This module contains a collection of YANG definitions for crypto operational data. Copyright (c) 2017-2021 by Cisco Systems, Inc...
Version: 2021-03-01
module Cisco-IOS-XE-crypto-oper { yang-version 1; namespace "http://cisco.com/ns/yang/Cisco-IOS-XE-crypto-oper"; prefix crypto-ios-xe-oper; import ietf-inet-types { prefix inet; } import ietf-yang-types { prefix yang; } import cisco-semver { prefix cisco-semver; } organization "Cisco Systems, Inc."; contact "Cisco Systems, Inc. Customer Service Postal: 170 W Tasman Drive San Jose, CA 95134 Tel: +1 1800 553-NETS E-mail: cs-yang@cisco.com"; description "This module contains a collection of YANG definitions for crypto operational data. Copyright (c) 2017-2021 by Cisco Systems, Inc. All rights reserved."; revision "2021-03-01" { description "- Added Crypto Group Domain of Interpretation operational data - Re-arranged crypto GDOI elements in lexicographical order - Added SA tracking and IPSEC registration information"; reference "1.3.0"; } revision "2020-07-01" { description "- Added IPSEC policy statistics"; reference "1.2.0"; } revision "2019-05-01" { description "- Added info for Crypto Export Restrictions. - Added semantic version"; reference "1.1.0"; } revision "2018-12-18" { description "Initial revision"; reference "1.0.0"; } cisco-semver:module-version "1.3.0"; cisco-semver:module-version "1.2.0"; cisco-semver:module-version "1.1.0"; cisco-semver:module-version "1.0.0"; typedef crypto-dir-type { type enumeration { enum "crypto-dir-inbound" { value 0; description "Inbound direction"; } enum "crypto-dir-outbound" { value 1; description "Outbound direction"; } } description "Traffic direction"; } typedef crypto-prot-type { type enumeration { enum "crypto-prot-esp" { value 0; description "ESP protocol"; } enum "crypto-prot-ah" { value 1; description "AH protocol"; } enum "crypto-prot-pcp" { value 2; description "PCP protocol"; } } description "Crypto Protocol Type"; } typedef crypto-dh-group-type { type enumeration { enum "crypto-dh-grouptype-none" { value 0; description "No DH Group"; } enum "crypto-dh-grouptype-group1" { value 1; description "DH group 1"; } enum "crypto-dh-grouptype-group2" { value 2; description "DH group 2"; } enum "crypto-dh-grouptype-group3" { value 3; description "DH group 3"; } enum "crypto-dh-grouptype-group4" { value 4; description "DH group 4"; } enum "crypto-dh-grouptype-group5" { value 5; description "DH group 5"; } enum "crypto-dh-grouptype-group14" { value 6; description "DH group 14"; } enum "crypto-dh-grouptype-group15" { value 7; description "DH group 15"; } enum "crypto-dh-grouptype-group16" { value 8; description "DH group 16"; } enum "crypto-dh-grouptype-group19" { value 9; description "DH group 19"; } enum "crypto-dh-grouptype-group20" { value 10; description "DH group 20"; } enum "crypto-dh-grouptype-group21" { value 11; description "DH group 21"; } enum "crypto-dh-grouptype-group24" { value 12; description "DH group 24"; } } description "DH group type"; } typedef crypto-sa-status { type enumeration { enum "crypto-ipsec-sa-status-down" { value 0; description "IPSEC SA is down"; } enum "crypto-sa-status-active" { value 1; description "SA is active"; } enum "crypto-sa-status-standby" { value 2; description "SA is standby"; } enum "crypto-sa-status-pending" { value 3; description "SA is pending"; } } description "SA status"; } typedef crypto-hash-alg { type enumeration { enum "crypto-hash-alg-auth-none" { value 0; description "No Hash"; } enum "crypto-hash-alg-auth-hmac-md5-96" { value 1; description "Hash hmac md5"; } enum "crypto-hash-alg-auth-hmac-sha1-96" { value 2; description "Hash hmac sha1 96"; } enum "crypto-hash-alg-auth-hmac-des" { value 3; description "Hash hmac des"; } enum "crypto-hash-alg-auth-kpdk-md5" { value 4; description "Hash hmac kpdk md5"; } enum "crypto-hash-alg-auth-hmac-aes-xcbc-96" { value 5; description "Hash hmac aes xcbc 96"; } enum "crypto-hash-alg-auth-hmac-sha256" { value 6; description "Hash hmac sha256"; } enum "crypto-hash-alg-auth-hmac-sha384" { value 7; description "Hash hmac sha384"; } enum "crypto-hash-alg-auth-hmac-sha512" { value 8; description "Hash hmac sha512"; } } description "HASH algorithm"; } typedef crypto-auth-method { type enumeration { enum "crypto-auth-no-method" { value 0; description "IKEV2 No Authentication Method"; } enum "crypto-ikev2-auth-rsa-sig" { value 1; description "IKEv2 Authentication type RSA-SIG"; } enum "crypto-ikev2-auth-psk" { value 2; description "IKEv2 Authentication type PSK"; } enum "crypto-ikev2-auth-dss" { value 3; description "IKEv2 Authentication type DSS"; } enum "crypto-ikev2-auth-ecdsa-256" { value 4; description "IKEv2 Authentication type ECDSA 256"; } enum "crypto-ikev2-auth-ecdsa-384" { value 5; description "IKEv2 Authentication type ECDSA 384"; } enum "crypto-ikev2-auth-anyconnect-eap" { value 6; description "IKEv2 Authentication type AnyConnect EAP"; } enum "crypto-ikev2-auth-eap" { value 7; description "IKEv2 Authentication type EAP"; } } description "IKEv2 Authentication Method"; } typedef crypto-encryption-alg { type enumeration { enum "crypto-encr-alg-none" { value 0; description "No Encryption"; } enum "crypto-encr-alg-des-iv64" { value 1; description "Encryption DES IV64"; } enum "crypto-encr-alg-des" { value 2; description "Encryption DES"; } enum "crypto-encr-alg-3des" { value 3; description "Encryption 3DES"; } enum "crypto-encr-alg-rc5" { value 4; description "Encryption RC5"; } enum "crypto-encr-alg-idea" { value 5; description "Encryption IDEA"; } enum "crypto-encr-alg-cast" { value 6; description "Encryption CAST"; } enum "crypto-encr-alg-blowfish" { value 7; description "Encryption BLOWFISH"; } enum "crypto-encr-alg-3idea" { value 8; description "Encryption 3IDEA"; } enum "crypto-encr-alg-iv32" { value 9; description "Encryption IV32"; } enum "crypto-encr-alg-rc4" { value 10; description "Encryption RC4"; } enum "crypto-encr-alg-null" { value 11; description "Encryption Null"; } enum "crypto-encr-alg-aes-cbc" { value 12; description "Encryption AES CBC"; } enum "crypto-encr-alg-aes-ctr" { value 13; description "Encryption AES CTR"; } enum "crypto-encr-alg-aes-gcm" { value 14; description "Encryption AES GCM"; } enum "crypto-encr-alg-aes-gmac" { value 15; description "Encryption AES GMAC"; } } description "Encryption algorithm"; } typedef crypto-policy-notify-type { type enumeration { enum "crypto-notify-rp" { value 0; description "Notify RP"; } enum "crypto-notify-sa-dead" { value 1; description "SA dead"; } enum "crypto-notify-sa-soft-lifetime" { value 2; description "SA soft lifetime"; } enum "crypto-notify-idle-timer" { value 3; description "Idle timer"; } enum "crypto-notify-dpd-timer" { value 4; description "Dead peer detection timer"; } enum "crypto-notify-invalid-spi" { value 5; description "Invalid SPI"; } } description "Crypto policy notification types"; } typedef crypto-policy-cmd-type { type enumeration { enum "crypto-cmd-sadb-init-start" { value 