huawei-macsec

Media Access Control (MAC) Security.

  • Version: 2020-04-01

    huawei-macsec@2020-04-01


    
      module huawei-macsec {
    
        yang-version 1;
    
        namespace
          "urn:huawei:yang:huawei-macsec";
    
        prefix macsec;
    
        import huawei-pub-type {
          prefix pub-type;
        }
        import huawei-extension {
          prefix ext;
        }
        import huawei-ifm {
          prefix ifm;
        }
        import huawei-license {
          prefix lcs;
        }
        import huawei-ethernet {
          prefix ethernet;
        }
    
        organization
          "Huawei Technologies Co., Ltd.";
    
        contact
          "Huawei Industrial Base
    Bantian, Longgang
    Shenzhen 518129
    People's Republic of China
    Website: http://www.huawei.com
    Email: support@huawei.com";
    
        description
          "Media Access Control (MAC) Security.";
    
        revision "2020-04-01" {
          description "Add new nodes.";
          reference
            "Huawei private.";
    
        }
    
        revision "2020-02-27" {
          description "Add new nodes.";
          reference
            "Huawei private.";
    
        }
    
        revision "2019-11-06" {
          description "Initial revision.";
          reference
            "Huawei private.";
    
        }
    
        ext:task-name "macsec";
    
        // How a CAK (Connectivity Association Key) is supplied in configuration.
        // NOTE(review): the enum descriptions do not say what "simple" and
        // "cipher" mean. Presumably "simple" accepts the CAK in plaintext and
        // "cipher" accepts it in the device's reversibly-encrypted form; if so,
        // "cipher" is the form that should appear in saved configurations and in
        // anything pushed over NETCONF/RESTCONF — confirm against the vendor
        // MACsec guide. This typedef is not referenced by any node in this
        // module; presumably consumed by configuration nodes elsewhere.
        typedef cipher-flag-type {
          type enumeration {
            enum "simple" {
              value 1;
              description "The simple cak-mode.";
            }
            enum "cipher" {
              value 2;
              description "The cipher cak-mode.";
            }
          }
          description "The type of cak-mode.";
        }
    
        // Data-plane protection mode. "integrity-only" appends the ICV but
        // leaves the payload in cleartext on the wire (the `mode` leaf under
        // interface-mka and the `protected-packets` counter describe the same
        // split), so it gives authenticity but no confidentiality; "normal"
        // encrypts as well. Prefer "normal" unless cleartext is a deliberate
        // requirement (e.g. an intermediate device must inspect the payload).
        // Not referenced by any node in this module.
        typedef encrypt-mode-type {
          type enumeration {
            enum "normal" {
              value 1;
              description "The normal mode.";
            }
            enum "integrity-only" {
              value 2;
              description
                "The integrity-only mode.";
            }
          }
          description
            "The type of cryptographic mode.";
        }
    
        // MACsec cipher suites the device can be configured with. The enum
        // descriptions are tautological; what the module itself shows is only
        // the five names and their values.
        // NOTE(review): the "xpn" names presumably denote the extended
        // packet-numbering variants (64-bit packet numbers), which avoid the
        // frequent forced SAK rekeys that 32-bit packet numbers impose on
        // high-speed links; "gcm-aes-xpn-128-compatible" is vendor-specific
        // and is not explained here — confirm both against the vendor guide
        // before relying on them in a hardening baseline. Not referenced by
        // any node in this module (the *-cipher-suite leaves below are plain
        // strings).
        typedef cipher-suite-type {
          type enumeration {
            enum "gcm-aes-128" {
              value 1;
              description
                "The gcm-aes-128 cipher suite.";
            }
            enum "gcm-aes-xpn-128" {
              value 2;
              description
                "The gcm-aes-xpn-128 cipher suite.";
            }
            enum "gcm-aes-xpn-128-compatible" {
              value 3;
              description
                "The gcm-aes-xpn-128-compatible cipher suite.";
            }
            enum "gcm-aes-256" {
              value 4;
              description
                "The gcm-aes-256 cipher suite.";
            }
            enum "gcm-aes-xpn-256" {
              value 5;
              description
                "The gcm-aes-xpn-256 cipher suite.";
            }
          }
          description
            "The type of cipher suite.";
        }
    
