This module contains the IPsec IKE case model for the SDN-based IPsec flow protection service. The key words 'MUST', 'MUST NOT'...
Version: 2021-07-14
module ietf-i2nsf-ike { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ike"; prefix nsfike; import ietf-inet-types { prefix inet; reference "RFC 6991: Common YANG Data Types."; } import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types."; } import ietf-i2nsf-ikec { prefix nsfikec; reference "RFC 9061: A YANG Data Model for IPsec Flow Protection Based on Software-Defined Networking (SDN)."; } import ietf-netconf-acm { prefix nacm; reference "RFC 8341: Network Configuration Access Control Model."; } organization "IETF I2NSF Working Group"; contact "WG Web: <https://datatracker.ietf.org/wg/i2nsf/> WG List: <mailto:i2nsf@ietf.org> Author: Rafael Marin-Lopez <mailto:rafa@um.es> Author: Gabriel Lopez-Millan <mailto:gabilm@um.es> Author: Fernando Pereniguez-Garcia <mailto:fernando.pereniguez@cud.upct.es> "; description "This module contains the IPsec IKE case model for the SDN-based IPsec flow protection service. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here. Copyright (c) 2021 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC 9061; see the RFC itself for full legal notices."; revision "2021-07-14" { description "Initial version."; reference "RFC 9061: A YANG Data Model for IPsec Flow Protection Based on Software-Defined Networking (SDN)."; } typedef ike-spi { type uint64 { range "0..max"; } description "Security Parameter Index (SPI)'s IKE SA."; reference "RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2), Section 2.6."; } typedef autostartup-type { type enumeration { enum "add" { value 0; description "IKE/IPsec configuration is only loaded into IKE implementation, but IKE/IPsec SA is not started."; } enum "on-demand" { value 1; description "IKE/IPsec configuration is loaded into IKE implementation. The IPsec policies are transferred to the NSF, but the IPsec SAs are not established immediately. The IKE implementation will negotiate the IPsec SAs when they are required (i.e., through an ACQUIRE notification)."; } enum "start" { value 2; description "IKE/IPsec configuration is loaded and transferred to the NSF's kernel, and the IKEv2-based IPsec SAs are established immediately without waiting for any packet."; } } description "Different policies to set IPsec SA configuration into NSF's kernel when IKEv2 implementation has started."; } typedef fs-group { type uint16; description "DH groups for IKE and IPsec SA rekey."; reference "IANA: Internet Key Exchange Version 2 (IKEv2) Parameters, IKEv2 Transform Attribute Types, Transform Type 4 - Diffie-Hellman Group Transform IDs RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2), Section 3.3.2."; } typedef auth-protocol-type { type enumeration { enum "ikev2" { value 2; description "IKEv2 authentication protocol. It is the only one defined right now. An enum is used for further extensibility."; } } description "IKE authentication protocol version specified in the Peer Authorization Database (PAD). It is defined as enumerated to allow new IKE versions in the future."; reference "RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2)."; } typedef auth-method-type { type enumeration { enum "pre-shared" { value 0; description "Select pre-shared key as the authentication method."; reference "RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2)."; } enum "eap" { value 1; description "Select the Extensible Authentication Protocol (EAP) as the authentication method."; reference "RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2)."; } enum "digital-signature" { value 2; description "Select digital signature as the authentication method."; reference "RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2) RFC 7427: Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)."; } enum "null" { value 3; description "Null authentication."; reference "RFC 7619: The NULL Authentication Method in the Internet Key Exchange Protocol Version 2 (IKEv2)."; } } description "Peer authentication method specified in the Peer Authorization Database (PAD)."; } container ipsec-ike { description "IKE configuration for an NSF. It includes PAD parameters, IKE connection information, and state data."; container pad { description "Configuration of the Peer Authorization Database (PAD). Each entry of PAD contains authentication information of either the local peer or the remote peer. Therefore, the I2NSF Controller stores authentication information (and credentials) not only for the remote NSF but also for the local NSF. The local NSF MAY use the same identity for different types of authentication and credentials. Pointing to the entry for a local NSF (e.g., A) and the entry for remote NSF (e.g., B) is possible to specify all the required information to carry out the authentication between A and B (see ../conn-entry/local and ../conn-entry/remote)."; list pad-entry { key "name"; ordered-by user; description "Peer Authorization Database (PAD) entry. It is a list of PAD entries ordered by the I2NSF Controller, and each entry is unequivocally identified by a name."; leaf name { type string; description "PAD-unique name to identify this entry."; } choice identity { mandatory true; description "A particular IKE peer will be identified by one of these identities. This peer can be a remote peer or local peer (this NSF)."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 4.4.3.1."; leaf ipv4-address { type inet:ipv4-address; description "Specifies the identity as a single 4-octet IPv4 address."; } leaf ipv6-address { type inet:ipv6-address; description "Specifies the identity as a single 16-octet IPv6 address. An example is 2001:db8::8:800:200c:417a."; } leaf fqdn-string { type inet:domain-name; description "Specifies the identity as a Fully Qualified Domain Name (FQDN) string. An example is example.com. The string MUST NOT contain any terminators (e.g., NULL, Carriage Return (CR), etc.)