The encryption algorithm is specified with a 16-bit
number extracted from the IANA registry. The acceptable
values MUST follow the requirement levels for
encryption algorithms for ESP and IKEv2.
esp-encap
enumeration
Types of ESP encapsulation when Network Address
Translation (NAT) may be present between two NSFs.
intr-alg-t
uint16
The integrity algorithm is specified with a 16-bit
number extracted from the IANA registry.
The acceptable values MUST follow the requirement
levels for integrity algorithms for ESP and IKEv2.
ipsec-inner-protocol
union
IPsec protection can be applied to specific IP
traffic and Layer 4 traffic (TCP, UDP, SCTP, etc.)
or ANY protocol in the IP packet payload.
The IP protocol number is specified either as a uint8
or as ANY, which is defined as an enumeration with
value 256, to indicate the protocol number. Note that
in the case of IPv6, the protocol in the IP packet
payload is indicated in the Next Header field of the
IPv6 packet.
ipsec-mode
enumeration
Type definition of IPsec mode: transport or
tunnel.
ipsec-protocol-params
enumeration
Only the Encapsulation Security Protocol (ESP) is
supported, but it could be extended in the future.
ipsec-spd-action
enumeration
The action when traffic matches an IPsec security
policy. According to RFC 4301, there are three
possible values: BYPASS, PROTECT, and DISCARD.
ipsec-traffic-direction
enumeration
IPsec traffic has two possible directions:
inbound and outbound.
From an NSF perspective, inbound and
outbound are defined as described
in Section 3.1 of RFC 4301.
lifetime-action
enumeration
When the lifetime of an IPsec SA expires, an action
needs to be performed for the IPsec SA that
reached the lifetime. There are three possible
options: terminate-clear, terminate-hold, and
replace.
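
The ipsec-inner-protocol description above, as an added example (not part of the YANG module or its RFC): a Python sketch that validates a selector value (a uint8 or ANY) and compares it with the payload protocol read from the IPv4 Protocol field or the IPv6 Next Header field. It goes beyond the text by skipping IPv6 extension headers; the function names and sample packets are constructed for illustration.

```python
ANY = 256  # value of the ANY enum in the ipsec-inner-protocol union (from the description above)

# IPv6 extension headers laid out as (next header, hdr ext len, ...) per RFC 8200
_EXT_TLV = {0, 43, 60}  # hop-by-hop, routing, destination options
_EXT_FRAGMENT = 44      # fragment header, always 8 bytes

# Constructed sample packets (headers only, checksums not filled in)
IPV4_TCP = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0]) + bytes(8)
IPV6_HBH_UDP = bytes([0x60, 0, 0, 0, 0, 8, 0, 64]) + bytes(32) + bytes([17, 0]) + bytes(6)


def parse_selector(value):
    """Validate a configured ipsec-inner-protocol value: 'any' or 0..255."""
    if isinstance(value, str) and value.lower() == "any":
        return ANY
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 255:
        raise ValueError(f"not a uint8 or 'any': {value!r}")
    return value


def inner_protocol(packet: bytes) -> int:
    """Return the protocol number of the IP payload of an IPv4 or IPv6 packet."""
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 4:
        if len(packet) < 20:
            raise ValueError("truncated IPv4 header")
        return packet[9]                  # IPv4 Protocol field
    if version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        nxt, off = packet[6], 40          # IPv6 Next Header field
        while nxt in _EXT_TLV or nxt == _EXT_FRAGMENT:
            if off + 8 > len(packet):
                raise ValueError("truncated extension header")
            size = 8 if nxt == _EXT_FRAGMENT else (packet[off + 1] + 1) * 8
            nxt, off = packet[off], off + size
        return nxt
    raise ValueError(f"unknown IP version {version}")


def selector_matches(selector, packet: bytes) -> bool:
    """True when the selector is ANY or equals the packet's payload protocol."""
    sel = parse_selector(selector)
    return sel == ANY or sel == inner_protocol(packet)
```

The integer 256 is rejected as a configured value on purpose: in this sketch ANY is selected by name, and 256 only serves as its internal value outside the uint8 range.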