        // Which VLAN tag(s) are carried "in the clear", i.e. outside the MACsec
        // protected region. NOTE(review): presumably the tag(s) precede the
        // SecTAG and are therefore neither encrypted nor covered by the ICV,
        // which exposes VLAN membership to an on-path observer and allows tag
        // manipulation to go undetected by MACsec — confirm against the vendor
        // guide. Not referenced by any node in this module; the pe-vlan /
        // ce-vlan leaves under interface-mka are the likely operational
        // counterpart.
        typedef vlan-in-clear-type {
          type enumeration {
            enum "dot1q-in-clear" {
              value 1;
              description
                "The single layer VLAN tag.";
            }
            enum "qinq-in-clear" {
              value 2;
              description
                "The double layer VLAN tag.";
            }
          }
          description "The type of VLAN tag.";
        }
    
        // License state for the MACsec feature (the module imports
        // huawei-license as "lcs"). Not referenced by any node in this module.
        typedef lcs-active-status-type {
          type enumeration {
            enum "allocated" {
              value 1;
              description "Allocated.";
            }
            enum "activated" {
              value 2;
              description "Activated.";
            }
          }
          description
            "License active status type.";
        }
    
        // Operational (config false) view of MACsec: per-interface data-plane
        // counters and per-interface MKA (MACsec Key Agreement) session state.
        // Nothing under this container is writable, and no node carries CAK or
        // SAK key bytes — only key names, identifiers and counters — so
        // exposing it read-only to a monitoring role is safe from a
        // key-material standpoint. Counters are cleared only by the reset-*
        // RPCs declared at the end of this module.
        container macsec {
          description
            "Containers of MACsec nodes.";
          container statistics {
            config false;
            description
              "Statistics of MACsec under interface.";
            // Data-plane counters, one entry per interface. All are uint64.
            // The units strings are inconsistently cased ("packet" / "Byte");
            // both are plain counts. Judging by the descriptions, the first
            // seven leaves are receive-side (validate/decrypt) counters and the
            // last four are transmit-side (protect/encrypt) counters — confirm
            // against the device's SecY statistics before mapping them to
            // IEEE 802.1AE counter names.
            // NOTE(review): for detection, the receive drop counters
            // (late-packets, not-valid-packets, badtag-packets,
            // no-using-sa-packets) are the ones to watch: a sustained rise on a
            // previously clean link is consistent with replay or injection
            // attempts, or with a SAK mismatch between peers, and is worth an
            // alert rather than a dashboard tile.
            container interface-macsecs {
              description
                "List of MACsec data packet statistics.";
              list interface-macsec {
                key "interface-name";
                description
                  "MACsec data packet statistics.";
                // Key; must resolve to an interface known to huawei-ifm.
                leaf interface-name {
                  type leafref {
                    path "/ifm:ifm/ifm:interfaces/ifm:interface/ifm:name";
                  }
                  description "Interface name.";
                }

                leaf valid-packets {
                  type uint64;
                  units "packet";
                  description
                    "Number of packets protected by MACsec.";
                }

                // Integrity-checked but not decrypted (peer sent integrity-only).
                leaf input-protected-bytes {
                  type uint64;
                  units "Byte";
                  description
                    "Number of bytes for input which only integrity check is implemented but encryption is not.";
                }

                leaf decrypted-bytes {
                  type uint64;
                  units "Byte";
                  description
                    "Number of bytes for which both integrity check and encryption are implemented.";
                }

                // Replay-window failures: the frame's packet number was older
                // than the receiver will accept (see replay-window under
                // interface-mka).
                leaf late-packets {
                  type uint64;
                  units "packet";
                  description
                    "Number of packets that fail the replay window size check.";
                }

                // ICV mismatch or decryption error — the tamper/forgery
                // indicator among these counters.
                leaf not-valid-packets {
                  type uint64;
                  units "packet";
                  description
                    "Number of packets that fail the integrity check or encounter decryption errors.";
                }

                // Malformed SecTAG or wrong ICV length (parse failure, not a
                // cryptographic failure).
                leaf badtag-packets {
                  type uint64;
                  units "packet";
                  description
                    "Number of packets with incorrect ICV length or invalid sectag header.";
                }

                // The SA named by the received SecTAG is not installed locally;
                // presumably seen during SAK rollover or when the peers
                // disagree on the active SAK — confirm.
                leaf no-using-sa-packets {
                  type uint64;
                  units "packet";
                  description
                    "Number of packets with SAs obtained from received sectag being unavailable.";
                }