."; } leaf rfc822-address-string { type string; description "Specifies the identity as a fully qualified email address string (RFC 5322). An example is jsmith@example.com. The string MUST NOT contain any terminators (e.g., NULL, CR, etc.)."; reference "RFC 5322: Internet Message Format."; } leaf dnx509 { type binary; description "The binary Distinguished Encoding Rules (DER) encoding of an ASN.1 X.500 Distinguished Name, as specified in IKEv2."; reference "RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2), Section 3.5."; } leaf gnx509 { type binary; description "ASN.1 X.509 GeneralName structure, as specified in RFC 5280, encoded using ASN.1 Distinguished Encoding Rules (DER), as specified in ITU-T X.690."; reference "RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile."; } leaf id-key { type binary; description "Opaque octet stream that may be used to pass vendor-specific information for proprietary types of identification."; reference "RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2), Section 3.5."; } leaf id-null { type empty; description "The ID_NULL identification is used when the IKE identification payload is not used."; reference "RFC 7619: The NULL Authentication Method in the Internet Key Exchange Protocol Version 2 (IKEv2)."; } } // choice identity leaf auth-protocol { type auth-protocol-type; default "ikev2"; description "Only IKEv2 is supported right now, but other authentication protocols may be supported in the future."; } container peer-authentication { description "This container allows the security controller to configure the authentication method (pre-shared key, eap, digital-signature, null) that will be used with a particular peer and the credentials to use, which will depend on the selected authentication method."; leaf auth-method { type auth-method-type; default "pre-shared"; description "Type of authentication method (pre-shared key, eap, digital signature, null)."; reference "RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2), Section 2.15."; } container eap-method { when "../auth-method = 'eap'"; description "EAP method description used when authentication method is 'eap'."; reference "IANA: Extensible Authentication Protocol (EAP) Registry, Method Types RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2), Section 2.16."; leaf eap-type { type uint32 { range "1 .. 4294967295"; } mandatory true; description "EAP method type specified with a value extracted from the IANA registry. This information provides the particular EAP method to be used. Depending on the EAP method, pre-shared keys or certificates may be used."; } } // container eap-method container pre-shared { when "../auth-method[.='pre-shared' or .='eap']"; description "Shared secret value for PSK or EAP method authentication based on PSK."; leaf secret { nacm:default-deny-all; type yang:hex-string; description "Pre-shared secret value. The NSF has to prevent read access to this value for security reasons. This value MUST be set if the EAP method uses a pre-shared key or pre-shared authentication has been chosen."; } } // container pre-shared container digital-signature { when "../auth-method[.='digital-signature' or .='eap']"; description "digital-signature container."; leaf ds-algorithm { type uint8; default "14"; description "The digital signature algorithm is specified with a value extracted from the IANA registry. Default is the generic digital signature method. Depending on the algorithm, the following leafs MUST contain information. For example, if digital signature or the EAP method involves a certificate, then leaves 'cert-data' and 'private-key' will contain this information."; reference "IANA: Internet Key Exchange Version 2 (IKEv2) Parameters, IKEv2 Authentication Method."; } choice public-key { description "If the I2NSF Controller knows that the NSF already owns a private key associated to this public key (e.g., the NSF generated the pair public key/private key out of band), it will only configure one of the leaves of this choice but not the leaf private-key. The NSF, based on the public key value, can know the private key to be used."; leaf raw-public-key { type binary; description "A binary that contains the value of the public key. The interpretation of the content is defined by the digital signature algorithm. For example, an RSA key is represented as RSAPublicKey, as defined in RFC 8017, and an Elliptic Curve Cryptography (ECC) key is represented using the 'publicKey' described in RFC 5915."; reference "RFC 5915: Elliptic Curve Private Key Structure RFC 8017: PKCS #1: RSA Cryptography Specifications Version 2.2."; } leaf cert-data { type binary; description "X.509 certificate data in DER format. If raw-public-key is defined, this leaf is empty."; reference "RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile."; } } // choice public-key leaf private-key { nacm:default-deny-all; type binary; description "A binary that contains the value of the private key. The interpretation of the content is defined by the digital signature algorithm. For example, an RSA key is represented as RSAPrivateKey, as defined in RFC 8017, and an Elliptic Curve Cryptography (ECC) key is represented as ECPrivateKey, as defined in RFC 5915. This value is set if public key is defined and the I2NSF Controller is in charge of configuring the private key. Otherwise, it is not set and the value is kept in secret."; reference "RFC 5915: Elliptic Curve Private Key Structure RFC 8017: PKCS #1: RSA Cryptography Specifications Version 2.2."; } leaf-list ca-data { type binary; description "List of trusted Certification