Media Access Control (MAC) Security.
Version: 2020-04-01
module huawei-macsec { yang-version 1; namespace "urn:huawei:yang:huawei-macsec"; prefix macsec; import huawei-pub-type { prefix pub-type; } import huawei-extension { prefix ext; } import huawei-ifm { prefix ifm; } import huawei-license { prefix lcs; } import huawei-ethernet { prefix ethernet; } organization "Huawei Technologies Co., Ltd."; contact "Huawei Industrial Base Bantian, Longgang Shenzhen 518129 People's Republic of China Website: http://www.huawei.com Email: support@huawei.com"; description "Media Access Control (MAC) Security."; revision "2020-04-01" { description "Add new nodes."; reference "Huawei private."; } revision "2020-02-27" { description "Add new nodes."; reference "Huawei private."; } revision "2019-11-06" { description "Initial revision."; reference "Huawei private."; } ext:task-name "macsec"; typedef cipher-flag-type { type enumeration { enum "simple" { value 1; description "The simple cak-mode."; } enum "cipher" { value 2; description "The cipher cak-mode."; } } description "The type of cak-mode."; } typedef encrypt-mode-type { type enumeration { enum "normal" { value 1; description "The normal mode."; } enum "integrity-only" { value 2; description "The integrity-only mode."; } } description "The type of cryptographic mode."; } typedef cipher-suite-type { type enumeration { enum "gcm-aes-128" { value 1; description "The gcm-aes-128 cipher suite."; } enum "gcm-aes-xpn-128" { value 2; description "The gcm-aes-xpn-128 cipher suite."; } enum "gcm-aes-xpn-128-compatible" { value 3; description "The gcm-aes-xpn-128-compatible cipher suite."; } enum "gcm-aes-256" { value 4; description "The gcm-aes-256 cipher suite."; } enum "gcm-aes-xpn-256" { value 5; description "The gcm-aes-xpn-256 cipher suite."; } } description "The type of cipher suite."; } typedef vlan-in-clear-type { type enumeration { enum "dot1q-in-clear" { value 1; description "The single layer VLAN tag."; } enum "qinq-in-clear" { value 2; description "The double layer VLAN tag."; } } description "The type of VLAN tag."; } typedef lcs-active-status-type { type enumeration { enum "allocated" { value 1; description "Allocated."; } enum "activated" { value 2; description "Activated."; } } description "Liscense active status type."; } container macsec { description "Containers of MACsec nodes."; container statistics { config false; description "Statistics of MACsec under interface."; container interface-macsecs { description "List of MACsec data packet statistics."; list interface-macsec { key "interface-name"; description "MACsec data packet statistics."; leaf interface-name { type leafref { path "/ifm:ifm/ifm:interfaces/ifm:interface/ifm:name"; } description "Interface name."; } leaf valid-packets { type uint64; units "packet"; description "Number of packets protected by MACsec."; } leaf input-protected-bytes { type uint64; units "Byte"; description "Number of bytes for input which only integrity check is implemented but encryption is not."; } leaf decrypted-bytes { type uint64; units "Byte"; description "Number of bytes for which both integrity check and encryption are implemented."; } leaf late-packets { type uint64; units "packet"; description "Number of packets that fail the replay window size check."; } leaf not-valid-packets { type uint64; units "packet"; description "Number of packets that fail the integrity check or encounter decryption errors."; } leaf badtag-packets { type uint64; units "packet"; description "Number of packets with incorrect ICV length or invalid sectag header."; } leaf no-using-sa-packets { type uint64; units "packet"; description "Number of packets with SAs obtained from received sectag being unavailable."; } leaf protected-packets { type uint64; units "packet"; description "Number of packets for which only ICV is encapsulated."; } leaf output-protected-bytes { type uint64; units "Byte"; description "Protected bytes for output."; } leaf encrypted-packets { type uint64; units "packet"; description "Number of packets for which ICV is encapsulated and encryption is implemented."; } leaf encrypted-bytes { type uint64; units "Byte"; description "Number of bytes for which ICV is encapsulated and encryption is implemented."; } } // list interface-macsec } // container