Data model for IKE-less case in the SDN-based IPsec flow protection service. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHA...
Version: 2021-07-14
module ietf-i2nsf-ikeless { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless"; prefix nsfikels; import ietf-inet-types { prefix inet; reference "RFC 6991: Common YANG Data Types."; } import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types."; } import ietf-i2nsf-ikec { prefix nsfikec; reference "RFC 9061: A YANG Data Model for IPsec Flow Protection Based on Software-Defined Networking (SDN)."; } import ietf-netconf-acm { prefix nacm; reference "RFC 8341: Network Configuration Access Control Model."; } organization "IETF I2NSF Working Group"; contact "WG Web: <https://datatracker.ietf.org/wg/i2nsf/> WG List: <mailto:i2nsf@ietf.org> Author: Rafael Marin-Lopez <mailto:rafa@um.es> Author: Gabriel Lopez-Millan <mailto:gabilm@um.es> Author: Fernando Pereniguez-Garcia <mailto:fernando.pereniguez@cud.upct.es> "; description "Data model for IKE-less case in the SDN-based IPsec flow protection service. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here. Copyright (c) 2021 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC 9061; see the RFC itself for full legal notices."; revision "2021-07-14" { description "Initial version."; reference "RFC 9061: A YANG Data Model for IPsec Flow Protection Based on Software-Defined Networking (SDN)."; } feature ikeless-notification { description "This feature indicates that the server supports generating notifications in the ikeless module. To ensure broader applicability of this module, the notifications are marked as a feature. For the implementation of the IKE-less case, the NSF is expected to implement this feature."; } container ipsec-ikeless { description "Container for configuration of the IKE-less case. The container contains two additional containers: 'spd' and 'sad'. The first allows the I2NSF Controller to configure IPsec policies in the Security Policy Database (SPD), and the second allows the I2NSF Controller to configure IPsec Security Associations (IPsec SAs) in the Security Association Database (SAD)."; reference "RFC 4301: Security Architecture for the Internet Protocol."; container spd { description "Configuration of the Security Policy Database (SPD)."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 4.4.1.2."; list spd-entry { key "name"; ordered-by user; description "The SPD is represented as a list of SPD entries, where each SPD entry represents an IPsec policy."; leaf name { type string; description "SPD-entry-unique name to identify this entry."; } leaf direction { type nsfikec:ipsec-traffic-direction; mandatory true; description "Inbound traffic or outbound traffic. In the IKE-less case, the I2NSF Controller needs to specify the policy direction to be applied in the NSF. In the IKE case, this direction does not need to be specified, since IKE will determine the direction that the IPsec policy will require."; } leaf reqid { type uint64; default "0"; description "This value allows linking this IPsec policy with IPsec SAs with the same reqid. It is only required in the IKE-less model since, in the IKE case, this link is handled internally by IKE."; } container ipsec-policy-config { description "This container carries the configuration of an IPsec policy."; leaf anti-replay-window-size { type uint32; default "64"; description "To set the anti-replay window size. The default value is set to 64, following the recommendation in RFC 4303."; reference "RFC 4303: IP Encapsulating Security Payload (ESP), Section 3.4.3."; } container traffic-selector { description "Packets are selected for processing actions based on Traffic Selector values, which refer to IP and inner protocol header information."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 4.4.4.1."; leaf local-prefix { type inet:ip-prefix; mandatory true; description "Local IP address prefix."; } leaf remote-prefix { type inet:ip-prefix; mandatory true; description "Remote IP address prefix."; } leaf inner-protocol { type ipsec-inner-protocol; default "any"; description "Inner protocol that is going to be protected with IPsec."; } list local-ports { key "start end"; description "List of local ports. When the inner protocol is ICMP, this 16-bit value represents code and type. If this list is not defined, it is assumed that start and end are 0 by default (any port)."; leaf start { type