Authorities (CAs) certificates encoded using ASN.1 Distinguished Encoding Rules (DER). If it is not defined, the default value is empty."; } leaf crl-data { type binary; description "A CertificateList structure, as specified in RFC 5280, encoded using ASN.1 Distinguished Encoding Rules (DER), as specified in ITU-T X.690. If it is not defined, the default value is empty."; reference "RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile."; } leaf crl-uri { type inet:uri; description "X.509 Certificate Revocation List (CRL) certificate URI. If it is not defined, the default value is empty."; reference "RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile."; } leaf oscp-uri { type inet:uri; description "Online Certificate Status Protocol (OCSP) URI. If it is not defined, the default value is empty."; reference "RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile."; } } // container digital-signature } // container peer-authentication } // list pad-entry } // container pad list conn-entry { key "name"; description "IKE peer connection information. This list contains the IKE connection for this peer with other peers. This will create, in real time, IKE Security Associations established with these nodes."; leaf name { type string; description "Identifier for this connection entry."; } leaf autostartup { type autostartup-type; default "add"; description "By default, only add configuration without starting the security association."; } leaf initial-contact { type boolean; default "false"; description "The goal of this value is to deactivate the usage of INITIAL_CONTACT notification (true). If this flag remains set to false, it means the usage of the INITIAL_CONTACT notification will depend on the IKEv2 implementation."; } leaf version { type auth-protocol-type; default "ikev2"; description "IKE version. Only version 2 is supported."; } container fragmentation { description "IKEv2 fragmentation, as per RFC 7383. If the IKEv2 fragmentation is enabled, it is possible to specify the MTU."; leaf enabled { type boolean; default "false"; description "Whether or not to enable IKEv2 fragmentation (true or false)."; reference "RFC 7383: Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation."; } leaf mtu { when "../enabled='true'"; type uint16 { range "68..65535"; } description "MTU that IKEv2 can use for IKEv2 fragmentation."; reference "RFC 7383: Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation."; } } // container fragmentation container ike-sa-lifetime-soft { description "IKE SA lifetime soft. Two lifetime values can be configured: either rekey time of the IKE SA or reauth time of the IKE SA. When the rekey lifetime expires, a rekey of the IKE SA starts. When reauth lifetime expires, an IKE SA reauthentication starts."; reference "RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2), Section 2.8."; leaf rekey-time { type uint32; units "seconds"; default "0"; description "Time in seconds between each IKE SA rekey. The value 0 means infinite."; } leaf reauth-time { type uint32; units "seconds"; default "0"; description "Time in seconds between each IKE SA reauthentication. The value 0 means infinite."; } } // container ike-sa-lifetime-soft container ike-sa-lifetime-hard { description "Hard IKE SA lifetime. When this time is reached, the IKE SA is removed."; reference "RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2)."; leaf over-time { type uint32; units "seconds"; default "0"; description "Time in seconds before the IKE SA is removed. The value 0 means infinite."; } } // container ike-sa-lifetime-hard leaf-list ike-sa-intr-alg { type nsfikec:intr-alg-t; default "12"; ordered-by user; description "Integrity algorithm for establishing the IKE SA. This list is ordered following from the higher priority to lower priority. The first node of the list will be the algorithm with higher priority. Default value 12 (AUTH_HMAC_SHA2_256_128)."; } list ike-sa-encr-alg { key "id"; min-elements 1; ordered-by user; description "Encryption or AEAD algorithm for the IKE SAs. This list is ordered following from the higher priority to lower priority. The first node of the list will be the algorithm with higher priority."; leaf id { type uint16; description "An identifier that unequivocally identifies each entry of the list, i.e., an encryption algorithm and its key length (if required)."; } leaf algorithm-type { type nsfikec:encr-alg-t; default "12"; description "Default value 12 (ENCR_AES_CBC)."; } leaf key-length { type uint16; default "128"; description "By default, key length is 128 bits."; } } // list ike-sa-encr-alg leaf dh-group { type fs-group; default "14"; description "Group number for Diffie-Hellman Exponentiation used during IKE_SA_INIT for the IKE SA key exchange."; } leaf half-open-ike-sa-timer { type uint32; units "seconds"; default "0"; description "Set the half-open IKE SA timeout duration. The value 0 implies infinite."; reference "RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2), Section 2."; } leaf half-open-ike-sa-cookie-threshold { type uint32; default "0"; description "Number of half-open IKE SAs that activate the cookie mechanism. The value 0 implies infinite."; reference "RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2), Section 2.6."; } container local { description "Local peer authentication information."; leaf local-pad-entry-name { type string; mandatory true; description "Local peer authentication information. This node points to a specific entry in the PAD where the authorization information about this particular local peer is stored. It MUST match a pad-entry-name."; } } // container local container remote { description "Remote peer authentication information."; leaf remote-pad-entry-name { type string; mandatory true; description "Remote peer authentication