| < draft-fedyk-ipsecme-yang-iptfs-01.txt | draft-fedyk-ipsecme-yang-iptfs-02.txt > | |||
|---|---|---|---|---|
| Network Working Group D. Fedyk | Network Working Group D. Fedyk | |||
| Internet-Draft C. Hopps | Internet-Draft C. Hopps | |||
| Intended status: Standards Track LabN Consulting, L.L.C. | Intended status: Standards Track LabN Consulting, L.L.C. | |||
| Expires: May 19, 2021 November 15, 2020 | Expires: August 26, 2021 February 22, 2021 | |||
| IP Traffic Flow Security YANG Module | IP Traffic Flow Security YANG Module | |||
| draft-fedyk-ipsecme-yang-iptfs-01 | draft-fedyk-ipsecme-yang-iptfs-02 | |||
| Abstract | Abstract | |||
| This document describes a yang module for the management of IP | This document describes a yang module for the management of IP | |||
| Traffic Flow Security additions to IKEv2 and IPsec. | Traffic Flow Security additions to IKEv2 and IPsec. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| skipping to change at page 1, line 31 ¶ | skipping to change at page 1, line 31 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 19, 2021. | This Internet-Draft will expire on August 26, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Terminology & Concepts . . . . . . . . . . . . . . . . . 2 | 1.1. Terminology & Concepts . . . . . . . . . . . . . . . . . 3 | |||
| 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. YANG Management . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. YANG Management . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.1. YANG Tree . . . . . . . . . . . . . . . . . . . . . . . . 5 | 3.1. YANG Tree . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 7 | 3.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 4.1. Updates to the IETF XML Registry . . . . . . . . . . . . 17 | 4.1. Updates to the IETF XML Registry . . . . . . . . . . . . 18 | |||
| 4.2. Updates to the YANG Module Names Registry . . . . . . . . 17 | 4.2. Updates to the YANG Module Names Registry . . . . . . . . 18 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 17 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 18 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 19 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 19 | 7.2. Informative References . . . . . . . . . . . . . . . . . 20 | |||
| Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 19 | Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| A.1. Example XML Configuration . . . . . . . . . . . . . . . . 19 | A.1. Example XML Configuration . . . . . . . . . . . . . . . . 21 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25 | A.2. Example XML Operational Data . . . . . . . . . . . . . . 22 | |||
| A.3. Example JSON Configuration . . . . . . . . . . . . . . . 23 | ||||
| A.4. Example JSON Operational Data . . . . . . . . . . . . . . 24 | ||||
| A.5. Example JSON Operational Statistics . . . . . . . . . . . 25 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27 | ||||
| 1. Introduction | 1. Introduction | |||
| This document defines a YANG module [RFC7950] for the management of | This document defines a YANG module [RFC7950] for the management of | |||
| the IP Traffic Flow Security (IP-TFS) extensions as defined in | the IP Traffic Flow Security (IP-TFS) extensions as defined in | |||
| [I-D.ietf-ipsecme-iptfs]. IP-TFS provides enhancements to an IPsec | [I-D.ietf-ipsecme-iptfs]. IP-TFS provides enhancements to an IPsec | |||
| tunnel Security Association to provide improved traffic | tunnel Security Association to provide improved traffic | |||
| confidentiality. Traffic confidentiality reduces the ability of | confidentiality. Traffic confidentiality reduces the ability of | |||
| traffic analysis to determine identity and correlate observable | traffic analysis to determine identity and correlate observable | |||
| traffic patterns. IP-TFS offers efficiency when aggregating traffic | traffic patterns. IP-TFS offers efficiency when aggregating traffic | |||
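Review bot: The Abstract still reads "describes a yang module" in both columns while the Introduction and the rest of the draft use the capitalized "YANG module"; fix the capitalization in the Abstract. The new Table of Contents entries A.2 through A.5 (XML operational data, JSON configuration, JSON operational data, JSON operational statistics) are a welcome addition, since the statistics groupings were reworked in this revision and readers will want to see the new leaf names in an instance document.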
| skipping to change at page 3, line 9 ¶ | skipping to change at page 3, line 17 ¶ | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| [RFC2119] [RFC8174] when, and only when, they appear in all capitals, | [RFC2119] [RFC8174] when, and only when, they appear in all capitals, | |||
| as shown here. | as shown here. | |||
| 2. Overview | 2. Overview | |||
| This document defines configuration and operational parameters of IP | This document defines configuration and operational parameters of IP | |||
| traffic flow security (IP-TFS). IP-TFS, defined in | traffic flow security (IP-TFS). IP-TFS, defined in | |||
| [I-D.ietf-ipsecme-iptfs], configures a security association for | [I-D.ietf-ipsecme-iptfs], defines a security association for tunnel | |||
| tunnel mode IPsec with characteristics that improve traffic | mode IPsec with characteristics that improve traffic confidentiality | |||
| confidentiality and reduce bandwidth efficiency loss. These | and reduce bandwidth efficiency loss. These documents assume | |||
| documents assume familiarity with IP security concepts described in | familiarity with IP security concepts described in [RFC4301]. | |||
| [RFC4301]. | ||||
| IP-TFS uses tunnel mode to improve confidentiality by hiding inner | IP-TFS uses tunnel mode to improve confidentiality by hiding inner | |||
| packet identifiable information, packet size and packet timing. IP- | packet identifiable information, packet size and packet timing. IP- | |||
| TFS provides a general capability allowing aggregation of multiple | TFS provides a general capability allowing aggregation of multiple | |||
| packets and packet size control utilizing padding and additionally | packets in uniform size outer tunnel ipsec packets. It maintains the | |||
| utilizing inner packet fragments when a complete inner packet will | outer packet size by utilizing combinations of aggregating, padding | |||
| not fit in the IPsec outer tunnel packet. Zero byte padding is used | and fragmentating inner packets to fll out the IPsec outer tunnel | |||
| to fill the packet when no data is available to send. | packet. Zero byte padding is used to fill the packet when no data is | |||
| available to send. | ||||
| This document specifies an extensible configuration model for IP-TFS. | This document specifies an extensible configuration model for IP-TFS. | |||
| This version utilizes the capabilities of IP-TFS to configure fixed | This version utilizes the capabilities of IP-TFS to configure fixed | |||
| size IP-TFS Packets that are transmitted at a constant rate. This | size IP-TFS Packets that are transmitted at a constant rate. This | |||
| model is structured to allow for different types of operation through | model is structured to allow for different types of operation through | |||
| future augmentation. | future augmentation. | |||
| IP-TFS YANG augments IPsec YANG model from | IP-TFS YANG augments IPsec YANG model from | |||
| [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]. IP-TFS makes use of | [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]. IP-TFS makes use of | |||
| IPsec tunnel mode and adds a small number configuration items to | IPsec tunnel mode and adds a small number configuration items to | |||
| tunnel mode IPsec. As defined in [I-D.ietf-ipsecme-iptfs], any SA | tunnel mode IPsec. As defined in [I-D.ietf-ipsecme-iptfs], any SA | |||
| configured to use IP-TFS supports only IP-TFS packets i.e. no mixed | configured to use IP-TFS supports only IP-TFS packets i.e. no mixed | |||
| IPsec modes. | IPsec modes. | |||
| The behavior for IP-TFS is controlled by the source. The self- | The behavior for IP-TFS is controlled by the source. The self- | |||
| describing format of an IP-TFS packets allows a sending side to | describing format of an IP-TFS packets allows a sending side to | |||
| adjust the packet-size and timing independently from any receiver. | adjust the packet-size and timing independently from any receiver. | |||
| Both directions are also independent, e.g. IP-TFS may be run only in | Both directions are also independent, e.g. IP-TFS may be run only in | |||
| one direction. | one direction. This means that counters, which are created here for | |||
| both directions may be 0 or not updated in the case of an SA that | ||||
| uses IP-TFS only in on direction. | ||||
| Cases where IP-TFS statistics are active for one direction: | ||||
| o SA one direction - IP-TFS enabled | ||||
| o SA both directions - IP-TFS only enabled in one direction | ||||
| Case where IP-TFS statistics are for both directions: | ||||
| o SA both directions - IP-TFS enable for both directions | ||||
| The data model uses following constructs for configuration and | The data model uses following constructs for configuration and | |||
| management: | management: | |||
| o Configuration | o Configuration | |||
| o Operational State | o Operational State | |||
| This YANG module supports configuration of fixed size and fixed rate | This YANG module supports configuration of fixed size and fixed rate | |||
| packets, and elements that may be augmented to support future | packets, and elements that may be augmented to support future | |||
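Review bot: The rewritten Overview paragraph in the right column introduces two typos, "fragmentating" for "fragmenting" and "fll" for "fill" in "fragmentating inner packets to fll out the IPsec outer tunnel packet", and writes "ipsec" in lowercase in "uniform size outer tunnel ipsec packets" where the rest of the draft uses "IPsec". The new counter paragraph reads "uses IP-TFS only in on direction" (should be "one direction"), needs a comma after "both directions" in "counters, which are created here for both directions may be 0", and the third bullet "SA both directions - IP-TFS enable for both directions" should be "enabled". In text unchanged from -01, "adds a small number configuration items" is missing "of". On substance, "may be 0 or not updated" leaves the monitoring semantics open: an operator cannot tell an idle IP-TFS direction from a direction that is not running IP-TFS at all, so consider stating which behaviour is expected (or that zero counters must not be read as IP-TFS being disabled) in the leaf descriptions.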
| skipping to change at page 5, line 4 ¶ | skipping to change at page 5, line 18 ¶ | |||
| IP-TFS YANG augments: | IP-TFS YANG augments: | |||
| o Yang catalog entry for ietf-i2nsf-ike@2020-10-30.yang | o Yang catalog entry for ietf-i2nsf-ike@2020-10-30.yang | |||
| o Yang catalog entry for ietf-i2nsf-ikeless@20202-10-30.yang | o Yang catalog entry for ietf-i2nsf-ikeless@20202-10-30.yang | |||
| The Security Policy database entry and Security Association entry for | The Security Policy database entry and Security Association entry for | |||
| an IPsec Tunnel can be augmented with IP-TFS. | an IPsec Tunnel can be augmented with IP-TFS. | |||
| 3. YANG Management | 3. YANG Management | |||
| 3.1. YANG Tree | 3.1. YANG Tree | |||
| The following is the YANG tree diagram ([RFC8340]) for the IP-TFS | The following is the YANG tree diagram ([RFC8340]) for the IP-TFS | |||
| extensions. | extensions. | |||
| module: ietf-ipsecme-iptfs | module: ietf-ipsecme-iptfs | |||
| augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd | augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd | |||
| /nsfike:spd-entry/nsfike:ipsec-policy-config | /nsfike:spd-entry/nsfike:ipsec-policy-config | |||
| /nsfike:processing-info/nsfike:ipsec-sa-cfg: | /nsfike:processing-info/nsfike:ipsec-sa-cfg: | |||
| +--rw traffic-flow-security | +--rw traffic-flow-security | |||
| +--rw congestion-control? boolean | +--rw congestion-control? boolean | |||
| +--rw packet-size | +--rw packet-size | |||
| | +--rw use-path-mtu? boolean | | +--rw use-path-mtu-discovery? boolean | |||
| | +--rw outer-packet-size? uint16 | | +--rw outer-packet-size? uint16 | |||
| +--rw (tunnel-rate)? | +--rw (tunnel-rate)? | |||
| | +--:(l2-fixed-rate) | | +--:(l2-fixed-rate) | |||
| | | +--rw l2-fixed-rate? uint64 | | | +--rw l2-fixed-rate? uint64 | |||
| | +--:(l3-fixed-rate) | | +--:(l3-fixed-rate) | |||
| | +--rw l3-fixed-rate? uint64 | | +--rw l3-fixed-rate? uint64 | |||
| +--rw dont-fragment? boolean | +--rw dont-fragment? boolean | |||
| +--rw max-aggregation-time? decimal64 | ||||
| augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info: | augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info: | |||
| +--ro traffic-flow-security | +--ro traffic-flow-security | |||
| +--ro congestion-control? boolean | +--ro congestion-control? boolean | |||
| +--ro packet-size | +--ro packet-size | |||
| | +--ro use-path-mtu? boolean | | +--ro use-path-mtu-discovery? boolean | |||
| | +--ro outer-packet-size? uint16 | | +--ro outer-packet-size? uint16 | |||
| +--ro (tunnel-rate)? | +--ro (tunnel-rate)? | |||
| | +--:(l2-fixed-rate) | | +--:(l2-fixed-rate) | |||
| | | +--ro l2-fixed-rate? uint64 | | | +--ro l2-fixed-rate? uint64 | |||
| | +--:(l3-fixed-rate) | | +--:(l3-fixed-rate) | |||
| | +--ro l3-fixed-rate? uint64 | | +--ro l3-fixed-rate? uint64 | |||
| +--ro dont-fragment? boolean | +--ro dont-fragment? boolean | |||
| +--ro max-aggregation-time? decimal64 | ||||
| augment /nsfikels:ipsec-ikeless/nsfikels:spd/nsfikels:spd-entry | augment /nsfikels:ipsec-ikeless/nsfikels:spd/nsfikels:spd-entry | |||
| /nsfikels:ipsec-policy-config/nsfikels:processing-info | /nsfikels:ipsec-policy-config/nsfikels:processing-info | |||
| /nsfikels:ipsec-sa-cfg: | /nsfikels:ipsec-sa-cfg: | |||
| +--rw traffic-flow-security | +--rw traffic-flow-security | |||
| +--rw congestion-control? boolean | +--rw congestion-control? boolean | |||
| +--rw packet-size | +--rw packet-size | |||
| | +--rw use-path-mtu? boolean | | +--rw use-path-mtu-discovery? boolean | |||
| | +--rw outer-packet-size? uint16 | | +--rw outer-packet-size? uint16 | |||
| +--rw (tunnel-rate)? | +--rw (tunnel-rate)? | |||
| | +--:(l2-fixed-rate) | | +--:(l2-fixed-rate) | |||
| | | +--rw l2-fixed-rate? uint64 | | | +--rw l2-fixed-rate? uint64 | |||
| | +--:(l3-fixed-rate) | | +--:(l3-fixed-rate) | |||
| | +--rw l3-fixed-rate? uint64 | | +--rw l3-fixed-rate? uint64 | |||
| +--rw dont-fragment? boolean | +--rw dont-fragment? boolean | |||
| +--rw max-aggregation-time? decimal64 | ||||
| augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry: | augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry: | |||
| +--ro traffic-flow-security | +--ro traffic-flow-security | |||
| +--ro congestion-control? boolean | +--ro congestion-control? boolean | |||
| +--ro packet-size | +--ro packet-size | |||
| | +--ro use-path-mtu? boolean | | +--ro use-path-mtu-discovery? boolean | |||
| | +--ro outer-packet-size? uint16 | | +--ro outer-packet-size? uint16 | |||
| +--ro (tunnel-rate)? | +--ro (tunnel-rate)? | |||
| | +--:(l2-fixed-rate) | | +--:(l2-fixed-rate) | |||
| | | +--ro l2-fixed-rate? uint64 | | | +--ro l2-fixed-rate? uint64 | |||
| | +--:(l3-fixed-rate) | | +--:(l3-fixed-rate) | |||
| | +--ro l3-fixed-rate? uint64 | | +--ro l3-fixed-rate? uint64 | |||
| +--ro dont-fragment? boolean | +--ro dont-fragment? boolean | |||
| +--ro max-aggregation-time? decimal64 | ||||
| augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info: | augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info: | |||
| +--ro ipsec-stats {ipsec-stats}? | +--ro ipsec-stats {ipsec-stats}? | |||
| | +--ro tx-packets? uint64 | | +--ro tx-pkts? uint64 | |||
| | +--ro tx-octets? uint64 | | +--ro tx-octets? uint64 | |||
| | +--ro tx-drop-packets? uint64 | | +--ro tx-drop-pkts? uint64 | |||
| | +--ro rx-packets? uint64 | | +--ro rx-pkts? uint64 | |||
| | +--ro rx-octets? uint64 | | +--ro rx-octets? uint64 | |||
| | +--ro rx-drop-packets? uint64 | | +--ro rx-drop-pkts? uint64 | |||
| +--ro iptfs-stats {iptfs-stats}? | +--ro iptfs-inner-pkt-stats {iptfs-stats}? | |||
| +--ro tx-inner-packets? uint64 | | +--ro tx-pkts? uint64 | |||
| +--ro tx-inner-octets? uint64 | | +--ro tx-octets? uint64 | |||
| +--ro tx-extra-pad-packets? uint64 | | +--ro rx-pkts? uint64 | |||
| +--ro tx-extra-pad-octets? uint64 | | +--ro rx-octets? uint64 | |||
| +--ro tx-all-pad-packets? uint64 | | +--ro rx-incomplete-pkts? uint64 | |||
| +--ro tx-all-pad-octets? uint64 | +--ro iptfs-outer-pkt-stats {iptfs-stats}? | |||
| +--ro rx-inner-packets? uint64 | +--ro tx-all-pad-pkts? uint64 | |||
| +--ro rx-inner-octets? uint64 | +--ro tx-all-pad-octets? uint64 | |||
| +--ro rx-extra-pad-packets? uint64 | +--ro tx-extra-pad-pkts? uint64 | |||
| +--ro rx-extra-pad-octets? uint64 | +--ro tx-extra-pad-octets? uint64 | |||
| +--ro rx-all-pad-packets? uint64 | +--ro rx-all-pad-pkts? uint64 | |||
| +--ro rx-all-pad-octets? uint64 | +--ro rx-all-pad-octets? uint64 | |||
| +--ro rx-errored-packets? uint64 | +--ro rx-extra-pad-pkts? uint64 | |||
| +--ro rx-missed-packets? uint64 | +--ro rx-extra-pad-octets? uint64 | |||
| +--ro rx-incomplete-inner-packets? uint64 | +--ro rx-errored-pkts? uint64 | |||
| +--ro rx-missed-pkts? uint64 | ||||
| augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry: | augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry: | |||
| +--rw ipsec-stats {ipsec-stats}? | +--rw ipsec-stats {ipsec-stats}? | |||
| | +--ro tx-packets? uint64 | | +--ro tx-pkts? uint64 | |||
| | +--ro tx-octets? uint64 | | +--ro tx-octets? uint64 | |||
| | +--ro tx-drop-packets? uint64 | | +--ro tx-drop-pkts? uint64 | |||
| | +--ro rx-packets? uint64 | | +--ro rx-pkts? uint64 | |||
| | +--ro rx-octets? uint64 | | +--ro rx-octets? uint64 | |||
| | +--ro rx-drop-packets? uint64 | | +--ro rx-drop-pkts? uint64 | |||
| +--rw iptfs-stats {iptfs-stats}? | +--ro iptfs-inner-pkt-stats {iptfs-stats}? | |||
| +--ro tx-inner-packets? uint64 | | +--ro tx-pkts? uint64 | |||
| +--ro tx-inner-octets? uint64 | | +--ro tx-octets? uint64 | |||
| +--ro tx-extra-pad-packets? uint64 | | +--ro rx-pkts? uint64 | |||
| +--ro tx-extra-pad-octets? uint64 | | +--ro rx-octets? uint64 | |||
| +--ro tx-all-pad-packets? uint64 | | +--ro rx-incomplete-pkts? uint64 | |||
| +--ro tx-all-pad-octets? uint64 | +--ro iptfs-outer-pkt-stats {iptfs-stats}? | |||
| +--ro rx-inner-packets? uint64 | +--ro tx-all-pad-pkts? uint64 | |||
| +--ro rx-inner-octets? uint64 | +--ro tx-all-pad-octets? uint64 | |||
| +--ro rx-extra-pad-packets? uint64 | +--ro tx-extra-pad-pkts? uint64 | |||
| +--ro rx-extra-pad-octets? uint64 | +--ro tx-extra-pad-octets? uint64 | |||
| +--ro rx-all-pad-packets? uint64 | +--ro rx-all-pad-pkts? uint64 | |||
| +--ro rx-all-pad-octets? uint64 | +--ro rx-all-pad-octets? uint64 | |||
| +--ro rx-errored-packets? uint64 | +--ro rx-extra-pad-pkts? uint64 | |||
| +--ro rx-missed-packets? uint64 | +--ro rx-extra-pad-octets? uint64 | |||
| +--ro rx-incomplete-inner-packets? uint64 | +--ro rx-errored-pkts? uint64 | |||
| +--ro rx-missed-pkts? uint64 | ||||
| 3.2. YANG Module | 3.2. YANG Module | |||
| The following is the YANG module for managing the IP-TFS extensions. | The following is the YANG module for managing the IP-TFS extensions. | |||
| <CODE BEGINS> file "ietf-ipsecme-iptfs@2020-11-15.yang" | <CODE BEGINS> file "ietf-ipsecme-iptfs@2021-02-22.yang" | |||
| module ietf-ipsecme-iptfs { | module ietf-ipsecme-iptfs { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs"; | namespace "urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs"; | |||
| prefix iptfs; | prefix iptfs; | |||
| import ietf-i2nsf-ike { | import ietf-i2nsf-ike { | |||
| prefix nsfike; | prefix nsfike; | |||
| } | } | |||
| import ietf-i2nsf-ikeless { | import ietf-i2nsf-ikeless { | |||
| prefix nsfikels; | prefix nsfikels; | |||
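Review bot: The new leaf "max-aggregation-time? decimal64" is added at all four augment points without any indication of unit or precision in the tree; the module body should carry a "units" statement and the "fraction-digits" that decimal64 requires, and the Overview, which says this version configures fixed-size packets sent at a constant rate, should say how an aggregation-time bound interacts with that mode. Under the ikeless sad-entry augment the container "ipsec-stats" is still shown as "+--rw" while "iptfs-inner-pkt-stats" and "iptfs-outer-pkt-stats" were changed to "+--ro" and every leaf inside is ro; mark "ipsec-stats" config false as well, matching the child-sa-info augment. The rename "use-path-mtu" to "use-path-mtu-discovery" reads more clearly. Minor: "ietf-i2nsf-ikeless@20202-10-30.yang" (year 20202) is a typo carried over from -01.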
| skipping to change at page 8, line 19 ¶ | skipping to change at page 8, line 37 ¶ | |||
| without modification, is permitted pursuant to, and subject to | without modification, is permitted pursuant to, and subject to | |||
| the license terms contained in, the Simplified BSD License set | the license terms contained in, the Simplified BSD License set | |||
| forth in Section 4.c of the IETF Trust's Legal Provisions | forth in Section 4.c of the IETF Trust's Legal Provisions | |||
| Relating to IETF Documents | Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC XXXX | This version of this YANG module is part of RFC XXXX | |||
| (https://tools.ietf.org/html/rfcXXXX); see the RFC itself for | (https://tools.ietf.org/html/rfcXXXX); see the RFC itself for | |||
| full legal notices."; | full legal notices."; | |||
| revision 2020-11-15 { | revision 2021-02-22 { | |||
| description | description | |||
| "Initial Revision"; | "Initial Revision"; | |||
| reference | reference | |||
| "RFC XXXX: IP Traffic Flow Security YANG Module"; | "RFC XXXX: IP Traffic Flow Security YANG Module"; | |||
| } | } | |||
| feature ipsec-stats { | feature ipsec-stats { | |||
| description | description | |||
| "This feature indicates the device supports | "This feature indicates the device supports | |||
| per SA IPsec statistics"; | per SA IPsec statistics"; | |||
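Review bot: The revision statement date moves to 2021-02-22 but the description stays "Initial Revision", even though this revision renames every statistics leaf (tx-packets to tx-pkts and so on) and splits "iptfs-stats" into inner and outer groupings, which breaks any instance data or tooling built against the -01 module. Keeping a single revision entry is the usual practice for a draft, but the draft text should then carry a change summary so implementers of -01 know the leaf names changed.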
| skipping to change at page 8, line 45 ¶ | skipping to change at page 9, line 15 ¶ | |||
| per SA IP Traffic Flow Security statistics"; | per SA IP Traffic Flow Security statistics"; | |||
| } | } | |||
| /*--------------------*/ | /*--------------------*/ | |||
| /* groupings */ | /* groupings */ | |||
| /*--------------------*/ | /*--------------------*/ | |||
| grouping ipsec-tx-stat-grouping { | grouping ipsec-tx-stat-grouping { | |||
| description | description | |||
| "IPsec outbound statistics"; | "IPsec outbound statistics"; | |||
| leaf tx-packets { | leaf tx-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Outbound Packet count"; | "Outbound Packet count"; | |||
| } | } | |||
| leaf tx-octets { | leaf tx-octets { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Outbound Packet bytes"; | "Outbound Packet bytes"; | |||
| } | } | |||
| leaf tx-drop-packets { | leaf tx-drop-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Outbound dropped packets count"; | "Outbound dropped packets count"; | |||
| } | } | |||
| } | } | |||
| grouping ipsec-rx-stat-grouping { | grouping ipsec-rx-stat-grouping { | |||
| description | description | |||
| "IPsec inbound statistics"; | "IPsec inbound statistics"; | |||
| leaf rx-packets { | leaf rx-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Inbound Packet count"; | "Inbound Packet count"; | |||
| } | } | |||
| leaf rx-octets { | leaf rx-octets { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Inbound Packet bytes"; | "Inbound Packet bytes"; | |||
| } | } | |||
| leaf rx-drop-packets { | leaf rx-drop-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Inbound dropped packets count"; | "Inbound dropped packets count"; | |||
| } | } | |||
| } | } | |||
| grouping iptfs-tx-stat-grouping { | grouping iptfs-inner-tx-stat-grouping { | |||
| description | description | |||
| "IP-TFS outbound statistics"; | "IP-TFS outbound inner packet statistics"; | |||
| leaf tx-inner-packets { | leaf tx-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS inner packets sent. This | "Total number of IP-TFS inner packets sent. This | |||
| count is whole packets only. A fragmented packet | count is whole packets only. A fragmented packet | |||
| counts as one packet"; | counts as one packet"; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs"; | |||
| } | } | |||
| leaf tx-inner-octets { | leaf tx-octets { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS inner octets sent. This is | "Total number of IP-TFS inner octets sent. This is | |||
| inner packet octets only. Does not count padding."; | inner packet octets only. Does not count padding."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs"; | |||
| } | } | |||
| leaf tx-extra-pad-packets { | } | |||
| grouping iptfs-outer-tx-stat-grouping { | ||||
| description | ||||
| "IP-TFS outbound inner packet statistics"; | ||||
| leaf tx-all-pad-pkts { | ||||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of transmitted outer IP-TFS packets | "Total number of transmitted IP-TFS packets that | |||
| that included some padding."; | were all padding with no inner packet data."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs section 2.2.3"; | |||
| } | } | |||
| leaf tx-extra-pad-octets { | leaf tx-all-pad-octets { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of transmitted octets of padding added | "Total number transmitted octets of padding added to | |||
| to outer IP-TFS packets with data."; | IP-TFS packets with no inner packet data."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs section 2.2.3"; | |||
| } | } | |||
| leaf tx-all-pad-packets { | leaf tx-extra-pad-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of transmitted IP-TFS packets that | "Total number of transmitted outer IP-TFS packets | |||
| were all padding with no inner packet data."; | that included some padding."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | |||
| } | } | |||
| leaf tx-all-pad-octets { | leaf tx-extra-pad-octets { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number transmitted octets of padding added to | "Total number of transmitted octets of padding added | |||
| IP-TFS packets with no inner packet data."; | to outer IP-TFS packets with data."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | |||
| } | } | |||
| } | } | |||
| grouping iptfs-rx-stat-grouping { | grouping iptfs-inner-rx-stat-grouping { | |||
| description | description | |||
| "IP-TFS inbound statistics"; | "IP-TFS inner packet inbound statistics"; | |||
| leaf rx-inner-packets { | leaf rx-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS inner packets received."; | "Total number of IP-TFS inner packets received."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs section 2.2"; | |||
| } | } | |||
| leaf rx-inner-octets { | leaf rx-octets { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS inner octets received. Does | "Total number of IP-TFS inner octets received. Does | |||
| not include padding or overhead"; | not include padding or overhead"; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs section 2.2"; | |||
| } | ||||
| leaf rx-extra-pad-packets { | ||||
| type uint64; | ||||
| config false; | ||||
| description | ||||
| "Total number of received outer IP-TFS packets that | ||||
| included some padding."; | ||||
| reference | ||||
| "draft-ietf-ipsecme-iptfs"; | ||||
| } | } | |||
| leaf rx-extra-pad-octets { | leaf rx-incomplete-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of received octets of padding added to | "Total number of IP-TFS inner packets that were | |||
| outer IP-TFS packets with data."; | incomplete. Usually this is due to fragments not | |||
| received. Also, this may be due to misordering or | ||||
| errors in received outer packets."; | ||||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs"; | |||
| } | } | |||
| leaf rx-all-pad-packets { | } | |||
| grouping iptfs-outer-rx-stat-grouping { | ||||
| description | ||||
| "IP-TFS outer packet inbound statistics"; | ||||
| leaf rx-all-pad-pkts { | ||||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of received IP-TFS packets that were | "Total number of received IP-TFS packets that were | |||
| all padding with no inner packet data."; | all padding with no inner packet data."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs section 2.2.3"; | |||
| } | } | |||
| leaf rx-all-pad-octets { | leaf rx-all-pad-octets { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number received octets of padding added to | "Total number received octets of padding added to | |||
| IP-TFS packets with no inner packet data."; | IP-TFS packets with no inner packet data."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs section 2.2.3"; | |||
| } | } | |||
| leaf rx-errored-packets { | leaf rx-extra-pad-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS outer packets dropped due to | "Total number of received outer IP-TFS packets that | |||
| errors."; | included some padding."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | |||
| } | } | |||
| leaf rx-missed-packets { | leaf rx-extra-pad-octets { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS outer packets missing | "Total number of received octets of padding added to | |||
| indicated by missing sequence number."; | outer IP-TFS packets with data."; | |||
| reference | ||||
| "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | ||||
| } | ||||
| leaf rx-errored-pkts { | ||||
| type uint64; | ||||
| config false; | ||||
| description | ||||
| "Total number of IP-TFS outer packets dropped due to | ||||
| errors."; | ||||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs"; | |||
| } | } | |||
| leaf rx-incomplete-inner-packets { | leaf rx-missed-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS inner packets that were | "Total number of IP-TFS outer packets missing | |||
| incomplete. Usually this is due to fragments not | indicated by missing sequence number."; | |||
| received. Also, this may be due to misordering or | ||||
| errors in received outer packets."; | ||||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs"; | |||
| } | } | |||
| } | } | |||
| grouping iptfs-config { | grouping iptfs-config { | |||
| description | description | |||
| "This is the grouping for iptfs configuration"; | "This is the grouping for iptfs configuration"; | |||
| container traffic-flow-security { | container traffic-flow-security { | |||
| // config true; want this so we can refine? | // config true; want this so we can refine? | |||
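Review bot: the `// config true; want this so we can refine?` comment inside `container traffic-flow-security` is an open design question left in the module text; either state `config true;` explicitly if refining the grouping is intended, or drop the comment before the module is published. Also, the new section-level references stop at the padding counters: `rx-errored-pkts`, `rx-missed-pkts` and `rx-incomplete-pkts` still cite `draft-ietf-ipsecme-iptfs` with no section, so point them at the section that defines the error and sequence-number handling they count, as was done for `rx-all-pad-pkts` (section 2.2.3) and `rx-extra-pad-pkts` (section 2.2.3.1).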
| skipping to change at page 13, line 12 ¶ | skipping to change at page 13, line 41 ¶ | |||
| leaf congestion-control { | leaf congestion-control { | |||
| type boolean; | type boolean; | |||
| default "true"; | default "true"; | |||
| description | description | |||
| "Congestion Control With the congestion controlled | "Congestion Control With the congestion controlled | |||
| mode, IP-TFS adapts to network congestion by | mode, IP-TFS adapts to network congestion by | |||
| lowering the packet send rate to accommodate the | lowering the packet send rate to accommodate the | |||
| congestion, as well as raising the rate when | congestion, as well as raising the rate when | |||
| congestion subsides."; | congestion subsides."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs Section 2.5.2"; | "draft-ietf-ipsecme-iptfs section 2.5.2"; | |||
| } | } | |||
| container packet-size { | container packet-size { | |||
| description | description | |||
| "Packet size is either auto-discovered or manually | "Packet size is either auto-discovered or manually | |||
| configured."; | configured."; | |||
| leaf use-path-mtu { | leaf use-path-mtu-discovery { | |||
| type boolean; | type boolean; | |||
| default "true"; | default "true"; | |||
| description | description | |||
| "Utilize path-mtu to determine maximum IP-TFS packet size. | "Utilize path mtu discovery to determine maximum IP-TFS | |||
| If the packet size is explicitly configured, then it | packet size. If the packet size is explicitly | |||
| will only be adjusted downward if use-path-mtu is set."; | configured, then it will only be adjusted downward | |||
| if use-path-mtu-discovery is set."; | ||||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs Section 4.2"; | "draft-ietf-ipsecme-iptfs section 4.2"; | |||
| } | } | |||
| leaf outer-packet-size { | leaf outer-packet-size { | |||
| type uint16; | type uint16; | |||
| description | description | |||
| "The size of the outer encapsulating tunnel packet (i.e., | "The size of the outer encapsulating tunnel packet (i.e., | |||
| the IP packet containing the ESP payload)."; | the IP packet containing the ESP payload)."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs Section 4.2"; | "draft-ietf-ipsecme-iptfs section 4.2"; | |||
| } | } | |||
| } | } | |||
| choice tunnel-rate { | choice tunnel-rate { | |||
| description | description | |||
| "TFS bit rate may be specified at layer 2 wire | "TFS bit rate may be specified at layer 2 wire | |||
| rate or layer 3 packet rate"; | rate or layer 3 packet rate"; | |||
| leaf l2-fixed-rate { | leaf l2-fixed-rate { | |||
| type uint64; | type uint64; | |||
| description | description | |||
| "Target bandwidth/bit rate in bps for iptfs tunnel. This | "Target bandwidth/bit rate in bps for iptfs tunnel. This | |||
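Review bot: `outer-packet-size` is a bare `uint16` with no `units` statement and no `range`; `l2-fixed-rate` at least names its unit (bps) in its description, so give this leaf `units "bytes"` and state whether the value includes the outer IP header, as "the IP packet containing the ESP payload" implies, so an operator knows what is being clamped when `use-path-mtu-discovery` adjusts it downward. Minor: the `congestion-control` description reads "Congestion Control With the congestion controlled mode ..." with no punctuation after the title; a full stop or colon after "Congestion Control" fixes it.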
| skipping to change at page 14, line 22 ¶ | skipping to change at page 15, line 4 ¶ | |||
| } | } | |||
| } | } | |||
| leaf dont-fragment { | leaf dont-fragment { | |||
| type boolean; | type boolean; | |||
| default "false"; | default "false"; | |||
| description | description | |||
| "Disable packet fragmentation across consecutive iptfs | "Disable packet fragmentation across consecutive iptfs | |||
| tunnel packets"; | tunnel packets"; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.4 and 6.4.1"; | "draft-ietf-ipsecme-iptfs section 2.2.4 and 6.4.1"; | |||
| } | ||||
| leaf max-aggregation-time { | ||||
| type decimal64 { | ||||
| fraction-digits 6; | ||||
| } | ||||
| units "milliseconds"; | ||||
| description | ||||
| "Maximum Aggregation Time in Milliseconds | ||||
| or fractional milliseconds down to 1 nanosecond"; | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| /* | /* | |||
| * IP-TFS ike configuration | * IP-TFS ike configuration | |||
| */ | */ | |||
| augment "/nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd/" | augment "/nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd/" | |||
| + "nsfike:spd-entry/" | + "nsfike:spd-entry/" | |||
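Review bot: the new `max-aggregation-time` leaf has no `reference` statement, unlike every sibling leaf under `traffic-flow-security`, and its `decimal64` type has no `range`, so negative values are schema-valid. Add a reference to the section of draft-ietf-ipsecme-iptfs that describes aggregation timing and constrain the type, e.g. `range "0..max";` (the `fraction-digits 6` with `units "milliseconds"` does give the 1 nanosecond resolution the description claims).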
| skipping to change at page 15, line 37 ¶ | skipping to change at page 16, line 28 ¶ | |||
| /* | /* | |||
| * packet counters | * packet counters | |||
| */ | */ | |||
| augment "/nsfike:ipsec-ike/nsfike:conn-entry/" | augment "/nsfike:ipsec-ike/nsfike:conn-entry/" | |||
| + "nsfike:child-sa-info" { | + "nsfike:child-sa-info" { | |||
| description | description | |||
| "Per SA Counters"; | "Per SA Counters"; | |||
| container ipsec-stats { | container ipsec-stats { | |||
| if-feature "ipsec-stats"; | if-feature "ipsec-stats"; | |||
| config false; | config false; | |||
| description | description | |||
| "IPsec per SA packet counters."; | "IPsec per SA packet counters."; | |||
| uses ipsec-tx-stat-grouping { | uses ipsec-tx-stat-grouping { | |||
| //when "direction = 'outbound'"; | //when "direction = 'outbound'"; | |||
| } | } | |||
| uses ipsec-rx-stat-grouping { | uses ipsec-rx-stat-grouping { | |||
| //when "direction = 'inbound'"; | //when "direction = 'inbound'"; | |||
| } | } | |||
| } | } | |||
| container iptfs-stats { | container iptfs-inner-pkt-stats { | |||
| if-feature "iptfs-stats"; | if-feature "iptfs-stats"; | |||
| config false; | config false; | |||
| description | description | |||
| "IPTFS per SA packet counters."; | "IPTFS per SA inner packet counters."; | |||
| uses iptfs-tx-stat-grouping { | uses iptfs-inner-tx-stat-grouping { | |||
| //when "direction = 'outbound'"; | //when "direction = 'outbound'"; | |||
| } | } | |||
| uses iptfs-rx-stat-grouping { | uses iptfs-inner-rx-stat-grouping { | |||
| //when "direction = 'inbound'"; | //when "direction = 'inbound'"; | |||
| } | ||||
| } | ||||
| container iptfs-outer-pkt-stats { | ||||
| if-feature "iptfs-stats"; | ||||
| config false; | ||||
| description | ||||
| "IPTFS per SA outer packets counters."; | ||||
| uses iptfs-outer-tx-stat-grouping { | ||||
| //when "direction = 'outbound'"; | ||||
| } | ||||
| uses iptfs-outer-rx-stat-grouping { | ||||
| //when "direction = 'inbound'"; | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| /* | /* | |||
| * packet counters | * packet counters | |||
| */ | */ | |||
| augment "/nsfikels:ipsec-ikeless/nsfikels:sad/" | augment "/nsfikels:ipsec-ikeless/nsfikels:sad/" | |||
| + "nsfikels:sad-entry" { | + "nsfikels:sad-entry" { | |||
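Review bot: every `uses ...-stat-grouping` under `ipsec-stats`, `iptfs-inner-pkt-stats` and `iptfs-outer-pkt-stats` carries a commented-out `//when "direction = 'outbound'"` or `//when "direction = 'inbound'"`, so each SA exposes both tx and rx counter sets regardless of its direction. Either enable the `when` expressions against a direction leaf of the augmented node, if one exists, or remove the commented-out lines and say in the container descriptions that the counters for the unused direction read zero.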
| skipping to change at page 16, line 33 ¶ | skipping to change at page 17, line 36 ¶ | |||
| if-feature "ipsec-stats"; | if-feature "ipsec-stats"; | |||
| description | description | |||
| "IPsec per SA packet counters."; | "IPsec per SA packet counters."; | |||
| uses ipsec-tx-stat-grouping { | uses ipsec-tx-stat-grouping { | |||
| //when "direction = 'outbound'"; | //when "direction = 'outbound'"; | |||
| } | } | |||
| uses ipsec-rx-stat-grouping { | uses ipsec-rx-stat-grouping { | |||
| //when "direction = 'inbound'"; | //when "direction = 'inbound'"; | |||
| } | } | |||
| } | } | |||
| container iptfs-stats { | container iptfs-inner-pkt-stats { | |||
| if-feature "iptfs-stats"; | if-feature "iptfs-stats"; | |||
| config false; | ||||
| description | description | |||
| "IPTFS per SA packet counters."; | "IPTFS per SA inner packet counters."; | |||
| uses iptfs-tx-stat-grouping { | uses iptfs-inner-tx-stat-grouping { | |||
| //when "direction = 'outbound'"; | //when "direction = 'outbound'"; | |||
| } | } | |||
| uses iptfs-rx-stat-grouping { | uses iptfs-inner-rx-stat-grouping { | |||
| //when "direction = 'inbound'"; | //when "direction = 'inbound'"; | |||
| } | ||||
| } | ||||
| container iptfs-outer-pkt-stats { | ||||
| if-feature "iptfs-stats"; | ||||
| config false; | ||||
| description | ||||
| "IPTFS per SA outer packets counters."; | ||||
| uses iptfs-outer-tx-stat-grouping { | ||||
| //when "direction = 'outbound'"; | ||||
| } | ||||
| uses iptfs-outer-rx-stat-grouping { | ||||
| //when "direction = 'inbound'"; | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| <CODE ENDS> | <CODE ENDS> | |||
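Review bot: in the ikeless augment, `container iptfs-inner-pkt-stats` lost its `config false;` statement in this revision (the old column still has it), while the sibling `iptfs-outer-pkt-stats` container and both containers in the IKE augment keep it. Since `sad-entry` is configuration data, the inner packet counters would now be modelled as configurable rather than as operational state; restore `config false;` so all three stats containers are consistent.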
| 4. IANA Considerations | 4. IANA Considerations | |||
| 4.1. Updates to the IETF XML Registry | 4.1. Updates to the IETF XML Registry | |||
| This document registers a URI in the "IETF XML Registry" [RFC3688]. | This document registers a URI in the "IETF XML Registry" [RFC3688]. | |||
| Following the format in [RFC3688], the following registration has | Following the format in [RFC3688], the following registration has | |||
| been made: | been made: | |||
| URI: | URI: | |||
| urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs | urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs | |||
| skipping to change at page 18, line 22 ¶ | skipping to change at page 19, line 35 ¶ | |||
| 6. Acknowledgements | 6. Acknowledgements | |||
| The authors would like to thank Eric Kinzie for his feedback on the | The authors would like to thank Eric Kinzie for his feedback on the | |||
| YANG model. | YANG model. | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] | [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] | |||
| Lopez, R., Lopez-Millan, G., and F. Pereniguez-Garcia, | Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez- | |||
| "Software-Defined Networking (SDN)-based IPsec Flow | Garcia, "Software-Defined Networking (SDN)-based IPsec | |||
| Protection", draft-ietf-i2nsf-sdn-ipsec-flow-protection-12 | Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow- | |||
| (work in progress), October 2020. | protection-12 (work in progress), October 2020. | |||
| [I-D.ietf-ipsecme-iptfs] | [I-D.ietf-ipsecme-iptfs] | |||
| Hopps, C., "IP Traffic Flow Security", draft-ietf-ipsecme- | Hopps, C., "IP-TFS: IP Traffic Flow Security Using | |||
| iptfs-03 (work in progress), November 2020. | Aggregation and Fragmentation", draft-ietf-ipsecme- | |||
| iptfs-06 (work in progress), January 2021. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | |||
| Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, | Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, | |||
| December 2005, <https://www.rfc-editor.org/info/rfc4301>. | December 2005, <https://www.rfc-editor.org/info/rfc4301>. | |||
| skipping to change at page 19, line 46 ¶ | skipping to change at page 21, line 13 ¶ | |||
| <https://www.rfc-editor.org/info/rfc8341>. | <https://www.rfc-editor.org/info/rfc8341>. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| Appendix A. Examples | Appendix A. Examples | |||
| The following examples show configuration and operational data for | The following examples show configuration and operational data for | |||
| the ikeless case in xml and ike case in json. Also, the operational | the ikeless case in xml and ike case in json. Also, the operational | |||
| statistics for the ikeless case is shown using xml. | statistics for the ikeless case are shown using xml. | |||
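Review bot: the Appendix A introduction still says the operational statistics for the ikeless case are shown using XML, but this revision replaces the XML statistics figure with a JSON one (A.5, Figure 5). Update the sentence to say the statistics are shown in JSON, or keep an XML statistics example alongside it.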
| A.1. Example XML Configuration | A.1. Example XML Configuration | |||
| This example illustrates configuration for IP-TFS in the ikeless | ||||
| case. Note that since this augments the ipsec ikeless schema only | ||||
| minimal ikeless configuration to satisfy the schema has been | ||||
| populated. | ||||
| <i:ipsec-ikeless | <i:ipsec-ikeless | |||
| xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" | xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" | |||
| xmlns:ic="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikec" | ||||
| xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs"> | xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs"> | |||
| <i:spd> | <i:spd> | |||
| <i:spd-entry> | <i:spd-entry> | |||
| <i:name>protect-policy-1</i:name> | <i:name>protect-policy-1</i:name> | |||
| <i:direction>outbound</i:direction> | <i:direction>outbound</i:direction> | |||
| <i:ipsec-policy-config> | <i:ipsec-policy-config> | |||
| <i:traffic-selector> | <i:traffic-selector> | |||
| <i:local-subnet>1.1.1.1/32</i:local-subnet> | <i:local-prefix>1.1.1.1/32</i:local-prefix> | |||
| <i:remote-subnet>2.2.2.2/32</i:remote-subnet> | <i:remote-prefix>2.2.2.2/32</i:remote-prefix> | |||
| </i:traffic-selector> | </i:traffic-selector> | |||
| <i:processing-info> | <i:processing-info> | |||
| <i:action>protect</i:action> | <i:action>protect</i:action> | |||
| <i:ipsec-sa-cfg> | <i:ipsec-sa-cfg> | |||
| <tfs:traffic-flow-security> | <tfs:traffic-flow-security> | |||
| <tfs:congestion-control>true</tfs:congestion-control> | <tfs:congestion-control>true</tfs:congestion-control> | |||
| <tfs:packet-size> | <tfs:packet-size> | |||
| <tfs:use-path-mtu>true</tfs:use-path-mtu> | <tfs:use-path-mtu-discovery | |||
| >true</tfs:use-path-mtu-discovery> | ||||
| </tfs:packet-size> | </tfs:packet-size> | |||
| <tfs:l2-fixed-rate>1000000000</tfs:l2-fixed-rate> | <tfs:l2-fixed-rate>1000000000</tfs:l2-fixed-rate> | |||
| <tfs:max-aggregation-time | ||||
| >0.1</tfs:max-aggregation-time> | ||||
| </tfs:traffic-flow-security> | </tfs:traffic-flow-security> | |||
| </i:ipsec-sa-cfg> | </i:ipsec-sa-cfg> | |||
| </i:processing-info> | </i:processing-info> | |||
| </i:ipsec-policy-config> | </i:ipsec-policy-config> | |||
| </i:spd-entry> | </i:spd-entry> | |||
| </i:spd> | </i:spd> | |||
| </i:ipsec-ikeless> | </i:ipsec-ikeless> | |||
| Figure 1: Example IP-TFS XML configuration | Figure 1: Example IP-TFS XML configuration | |||
| <i:ipsec-ikeless | A.2. Example XML Operational Data | |||
| xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" | ||||
| xmlns:ic="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikec" | This example illustrates operational data for IP-TFS in the ikeless | |||
| xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs"> | case. Note that since this augments the ipsec ikeless schema only | |||
| <i:sad> | minimal ikeless configuration to satisfy the schema has been | |||
| <i:sad-entry> | populated. | |||
| <i:name>sad-1</i:name> | ||||
| <i:ipsec-sa-config> | <i:ipsec-ikeless | |||
| <i:spi>1</i:spi> | xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" | |||
| <i:traffic-selector> | xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs"> | |||
| <i:local-subnet>1.1.1.1/32</i:local-subnet> | <i:sad> | |||
| <i:remote-subnet>2.2.2.2/32</i:remote-subnet> | <i:sad-entry> | |||
| </i:traffic-selector> | <i:name>sad-1</i:name> | |||
| </i:ipsec-sa-config> | <i:ipsec-sa-config> | |||
| <tfs:traffic-flow-security> | <i:spi>1</i:spi> | |||
| <tfs:congestion-control>true</tfs:congestion-control> | <i:traffic-selector> | |||
| <tfs:packet-size> | <i:local-prefix>1.1.1.1/32</i:local-prefix> | |||
| <tfs:use-path-mtu>true</tfs:use-path-mtu> | <i:remote-prefix>2.2.2.2/32</i:remote-prefix> | |||
| </tfs:packet-size> | </i:traffic-selector> | |||
| <tfs:l2-fixed-rate>1000000000</tfs:l2-fixed-rate> | </i:ipsec-sa-config> | |||
| </tfs:traffic-flow-security> | <tfs:traffic-flow-security> | |||
| </i:sad-entry> | <tfs:congestion-control>true</tfs:congestion-control> | |||
| </i:sad> | <tfs:packet-size> | |||
| </i:ipsec-ikeless> | <tfs:use-path-mtu-discovery>true</tfs:use-path-mtu-discovery> | |||
| </tfs:packet-size> | ||||
| <tfs:l2-fixed-rate>1000000000</tfs:l2-fixed-rate> | ||||
| <tfs:max-aggregation-time>0.100</tfs::max-aggregation-time> | ||||
| </tfs:traffic-flow-security> | ||||
| </i:sad-entry> | ||||
| </i:sad> | ||||
| </i:ipsec-ikeless> | ||||
| Figure 2: Example IP-TFS XML Operational data | Figure 2: Example IP-TFS XML Operational data | |||
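Review bot: the closing tag `</tfs::max-aggregation-time>` in Figure 2 has a doubled colon, which makes the example ill-formed XML; it should be `</tfs:max-aggregation-time>`, matching the opening tag.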
| A.3. Example JSON Configuration | ||||
| This example illustrates config data for IP-TFS in the ike case. | ||||
| Note that since this augments the ipsec ike schema only minimal ike | ||||
| configuration to satisfy the schema has been populated. | ||||
| { | { | |||
| "ietf-i2nsf-ike:ipsec-ike": { | "ietf-i2nsf-ike:ipsec-ike": { | |||
| "ietf-i2nsf-ike:conn-entry": [ | "ietf-i2nsf-ike:conn-entry": [ | |||
| { | { | |||
| "name": "my-peer-connection", | "name": "my-peer-connection", | |||
| "encalg": [ | "ike-sa-encr-alg": [ | |||
| { | { | |||
| "id": 1, | "id": 1, | |||
| "algorithm-type": 12, | "algorithm-type": 12, | |||
| "key-length": 128 | "key-length": 128 | |||
| } | } | |||
| ], | ], | |||
| "local": { | "local": { | |||
| "local-pad-entry-name": "local-1" | "local-pad-entry-name": "local-1" | |||
| }, | }, | |||
| "remote": { | "remote": { | |||
| "remote-pad-entry-name": "remote-1" | "remote-pad-entry-name": "remote-1" | |||
| }, | }, | |||
| "ietf-i2nsf-ike:spd": { | "ietf-i2nsf-ike:spd": { | |||
| "spd-entry": [ | "spd-entry": [ | |||
| { | { | |||
| "name": "protect-policy-1", | "name": "protect-policy-1", | |||
| "ipsec-policy-config": { | "ipsec-policy-config": { | |||
| "traffic-selector": { | "traffic-selector": { | |||
| "local-subnet": "1.1.1.1/32", | "local-prefix": "1.1.1.1/32", | |||
| "remote-subnet": "2.2.2.2/32" | "remote-prefix": "2.2.2.2/32" | |||
| }, | }, | |||
| "processing-info": { | "processing-info": { | |||
| "action": "protect", | "action": "protect", | |||
| "ipsec-sa-cfg": { | "ipsec-sa-cfg": { | |||
| "ietf-ipsecme-iptfs:traffic-flow-security": { | "ietf-ipsecme-iptfs:traffic-flow-security": { | |||
| "congestion-control": "true", | "congestion-control": "true", | |||
| "l2-fixed-rate": 1000000000, | "l2-fixed-rate": 1000000000, | |||
| "packet-size": { | "packet-size": { | |||
| "use-path-mtu": "true" | "use-path-mtu-discovery": "true" | |||
| } | }, | |||
| "max-aggregation-time": "0.1" | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
| } | } | |||
| Figure 3: Example IP-TFS JSON configuration | Figure 3: Example IP-TFS JSON configuration | |||
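Review bot: the JSON encoding in Figures 3 and 4 does not follow RFC 7951: a YANG `boolean` is encoded as the JSON literal `true`/`false`, not the string `"true"` (`congestion-control`, `use-path-mtu-discovery`), and `uint64` values are encoded as JSON strings, so `"l2-fixed-rate": 1000000000` should be `"l2-fixed-rate": "1000000000"` (Figure 5 already quotes its uint64 counters, so the configuration figures are inconsistent with it). Also, per RFC 7951 section 4 the module-qualified member name is used only at the top level and where the parent is in a different module, so `"ietf-i2nsf-ike:conn-entry"` and `"ietf-i2nsf-ike:spd"` should be plain `"conn-entry"` and `"spd"`.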
| A.4. Example JSON Operational Data | ||||
| This example illustrates operational data for IP-TFS in the ike case. | ||||
| Note that since this augments the ipsec ike tree only minimal ike | ||||
| configuration to satisfy the schema has been populated. | ||||
| { | { | |||
| "ietf-i2nsf-ike:ipsec-ike": { | "ietf-i2nsf-ike:ipsec-ike": { | |||
| "ietf-i2nsf-ike:conn-entry": [ | "ietf-i2nsf-ike:conn-entry": [ | |||
| { | { | |||
| "name": "my-peer-connection", | "name": "my-peer-connection", | |||
| "encalg": [ | "ike-sa-encr-alg": [ | |||
| { | { | |||
| "id": 1, | "id": 1, | |||
| "algorithm-type": 12, | "algorithm-type": 12, | |||
| "key-length": 128 | "key-length": 128 | |||
| } | } | |||
| ], | ], | |||
| "local": { | "local": { | |||
| "local-pad-entry-name": "local-1" | "local-pad-entry-name": "local-1" | |||
| }, | }, | |||
| "remote": { | "remote": { | |||
| "remote-pad-entry-name": "remote-1" | "remote-pad-entry-name": "remote-1" | |||
| }, | }, | |||
| "ietf-i2nsf-ike:child-sa-info": { | "ietf-i2nsf-ike:child-sa-info": { | |||
| "ietf-ipsecme-iptfs:traffic-flow-security": { | "ietf-ipsecme-iptfs:traffic-flow-security": { | |||
| "congestion-control": "true", | "congestion-control": "true", | |||
| "l2-fixed-rate": 1000000000, | "l2-fixed-rate": 1000000000, | |||
| "packet-size": { | "packet-size": { | |||
| "use-path-mtu": "true" | "use-path-mtu-discovery": "true" | |||
| } | }, | |||
| "max-aggregation-time": "0.1" | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
| } | } | |||
| Figure 4: Example IP-TFS JSON Operational data | Figure 4: Example IP-TFS JSON Operational data | |||
| <i:ipsec-ikeless | A.5. Example JSON Operational Statistics | |||
| xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" | ||||
| xmlns:ic="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikec" | ||||
| xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs"> | ||||
| <i:sad> | ||||
| <i:sad-entry> | ||||
| <i:name>sad-1</i:name> | ||||
| <i:ipsec-sa-config> | ||||
| <i:spi>1</i:spi> | ||||
| <i:traffic-selector> | ||||
| <i:local-subnet>1.1.1.1/32</i:local-subnet> | ||||
| <i:remote-subnet>2.2.2.2/32</i:remote-subnet> | ||||
| </i:traffic-selector> | ||||
| </i:ipsec-sa-config> | ||||
| <tfs:ipsec-stats> | ||||
| <tfs:tx-packets>100</tfs:tx-packets> | ||||
| <tfs:tx-octets>80000</tfs:tx-octets> | ||||
| <tfs:tx-drop-packets>2</tfs:tx-drop-packets> | ||||
| <tfs:rx-packets>50</tfs:rx-packets> | ||||
| <tfs:rx-octets>50000</tfs:rx-octets> | ||||
| <tfs:rx-drop-packets>0</tfs:rx-drop-packets> | ||||
| </tfs:ipsec-stats> | ||||
| <tfs:iptfs-stats> | ||||
| <tfs:tx-inner-packets>250</tfs:tx-inner-packets> | ||||
| <tfs:tx-inner-octets>75000</tfs:tx-inner-octets> | ||||
| <tfs:tx-extra-pad-packets>200</tfs:tx-extra-pad-packets> | ||||
| <tfs:tx-extra-pad-octets>30000</tfs:tx-extra-pad-octets> | ||||
| <tfs:tx-all-pad-packets>40</tfs:tx-all-pad-packets> | ||||
| <tfs:tx-all-pad-octets>40000</tfs:tx-all-pad-octets> | ||||
| <tfs:rx-inner-packets>240</tfs:rx-inner-packets> | ||||
| <tfs:rx-inner-octets>95000</tfs:rx-inner-octets> | ||||
| <tfs:rx-extra-pad-packets>150</tfs:rx-extra-pad-packets> | ||||
| <tfs:rx-extra-pad-octets>25000</tfs:rx-extra-pad-octets> | ||||
| <tfs:rx-all-pad-packets>20</tfs:rx-all-pad-packets> | ||||
| <tfs:rx-all-pad-octets>20000</tfs:rx-all-pad-octets> | ||||
| <tfs:rx-errored-packets>0</tfs:rx-errored-packets> | ||||
| <tfs:rx-missed-packets>0</tfs:rx-missed-packets> | ||||
| <tfs:rx-incomplete-inner-packets>0</tfs:rx-incomplete-inner-packets> | ||||
| </tfs:iptfs-stats> | ||||
| </i:sad-entry> | ||||
| </i:sad> | ||||
| </i:ipsec-ikeless> | ||||
| Figure 5: Example IP-TFS XML Statistics | This example shows the json formated statistics for IP-TFS. Note a | |||
| unidirectional IP-TFS transmit side is illustrated, with arbitray | ||||
| numbers for transmit. | ||||
| { | ||||
| "ietf-i2nsf-ikeless:ipsec-ikeless": { | ||||
| "sad": { | ||||
| "sad-entry": [ | ||||
| { | ||||
| "name": "sad-1", | ||||
| "ipsec-sa-config": { | ||||
| "spi": 1, | ||||
| "traffic-selector": { | ||||
| "local-prefix": "1.1.1.1/32", | ||||
| "remote-prefix": "2.2.2.2/32" | ||||
| } | ||||
| }, | ||||
| "ietf-ipsecme-iptfs:ipsec-stats": { | ||||
| "tx-pkts": "300", | ||||
| "tx-octets": "80000", | ||||
| "tx-drop-pkts": "2", | ||||
| "rx-pkts": "0", | ||||
| "rx-octets": "0", | ||||
| "rx-drop-pkts": "0" | ||||
| }, | ||||
| "ietf-ipsecme-iptfs:iptfs-inner-pkt-stats": { | ||||
| "tx-pkts": "250", | ||||
| "tx-octets": "75000", | ||||
| "rx-pkts": "0", | ||||
| "rx-octets": "0", | ||||
| "rx-incomplete-pkts": "0" | ||||
| }, | ||||
| "ietf-ipsecme-iptfs:iptfs-outer-pkt-stats": { | ||||
| "tx-all-pad-pkts": "40", | ||||
| "tx-all-pad-octets": "40000", | ||||
| "tx-extra-pad-pkts": "200", | ||||
| "tx-extra-pad-octets": "30000", | ||||
| "rx-all-pad-pkts": "0", | ||||
| "rx-all-pad-octets": "0", | ||||
| "rx-extra-pad-pkts": "0", | ||||
| "rx-extra-pad-octets": "0", | ||||
| "rx-errored-pkts": "0", | ||||
| "rx-missed-pkts": "0" | ||||
| }, | ||||
| "ipsec-sa-state": { | ||||
| "sa-lifetime-current": { | ||||
| "time": 80000, | ||||
| "bytes": 4000606, | ||||
| "packets": 1000, | ||||
| "idle": 5 | ||||
| } | ||||
| } | ||||
| } | ||||
| ] | ||||
| } | ||||
| } | ||||
| } | ||||
| Figure 5: Example IP-TFS JSON Statistics | ||||
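Review bot: typos in the A.5 introduction: "json formated" should read "JSON formatted" and "arbitray" should read "arbitrary".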
| Authors' Addresses | Authors' Addresses | |||
| Don Fedyk | Don Fedyk | |||
| LabN Consulting, L.L.C. | LabN Consulting, L.L.C. | |||
| Email: dfedyk@labn.net | Email: dfedyk@labn.net | |||
| Christian Hopps | Christian Hopps | |||
| LabN Consulting, L.L.C. | LabN Consulting, L.L.C. | |||
| End of changes. 102 change blocks. | ||||
| 262 lines changed or deleted | 380 lines changed or added | |||