inet:port-number; description "Start port number."; } leaf end { type inet:port-number; must ". >= ../start" { error-message "The end port number MUST be equal or greater than the start port number."; } description "End port number. To express a single port, set the same value as start and end."; } } // list local-ports list remote-ports { key "start end"; description "List of remote ports. When the upper layer protocol is ICMP, this 16-bit value represents code and type. If this list is not defined, it is assumed that start and end are 0 by default (any port)."; leaf start { type inet:port-number; description "Start port number."; } leaf end { type inet:port-number; must ". >= ../start" { error-message "The end port number MUST be equal or greater than the start port number."; } description "End port number. To express a single port, set the same value as start and end."; } } // list remote-ports } // container traffic-selector container processing-info { description "SPD processing. If the required processing action is protect, it contains the required information to process the packet."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 4.4.1.2."; leaf action { type ipsec-spd-action; default "discard"; description "If bypass or discard, container ipsec-sa-cfg is empty."; } container ipsec-sa-cfg { when "../action = 'protect'"; description "IPsec SA configuration included in the SPD entry."; leaf pfp-flag { type boolean; default "false"; description "Each selector has a Populate From Packet (PFP) flag. If asserted for a given selector X, the flag indicates that the IPsec SA to be created should take its value (local IP address, remote IP address, Next Layer Protocol, etc.) for X from the value in the packet. Otherwise, the IPsec SA should take its value(s) for X from the value(s) in the SPD entry."; } leaf ext-seq-num { type boolean; default "false"; description "True if this IPsec SA is using extended sequence numbers. If true, the 64-bit extended sequence number counter is used; if false, the normal 32-bit sequence number counter is used."; } leaf seq-overflow { type boolean; default "false"; description "The flag indicating whether overflow of the sequence number counter should prevent transmission of additional packets on the IPsec SA (false) and, therefore, needs to be rekeyed or whether rollover is permitted (true). If Authenticated Encryption with Associated Data (AEAD) is used (leaf esp-algorithms/encryption/algorithm-type), this flag MUST be false. Setting this flag to true is strongly discouraged."; } leaf stateful-frag-check { type boolean; default "false"; description "Indicates whether (true) or not (false) stateful fragment checking applies to the IPsec SA to be created."; } leaf mode { type ipsec-mode; default "transport"; description "IPsec SA has to be processed in transport or tunnel mode."; } leaf protocol-parameters { type ipsec-protocol-params; default "esp"; description "Security protocol of the IPsec SA. Only ESP is supported, but it could be extended in the future."; } container esp-algorithms { when "../protocol-parameters = 'esp'"; description "Configuration of Encapsulating Security Payload (ESP) parameters and algorithms."; reference "RFC 4303: IP Encapsulating Security Payload (ESP)."; leaf-list integrity { type intr-alg-t; default "0"; ordered-by user; description "Configuration of ESP authentication based on the specified integrity algorithm. With AEAD encryption algorithms, the integrity node is not used."; reference "RFC 4303: IP Encapsulating Security Payload (ESP), Section 3.2."; } list encryption { key "id"; ordered-by user; description "Encryption or AEAD algorithm for the IPsec SAs. This list is ordered following from the higher priority to lower priority. First node of the list will be the algorithm with higher priority. In case the list is empty, then no encryption algorithm is applied (NULL)."; reference "RFC 4303: IP Encapsulating Security Payload (ESP), Section 3.2."; leaf id { type uint16; description "An identifier that unequivocally identifies each entry of the list, i.e., an encryption algorithm and its key length (if required)."; } leaf algorithm-type { type encr-alg-t; default "20"; description "Default value 20 (ENCR_AES_GCM_16)."; } leaf key-length { type uint16; default "128"; description "By default, key length is 128 bits."; } } // list encryption leaf tfc-pad { type boolean; default "false"; description "If Traffic Flow