information. This node points to a specific entry in the PAD where the authorization information about this particular remote peer is stored. It MUST match a pad-entry-name."; } } // container remote container encapsulation-type { description "This container carries configuration information about the source and destination ports of encapsulation that IKE should use and the type of encapsulation that should be used when NAT traversal is required. However, this is just a best effort since the IKE implementation may need to use a different encapsulation, as described in RFC 8229."; reference "RFC 8229: TCP Encapsulation of IKE and IPsec Packets."; leaf espencap { type esp-encap; default "none"; description "ESP in TCP, ESP in UDP, or ESP in TLS."; } leaf sport { type inet:port-number; default "4500"; description "Encapsulation source port."; } leaf dport { type inet:port-number; default "4500"; description "Encapsulation destination port."; } leaf-list oaddr { type inet:ip-address; description "If required, this is the original address that was used before NAT was applied over the packet."; } } // container encapsulation-type container spd { description "Configuration of the Security Policy Database (SPD). This main information is placed in the grouping ipsec-policy-grouping."; reference "RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2), Section 2.9."; list spd-entry { key "name"; ordered-by user; description "List of entries that will constitute the representation of the SPD. In this case, since the NSF implements IKE, it is only required to send an IPsec policy from this NSF where 'local' is this NSF and 'remote' the other NSF. The IKE implementation will install IPsec policies in the NSF's kernel in both directions (inbound and outbound) and their corresponding IPsec SAs based on the information in this SPD entry."; leaf name { type string; description "SPD-entry-unique name to identify the IPsec policy."; } container ipsec-policy-config { description "This container carries the configuration of an IPsec policy."; leaf anti-replay-window-size { type uint32; default "64"; description "To set the anti-replay window size. The default value is set to 64, following the recommendation in RFC 4303."; reference "RFC 4303: IP Encapsulating Security Payload (ESP), Section 3.4.3."; } container traffic-selector { description "Packets are selected for processing actions based on Traffic Selector values, which refer to IP and inner protocol header information."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 4.4.4.1."; leaf local-prefix { type inet:ip-prefix; mandatory true; description "Local IP address prefix."; } leaf remote-prefix { type inet:ip-prefix; mandatory true; description "Remote IP address prefix."; } leaf inner-protocol { type ipsec-inner-protocol; default "any"; description "Inner protocol that is going to be protected with IPsec."; } list local-ports { key "start end"; description "List of local ports. When the inner protocol is ICMP, this 16-bit value represents code and type. If this list is not defined, it is assumed that start and end are 0 by default (any port)."; leaf start { type inet:port-number; description "Start port number."; } leaf end { type inet:port-number; must ". >= ../start" { error-message "The end port number MUST be equal or greater than the start port number."; } description "End port number. To express a single port, set the same value as start and end."; } } // list local-ports list remote-ports { key "start end"; description "List of remote ports. When the upper layer protocol is ICMP, this 16-bit value represents code and type. If this list is not defined, it is assumed that start and end are 0 by default (any port)."; leaf start { type inet:port-number; description "Start port number."; } leaf end { type inet:port-number; must ". >= ../start" { error-message "The end port number MUST be equal or greater than the start port number."; } description "End port number. To express a single port, set the same value as start and end."; } } // list remote-ports } // container traffic-selector container processing-info { description "SPD processing. If the required processing action is protect, it contains the required information to process the packet."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 4.4.1.2."; leaf action { type ipsec-spd-action; default "discard"; description "If bypass or discard, container ipsec-sa-cfg is empty."; } container ipsec-sa-cfg { when "../action = 'protect'"; description "IPsec SA configuration included in the SPD entry."; leaf pfp-flag { type boolean; default "false"; description "Each selector has a Populate From Packet (PFP) flag. If asserted for a given selector X, the flag indicates that the IPsec SA to be created should take its value (local IP address, remote IP address, Next Layer Protocol, etc.) for X from the value in the packet. Otherwise, the IPsec SA should take its value(s) for X from the value(s) in the SPD entry."; } leaf ext-seq-num { type boolean; default "false"; description "True if this IPsec SA is using extended sequence numbers. If true, the 64-bit extended sequence number counter is used; if false, the normal 32-bit sequence number counter is used."; } leaf seq-overflow { type boolean; default "false"; description "The flag indicating whether overflow of the sequence number counter should prevent transmission of additional packets on the IPsec SA (false) and, therefore, needs to be rekeyed or whether rollover is permitted (true). If Authenticated Encryption with Associated Data (AEAD) is used (leaf esp-algorithms/encryption/algorithm-type), this flag MUST be false. Setting this flag to true is strongly discouraged."; } leaf stateful-frag-check { type boolean; default "false"; description "Indicates