Common data model for the IKE and IKE-less cases defined by the SDN-based IPsec flow protection service. The key words 'MUST', ...
Version: 2021-07-14
/* ietf-i2nsf-ikec: type definitions shared by the IKE and IKE-less IPsec
 * flow protection models of RFC 9061. The module defines typedefs only (no
 * data nodes). It imports ietf-inet-types with prefix inet, yet none of the
 * typedefs below use that prefix -- presumably kept for the modules that
 * build on these definitions; verify against the importing modules. */
module ietf-i2nsf-ikec { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikec"; prefix nsfikec; import ietf-inet-types { prefix inet; reference "RFC 6991: Common YANG Data Types."; } organization "IETF I2NSF Working Group"; contact "WG Web: <https://datatracker.ietf.org/wg/i2nsf/> WG List: <mailto:i2nsf@ietf.org> Author: Rafael Marin-Lopez <mailto:rafa@um.es> Author: Gabriel Lopez-Millan <mailto:gabilm@um.es> Author: Fernando Pereniguez-Garcia <mailto:fernando.pereniguez@cud.upct.es> "; description "Common data model for the IKE and IKE-less cases defined by the SDN-based IPsec flow protection service. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here. Copyright (c) 2021 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC 9061; see the RFC itself for full legal notices."; revision "2021-07-14" { description "Initial version."; reference "RFC 9061: A YANG Data Model for IPsec Flow Protection Based on Software-Defined Networking (SDN)."; }
/* encr-alg-t: a bare uint16 carrying an IANA IKEv2 Transform Type 1 ID,
 * with no range or enumeration restriction. The RFC 8221/8247 requirement
 * levels cited in the description are therefore NOT enforced by schema
 * validation: any 16-bit value, including unassigned IDs and algorithms
 * whose level is MUST NOT, passes. The controller or NSF that consumes this
 * value must check it against those requirement levels before programming
 * an SA. */
typedef encr-alg-t { type uint16; description "The encryption algorithm is specified with a 16-bit number extracted from the IANA registry. 
The acceptable values MUST follow the requirement levels for encryption algorithms for ESP and IKEv2."; reference "IANA: Internet Key Exchange Version 2 (IKEv2) Parameters, IKEv2 Transform Attribute Types, Transform Type 1 - Encryption Algorithm Transform IDs RFC 8221: Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH) RFC 8247: Algorithm Implementation Requirements and Usage Guidance for the Internet Key Exchange Protocol Version 2 (IKEv2)."; }
/* intr-alg-t: same shape as encr-alg-t, for Transform Type 3 (integrity)
 * IDs. Equally unrestricted at the schema level; the same runtime check
 * against the RFC 8221/8247 requirement levels applies. */
typedef intr-alg-t { type uint16; description "The integrity algorithm is specified with a 16-bit number extracted from the IANA registry. The acceptable values MUST follow the requirement levels for integrity algorithms for ESP and IKEv2."; reference "IANA: Internet Key Exchange Version 2 (IKEv2) Parameters, IKEv2 Transform Attribute Types, Transform Type 3 - Integrity Algorithm Transform IDs RFC 8221: Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH) RFC 8247: Algorithm Implementation Requirements and Usage Guidance for the Internet Key Exchange Protocol Version 2 (IKEv2)."; }
/* ipsec-mode: transport (0) or tunnel (1). Per the description, transport
 * mode offers no NAT support; the NAT-related encapsulations are modelled
 * separately in esp-encap. */
typedef ipsec-mode { type enumeration { enum "transport" { value 0; description "IPsec transport mode. 