Confidentiality (TFC) padding for ESP encryption can be used (true) or not (false)."; reference "RFC 4303: IP Encapsulating Security Payload (ESP), Section 2.7."; } } // container esp-algorithms container tunnel { when "../mode = 'tunnel'"; description "IPsec tunnel endpoints definition."; leaf local { type inet:ip-address; mandatory true; description "Local IP address' tunnel endpoint."; } leaf remote { type inet:ip-address; mandatory true; description "Remote IP address' tunnel endpoint."; } leaf df-bit { type enumeration { enum "clear" { value 0; description "Disable the Don't Fragment (DF) bit in the outer header. This is the default value."; } enum "set" { value 1; description "Enable the DF bit in the outer header."; } enum "copy" { value 2; description "Copy the DF bit to the outer header."; } } default "clear"; description "Allow configuring the DF bit when encapsulating tunnel mode IPsec traffic. RFC 4301 describes three options to handle the DF bit during tunnel encapsulation: clear, set, and copy from the inner IP header. This MUST be ignored or has no meaning when the local/remote IP addresses are IPv6 addresses."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 8.1."; } leaf bypass-dscp { type boolean; default "true"; description "If true, to copy the Differentiated Services Code Point (DSCP) value from inner header to outer header. If false, to map DSCP values from an inner header to values in an outer header following ../dscp-mapping."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 4.4.1.2."; } list dscp-mapping { must "../bypass-dscp = "false""; key "id"; ordered-by user; description "A list that represents an array with the mapping from the inner DSCP value to outer DSCP value when bypass-dscp is false. To express a default mapping in the list where any other inner dscp value is not matching a node in the list, a new node has to be included at the end of the list where the leaf inner-dscp is not defined (ANY) and the leaf outer-dscp includes the value of the mapping. If there is no value set in the leaf outer-dscp, the default value for this leaf is 0."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 4.4.1.2 and Appendix C."; leaf id { type uint8; description "The index of list with the different mappings."; } leaf inner-dscp { type inet:dscp; description "The DSCP value of the inner IP packet. If this leaf is not defined, it means ANY inner DSCP value."; } leaf outer-dscp { type inet:dscp; default "0"; description "The DSCP value of the outer IP packet."; } } // list dscp-mapping } // container tunnel } // container ipsec-sa-cfg } // container processing-info } // container ipsec-policy-config } // list spd-entry } // container spd container sad { description "Configuration of the IPsec Security Association Database (SAD)."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 4.4.2.1."; list sad-entry { key "name"; ordered-by user; description "List of SAD entries that form the SAD."; leaf name { type string; description "SAD-entry-unique name to identify this entry."; } leaf reqid { type uint64; default "0"; description "This value allows linking this IPsec SA with an IPsec policy with the same reqid."; } container ipsec-sa-config { description "This container allows configuring details of an IPsec SA."; leaf spi { type uint32 { range "0..max"; } mandatory true; description "IPsec SA of Security Parameter Index (SPI)."; } leaf ext-seq-num { type boolean; default "true"; description "True if this IPsec SA is using extended sequence numbers. If true, the 64-bit extended sequence number counter is used; if false, the normal 32-bit sequence number counter is used."; } leaf seq-overflow { type boolean; default "false"; description "The flag indicating whether overflow of the sequence number counter should prevent transmission of additional packets on the IPsec SA (false) and, therefore, needs to be rekeyed or whether rollover is permitted (true). If Authenticated Encryption with Associated Data (AEAD) is used (leaf esp-algorithms/encryption/algorithm-type), this flag MUST BE false. Setting this flag to true is strongly discouraged."; } leaf anti-replay-window-size { type uint32; default "64"; description "To set the anti-replay window size. The default value is set to 64, following the recommendation in RFC 4303."; reference "RFC 4303: IP Encapsulating Security Payload (ESP), Section 3.4.3."; } container traffic-selector { description "The IPsec SA Traffic