interface-macsecs container interface-mkas { description "List of MKA session information."; list interface-mka { key "interface-name"; description "MKA session state."; leaf interface-name { type leafref { path "/ifm:ifm/ifm:interfaces/ifm:interface/ifm:name"; } description "Interface name."; } leaf ckn1 { type string { length "1..65"; } description "CAK name."; } leaf mka-status1 { type string { length "1..64"; } description "Status of an MKA session in protocol negotiation."; } leaf member-identifier1 { type string { length "1..65"; } description "Identifier of a member in MKA."; } leaf message-sequence-number1 { type uint32; description "Number of a message."; } leaf key-server1 { type string { length "1..64"; } description "Whether the local device is the key server."; } leaf principal-actor1 { type string { length "1..64"; } description "Whether the connection is a major connection and whether the CKN is being used."; } leaf live-peers1 { type uint8; description "Number of successfully negotiated peers."; } leaf potential-peers1 { type uint8; description "Number of peers under negotiation."; } leaf latest-sak-status1 { type string { length "1..64"; } description "Enabling status in SAK sending and receiving directions. During SAK switching, the SAK installed on the key server enables packet sending and then packet receiving. Packet sending and packet receiving of the non-key server are enabled at the same time. When packet sending and receiving are enabled at the same time for the SAKs on both ends, use this SAK to encrypt and decrypt data packets."; } leaf latest-sak-association1 { type string { length "1..64"; } description "When a key server is distributing different SAKs, SAK association numbers are cyclically allocated in order. During encryption transmission, the SCI is used together to distinguish different SAKs."; } leaf latest-sak-key-identifier1 { type string { length "1..33"; } description "Latest SAK key identifier, which uniquely identifies a SAK."; } leaf latest-sak-key-number1 { type string { length "1..64"; } description "Latest SAK key number that is allocated by the key server and is a part of the SAK identifier."; } leaf old-sak-status1 { type string { length "1..64"; } description "Enabling status in SAK sending and receiving directions. During SAK switching, when the new SAK takes effect, the status of the original SAK is changed to N/A. The original SAK becomes invalid."; } leaf old-sak-association1 { type string { length "1..64"; } description "Previous SAK key identifier, which uniquely identifies a SAK."; } leaf old-sak-key-identifier1 { type string { length "1..33"; } description "Previous SAK identifier, which uniquely identifies a SAK."; } leaf old-sak-key-number1 { type string { length "1..64"; } description "Previous SAK number which is allocated by the key server and is a part of the SAK identifier."; } leaf transmit-short-sci1 { type string { length "1..64"; } description "Identifier of SCI in the short format, which uniquely identifies a security channel in the system."; } leaf lpl-member-identifier1 { type string { length "1..25"; } description "Identifier of a learned peer member."; } leaf lpl-message-sequence-number1 { type string { length "1..64"; } description "Message number of a learned peer member."; } leaf lpl-priority1 { type string { length "1..64"; } description "Key server priority of a learned peer member."; } leaf lpl-capability1 { type string { length "1..64"; } description "Capability value of a learned peer member."; } leaf lpl-receive-sci1 { type string { length "1..17"; } description "SCI value of a learned member interface."; } leaf lpl-short-sci1 { type string { length "1..64"; } description "SSCI value of a learned peer member."; } leaf ppl-member-identifier1 { type string { length "1..25"; } description "Identifier of a peer member under negotiation."; } leaf ppl-message-sequence-number1 { type string { length "1..64"; } description "Message number of a peer member under negotiation."; } leaf ppl-priority1 { type string { length "1..64"; } description "Key server priority of a peer member under negotiation."; } leaf ppl-capability1 { type string { length "1..64"; } description "Capability value of a peer member under negotiation."; } leaf ppl-receive-sci1 { type