                // Transmitted with ICV only (integrity-only mode).
                leaf protected-packets {
                  type uint64;
                  units "packet";
                  description
                    "Number of packets for which only ICV is encapsulated.";
                }

                leaf output-protected-bytes {
                  type uint64;
                  units "Byte";
                  description
                    "Protected bytes for output.";
                }

                // Transmitted with ICV and encryption (normal mode).
                leaf encrypted-packets {
                  type uint64;
                  units "packet";
                  description
                    "Number of packets for which ICV is encapsulated and encryption is implemented.";
                }

                leaf encrypted-bytes {
                  type uint64;
                  units "Byte";
                  description
                    "Number of bytes for which ICV is encapsulated and encryption is implemented.";
                }
              }  // list interface-macsec
            }  // container interface-macsecs

            // MKA session state, one entry per interface. Two parallel sets of
            // session fields are flattened into the entry with "1"/"2"
            // suffixes; the module does not say what the two sets are.
            // NOTE(review): presumably two CKN slots per interface (e.g. a
            // primary and a fallback CAK) — confirm. Within each set, lpl-*
            // and ppl-* leaves appear to correspond to the MKA live peer list
            // (peers that completed negotiation) and potential peer list (peers
            // still negotiating), matching the live-peers / potential-peers
            // counts. The un-suffixed leaves after the two sets are
            // per-interface parameters and MKA protocol counters.
            // Many boolean- or number-valued fields here are typed as free-form
            // strings (key-server*, replay-protection, include-sci,
            // sak-life-time, lpl-priority*, ...), so consumers must
            // string-match rather than assume a schema-enforced value.
            container interface-mkas {
              description
                "List of MKA session information.";
              list interface-mka {
                key "interface-name";
                description "MKA session state.";
                // Key; must resolve to an interface known to huawei-ifm.
                leaf interface-name {
                  type leafref {
                    path "/ifm:ifm/ifm:interfaces/ifm:interface/ifm:name";
                  }
                  description "Interface name.";
                }

                // --- Session slot 1 ---
                // CAK name (CKN). This is an identifier, not the key itself;
                // it is carried in MKPDUs and is not secret, but it does reveal
                // which CAK a port is using.
                leaf ckn1 {
                  type string {
                    length "1..65";
                  }
                  description "CAK name.";
                }

                leaf mka-status1 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Status of an MKA session in protocol negotiation.";
                }

                // Local MKA member identifier (MI) for this session.
                leaf member-identifier1 {
                  type string {
                    length "1..65";
                  }
                  description
                    "Identifier of a member in MKA.";
                }

                // Local MKA message number (MN); numeric here, unlike the
                // peer-side lpl-/ppl-message-sequence-number leaves.
                leaf message-sequence-number1 {
                  type uint32;
                  description
                    "Number of a message.";
                }

                // Whether this device is the key server for the session.
                // Typed as string, not boolean — match textually.
                leaf key-server1 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Whether the local device is the key server.";
                }

                leaf principal-actor1 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Whether the connection is a major connection and whether the CKN is being used.";
                }

                // uint8: at most 255 peers can be represented per session.
                leaf live-peers1 {
                  type uint8;
                  description
                    "Number of successfully negotiated peers.";
                }

                leaf potential-peers1 {
                  type uint8;
                  description
                    "Number of peers under negotiation.";
                }

                // Tx/Rx enable state of the newest SAK during rollover; the SAK
                // is only used for traffic once both directions are enabled on
                // both ends (see description).
                leaf latest-sak-status1 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Enabling status in SAK sending and receiving directions. During SAK switching, the SAK installed on the key server enables packet sending and then packet receiving. Packet sending and packet receiving of the non-key server are enabled at the same time. When packet sending and receiving are enabled at the same time for the SAKs on both ends, use this SAK to encrypt and decrypt data packets.";
                }

                // Association number (AN) of the newest SAK; together with the
                // SCI it selects the SA in the data plane.
                leaf latest-sak-association1 {
                  type string {
                    length "1..64";
                  }
                  description
                    "When a key server is distributing different SAKs, SAK association numbers are cyclically allocated in order. During encryption transmission, the SCI is used together to distinguish different SAKs.";
                }