Selector."; leaf local-prefix { type inet:ip-prefix; mandatory true; description "Local IP address prefix."; } leaf remote-prefix { type inet:ip-prefix; mandatory true; description "Remote IP address prefix."; } leaf inner-protocol { type ipsec-inner-protocol; default "any"; description "Inner protocol that is going to be protected with IPsec."; } list local-ports { key "start end"; description "List of local ports. When the inner protocol is ICMP, this 16-bit value represents code and type. If this list is not defined, it is assumed that start and end are 0 by default (any port)."; leaf start { type inet:port-number; description "Start port number."; } leaf end { type inet:port-number; must ". >= ../start" { error-message "The end port number MUST be equal or greater than the start port number."; } description "End port number. To express a single port, set the same value as start and end."; } } // list local-ports list remote-ports { key "start end"; description "List of remote ports. When the upper layer protocol is ICMP, this 16-bit value represents code and type. If this list is not defined, it is assumed that start and end are 0 by default (any port)."; leaf start { type inet:port-number; description "Start port number."; } leaf end { type inet:port-number; must ". >= ../start" { error-message "The end port number MUST be equal or greater than the start port number."; } description "End port number. To express a single port, set the same value as start and end."; } } // list remote-ports } // container traffic-selector leaf protocol-parameters { type nsfikec:ipsec-protocol-params; default "esp"; description "Security protocol of IPsec SA, only ESP so far."; } leaf mode { type nsfikec:ipsec-mode; default "transport"; description "Tunnel or transport mode."; } container esp-sa { when "../protocol-parameters = 'esp'"; description "In case the IPsec SA is an Encapsulation Security Payload (ESP), it is required to specify encryption and integrity algorithms and key materials."; container encryption { description "Configuration of encryption or AEAD algorithm for IPsec Encapsulation Security Payload (ESP)."; leaf encryption-algorithm { type nsfikec:encr-alg-t; default "12"; description "Configuration of ESP encryption. With AEAD algorithms, the integrity-algorithm leaf is not used."; } leaf key { nacm:default-deny-all; type yang:hex-string; description "ESP encryption key value. If this leaf is not defined, the key is not defined (e.g., encryption is NULL). The key length is determined by the length of the key set in this leaf. By default, it is 128 bits."; } leaf iv { nacm:default-deny-all; type yang:hex-string; description "ESP encryption IV value. If this leaf is not defined, the IV is not defined (e.g., encryption is NULL)."; } } // container encryption container integrity { description "Configuration of integrity for IPsec Encapsulation Security Payload (ESP). This container allows configuration of integrity algorithms when no AEAD algorithms are used and integrity is required."; leaf integrity-algorithm { type nsfikec:intr-alg-t; default "12"; description "Message Authentication Code (MAC) algorithm to provide integrity in ESP (default AUTH_HMAC_SHA2_256_128). With AEAD algorithms, the integrity leaf is not used."; } leaf key { nacm:default-deny-all; type yang:hex-string; description "ESP integrity key value. If this leaf is not defined, the key is not defined (e.g., AEAD algorithm is chosen and integrity algorithm is not required). The key length is determined by the length of the key configured."; } } // container integrity } // container esp-sa container sa-lifetime-hard { description "IPsec SA hard lifetime. The action associated is terminate and hold."; leaf time { type uint32; units "seconds"; default "0"; description "Time in seconds since the IPsec SA was added. For example, if this value is 180 seconds, it means the IPsec SA expires in 180 seconds since it was added. The value 0 implies infinite."; } leaf bytes { type uint64; default "0"; description "If the IPsec SA processes the number of bytes expressed in this leaf, the IPsec SA expires and SHOULD be rekeyed. The value 0 implies infinite."; } leaf packets { type uint32; default "0"; description "If the IPsec SA processes the number of packets expressed in this leaf, the IPsec SA expires and SHOULD be rekeyed. The value 0 implies infinite."; } leaf idle { type uint32; units "seconds"; default "0"; description "When an NSF stores an IPsec SA, it consumes system resources. For an idle IPsec SA, this is a waste of resources. If the IPsec SA is idle during this number of seconds, the IPsec SA SHOULD be removed. The value 0 implies infinite."; } } // container sa-lifetime-hard container sa-lifetime-soft { description "IPsec SA soft lifetime."; leaf time { type uint32; units "seconds"; default "0"; description "Time in seconds since the IPsec SA was added. For example, if this value is 180 seconds, it means the IPsec SA expires in 180 seconds since it was added. The value 0 implies infinite."; } leaf bytes { type uint64; default "0"; description "If the IPsec SA processes the number of bytes expressed in this leaf, the IPsec SA expires and SHOULD be rekeyed. The value 0 implies infinite."; } leaf packets { type uint32; default "0"; description "If the IPsec SA processes the number of packets expressed in this leaf, the IPsec SA expires and SHOULD be rekeyed. The value 0 implies infinite."; } leaf idle { type uint32; units "seconds"; default "0"; description "When an NSF stores an IPsec SA, it consumes system resources. For an idle IPsec SA, this is a waste of resources. If the IPsec SA is idle during this number of seconds, the IPsec SA SHOULD be removed. The value 0 implies infinite."; } leaf action { type nsfikec:lifetime-action; description "Action lifetime: terminate-clear, terminate-hold, or replace."; } } // container sa-lifetime-soft container tunnel { when "../mode = 'tunnel'"; description "Endpoints of the IPsec tunnel."; leaf local { type inet:ip-address; mandatory true; description "Local IP address' tunnel endpoint."; } leaf remote { type inet:ip-address; mandatory true; description "Remote IP address' tunnel endpoint."; } leaf df-bit { type enumeration { enum "clear" { value 0; description "Disable the Don't Fragment (DF) bit in the outer header. This is the default value."; } enum "set" { value 1; description "Enable the DF bit in the outer header."; } enum "copy" { value 2; description "Copy the DF bit to the outer header."; } } default "clear"; description "Allow configuring the DF bit when encapsulating tunnel mode IPsec traffic. RFC 4301 describes three options to handle the DF bit during tunnel encapsulation: clear, set, and copy from the inner IP header. This MUST be ignored or has no meaning when the local/remote IP addresses are IPv6 addresses."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 8.1."; } leaf bypass-dscp { type boolean; default "true"; description "If true, to copy the Differentiated Services Code Point (DSCP) value from inner header to outer header. If false, to map DSCP values from an inner header to values in an outer header following ../dscp-mapping."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 4.4.1.2."; } list dscp-mapping { must "../bypass-dscp = "false""; key "id"; ordered-by user; description "A list that represents an array with the mapping from the inner DSCP value to outer DSCP value when bypass-dscp is false. To express a default mapping in the list where any other inner dscp value is not matching a node in the list, a new node has to be included at the end of the list where the leaf inner-dscp is not defined (ANY) and the leaf outer-dscp includes the value of the mapping. If there is no value set in the leaf outer-dscp, the default value for this leaf is 0."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 4.4.1.2 and Appendix C."; leaf id { type uint8; description "The index of list with the different mappings."; } leaf inner-dscp { type inet:dscp; description "The DSCP value of the inner IP packet. If this leaf is not defined, it means ANY inner DSCP value."; } leaf outer-dscp { type inet:dscp; default "0"; description "The DSCP value of the outer IP packet."; } } // list dscp-mapping leaf-list dscp-values { type inet:dscp; description "DSCP values allowed for ingress packets carried over this IPsec SA. If no values are specified, no DSCP-specific filtering is applied. When ../bypass-dscp is false and a dscp-mapping is defined, each value here would be the same as the 'inner' DSCP value for the DSCP mapping (list dscp-mapping)."; reference "RFC 4301: Security Architecture for the Internet Protocol, Section 4.4.2.1."; } } // container tunnel container encapsulation-type { description "This container carries configuration information about the source and destination ports that will be used for ESP encapsulation