The MAC security entity (SecY) MIB module. A SecY is a protocol shim providing MAC Security (MACsec) in an interface stack. Eac...
Version: 2021-11-09
module ieee802-dot1ae {
  yang-version 1.1;
  namespace 'urn:ieee:std:802.1AE:yang:ieee802-dot1ae';
  prefix dot1ae;

  import ietf-interfaces {
    prefix if;
  }
  import ietf-yang-types {
    prefix yang;
  }
  import ietf-system {
    prefix sys;
  }
  import iana-if-type {
    prefix ianaift;
  }
  import ieee802-dot1x-types {
    prefix dot1x-types;
  }
  import ieee802-dot1q-types {
    prefix dot1q-types;
  }
  import ieee802-dot1q-bridge {
    prefix dot1q;
  }

  organization
    "Institute of Electrical and Electronics Engineers";
  contact
    "WG-URL: http://ieee802.org/1/
     WG-EMail: stds-802-1-l@ieee.org

     Contact: IEEE 802.1 Working Group Chair
     Postal: C/O IEEE 802.1 Working Group
             IEEE Standards Association
             445 Hoes Lane
             Piscataway, NJ 08855
             USA

     E-mail: stds-802-1-chairs@ieee.org";
  description
    "The MAC security entity (SecY) MIB module. A SecY is a protocol
     shim providing MAC Security (MACsec) in an interface stack. Each
     SecY transmits MACsec protected frames on one or more Secure
     Channels (SCs) to each of the other SecYs attached to the same
     LAN and participating in the same Secure Connectivity Association
     (CA). The CA is a security relationship, that is established and
     maintained by key agreement protocols and supported by MACsec to
     provide full connectivity between its participants. Each SC
     provides unidirectional point to multipoint connectivity from one
     participant to all the others and is supported by a succession of
     similarly point to multipoint Secure Associations (SAs). The
     Secure Association Key (SAK) used to protect frames is changed as
     an SA is replaced by its (overlapping) successor so fresh keys can
     be used without disrupting a long lived SC and CA.

     Two different upper interfaces, a Controlled Port (for frames
     protected by MACsec, providing an instance of the secure MAC
     service) and an Uncontrolled Port (for frames not requiring
     protection, like the key agreement frames used to establish the
     CA and distribute keys) are associated with a SecY shim.";

  revision "2021-11-09" {
    description
      "Updates based upon comment resolution on draft TBD";
    reference
      "IEEE Std 802.1AE-2018, Media Access Control (MAC) Security.";
  }

  typedef sec-an-type {
    type uint8 {
      range "0..3";
    }
    description
      "A 2 bit number that is concatenated with a MACsec Secure
       Channel Identifier to identify a Secure Association. Indicates
       an Association Number (AN) assigned by the Key Server for use
       with the key number for transmission. Each SC is comprised of a
       succession of SAs, each with a different SAK, identified by a
       Secure Association Identifier (SAI) comprising an SCI
       concatenated with a two-bit AN. The SAI is unique for SAs used
       by SecYs participating in a given CA at any instant.";
    reference
      "9.6 of 802.1AE";
  }

  typedef sec-pn-type {
    type uint64;
    description
      "This is the Packet Number. It may be a 32 bit or a 64 bit
       unsigned value. A monotonically increasing value that is
       guaranteed unique for each MACsec frame transmitted using a
       given Secure Association Key (SAK).";
    reference
      "9.8 of 802.1AE";
  }

  typedef sec-sci-type {
    type uint64;
    description
      "The Secure Channel Identifier is 8 bytes (SCI). The SCI is an 8
       octet binary number, where the first 6 octets represents the
       MAC Address (in canonical format), and the next 2 octets
       represents the Port Identifier. Integers may be entered as
       hexadecimal.";
    reference
      "9.9 of 802.1AE";
  }

  typedef sec-eui64-type {
    type uint64;
    description
      "A 64 bit Identifier.";
    reference
      "10.7.25 of 802.1AE";
  }

  typedef sec-key-identifier-type {
    type string {
      length "2..32";
    }
    description
      "The keyIdentifier is an octet string, whose format and
       interpretation depends on the key agreement protocol in use.

       It does not contain any information about the SAK other than
       that explicitly chosen by the key agreement protocol to
       publicly identify the key. If MKA is being used, it is the
       128-bit Key Identifier (KI) specified by IEEE Std 802.1X
       encoded in an octet string as specified by that standard.";
  }
} // module ieee802-dot1ae
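
An added example, not part of the module and not IEEE or YumaWorks code: a Python check of candidate values against the `sec-sci-type`, `sec-an-type` and `sec-key-identifier-type` typedefs above, including the split of an SCI into MAC address and Port Identifier. The function names, the mapping of the uint64's most significant octet to the first SCI octet, and the sample values are assumptions made for illustration.

```python
MAX_U64 = 0xFFFFFFFFFFFFFFFF

def parse_sci(value):
    """Split a sec-sci-type value into (MAC address, Port Identifier)."""
    # The typedef allows hexadecimal entry, so accept "0x..." strings too.
    sci = int(value, 0) if isinstance(value, str) else value
    if not isinstance(sci, int) or not 0 <= sci <= MAX_U64:
        raise ValueError("sec-sci-type is a uint64")
    # Assumption: most significant octet of the uint64 is the first SCI octet.
    octets = sci.to_bytes(8, "big")
    mac = "-".join(f"{b:02X}" for b in octets[:6])   # first 6 octets
    port = int.from_bytes(octets[6:], "big")          # next 2 octets
    return mac, port

def build_sci(mac, port):
    """Inverse of parse_sci: MAC string plus 16-bit Port Identifier."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6 or not 0 <= port <= 0xFFFF:
        raise ValueError("need a 6-octet MAC and a 2-octet Port Identifier")
    return int.from_bytes(raw + port.to_bytes(2, "big"), "big")

def check_sa(sci, an, key_identifier):
    """Return the typedef violations found in one candidate SA record."""
    errors = []
    try:
        parse_sci(sci)
    except ValueError as exc:
        errors.append(f"sci: {exc}")
    # sec-an-type: uint8 restricted to range "0..3" (a 2 bit number)
    if not (isinstance(an, int) and 0 <= an <= 3):
        errors.append("an: outside range 0..3")
    # sec-key-identifier-type: string with length "2..32"
    if not (isinstance(key_identifier, str) and 2 <= len(key_identifier) <= 32):
        errors.append("key-identifier: length outside 2..32")
    return errors

# Constructed sample values, not taken from any real device.
SAMPLES = [
    ("0x001B2C3D4E5F0001", 2, "0123456789abcdef"),  # valid record
    (str(2**64), 4, "k"),                           # violates all three typedefs
]

if __name__ == "__main__":
    for sci, an, ki in SAMPLES:
        print(sci, check_sa(sci, an, ki) or parse_sci(sci))
```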