The MAC security entity (SecY) MIB module. A SecY is a protocol shim providing MAC Security (MACsec) in an interface stack. Eac...
Version: 2021-11-09
module ieee802-dot1ae {
  yang-version 1.1;
  namespace 'urn:ieee:std:802.1AE:yang:ieee802-dot1ae';
  prefix dot1ae;

  import ietf-interfaces {
    prefix if;
  }
  import ietf-yang-types {
    prefix yang;
  }
  import ietf-system {
    prefix sys;
  }
  import iana-if-type {
    prefix ianaift;
  }
  import ieee802-dot1x-types {
    prefix dot1x-types;
  }
  import ieee802-dot1q-types {
    prefix dot1q-types;
  }
  import ieee802-dot1q-bridge {
    prefix dot1q;
  }

  organization
    "Institute of Electrical and Electronics Engineers";
  contact
    "WG-URL: http://ieee802.org/1/
     WG-EMail: stds-802-1-l@ieee.org
     Contact: IEEE 802.1 Working Group Chair
     Postal: C/O IEEE 802.1 Working Group
             IEEE Standards Association
             445 Hoes Lane
             Piscataway, NJ 08855
             USA
     E-mail: stds-802-1-chairs@ieee.org";
  description
    "The MAC security entity (SecY) MIB module. A SecY is a protocol shim providing MAC Security (MACsec) in an interface stack. Each SecY transmits MACsec protected frames on one or more Secure Channels (SCs) to each of the other SecYs attached to the same LAN and participating in the same Secure Connectivity Association (CA). The CA is a security relationship that is established and maintained by key agreement protocols and supported by MACsec to provide full connectivity between its participants. Each SC provides unidirectional point to multipoint connectivity from one participant to all the others and is supported by a succession of similarly point to multipoint Secure Associations (SAs). The Secure Association Key (SAK) used to protect frames is changed as an SA is replaced by its (overlapping) successor so fresh keys can be used without disrupting a long lived SC and CA.

     Two different upper interfaces, a Controlled Port (for frames protected by MACsec, providing an instance of the secure MAC service) and an Uncontrolled Port (for frames not requiring protection, like the key agreement frames used to establish the CA and distribute keys) are associated with a SecY shim.";

  revision "2021-11-09" {
    description "Updates based upon comment resolution on draft TBD";
    reference "IEEE Std 802.1AE-2018, Media Access Control (MAC) Security.";
  }

  typedef sec-an-type {
    type uint8 {
      range "0..3";
    }
    description "A 2 bit number that is concatenated with a MACsec Secure Channel Identifier to identify a Secure Association. Indicates an Association Number (AN) assigned by the Key Server for use with the key number for transmission. Each SC is comprised of a succession of SAs, each with a different SAK, identified by a Secure Association Identifier (SAI) comprising an SCI concatenated with a two-bit AN. The SAI is unique for SAs used by SecYs participating in a given CA at any instant.";
    reference "9.6 of 802.1AE";
  }

  typedef sec-pn-type {
    type uint64;
    description "This is the Packet Number (PN). It may be a 32 bit or a 64 bit unsigned value: a monotonically increasing value that is guaranteed unique for each MACsec frame transmitted using a given Secure Association Key (SAK).";
    reference "9.8 of 802.1AE";
  }

  typedef sec-sci-type {
    type uint64;
    description "The Secure Channel Identifier (SCI) is an 8 octet binary number, where the first 6 octets represent the MAC Address (in canonical format) and the next 2 octets represent the Port Identifier. Integers may be entered as hexadecimal.";
    reference "9.9 of 802.1AE";
  }

  typedef sec-eui64-type {
    type uint64;
    description "A 64 bit Identifier.";
    reference "10.7.25 of 802.1AE";
  }

  typedef sec-key-identifier-type {
    type string {
      length "2..32";
    }
    description "The keyIdentifier is an octet string, whose format and interpretation depends on the key agreement protocol in use. It does not contain any information about the SAK other than that explicitly chosen by the key agreement protocol to publicly identify the key. If MKA is being used, it is the 128-bit Key Identifier (KI) specified by IEEE Std 802.1X encoded in an octet string as specified by that standard.";
  }

  grouping provided-interface-grouping {
    description "Control and status for a provided interface of a SecY, i.e. the Controlled Port or the Uncontrolled Port.";
    leaf provided-interface {
      type dot1x-types:pae-if-index;
      config false;
      description "The Controlled or Uncontrolled Port for this SecY.";
      reference "10.7.4 of 802.1AE";
    }
    leaf mac-enabled {
      type boolean;
      config false;
      description "The mac-enabled parameter is TRUE if use of the service is permitted and is otherwise FALSE. The value of this parameter is determined by administrative controls specific to the entity providing the service.";
      reference "6.4 of 802.1AE";
    }
    leaf mac-operational {
      type boolean;
      config false;
      description "The mac-operational parameter is TRUE if, and only if, service requests can be made and service indications can occur.";
      reference "6.4 of 802.1AE";
    }
    leaf oper-point-to-point-mac {
      type boolean;
      config false;
      description "If the operPointToPointMAC parameter is TRUE, the service is used as if it provides connectivity to at most one other system; if FALSE, the service is used as if it can provide connectivity to a number of systems.";
      reference "6.5 of 802.1AE";
    }
    leaf admin-point-to-point-mac {
      type enumeration {
        enum "force-true" {
          value 1;
          description "If admin-point-to-point-mac is set to force-true, oper-point-to-point-mac shall be TRUE, regardless of any indications to the contrary generated by the service providing entity.";
          reference "6.5 of 802.1AE";
        }
        enum "force-false" {
          value 2;
          description "If admin-point-to-point-mac is set to force-false, oper-point-to-point-mac shall be FALSE.";
          reference "6.5 of 802.1AE";
        }
        enum "auto" {
          value 3;
          description "If admin-point-to-point-mac is set to auto, oper-point-to-point-mac is as currently determined by the service providing entity.";
          reference "6.5 of 802.1AE";
        }
      }
      default "auto";
      description "Each service access point can make available status parameters that reflect the point-to-point status for the service instance provided, and that allow administrative control over the use of that information. The adminPointToPointMAC parameter can take one of three values.";
      reference "6.5 of 802.1AE";
    }
  } // grouping provided-interface-grouping

  grouping secy-secure-channel-grouping {
    description "The secy-secure-channel grouping contains configuration and state common to both transmit and receive SCs.";
    leaf created-time {
      type yang:date-and-time;
      config false;
      description "This is the system time when the SC was created.";
      reference "10.7.12 of 802.1AE";
    }
    leaf started-time {
      type yang:date-and-time;
      config false;
      description "This is the system time when receiving (or, for a transmit SC, transmitting) last became True for the SC.";
      reference "10.7.12 of 802.1AE";
    }
    leaf stopped-time {
      type yang:date-and-time;
      config false;
      description "This is the system time when receiving (or, for a transmit SC, transmitting) last became False for the SC.";
      reference "10.7.12 of 802.1AE";
    }
  } // grouping secy-secure-channel-grouping

  grouping secy-secure-association-grouping {
    description "The secy-secure-association grouping contains configuration and state common to both transmit and receive Secure Associations (SAs).";
    leaf in-use {
      type boolean;
      config false;
      description "If inUse is True, and MAC_Operational is True for the Common Port, the SA can receive and transmit frames.";
      reference "10.7.14, 10.7.23 of 802.1AE";
    }
    leaf ssci {
      type uint32;
      config false;
      description "Short Secure Channel Identifier (SSCI) for this receive or transmit SA, used by the XPN Cipher Suites.";
      reference "10.7.14, 10.7.23 of 802.1AE";
    }
    leaf next-pn {
      type sec-pn-type;
      config false;
      description "The Next Packet Number. For a receive SA, one more than the highest PN conveyed in the SecTAG of successfully validated frames received on this SA; for a transmit SA, the PN that will be used in the next frame transmitted on it.";
      reference "10.7.14, 10.7.23 of 802.1AE";
    }
    leaf created-time {
      type yang:date-and-time;
      config false;
      description "This is the system time when the SA was created.";
      reference "10.7.14, 10.7.23 of 802.1AE";
    }
    leaf started-time {
      type yang:date-and-time;
      config false;
      description "This is the system time when inUse last became True for the SA.";
      reference "10.7.14 of 802.1AE";
    }
    leaf stopped-time {
      type yang:date-and-time;
      config false;
      description "This is the system time when inUse last became False for the SA.";
      reference "10.7.14 of 802.1AE";
    }
  } // grouping secy-secure-association-grouping

  grouping secy-statistics-grouping {
    description "A collection of interface-related statistics objects.";
    leaf in-octets {
      type yang:counter64;
      config false;
      description "The total number of octets received on the interface, including framing characters. Discontinuities in the value of this counter can occur at re-initialization of the management system and at other times as indicated by the value of 'discontinuity-time'.";
      reference "RFC 2863: The Interfaces Group MIB - ifHCInOctets";
    }
    leaf in-unicast-pkts {
      type yang:counter64;
      config false;
      description "The number of packets, delivered by this sub-layer to a higher (sub-)layer, that were not addressed to a multicast or broadcast address at this sub-layer. Discontinuities in the value of this counter can occur at re-initialization of the management system and at other times as indicated by the value of 'discontinuity-time'.";
      reference "RFC 2863: The Interfaces Group MIB - ifHCInUcastPkts";
    }
    leaf in-broadcast-pkts {
      type yang:counter64;
      config false;
      description "The number of packets, delivered by this sub-layer to a higher (sub-)layer, that were addressed to a broadcast address at this sub-layer. Discontinuities in the value of this counter can occur at re-initialization of the management system and at other times as indicated by the value of 'discontinuity-time'.";
      reference "RFC 2863: The Interfaces Group MIB - ifHCInBroadcastPkts";
    }
    leaf in-multicast-pkts {
      type yang:counter64;
      config false;
      description "The number of packets, delivered by this sub-layer to a higher (sub-)layer, that were addressed to a multicast address at this sub-layer. For a MAC-layer protocol, this includes both Group and Functional addresses. Discontinuities in the value of this counter can occur at re-initialization of the management system and at other times as indicated by the value of 'discontinuity-time'.";
      reference "RFC 2863: The Interfaces Group MIB - ifHCInMulticastPkts";
    }
    leaf in-discards {
      type yang:counter32;
      config false;
      description "The number of inbound packets that were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space. Discontinuities in the value of this counter can occur at re-initialization of the management system and at other times as indicated by the value of 'discontinuity-time'.";
      reference "RFC 2863: The Interfaces Group MIB - ifInDiscards";
    }
    leaf in-errors {
      type yang:counter32;
      config false;
      description "For packet-oriented interfaces, the number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol. For character-oriented or fixed-length interfaces, the number of inbound transmission units that contained errors preventing them from being deliverable to a higher-layer protocol. Discontinuities in the value of this counter can occur at re-initialization of the management system and at other times as indicated by the value of 'discontinuity-time'.";
      reference "RFC 2863: The Interfaces Group MIB - ifInErrors";
    }
    leaf out-octets {
      type yang:counter64;
      config false;
      description "The total number of octets transmitted out of the interface, including framing characters. Discontinuities in the value of this counter can occur at re-initialization of the management system and at other times as indicated by the value of 'discontinuity-time'.";
      reference "RFC 2863: The Interfaces Group MIB - ifHCOutOctets";
    }
    leaf out-unicast-pkts {
      type yang:counter64;
      config false;
      description "The total number of packets that higher-level protocols requested be transmitted and that were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent. Discontinuities in the value of this counter can occur at re-initialization of the management system and at other times as indicated by the value of 'discontinuity-time'.";
      reference "RFC 2863: The Interfaces Group MIB - ifHCOutUcastPkts";
    }
    leaf out-broadcast-pkts {
      type yang:counter64;
      config false;
      description "The total number of packets that higher-level protocols requested be transmitted and that were addressed to a broadcast address at this sub-layer, including those that were discarded or not sent. Discontinuities in the value of this counter can occur at re-initialization of the management system and at other times as indicated by the value of 'discontinuity-time'.";
      reference "RFC 2863: The Interfaces Group MIB - ifHCOutBroadcastPkts";
    }
    leaf out-multicast-pkts {
      type yang:counter64;
      config false;
      description "The total number of packets that higher-level protocols requested be transmitted and that were addressed to a multicast address at this sub-layer, including those that were discarded or not sent. For a MAC-layer protocol, this includes both Group and Functional addresses. Discontinuities in the value of this counter can occur at re-initialization of the management system and at other times as indicated by the value of 'discontinuity-time'.";
      reference "RFC 2863: The Interfaces Group MIB - ifHCOutMulticastPkts";
    }
    leaf out-discards {
      type yang:counter32;
      config false;
      description "The number of outbound packets that were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space. Discontinuities in the value of this counter can occur at re-initialization of the management system and at other times as indicated by the value of 'discontinuity-time'.";
      reference "RFC 2863: The Interfaces Group MIB - ifOutDiscards";
    }
    leaf out-errors {
      type yang:counter32;
      config false;
      description "For packet-oriented interfaces, the number of outbound packets that could not be transmitted because of errors. For character-oriented or fixed-length interfaces, the number of outbound transmission units that could not be transmitted because of errors. Discontinuities in the value of this counter can occur at re-initialization of the management system and at other times as indicated by the value of 'discontinuity-time'.";
      reference "RFC 2863: The Interfaces Group MIB - ifOutErrors";
    }
  } // grouping secy-statistics-grouping

  augment /if:interfaces/if:interface {
    when "if:type = 'ianaift:ethernetCsmacd' or if:type = 'ianaift:ilan' or if:type = 'ianaift:macSecControlledIF' or if:type = 'ianaift:ptm' or if:type = 'ianaift:bridge'" {
      description "Augment interfaces with 802.1AE MACsec System specific configuration nodes.";
    }
    container secy {
      description "Augment interface with 802.1 SecY configuration nodes. The management information for each SecY is indexed by controlled-port-number within a SecY System. This containment relationship complements that specified in IEEE Std 802.1X, where the management information for each PAE is indexed by portNumber within a PAE System.";
      reference "10.7 of 802.1AE";
      leaf controlled-port-number {
        type dot1x-types:pae-if-index;
        description "Controlled Port Number";
      }

      container verification {
        description "Verification controls (frame validation and replay protection) for the receive side of a given SecY.";
        reference "10.6 of 802.1AE";
        leaf max-receive-channels {
          type uint8;
          config false;
          description "Specifies the maximum number of receive channels for a SecY.";
          reference "10.7.7 of 802.1AE";
        }
        leaf max-receive-keys {
          type uint8;
          config false;
          description "Specifies the maximum number of receive keys for a SecY.";
          reference "10.7.7 of 802.1AE";
        }
        leaf validate-frames {
          type enumeration {
            enum "disabled" {
              value 1;
              description "Frame verification is disabled. Remove SecTAGs and ICVs (if present) from received frames.";
            }
            enum "check" {
              value 2;
              description "Frame verification is enabled. Do not discard invalid frames.";
            }
            enum "strict" {
              value 3;
              description "Frame verification is enabled and strictly enforced. Discard any invalid frames.";
            }
            enum "null" {
              value 4;
              description "No frame verification is performed; SecTAGs and ICVs are not removed.";
            }
          }
          default "strict";
          description "Controls the frame verification settings. If the management control validate-frames is not Strict, frames without a SecTAG are received, counted, and delivered to the Controlled Port; otherwise, they are counted and discarded. If validate-frames is Disabled, cryptographic validation is not applied to tagged frames, but frames whose original service user data can be recovered are delivered. Frames with a SecTAG that has the TCI E bit set but the C bit clear are discarded, as this reserved encoding is used to identify frames with a SecTAG that are not to be delivered to the Controlled Port. If validate-frames is Null, all received frames are delivered to the Controlled Port without modification, irrespective of the absence, presence, or validity of a SecTAG.";
          reference "10.7.8 of 802.1AE";
        }
        leaf replay-protect {
          type boolean;
          default "true";
          description "If the Packet Number (PN) of the received frame is less than the lowest acceptable packet number for the SA, and replay-protect is enabled, the frame is discarded and the in-pkts-late counter incremented. The replay-protect and replay-window controls allow replay protection to be disabled, to operate on a packet number window, or to enforce strict frame order. If replay-protect is set but replay-window is not zero, frames within the window can be received out of order; however, they are not replay protected.";
          reference "10.6.2, 10.4 of 802.1AE";
        }
        leaf replay-window {
          type uint32;
          default "0";
          description "Controls the replay-window size in packets. A non-zero window supports media access control methods and provider networks that can misorder frames with different priorities and/or addresses.";
          reference "10.7.8 of 802.1AE";
        }
        leaf in-pkts-untagged {
          type yang:counter64;
          config false;
          description "The number of packets received without the MACsec tag (SecTAG) while validate-frames was not strict.";
          reference "10.7.9 of 802.1AE";
        }
        leaf in-pkts-no-tag {
          type yang:counter64;
          config false;
          description "The number of packets received without the MACsec tag (SecTAG) and discarded because validate-frames was set to strict.";
          reference "10.7.9 of 802.1AE";
        }
        leaf in-pkts-bad-tag {
          type yang:counter64;
          config false;
          description "The number of received packets discarded with an invalid MACsec tag (SecTAG), zero value PN, or invalid ICV.";
          reference "10.7.9 of 802.1AE";
        }
        leaf in-pkts-no-sa {
          type yang:counter64;
          config false;
          description "The number of received packets with an unknown SCI or for an unused SA that were delivered (unchecked) to the Controlled Port because validate-frames was not strict.";
          reference "10.7.9 of 802.1AE";
        }
        leaf in-pkts-no-sa-error {
          type yang:counter64;
          config false;
          description "The number of packets discarded because the received SCI is unknown or the SA is not in use.";
          reference "10.7.9 of 802.1AE";
        }
        leaf in-pkts-overrun {
          type yang:counter64;
          config false;
          description "The number of packets discarded because they exceeded cryptographic performance capabilities.";
          reference "10.7.9 of 802.1AE";
        }
        leaf in-octets-validated {
          type yang:counter64;
          config false;
          description "The number of plaintext octets recovered from packets that were integrity protected but not encrypted.";
          reference "10.6, 10.6.3 of 802.1AE";
        }
        leaf in-octets-decrypted {
          type yang:counter64;
          config false;
          description "The number of plaintext octets recovered from packets that were integrity protected and encrypted.";
          reference "10.6, 10.6.3 of 802.1AE";
        }

        list receive-sc {
          key "sci";
          config false;
          description "Receive Secure Channel status for a given Secure Channel Identifier.";
          reference "10.7.9 of 802.1AE";
          leaf sci {
            type sec-sci-type;
            description "Each SecY transmits frames conveying secure MAC Service requests of any given priority on a single SC. Each SC provides unidirectional point-to-multipoint communication, and it can be long lived, persisting through SAK changes. Each SC is identified by a Secure Channel Identifier (SCI) comprising a 48-bit MAC address concatenated with a 16-bit Port Identifier.";
            reference "7.1.2 and figure 7.7 of 802.1AE";
          }
          uses secy-secure-channel-grouping;
          leaf receiving {
            type boolean;
            config false;
            description "Receiving is True if in-use is True for any of the SAs for the SC, and False otherwise.";
            reference "10.7.12 of 802.1AE";
          }
          leaf in-pkts-ok {
            type yang:counter64;
            config false;
            description "For this SC, the number of validated packets.";
            reference "10.6.5, 10.7.9 of 802.1AE";
          }
          leaf in-pkts-unchecked {
            type yang:counter64;
            config false;
            description "For this SC, the number of packets received while validate-frames was disabled.";
            reference "10.6.5, 10.7.9 of 802.1AE";
          }
          leaf in-pkts-delayed {
            type yang:counter64;
            config false;
            description "For this SC, the number of received packets with a Packet Number (PN) lower than the lowest acceptable PN (lowest-pn) while replay-protect was false.";
            reference "10.6.5, 10.7.9 of 802.1AE";
          }
          leaf in-pkts-late {
            type yang:counter64;
            config false;
            description "For this SC, the number of packets discarded because the Packet Number (PN) was lower than the lowest acceptable PN (lowest-pn) while replay-protect was true.";
            reference "10.7.9 of 802.1AE";
          }
          leaf in-pkts-invalid {
            type yang:counter64;
            config false;
            description "For this SC, the number of packets that failed validation but could be received because validate-frames was 'check' and the data was not encrypted (so the original frame could be recovered).";
            reference "10.7.9 of 802.1AE";
          }
          leaf in-pkts-not-valid {
            type yang:counter64;
            config false;
            description "For this SC, the number of packets discarded because validation failed and validate-frames was 'strict' or the data was encrypted (so the original frame could not be recovered).";
            reference "10.7.9 of 802.1AE";
          }

          list receive-sa {
            key "rxa";
            description "Receive Secure Association status for this association.";
            uses secy-secure-association-grouping;
            leaf rxa {
              type sec-an-type;
              description "The Association Number for this receive Secure Association.";
              reference "10.7.13 of 802.1AE";
            }
            leaf lowest-pn {
              type sec-pn-type;
              config false;
              description "The lowest acceptable packet number. A received frame with a lower PN is discarded if replay-protect is enabled.";
              reference "10.7.14 of 802.1AE";
            }
            leaf enable-receive {
              type boolean;
              description "When the SA is created, enable-receive and in-use are False and the SA cannot be used to receive frames. The SA shall be able to receive, and in-use shall be True, when enable-receive is set. The SA shall stop receiving, and in-use shall be False, when enable-receive is reset.";
              reference "10.7.15 of 802.1AE";
            }
            leaf updt-next-pn {
              type sec-pn-type;
              config false;
              description "The value of next-pn shall be set to the greater of its existing value and the supplied value of updt-next-pn. Initially, following creation, the value of next-pn will have been set to the value supplied by the KaY.";
              reference "10.7.15 of 802.1AE";
            }
            leaf updt-lowest-pn {
              type sec-pn-type;
              config false;
              description "The value of lowest-pn shall be set to the greater of its existing value and the supplied value of updt-lowest-pn. Initially, following creation, the value of lowest-pn will have been set to the value supplied by the KaY.";
              reference "10.7.15 of 802.1AE";
            }
            leaf key-identifier {
              type sec-key-identifier-type;
              config false;
              description "The key-identifier is an octet string, whose format and interpretation depends on the key agreement protocol in use. It does not contain any information about the SAK other than that explicitly chosen by the key agreement protocol to publicly identify the key. If MKA is being used, it is the 128-bit Key Identifier (KI) specified by IEEE Std 802.1X encoded in an octet string as specified by that standard.";
              reference "10.7.14, 10.7.24, of 802.1AE";
            }
          } // list receive-sa
        } // list receive-sc
      } // container verification

      container generation {
        description "Generation controls for the transmit side of a given SecY.";
        reference "10.5 of 802.1AE";
        leaf sci-base {
          type string;
          config false;
          description "The base Secure Channel Identifier (SCI) from which the SCIs of this SecY's transmit SCs are derived.";
          reference "7.1.2, 10.7.17 of 802.1AE";
        }
        leaf max-transmit-channels {
          type uint16;
          description "Maximum number of transmit channels for a SecY.";
          reference "10.7.16 of 802.1AE";
        }
        leaf max-transmit-keys {
          type uint16;
          description "Maximum number of transmit keys for a SecY.";
          reference "10.7.16 of 802.1AE";
        }
        leaf protect-frames {
          type boolean;
          default "true";
          description "The protect-frames control is provided to facilitate deployment. If false, frames are transmitted without a SecTAG and counted in out-pkts-untagged.";
          reference "10.7.17 of 802.1AE";
        }
        leaf always-include-sci {
          type boolean;
          default "false";
          description "Mandates inclusion of an explicit SCI in the SecTAG when transmitting protected frames.";
          reference "10.5.3, 10.7.17 of 802.1AE";
        }
        leaf use-es {
          type boolean;
          default "false";
          description "Enables use of the ES bit in the SecTAG when transmitting protected frames.";
          reference "10.5.3, 10.7.17 of 802.1AE";
        }
        leaf use-scb {
          type boolean;
          default "false";
          description "Enables use of the SCB bit in the SecTAG when transmitting protected frames.";
          reference "10.5.3, 10.7.17 of 802.1AE";
        }
        leaf including-sci {
          type boolean;
          config false;
          description "True if an explicit SCI is included in the SecTAG when transmitting protected frames.";
          reference "10.5.3, 10.7.17 of 802.1AE";
        }
        leaf out-pkts-untagged {
          type yang:counter64;
          config false;
          description "The number of packets transmitted without a SecTAG because protect-frames is configured false.";
          reference "10.7.18 of 802.1AE";
        }
        leaf out-pkts-too-long {
          type yang:counter64;
          config false;
          description "The number of transmit packets discarded because their length is greater than the ifMtu of the Common Port.";
          reference "10.7.18 of 802.1AE";
        }
        leaf out-octets-protected {
          type yang:counter64;
          config false;
          description "The number of plain text octets integrity protected but not encrypted in transmitted frames.";
          reference "10.7.9 of 802.1AE";
        }
        leaf out-octets-encrypted {
          type yang:counter64;
          config false;
          description "The number of plain text octets integrity protected and encrypted in transmitted frames.";
          reference "10.7.9 of 802.1AE";
        }

        list user-priority-tc {
          key "user-priority";
          description "Each entry in the Traffic Class Table is a traffic class, represented by an integer from 0 (default) through 7 that also comprises the numeric value of the four most significant bits of the Port Identifier component of the SCI for the selected SC. The default for this table is the identity mapping: every value in the first row (user priority 0) is 0, every value in the second row is 1, and so on up to 7 in the last row.";
          reference "10.7.17 of 802.1AE";
          leaf user-priority {
            type dot1q-types:priority-type;
            description "The User Priority";
            reference "10.7.17 of 802.1AE";
          }
          leaf traffic-class {
            type dot1q-types:priority-type;
            description "The traffic class that maps to the four most significant bits of the Port Identifier component of the SCI for the selected SC.";
            reference "10.7.17 of 802.1AE";
          }
          leaf access-class-de0 {
            type uint8 {
              range "0..15";
            }
            description "The access priority when the PCP Discard Eligible (DE) bit is not set (0). Access priority is the high 3 bits and the DE bit is the low bit.";
            reference "10.7.17 of 802.1AE";
          }
          leaf access-class-de1 {
            type uint8 {
              range "0..15";
            }
            description "The access priority when the PCP Discard Eligible (DE) bit is set (1). Access priority is the high 3 bits and the DE bit is the low bit.";
            reference "10.7.17 of 802.1AE";
          }
        } // list user-priority-tc

        list transmit-sc {
          key "sci";
          config false;
          description "Transmit Secure Channel status for a given Secure Channel Identifier.";
          reference "10.7.1 of 802.1AE";
          leaf sci {
            type sec-sci-type;
            description "Each SecY transmits frames conveying secure MAC Service requests of any given priority on a single SC. Each SC provides unidirectional point-to-multipoint communication, and it can be long lived, persisting through SAK changes. Each SC is identified by a Secure Channel Identifier (SCI) comprising a 48-bit MAC address concatenated with a 16-bit Port Identifier.";
            reference "7.1.2 and figure 7.7 of 802.1AE";
          }
          uses secy-secure-channel-grouping;
          leaf transmitting {
            type boolean;
            config false;
            description "True if in-use is True for any of the SAs for the SC, and False otherwise.";
            reference "10.7.21 of 802.1AE";
          }
          leaf encoding-sa {
            type sec-an-type;
            config false;
            description "The current value of the encoding-sa variable for the selected transmit SC.";
            reference "10.7.24 of 802.1AE";
          }
          leaf out-pkts-protected {
            type yang:counter64;
            config false;
            description "The number of integrity protected but not encrypted packets for this transmit SC.";
            reference "10.7.18, Figure 10-3 of 802.1AE";
          }
          leaf out-pkts-encrypted {
            type yang:counter64;
            config false;
            description "The number of integrity protected and encrypted packets for this transmit SC.";
            reference "10.7.18, Figure 10-3 of 802.1AE";
          }

          list transmit-sa {
            key "txa";
            config false;
            description "Transmit Secure Association status for a given association number.";
            uses secy-secure-association-grouping;
            leaf txa {
              type sec-an-type;
              config false;
              description "The association number for the SA.";
              reference "10.7.23 of 802.1AE";
            }
            leaf confidentiality {
              type boolean;
              config false;
              description "True if the SA provides confidentiality as well as integrity for transmitted frames.";
              reference "10.7.23 of 802.1AE";
            }
            leaf key-identifier {
              type sec-key-identifier-type;
              config false;
              description "The key-identifier is an octet string, whose format and interpretation depends on the key agreement protocol in use. It does not contain any information about the SAK other than that explicitly chosen by the key agreement protocol to publicly identify the key. If MKA is being used, it is the 128-bit Key Identifier (KI) specified by IEEE Std 802.1X encoded in an octet string as specified by that standard.";
              reference "10.7.14, 14.7, 14.8 of 802.1AE";
            }
          } // list transmit-sa
        } // list transmit-sc
      } // container generation

      container current-cipher-suite {
        description "The CurrentCipherSuite is selected by the KaY. The Current Cipher Suite may also be selected and keys created by management, but a conformant implementation shall provide a mechanism to allow such selection and creation by network management to be disabled.";
        leaf cipher-suite-identifier {
          type sec-eui64-type;
          description "The Cipher Suite currently used by this SecY.";
          reference "10.7.27 of 802.1AE";
        }
        list data-key {
          key "key-index";
          description "An index of the keys in use.";
          leaf key-index {
            type uint32;
            description "Numeric key number used as index.";
            reference "10.7.27 of 802.1AE";
          }
          leaf key-identifier {
            type sec-key-identifier-type;
            config false;
            description "Key Identifier (KI), comprising the Key Server's MI (providing the more significant bits) and a 32-bit Key Number (KN) assigned by that Key Server (sequentially, beginning with 1). Each KI is used to identify the corresponding SAK for the purposes of SAI assignment, and appears in the clear in MKPDUs, so network management equipment and personnel can observe and diagnose MKA operation (if necessary) without having access to any secret key.";
            reference "10.7.28 of 802.1AE";
          }
          leaf transmits {
            type boolean;
            config false;
            description "True if the key is used in the transmit direction.";
            reference "10.5 of 802.1AE";
          }
          leaf receives {
            type boolean;
            config false;
            description "True if the key is used in the receive direction.";
            reference "10.5 of 802.1AE";
          }
        } // list data-key
      } // container current-cipher-suite

      container controlled-interface {
        description "Controlled interface control and status";
        uses provided-interface-grouping;
        leaf controlled-port-enabled {
          type boolean;
          config false;
          description "By setting ControlledPortEnabled False, the KaY can prohibit use of the Controlled Port until the secure connectivity required has been configured.";
          reference "10.7.6 of 802.1AE";
        }
        uses secy-statistics-grouping;
      } // container controlled-interface

      container uncontrolled-interface {
        description "Uncontrolled interface control and status";
        uses provided-interface-grouping;
        uses secy-statistics-grouping;
      } // container uncontrolled-interface

      container common-port {
        description "Status and statistics for the Common Port, the lower interface that carries the frames of both the Controlled Port and the Uncontrolled Port.";
        leaf common-port {
          type dot1x-types:pae-if-index;
          config false;
          description "The Common Port for this SecY.";
          reference "10.7.4 of 802.1AE";
        }
        uses secy-statistics-grouping;
      } // container common-port

      list cipher-suite-control {
        key "implemented-cipher-suite";
        description "The MKA Key Server selects the Cipher Suite to be used to protect communication within a CA. If enable-use is False for the selected Cipher Suite, the SecY does not participate in the CA and MAC_Operational for the Controlled Port remains false. If the MKA Key Server has selected integrity protection and enable-use and require-confidentiality are both True for the selected Cipher Suite, confidentiality protection is used.";
        leaf implemented-cipher-suite {
          type sec-eui64-type;
          description "Cipher Suite identifier (EUI-64).";
          reference "10.7.26 of 802.1AE";
        }
        leaf enable-use {
          type boolean;
          default "true";
          description "Enables use of the Cipher Suite by this SecY.";
          reference "10.7.26 of 802.1AE";
        }
        leaf require-confidentiality {
          type boolean;
          default "true";
          description "This value is true if the Cipher Suite can only be used to provide both confidentiality and integrity (and not integrity only, or confidentiality with an offset).";
          reference "10.7.26 of 802.1AE";
        }
      } // list cipher-suite-control
    } // container secy
  }

  augment /sys:system {
    description "Augment system with 802.1AE MACsec System Cipher Suite nodes.";
    container secy-system {
      description "Augment system with 802.1 SecY configuration nodes.";
      list cipher-suites {
        key "cipher-suite";
        description "A list of configuration parameters and operational state associated with a cipher suite.";
        leaf cipher-suite {
          type sec-eui64-type;
          description "A globally unique 64-bit (EUI-64) identifier for this cipher suite.";
          reference "10.7.25 of 802.1AE";
        }
        leaf name {
          type string {
            length "1..254";
          }
          config false;
          description "Cipher Suite Name, a human readable and displayable UTF-8 (IETF RFC 2279) string.";
          reference "10.7.25 of 802.1AE";
        }
        leaf integrity-protection {
          type boolean;
          config false;
          description "True if integrity protection without confidentiality can be provided.";
          reference "10.7.25 of 802.1AE";
        }
        leaf confidentiality-protection {
          type boolean;
          config false;
          description "True if confidentiality with integrity protection can be provided.";
          reference "10.7.25 of 802.1AE";
        }
        leaf offset-confidentiality {
          type boolean;
          config false;
          description "True if a selectable offset for confidentiality can be provided.";
          reference "10.7.25 of 802.1AE";
        }
        leaf changes-data-length {
          type boolean;
          config false;
          description "Indicates that the cipher suite changes the data length.";
          reference "10.7.25 of 802.1AE";
        }
        leaf icv-length {
          type uint16;
          config false;
          description "The number of octets in the ICV.";
          reference "10.7.25 of 802.1AE";
        }
      } // list cipher-suites
    } // container secy-system
  }

  augment /if:interfaces/if:interface/dot1q:bridge-port {
    description "Augment the interface model with 802.1Q Bridge Port configuration specific nodes.";
    list ede-tag-registration {
      when "(/dot1q:bridges/dot1q:bridge[dot1q:name=current()/../dot1q:bridge-name]"
         + "/dot1q:component[dot1q:name=current()/../dot1q:component-name]/dot1q:type"
         + " = 'dot1q:c-vlan-component' or "
         + "/dot1q:bridges/dot1q:bridge[dot1q:name=current()/../dot1q:bridge-name]"
         + "/dot1q:component[dot1q:name=current()/../dot1q:component-name]/dot1q:type"
         + " = 'dot1q:s-vlan-component') and "
         + "../dot1q:port-type = 'dot1q:red-side-port'" {
        description "Applies when the component associated with this interface is an EDE C-VLAN or S-VLAN component and the port-type is a red-side (customer edge) port.";
      }
      key "black-side-vid";
      description "The EDE Tag Registration Table provides a mapping between a C-VLAN or S-VLAN red-side component and the service instance, represented by a C-VLAN or S-VLAN black-side component, selected for that C-VLAN.
This table provides the equivalent functionality of 1) Configuring the PVID of the internal CNP on the black side component 2) Adding the corresponding PEP on the component to the member set of the C-VLAN 3) Adding the PEP and/or CEP to the untagged set of the C-VLAN (if it is desired that frames forwarded to that port are transmitted untagged for this C-VLAN)."; leaf black-side-vid { type dot1q-types:vlanid; description "VID value type depended on linked component type."; reference "TBD of IEEE Std 802.1Q-2018"; } leaf red-side-vid { type dot1q-types:vid-range-type; description "VID value type depended on linked component type."; reference "TBD of IEEE Std 802.1Q-2018"; } leaf untagged-pep { type boolean; default "true"; description "A boolean indicating frames for this VLAN should be forwarded untagged through the Provider Edge Port."; reference "12.13.2.1 of IEEE Std 802.1Q-2018"; } leaf untagged-red-side-port { type boolean; default "true"; description "A boolean indicating frames for this VLAN should be forwarded untagged through the Red side Port."; reference "12.13.2.1 of IEEE Std 802.1Q-2018"; } } // list ede-tag-registration } } // module ieee802-dot1ae
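Two passages of the module above describe behaviour rather than just structure: the data-key description (the 128-bit MKA Key Identifier is the Key Server's MI in the more significant bits followed by a 32-bit Key Number, and it is visible in the clear so operators can diagnose MKA without any secret key) and the cipher-suite-control description (enable-use False for the selected suite means the SecY does not participate and MAC_Operational stays false; integrity-only selection plus enable-use and require-confidentiality both True means confidentiality is used). The following Python is an added example, not part of the IEEE module or of any implementation of it; it models operational data shaped like these lists and applies those two rules. Assumptions not on the page: the key-identifier string is lowercase hex (32 characters for a 128-bit KI), the sample MI and key rows are constructed, the GCM-AES-128 EUI-64 value comes from 802.1AE Table 14-1 rather than from this page, and a selected suite with no cipher-suite-control entry is treated like enable-use False.

```python
"""Added example: interpret SecY state shaped like ieee802-dot1ae's
data-key and cipher-suite-control lists. All sample data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KI_OCTETS = 16                      # 128-bit MKA Key Identifier (IEEE Std 802.1X)
KN_OCTETS = 4                       # 32-bit Key Number: the less significant bits
MI_OCTETS = KI_OCTETS - KN_OCTETS   # Key Server's Member Identifier: the more significant bits

# GCM-AES-128 Cipher Suite identifier (EUI-64 00-80-C2-00-01-00-00-01) as listed in
# 802.1AE Table 14-1; this value is not on the page, it is only used for realism.
GCM_AES_128 = 0x0080C20001000001


def build_key_identifier(member_identifier: bytes, key_number: int) -> str:
    """KI = MI || KN. The key-identifier leaf is a string of length 2..32; this
    example assumes lowercase hex, so a 128-bit KI is exactly 32 characters."""
    if len(member_identifier) != MI_OCTETS:
        raise ValueError("MI must be %d octets" % MI_OCTETS)
    if not 1 <= key_number < 2 ** (8 * KN_OCTETS):
        raise ValueError("KN is a 32-bit number assigned sequentially from 1")
    return (member_identifier + key_number.to_bytes(KN_OCTETS, "big")).hex()


def parse_key_identifier(ki_hex: str) -> Tuple[bytes, int]:
    """Split a hex KI back into (MI, KN). Nothing secret is involved: the KI
    appears in the clear in MKPDUs precisely so this can be done by operators."""
    raw = bytes.fromhex(ki_hex)
    if len(raw) != KI_OCTETS:
        raise ValueError("expected a 128-bit KI, got %d bits" % (8 * len(raw)))
    return raw[:MI_OCTETS], int.from_bytes(raw[MI_OCTETS:], "big")


def describe_data_keys(data_keys: List[Dict]) -> List[Dict]:
    """One row per data-key entry: key-index, Key Server MI, KN and direction,
    derived from the transmits/receives leaves."""
    direction_names = {(True, True): "both", (True, False): "tx",
                       (False, True): "rx", (False, False): "none"}
    rows = []
    for entry in data_keys:
        mi, kn = parse_key_identifier(entry["key-identifier"])
        rows.append({"key-index": entry["key-index"], "mi": mi.hex(), "kn": kn,
                     "direction": direction_names[(entry["transmits"], entry["receives"])]})
    return rows


@dataclass
class CipherSuiteControl:
    implemented_cipher_suite: int         # sec-eui64-type
    enable_use: bool = True               # module default "true"
    require_confidentiality: bool = True  # module default "true"


def resolve_protection(selected_suite: int, server_selected_confidentiality: bool,
                       controls: List[CipherSuiteControl]) -> Dict:
    """Apply the cipher-suite-control rules from the module's description."""
    ctl: Optional[CipherSuiteControl] = next(
        (c for c in controls if c.implemented_cipher_suite == selected_suite), None)
    # Assumption (not stated on the page): a selected suite with no control entry
    # is handled like one with enable-use False.
    if ctl is None or not ctl.enable_use:
        # The SecY does not participate in the CA; MAC_Operational of the
        # Controlled Port remains false.
        return {"participates": False, "protection": None, "controlled_port_blocked": True}
    # Integrity-only selection is upgraded to confidentiality when the SecY's
    # control entry has require-confidentiality True.
    if server_selected_confidentiality or ctl.require_confidentiality:
        protection = "confidentiality"
    else:
        protection = "integrity"
    return {"participates": True, "protection": protection, "controlled_port_blocked": False}


if __name__ == "__main__":
    # Constructed sample: one Key Server MI with its 1st and 2nd KNs (overlapping SAs).
    mi = bytes.fromhex("0102030405060708090a0b0c")
    keys = [
        {"key-index": 1, "key-identifier": build_key_identifier(mi, 1), "transmits": False, "receives": True},
        {"key-index": 2, "key-identifier": build_key_identifier(mi, 2), "transmits": True, "receives": True},
    ]
    for row in describe_data_keys(keys):
        print(row)
    controls = [CipherSuiteControl(GCM_AES_128)]
    print(resolve_protection(GCM_AES_128, server_selected_confidentiality=False, controls=controls))
```

Running the script decodes both constructed keys to the same MI with KN 1 (receive only, the SA being retired) and KN 2 (both directions), and reports that an integrity-only selection of GCM-AES-128 is carried out with confidentiality because require-confidentiality keeps its default of True.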