of ESP packets and the type of encapsulation when NAT traversal is in place."; leaf espencap { type esp-encap; default "none"; description "ESP in TCP, ESP in UDP, or ESP in TLS."; } leaf sport { type inet:port-number; default "4500"; description "Encapsulation source port."; } leaf dport { type inet:port-number; default "4500"; description "Encapsulation destination port."; } leaf-list oaddr { type inet:ip-address; description "If required, this is the original address that was used before NAT was applied over the packet."; } } // container encapsulation-type } // container ipsec-sa-config container ipsec-sa-state { config false; description "Container describing IPsec SA state data."; container sa-lifetime-current { description "SAD lifetime current."; leaf time { type uint32; units "seconds"; default "0"; description "Time in seconds since the IPsec SA was added. For example, if this value is 180 seconds, it means the IPsec SA expires in 180 seconds since it was added. The value 0 implies infinite."; } leaf bytes { type uint64; default "0"; description "If the IPsec SA processes the number of bytes expressed in this leaf, the IPsec SA expires and SHOULD be rekeyed. The value 0 implies infinite."; } leaf packets { type uint32; default "0"; description "If the IPsec SA processes the number of packets expressed in this leaf, the IPsec SA expires and SHOULD be rekeyed. The value 0 implies infinite."; } leaf idle { type uint32; units "seconds"; default "0"; description "When an NSF stores an IPsec SA, it consumes system resources. For an idle IPsec SA, this is a waste of resources. If the IPsec SA is idle during this number of seconds, the IPsec SA SHOULD be removed. The value 0 implies infinite."; } } // container sa-lifetime-current container replay-stats { description "State data about the anti-replay window."; container replay-window { description "This container contains three parameters that define the state of the replay window: window size (w), highest sequence number authenticated (t), and lower bound of the window (b), according to Appendix A2.1 in RFC 4303 (w = t - b + 1)."; reference "RFC 4303: IP Encapsulating Security Payload (ESP), Appendix A."; leaf w { type uint32; description "Size of the replay window."; } leaf t { type uint64; description "Highest sequence number authenticated so far, upper bound of window."; } leaf b { type uint64; description "Lower bound of window."; } } // container replay-window leaf packet-dropped { type yang:counter64; description "Packets dropped because they are replay packets."; } leaf failed { type yang:counter64; description "Number of packets detected out of the replay window."; } leaf seq-number-counter { type uint64; description "A 64-bit counter when this IPsec SA is using Extended Sequence Number or 32-bit counter when it is not. Current value of sequence number."; } } // container replay-stats } // container ipsec-sa-state } // list sad-entry } // container sad } // container ipsec-ikeless notification sadb-acquire { if-feature ikeless-notification; description "The NSF detects and notifies that an IPsec SA is required for an outbound IP packet that has matched an SPD entry. The traffic-selector container in this notification contains information about the IP packet that triggered this notification."; leaf ipsec-policy-name { type string; mandatory true; description "It contains the SPD entry name (unique) of the IPsec policy that hits the IP-packet-required IPsec SA. It is assumed the I2NSF Controller will have a copy of the information of this policy so it can extract all the information with this unique identifier. The type of IPsec SA is defined in the policy so the security controller can also know the type of IPsec SA that MUST be generated."; } container traffic-selector { description "The IP packet that triggered the acquire and requires an IPsec SA. Specifically, it will contain the IP source/mask and IP destination/mask, protocol (udp, tcp, etc.), and source and destination ports."; leaf local-prefix { type inet:ip-prefix; mandatory true; description "Local IP address prefix."; } leaf remote-prefix { type inet:ip-prefix; mandatory true; description "Remote IP address prefix."; } leaf inner-protocol { type ipsec-inner-protocol; default "any"; description "Inner protocol that is going to be protected with IPsec."; } list local-ports { key "start end"; description "List of local ports. When the inner protocol is