0; description "SA database initialization"; } enum "crypto-cmd-sadb-init-complete" { value 1; description "SA database init complete"; } enum "crypto-cmd-sadb-delete" { value 2; description "SA database deletion"; } enum "crypto-cmd-sadb-attr-update" { value 3; description "SA database attr update"; } enum "crypto-cmd-sadb-intf-attach" { value 4; description "SA database interface attach"; } enum "crypto-cmd-sadb-intf-update" { value 5; description "SA database interface update"; } enum "crypto-cmd-sadb-intf-detach" { value 6; description "SA database interface detach"; } enum "crypto-cmd-acl-insert" { value 7; description "ACL insert"; } enum "crypto-cmd-acl-modify" { value 8; description "ACL modify"; } enum "crypto-cmd-acl-delete" { value 9; description "ACL delete"; } enum "crypto-cmd-peer-insert" { value 10; description "Peer insert"; } enum "crypto-cmd-peer-delete" { value 11; description "Peer delete"; } enum "crypto-cmd-spi-insert" { value 12; description "SPI insert"; } enum "crypto-cmd-spi-delete" { value 13; description "SPI delete"; } enum "crypto-cmd-cflow-insert" { value 14; description "Outbound flow insert"; } enum "crypto-cmd-cflow-modify" { value 15; description "Outbound flow modify"; } enum "crypto-cmd-cflow-delete" { value 16; description "Outbound flow delete"; } enum "crypto-cmd-ipsec-sa-delete" { value 17; description "IPSEC SA delete"; } enum "crypto-cmd-tbar-create" { value 18; description "Time based anti replay create"; } enum "crypto-cmd-tbar-update" { value 19; description "Time based anti replay update"; } enum "crypto-cmd-tbar-remove" { value 20; description "Time based anti replay remove"; } } description "Crypto policy command types"; } typedef crypto-policy-dbase-type { type enumeration { enum "crypto-policy-db-pal-sadb" { value 0; description "PAL SA database"; } enum "crypto-policy-db-pal-sadb-id" { value 1; description "PAL SA ID database"; } enum "crypto-policy-db-pal-intf" { value 2; description "PAL interface database"; } enum "crypto-policy-db-pal-sa-id" { value 3; description "PAL SA ID database"; } enum "crypto-policy-db-pal-acl" { value 4; description "PAL ACL database"; } enum "crypto-policy-db-pal-peer" { value 5; description "PAL peer database"; } enum "crypto-policy-db-pal-spi" { value 6; description "PAL SPI database"; } enum "crypto-policy-db-pal-cflow" { value 7; description "PAL outbound flow database"; } enum "crypto-policy-db-pal-tbar" { value 8; description "PAL time base replay database"; } } description "Crypto policy database types"; } typedef crypto-gdoi-group-type { type enumeration { enum "crypto-group-type-gdoi" { value 0; description "GDOI Group"; } enum "crypto-group-type-gikev2" { value 1; description "GIKEV2 Group"; } } description "Crypto GDOI Group Type"; } typedef crypto-gdoi-coop-ks-role { type enumeration { enum "crypto-ks-role-primary" { value 0; description "Primary Key Server"; } enum "crypto-ks-role-secondary" { value 1; description "Secondary Key Server"; } enum "crypto-ks-role-invalid" { value 2; description "Invalid Key Server role"; } } description "Crypto GDOI Key Server COOP Role"; } typedef crypto-gdoi-coop-ks-status { type enumeration { enum "crypto-ks-status-unknown" { value 0; description "Unknown status"; } enum "crypto-ks-status-alive" { value 1; description "Alive status"; } enum "crypto-ks-status-dead" { value 2; description "Dead status"; } enum "crypto-ks-status-invalid" { value 3; description "Invalid status"; } } description "Crypto GDOI KS COOP Status"; } typedef crypto-rekey-trans-type { type enumeration { enum "crypto-rekey-transport-multicast" { value 0; description "Multicast transport"; } enum "crypto-rekey-transport-unicast" { value 1; description "Unicast transport"; } } description "Crypto GDOI Rekey Transport type"; } typedef coop-ks-gmdb-state { type enumeration { enum "crypto-ks-state-redundant" { value 0; description "Peer Key Server"; } enum "crypto-ks-state-local" { value 1; description "Local Key Server"; } } description "Crypto GDOI KS COOP GM database state"; } typedef crypto-gdoi-gm-state { type enumeration { enum "crypto-reg-status-uninit" { value 0; description "GM registration not initialized"; } enum "crypto-reg-status-registering" { value 1; description "GM is registering"; } enum "crypto-reg-status-re-registering" { value 2; description "GM is re-registering"; } enum "crypto-reg-status-registered" { value 3; description "GM registered"; } enum "crypto-reg-status-unknown" { value 4; description "GM registration state unknown"; } } description "Crypto GDOI GM state"; } typedef crypto-rekey-ack-type { type enumeration { enum "crypto-rekey-ack-none" { value 0; description "Acknowledgement None"; } enum "crypto-rekey-ack-cisco" { value 1; description "Acknowledgement Cisco"; } enum "crypto-rekey-ack-interop" { value 2; description "Acknowledgement Interop"; } enum "crypto-rekey-ack-any" { value 3; description "Acknowledgement Any"; } enum "crypto-rekey-ack-unknown" { value 4; description "Acknowledgement Unknown"; } } description "Crypto Rekey acknowledgement type"; } typedef crypto-encaps-mode { type enumeration { enum "crypto-encaps-mode-transport" { value 0; description "Transport mode"; } enum "crypto-encaps-mode-tunnel" { value 1; description "Tunnel mode"; } enum "crypto-encaps-mode-udp-tunnel" { value 2; description "UDP Tunnel mode"; } enum "crypto-encaps-mode-udp-transport" { value 3; description "UDP Transport mode"; } enum "crypto-encaps-mode-unknown" { value 4; description "Unknown Encapsulation mode"; } } description "Crypto Encapsulation mode"; } typedef crypto-rekey-encr-alg { type enumeration { enum "crypto-encr-des" { value 0; description "DES Encryption Algorithm"; } enum "crypto-encr-3des" { value 1; description "3DES Encryption Algorithm"; } enum "crypto-encr-aes" { value 2; description "AES Encryption Algorithm"; } enum "crypto-encr-unsupported" { value 3; description "Unsupported Encryption Algorithm"; } } description "Crypto Rekey Encryption Algorithm"; } typedef coop-ike-status { type enumeration { enum "crypto-ike-uninit" { value 0; description "IKE uninitialized"; } enum "crypto-ike-in-progress" { value 1; description "IKE in progress"; } enum "crypto-ike-established" { value 2; description "IKE established"; } enum "crypto-ike-failed" { value 3; description "IKE status failed"; } enum "crypto-ike-init-failed" { value 4; description "IKE Initialization failed"; } enum "crypto-ike-invalid" { value 5; description "IKE status invalid"; } } description "Crypto GDOI COOP IKE Status"; } typedef crypto-ipsec-sa-direction { type enumeration { enum "crypto-sa-dir-both" { value 0; description "IPSec SA is active in both directions"; } enum "crypto-sa-dir-inbound-only" { value 1; description "IPSec SA is active in inbound direction only"; } } description "IPSec SA direction for traffic encryption"; } typedef crypto-acl-action-type { type enumeration { enum "acl-action-permit" { value 0; description "Permit matching