whether (true) or not (false) stateful fragment checking applies to the IPsec SA to be created."; } leaf mode { type ipsec-mode; default "transport"; description "IPsec SA has to be processed in transport or tunnel mode."; } leaf protocol-parameters { type ipsec-protocol-params; default "esp"; description "Security protocol of the IPsec SA. Only ESP is supported, but it could be extended in the future."; } container esp-algorithms { when "../protocol-parameters = 'esp'"; description "Configuration of Encapsulating Security Payload (ESP) parameters and algorithms."; reference "RFC 4303: IP Encapsulating Security Payload (ESP)."; leaf-list integrity { type intr-alg-t; default "0"; ordered-by user; description "Configuration of ESP authentication based on the specified integrity algorithm. With AEAD encryption algorithms, the integrity node is not used."; reference "RFC 4303: IP Encapsulating Security Payload (ESP), Section 3.2."; } list encryption { key "id"; ordered-by user; description "Encryption or AEAD algorithm for the IPsec SAs. This list is ordered following from the higher priority to lower priority. First node of the list will be the algorithm with higher priority. In case the list is empty, then no encryption algorithm is applied (NULL)."; reference "RFC 4303: IP Encapsulating Security Payload (ESP), Section 3.2."; leaf id { type uint16; description "An identifier that unequivocally identifies each entry of the list, i.e., an encryption algorithm and its key length (if required)."; } leaf algorithm-type { type encr-alg-t; default "20"; description "Default value 20 (ENCR_AES_GCM_16)."; } leaf key-length { type uint16; default "128"; description "By default, key length is 128 bits."; } } // list encryption leaf tfc-pad { type boolean; default "false"; description "If Traffic Flow Confidentiality (TFC) padding for ESP encryption can be used (true) or not (false)."; reference "RFC 4303: IP Encapsulating Security Payload (ESP), Section 2.7."; } } // container esp-algorithms container tunnel { when "../mode = 'tunnel'"; description "IPsec tunnel endpoints definition."; leaf local { type inet:ip-address; mandatory true; description "Local IP address' tunnel endpoint."; } leaf remote { type inet:ip-address; mandatory true; description "Remote IP address' tunnel endpoint."; } leaf df-bit { type enumeration { enum "clear" { value 0; description "Disable the Don't Fragment (DF) bit in the outer header. This is the default value."; } enum "set" { value 1; description "Enable the DF bit in the outer header."; } enum "copy" { value 2; description "Copy the DF bit to the outer header."; } } default "clear"; description "Allow configuring the DF bit when encapsulating tunnel mode IPsec traffic. RFC 4301 describes three options to handle the DF bit during tunnel encapsulation: clear, set, and copy from the inner IP header. This MUST be ignored or has no meaning when the local/remote IP addresses are IPv6 addresses."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 8.1."; } leaf bypass-dscp { type boolean; default "true"; description "If true, to copy the Differentiated Services Code Point (DSCP) value from inner header to outer header. If false, to map DSCP values from an inner header to values in an outer header following ../dscp-mapping."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 4.4.1.2."; } list dscp-mapping { must "../bypass-dscp = "false""; key "id"; ordered-by user; description "A list that represents an array with the mapping from the inner DSCP value to outer DSCP value when bypass-dscp is false. To express a default mapping in the list where any other inner dscp value is not matching a node in the list, a new node has to be included at the end of the list where the leaf inner-dscp is not defined (ANY) and the leaf outer-dscp includes the value of the mapping. If there is no value set in the leaf outer-dscp, the default value for this leaf is 0."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 4.4.1.2 and Appendix C."; leaf id { type uint8; description "The index of list with the different mappings."; } leaf inner-dscp { type inet:dscp; description "The DSCP value of the inner IP packet. If this leaf is not defined, it means ANY inner DSCP value."; } leaf outer-dscp { type inet:dscp; default "0"; description "The DSCP value of the outer IP packet."; } } // list dscp-mapping } // container tunnel container traffic-flow-security { description "Configure the IPsec TFS in the Security Association Database (SAD)."; leaf congestion-control { type boolean; default "true"; description "When set to true, the default, this enables the congestion control on-the-wire exchange of data that is required by congestion control algorithms, as defined by RFC 5348. When set to false, IP-TFS sends fixed-size packets over an IP-TFS tunnel at a constant rate."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.4.2; RFC 5348: TCP Friendly Rate Control (TFRC): Protocol Specification"; } container packet-size { description "Packet size is either auto-discovered or manually configured."; leaf use-path-mtu-discovery { type boolean; default "true"; description "Utilize path MTU discovery to determine maximum IP-TFS packet size. If the packet size is explicitly configured, then it will only be adjusted downward if use-path-mtu-discovery is set."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 4.2"; } leaf outer-packet-size { type uint16; units "bytes"; description "On transmission, the size of the outer encapsulating tunnel packet (i.e., the IP packet containing Encapsulating Security Payload (ESP))."