No Network Address Translation (NAT) support."; } enum "tunnel" { value 1; description "IPsec tunnel mode."; } } description "Type definition of IPsec mode: transport or tunnel."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 3.2."; }
/* esp-encap: how ESP is wrapped when NAT may sit between two NSFs --
 * in TCP (RFC 8229), in UDP (RFC 3948), or not encapsulated at all. */
typedef esp-encap { type enumeration { enum "espintcp" { value 0; description "ESP in TCP encapsulation."; reference "RFC 8229: TCP Encapsulation of IKE and IPsec Packets."; } enum "espinudp" { value 1; description "ESP in UDP encapsulation."; reference "RFC 3948: UDP Encapsulation of IPsec ESP Packets."; } enum "none" { value 2; description "No ESP encapsulation."; } } description "Types of ESP encapsulation when Network Address Translation (NAT) may be present between two NSFs."; reference "RFC 8229: TCP Encapsulation of IKE and IPsec Packets RFC 3948: UDP Encapsulation of IPsec ESP Packets."; }
/* ipsec-protocol-params: single-valued enumeration -- only ESP (RFC 4303)
 * is modelled; AH is not an option in this version. */
typedef ipsec-protocol-params { type enumeration { enum "esp" { value 0; description "IPsec ESP protocol."; } } description "Only the Encapsulation Security Protocol (ESP) is supported, but it could be extended in the future."; reference "RFC 4303: IP Encapsulating Security Payload (ESP)."; }
/* lifetime-action: disposition of an IPsec SA at lifetime expiry.
 * Note the security difference between the two terminate options:
 * terminate-clear keeps passing packets after the SA is gone (so they are
 * no longer IPsec-protected), terminate-hold drops them, and replace rekeys
 * (RFC 4301, Section 4.5). */
typedef lifetime-action { type enumeration { enum "terminate-clear" { value 0; description "Terminates the IPsec SA and allows the packets through."; } enum "terminate-hold" { value 1; description "Terminates the IPsec SA and drops the packets."; } enum "replace" { value 2; description "Replaces the IPsec SA with a new one: rekey."; } } description "When the lifetime of an IPsec SA expires, an action needs to be performed for the IPsec SA that reached the lifetime. 
There are three possible options: terminate-clear, terminate-hold, and replace."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 4.5."; }
/* ipsec-traffic-direction: inbound (0) or outbound (1), as seen from the
 * NSF (RFC 4301, Section 3.1). */
typedef ipsec-traffic-direction { type enumeration { enum "inbound" { value 0; description "Inbound traffic."; } enum "outbound" { value 1; description "Outbound traffic."; } } description "IPsec traffic direction is defined in two directions: inbound and outbound. From an NSF perspective, inbound and outbound are defined as mentioned in Section 3.1 in RFC 4301."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 3.1."; }
/* ipsec-spd-action: SPD disposition for matching traffic (RFC 4301,
 * Section 4.4.1). bypass forwards the packet with no IPsec protection, so
 * bypass entries warrant the same review as permit rules in a firewall. */
typedef ipsec-spd-action { type enumeration { enum "protect" { value 0; description "PROTECT the traffic with IPsec."; } enum "bypass" { value 1; description "BYPASS the traffic. The packet is forwarded without IPsec protection."; } enum "discard" { value 2; description "DISCARD the traffic. The IP packet is discarded."; } } description "The action when traffic matches an IPsec security policy. According to RFC 4301, there are three possible values: BYPASS, PROTECT, and DISCARD."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 4.4.1."; }
/* ipsec-inner-protocol: union of uint8 (an IANA protocol number, 0-255)
 * and the enum "any" (value 256, which cannot collide with any uint8).
 * Union members are tried in declaration order, so a numeric value resolves
 * to uint8 and the string "any" to the enumeration. The default is "any":
 * a policy that omits the protocol matches every IP protocol in the
 * payload, i.e. the widest possible match -- check that callers set it
 * deliberately rather than by omission. */
typedef ipsec-inner-protocol { type union { type uint8; type enumeration { enum "any" { value 256; description "Any IP protocol number value."; } } } default "any"; description "IPsec protection can be applied to specific IP traffic and Layer 4 traffic (TCP, UDP, SCTP, etc.) or ANY protocol in the IP packet payload. The IP protocol number is specified with a uint8 or ANY defining an enumerate with value 256 to indicate the protocol number. Note that in case of IPv6, the protocol in the IP packet payload is indicated in the Next Header field of the IPv6 packet."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 4.4.1.1 IANA: Protocol Numbers."; } } // module ietf-i2nsf-ikec