packets"; } enum "acl-action-deny" { value 1; description "Deny matching packets"; } } description "Action to be taken on packets matching the rule"; } typedef crypto-acl-port-operator-type { type enumeration { enum "port-oper-equals" { value 0; description "Equals to the given port"; } enum "port-oper-not-equals" { value 1; description "Not equal to the given port"; } enum "port-oper-lesser-than" { value 2; description "Lesser than the given port"; } enum "port-oper-greater-than" { value 3; description "Greater than the given port"; } enum "port-oper-range" { value 4; description "Range between the ports, including the given ports"; } } description "Operation to use while checking if the protocol port matches the given port(s)"; } typedef crypto-acl-protocol-type { type enumeration { enum "proto-any" { value 0; description "Any IP protocol"; } enum "proto-number" { value 1; description "Number assigned to the IP protocol"; } enum "proto-object-group" { value 2; description "Service object-group name containing the protocol(s)"; } } description "Options to configure the protocol for matching packets"; } typedef crypto-acl-port-option-type { type enumeration { enum "port-any" { value 0; description "Protocol port is not configured"; } enum "port-conf" { value 1; description "Protocol port is configured"; } } description "ACL port configuration options"; } typedef crypto-acl-v4-address-type { type enumeration { enum "v4-addr-wildcard" { value 0; description "IPv4 address and wildcard"; } enum "v4-host" { value 1; description "IPv4 host address"; } enum "v4-object-group" { value 2; description "IPv4 network object group containing IPv4 addresses"; } enum "v4-fqdn-group" { value 3; description "Name of the FQDN group associated with this entry"; } enum "v4-any" { value 4; description "Any IPv4 address in this position"; } enum "v4-geo-group" { value 5; description "Name of the geolocation group associated with this entry"; } } description "Options to configure IPv4 address"; } typedef crypto-transform-options { type bits { bit crypto-transform-ah-hmac-sha { position 0; description "AH-HMAC-SHA"; } bit crypto-transform-ah-hmac-sha256 { position 1; description "AH-HMAC-SHA-256"; } bit crypto-transform-ah-hmac-sha384 { position 2; description "AH-HMAC-SHA-384"; } bit crypto-transform-ah-hmac-sha512 { position 3; description "AH-HMAC-SHA-512"; } bit crypto-transform-ah-hmac-md5 { position 4; description "AH-HMAC-MD5"; } bit crypto-transform-esp-des { position 5; description "ESP-DES"; } bit crypto-transform-esp-3-des { position 6; description "ESP-3DES"; } bit crypto-transform-esp-seal { position 7; description "ESP-SEAL"; } bit crypto-transform-esp-aes-cbc { position 8; description "ESP-AES-CBC"; } bit crypto-transform-esp-aes-cbc-192 { position 9; description "ESP-AES-CBC-192"; } bit crypto-transform-esp-aes-cbc-256 { position 10; description "ESP-AES-CBC-256"; } bit crypto-transform-esp-aes-gcm { position 11; description "ESP-AES-GCM"; } bit crypto-transform-esp-aes-gcm-192 { position 12; description "ESP-AES-GCM-192"; } bit crypto-transform-esp-aes-gcm-256 { position 13; description "ESP-AES-GCM-256"; } bit crypto-transform-esp-aes-gmac { position 14; description "ESP-AES-GMAC"; } bit crypto-transform-esp-aes-gmac-192 { position 15; description "ESP-AES-GMAC-192"; } bit crypto-transform-esp-aes-gmac-256 { position 16; description "ESP-AES-GMAC-256"; } bit crypto-transform-esp-null { position 17; description "ESP-NULL"; } bit crypto-transform-esp-hmac-md5 { position 18; description "ESP-HMAC-MD5"; } bit crypto-transform-esp-hmac-sha { position 19; description "ESP-HMAC-SHA"; } bit crypto-transform-esp-hmac-sha256 { position 20; description "ESP-HMAC-SHA-256"; } bit crypto-transform-esp-hmac-sha384 { position 21; description "ESP-HMAC-SHA-384"; } bit crypto-transform-esp-hmac-sha512 { position 22; description "ESP-HMAC-SHA-512"; } bit crypto-transform-pcp-lzs { position 23; description "PCP-LZS"; } } description "The cryptographic transform set options available in the connection"; } container crypto-oper-data { config false; description "crypto operational data"; list crypto-ipsec-ident { key "interface"; description "Crypto IPSEC Identity Entry"; leaf interface { type string; description "Interface"; } container ident-data { description "IPSEC Identity Data"; leaf protected-vrf { type uint32; description "Protected VRF"; } leaf local-ident-addr { type inet:ip-address; description "Local IPSEC Identity Address"; } leaf local-ident-mask { type inet:ip-address; description "Local IPSEC Identity Mask"; } leaf local-ident-protocol { type uint32; description "Local IPSEC Identity Protocol"; } leaf remote-ident-addr { type inet:ip-address; description "Remote IPSEC Identity Address"; } leaf remote-ident-mask { type inet:ip-address; description "Remote IPSEC Identity Mask"; } leaf remote-ident-protocol { type uint32; description "Remote IPSEC Identity Protocol"; } leaf plaintext-mtu { type uint16; description "Plain text MTU value"; } leaf local-endpt-addr { type inet:ip-address; description "Local Endpoint Address"; } leaf remote-endpt-addr { type inet:ip-address; description "Remote Endpoint Address"; } leaf dh-group { type crypto-dh-group-type; description "DH group"; } container inbound-esp-sa { description "Inbound ESP SA"; leaf spi { type uint32; description "IPSEC SPI number"; } leaf dir { type crypto-dir-type; description "Traffic Direction"; } leaf protocol { type crypto-prot-type; description "IPSEC Protocol"; } leaf flow-id { type uint32; description "FLow ID"; } leaf sa-status { type crypto-sa-status; description "IPSEC SA status"; } leaf transform-set { type crypto-transform-options; description "Crypto transform set"; } } // container inbound-esp-sa container inbound-ah-sa { description "Inbound AH SA"; leaf spi { type uint32; description "IPSEC SPI number"; } leaf dir { type crypto-dir-type; description "Traffic Direction"; } leaf protocol { type crypto-prot-type; description "IPSEC Protocol"; } leaf flow-id { type uint32; description "FLow ID"; } leaf sa-status { type crypto-sa-status; description "IPSEC SA status"; } leaf transform-set { type crypto-transform-options; description "Crypto transform set"; } } // container inbound-ah-sa container inbound-pcp-sa { description "Inbound PCP SA"; leaf spi { type uint32; description "IPSEC SPI number"; } leaf dir { type crypto-dir-type; description "Traffic Direction"; } leaf protocol { type crypto-prot-type; description "IPSEC Protocol"; } leaf flow-id { type uint32; description "FLow ID"; } leaf sa-status { type crypto-sa-status; description "IPSEC SA status"; } leaf transform-set { type crypto-transform-options; description "Crypto transform set"; } } // container inbound-pcp-sa container outbound-esp-sa { description "Outbound ESP SA"; leaf spi { type uint32; description "IPSEC SPI number"; } leaf dir { type crypto-dir-type; description "Traffic Direction"; } leaf protocol { type