string { length "1..17"; } description "SCI value of a peer member under negotiation."; } leaf ppl-short-sci1 { type string { length "1..64"; } description "SSCI value of a peer member under negotiation."; } leaf ckn2 { type string { length "1..65"; } description "CAK name."; } leaf mka-status2 { type string { length "1..64"; } description "Status of an MKA session in protocol negotiation."; } leaf member-identifier2 { type string { length "1..65"; } description "Identifier of a member in MKA."; } leaf message-sequence-number2 { type uint32; description "Number of a message."; } leaf key-server2 { type string { length "1..64"; } description "Whether the local device is the key server."; } leaf principal-actor2 { type string { length "1..64"; } description "Whether the connection is a major connection and whether the CKN is being used."; } leaf live-peers2 { type uint8; description "Number of successfully negotiated peers."; } leaf potential-peers2 { type uint8; description "Number of peers under negotiation."; } leaf latest-sak-status2 { type string { length "1..64"; } description "Enabling status in SAK sending and receiving directions. During SAK switching, the SAK installed on the key server enables packet sending and then packet receiving. Packet sending and packet receiving of the non-key server are enabled at the same time. When packet sending and receiving are enabled at the same time for the SAKs on both ends, use this SAK to encrypt and decrypt data packets."; } leaf latest-sak-association2 { type string { length "1..64"; } description "When a key server is distributing different SAKs, SAK association numbers are cyclically allocated in order. During encryption transmission, the SCI is used together to distinguish different SAKs."; } leaf latest-sak-key-identifier2 { type string { length "1..33"; } description "Latest SAK key identifier, which uniquely identifies a SAK."; } leaf latest-sak-key-number2 { type string { length "1..64"; } description "Latest SAK key number that is allocated by the key server and is a part of the SAK identifier."; } leaf old-sak-status2 { type string { length "1..64"; } description "Enabling status in SAK sending and receiving directions. During SAK switching, when the new SAK takes effect, the status of the original SAK is changed to N/A. The original SAK becomes invalid."; } leaf old-sak-association2 { type string { length "1..64"; } description "Previous SAK key identifier, which uniquely identifies a SAK."; } leaf old-sak-key-identifier2 { type string { length "1..33"; } description "Previous SAK identifier, which uniquely identifies a SAK."; } leaf old-sak-key-number2 { type string { length "1..64"; } description "Previous SAK number which is allocated by the key server and is a part of the SAK identifier."; } leaf transmit-short-sci2 { type string { length "1..64"; } description "Identifier of SCI in the short format, which uniquely identifies a security channel in the system."; } leaf lpl-member-identifier2 { type string { length "1..25"; } description "Identifier of a learned peer member."; } leaf lpl-message-sequence-number2 { type string { length "1..64"; } description "Message number of a learned peer member."; } leaf lpl-priority2 { type string { length "1..64"; } description "Key server priority of a learned peer member."; } leaf lpl-capability2 { type string { length "1..64"; } description "Capability value of a learned peer member."; } leaf lpl-receive-sci2 { type string { length "1..17"; } description "SCI value of a learned member interface."; } leaf lpl-short-sci2 { type string { length "1..64"; } description "SSCI value of a learned peer member."; } leaf ppl-member-identifier2 { type string { length "1..25"; } description "Identifier of a peer member under negotiation."; } leaf ppl-message-sequence-number2 { type string { length "1..64"; } description "Message number of a peer member under negotiation."; } leaf ppl-priority2 { type string { length "1..64"; } description "Key server priority of a peer member under negotiation."; } leaf ppl-capability2 { type string { length "1..64"; } description "Capability value of a peer member under negotiation."; } leaf ppl-receive-sci2 { type string { length "1..17"; } description "SCI value of a peer member under negotiation."; } leaf