                // Key identifier of the newest SAK (length 1..33 suggests a
                // 32-hex-digit value — confirm). An identifier only; the SAK
                // itself is never exposed by this module.
                leaf latest-sak-key-identifier1 {
                  type string {
                    length "1..33";
                  }
                  description
                    "Latest SAK key identifier, which uniquely identifies a SAK.";
                }

                leaf latest-sak-key-number1 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Latest SAK key number that is allocated by the key server and is a part of the SAK identifier.";
                }

                // Same fields for the previous SAK; shown as N/A once the new
                // SAK has fully taken over.
                leaf old-sak-status1 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Enabling status in SAK sending and receiving directions. During SAK switching, when the new SAK takes effect, the status of the original SAK is changed to N/A. The original SAK becomes invalid.";
                }

                // NOTE(review): the description says "key identifier", but the
                // leaf name and the latest-sak-association1 sibling suggest this
                // is the previous SAK's association number — confirm.
                leaf old-sak-association1 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Previous SAK key identifier, which uniquely identifies a SAK.";
                }

                leaf old-sak-key-identifier1 {
                  type string {
                    length "1..33";
                  }
                  description
                    "Previous SAK identifier, which uniquely identifies a SAK.";
                }

                leaf old-sak-key-number1 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Previous SAK number which is allocated by the key server and is a part of the SAK identifier.";
                }

                // Short SCI (SSCI) used on transmit; presumably only meaningful
                // with the XPN cipher suites — confirm.
                leaf transmit-short-sci1 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Identifier of SCI in the short format, which uniquely identifies a security channel in the system.";
                }

                // Live peer list (lpl-*): peers that completed MKA negotiation.
                leaf lpl-member-identifier1 {
                  type string {
                    length "1..25";
                  }
                  description
                    "Identifier of a learned peer member.";
                }

                leaf lpl-message-sequence-number1 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Message number of a learned peer member.";
                }

                leaf lpl-priority1 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Key server priority of a learned peer member.";
                }

                leaf lpl-capability1 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Capability value of a learned peer member.";
                }

                // Length 1..17 suggests a 16-hex-digit SCI — confirm.
                leaf lpl-receive-sci1 {
                  type string {
                    length "1..17";
                  }
                  description
                    "SCI value of a learned member interface.";
                }

                leaf lpl-short-sci1 {
                  type string {
                    length "1..64";
                  }
                  description
                    "SSCI value of a learned peer member.";
                }

                // Potential peer list (ppl-*): peers still negotiating.
                leaf ppl-member-identifier1 {
                  type string {
                    length "1..25";
                  }
                  description
                    "Identifier of a peer member under negotiation.";
                }

                leaf ppl-message-sequence-number1 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Message number of a peer member under negotiation.";
                }

                leaf ppl-priority1 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Key server priority of a peer member under negotiation.";
                }

                leaf ppl-capability1 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Capability value of a peer member under negotiation.";
                }

                leaf ppl-receive-sci1 {
                  type string {
                    length "1..17";
                  }
                  description
                    "SCI value of a peer member under negotiation.";
                }

                leaf ppl-short-sci1 {
                  type string {
                    length "1..64";
                  }
                  description
                    "SSCI value of a peer member under negotiation.";
                }

                // --- Session slot 2 ---
                // Leaf-for-leaf mirror of the *1 set above (same types, same
                // lengths, same descriptions); see the comments there.
                leaf ckn2 {
                  type string {
                    length "1..65";
                  }
                  description "CAK name.";
                }

                leaf mka-status2 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Status of an MKA session in protocol negotiation.";
                }

                leaf member-identifier2 {
                  type string {
                    length "1..65";
                  }
                  description
                    "Identifier of a member in MKA.";
                }

                leaf message-sequence-number2 {
                  type uint32;
                  description
                    "Number of a message.";
                }

                leaf key-server2 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Whether the local device is the key server.";
                }

                leaf principal-actor2 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Whether the connection is a major connection and whether the CKN is being used.";
                }

                leaf live-peers2 {
                  type uint8;
                  description
                    "Number of successfully negotiated peers.";
                }

                leaf potential-peers2 {
                  type uint8;
                  description
                    "Number of peers under negotiation.";
                }