crypto-prot-type; description "IPSEC Protocol"; } leaf flow-id { type uint32; description "FLow ID"; } leaf sa-status { type crypto-sa-status; description "IPSEC SA status"; } leaf transform-set { type crypto-transform-options; description "Crypto transform set"; } } // container outbound-esp-sa container outbound-ah-sa { description "Outbound AH SA"; leaf spi { type uint32; description "IPSEC SPI number"; } leaf dir { type crypto-dir-type; description "Traffic Direction"; } leaf protocol { type crypto-prot-type; description "IPSEC Protocol"; } leaf flow-id { type uint32; description "FLow ID"; } leaf sa-status { type crypto-sa-status; description "IPSEC SA status"; } leaf transform-set { type crypto-transform-options; description "Crypto transform set"; } } // container outbound-ah-sa container outbound-pcp-sa { description "Outbound PCP SA"; leaf spi { type uint32; description "IPSEC SPI number"; } leaf dir { type crypto-dir-type; description "Traffic Direction"; } leaf protocol { type crypto-prot-type; description "IPSEC Protocol"; } leaf flow-id { type uint32; description "FLow ID"; } leaf sa-status { type crypto-sa-status; description "IPSEC SA status"; } leaf transform-set { type crypto-transform-options; description "Crypto transform set"; } } // container outbound-pcp-sa } // container ident-data } // list crypto-ipsec-ident list crypto-ikev2-sa { key "sa-id"; description "Crypto IKEv2 SA Entry"; leaf sa-id { type uint32; description "Security association identifier"; } container sa-data { description "Security association Data"; leaf sa-id { type uint32; description "IKE security association identifier"; } leaf sa-status { type crypto-sa-status; description "IKE security association Status"; } leaf local-ip-addr { type inet:ip-address; description "Local IP Address"; } leaf local-port { type uint16; description "Local Port number"; } leaf remote-ip-addr { type inet:ip-address; description "Remote IP Address"; } leaf remote-port { type uint16; description "Remote Port number"; } leaf dh-group { type crypto-dh-group-type; description "DH group"; } leaf init-spi { type binary; description "Initiator security parameter index"; } leaf resp-spi { type binary; description "Responder security parameter index"; } leaf ivrf { type string; description "IKE IVRF"; } leaf fvrf { type string; description "IKE FVRF"; } leaf lifetime { type uint32; units "seconds"; description "Security association lifetime"; } leaf hash-algo { type crypto-hash-alg; description "HASH Algorithm"; } leaf encr-alg { type crypto-encryption-alg; description "Encryption algorithm"; } leaf my-auth-method { type crypto-auth-method; description "Self authentication method"; } leaf peer-auth-method { type crypto-auth-method; description "Peer authentication Method"; } } // container sa-data } // list crypto-ikev2-sa list crypto-ikev1-sa { key "sa-id"; description "Crypto IKEv1 SA Entry"; leaf sa-id { type uint32; description "Security association identifier"; } container sa-data { description "Security association Data"; leaf sa-id { type uint32; description "IKE security association identifier"; } leaf sa-status { type crypto-sa-status; description "IKE security association Status"; } leaf local-ip-addr { type inet:ip-address; description "Local IP Address"; } leaf local-port { type uint16; description "Local Port number"; } leaf remote-ip-addr { type inet:ip-address; description "Remote IP Address"; } leaf remote-port { type uint16; description "Remote Port number"; } leaf dh-group { type crypto-dh-group-type; description "DH group"; } leaf init-spi { type binary; description "Initiator security parameter index"; } leaf resp-spi { type binary; description "Responder security parameter index"; } leaf ivrf { type string; description "IKE IVRF"; } leaf fvrf { type string; description "IKE FVRF"; } leaf lifetime { type uint32; units "seconds"; description "Security association lifetime"; } leaf hash-algo { type crypto-hash-alg; description "HASH Algorithm"; } leaf encr-alg { type crypto-encryption-alg; description "Encryption algorithm"; } leaf my-auth-method { type crypto-auth-method; description "Self authentication method"; } leaf peer-auth-method { type crypto-auth-method; description "Peer authentication Method"; } } // container sa-data } // list crypto-ikev1-sa container crypto-cerm-info { presence "crypto-cerm-info"; description "Crypto Export Restrictions Entry"; leaf enabled { type boolean; description "Indicates if Export Restriction has been enabled"; } container resource-info { description "Export Resource Limits for the platform"; container ipsec-tunnels { description "Number of IPSEC tunnels"; leaf maximum { type uint32; description "Maximum tunnels supported on platform due to Export Restrictions"; } leaf available { type uint32; description "Currently Available tunnels based on Export Restriction"; } } // container ipsec-tunnels container tls-sessions { description "Number of TLS sessions"; leaf maximum { type uint32; description "Maximum tunnels supported on platform due to Export Restrictions"; } leaf available { type uint32; description "Currently Available tunnels based on Export Restriction"; } } // container tls-sessions } // container resource-info container resv-info { description "Dynamic Client Reservation Information"; container voice { description "Voice client"; leaf tunnels { type uint32; description "Number of tunnels created by a client"; } leaf tls-sessions { type uint32; description "Number of TLS sessions created by a client"; } } // container voice container ipsec { description "IPSEC client"; leaf tunnels { type uint32; description "Number of tunnels created by a client"; } leaf tls-sessions { type uint32; description "Number of TLS sessions created by a client"; } } // container ipsec container sslvpn { description "SSLVPN client"; leaf tunnels { type uint32; description "Number of tunnels created by a client"; } leaf tls-sessions { type uint32; description "Number of TLS sessions created by a client"; } } // container sslvpn } // container resv-info container stats-info { description "Statistics info resulting from Export Restrictions"; leaf failed-tunnels { type uint32; description "Failed tunnel creation attempts due to Export Restriction"; } leaf failed-sessions { type uint32; description "Failed session creation attempts due to Export Restriction"; } } // container stats-info } // container crypto-cerm-info container crypto-ipsec-policy-stats { presence "crypto-ipsec-policy-stats"; description "Crypto policy statistics"; list notify-stats { description "Policy Notification Statistics"; leaf notification-type { type crypto-policy-notify-type; description "Notification type"; } leaf num-received { type uint32; description "Number of notify messages received"; } leaf num-completed { type uint32; description "Number of successful notifications to PAL"; } leaf num-rcv-error { type uint32; description "Number of message processing error"; } leaf