ICMP, this 16-bit value represents code and type. If this list is not defined, it is assumed that start and end are 0 by default (any port)."; leaf start { type inet:port-number; description "Start port number."; } leaf end { type inet:port-number; must ". >= ../start" { error-message "The end port number MUST be equal or greater than the start port number."; } description "End port number. To express a single port, set the same value as start and end."; } } // list local-ports list remote-ports { key "start end"; description "List of remote ports. When the upper layer protocol is ICMP, this 16-bit value represents code and type. If this list is not defined, it is assumed that start and end are 0 by default (any port)."; leaf start { type inet:port-number; description "Start port number."; } leaf end { type inet:port-number; must ". >= ../start" { error-message "The end port number MUST be equal or greater than the start port number."; } description "End port number. To express a single port, set the same value as start and end."; } } // list remote-ports } // container traffic-selector } // notification sadb-acquire notification sadb-expire { if-feature ikeless-notification; description "An IPsec SA expiration (soft or hard)."; leaf ipsec-sa-name { type string; mandatory true; description "It contains the SAD entry name (unique) of the IPsec SA that is about to expire. It is assumed the I2NSF Controller will have a copy of the IPsec SA information (except the cryptographic material and state data) indexed by this name (unique identifier) so it can know all the information (crypto algorithms, etc.) about the IPsec SA that has expired in order to perform a rekey (soft lifetime) or delete it (hard lifetime) with this unique identifier."; } leaf soft-lifetime-expire { type boolean; default "true"; description "If this value is true, the lifetime expired is soft. If it is false, the lifetime is hard."; } container lifetime-current { description "IPsec SA current lifetime. If soft-lifetime-expired is true, this container is set with the lifetime information about current soft lifetime. It can help the NSF Controller to know which of the (soft) lifetime limits raised the event: time, bytes, packets, or idle."; leaf time { type uint32; units "seconds"; default "0"; description "Time in seconds since the IPsec SA was added. For example, if this value is 180 seconds, it means the IPsec SA expires in 180 seconds since it was added. The value 0 implies infinite."; } leaf bytes { type uint64; default "0"; description "If the IPsec SA processes the number of bytes expressed in this leaf, the IPsec SA expires and SHOULD be rekeyed. The value 0 implies infinite."; } leaf packets { type uint32; default "0"; description "If the IPsec SA processes the number of packets expressed in this leaf, the IPsec SA expires and SHOULD be rekeyed. The value 0 implies infinite."; } leaf idle { type uint32; units "seconds"; default "0"; description "When an NSF stores an IPsec SA, it consumes system resources. For an idle IPsec SA, this is a waste of resources. If the IPsec SA is idle during this number of seconds, the IPsec SA SHOULD be removed. The value 0 implies infinite."; } } // container lifetime-current } // notification sadb-expire notification sadb-seq-overflow { if-feature ikeless-notification; description "Sequence overflow notification."; leaf ipsec-sa-name { type string; mandatory true; description "It contains the SAD entry name (unique) of the IPsec SA that is about to have a sequence number overflow, and rollover is not permitted. When the NSF issues this event before reaching a sequence number, overflow is implementation specific and out of scope of this specification. It is assumed the I2NSF Controller will have a copy of the IPsec SA information (except the cryptographic material and state data) indexed by this name (unique identifier) so it can know all the information (crypto algorithms, etc.) about the IPsec SA in order to perform a rekey of the IPsec SA."; } } // notification sadb-seq-overflow notification sadb-bad-spi { if-feature ikeless-notification; description "Notify when the NSF receives a packet with an incorrect SPI (i.e., not present in the SAD)."; leaf spi { type uint32 { range "0..max"; } mandatory true; description "SPI number contained in the erroneous IPsec packet."; } } // notification sadb-bad-spi } // module ietf-i2nsf-ikeless
© 2023 YumaWorks, Inc. All rights reserved.