| < draft-ietf-ipsecme-yang-iptfs-00.txt | draft-ietf-ipsecme-yang-iptfs-01.txt > | |||
|---|---|---|---|---|
| Network Working Group D. Fedyk | Network Working Group D. Fedyk | |||
| Internet-Draft C. Hopps | Internet-Draft C. Hopps | |||
| Intended status: Standards Track LabN Consulting, L.L.C. | Intended status: Standards Track LabN Consulting, L.L.C. | |||
| Expires: September 9, 2021 March 8, 2021 | Expires: 7 April 2022 4 October 2021 | |||
| IP Traffic Flow Security YANG Module | IP Traffic Flow Security YANG Module | |||
| draft-ietf-ipsecme-yang-iptfs-00 | draft-ietf-ipsecme-yang-iptfs-01 | |||
| Abstract | Abstract | |||
| This document describes a yang module for the management of IP | This document describes a yang module for the management of IP | |||
| Traffic Flow Security additions to IKEv2 and IPsec. | Traffic Flow Security additions to IKEv2 and IPsec. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
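Review bot: the Abstract ("This document describes a yang module for the management of IP Traffic Flow Security additions to IKEv2 and IPsec.") writes "yang" in lowercase while the title and the Section 3 headings use "YANG"; the revision bump to -01 did not touch this, so it should be "YANG module" for consistency with the rest of the document. The Abstract would also be more useful if it named what the module augments (the ietf-i2nsf-ike and ietf-i2nsf-ikeless modules listed in the Overview), since that is the main structural fact a reader of the abstract wants.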
| skipping to change at page 1, line 31 ¶ | skipping to change at page 1, line 31 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 9, 2021. | This Internet-Draft will expire on 7 April 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | license-info) in effect on the date of publication of this document. | |||
| publication of this document. Please review these documents | Please review these documents carefully, as they describe your rights | |||
| carefully, as they describe your rights and restrictions with respect | and restrictions with respect to this document. Code Components | |||
| to this document. Code Components extracted from this document must | extracted from this document must include Simplified BSD License text | |||
| include Simplified BSD License text as described in Section 4.e of | as described in Section 4.e of the Trust Legal Provisions and are | |||
| the Trust Legal Provisions and are provided without warranty as | provided without warranty as described in the Simplified BSD License. | |||
| described in the Simplified BSD License. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Terminology & Concepts . . . . . . . . . . . . . . . . . 3 | 1.1. Terminology & Concepts . . . . . . . . . . . . . . . . . 3 | |||
| 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. YANG Management . . . . . . . . . . . . . . . . . . . . . . . 5 | 3. YANG Management . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.1. YANG Tree . . . . . . . . . . . . . . . . . . . . . . . . 5 | 3.1. YANG Tree . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 7 | 3.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | |||
| skipping to change at page 4, line 5 ¶ | skipping to change at page 4, line 5 ¶ | |||
| The behavior for IP-TFS is controlled by the source. The self- | The behavior for IP-TFS is controlled by the source. The self- | |||
| describing format of an IP-TFS packets allows a sending side to | describing format of an IP-TFS packets allows a sending side to | |||
| adjust the packet-size and timing independently from any receiver. | adjust the packet-size and timing independently from any receiver. | |||
| Both directions are also independent, e.g. IP-TFS may be run only in | Both directions are also independent, e.g. IP-TFS may be run only in | |||
| one direction. This means that counters, which are created here for | one direction. This means that counters, which are created here for | |||
| both directions may be 0 or not updated in the case of an SA that | both directions may be 0 or not updated in the case of an SA that | |||
| uses IP-TFS only in on direction. | uses IP-TFS only in on direction. | |||
| Cases where IP-TFS statistics are active for one direction: | Cases where IP-TFS statistics are active for one direction: | |||
| o SA one direction - IP-TFS enabled | * SA one direction - IP-TFS enabled | |||
| o SA both directions - IP-TFS only enabled in one direction | * SA both directions - IP-TFS only enabled in one direction | |||
| Case where IP-TFS statistics are for both directions: | Case where IP-TFS statistics are for both directions: | |||
| o SA both directions - IP-TFS enable for both directions | * SA both directions - IP-TFS enable for both directions | |||
| The data model uses following constructs for configuration and | The data model uses following constructs for configuration and | |||
| management: | management: | |||
| o Configuration | o Configuration | |||
| o Operational State | o Operational State | |||
| This YANG module supports configuration of fixed size and fixed rate | This YANG module supports configuration of fixed size and fixed rate | |||
| packets, and elements that may be augmented to support future | packets, and elements that may be augmented to support future | |||
| configuration. The protocol specification [I-D.ietf-ipsecme-iptfs], | configuration. The protocol specification [I-D.ietf-ipsecme-iptfs], | |||
| goes beyond this simple fixed mode of operation by defining a general | goes beyond this simple fixed mode of operation by defining a general | |||
| format for any type of scheme. In this document the outer IPsec | format for any type of scheme. In this document the outer IPsec | |||
| packets can be sent with fixed or variable size (without padding). | packets can be sent with fixed or variable size (without padding). | |||
| The configuration allows the fixed packet size to be determined by | The configuration allows the fixed packet size to be determined by | |||
| the path MTU. The fixed packet size can also be configured if a | the path MTU. The fixed packet size can also be configured if a | |||
| value lower than the path MTU is desired. | value lower than the path MTU is desired. | |||
| Other configuration items include: | Other configuration items include: | |||
| o Congestion Control. A congestion control setting to allow IP-TFS | * Congestion Control. A congestion control setting to allow IP-TFS | |||
| to reduce the packet rate when congestion is detected. | to reduce the packet rate when congestion is detected. | |||
| o Fixed Rate configuration. The IP-TFS tunnel rate can be | * Fixed Rate configuration. The IP-TFS tunnel rate can be | |||
| configured taking into account either layer 2 overhead or layer 3 | configured taking into account either layer 2 overhead or layer 3 | |||
| overhead. Layer 3 overhead is the IP data rate and layer 2 | overhead. Layer 3 overhead is the IP data rate and layer 2 | |||
| overhead is the rate of bits on the link. The combination of | overhead is the rate of bits on the link. The combination of | |||
| packet size and rate determines the nominal maximum bandwidth and | packet size and rate determines the nominal maximum bandwidth and | |||
| the transmission interval when fixed size packets are used. | the transmission interval when fixed size packets are used. | |||
| o User packet Fragmentation Control. While fragmentation is | * User packet Fragmentation Control. While fragmentation is | |||
| recommended for improved efficiency, a configuration is provided | recommended for improved efficiency, a configuration is provided | |||
| if users wish to observe the effect no-fragmentation on their data | if users wish to observe the effect no-fragmentation on their data | |||
| flows. | flows. | |||
| The YANG operational data allows the readout of the configured | The YANG operational data allows the readout of the configured | |||
| parameters as well as the per SA statistics and error counters for | parameters as well as the per SA statistics and error counters for | |||
| IP-TFS. Per SA IPsec packet statistics are provided as a feature and | IP-TFS. Per SA IPsec packet statistics are provided as a feature and | |||
| per SA IP-TFS specific statistics as another feature. Both sets of | per SA IP-TFS specific statistics as another feature. Both sets of | |||
| statistics augment the IPsec YANG models with counters that allow | statistics augment the IPsec YANG models with counters that allow | |||
| observation of IP-TFS packet efficiency. | observation of IP-TFS packet efficiency. | |||
| Draft [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] has a mature set of | Draft [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] has a mature set of | |||
| IPsec YANG management objects. | IPsec YANG management objects. | |||
| IP-TFS YANG augments: | IP-TFS YANG augments: | |||
| o Yang catalog entry for ietf-i2nsf-ike@2020-10-30.yang | * Yang catalog entry for ietf-i2nsf-ike@2021-07-14.yang | |||
| o Yang catalog entry for ietf-i2nsf-ikeless@20202-10-30.yang | * Yang catalog entry for ietf-i2nsf-ikeless@20202-07-14.yang | |||
| The Security Policy database entry and Security Association entry for | The Security Policy database entry and Security Association entry for | |||
| an IPsec Tunnel can be augmented with IP-TFS. | an IPsec Tunnel can be augmented with IP-TFS. | |||
| 3. YANG Management | 3. YANG Management | |||
| 3.1. YANG Tree | 3.1. YANG Tree | |||
| The following is the YANG tree diagram ([RFC8340]) for the IP-TFS | The following is the YANG tree diagram ([RFC8340]) for the IP-TFS | |||
| extensions. | extensions. | |||
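Review bot: the second catalog entry in the "IP-TFS YANG augments:" list carries a malformed five-digit year in both revisions ("ietf-i2nsf-ikeless@20202-10-30.yang" in -00, "ietf-i2nsf-ikeless@20202-07-14.yang" in -01); the -01 edit updated the month and day but left "20202" in place, so this entry should be corrected to the same form as the ietf-i2nsf-ike entry above it (presumably 2021-07-14, matching the ike entry). Several wording defects also survive unchanged from -00 in this region: "an IP-TFS packets" should be "IP-TFS packets" or "an IP-TFS packet"; "uses IP-TFS only in on direction" should read "in one direction"; "IP-TFS enable for both directions" should be "enabled"; and "observe the effect no-fragmentation on their data flows" is missing "of". Finally, -01 changed the bullet marker from "o" to "*" for the three SA-direction cases and the "Other configuration items" list but left "o Configuration" and "o Operational State" with the old marker, so the list style is now mixed within one section.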
| skipping to change at page 7, line 40 ¶ | skipping to change at page 7, line 39 ¶ | |||
| +--ro rx-all-pad-octets? uint64 | +--ro rx-all-pad-octets? uint64 | |||
| +--ro rx-extra-pad-pkts? uint64 | +--ro rx-extra-pad-pkts? uint64 | |||
| +--ro rx-extra-pad-octets? uint64 | +--ro rx-extra-pad-octets? uint64 | |||
| +--ro rx-errored-pkts? uint64 | +--ro rx-errored-pkts? uint64 | |||
| +--ro rx-missed-pkts? uint64 | +--ro rx-missed-pkts? uint64 | |||
| 3.2. YANG Module | 3.2. YANG Module | |||
| The following is the YANG module for managing the IP-TFS extensions. | The following is the YANG module for managing the IP-TFS extensions. | |||
| <CODE BEGINS> file "ietf-ipsecme-iptfs@2021-03-08.yang" | <CODE BEGINS> file "ietf-ipsecme-iptfs@2021-10-04.yang" | |||
| module ietf-ipsecme-iptfs { | module ietf-ipsecme-iptfs { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs"; | namespace "urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs"; | |||
| prefix iptfs; | prefix iptfs; | |||
| import ietf-i2nsf-ike { | import ietf-i2nsf-ike { | |||
| prefix nsfike; | prefix nsfike; | |||
| } | } | |||
| import ietf-i2nsf-ikeless { | import ietf-i2nsf-ikeless { | |||
| prefix nsfikels; | prefix nsfikels; | |||
| } | } | |||
| organization | organization | |||
| "IETF IPSECME Working Group (IPSECME)"; | "IETF IPSECME Working Group (IPSECME)"; | |||
| contact | contact | |||
| "WG Web: <https://tools.ietf.org/wg/ipsecme/> | "WG Web: <https://tools.ietf.org/wg/ipsecme/> | |||
| WG List: <mailto:ipsecme@ietf.org> | WG List: <mailto:ipsecme@ietf.org> | |||
| Author: Don Fedyk | Author: Don Fedyk | |||
| <mailto:dfedyk@labn.net> | <mailto:dfedyk@labn.net> | |||
| Author: Christian Hopps | Author: Christian Hopps | |||
| <mailto:chopps@chopps.org>"; | <mailto:chopps@chopps.org>"; | |||
| // RFC Ed.: replace XXXX with actual RFC number and | // RFC Ed.: replace XXXX with actual RFC number and | |||
| // remove this note. | // remove this note. | |||
| description | description | |||
| "This module defines the configuration and operational state for | "This module defines the configuration and operational state for | |||
| managing the IP Traffic Flow Security functionality [RFC XXXX]. | managing the IP Traffic Flow Security functionality [RFC XXXX]. | |||
| Copyright (c) 2020 IETF Trust and the persons identified as | Copyright (c) 2020 IETF Trust and the persons identified as | |||
| authors of the code. All rights reserved. | authors of the code. All rights reserved. | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject to | without modification, is permitted pursuant to, and subject to | |||
| the license terms contained in, the Simplified BSD License set | the license terms contained in, the Simplified BSD License set | |||
| forth in Section 4.c of the IETF Trust's Legal Provisions | forth in Section 4.c of the IETF Trust's Legal Provisions | |||
| Relating to IETF Documents | Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC XXXX | This version of this YANG module is part of RFC XXXX | |||
| (https://tools.ietf.org/html/rfcXXXX); see the RFC itself for | (https://tools.ietf.org/html/rfcXXXX); see the RFC itself for | |||
| full legal notices."; | full legal notices."; | |||
| revision 2021-03-08 { | revision 2021-10-04 { | |||
| description | description | |||
| "Initial Revision"; | "Initial Revision"; | |||
| reference | reference | |||
| "RFC XXXX: IP Traffic Flow Security YANG Module"; | "RFC XXXX: IP Traffic Flow Security YANG Module"; | |||
| } | } | |||
| feature ipsec-stats { | feature ipsec-stats { | |||
| description | description | |||
| "This feature indicates the device supports | "This feature indicates the device supports | |||
| per SA IPsec statistics"; | per SA IPsec statistics"; | |||
| } | } | |||
| feature iptfs-stats { | feature iptfs-stats { | |||
| description | description | |||
| "This feature indicates the device supports | "This feature indicates the device supports | |||
| per SA IP Traffic Flow Security statistics"; | per SA IP Traffic Flow Security statistics"; | |||
| } | } | |||
| /*--------------------*/ | /*--------------------*/ | |||
| /* groupings */ | /* groupings */ | |||
| /*--------------------*/ | /*--------------------*/ | |||
| grouping ipsec-tx-stat-grouping { | grouping ipsec-tx-stat-grouping { | |||
| description | description | |||
| "IPsec outbound statistics"; | "IPsec outbound statistics"; | |||
| leaf tx-pkts { | leaf tx-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Outbound Packet count"; | "Outbound Packet count"; | |||
| } | } | |||
| leaf tx-octets { | leaf tx-octets { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Outbound Packet bytes"; | "Outbound Packet bytes"; | |||
| } | } | |||
| leaf tx-drop-pkts { | leaf tx-drop-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Outbound dropped packets count"; | "Outbound dropped packets count"; | |||
| } | } | |||
| } | } | |||
| grouping ipsec-rx-stat-grouping { | grouping ipsec-rx-stat-grouping { | |||
| description | description | |||
| "IPsec inbound statistics"; | "IPsec inbound statistics"; | |||
| leaf rx-pkts { | leaf rx-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Inbound Packet count"; | "Inbound Packet count"; | |||
| } | } | |||
| leaf rx-octets { | leaf rx-octets { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Inbound Packet bytes"; | "Inbound Packet bytes"; | |||
| } | } | |||
| leaf rx-drop-pkts { | leaf rx-drop-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Inbound dropped packets count"; | "Inbound dropped packets count"; | |||
| } | } | |||
| } | } | |||
| grouping iptfs-inner-tx-stat-grouping { | grouping iptfs-inner-tx-stat-grouping { | |||
| description | description | |||
| "IP-TFS outbound inner packet statistics"; | "IP-TFS outbound inner packet statistics"; | |||
| leaf tx-pkts { | leaf tx-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS inner packets sent. This | "Total number of IP-TFS inner packets sent. This | |||
| count is whole packets only. A fragmented packet | count is whole packets only. A fragmented packet | |||
| counts as one packet"; | counts as one packet"; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs"; | |||
| } | } | |||
| leaf tx-octets { | leaf tx-octets { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS inner octets sent. This is | "Total number of IP-TFS inner octets sent. This is | |||
| inner packet octets only. Does not count padding."; | inner packet octets only. Does not count padding."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs"; | |||
| } | } | |||
| } | } | |||
| grouping iptfs-outer-tx-stat-grouping { | grouping iptfs-outer-tx-stat-grouping { | |||
| description | description | |||
| "IP-TFS outbound inner packet statistics"; | "IP-TFS outbound inner packet statistics"; | |||
| leaf tx-all-pad-pkts { | leaf tx-all-pad-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of transmitted IP-TFS packets that | "Total number of transmitted IP-TFS packets that | |||
| were all padding with no inner packet data."; | were all padding with no inner packet data."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.3"; | "draft-ietf-ipsecme-iptfs section 2.2.3"; | |||
| } | } | |||
| leaf tx-all-pad-octets { | leaf tx-all-pad-octets { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number transmitted octets of padding added to | "Total number transmitted octets of padding added to | |||
| IP-TFS packets with no inner packet data."; | IP-TFS packets with no inner packet data."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.3"; | "draft-ietf-ipsecme-iptfs section 2.2.3"; | |||
| } | } | |||
| leaf tx-extra-pad-pkts { | leaf tx-extra-pad-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of transmitted outer IP-TFS packets | "Total number of transmitted outer IP-TFS packets | |||
| that included some padding."; | that included some padding."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | |||
| } | } | |||
| leaf tx-extra-pad-octets { | leaf tx-extra-pad-octets { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of transmitted octets of padding added | "Total number of transmitted octets of padding added | |||
| to outer IP-TFS packets with data."; | to outer IP-TFS packets with data."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | |||
| } | } | |||
| } | } | |||
| grouping iptfs-inner-rx-stat-grouping { | grouping iptfs-inner-rx-stat-grouping { | |||
| description | description | |||
| "IP-TFS inner packet inbound statistics"; | "IP-TFS inner packet inbound statistics"; | |||
| leaf rx-pkts { | leaf rx-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS inner packets received."; | "Total number of IP-TFS inner packets received."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2"; | "draft-ietf-ipsecme-iptfs section 2.2"; | |||
| } | } | |||
| leaf rx-octets { | leaf rx-octets { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS inner octets received. Does | "Total number of IP-TFS inner octets received. Does | |||
| not include padding or overhead"; | not include padding or overhead"; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2"; | "draft-ietf-ipsecme-iptfs section 2.2"; | |||
| } | } | |||
| leaf rx-incomplete-pkts { | leaf rx-incomplete-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS inner packets that were | "Total number of IP-TFS inner packets that were | |||
| incomplete. Usually this is due to fragments not | incomplete. Usually this is due to fragments not | |||
| received. Also, this may be due to misordering or | received. Also, this may be due to misordering or | |||
| errors in received outer packets."; | errors in received outer packets."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs"; | |||
| } | } | |||
| } | } | |||
| grouping iptfs-outer-rx-stat-grouping { | grouping iptfs-outer-rx-stat-grouping { | |||
| description | description | |||
| "IP-TFS outer packet inbound statistics"; | "IP-TFS outer packet inbound statistics"; | |||
| leaf rx-all-pad-pkts { | leaf rx-all-pad-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of received IP-TFS packets that were | "Total number of received IP-TFS packets that were | |||
| all padding with no inner packet data."; | all padding with no inner packet data."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.3"; | "draft-ietf-ipsecme-iptfs section 2.2.3"; | |||
| } | } | |||
| leaf rx-all-pad-octets { | leaf rx-all-pad-octets { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number received octets of padding added to | "Total number received octets of padding added to | |||
| IP-TFS packets with no inner packet data."; | IP-TFS packets with no inner packet data."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.3"; | "draft-ietf-ipsecme-iptfs section 2.2.3"; | |||
| } | } | |||
| leaf rx-extra-pad-pkts { | leaf rx-extra-pad-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of received outer IP-TFS packets that | "Total number of received outer IP-TFS packets that | |||
| included some padding."; | included some padding."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | |||
| } | } | |||
| leaf rx-extra-pad-octets { | leaf rx-extra-pad-octets { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of received octets of padding added to | "Total number of received octets of padding added to | |||
| outer IP-TFS packets with data."; | outer IP-TFS packets with data."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | |||
| } | } | |||
| leaf rx-errored-pkts { | leaf rx-errored-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS outer packets dropped due to | "Total number of IP-TFS outer packets dropped due to | |||
| errors."; | errors."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs"; | |||
| } | } | |||
| leaf rx-missed-pkts { | leaf rx-missed-pkts { | |||
| type uint64; | type uint64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS outer packets missing | "Total number of IP-TFS outer packets missing | |||
| indicated by missing sequence number."; | indicated by missing sequence number."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs"; | |||
| } | } | |||
| } | } | |||
| grouping iptfs-config { | grouping iptfs-config { | |||
| description | description | |||
| "This is the grouping for iptfs configuration"; | "This is the grouping for iptfs configuration"; | |||
| container traffic-flow-security { | container traffic-flow-security { | |||
| // config true; want this so we can refine? | // config true; want this so we can refine? | |||
| description | description | |||
| "Configure the IPSec TFS in Security | "Configure the IPSec TFS in Security | |||
| Association Database (SAD)"; | Association Database (SAD)"; | |||
| leaf congestion-control { | leaf congestion-control { | |||
| type boolean; | type boolean; | |||
| default "true"; | default "true"; | |||
| description | description | |||
| "Congestion Control With the congestion controlled | "Congestion Control With the congestion controlled | |||
| mode, IP-TFS adapts to network congestion by | mode, IP-TFS adapts to network congestion by | |||
| lowering the packet send rate to accommodate the | lowering the packet send rate to accommodate the | |||
| congestion, as well as raising the rate when | congestion, as well as raising the rate when | |||
| congestion subsides."; | congestion subsides."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.5.2"; | "draft-ietf-ipsecme-iptfs section 2.5.2"; | |||
| } | } | |||
| container packet-size { | container packet-size { | |||
| description | description | |||
| "Packet size is either auto-discovered or manually | "Packet size is either auto-discovered or manually | |||
| configured."; | configured."; | |||
| leaf use-path-mtu-discovery { | leaf use-path-mtu-discovery { | |||
| type boolean; | type boolean; | |||
| default "true"; | default "true"; | |||
| description | description | |||
| "Utilize path mtu discovery to determine maximum IP-TFS | "Utilize path mtu discovery to determine maximum IP-TFS | |||
| packet size. If the packet size is explicitly | packet size. If the packet size is explicitly | |||
| configured, then it will only be adjusted downward | configured, then it will only be adjusted downward | |||
| if use-path-mtu-discovery is set."; | if use-path-mtu-discovery is set."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 4.2"; | "draft-ietf-ipsecme-iptfs section 4.2"; | |||
| } | } | |||
| leaf outer-packet-size { | leaf outer-packet-size { | |||
| type uint16; | type uint16; | |||
| description | description | |||
| "The size of the outer encapsulating tunnel packet (i.e., | "The size of the outer encapsulating tunnel packet (i.e., | |||
| the IP packet containing the ESP payload)."; | the IP packet containing the ESP payload)."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 4.2"; | "draft-ietf-ipsecme-iptfs section 4.2"; | |||
| } | } | |||
| } | } | |||
| choice tunnel-rate { | choice tunnel-rate { | |||
| description | description | |||
| "TFS bit rate may be specified at layer 2 wire | "TFS bit rate may be specified at layer 2 wire | |||
| rate or layer 3 packet rate"; | rate or layer 3 packet rate"; | |||
| leaf l2-fixed-rate { | leaf l2-fixed-rate { | |||
| type uint64; | type uint64; | |||
| description | description | |||
| "Target bandwidth/bit rate in bps for iptfs tunnel. This | "Target bandwidth/bit rate in bps for iptfs tunnel. This | |||
| fixed rate is the nominal timing for the fixed size packet. | fixed rate is the nominal timing for the fixed size packet. | |||
| If congestion control is enabled the rate may be adjusted | If congestion control is enabled the rate may be adjusted | |||
| down (or up if unset)."; | down (or up if unset)."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 4.1"; | "draft-ietf-ipsecme-iptfs section 4.1"; | |||
| } | } | |||
| leaf l3-fixed-rate { | leaf l3-fixed-rate { | |||
| type uint64; | type uint64; | |||
| description | description | |||
| "Target bandwidth/bit rate in bps for iptfs tunnel. This | "Target bandwidth/bit rate in bps for iptfs tunnel. This | |||
| fixed rate is the nominal timing for the fixed size packet. | fixed rate is the nominal timing for the fixed size packet. | |||
| If congestion control is enabled the rate may be adjusted | If congestion control is enabled the rate may be adjusted | |||
| down (or up if unset)."; | down (or up if unset)."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 4.1"; | "draft-ietf-ipsecme-iptfs section 4.1"; | |||
| } | } | |||
| } | } | |||
| leaf dont-fragment { | leaf dont-fragment { | |||
| type boolean; | type boolean; | |||
| default "false"; | default "false"; | |||
| description | description | |||
| "Disable packet fragmentation across consecutive iptfs | "Disable packet fragmentation across consecutive iptfs | |||
| tunnel packets"; | tunnel packets"; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.4 and 6.4.1"; | "draft-ietf-ipsecme-iptfs section 2.2.4 and 6.4.1"; | |||
| } | } | |||
| leaf max-aggregation-time { | leaf max-aggregation-time { | |||
| type decimal64 { | type decimal64 { | |||
| fraction-digits 6; | fraction-digits 6; | |||
| } | } | |||
| units "milliseconds"; | units "milliseconds"; | |||
| description | description | |||
| "Maximum Aggregation Time in Milliseconds | "Maximum Aggregation Time in Milliseconds | |||
| or fractional milliseconds down to 1 nanosecond"; | or fractional milliseconds down to 1 nanosecond"; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| /* | /* | |||
| * IP-TFS ike configuration | * IP-TFS ike configuration | |||
| */ | */ | |||
| augment "/nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd/" | augment "/nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd/" | |||
| + "nsfike:spd-entry/" | + "nsfike:spd-entry/" | |||
| + "nsfike:ipsec-policy-config/" | + "nsfike:ipsec-policy-config/" | |||
| + "nsfike:processing-info/" | + "nsfike:processing-info/" | |||
| + "nsfike:ipsec-sa-cfg" { | + "nsfike:ipsec-sa-cfg" { | |||
| description | description | |||
| "IP-TFS configuration for this policy."; | "IP-TFS configuration for this policy."; | |||
| uses iptfs-config; | uses iptfs-config; | |||
| } | } | |||
| augment "/nsfike:ipsec-ike/nsfike:conn-entry/" | augment "/nsfike:ipsec-ike/nsfike:conn-entry/" | |||
| + "nsfike:child-sa-info" { | + "nsfike:child-sa-info" { | |||
| description | description | |||
| "IP-TFS configured on this SA."; | "IP-TFS configured on this SA."; | |||
| uses iptfs-config { | uses iptfs-config { | |||
| refine "traffic-flow-security" { | refine "traffic-flow-security" { | |||
| config false; | config false; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| /* | /* | |||
| * IP-TFS ikeless configuration | * IP-TFS ikeless configuration | |||
| */ | */ | |||
| augment "/nsfikels:ipsec-ikeless/nsfikels:spd/" | augment "/nsfikels:ipsec-ikeless/nsfikels:spd/" | |||
| + "nsfikels:spd-entry/" | + "nsfikels:spd-entry/" | |||
| + "nsfikels:ipsec-policy-config/" | + "nsfikels:ipsec-policy-config/" | |||
| + "nsfikels:processing-info/" | + "nsfikels:processing-info/" | |||
| + "nsfikels:ipsec-sa-cfg" { | + "nsfikels:ipsec-sa-cfg" { | |||
| description | description | |||
| "IP-TFS configuration for this policy."; | "IP-TFS configuration for this policy."; | |||
| uses iptfs-config; | uses iptfs-config; | |||
| } | } | |||
| augment "/nsfikels:ipsec-ikeless/nsfikels:sad/" | augment "/nsfikels:ipsec-ikeless/nsfikels:sad/" | |||
| + "nsfikels:sad-entry" { | + "nsfikels:sad-entry" { | |||
| description | description | |||
| "IP-TFS configured on this SA."; | "IP-TFS configured on this SA."; | |||
| uses iptfs-config { | uses iptfs-config { | |||
| refine "traffic-flow-security" { | refine "traffic-flow-security" { | |||
| config false; | config false; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| /* | /* | |||
| * packet counters | * packet counters | |||
| */ | */ | |||
| augment "/nsfike:ipsec-ike/nsfike:conn-entry/" | augment "/nsfike:ipsec-ike/nsfike:conn-entry/" | |||
| + "nsfike:child-sa-info" { | + "nsfike:child-sa-info" { | |||
| description | description | |||
| "Per SA Counters"; | "Per SA Counters"; | |||
| container ipsec-stats { | container ipsec-stats { | |||
| if-feature "ipsec-stats"; | if-feature "ipsec-stats"; | |||
| config false; | config false; | |||
| description | description | |||
| "IPsec per SA packet counters."; | "IPsec per SA packet counters."; | |||
| uses ipsec-tx-stat-grouping { | uses ipsec-tx-stat-grouping { | |||
| //when "direction = 'outbound'"; | //when "direction = 'outbound'"; | |||
| } | } | |||
| uses ipsec-rx-stat-grouping { | uses ipsec-rx-stat-grouping { | |||
| //when "direction = 'inbound'"; | //when "direction = 'inbound'"; | |||
| } | } | |||
| } | } | |||
| container iptfs-inner-pkt-stats { | container iptfs-inner-pkt-stats { | |||
| if-feature "iptfs-stats"; | if-feature "iptfs-stats"; | |||
| config false; | config false; | |||
| description | description | |||
| "IPTFS per SA inner packet counters."; | "IPTFS per SA inner packet counters."; | |||
| uses iptfs-inner-tx-stat-grouping { | uses iptfs-inner-tx-stat-grouping { | |||
| //when "direction = 'outbound'"; | //when "direction = 'outbound'"; | |||
| } | } | |||
| uses iptfs-inner-rx-stat-grouping { | uses iptfs-inner-rx-stat-grouping { | |||
| //when "direction = 'inbound'"; | //when "direction = 'inbound'"; | |||
| } | } | |||
| } | } | |||
| container iptfs-outer-pkt-stats { | container iptfs-outer-pkt-stats { | |||
| if-feature "iptfs-stats"; | if-feature "iptfs-stats"; | |||
| config false; | config false; | |||
| description | description | |||
| "IPTFS per SA outer packets counters."; | "IPTFS per SA outer packets counters."; | |||
| uses iptfs-outer-tx-stat-grouping { | uses iptfs-outer-tx-stat-grouping { | |||
| //when "direction = 'outbound'"; | //when "direction = 'outbound'"; | |||
| } | } | |||
| uses iptfs-outer-rx-stat-grouping { | uses iptfs-outer-rx-stat-grouping { | |||
| //when "direction = 'inbound'"; | //when "direction = 'inbound'"; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| /* | /* | |||
| * packet counters | * packet counters | |||
| */ | */ | |||
| augment "/nsfikels:ipsec-ikeless/nsfikels:sad/" | augment "/nsfikels:ipsec-ikeless/nsfikels:sad/" | |||
| + "nsfikels:sad-entry" { | + "nsfikels:sad-entry" { | |||
| description | description | |||
| "Per SA Counters"; | "Per SA Counters"; | |||
| container ipsec-stats { | container ipsec-stats { | |||
| if-feature "ipsec-stats"; | if-feature "ipsec-stats"; | |||
| config false; | config false; | |||
| description | description | |||
| "IPsec per SA packet counters."; | "IPsec per SA packet counters."; | |||
| uses ipsec-tx-stat-grouping { | uses ipsec-tx-stat-grouping { | |||
| //when "direction = 'outbound'"; | //when "direction = 'outbound'"; | |||
| } | } | |||
| uses ipsec-rx-stat-grouping { | uses ipsec-rx-stat-grouping { | |||
| //when "direction = 'inbound'"; | //when "direction = 'inbound'"; | |||
| } | } | |||
| } | } | |||
| container iptfs-inner-pkt-stats { | container iptfs-inner-pkt-stats { | |||
| if-feature "iptfs-stats"; | if-feature "iptfs-stats"; | |||
| config false; | config false; | |||
| description | description | |||
| "IPTFS per SA inner packet counters."; | "IPTFS per SA inner packet counters."; | |||
| uses iptfs-inner-tx-stat-grouping { | uses iptfs-inner-tx-stat-grouping { | |||
| //when "direction = 'outbound'"; | //when "direction = 'outbound'"; | |||
| } | } | |||
| uses iptfs-inner-rx-stat-grouping { | uses iptfs-inner-rx-stat-grouping { | |||
| //when "direction = 'inbound'"; | //when "direction = 'inbound'"; | |||
| } | } | |||
| } | } | |||
| container iptfs-outer-pkt-stats { | container iptfs-outer-pkt-stats { | |||
| if-feature "iptfs-stats"; | if-feature "iptfs-stats"; | |||
| config false; | config false; | |||
| description | description | |||
| "IPTFS per SA outer packets counters."; | "IPTFS per SA outer packets counters."; | |||
| uses iptfs-outer-tx-stat-grouping { | uses iptfs-outer-tx-stat-grouping { | |||
| //when "direction = 'outbound'"; | //when "direction = 'outbound'"; | |||
| } | } | |||
| uses iptfs-outer-rx-stat-grouping { | uses iptfs-outer-rx-stat-grouping { | |||
| //when "direction = 'inbound'"; | //when "direction = 'inbound'"; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| <CODE ENDS> | <CODE ENDS> | |||
| 4. IANA Considerations | 4. IANA Considerations | |||
| 4.1. Updates to the IETF XML Registry | 4.1. Updates to the IETF XML Registry | |||
| This document registers a URI in the "IETF XML Registry" [RFC3688]. | This document registers a URI in the "IETF XML Registry" [RFC3688]. | |||
| Following the format in [RFC3688], the following registration has | Following the format in [RFC3688], the following registration has | |||
| been made: | been made: | |||
| URI: | URI: | |||
| skipping to change at page 19, line 36 ¶ | skipping to change at page 19, line 36 ¶ | |||
| The authors would like to thank Eric Kinzie for his feedback on the | The authors would like to thank Eric Kinzie for his feedback on the | |||
| YANG model. | YANG model. | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] | [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] | |||
| Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez- | Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez- | |||
| Garcia, "Software-Defined Networking (SDN)-based IPsec | Garcia, "A YANG Data Model for IPsec Flow Protection Based | |||
| Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow- | on Software-Defined Networking (SDN)", Work in Progress, | |||
| protection-12 (work in progress), October 2020. | Internet-Draft, draft-ietf-i2nsf-sdn-ipsec-flow- | |||
| protection-14, 25 March 2021, | ||||
| <https://www.ietf.org/archive/id/draft-ietf-i2nsf-sdn- | ||||
| ipsec-flow-protection-14.txt>. | ||||
| [I-D.ietf-ipsecme-iptfs] | [I-D.ietf-ipsecme-iptfs] | |||
| Hopps, C., "IP-TFS: IP Traffic Flow Security Using | Hopps, C., "IP-TFS: Aggregation and Fragmentation Mode for | |||
| Aggregation and Fragmentation", draft-ietf-ipsecme- | ESP and its Use for IP Traffic Flow Security", Work in | |||
| iptfs-06 (work in progress), January 2021. | Progress, Internet-Draft, draft-ietf-ipsecme-iptfs-10, 3 | |||
| September 2021, <https://www.ietf.org/archive/id/draft- | ||||
| ietf-ipsecme-iptfs-10.txt>. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | |||
| Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, | Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, | |||
| December 2005, <https://www.rfc-editor.org/info/rfc4301>. | December 2005, <https://www.rfc-editor.org/info/rfc4301>. | |||
| skipping to change at page 22, line 37 ¶ | skipping to change at page 22, line 37 ¶ | |||
| <tfs:max-aggregation-time | <tfs:max-aggregation-time | |||
| >0.1</tfs:max-aggregation-time> | >0.1</tfs:max-aggregation-time> | |||
| </tfs:traffic-flow-security> | </tfs:traffic-flow-security> | |||
| </i:ipsec-sa-cfg> | </i:ipsec-sa-cfg> | |||
| </i:processing-info> | </i:processing-info> | |||
| </i:ipsec-policy-config> | </i:ipsec-policy-config> | |||
| </i:spd-entry> | </i:spd-entry> | |||
| </i:spd> | </i:spd> | |||
| </i:ipsec-ikeless> | </i:ipsec-ikeless> | |||
| Figure 1: Example IP-TFS XML configuration | Figure 1: Example IP-TFS XML configuration | |||
| A.2. Example XML Operational Data | A.2. Example XML Operational Data | |||
| This example illustrates operational data for IP-TFS in the ikeless | This example illustrates operational data for IP-TFS in the ikeless | |||
| case. Note that, since this augments the IPsec ikeless schema, only the | case. Note that, since this augments the IPsec ikeless schema, only the | |||
| minimal ikeless configuration needed to satisfy the schema has been | minimal ikeless configuration needed to satisfy the schema has been | |||
| populated. | populated. | |||
| <i:ipsec-ikeless | <i:ipsec-ikeless | |||
| xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" | xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" | |||
| skipping to change at page 23, line 30 ¶ | skipping to change at page 23, line 30 ¶ | |||
| <tfs:packet-size> | <tfs:packet-size> | |||
| <tfs:use-path-mtu-discovery>true</tfs:use-path-mtu-discovery> | <tfs:use-path-mtu-discovery>true</tfs:use-path-mtu-discovery> | |||
| </tfs:packet-size> | </tfs:packet-size> | |||
| <tfs:l2-fixed-rate>1000000000</tfs:l2-fixed-rate> | <tfs:l2-fixed-rate>1000000000</tfs:l2-fixed-rate> | |||
| <tfs:max-aggregation-time>0.100</tfs:max-aggregation-time> | <tfs:max-aggregation-time>0.100</tfs:max-aggregation-time> | |||
| </tfs:traffic-flow-security> | </tfs:traffic-flow-security> | |||
| </i:sad-entry> | </i:sad-entry> | |||
| </i:sad> | </i:sad> | |||
| </i:ipsec-ikeless> | </i:ipsec-ikeless> | |||
| Figure 2: Example IP-TFS XML Operational data | Figure 2: Example IP-TFS XML Operational data | |||
| A.3. Example JSON Configuration | A.3. Example JSON Configuration | |||
| This example illustrates config data for IP-TFS in the IKE case. | This example illustrates config data for IP-TFS in the IKE case. | |||
| Note that, since this augments the IPsec IKE schema, only the minimal | Note that, since this augments the IPsec IKE schema, only the minimal | |||
| IKE configuration needed to satisfy the schema has been populated. | IKE configuration needed to satisfy the schema has been populated. | |||
| { | { | |||
| "ietf-i2nsf-ike:ipsec-ike": { | "ietf-i2nsf-ike:ipsec-ike": { | |||
| "ietf-i2nsf-ike:conn-entry": [ | "ietf-i2nsf-ike:conn-entry": [ | |||
| skipping to change at page 25, line 38 ¶ | skipping to change at page 25, line 38 ¶ | |||
| "use-path-mtu-discovery": "true" | "use-path-mtu-discovery": "true" | |||
| }, | }, | |||
| "max-aggregation-time": "0.1" | "max-aggregation-time": "0.1" | |||
| } | } | |||
| } | } | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
| } | } | |||
| Figure 4: Example IP-TFS JSON Operational data | Figure 4: Example IP-TFS JSON Operational data | |||
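The module above types l2/l3-fixed-rate as uint64, max-aggregation-time as decimal64 with six fraction digits (milliseconds, so nanosecond resolution), and dont-fragment as a boolean, and Figures 1 through 4 show instances of those leaves. The following is an added example, not code from the draft or its authors: a Python checker that validates a traffic-flow-security container as it would appear in the RFC 7951 JSON encoding (uint64 and decimal64 carried as strings, booleans as literals) and derives the nominal outer-packet send interval a fixed rate implies. It assumes that l2-fixed-rate and l3-fixed-rate are alternatives of one YANG choice, that the fixed outer size lives in an assumed leaf named packet-size/fixed-size (the page shows only use-path-mtu-discovery inside packet-size), and an Ethernet overhead of 18 bytes per frame for the L2 rate; the sample instance is constructed from the values in Figures 2 and 4.

```python
"""Added example (not from the draft): validate IP-TFS leaves from an
RFC 7951 JSON instance and derive the fixed-rate outer-packet timing."""
from decimal import Decimal, InvalidOperation
from fractions import Fraction

UINT64_MAX = 2**64 - 1
ASSUMED_L2_OVERHEAD_BYTES = 18      # assumption: Ethernet header + FCS per frame
ASSUMED_FIXED_SIZE_LEAF = "fixed-size"  # assumption: leaf name under packet-size


def _parse_boolean(value, leaf, warnings):
    """RFC 7951 uses the literals true/false; the draft's JSON figures write
    "true" as a string, so accept that spelling but record a warning."""
    if isinstance(value, bool):
        return value
    if value in ("true", "false"):
        warnings.append(f"{leaf}: boolean encoded as a string, RFC 7951 uses a literal")
        return value == "true"
    raise ValueError(f"{leaf}: {value!r} is not a boolean")


def _parse_uint64(value, leaf):
    """RFC 7951 carries uint64 as a JSON string; a bare int is accepted too."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError(f"{leaf}: {value!r} is not a uint64")
    if isinstance(value, str):
        if not value.isdigit():
            raise ValueError(f"{leaf}: {value!r} is not an unsigned integer")
        value = int(value)
    if not 0 <= value <= UINT64_MAX:
        raise ValueError(f"{leaf}: {value} is outside the uint64 range")
    return value


def _parse_decimal64(value, leaf, fraction_digits=6):
    """decimal64 with fraction-digits 6: at most six digits after the point,
    and the value scaled by 10^6 must fit a signed 64-bit integer."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError(f"{leaf}: {value!r} is not a decimal64")
    try:
        d = Decimal(str(value))
    except InvalidOperation:
        raise ValueError(f"{leaf}: {value!r} is not a decimal number") from None
    if not d.is_finite():
        raise ValueError(f"{leaf}: value must be finite")
    # normalize() drops trailing zeros, so "0.100" counts as one fraction digit
    if -d.normalize().as_tuple().exponent > fraction_digits:
        raise ValueError(f"{leaf}: more than {fraction_digits} fraction digits")
    if not -(2**63) <= int(d.scaleb(fraction_digits)) <= 2**63 - 1:
        raise ValueError(f"{leaf}: outside the decimal64 range")
    return d


def validate_iptfs_config(tfs):
    """Validate one traffic-flow-security container; return a normalized dict
    or raise ValueError for a value the module's types do not allow."""
    out = {"warnings": []}
    # dont-fragment has default "false" in the module
    out["dont_fragment"] = _parse_boolean(tfs.get("dont-fragment", False),
                                          "dont-fragment", out["warnings"])
    # assumption: the two rate leaves are alternatives of one YANG choice
    rates = [k for k in ("l2-fixed-rate", "l3-fixed-rate") if k in tfs]
    if len(rates) > 1:
        raise ValueError("l2-fixed-rate and l3-fixed-rate are mutually exclusive")
    if rates:
        bps = _parse_uint64(tfs[rates[0]], rates[0])
        if bps == 0:
            raise ValueError(f"{rates[0]}: a fixed rate of 0 bps sends nothing")
        out["rate_layer"], out["rate_bps"] = rates[0][:2], bps
    ps = tfs.get("packet-size", {})
    out["use_pmtud"] = _parse_boolean(ps.get("use-path-mtu-discovery", False),
                                      "use-path-mtu-discovery", out["warnings"])
    if ASSUMED_FIXED_SIZE_LEAF in ps:
        size = _parse_uint64(ps[ASSUMED_FIXED_SIZE_LEAF], ASSUMED_FIXED_SIZE_LEAF)
        if not 1 <= size <= 65535:
            raise ValueError(f"{ASSUMED_FIXED_SIZE_LEAF}: {size} is not an IP packet size")
        out["fixed_size"] = size
    if "max-aggregation-time" in tfs:
        out["max_aggregation_time_ms"] = _parse_decimal64(
            tfs["max-aggregation-time"], "max-aggregation-time")
    return out


def iptfs_config_error(tfs):
    """Return the first validation error message, or None when tfs is valid."""
    try:
        validate_iptfs_config(tfs)
    except ValueError as exc:
        return str(exc)
    return None


def outer_packet_interval_us(rate_bps, outer_packet_bytes, rate_layer="l3"):
    """Exact nominal send interval (microseconds) for fixed-size outer packets
    at the fixed rate; an L2 rate also counts the assumed framing overhead."""
    wire_bytes = outer_packet_bytes + (ASSUMED_L2_OVERHEAD_BYTES if rate_layer == "l2" else 0)
    return Fraction(wire_bytes * 8 * 1_000_000, rate_bps)


# Constructed instance using the values shown in Figures 2 and 4 of this page
SAMPLE_CONFIG = {
    "packet-size": {"use-path-mtu-discovery": "true"},
    "l3-fixed-rate": "1000000000",
    "max-aggregation-time": "0.1",
}

if __name__ == "__main__":
    cfg = validate_iptfs_config(SAMPLE_CONFIG)
    print(cfg)
    print("1500-byte outer packets every",
          float(outer_packet_interval_us(cfg["rate_bps"], 1500, cfg["rate_layer"])), "us")
```

Running the sample reports one warning (the string-spelled boolean from Figure 4) and an interval of 12 microseconds, which is the timing a 1 Gbps L3 fixed rate imposes on 1500-byte outer packets regardless of whether any inner traffic exists; that constant cadence, not the payload, is what an observer on the path sees.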
| A.5. Example JSON Operational Statistics | A.5. Example JSON Operational Statistics | |||
| This example shows the JSON-formatted statistics for IP-TFS. Note that | This example shows the JSON-formatted statistics for IP-TFS. Note that | |||
| a unidirectional IP-TFS transmit side is illustrated, with arbitrary | a unidirectional IP-TFS transmit side is illustrated, with arbitrary | |||
| numbers for transmit. | numbers for transmit. | |||
| { | { | |||
| "ietf-i2nsf-ikeless:ipsec-ikeless": { | "ietf-i2nsf-ikeless:ipsec-ikeless": { | |||
| "sad": { | "sad": { | |||
| skipping to change at page 26, line 51 ¶ | skipping to change at page 26, line 51 ¶ | |||
| "packets": 1000, | "packets": 1000, | |||
| "idle": 5 | "idle": 5 | |||
| } | } | |||
| } | } | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
| } | } | |||
| } | } | |||
| Figure 5: Example IP-TFS JSON Statistics | Figure 5: Example IP-TFS JSON Statistics | |||
| Authors' Addresses | Authors' Addresses | |||
| Don Fedyk | Don Fedyk | |||
| LabN Consulting, L.L.C. | LabN Consulting, L.L.C. | |||
| Email: dfedyk@labn.net | Email: dfedyk@labn.net | |||
| Christian Hopps | Christian Hopps | |||
| LabN Consulting, L.L.C. | LabN Consulting, L.L.C. | |||
| End of changes. 51 change blocks. | ||||
| 503 lines changed or deleted | 507 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||