num-rcv-ignore { type uint32; description "Number of notify messages ignored"; } } // list notify-stats list cmd-stats { description "Policy Command Statistics"; leaf cmd-type { type crypto-policy-cmd-type; description "Command type"; } leaf num-request { type uint32; description "Number of command messages received from PAL"; } leaf num-reply-ok { type uint32; description "Number of successful replies sent to PAL"; } leaf num-reply-error { type uint32; description "Number of error replies sent to PAL"; } leaf num-abort { type uint32; description "Number of command messages aborted by PAL"; } leaf total-time { type uint64; units "milliseconds"; description "Round trip time"; } } // list cmd-stats list dbase-stats { description "Policy Database Summary Statistics"; leaf dbase-type { type crypto-policy-dbase-type; description "Database type"; } leaf num-add { type uint32; description "Number of additions to database"; } leaf num-delete { type uint32; description "Number of deletions from database"; } leaf num-abort { type uint32; description "Number of aborted calls to database"; } } // list dbase-stats } // container crypto-ipsec-policy-stats list gdoi-gm { key "group-name"; description "Crypto GDOI Group Member Information"; leaf group-name { type string; description "Name of the group"; } leaf sa-dir { type crypto-ipsec-sa-direction; description "Indicates the SA direction is active in inbound direction or both directions"; } leaf acl-rcvd { type string; description "ACL Received from KS"; } list gm-entry { description "Entry for each GM"; leaf group-name { type string; description "Name of the group"; } leaf local-addr { type inet:ip-address; description "Local address of GM"; } leaf remote-addr { type inet:ip-address; description "Registered with KS (Remote KS address)"; } leaf vrf-enabled { type boolean; description "True if VRF (Virtual Routing and Forwarding) is enabled"; } leaf vrf-name { when "(../vrf-enabled='true')"; type string; description "VRF configured on the interface"; } leaf gm-ver { type string; description "GM Version"; } leaf gm-state { type crypto-gdoi-gm-state; description "GM registration status"; } leaf prev-reg-time { when "(../gm-state = 'crypto-reg-status-registered')"; type yang:date-and-time; description "Previous registration timestamp"; } leaf secs-to-re-reg { type uint32; units "seconds"; description "GM re-registers after in seconds. Reference time is previous registration time stamp. This is the time remaining until the GM re-registers"; } leaf succ-reg { type uint32; description "The number of successful registrations"; } leaf att-reg { type uint32; description "Number of attempted registrations"; } leaf last-rekey-from-ks { type inet:ip-address; description "Last rekey from KS"; } leaf last-rekey-seq-num { type uint32; description "Sequence number of last rekey"; } leaf last-rekey-time { when "(../rekeys-rcvd > 0) and (../gm-state = 'crypto-reg-status-registered')"; type yang:date-and-time; description "Last rekey timestamp"; } leaf rekeys-rcvd { when "(../gm-state = 'crypto-reg-status-registered')"; type uint32; description "Number of unicast rekey received"; } leaf rekey-acks-sent { when "(../gm-state = 'crypto-reg-status-registered')"; type uint32; description "Number of Rekey acknowledgements sent"; } leaf pfs-rekeys { type uint32; description "Number of PFS rekey received"; } leaf dp-error { type boolean; description "True if DataPlane Error monitoring is enabled"; } leaf dp-interval { type uint32; description "DP Interval"; } leaf dp-reg { type uint32; description "DP registration count"; } leaf num-ipsec-init-reg-exec { type uint32; description "Number of IPSec initialization registrations executed"; } leaf num-ipsec-init-reg-ppnd { type uint32; description "Number of IPSec initialization registrations postponed"; } leaf active-tek-count { type uint8; description "Active TEK count"; } leaf sa-track { type boolean; description "True if SA tracking is enabled"; } leaf sa-track-oid { when "(../sa-track='true')"; type uint32; description "SA Track object identifier"; } leaf sa-track-is-up { when "(../sa-track='true')"; type boolean; description "SA Tracking status"; } leaf fail-close-revert { type boolean; description "Fail-close revert"; } leaf ks-policy-removal-time { when "(../fail-close-revert='true')"; type yang:date-and-time; description "KS policy removal timestamp"; } } // list gm-entry } // list gdoi-gm list gdoi-gm-acl { key "group-name"; description "Crypto GDOI Group Member downloaded ACL"; leaf group-name { type string; description "Name of the group"; } list dwnld-acl-entry { key "rule-name"; description "Downloaded access-list-entry(ACE) information"; leaf rule-name { type uint32; description "Entry number"; } container ace-data { description "Per access list entry traffic match data"; leaf match-counter { type yang:counter64; description "Number of matches for an access list entry"; } } // container ace-data container acl-rules { description "Per access list entries rule data"; container v4-ext-ace-rule { description "IPv4 extended ACL rule matching parameters"; leaf action { type crypto-acl-action-type; description "Indicates if the packets were permitted or denied"; } container proto { description "Protocol used to match the packets"; choice proto-choice { description "Protocol configuration options"; leaf any { type empty; description "Any IP protocol"; } leaf number { type uint8; description "Number assigned to the IP protocol"; } leaf object-group { type string; description "Service object-group name containing the protocol(s)"; } } // choice proto-choice } // container proto container src-addr { description "Source address used to match the packets"; choice v4-address-choice { description "Options to configure IPv4 address"; container addr-wcard { description "IPv4 address and wildcard"; leaf address { type inet:ipv4-address; description "IPv4 network address"; } leaf wildcard { type inet:ipv4-address; description "Wildcard or inverted network mask"; } } // container addr-wcard leaf host { type inet:ipv4-address; description "IPv4 host address"; } leaf object-group { type string; description "IPv4 network object group containing IPv4 addresses"; } leaf fqdn-group { type string; description "Name of the FQDN group associated with this entry"; } leaf any { type empty; description "Any IPv4 address in this position"; } leaf geo-group { type string; description "Name of the geolocation group associated with this entry"; } } // choice v4-address-choice } // container src-addr container src-port { description "Source port used to match the packets"; choice port-option-choice { description "Indicates whether the port was configured"; leaf any { type empty; description "Port is not configured. So, all ports will be matched"; } container port-data { description "Port configuration to be matched against the packet"; leaf port-oper { type crypto-acl-port-operator-type; description "Operation