The MAC security entity (SecY) YANG module. A SecY is a protocol shim providing MAC Security (MACsec) in an interface stack. ...
Version: 2022-06-14
module ieee802-dot1ae-secy {
  yang-version 1.1;
  namespace "urn:ieee:std:802.1AE:yang:ieee802-dot1ae-secy";
  prefix secy;

  import ietf-interfaces {
    prefix if;
  }
  import ietf-yang-types {
    prefix yang;
  }
  import ietf-system {
    prefix sys;
  }
  import ieee802-dot1q-types {
    prefix dot1q-types;
  }
  import ieee802-dot1x {
    prefix dot1x;
  }

  organization
    "Institute of Electrical and Electronics Engineers";
  contact
    "WG-URL: http://ieee802.org/1/
     WG-EMail: stds-802-1-l@ieee.org
     Contact: IEEE 802.1 Working Group Chair
     Postal: C/O IEEE 802.1 Working Group
             IEEE Standards Association
             445 Hoes Lane
             Piscataway, NJ 08855
             USA
     E-mail: stds-802-1-chairs@ieee.org";
  description
    "The MAC security entity (SecY) YANG module. A SecY is a protocol
     shim providing MAC Security (MACsec) in an interface stack.
     Each SecY transmits MACsec protected frames on one or more Secure
     Channels (SCs) to each of the other SecYs attached to the same
     LAN and participating in the same Secure Connectivity Association
     (CA). The CA is a security relationship, that is established and
     maintained by key agreement protocols and supported by MACsec to
     provide full connectivity between its participants. Each SC
     provides unidirectional point to multipoint connectivity from one
     participant to all the others and is supported by a succession of
     similarly point to multipoint Secure Associations (SAs). The
     Secure Association Key (SAK) used to protect frames is changed as
     an SA is replaced by its (overlapping) successor so fresh keys can
     be used without disrupting a long lived SC and CA.

     Two different upper interfaces, a Controlled Port (for frames
     protected by MACsec, providing an instance of the secure MAC
     service) and an Uncontrolled Port (for frames not requiring
     protection, like the key agreement frames used to establish the
     CA and distribute keys) are associated with a SecY shim.";

  revision "2022-06-14" {
    description
      "The following reference statement identifies each referenced
       IEEE Standard as updated by applicable amendments.";
    reference
      "IEEE Std 802.1AE Media Access Control (MAC) Security:
       IEEE Stds 802.1AE-2018, 802.1AE-2018-Cor1-2020, 802.1AEdk-2022.
       IEEE Std 802.1X Port-Based Network Access Control:
       IEEE Std 802.1X-2020.
       IEEE Std 802.1AC Media Access Control (MAC) Service Definition:
       IEEE Stds 802.1AC-2016, 802.1AC-2016-Cor1-2018.";
  }

  typedef sec-an-type {
    type uint8 {
      range "0..3";
    }
    description
      "A 2-bit number that is concatenated with a MACsec Secure Channel
       Identifier to identify a Secure Association. Indicates an
       Association Number (AN) assigned by the Key Server for use with
       the key number for transmission. Each SC is comprised of a
       succession of SAs, each with a different SAK, identified by a
       Secure Association Identifier (SAI) comprising an SCI
       concatenated with a two-bit AN. The SAI is unique for SAs used
       by SecYs participating in a given CA at any instant.";
    reference
      "9.6 of IEEE Std 802.1AE";
  }

  typedef sec-pn-type {
    type uint64;
    description
      "The Packet Number (PN). A 32-bit or 64-bit unsigned value. A
       monotonically increasing value that is guaranteed unique for
       each MACsec frame transmitted using a given Secure Association
       Key (SAK).";
    reference
      "9.8 of IEEE Std 802.1AE";
  }

  typedef sec-sci-type {
    type string {
      pattern '[0-9a-fA-F]{2}(-[0-9a-fA-F]{2}){5}-[0-9a-fA-F]{4}';
    }
    description
      "The Secure Channel Identifier (SCI). An 8 octet binary number,
       where the first (most significant) 6 octets represent the MAC
       Address (in canonical format), and the next 2 octets represents
       the Port Identifier.

       Integers can be entered as hexadecimal.";
    reference
      "9.9 of IEEE Std 802.1AE,
       10.7.14, 10.7.23 and 9.8 of IEEE Std 802.1X";
  }

  typedef sec-eui64-type {
    type uint64;
    description
      "A 64 bit identifier.";
    reference
      "10.7.25 of IEEE Std 802.1AE";
  }

  typedef sec-key-identifier-type {
    type string {
      length "0..32";
    }
    description
      "The sec-key-identifier-type is an octet string, whose format and
       interpretation depends on the key agreement protocol in use. It
       does not contain any information about the SAK other than that
       explicitly chosen by the key agreement protocol to publicly
       identify the key. If MKA is being used, it is the 128-bit Key
       Identifier (KI) specified by IEEE Std 802.1X encoded in an octet
       string as specified by that standard.";
    reference
      "10.7.14, 10.7.23 and 9.8 of IEEE Std 802.1X";
  }
} // module ieee802-dot1ae-secy
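The following is an added example, not part of the module or of any IEEE or YumaWorks code: a Python check of values against the sec-sci-type, sec-an-type and sec-pn-type constraints above before they are sent to a device. The function names, the sample SCI, the big-endian reading of the port identifier and the tuple used for the SAI are assumptions of this example.

```python
import re

# Pattern copied from typedef sec-sci-type. YANG patterns are XSD regular
# expressions and always match the whole value, hence fullmatch() below.
SCI_PATTERN = re.compile(r"[0-9a-fA-F]{2}(-[0-9a-fA-F]{2}){5}-[0-9a-fA-F]{4}")
UINT64_MAX = 2**64 - 1


def _check_int(name, value, low, high):
    # bool is a subclass of int in Python; reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"{name}: not an integer: {value!r}")
    if not low <= value <= high:
        raise ValueError(f"{name}: {value} outside {low}..{high}")
    return value


def parse_sci(text):
    """sec-sci-type -> (6-octet MAC address, port identifier as int)."""
    if not isinstance(text, str) or SCI_PATTERN.fullmatch(text) is None:
        raise ValueError(f"sec-sci-type: malformed value {text!r}")
    raw = bytes.fromhex(text.replace("-", ""))  # 6 + 2 = 8 octets
    # Assumption: the 2-octet port identifier is read most significant first.
    return raw[:6], int.from_bytes(raw[6:], "big")


def check_an(an):
    """sec-an-type: uint8 with range 0..3."""
    return _check_int("sec-an-type", an, 0, 3)


def check_pn(pn):
    """sec-pn-type: uint64."""
    return _check_int("sec-pn-type", pn, 0, UINT64_MAX)


def make_sai(sci_text, an):
    """SAI as described for sec-an-type: the SCI together with the AN.
    The (8-octet SCI, AN) tuple is this example's representation only."""
    mac, port = parse_sci(sci_text)
    return mac + port.to_bytes(2, "big"), check_an(an)


# Constructed sample value, not taken from any real device.
SAMPLE_SCI = "00-1B-21-3C-4D-5E-0001"

if __name__ == "__main__":
    print(make_sai(SAMPLE_SCI, 2))
```

Using re.match or re.search instead of fullmatch would accept values with leading or trailing extra characters (including a trailing newline) that a YANG validator rejects.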
© 2023 YumaWorks, Inc. All rights reserved.