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 4.2"; } } // container packet-size choice tunnel-rate { description "The TFS bit rate may be specified at layer 2 wire rate or layer 3 packet rate."; leaf l2-fixed-rate { type yang:gauge64; units "bits/second"; description "On transmission, target bandwidth/bit rate in bits/second for IP-TFS tunnel. This fixed rate is the nominal timing for the fixed-size packet. If congestion control is enabled, the rate may be adjusted down (or up if unset)."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 4.1"; } leaf l3-fixed-rate { type yang:gauge64; units "bits/second"; description "On transmission, target bandwidth/bit rate in bits/second for IP-TFS tunnel. This fixed rate is the nominal timing for the fixed-size packet. If congestion control is enabled, the rate may be adjusted down (or up if unset)."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 4.1"; } } // choice tunnel-rate leaf dont-fragment { type boolean; default "false"; description "On transmission, disable packet fragmentation across consecutive IP-TFS tunnel packets; inner packets larger than what can be transmitted in outer packets will be dropped."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.4 and 6.1.4"; } leaf max-aggregation-time { type decimal64 { fraction-digits 6; } units "milliseconds"; description "On transmission, maximum aggregation time is the maximum length of time a received inner packet can be held prior to transmission in the IP-TFS tunnel. Inner packets that would be held longer than this time, based on the current tunnel configuration, will be dropped rather than be queued for transmission. Maximum aggregation time is configurable in milliseconds or fractional milliseconds down to 1 nanosecond."; } leaf window-size { type uint16 { range "0..65535"; } description "On reception, the maximum number of out-of-order packets that will be reordered by an IP-TFS receiver while performing the reordering operation. The value 0 disables any reordering."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3"; } leaf send-immediately { type boolean; default "false"; description "On reception, send inner packets as soon as possible; do not wait for lost or misordered outer packets. Selecting this option reduces the inner (user) packet delay but can amplify out-of-order delivery of the inner packet stream in the presence of packet aggregation and any reordering."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.5"; } leaf lost-packet-timer-interval { type decimal64 { fraction-digits 6; } units "milliseconds"; description "On reception, this interval defines the length of time an IP-TFS receiver will wait for a missing packet before considering it lost. If not using send-immediately, then each lost packet will delay inner (user) packets until this timer expires. Setting this value too low can impact reordering and reassembly. The value is configurable in milliseconds or fractional milliseconds down to 1 nanosecond."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3"; } } // container traffic-flow-security } // container ipsec-sa-cfg } // container processing-info } // container ipsec-policy-config } // list spd-entry } // container spd container child-sa-info { description "Specific information for IPsec SAs. It includes the Perfect Forward Secrecy (PFS) group and IPsec SAs rekey lifetimes."; leaf-list fs-groups { type fs-group; default "0"; ordered-by user; description "If non-zero, forward secrecy is required when a new IPsec SA is being created, the (non-zero) value indicates the group number to use for the key exchange process used to achieve forward secrecy. This list is ordered following from the higher priority to lower priority. The first node of the list will be the algorithm with higher priority."; } container child-sa-lifetime-soft { description "Soft IPsec SA lifetime. After the lifetime, the action is defined in this container in the leaf action."; leaf time { type uint32; units "seconds"; default "0"; description "Time in seconds since the IPsec SA was added. For example, if this value is 180 seconds, it means the IPsec SA expires in 180 seconds since it was added. The value 0 implies infinite."; } leaf bytes { type uint64; default "0"; description "If the IPsec SA processes the number of bytes expressed in this leaf, the IPsec SA expires and SHOULD be rekeyed. The value 0 implies infinite."; } leaf packets { type uint32; default "0"; description "If the IPsec SA processes the number of packets expressed in this leaf, the IPsec SA expires and SHOULD be rekeyed. The value 0 implies infinite."; } leaf idle { type uint32; units "seconds"; default "0"; description "When an NSF stores an IPsec SA, it consumes system resources. For an idle IPsec SA, this is a waste of resources. If the IPsec SA is idle during this number of seconds, the IPsec SA SHOULD be removed. The value 0 implies infinite."; } leaf action { type nsfikec:lifetime-action; default "replace"; description "When the lifetime of an IPsec SA expires, an action needs to be performed over the IPsec SA that reached the lifetime. There are three possible options: terminate-clear, terminate-hold, and replace."