to use while checking if the protocol port matches the given port(s)"; } leaf-list port { type uint16; ordered-by user; description "When the port match is less than or greater than the given port then the port list will have one entry for the operation. When the port match is range then port list will have two values with the range being between the values. When the port match is equals and not equals to the given port, then there may be up to 10 number of ports."; } } // container port-data } // choice port-option-choice } // container src-port container dest-addr { description "Destination address used to match the packets"; choice v4-address-choice { description "Options to configure IPv4 address"; container addr-wcard { description "IPv4 address and wildcard"; leaf address { type inet:ipv4-address; description "IPv4 network address"; } leaf wildcard { type inet:ipv4-address; description "Wildcard or inverted network mask"; } } // container addr-wcard leaf host { type inet:ipv4-address; description "IPv4 host address"; } leaf object-group { type string; description "IPv4 network object group containing IPv4 addresses"; } leaf fqdn-group { type string; description "Name of the FQDN group associated with this entry"; } leaf any { type empty; description "Any IPv4 address in this position"; } leaf geo-group { type string; description "Name of the geolocation group associated with this entry"; } } // choice v4-address-choice } // container dest-addr container dest-port { description "Destination port used to match the packets"; choice port-option-choice { description "Indicates whether the port was configured"; leaf any { type empty; description "Port is not configured. So, all ports will be matched"; } container port-data { description "Port configuration to be matched against the packet"; leaf port-oper { type crypto-acl-port-operator-type; description "Operation to use while checking if the protocol port matches the given port(s)"; } leaf-list port { type uint16; ordered-by user; description "When the port match is less than or greater than the given port then the port list will have one entry for the operation. When the port match is range then port list will have two values with the range being between the values. When the port match is equals and not equals to the given port, then there may be up to 10 number of ports."; } } // container port-data } // choice port-option-choice } // container dest-port } // container v4-ext-ace-rule } // container acl-rules } // list dwnld-acl-entry } // list gdoi-gm-acl list gdoi-gm-dp-counters { key "group-name"; description "Crypto GDOI Group Member Dataplane Counters"; leaf group-name { type string; description "Name of the group"; } leaf pkts-encrypt { type uint32; description "Packets encrypted"; } leaf pkts-decrypt { type uint32; description "Packets decrypted"; } leaf pkts-tagged { type uint32; description "Packets tagged (SEND)"; } leaf pkts-untagged { type uint32; description "Packets untagged (RCV)"; } leaf pkts-no-sa { type uint32; description "Packets no SA (SEND)"; } leaf pkts-invalid-sa { type uint32; description "Packets invalid SA (RCV)"; } leaf pkts-encaps-fail { type uint32; description "Packets encapsulation fail (SEND)"; } leaf pkts-decap-fail { type uint32; description "Packets decapsulation fail (RCV)"; } leaf pkts-invalid-prot { type uint32; description "Packets invalid protocol (RCV)"; } leaf pkts-verify-fail { type uint32; description "Packets verify fail (RCV)"; } leaf pkts-not-tagged { type uint32; description "Packets not tagged (SEND)"; } leaf pkts-not-untagged { type uint32; description "Packets not untagged (RCV)"; } leaf pkts-internal-err-send { type uint32; description "Packets internal error (SEND)"; } leaf pkts-internal-err-rcv { type uint32; description "Packets internal error (RCV)"; } } // list gdoi-gm-dp-counters list gdoi-gm-rekey { key "group-name"; description "Crypto GDOI Group Member Rekey Information"; leaf group-name { type string; description "Name of the group"; } leaf transport-type { type crypto-rekey-trans-type; description "Rekey transport type"; } leaf total-rekeys-rcv { type uint32; description "Total rekey received"; } leaf rekeys-rcv-after-reg { type uint32; description "Rekey received after reg"; } leaf rekey-acks-sent { type uint32; description "Rekey acknowledgements sent"; } } // list gdoi-gm-rekey list gdoi-gm-replay { key "group-name"; description "Crypto GDOI Group Member Replay Entry"; leaf group-name { type string; description "Name of the group"; } leaf time-based-replay { type boolean; description "True if time based replay is configured"; } leaf replay-value { when "(../time-based-replay = 'true')"; type uint32; description "Replay value"; } leaf input-pkts { when "(../time-based-replay = 'true')"; type uint32; description "Input packets"; } leaf output-pkts { when "(../time-based-replay = 'true')"; type uint32; description "Output Packets"; } leaf input-error-pkts { when "(../time-based-replay = 'true')"; type uint32; description "Input error packets"; } leaf output-error-pkts { when "(../time-based-replay = 'true')"; type uint32; description "Output error packets"; } leaf time-sync-error { when "(../time-based-replay = 'true')"; type uint32; units "seconds"; description "The difference of pseudo time between the Group members"; } leaf max-time-delta { when "(../time-based-replay = 'true')"; type uint32; units "seconds"; description "Max time difference between the GMs"; } } // list gdoi-gm-replay list gdoi-ks { key "group-name"; description "Crypto GDOI(Group Domain of interpretation) Key Server Entry"; leaf group-name { type string; description "Group Name"; } leaf group-id { type uint32; description "Group Identifier Number"; } leaf re-auth { type boolean; description "Re-authentication on new CRL(Certificate Revocation List) enabled or disabled"; } leaf group-type { type crypto-gdoi-group-type; description "Group type GDOI or GIKEV2"; } leaf gikev2-prof { when "(../group-type = 'crypto-group-type-gikev2')"; type string; description "IKEV2 profile name"; } leaf total-mem { type uint16; description "Total number of group members"; } leaf gdoi-mem { type uint16; description "Total number of GDOI group members"; } leaf gikev2-mem { type uint16; description "Total number of GIKEV2 group members"; } leaf rekey-ack { type crypto-rekey-ack-type; description "Rekey acknowledgement type"; } leaf sa-dir { type crypto-ipsec-sa-direction; description "Indicates the SA direction is active in inbound direction or both directions"; } leaf ipd3p-window { type uint32; description "IPD3P window size (0 if disabled)"; } leaf pfs { type boolean; description "True if PFS(Perfect Forward Secrecy) is enabled"; } leaf sp-resil-factor { type uint16; description "Split resiliency factor"; } leaf redundancy { type boolean; description "True if redundancy is configured"; } leaf ks-addr { type inet:ip-address; description "Local Key Server IP address"; } leaf