ppl-short-sci2 { type string { length "1..64"; } description "SSCI value of a peer member under negotiation."; } leaf mka-transmit-interval { type uint32; units "s"; description "Interval at which MKA protocol packets are sent."; } leaf mka-life-time { type uint32; units "s"; description "MKA session timeout duration. When MKA packets are not received within the specified period, the protocol is re-negotiated."; } leaf sak-life-time { type string { length "1..64"; } units "s"; description "SAK session timeout duration. To ensure data packet security, when a SAK has been used for too long, replace the SAK."; } leaf capability { type uint8; description "Information about the MACsec functions that can be provided, including integrity check, encryption, and encryption offset."; } leaf mode { type string { length "1..64"; } description "Whether to encrypt data when integrity check is supported in MACsec encryption mode."; } leaf frame-validation { type string { length "1..64"; } description "Mode of processing MACsec packet verification failures."; } leaf replay-protection { type string { length "1..64"; } description "Whether MACsec replay protection is enabled."; } leaf replay-window { type uint32; description "The replay protection allows packet reordering. The reordered packets can be accepted within the replay protection window, and the packets beyond the window are dropped."; } leaf confidentiality-offset { type uint8; units "Byte"; description "From which byte behind the MACsec tag a frame is encrypted. Some applications (such as load balancing) that need to identify IPv4/IPv6 packet headers require that the packet header cannot be encrypted. In this case, configure encryption offset."; } leaf include-sci { type string { length "1..64"; } description "Whether MACsec data packets carry the SCI. The SCI uniquely identifies a security channel in the system."; } leaf mka-cipher-suite { type string { length "1..64"; } description "MKA encryption suite that uniquely identifies the SAK encryption algorithm for the key server."; } leaf macsec-cipher-suite { type string { length "1..64"; } description "MACsec encryption suite that uniquely identifies the SAK encryption algorithm for the key server."; } leaf key-server-priority { type uint8; description "Key server priority."; } leaf transmit-sci { type string { length "1..64"; } description "Local SCI value. The SCI uniquely identifies a security channel in the system."; } leaf rx-mka-packets { type uint32; units "packet"; description "Number of received MKA packets."; } leaf tx-mka-packets { type uint32; units "packet"; description "Number of sent MKA packets."; } leaf drop-mka-packets { type uint32; units "packet"; description "Number of discarded MKA packets."; } leaf wrong-ckn-num { type uint32; units "packet"; description "Number of packets that fail in CKN verification."; } leaf wrong-icv-num { type uint32; units "packet"; description "Number of packets that fail in ICV verification."; } leaf sak-install-times { type uint32; description "Number of times the SAK is installed."; } leaf sak-delete-times { type uint32; description "Number of times the SAK is deleted."; } leaf sak-swap-times { type uint32; description "Number of times the SAK is switched."; } leaf latest-sak-reason { type string { length "1..64"; } description "Cause of the latest SAK switching."; } leaf protocol { type string { length "1..8"; } description "Protocol number."; } leaf pe-vlan { type string { length "1..8"; } description "VLAN ID in the outer VLAN tag."; } leaf ce-vlan { type string { length "1..8"; } description "VLAN ID in the inner VLAN tag."; } leaf cfi { type string { length "1..4"; } description "Canonical Format Indicator value."; } leaf priority { type string { length "1..4"; } description "VLAN priority value."; } } // list interface-mka } // container interface-mkas } // container statistics } // container macsec rpc reset-mka-statistics { ext:node-ref "/macsec:macsec/macsec:statistics/macsec:interface-mkas"; description "To clear interface mka statistics."; input { leaf interface-name { type leafref { path "/ifm:ifm/ifm:interfaces/ifm:interface/ifm:name"; } description "Name of an interface."; } } } // rpc reset-mka-statistics rpc reset-macsec-statistics { ext:node-ref "/macsec:macsec/macsec:statistics/macsec:interface-macsecs"; description "To clear interface macsec statistics."; input { leaf interface-name { type leafref { path "/ifm:ifm/ifm:interfaces/ifm:interface/ifm:name"; } description "Name of an interface."; } } } // rpc reset-macsec-statistics augment /ifm:ifm/ifm:interfaces/ifm:interface { description "Adds macsec configuration to ifm interface model."; container macsec { when "../ifm:type='Ethernet' or ../ifm:type='GigabitEthernet' or ../ifm:type='100GE' or ../ifm:type='10GE' or ../ifm:type='4x10GE' or ../ifm:type='10x10GE' or ../ifm:type='3x40GE' or ../ifm:type='4x25GE' or ../ifm:type='25GE' or ../ifm:type='40GE' or ../ifm:type='50GE' or ../ifm:type='50|100GE' or ../ifm:type='XGigabitEthernet' or ../ifm:type='FlexE' or ../ifm:type='FlexE-50G' or ../ifm:type='FlexE-100G' or ../ifm:type='FlexE-50|100G'"; description "Configure MACsec application. Before applying the macsec configuration, you need to activate the macsec port license and apply for sufficient license resources."; container ckn-caks { description "Configure secure connectivity association name and key. The range supported by this node varies according to the interface type."; container ckn-cak { presence "create ckn and cak"; description "Enable/disable secure connectivity association name and key."; leaf ckn { ext:case-sensitivity "upper2lower"; type string { length "2..64"; } mandatory true; description "The value of ckn; CKN is an even number in hexadecimal notation, containing at least one digit and one letter. The letters are case-insensitive."; } leaf cak-type { type cipher-flag-type; mandatory true; description "The type of cak."; } leaf cak { ext:case-sensitivity "upper2lower"; type pub-type:password-extend; mandatory true; description "The value of CAK. CAK is a hexadecimal notation. The letters are case-insensitive. It must be different from CKN. The length of CAK can only be 32 or 64 bits, but in the case of encryption mode, the query result will be more than 100 bits, so the length range is defined as 1 to 432. Before configuring a 64-bit CAK, you must configure a 256-bit cipher suite."; } } // container ckn-cak } // container ckn-caks container confidentiality-offsets { description "Configure confidentiality offset. The range supported by this node varies according to the interface type."; container confidentiality-offset { presence "create confidentiality offset"; description "Enable/disable confidentiality offset."; leaf offset-value { type uint8 { range "0 | 30 | 50"; } mandatory true; description "Confidentiality offset value."; } } // container confidentiality-offset } // container confidentiality-offsets container replay-windows { description "Configure replay protection window size. The range supported by this node varies according to the interface type."; container replay-window { presence "create replay window"; description "Enable/disable replay protection window size."; leaf window-size { type uint32 { range "0..1024"; } mandatory true; description "Replay protection window size."; } } // container replay-window } // container replay-windows container keyserver-prioritys { description "Configure key server priority. The range supported by this node varies according to the interface type."; container keyserver-priority { presence "create keyserver priority"; description "Enable/disable key server priority."; leaf priority { type uint8 { range "0..255"; } mandatory true; description "Key server priority value."; } } // container keyserver-priority } // container keyserver-prioritys container sak-life-times { description "Configure SAK life time. The range supported by this node varies according to the interface type."; container sak-life-time { presence "create keyserver priority"; description "Enable/disable SAK life time."; leaf life-time { type uint32 { range "300..604800"; } units "s"; mandatory true; description "SAK life time value."; } } // container sak-life-time } // container sak-life-times container encrypt-modes { description "Configure encryption mode. The range supported by this node varies according to the interface type."; container encrypt-mode { presence "create encrypt mode"; description "Enable/disable encryption mode."; leaf mode { type encrypt-mode-type; mandatory true; description "Encryption mode value."; } } // container encrypt-mode } // container encrypt-modes container cipher-algorithm-suites { description "Configure cipher algorithm suite. The range supported by this node varies according to the interface type."; container cipher-algorithm-suite { presence "create cipher algorithm suite"; description "Enable/disable cipher algorithm suite."; leaf suite { type cipher-suite-type; mandatory true; description "Cipher algorithm suite type."; } } // container cipher-algorithm-suite } // container cipher-algorithm-suites container vlan-in-clears { description "Configure VLAN tag to bypass MACsec encryption. The range supported by this node varies according to the interface type."; container vlan-in-clear { must "../../ckn-caks/ckn-cak/ckn"; must "../../../ifm:class='sub-interface'"; must "((../../../ethernet:ethernet/ethernet:l3-sub-interface/ethernet:dot1q-termination/ethernet:tag or ../../../ethernet:ethernet/ethernet:l3-sub-interface/ethernet:vlan-type-dot1q/ethernet:vlan-type-vid or ../../../ethernet:ethernet/ethernet:l2-sub-interface/ethernet:dot1q/ethernet:vlans/ethernet:vlan-list) and ./clear-type='dot1q-in-clear') or ((../../../ethernet:ethernet/ethernet:l3-sub-interface/ethernet:qinq-termination/ethernet:tag or ../../../ethernet:ethernet/ethernet:l2-sub-interface/ethernet:qinqs/ethernet:qinq-vids/ethernet:qinq-vid) and ./clear-type='qinq-in-clear') or not(../../../ethernet:ethernet/ethernet:l3-sub-interface/ethernet:dot1q-termination/ethernet:tag or ../../../ethernet:ethernet/ethernet:l3-sub-interface/ethernet:vlan-type-dot1q/ethernet:vlan-type-vid or ../../../ethernet:ethernet/ethernet:l2-sub-interface/ethernet:dot1q/ethernet:vlans/ethernet:vlan-list or ../../../ethernet:ethernet/ethernet:l3-sub-interface/ethernet:qinq-termination/ethernet:tag or ../../../ethernet:ethernet/ethernet:l2-sub-interface/ethernet:qinqs/ethernet:qinq-vids/ethernet:qinq-vid)"; presence "create vlan tag"; description "Enable/disable VLAN tag configured to bypass MACsec encryption."; leaf clear-type { type vlan-in-clear-type; mandatory true; description "The type of VLAN tag."; } } // container vlan-in-clear } // container vlan-in-clears } // container macsec } augment /lcs:license/lcs:license-items/lcs:license-item { description "Add MACsec configuration to license model."; container port-macsecs { when "../lcs:name='LCR9S9KMACS00' or ../lcs:name='LCR5MACSEC01' or ../lcs:name='LCR5MACSEC02' or ../lcs:name='LCX6S60NMSEAP' or ../lcs:name='LANKMACSEC011' or ../lcs:name='LANKMACSEC026' or ../lcs:name='LANKMACSEC051' or ../lcs:name='LCR9S9K0XMS80' or ../lcs:name='LCR9S9K0NMS80' or ../lcs:name='LCR9S9K0NMS85' or ../lcs:name='LTNRS00YMSC0P' or ../lcs:name='LTNRS00VMSC0P' or ../lcs:name='LTNRS00NMSC0P' or ../lcs:name='LCR5S40YMSC0P' or ../lcs:name='LCR5S40VMSC0P' or ../lcs:name='LCR5S40NMSC0P' or ../lcs:name='LCX6S00YMSC0P' or ../lcs:name='LCX6S00VMSC0P' or ../lcs:name='LCX6S00NMSC0P' or ../lcs:name='LCR5S40XMSC0P' or ../lcs:name='LCX6S40YMSC0P' or ../lcs:name='LTNRS40YMSC0P' or ../lcs:name='LCX6S00VMSC01' or ../lcs:name='LCX6S00YMSC01' or ../lcs:name='LCR5SMACSEC05' or ../lcs:name='LCR5SMACSEC06' or ../lcs:name='LCR8SMACSECC2' or ../lcs:name='LCR8SMACSECC4' or ../lcs:name='LTNRSMACSECC4'or ../lcs:name='LTNRSMACSECC2' or ../lcs:name='LCR5SMACSECC2' or ../lcs:name='LCR5SMACSECC4' or ../lcs:name='LCX6S00NMSC01' or ../lcs:name='LCX6S00XMSC01' or ../lcs:name='LCX6S00GMSC01' or ../lcs:name='LTNRS00GMSC0P' or ../lcs:name='LCR5S40GMSC0P' or ../lcs:name='LCX6S40GMSC0P' or ../lcs:name='LCR8S8KXMSCCP' or ../lcs:name='LCR8S8KXMSCCR' or ../lcs:name='LCR8SM6MACSC1' or ../lcs:name='LCR8SM6MACSC0' or ../lcs:name='LCR8S8KXMSAAA' or ../lcs:name='LCR8S8KVMSCCR'"; description "List of port MACsec license information."; list port-macsec { key "position"; description "Configure port MACsec license."; leaf position { type string { length "1..32"; } description "Port position. The name is expressed in the format of WdmslotID/cardID/portID. For example, Wdm1/0/1. Here Wdm1/0/1 is an example. The value may vary with devices."; } leaf active-status { type lcs-active-status-type; config false; description "Activated State."; } } // list port-macsec } // container port-macsecs } } // module huawei-macsec
© 2023 YumaWorks, Inc. All rights reserved.