                leaf latest-sak-status2 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Enabling status in SAK sending and receiving directions. During SAK switching, the SAK installed on the key server enables packet sending and then packet receiving. Packet sending and packet receiving of the non-key server are enabled at the same time. When packet sending and receiving are enabled at the same time for the SAKs on both ends, use this SAK to encrypt and decrypt data packets.";
                }

                leaf latest-sak-association2 {
                  type string {
                    length "1..64";
                  }
                  description
                    "When a key server is distributing different SAKs, SAK association numbers are cyclically allocated in order. During encryption transmission, the SCI is used together to distinguish different SAKs.";
                }

                leaf latest-sak-key-identifier2 {
                  type string {
                    length "1..33";
                  }
                  description
                    "Latest SAK key identifier, which uniquely identifies a SAK.";
                }

                leaf latest-sak-key-number2 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Latest SAK key number that is allocated by the key server and is a part of the SAK identifier.";
                }

                leaf old-sak-status2 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Enabling status in SAK sending and receiving directions. During SAK switching, when the new SAK takes effect, the status of the original SAK is changed to N/A. The original SAK becomes invalid.";
                }

                leaf old-sak-association2 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Previous SAK key identifier, which uniquely identifies a SAK.";
                }

                leaf old-sak-key-identifier2 {
                  type string {
                    length "1..33";
                  }
                  description
                    "Previous SAK identifier, which uniquely identifies a SAK.";
                }

                leaf old-sak-key-number2 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Previous SAK number which is allocated by the key server and is a part of the SAK identifier.";
                }

                leaf transmit-short-sci2 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Identifier of SCI in the short format, which uniquely identifies a security channel in the system.";
                }

                leaf lpl-member-identifier2 {
                  type string {
                    length "1..25";
                  }
                  description
                    "Identifier of a learned peer member.";
                }

                leaf lpl-message-sequence-number2 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Message number of a learned peer member.";
                }

                leaf lpl-priority2 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Key server priority of a learned peer member.";
                }

                leaf lpl-capability2 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Capability value of a learned peer member.";
                }

                leaf lpl-receive-sci2 {
                  type string {
                    length "1..17";
                  }
                  description
                    "SCI value of a learned member interface.";
                }

                leaf lpl-short-sci2 {
                  type string {
                    length "1..64";
                  }
                  description
                    "SSCI value of a learned peer member.";
                }

                leaf ppl-member-identifier2 {
                  type string {
                    length "1..25";
                  }
                  description
                    "Identifier of a peer member under negotiation.";
                }

                leaf ppl-message-sequence-number2 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Message number of a peer member under negotiation.";
                }

                leaf ppl-priority2 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Key server priority of a peer member under negotiation.";
                }

                leaf ppl-capability2 {
                  type string {
                    length "1..64";
                  }
                  description
                    "Capability value of a peer member under negotiation.";
                }

                leaf ppl-receive-sci2 {
                  type string {
                    length "1..17";
                  }
                  description
                    "SCI value of a peer member under negotiation.";
                }

                leaf ppl-short-sci2 {
                  type string {
                    length "1..64";
                  }
                  description
                    "SSCI value of a peer member under negotiation.";
                }

                // --- Per-interface MKA/MACsec parameters (effective values) ---
                leaf mka-transmit-interval {
                  type uint32;
                  units "s";
                  description
                    "Interval at which MKA protocol packets are sent.";
                }

                // Peer is declared dead and the session re-negotiated when no
                // MKPDU arrives within this many seconds.
                leaf mka-life-time {
                  type uint32;
                  units "s";
                  description
                    "MKA session timeout duration. When MKA packets are not received within the specified period, the protocol is re-negotiated.";
                }

                // Maximum SAK age before the key server rekeys.
                // NOTE(review): typed as string although it carries units "s"
                // and the sibling timers are uint32; it may hold a non-numeric
                // marker (e.g. a "disabled"/"unlimited" value). Do not assume it
                // parses as an integer — confirm the possible values.
                leaf sak-life-time {
                  type string {
                    length "1..64";
                  }
                  units "s";
                  description
                    "SAK session timeout duration. To ensure data packet security, when a SAK has been used for too long, replace the SAK.";
                }

                // Advertised MACsec capability. NOTE(review): the description
                // (integrity / encryption / offset) matches the MKA capability
                // encoding 0..3 — presumably that value; confirm.
                leaf capability {
                  type uint8;
                  description
                    "Information about the MACsec functions that can be provided, including integrity check, encryption, and encryption offset.";
                }