priority { type uint8; description "Local Key Server priority"; } leaf status { when "(../redundancy = 'true')"; type crypto-gdoi-coop-ks-status; description "Local Key Server status"; } leaf role { when "(../redundancy = 'true')"; type crypto-gdoi-coop-ks-role; description "Local Key Server role"; } leaf version { type string; description "Local Key Server version"; } } // list gdoi-ks list gdoi-ks-coop { key "group-name"; description "Crypto GDOI Key Server Co operative Data"; leaf group-name { type string; description "Name of the group"; } leaf redundancy { type boolean; description "True if redundancy is configured"; } container local-ks { when "(../redundancy = 'true')"; description "Local KS COOP Information"; leaf ks-addr { type inet:ip-address; description "Local Key Server Address"; } leaf priority { type uint8; description "Local KS Priority"; } leaf role { type crypto-gdoi-coop-ks-role; description "Local KS Role"; } leaf status { type crypto-gdoi-coop-ks-status; description "Local KS Status"; } leaf version { type string; description "Local KS Version"; } leaf coop-version { type string; description "Local KS COOP Version"; } leaf coop-refresh-time { type uint8; units "seconds"; description "COOP KS(Co-operative KS) Refresh policy time It is a constant value"; } leaf anti-replay-seq-num { type uint16; description "Anti replay sequence number"; } } // container local-ks list peer-ks { when "(../redundancy = 'true')"; description "Peer KS COOP Information"; leaf ks-addr { type inet:ip-address; description "Peer Key Server Address"; } leaf priority { type uint8; description "Peer KS Priority"; } leaf role { type crypto-gdoi-coop-ks-role; description "Peer KS Role"; } leaf status { type crypto-gdoi-coop-ks-status; description "Peer KS Status"; } leaf version { type string; description "Peer KS Version"; } leaf coop-version { type string; description "Peer KS COOP Version"; } leaf anti-replay-seq-num { type uint16; description "Anti replay sequence number"; } leaf ike-status { type coop-ike-status; description "Status of IKE connection"; } leaf ann-msgs-sent { type uint16; description "Announcement messages sent"; } leaf reply-req-sent { type uint16; description "Reply requests sent"; } leaf ann-msgs-rcv { type uint16; description "Announcement messages received"; } leaf reply-req-rcv { type uint16; description "Reply requests received"; } leaf pkts-sent-drops { type uint32; description "COOP packets sent drops"; } leaf pkts-rcv-drops { type uint32; description "COOP packets receive drops"; } leaf bytes-sent { type uint32; description "Total bytes sent"; } leaf bytes-rcv { type uint32; description "Total bytes received"; } } // list peer-ks } // list gdoi-ks-coop list gdoi-ks-mem { key "group-name"; description "Crypto GDOI Key Server Members"; leaf group-name { type string; description "Name of the group"; } leaf group-id { type uint32; description "Group ID"; } leaf tot-group-mem { type uint32; description "Total GMs in the group"; } leaf num-rekeys-sent { type uint32; description "Number of rekey sent"; } leaf num-rexmit { type uint32; description "Number of rekey retransmit during last rekey"; } leaf duration { type uint32; units "seconds"; description "Duration of last rekey(in msec)"; } list ks-entry { description "Entry of each KS"; leaf ks-ip { type inet:ip-address; description "IP address of KS"; } leaf gmdb-state { type coop-ks-gmdb-state; description "GM Database state"; } leaf group-mem { type uint32; description "Number of GMs registered to this KS"; } } // list ks-entry list gm-entry { key "gm-number"; description "Entry for each GM"; leaf gm-number { type uint32; description "Position of GM in the list"; } leaf gm-id { type inet:ip-address; description "Group member IP address"; } leaf gm-ver { type string; description "GM version"; } leaf group-type { type crypto-gdoi-group-type; description "Group type"; } leaf gm-state { type crypto-gdoi-gm-state; description "GM state"; } leaf ks-id { type inet:ip-address; description "Key server ID"; } leaf rekeys-sent { type uint32; description "Number of rekey sent"; } leaf rekey-retries { type uint32; description "Number of rekey retries"; } leaf rekey-acks-rcvd { type uint32; description "Number of rekey acks received"; } leaf rekey-acks-missed { type uint32; description "Number of rekey acks missed"; } } // list gm-entry } // list gdoi-ks-mem list gdoi-ks-policy { key "group-name"; description "Crypto GDOI Key Server Policy"; leaf group-name { type string; description "Name of the group"; } list ks-entry { description "Each KS entry"; leaf ks-ip { type inet:ip-address; description "IP Address of Key server"; } leaf total-tek { type uint8; description "Total number of TEK"; } leaf seq-num { type uint32; description "Sequence number"; } leaf valid-kek { type boolean; description "True if valid KEK is present for the current key server"; } container kek { when "(../valid-kek='true')"; description "KEK policy"; leaf rekey-transport-type { type crypto-rekey-trans-type; description "Rekey transport type"; } leaf kek-spi { type string; description "KEK SPI"; } leaf mgmt-alg { type boolean; description "Management algorithm"; } leaf encr-alg { type crypto-rekey-encr-alg; description "Encryption algorithm"; } leaf crypto-iv-len { type uint8; units "bytes"; description "Crypto IV length"; } leaf key-size { type uint8; units "bytes"; description "Key size"; } leaf orig-life { type uint32; units "seconds"; description "Configured life of this KEK. It is a constant value. It is the lifetime of KEK starting from KEK birth time"; } leaf kek-birth-time { type yang:date-and-time; description "Birth time of this KEK and also called as last KEK rekey timestamp"; } leaf rem-life { type uint32; units "seconds"; description "KEK remaining lifetime in seconds. Reference time is KEK birth timestamp. It is the time remaining until the KEK reaches its expiry"; } leaf time-to-rekey { type uint32; units "seconds"; description "Reference time is KEK birth timestamp It is the time remaining until KS sends a new KEK rekey Key server sends rekey even before the old KEK expires"; } leaf sig-hash-alg { type boolean; description "Signature hash algorithm"; } leaf sig-key-len { type uint16; units "bits"; description "Signature key length"; } leaf sig-size { type uint16; units "bits"; description "Signature size"; } leaf sig-key-name { type string; description "Signature key name"; } leaf rekey-ack-type { type crypto-rekey-ack-type; description "Rekey acknowledgement type"; } } // container kek list tek { description "TEK policy list"; leaf encaps-mode { type crypto-encaps-mode; description "Encapsulation mode"; } leaf tek-spi { type string; description "TEK SPI"; } leaf acl { type string; description "Name of the access-list"; } leaf transform-mode { type crypto-transform-options; description "The cryptographic transform mode"; } leaf alg-key-size { type uint8; units "bits"; description "Algorithm key