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 4.5 RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2), Section 2.8."; } } // container child-sa-lifetime-soft container child-sa-lifetime-hard { description "IPsec SA lifetime hard. The action will be to terminate the IPsec SA."; reference "RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2), Section 2.8."; leaf time { type uint32; units "seconds"; default "0"; description "Time in seconds since the IPsec SA was added. For example, if this value is 180 seconds, it means the IPsec SA expires in 180 seconds since it was added. The value 0 implies infinite."; } leaf bytes { type uint64; default "0"; description "If the IPsec SA processes the number of bytes expressed in this leaf, the IPsec SA expires and SHOULD be rekeyed. The value 0 implies infinite."; } leaf packets { type uint32; default "0"; description "If the IPsec SA processes the number of packets expressed in this leaf, the IPsec SA expires and SHOULD be rekeyed. The value 0 implies infinite."; } leaf idle { type uint32; units "seconds"; default "0"; description "When an NSF stores an IPsec SA, it consumes system resources. For an idle IPsec SA, this is a waste of resources. If the IPsec SA is idle during this number of seconds, the IPsec SA SHOULD be removed. The value 0 implies infinite."; } } // container child-sa-lifetime-hard container traffic-flow-security { config false; description "Configure the IPsec TFS in the Security Association Database (SAD)."; leaf congestion-control { type boolean; default "true"; description "When set to true, the default, this enables the congestion control on-the-wire exchange of data that is required by congestion control algorithms, as defined by RFC 5348. When set to false, IP-TFS sends fixed-size packets over an IP-TFS tunnel at a constant rate."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.4.2; RFC 5348: TCP Friendly Rate Control (TFRC): Protocol Specification"; } container packet-size { description "Packet size is either auto-discovered or manually configured."; leaf use-path-mtu-discovery { type boolean; default "true"; description "Utilize path MTU discovery to determine maximum IP-TFS packet size. If the packet size is explicitly configured, then it will only be adjusted downward if use-path-mtu-discovery is set."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 4.2"; } leaf outer-packet-size { type uint16; units "bytes"; description "On transmission, the size of the outer encapsulating tunnel packet (i.e., the IP packet containing Encapsulating Security Payload (ESP))."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 4.2"; } } // container packet-size choice tunnel-rate { description "The TFS bit rate may be specified at layer 2 wire rate or layer 3 packet rate."; leaf l2-fixed-rate { type yang:gauge64; units "bits/second"; description "On transmission, target bandwidth/bit rate in bits/second for IP-TFS tunnel. This fixed rate is the nominal timing for the fixed-size packet. If congestion control is enabled, the rate may be adjusted down (or up if unset)."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 4.1"; } leaf l3-fixed-rate { type yang:gauge64; units "bits/second"; description "On transmission, target bandwidth/bit rate in bits/second for IP-TFS tunnel. This fixed rate is the nominal timing for the fixed-size packet. If congestion control is enabled, the rate may be adjusted down (or up if unset)."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 4.1"; } } // choice tunnel-rate leaf dont-fragment { type boolean; default "false"; description "On transmission, disable packet fragmentation across consecutive IP-TFS tunnel packets; inner packets larger than what can be transmitted in outer packets will be dropped."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.4 and 6.1.4"; } leaf max-aggregation-time { type decimal64 { fraction-digits 6; } units "milliseconds"; description "On transmission, maximum aggregation time is the maximum length of time a received inner packet can be held prior to transmission in the IP-TFS tunnel. Inner packets that would be held longer than this time, based on the current tunnel configuration, will be dropped rather than be queued for transmission. Maximum aggregation time is configurable in milliseconds or fractional milliseconds down to 1 nanosecond."; } leaf window-size { type uint16 { range "0..65535"; } description "On reception, the maximum number of out-of-order packets that will be reordered by an IP-TFS receiver while performing the reordering operation. The value 0 disables any reordering."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3"; } leaf send-immediately { type boolean; default "false"; description "On reception, send inner packets as soon as possible; do not wait for lost or misordered outer packets. Selecting this option reduces the inner (user) packet delay but can amplify out-of-order delivery of the inner packet stream in the presence of packet aggregation and any reordering."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.5"; } leaf lost-packet-timer-interval { type decimal64 { fraction-digits 6; } units "milliseconds"; description "On reception, this interval defines the length of time an IP-TFS receiver will wait for a missing packet before considering it lost. If not using send-immediately, then each lost packet will delay inner (user) packets until this timer expires. Setting this value too low can impact reordering and reassembly. The value is configurable in milliseconds or fractional milliseconds down to 1 nanosecond."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3"; } } // container traffic-flow-security container ipsec-stats { if-feature ipsec-stats; config false; description "IPsec per-SA packet counters. tx = outbound, rx = inbound"; leaf tx-pkts { type yang:counter64; config false; description "Outbound Packet count"; } leaf tx-octets { type yang:counter64; config false; description "Outbound Packet bytes"; } leaf tx-drop-pkts { type yang:counter64; config false; description "Outbound dropped packets count"; } leaf rx-pkts { type yang:counter64; config false; description "Inbound Packet count"; } leaf rx-octets { type yang:counter64; config false; description "Inbound Packet bytes"; } leaf rx-drop-pkts { type yang:counter64; config false; description "Inbound dropped packets count"; } } // container ipsec-stats container iptfs-inner-pkt-stats { if-feature iptfs-stats; config false; description "IP-TFS per-SA inner packet counters. tx = outbound, rx = inbound"; leaf tx-pkts { type yang:counter64; config false; description "Total number of IP-TFS inner packets sent. This count is whole packets only. A fragmented packet counts as one packet."