RIPv2"; } enum sadb_satype_mip { description "SADB_SATYPE_MIP"; } enum sadb_satype_max { description "SADB_SATYPE_MAX"; } } description "PF_KEY Security Association types"; } grouping base-grouping { description "Configuration for the message header format"; list base-list { key "version"; leaf version { type string; description "Version of PF_KEY (MUST be PF_KEY_V2)"; } leaf msg_type { type sadb-msg-type; description "Identifies the type of message"; } leaf msg_satype { type sadb-msg-satype; description "Defines the type of Security Association"; } leaf msg_seq { type uint32; description "Sequence number of this message."; } description "Configuration for a specific message header format"; } } grouping algorithm-grouping { description "List of supported authentication and encryptation algorithms"; list algorithm-supported{ container authentication { description "Authentication algorithm supported"; leaf name { type integrity-algorithm-t; description "Name of authentication algorithm"; } leaf ivlen { type uint8; description "Length of the initialization vector to be used for the algorithm"; } leaf min-bits { type uint16; description "The minimun acceptable key length, in bits"; } leaf max-bits { type uint16; description "The maximun acceptable key length, in bits"; } } container encryption { description "Encryptation algorithm supported"; leaf name { type encryption-algorithm-t; description "Name of encryption algorithm"; } leaf ivlen { type uint8; description "Length of the initialization vector to be used for the algorithm"; } leaf min-bits { type uint16; description "The minimun acceptable key length, in bits"; } leaf max-bits { type uint16; description "The maximun acceptable key length, in bits"; } } description "List for a specific algorithm"; } } /*################# End Register grouping #################*/ /*################## ipsec ##################*/ container ietf-ipsec { description "Main IPsec container "; container ikev2 { if-feature case1; description "Configure the IKEv2"; container ike-connection { description "IKE connections configuration"; list ike-conn-entries { key "conn-name"; description "IKE peer connetion information"; leaf conn-name { type string; mandatory true; description "Name of IKE connection"; } leaf autostartup { type type-autostartup; mandatory true; description "if True: automatically start tunnel at startup; else we do lazy tunnel setup based on trigger from datapath"; } leaf nat-traversal { type boolean; default false; description "Enable/Disable NAT traversal"; } container encap { when "../nat-traversal = 'true'"; description "Encapsulation container"; leaf espencap { type esp-encap; description "ESP in TCP, ESP in UDP or ESP in TLS";} leaf sport {type inet:port-number; description "Encapsulation source port";} leaf dport {type inet:port-number; description "Encapsulation destination port"; } leaf oaddr {type inet:ip-address; description "Encapsulation Original Address ";} } leaf version { type enumeration { /* we only support ikev2 in this version */ enum ikev2 {value 2; description "IKE version 2";} } description "IKE version"; } uses isakmp-proposal; uses local-grouping; uses remote-grouping; uses phase2-info; } /* ike-conn-entries */ } /* container ike-connection */ } /* container ikev2 */ container ipsec { description "Configuration IPsec"; container spd { description "Configure the Security Policy Database (SPD)"; list spd-entry { key "rule-number"; uses ipsec-policy-grouping; ordered-by user; description "List of SPD entries"; } } container sad { if-feature case2; description "Configure the IPSec Security Association Database (SAD)"; list sad-entry { key "spi"; uses ipsec-sa-grouping; description "List of SAD entries"; } } container pad { if-feature case1; description "Configure Peer Authorization Database (PAD)"; list pad-entries { key "pad-entry-id"; ordered-by user; description "Peer Authorization Database (PAD)"; leaf pad-entry-id { type uint64; description "SAD index. "; } uses identity-grouping; leaf pad-auth-protocol { type auth-protocol-type; description "IKEv1, IKEv2, KINK, etc. "; } uses auth-method-grouping; } } } } /* container ietf-ipsec */ /*########## State Data ############*/ // TBD /*################## RPC and Notifications ##################*/ /* Note: not yet completed */ // Those RPCs are needed by a Security Controller in case 2 */ rpc sadb_register { description "Allows netconf to register its key socket as able to acquire new security associations for the kernel"; input { uses base-grouping; } output { uses base-grouping; uses algorithm-grouping; } } notification spdb_expire { description "A SPD entry has expired"; leaf index { type uint64; description "SPD index. RFC4301 does not mention an index however real implementations (e.g. XFRM or PFKEY_v2 with KAME extensions provide a policy index to refer a policy. "; } } notification sadb_acquire { description "A IPsec SA is required "; leaf state { type uint32; mandatory "true"; description "Request the creation of a SADB entry"; } } notification sadb_expire { description "....."; leaf state { type uint32; mandatory "true"; description "Notify the expiration of a entry in the SADB"; } } notification sadb_bad-spi { description "....."; leaf state { type ipsec-spi; mandatory "true"; description "Notify when a SPI"; } } } /*module ietf-ipsec*/