                // Effective protection mode: encrypt + ICV, or ICV only. An
                // integrity-only value means payload crosses the link in clear.
                leaf mode {
                  type string {
                    length "1..64";
                  }
                  description
                    "Whether to encrypt data when integrity check is supported in MACsec encryption mode.";
                }

                // What happens to frames that fail validation.
                // NOTE(review): the accepted values are not enumerated here. If
                // this can be set to anything other than the strict (drop)
                // behaviour, frames that fail the ICV check or arrive
                // unprotected are forwarded; treat a non-strict value as an
                // audit finding — confirm the value set.
                leaf frame-validation {
                  type string {
                    length "1..64";
                  }
                  description
                    "Mode of processing MACsec packet verification failures.";
                }

                // Typed as string, not boolean — match textually. With replay
                // protection off, late-packets will not increment and replayed
                // frames are accepted.
                leaf replay-protection {
                  type string {
                    length "1..64";
                  }
                  description
                    "Whether MACsec replay protection is enabled.";
                }

                // Size of the reorder tolerance window. Presumably 0 means
                // strict in-order delivery. Any frame replayed while its packet
                // number is still inside the window is accepted, so keep the
                // window as small as the path's reordering actually requires.
                leaf replay-window {
                  type uint32;
                  description
                    "The replay protection allows packet reordering. The reordered packets can be accepted within the replay protection window, and the packets beyond the window are dropped.";
                }

                // Number of bytes after the SecTAG that are sent unencrypted
                // (e.g. so that IP headers stay readable for load balancing).
                // Those bytes are visible to any on-path observer; a non-zero
                // value is a deliberate confidentiality trade-off and should
                // be justified in the link's design.
                leaf confidentiality-offset {
                  type uint8;
                  units "Byte";
                  description
                    "From which byte behind the MACsec tag a frame is encrypted. Some applications (such as load balancing) that need to identify IPv4/IPv6 packet headers require that the packet header cannot be encrypted. In this case, configure encryption offset.";
                }

                // Typed as string, not boolean — match textually.
                leaf include-sci {
                  type string {
                    length "1..64";
                  }
                  description
                    "Whether MACsec data packets carry the SCI. The SCI uniquely identifies a security channel in the system.";
                }

                // NOTE(review): both *-cipher-suite leaves are free-form strings
                // rather than the cipher-suite-type enum defined in this
                // module, and their descriptions differ only by prefix.
                // Presumably mka-cipher-suite is the suite selected by the key
                // server via MKA and macsec-cipher-suite the one installed in
                // the data plane — confirm. Compliance checks should compare
                // these strings against the expected suite name exactly.
                leaf mka-cipher-suite {
                  type string {
                    length "1..64";
                  }
                  description
                    "MKA encryption suite that uniquely identifies the SAK encryption algorithm for the key server.";
                }

                leaf macsec-cipher-suite {
                  type string {
                    length "1..64";
                  }
                  description
                    "MACsec encryption suite that uniquely identifies the SAK encryption algorithm for the key server.";
                }

                // Local key-server priority. NOTE(review): in MKA the member
                // with the numerically lowest priority is elected key server;
                // presumably the same convention applies here — confirm.
                leaf key-server-priority {
                  type uint8;
                  description
                    "Key server priority.";
                }

                // Local SCI used on transmit.
                leaf transmit-sci {
                  type string {
                    length "1..64";
                  }
                  description
                    "Local SCI value. The SCI uniquely identifies a security channel in the system.";
                }

                // --- MKA protocol counters ---
                // These are uint32 (unlike the uint64 data-plane counters) and
                // can wrap on long-lived sessions; collectors should handle
                // wrap-around.
                leaf rx-mka-packets {
                  type uint32;
                  units "packet";
                  description
                    "Number of received MKA packets.";
                }

                leaf tx-mka-packets {
                  type uint32;
                  units "packet";
                  description
                    "Number of sent MKA packets.";
                }

                leaf drop-mka-packets {
                  type uint32;
                  units "packet";
                  description
                    "Number of discarded MKA packets.";
                }