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS)"; } leaf tx-octets { type yang:counter64; config false; description "Total number of IP-TFS inner octets sent. This is inner packet octets only. It does not count padding."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS)"; } leaf rx-pkts { type yang:counter64; config false; description "Total number of IP-TFS inner packets received."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2"; } leaf rx-octets { type yang:counter64; config false; description "Total number of IP-TFS inner octets received. It does not include padding or overhead."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2"; } leaf rx-incomplete-pkts { type yang:counter64; config false; description "Total number of IP-TFS inner packets that were incomplete. Usually this is due to fragments that are not received. Also, this may be due to misordering or errors in received outer packets."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS)"; } } // container iptfs-inner-pkt-stats container iptfs-outer-pkt-stats { if-feature iptfs-stats; config false; description "IP-TFS per-SA outer packets counters. tx = outbound, rx = inbound"; leaf tx-all-pad-pkts { type yang:counter64; config false; description "Total number of transmitted IP-TFS packets that were all padding with no inner packet data."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3"; } leaf tx-all-pad-octets { type yang:counter64; config false; description "Total number transmitted octets of padding added to IP-TFS packets with no inner packet data."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3"; } leaf tx-extra-pad-pkts { type yang:counter64; config false; description "Total number of transmitted outer IP-TFS packets that included some padding."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3.1"; } leaf tx-extra-pad-octets { type yang:counter64; config false; description "Total number of transmitted octets of padding added to outer IP-TFS packets with data."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3.1"; } leaf rx-all-pad-pkts { type yang:counter64; config false; description "Total number of received IP-TFS packets that were all padding with no inner packet data."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3"; } leaf rx-all-pad-octets { type yang:counter64; config false; description "Total number of received octets of padding added to IP-TFS packets with no inner packet data."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3"; } leaf rx-extra-pad-pkts { type yang:counter64; config false; description "Total number of received outer IP-TFS packets that included some padding."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3.1"; } leaf rx-extra-pad-octets { type yang:counter64; config false; description "Total number of received octets of padding added to outer IP-TFS packets with data."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3.1"; } leaf rx-errored-pkts { type yang:counter64; config false; description "Total number of IP-TFS outer packets dropped due to errors."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS)"; } leaf rx-missed-pkts { type yang:counter64; config false; description "Total number of IP-TFS outer packets missing, indicated by a missing sequence number."; reference "RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS)"; } } // container iptfs-outer-pkt-stats } // container child-sa-info container state { config false; description "IKE state data for a particular connection."; leaf initiator { type boolean; description "It is acting as an initiator for this connection."; } leaf initiator-ikesa-spi { type ike-spi; description "Initiator's IKE SA SPI."; } leaf responder-ikesa-spi { type ike-spi; description "Responder's IKE SA SPI."; } leaf nat-local { type boolean; description "True if local endpoint is behind a NAT."; } leaf nat-remote { type boolean; description "True if remote endpoint is behind a NAT."; } container encapsulation-type { description "This container provides information about the source and destination ports of encapsulation that IKE is using and the type of encapsulation when NAT traversal is required."; reference "RFC 8229: TCP Encapsulation of IKE and IPsec Packets."; leaf espencap { type esp-encap; default "none"; description "ESP in TCP, ESP in UDP, or ESP in TLS."; } leaf sport { type inet:port-number; default "4500"; description "Encapsulation source port."; } leaf dport { type inet:port-number; default "4500"; description "Encapsulation destination port."; } leaf-list oaddr { type inet:ip-address; description "If required, this is the original address that was used before NAT was applied over the packet."; } } // container encapsulation-type leaf established { type uint64; units "seconds"; description "Seconds since this IKE SA has been established."; } leaf current-rekey-time { type uint64; units "seconds"; description "Seconds before IKE SA is rekeyed."; } leaf current-reauth-time { type uint64; units "seconds"; description "Seconds before IKE SA is reauthenticated."; } } // container state } // list conn-entry container number-ike-sas { config false; description "General information about the IKE SAs. In particular, it provides the current number of IKE SAs."; leaf total { type yang:gauge64; description "Total number of active IKE SAs."; } leaf half-open { type yang:gauge64; description "Number of half-open active IKE SAs."; } leaf half-open-cookies { type yang:gauge64; description "Number of half-open active IKE SAs with cookie activated."; } } // container number-ike-sas } // container ipsec-ike } // module ietf-i2nsf-ike
© 2023 YumaWorks, Inc. All rights reserved.