size"; } leaf sig-key-size { type uint8; units "bits"; description "Signature key size"; } leaf orig-life { type uint32; units "seconds"; description "Configured lifetime of this TEK. It is a constant value. It is the lifetime of the TEK starting from TEK birth time"; } leaf tek-birth-time { type yang:date-and-time; description "TEK birth timestamp and also called as last TEK rekey timestamp"; } leaf rem-life { type uint32; units "seconds"; description "It is the remaining time until the TEK reaches its expiry. Reference time is TEK birth timestamp"; } leaf override-life { type uint32; units "seconds"; description "Override life in seconds. This is the new lifetime of the TEK that will be over ridden when there is a policy change in the group It is a constant value calculated based on the original life (configured lifetime) of the TEK"; } leaf anti-replay-window { type uint8; units "seconds"; description "Anti replay window size"; } leaf time-to-rekey { type uint32; units "seconds"; description "It is the time remaining until KS sends a new TEK rekey. Reference time is TEK birth timestamp Key server sends rekey even before the old TEK expires"; } } // list tek } // list ks-entry } // list gdoi-ks-policy list gdoi-ks-rekey { key "group-name"; description "Crypto GDOI Ker Server Rekey Detail"; leaf group-name { type string; description "Name of the group"; } leaf rekey-ack { type crypto-rekey-ack-type; description "Acknowledgement type in-use"; } leaf rekey-in-progress { type boolean; description "Rekey in-progress"; } leaf rekeys-sent { type uint32; description "Number of rekey sent"; } leaf rekeys-rexmit { type uint32; description "Number of rekey retransmitted"; } leaf kek-lifetime { type uint32; units "seconds"; description "Configured KEK lifetime in seconds. It is a constant value. It is the lifetime of the KEK rekey starting from KEK birth timestamp"; } leaf kek-birth-time { type yang:date-and-time; description "KEK birth timestamp and also called as last KEK rekey timestamp"; } leaf kek-rem-life { type uint32; units "seconds"; description "KEK remaining lifetime in seconds. Reference time is KEK birth timestamp. It is the remaining lifetime till the KEK reaches its expiry"; } leaf rem-time-kek-rekey { type uint32; units "seconds"; description "It is the time remaining until KS sends a new KEK rekey Reference time is KEK birth timestamp Key server sends rekey even before the old KEK expiry"; } leaf rexmit-period { type uint32; units "seconds"; description "Rekey Retransmit period"; } leaf num-rexmit { type uint32; description "Number of rekey retransmissions"; } leaf cur-rexmit { type uint32; description "Current number of rekey retransmissions"; } list ipsec-sa { description "IPSec SA information"; leaf ipsec-sa-num { type uint16; description "IPSec SA number"; } leaf tek-birth-time { type yang:date-and-time; description "TEK birth timestamp and also called as last TEK rekey timestamp"; } leaf tek-lifetime { type uint32; units "seconds"; description "Configured IPSec SA TEK lifetime. It is a constant value. This is the lifetime of TEK key starting from TEK birth time"; } leaf rem-tek-lifetime { type uint32; units "seconds"; description "Remaining lifetime of this TEK Reference time is the TEK birth timestamp of this TEK This is the time remaining for the KEK to reach its expiry"; } leaf rem-time-tek-rekey { type uint32; units "seconds"; description "Remaining time until rekey Reference time is the TEK birth timestamp of this TEK This is the time remaining until KS sends a new TEK rekey Key server sends rekey even before the old TEK expires"; } } // list ipsec-sa leaf delete-in-progress { type boolean; description "True if delete in-progress"; } } // list gdoi-ks-rekey list gdoi-ks-replay { key "group-name"; description "Crypto GDOI Key Server Replay Entry"; leaf group-name { type string; description "Name of the group"; } leaf time-based-replay { type boolean; description "Time based Replay"; } leaf replay-value { when "(../time-based-replay = 'true')"; type uint32; description "Replay value"; } leaf rem-sync-time { when "(../time-based-replay = 'true')"; type uint32; units "seconds"; description "Remaining sync time Reference time is last sync time stamp This is the time remaining to sync the pseudo time."; } leaf last-sync-timestamp { when "(../time-based-replay = 'true')"; type yang:date-and-time; description "Time at which the next sync happens and time between every sync is 7200 seconds"; } } // list gdoi-ks-replay list gdoi-rekey-sa { key "group-name"; description "Crypto GDOI Rekey Security Association"; leaf group-name { type string; description "Name of the group"; } container kek-db-stats { description "KEK SA Database Statistics"; leaf num-active { type uint32; description "Number of active KEK"; } leaf num-malloc { type uint32; description "Number of KEK allocated memory"; } leaf num-free { type uint32; description "Number of KEK freed"; } } // container kek-db-stats list kek-entry { description "Each entry of KEK policy"; leaf transport-type { type crypto-rekey-trans-type; description "Rekey transport type"; } leaf local-addr { type inet:ip-address; description "Local IP Address"; } leaf remote-addr { type inet:ip-address; description "Remote IP Address"; } leaf kek-spi { type string; description "KEK SPI"; } leaf mgmt-alg { type boolean; description "Management algorithm"; } leaf encr-alg { type crypto-rekey-encr-alg; description "Encryption algorithm"; } leaf crypto-iv-len { type uint8; units "bytes"; description "Crypto IV length"; } leaf key-size { type uint8; units "bytes"; description "Key size"; } leaf birth-time { type yang:date-and-time; description "KEK birth timestamp and also called as last KEK rekey timestamp"; } leaf orig-life { type uint32; units "seconds"; description "Configured lifetime of the key. It is a constant value. KEK is valid till original life seconds after the birth time"; } leaf sig-hash-alg { type boolean; description "Signature hash algorithm"; } leaf sig-key-len { type uint16; units "bits"; description "Signature key length"; } leaf sig-size { type uint16; units "bits"; description "Signature size"; } leaf rekey-ack-type { type crypto-rekey-ack-type; description "Rekey acknowledgement type"; } leaf ikev1-conn-id { type uint16; description "IKEV1 connection ID"; } leaf ikev2-conn-id { type uint16; description "IKEV2 connection ID"; } leaf seq-num { type uint32; description "Sequence number"; } leaf prev-seq-num { type uint32; description "Previous sequence number"; } leaf ike-handle { type string; description "Established IKE handle"; } leaf gm-mode { type boolean; description "True if the device is in GM mode"; } leaf if-name { when "(../gm-mode = 'true')"; type string; description "Name of the interface through which the GM registered"; } } // list kek-entry } // list gdoi-rekey-sa } // container crypto-oper-data } // module Cisco-IOS-XE-crypto-oper
© 2023 YumaWorks, Inc. All rights reserved.