                // MKPDUs whose CKN matched no configured CAK name: a peer with
                // a different or unknown CAK, or an unexpected device on the
                // segment. Worth alerting on for a link that is expected to be
                // stable.
                leaf wrong-ckn-num {
                  type uint32;
                  units "packet";
                  description
                    "Number of packets that fail in CKN verification.";
                }

                // MKPDUs whose ICV failed (presumably the MKPDU ICV keyed from
                // the CAK): a peer holding a different CAK value under the
                // same CKN, corruption, or forged MKPDUs. A rising count while
                // wrong-ckn-num stays flat is the stronger tamper signal.
                leaf wrong-icv-num {
                  type uint32;
                  units "packet";
                  description
                    "Number of packets that fail in ICV verification.";
                }

                // Rekey activity counters; an unexpectedly high swap rate can
                // indicate a short sak-life-time, PN exhaustion on a
                // non-XPN suite, or a flapping peer.
                leaf sak-install-times {
                  type uint32;
                  description
                    "Number of times the SAK is installed.";
                }

                leaf sak-delete-times {
                  type uint32;
                  description
                    "Number of times the SAK is deleted.";
                }

                leaf sak-swap-times {
                  type uint32;
                  description
                    "Number of times the SAK is switched.";
                }

                leaf latest-sak-reason {
                  type string {
                    length "1..64";
                  }
                  description
                    "Cause of the latest SAK switching.";
                }

                // --- VLAN-tag fields ---
                // All strings despite being numeric header fields.
                // NOTE(review): presumably these describe the VLAN tag(s)
                // carried in the clear ahead of the SecTAG (see
                // vlan-in-clear-type) — confirm.
                leaf protocol {
                  type string {
                    length "1..8";
                  }
                  description "Protocol number.";
                }

                leaf pe-vlan {
                  type string {
                    length "1..8";
                  }
                  description
                    "VLAN ID in the outer VLAN tag.";
                }

                leaf ce-vlan {
                  type string {
                    length "1..8";
                  }
                  description
                    "VLAN ID in the inner VLAN tag.";
                }

                leaf cfi {
                  type string {
                    length "1..4";
                  }
                  description
                    "Canonical Format Indicator value.";
                }

                leaf priority {
                  type string {
                    length "1..4";
                  }
                  description
                    "VLAN priority value.";
                }
              }  // list interface-mka
            }  // container interface-mkas
          }  // container statistics
        }  // container macsec
    
        // Clears the MKA protocol counters (rx/tx/drop-mka-packets,
        // wrong-ckn-num, wrong-icv-num, sak-*-times) under
        // /macsec/statistics/interface-mkas.
        // NOTE(review): interface-name is not declared `mandatory true`, so the
        // RPC is schema-valid with no interface given; what the device does in
        // that case (reject, or clear every interface) is not stated here —
        // confirm. Clearing these counters destroys the evidence that
        // wrong-ckn-num / wrong-icv-num provide, so restrict this RPC to an
        // operator role via NACM and make sure the counters are exported to
        // telemetry before any scheduled clear.
        rpc reset-mka-statistics {
          ext:node-ref "/macsec:macsec/macsec:statistics/macsec:interface-mkas";
          description
            "To clear interface mka statistics.";
          input {
            // Optional in the schema; see note above.
            leaf interface-name {
              type leafref {
                path "/ifm:ifm/ifm:interfaces/ifm:interface/ifm:name";
              }
              description
                "Name of an interface.";
            }
          }
        }  // rpc reset-mka-statistics
    
        // Clears the data-plane counters under
        // /macsec/statistics/interface-macsecs.
        // NOTE(review): as with reset-mka-statistics, interface-name is not
        // `mandatory true`; the behaviour when it is omitted (reject, or clear
        // all interfaces) is not stated here — confirm. The late-packets /
        // not-valid-packets / badtag-packets counters are the replay and
        // tamper indicators for the link, so this RPC should be NACM-restricted
        // and counters exported before any clear.
        rpc reset-macsec-statistics {
          ext:node-ref "/macsec:macsec/macsec:statistics/macsec:interface-macsecs";
          description
            "To clear interface macsec statistics.";
          input {
            // Optional in the schema; see note above.
            leaf interface-name {
              type leafref {
                path "/ifm:ifm/ifm:interfaces/ifm:interface/ifm:name";
              }
              description
                "Name of an interface.";
            }
          }
        }  // rpc reset-macsec-statistics
      }  // module huawei-macsec
    
