| < draft-ietf-ipsecme-yang-iptfs-01.txt | draft-ietf-ipsecme-yang-iptfs-02.txt > | |||
|---|---|---|---|---|
| Network Working Group D. Fedyk | Network Working Group D. Fedyk | |||
| Internet-Draft C. Hopps | Internet-Draft C. Hopps | |||
| Intended status: Standards Track LabN Consulting, L.L.C. | Intended status: Standards Track LabN Consulting, L.L.C. | |||
| Expires: 7 April 2022 4 October 2021 | Expires: 28 April 2022 25 October 2021 | |||
| IP Traffic Flow Security YANG Module | A YANG Data Model for IP Traffic Flow Security | |||
| draft-ietf-ipsecme-yang-iptfs-01 | draft-ietf-ipsecme-yang-iptfs-02 | |||
| Abstract | Abstract | |||
| This document describes a yang module for the management of IP | This document describes a yang module for the management of IP | |||
| Traffic Flow Security additions to IKEv2 and IPsec. | Traffic Flow Security additions to IKEv2 and IPsec. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
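Review bot: the abstract line "This document describes a yang module" writes YANG in lower case in both revisions; everywhere else the draft (and RFC 7950, which it cites) uses "YANG module", so the new revision should fix the capitalisation in the abstract while it is being retitled.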
| skipping to change at page 1, line 31 ¶ | skipping to change at page 1, line 31 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 7 April 2022. | This Internet-Draft will expire on 28 April 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 2, line 41 ¶ | skipping to change at page 2, line 41 ¶ | |||
| This document defines a YANG module [RFC7950] for the management of | This document defines a YANG module [RFC7950] for the management of | |||
| the IP Traffic Flow Security (IP-TFS) extensions as defined in | the IP Traffic Flow Security (IP-TFS) extensions as defined in | |||
| [I-D.ietf-ipsecme-iptfs]. IP-TFS provides enhancements to an IPsec | [I-D.ietf-ipsecme-iptfs]. IP-TFS provides enhancements to an IPsec | |||
| tunnel Security Association to provide improved traffic | tunnel Security Association to provide improved traffic | |||
| confidentiality. Traffic confidentiality reduces the ability of | confidentiality. Traffic confidentiality reduces the ability of | |||
| traffic analysis to determine identity and correlate observable | traffic analysis to determine identity and correlate observable | |||
| traffic patterns. IP-TFS offers efficiency when aggregating traffic | traffic patterns. IP-TFS offers efficiency when aggregating traffic | |||
| in fixed size IPsec tunnel packets. | in fixed size IPsec tunnel packets. | |||
| The YANG data model in this document conforms to the Network | The YANG data model in this document conforms to the Network | |||
| Management Datastore Architecture defined in [RFC8342]. | Management Datastore Architecture (NMDA) defined in [RFC8342]. | |||
| The only actively published YANG modules for IPsec are found in | The published YANG modules for IPsec are defined in [RFC9061]. This | |||
| [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]. This document uses these | document uses these models as a general IPsec model that is augmented | |||
| models as a general IPsec model that can be augmented. The models in | for IP-TFS. The models in [RFC9061] provide for both an IKE and an | |||
| [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] provide for an ike and an | IKELESS model. | |||
| ikeless model. | ||||
| 1.1. Terminology & Concepts | 1.1. Terminology & Concepts | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| [RFC2119] [RFC8174] when, and only when, they appear in all capitals, | [RFC2119] [RFC8174] when, and only when, they appear in all capitals, | |||
| as shown here. | as shown here. | |||
| 2. Overview | 2. Overview | |||
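Review bot: in the rewritten paragraph "The models in [RFC9061] provide for both an IKE and an IKELESS model", the all-capitals "IKELESS" reads like an acronym; RFC 9061 names the two cases the "IKE case" and the "IKE-less case", so suggest "an IKE and an IKE-less model" here (the module names ietf-i2nsf-ike and ietf-i2nsf-ikeless can stay as they are where they are used as identifiers).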
| skipping to change at page 3, line 37 ¶ | skipping to change at page 3, line 37 ¶ | |||
| and fragmentating inner packets to fll out the IPsec outer tunnel | and fragmentating inner packets to fll out the IPsec outer tunnel | |||
| packet. Zero byte padding is used to fill the packet when no data is | packet. Zero byte padding is used to fill the packet when no data is | |||
| available to send. | available to send. | |||
| This document specifies an extensible configuration model for IP-TFS. | This document specifies an extensible configuration model for IP-TFS. | |||
| This version utilizes the capabilities of IP-TFS to configure fixed | This version utilizes the capabilities of IP-TFS to configure fixed | |||
| size IP-TFS Packets that are transmitted at a constant rate. This | size IP-TFS Packets that are transmitted at a constant rate. This | |||
| model is structured to allow for different types of operation through | model is structured to allow for different types of operation through | |||
| future augmentation. | future augmentation. | |||
| IP-TFS YANG augments IPsec YANG model from | IP-TFS YANG augments IPsec YANG model from [RFC9061]. IP-TFS makes | |||
| [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]. IP-TFS makes use of | use of IPsec tunnel mode and adds a small number configuration items | |||
| IPsec tunnel mode and adds a small number configuration items to | to tunnel mode IPsec. As defined in [I-D.ietf-ipsecme-iptfs], any SA | |||
| tunnel mode IPsec. As defined in [I-D.ietf-ipsecme-iptfs], any SA | ||||
| configured to use IP-TFS supports only IP-TFS packets i.e. no mixed | configured to use IP-TFS supports only IP-TFS packets i.e. no mixed | |||
| IPsec modes. | IPsec modes. | |||
| The behavior for IP-TFS is controlled by the source. The self- | The behavior for IP-TFS is controlled by the source. The self- | |||
| describing format of an IP-TFS packets allows a sending side to | describing format of an IP-TFS packets allows a sending side to | |||
| adjust the packet-size and timing independently from any receiver. | adjust the packet-size and timing independently from any receiver. | |||
| Both directions are also independent, e.g. IP-TFS may be run only in | Both directions are also independent, e.g. IP-TFS may be run only in | |||
| one direction. This means that counters, which are created here for | one direction. This means that counters, which are created here for | |||
| both directions may be 0 or not updated in the case of an SA that | both directions may be 0 or not updated in the case of an SA that | |||
| uses IP-TFS only in on direction. | uses IP-TFS only in on direction. | |||
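Review bot: several typos in this region are unchanged between -01 and -02 and should be picked up in the next revision: "fragmentating inner packets to fll out" should read "fragmenting inner packets to fill out"; "format of an IP-TFS packets" should be "format of an IP-TFS packet"; "adds a small number configuration items" is missing "of"; and "uses IP-TFS only in on direction" should be "in one direction". The last one matters for meaning, since the sentence is the one that explains why counters for one direction may stay at zero.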
| skipping to change at page 4, line 13 ¶ | skipping to change at page 4, line 13 ¶ | |||
| Cases where IP-TFS statistics are active for one direction: | Cases where IP-TFS statistics are active for one direction: | |||
| * SA one direction - IP-TFS enabled | * SA one direction - IP-TFS enabled | |||
| * SA both directions - IP-TFS only enabled in one direction | * SA both directions - IP-TFS only enabled in one direction | |||
| Case where IP-TFS statistics are for both directions: | Case where IP-TFS statistics are for both directions: | |||
| * SA both directions - IP-TFS enable for both directions | * SA both directions - IP-TFS enable for both directions | |||
| The data model uses following constructs for configuration and | The IP-TFS model support IP-TFS configuration and operational data. | |||
| management: | ||||
| o Configuration | ||||
| o Operational State | ||||
| This YANG module supports configuration of fixed size and fixed rate | This YANG module supports configuration of fixed size and fixed rate | |||
| packets, and elements that may be augmented to support future | packets, and elements that may be augmented to support future | |||
| configuration. The protocol specification [I-D.ietf-ipsecme-iptfs], | configuration. The protocol specification [I-D.ietf-ipsecme-iptfs], | |||
| goes beyond this simple fixed mode of operation by defining a general | goes beyond this simple fixed mode of operation by defining a general | |||
| format for any type of scheme. In this document the outer IPsec | format for any type of scheme. In this document the outer IPsec | |||
| packets can be sent with fixed or variable size (without padding). | packets can be sent with fixed or variable size (without padding). | |||
| The configuration allows the fixed packet size to be determined by | The configuration allows the fixed packet size to be determined by | |||
| the path MTU. The fixed packet size can also be configured if a | the path MTU. The fixed packet size can also be configured if a | |||
| value lower than the path MTU is desired. | value lower than the path MTU is desired. | |||
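Review bot: the sentence introduced in -02, "The IP-TFS model support IP-TFS configuration and operational data.", needs "supports"; in the same region the bullet "SA both directions - IP-TFS enable for both directions" should read "enabled", matching the wording of the two bullets above it.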
| skipping to change at page 5, line 5 ¶ | skipping to change at page 4, line 49 ¶ | |||
| if users wish to observe the effect no-fragmentation on their data | if users wish to observe the effect no-fragmentation on their data | |||
| flows. | flows. | |||
| The YANG operational data allows the readout of the configured | The YANG operational data allows the readout of the configured | |||
| parameters as well as the per SA statistics and error counters for | parameters as well as the per SA statistics and error counters for | |||
| IP-TFS. Per SA IPsec packet statistics are provided as a feature and | IP-TFS. Per SA IPsec packet statistics are provided as a feature and | |||
| per SA IP-TFS specific statistics as another feature. Both sets of | per SA IP-TFS specific statistics as another feature. Both sets of | |||
| statistics augment the IPsec YANG models with counters that allow | statistics augment the IPsec YANG models with counters that allow | |||
| observation of IP-TFS packet efficiency. | observation of IP-TFS packet efficiency. | |||
| Draft [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] has a mature set of | RFC [RFC9061] has a set of IPsec YANG management objects. IP-TFS | |||
| IPsec YANG management objects. | YANG augments the IKE and the IKELESS models. In these models the | |||
| Security Policy database entry and Security Association entry for an | ||||
| IP-TFS YANG augments: | IPsec Tunnel can be augmented with IP-TFS. | |||
| * Yang catalog entry for ietf-i2nsf-ike@2021-07-14.yang | ||||
| * Yang catalog entry for ietf-i2nsf-ikeless@20202-07-14.yang | ||||
| The Security Policy database entry and Security Association entry for | ||||
| an IPsec Tunnel can be augmented with IP-TFS. | ||||
| 3. YANG Management | 3. YANG Management | |||
| 3.1. YANG Tree | 3.1. YANG Tree | |||
| The following is the YANG tree diagram ([RFC8340]) for the IP-TFS | The following is the YANG tree diagram ([RFC8340]) for the IP-TFS | |||
| extensions. | extensions. | |||
| module: ietf-ipsecme-iptfs | module: ietf-ipsec-iptfs | |||
| augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd | augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd | |||
| /nsfike:spd-entry/nsfike:ipsec-policy-config | /nsfike:spd-entry/nsfike:ipsec-policy-config | |||
| /nsfike:processing-info/nsfike:ipsec-sa-cfg: | /nsfike:processing-info/nsfike:ipsec-sa-cfg: | |||
| +--rw traffic-flow-security | +--rw traffic-flow-security | |||
| +--rw congestion-control? boolean | +--rw congestion-control? boolean | |||
| +--rw packet-size | +--rw packet-size | |||
| | +--rw use-path-mtu-discovery? boolean | | +--rw use-path-mtu-discovery? boolean | |||
| | +--rw outer-packet-size? uint16 | | +--rw outer-packet-size? uint16 | |||
| +--rw (tunnel-rate)? | +--rw (tunnel-rate)? | |||
| | +--:(l2-fixed-rate) | | +--:(l2-fixed-rate) | |||
| | | +--rw l2-fixed-rate? uint64 | | | +--rw l2-fixed-rate? yang:counter64 | |||
| | +--:(l3-fixed-rate) | | +--:(l3-fixed-rate) | |||
| | +--rw l3-fixed-rate? uint64 | | +--rw l3-fixed-rate? yang:counter64 | |||
| +--rw dont-fragment? boolean | +--rw dont-fragment? boolean | |||
| +--rw max-aggregation-time? decimal64 | +--rw max-aggregation-time? decimal64 | |||
| augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info: | augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info: | |||
| +--ro traffic-flow-security | +--ro traffic-flow-security | |||
| +--ro congestion-control? boolean | +--ro congestion-control? boolean | |||
| +--ro packet-size | +--ro packet-size | |||
| | +--ro use-path-mtu-discovery? boolean | | +--ro use-path-mtu-discovery? boolean | |||
| | +--ro outer-packet-size? uint16 | | +--ro outer-packet-size? uint16 | |||
| +--ro (tunnel-rate)? | +--ro (tunnel-rate)? | |||
| | +--:(l2-fixed-rate) | | +--:(l2-fixed-rate) | |||
| | | +--ro l2-fixed-rate? uint64 | | | +--ro l2-fixed-rate? yang:counter64 | |||
| | +--:(l3-fixed-rate) | | +--:(l3-fixed-rate) | |||
| | +--ro l3-fixed-rate? uint64 | | +--ro l3-fixed-rate? yang:counter64 | |||
| +--ro dont-fragment? boolean | +--ro dont-fragment? boolean | |||
| +--ro max-aggregation-time? decimal64 | +--ro max-aggregation-time? decimal64 | |||
| augment /nsfikels:ipsec-ikeless/nsfikels:spd/nsfikels:spd-entry | augment /nsfikels:ipsec-ikeless/nsfikels:spd/nsfikels:spd-entry | |||
| /nsfikels:ipsec-policy-config/nsfikels:processing-info | /nsfikels:ipsec-policy-config/nsfikels:processing-info | |||
| /nsfikels:ipsec-sa-cfg: | /nsfikels:ipsec-sa-cfg: | |||
| +--rw traffic-flow-security | +--rw traffic-flow-security | |||
| +--rw congestion-control? boolean | +--rw congestion-control? boolean | |||
| +--rw packet-size | +--rw packet-size | |||
| | +--rw use-path-mtu-discovery? boolean | | +--rw use-path-mtu-discovery? boolean | |||
| | +--rw outer-packet-size? uint16 | | +--rw outer-packet-size? uint16 | |||
| +--rw (tunnel-rate)? | +--rw (tunnel-rate)? | |||
| | +--:(l2-fixed-rate) | | +--:(l2-fixed-rate) | |||
| | | +--rw l2-fixed-rate? uint64 | | | +--rw l2-fixed-rate? yang:counter64 | |||
| | +--:(l3-fixed-rate) | | +--:(l3-fixed-rate) | |||
| | +--rw l3-fixed-rate? uint64 | | +--rw l3-fixed-rate? yang:counter64 | |||
| +--rw dont-fragment? boolean | +--rw dont-fragment? boolean | |||
| +--rw max-aggregation-time? decimal64 | +--rw max-aggregation-time? decimal64 | |||
| augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry: | augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry: | |||
| +--ro traffic-flow-security | +--ro traffic-flow-security | |||
| +--ro congestion-control? boolean | +--ro congestion-control? boolean | |||
| +--ro packet-size | +--ro packet-size | |||
| | +--ro use-path-mtu-discovery? boolean | | +--ro use-path-mtu-discovery? boolean | |||
| | +--ro outer-packet-size? uint16 | | +--ro outer-packet-size? uint16 | |||
| +--ro (tunnel-rate)? | +--ro (tunnel-rate)? | |||
| | +--:(l2-fixed-rate) | | +--:(l2-fixed-rate) | |||
| | | +--ro l2-fixed-rate? uint64 | | | +--ro l2-fixed-rate? yang:counter64 | |||
| | +--:(l3-fixed-rate) | | +--:(l3-fixed-rate) | |||
| | +--ro l3-fixed-rate? uint64 | | +--ro l3-fixed-rate? yang:counter64 | |||
| +--ro dont-fragment? boolean | +--ro dont-fragment? boolean | |||
| +--ro max-aggregation-time? decimal64 | +--ro max-aggregation-time? decimal64 | |||
| augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info: | augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info: | |||
| +--ro ipsec-stats {ipsec-stats}? | +--ro ipsec-stats {ipsec-stats}? | |||
| | +--ro tx-pkts? uint64 | | +--ro tx-pkts? yang:counter64 | |||
| | +--ro tx-octets? uint64 | | +--ro tx-octets? yang:counter64 | |||
| | +--ro tx-drop-pkts? uint64 | | +--ro tx-drop-pkts? yang:counter64 | |||
| | +--ro rx-pkts? uint64 | | +--ro rx-pkts? yang:counter64 | |||
| | +--ro rx-octets? uint64 | | +--ro rx-octets? yang:counter64 | |||
| | +--ro rx-drop-pkts? uint64 | | +--ro rx-drop-pkts? yang:counter64 | |||
| +--ro iptfs-inner-pkt-stats {iptfs-stats}? | +--ro iptfs-inner-pkt-stats {iptfs-stats}? | |||
| | +--ro tx-pkts? uint64 | | +--ro tx-pkts? yang:counter64 | |||
| | +--ro tx-octets? uint64 | | +--ro tx-octets? yang:counter64 | |||
| | +--ro rx-pkts? uint64 | | +--ro rx-pkts? yang:counter64 | |||
| | +--ro rx-octets? uint64 | | +--ro rx-octets? yang:counter64 | |||
| | +--ro rx-incomplete-pkts? uint64 | | +--ro rx-incomplete-pkts? yang:counter64 | |||
| +--ro iptfs-outer-pkt-stats {iptfs-stats}? | +--ro iptfs-outer-pkt-stats {iptfs-stats}? | |||
| +--ro tx-all-pad-pkts? uint64 | +--ro tx-all-pad-pkts? yang:counter64 | |||
| +--ro tx-all-pad-octets? uint64 | +--ro tx-all-pad-octets? yang:counter64 | |||
| +--ro tx-extra-pad-pkts? uint64 | +--ro tx-extra-pad-pkts? yang:counter64 | |||
| +--ro tx-extra-pad-octets? uint64 | +--ro tx-extra-pad-octets? yang:counter64 | |||
| +--ro rx-all-pad-pkts? uint64 | +--ro rx-all-pad-pkts? yang:counter64 | |||
| +--ro rx-all-pad-octets? uint64 | +--ro rx-all-pad-octets? yang:counter64 | |||
| +--ro rx-extra-pad-pkts? uint64 | +--ro rx-extra-pad-pkts? yang:counter64 | |||
| +--ro rx-extra-pad-octets? uint64 | +--ro rx-extra-pad-octets? yang:counter64 | |||
| +--ro rx-errored-pkts? uint64 | +--ro rx-errored-pkts? yang:counter64 | |||
| +--ro rx-missed-pkts? uint64 | +--ro rx-missed-pkts? yang:counter64 | |||
| augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry: | augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry: | |||
| +--rw ipsec-stats {ipsec-stats}? | +--rw ipsec-stats {ipsec-stats}? | |||
| | +--ro tx-pkts? uint64 | | +--ro tx-pkts? yang:counter64 | |||
| | +--ro tx-octets? uint64 | | +--ro tx-octets? yang:counter64 | |||
| | +--ro tx-drop-pkts? uint64 | | +--ro tx-drop-pkts? yang:counter64 | |||
| | +--ro rx-pkts? uint64 | | +--ro rx-pkts? yang:counter64 | |||
| | +--ro rx-octets? uint64 | | +--ro rx-octets? yang:counter64 | |||
| | +--ro rx-drop-pkts? uint64 | | +--ro rx-drop-pkts? yang:counter64 | |||
| +--ro iptfs-inner-pkt-stats {iptfs-stats}? | +--ro iptfs-inner-pkt-stats {iptfs-stats}? | |||
| | +--ro tx-pkts? uint64 | | +--ro tx-pkts? yang:counter64 | |||
| | +--ro tx-octets? uint64 | | +--ro tx-octets? yang:counter64 | |||
| | +--ro rx-pkts? uint64 | | +--ro rx-pkts? yang:counter64 | |||
| | +--ro rx-octets? uint64 | | +--ro rx-octets? yang:counter64 | |||
| | +--ro rx-incomplete-pkts? uint64 | | +--ro rx-incomplete-pkts? yang:counter64 | |||
| +--ro iptfs-outer-pkt-stats {iptfs-stats}? | +--ro iptfs-outer-pkt-stats {iptfs-stats}? | |||
| +--ro tx-all-pad-pkts? uint64 | +--ro tx-all-pad-pkts? yang:counter64 | |||
| +--ro tx-all-pad-octets? uint64 | +--ro tx-all-pad-octets? yang:counter64 | |||
| +--ro tx-extra-pad-pkts? uint64 | +--ro tx-extra-pad-pkts? yang:counter64 | |||
| +--ro tx-extra-pad-octets? uint64 | +--ro tx-extra-pad-octets? yang:counter64 | |||
| +--ro rx-all-pad-pkts? uint64 | +--ro rx-all-pad-pkts? yang:counter64 | |||
| +--ro rx-all-pad-octets? uint64 | +--ro rx-all-pad-octets? yang:counter64 | |||
| +--ro rx-extra-pad-pkts? uint64 | +--ro rx-extra-pad-pkts? yang:counter64 | |||
| +--ro rx-extra-pad-octets? uint64 | +--ro rx-extra-pad-octets? yang:counter64 | |||
| +--ro rx-errored-pkts? uint64 | +--ro rx-errored-pkts? yang:counter64 | |||
| +--ro rx-missed-pkts? uint64 | +--ro rx-missed-pkts? yang:counter64 | |||
| 3.2. YANG Module | 3.2. YANG Module | |||
| The following is the YANG module for managing the IP-TFS extensions. | The following is the YANG module for managing the IP-TFS extensions. | |||
| The model contains references to [I-D.ietf-ipsecme-iptfs] and | ||||
| [RFC5348]. | ||||
| <CODE BEGINS> file "ietf-ipsecme-iptfs@2021-10-04.yang" | <CODE BEGINS> file "ietf-ipsec-iptfs@2021-10-25.yang" | |||
| module ietf-ipsecme-iptfs { | module ietf-ipsec-iptfs { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs"; | namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs"; | |||
| prefix iptfs; | prefix iptfs; | |||
| import ietf-i2nsf-ike { | import ietf-i2nsf-ike { | |||
| prefix nsfike; | prefix nsfike; | |||
| } | } | |||
| import ietf-i2nsf-ikeless { | import ietf-i2nsf-ikeless { | |||
| prefix nsfikels; | prefix nsfikels; | |||
| } | } | |||
| import ietf-yang-types { | ||||
| prefix yang; | ||||
| } | ||||
| organization | organization | |||
| "IETF IPSECME Working Group (IPSECME)"; | "IETF IPSECME Working Group (IPSECME)"; | |||
| contact | contact | |||
| "WG Web: <https://tools.ietf.org/wg/ipsecme/> | "WG Web: <https://tools.ietf.org/wg/ipsecme/> | |||
| WG List: <mailto:ipsecme@ietf.org> | WG List: <mailto:ipsecme@ietf.org> | |||
| Author: Don Fedyk | Author: Don Fedyk | |||
| <mailto:dfedyk@labn.net> | <mailto:dfedyk@labn.net> | |||
| Author: Christian Hopps | Author: Christian Hopps | |||
| <mailto:chopps@chopps.org>"; | <mailto:chopps@chopps.org>"; | |||
| // RFC Ed.: replace XXXX with actual RFC number and | // RFC Ed.: replace XXXX with actual RFC number and | |||
| // remove this note. | // remove this note. | |||
| description | description | |||
| "This module defines the configuration and operational state for | "This module defines the configuration and operational state for | |||
| managing the IP Traffic Flow Security functionality [RFC XXXX]. | managing the IP Traffic Flow Security functionality [RFC XXXX]. | |||
| Copyright (c) 2020 IETF Trust and the persons identified as | Copyright (c) 2021 IETF Trust and the persons identified as | |||
| authors of the code. All rights reserved. | authors of the code. All rights reserved. | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject to | without modification, is permitted pursuant to, and subject to | |||
| the license terms contained in, the Simplified BSD License set | the license terms contained in, the Simplified BSD License set | |||
| forth in Section 4.c of the IETF Trust's Legal Provisions | forth in Section 4.c of the IETF Trust's Legal Provisions | |||
| Relating to IETF Documents | Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC XXXX | This version of this YANG module is part of RFC XXXX | |||
| (https://tools.ietf.org/html/rfcXXXX); see the RFC itself for | (https://tools.ietf.org/html/rfcXXXX); see the RFC itself for | |||
| full legal notices."; | full legal notices."; | |||
| revision 2021-10-04 { | revision 2021-10-25 { | |||
| description | description | |||
| "Initial Revision"; | "Initial Revision"; | |||
| reference | reference | |||
| "RFC XXXX: IP Traffic Flow Security YANG Module"; | "RFC XXXX: IP Traffic Flow Security YANG Module"; | |||
| } | } | |||
| feature ipsec-stats { | feature ipsec-stats { | |||
| description | description | |||
| "This feature indicates the device supports | "This feature indicates the device supports | |||
| per SA IPsec statistics"; | per SA IPsec statistics"; | |||
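Review bot: retyping l2-fixed-rate and l3-fixed-rate from uint64 to yang:counter64 in the config (rw) augments of the tree diagram looks wrong: counter64 in RFC 6991 denotes a non-negative integer that monotonically increases and wraps, which is the right type for the config-false statistics leaves but not for a configured transmit rate, so these two leaves should stay uint64 (ideally with a units statement) while the stats leaves keep the new counter64 type. Two smaller points in the same region: in the augment of /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry the container shows as "+--rw ipsec-stats" although every leaf under it is ro and the IKE counterpart is ro, so the container should carry "config false" to match; and the revision reference string "RFC XXXX: IP Traffic Flow Security YANG Module" still uses the old draft title even though this revision retitles the document "A YANG Data Model for IP Traffic Flow Security". Prose nits: "RFC [RFC9061] has a set of IPsec YANG management objects" reads better as "[RFC9061] defines a set of ...", and "the effect no-fragmentation" is missing "of".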
| skipping to change at page 9, line 11 ¶ | skipping to change at page 9, line 4 ¶ | |||
| feature iptfs-stats { | feature iptfs-stats { | |||
| description | description | |||
| "This feature indicates the device supports | "This feature indicates the device supports | |||
| per SA IP Traffic Flow Security statistics"; | per SA IP Traffic Flow Security statistics"; | |||
| } | } | |||
| /*--------------------*/ | /*--------------------*/ | |||
| /* groupings */ | /* groupings */ | |||
| /*--------------------*/ | /*--------------------*/ | |||
| grouping ipsec-tx-stat-grouping { | grouping ipsec-tx-stat-grouping { | |||
| description | description | |||
| "IPsec outbound statistics"; | "IPsec outbound statistics"; | |||
| leaf tx-pkts { | leaf tx-pkts { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Outbound Packet count"; | "Outbound Packet count"; | |||
| } | } | |||
| leaf tx-octets { | leaf tx-octets { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Outbound Packet bytes"; | "Outbound Packet bytes"; | |||
| } | } | |||
| leaf tx-drop-pkts { | leaf tx-drop-pkts { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Outbound dropped packets count"; | "Outbound dropped packets count"; | |||
| } | } | |||
| } | } | |||
| grouping ipsec-rx-stat-grouping { | grouping ipsec-rx-stat-grouping { | |||
| description | description | |||
| "IPsec inbound statistics"; | "IPsec inbound statistics"; | |||
| leaf rx-pkts { | leaf rx-pkts { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Inbound Packet count"; | "Inbound Packet count"; | |||
| } | } | |||
| leaf rx-octets { | leaf rx-octets { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Inbound Packet bytes"; | "Inbound Packet bytes"; | |||
| } | } | |||
| leaf rx-drop-pkts { | leaf rx-drop-pkts { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Inbound dropped packets count"; | "Inbound dropped packets count"; | |||
| } | } | |||
| } | } | |||
| grouping iptfs-inner-tx-stat-grouping { | grouping iptfs-inner-tx-stat-grouping { | |||
| description | description | |||
| "IP-TFS outbound inner packet statistics"; | "IP-TFS outbound inner packet statistics"; | |||
| leaf tx-pkts { | leaf tx-pkts { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS inner packets sent. This | "Total number of IP-TFS inner packets sent. This | |||
| count is whole packets only. A fragmented packet | count is whole packets only. A fragmented packet | |||
| counts as one packet"; | counts as one packet"; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs"; | |||
| } | } | |||
| leaf tx-octets { | leaf tx-octets { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS inner octets sent. This is | "Total number of IP-TFS inner octets sent. This is | |||
| inner packet octets only. Does not count padding."; | inner packet octets only. Does not count padding."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs"; | |||
| } | } | |||
| } | } | |||
| grouping iptfs-outer-tx-stat-grouping { | grouping iptfs-outer-tx-stat-grouping { | |||
| description | description | |||
| "IP-TFS outbound inner packet statistics"; | "IP-TFS outbound inner packet statistics"; | |||
| leaf tx-all-pad-pkts { | leaf tx-all-pad-pkts { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of transmitted IP-TFS packets that | "Total number of transmitted IP-TFS packets that | |||
| were all padding with no inner packet data."; | were all padding with no inner packet data."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.3"; | "draft-ietf-ipsecme-iptfs section 2.2.3"; | |||
| } | } | |||
| leaf tx-all-pad-octets { | leaf tx-all-pad-octets { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number transmitted octets of padding added to | "Total number transmitted octets of padding added to | |||
| IP-TFS packets with no inner packet data."; | IP-TFS packets with no inner packet data."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.3"; | "draft-ietf-ipsecme-iptfs section 2.2.3"; | |||
| } | } | |||
| leaf tx-extra-pad-pkts { | leaf tx-extra-pad-pkts { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of transmitted outer IP-TFS packets | "Total number of transmitted outer IP-TFS packets | |||
| that included some padding."; | that included some padding."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | |||
| } | } | |||
| leaf tx-extra-pad-octets { | leaf tx-extra-pad-octets { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of transmitted octets of padding added | "Total number of transmitted octets of padding added | |||
| to outer IP-TFS packets with data."; | to outer IP-TFS packets with data."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | |||
| } | } | |||
| } | } | |||
| grouping iptfs-inner-rx-stat-grouping { | grouping iptfs-inner-rx-stat-grouping { | |||
| description | description | |||
| "IP-TFS inner packet inbound statistics"; | "IP-TFS inner packet inbound statistics"; | |||
| leaf rx-pkts { | leaf rx-pkts { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS inner packets received."; | "Total number of IP-TFS inner packets received."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2"; | "draft-ietf-ipsecme-iptfs section 2.2"; | |||
| } | } | |||
| leaf rx-octets { | leaf rx-octets { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS inner octets received. Does | "Total number of IP-TFS inner octets received. Does | |||
| not include padding or overhead"; | not include padding or overhead"; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2"; | "draft-ietf-ipsecme-iptfs section 2.2"; | |||
| } | } | |||
| leaf rx-incomplete-pkts { | leaf rx-incomplete-pkts { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS inner packets that were | "Total number of IP-TFS inner packets that were | |||
| incomplete. Usually this is due to fragments not | incomplete. Usually this is due to fragments not | |||
| received. Also, this may be due to misordering or | received. Also, this may be due to misordering or | |||
| errors in received outer packets."; | errors in received outer packets."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs"; | |||
| } | } | |||
| } | } | |||
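
Review bot: the switch from uint64 to yang:counter64 on these `config false` statistics leaves (tx-extra-pad-octets, rx-pkts, rx-octets, rx-incomplete-pkts) is the right type for monotonically increasing counters, but it only compiles if the module imports ietf-yang-types with prefix `yang`; that import is outside this hunk, so confirm it is present. Two documentation nits in the same hunk: the rx-incomplete-pkts reference is just "draft-ietf-ipsecme-iptfs" with no section number, unlike every other leaf, and the rx-octets description "Does not include padding or overhead" lacks its closing period.
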
| skipping to change at page 12, line 11 ¶ | skipping to change at page 12, line 4 ¶ | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS inner packets that were | "Total number of IP-TFS inner packets that were | |||
| incomplete. Usually this is due to fragments not | incomplete. Usually this is due to fragments not | |||
| received. Also, this may be due to misordering or | received. Also, this may be due to misordering or | |||
| errors in received outer packets."; | errors in received outer packets."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs"; | |||
| } | } | |||
| } | } | |||
| grouping iptfs-outer-rx-stat-grouping { | grouping iptfs-outer-rx-stat-grouping { | |||
| description | description | |||
| "IP-TFS outer packet inbound statistics"; | "IP-TFS outer packet inbound statistics"; | |||
| leaf rx-all-pad-pkts { | leaf rx-all-pad-pkts { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of received IP-TFS packets that were | "Total number of received IP-TFS packets that were | |||
| all padding with no inner packet data."; | all padding with no inner packet data."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.3"; | "draft-ietf-ipsecme-iptfs section 2.2.3"; | |||
| } | } | |||
| leaf rx-all-pad-octets { | leaf rx-all-pad-octets { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number received octets of padding added to | "Total number received octets of padding added to | |||
| IP-TFS packets with no inner packet data."; | IP-TFS packets with no inner packet data."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.3"; | "draft-ietf-ipsecme-iptfs section 2.2.3"; | |||
| } | } | |||
| leaf rx-extra-pad-pkts { | leaf rx-extra-pad-pkts { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of received outer IP-TFS packets that | "Total number of received outer IP-TFS packets that | |||
| included some padding."; | included some padding."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | |||
| } | } | |||
| leaf rx-extra-pad-octets { | leaf rx-extra-pad-octets { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of received octets of padding added to | "Total number of received octets of padding added to | |||
| outer IP-TFS packets with data."; | outer IP-TFS packets with data."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | "draft-ietf-ipsecme-iptfs section 2.2.3.1"; | |||
| } | } | |||
| leaf rx-errored-pkts { | leaf rx-errored-pkts { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS outer packets dropped due to | "Total number of IP-TFS outer packets dropped due to | |||
| errors."; | errors."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs"; | |||
| } | } | |||
| leaf rx-missed-pkts { | leaf rx-missed-pkts { | |||
| type uint64; | type yang:counter64; | |||
| config false; | config false; | |||
| description | description | |||
| "Total number of IP-TFS outer packets missing | "Total number of IP-TFS outer packets missing | |||
| indicated by missing sequence number."; | indicated by missing sequence number."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs"; | "draft-ietf-ipsecme-iptfs"; | |||
| } | } | |||
| } | } | |||
| grouping iptfs-config { | grouping iptfs-config { | |||
| description | description | |||
| "This is the grouping for iptfs configuration"; | "This is the grouping for iptfs configuration"; | |||
| container traffic-flow-security { | container traffic-flow-security { | |||
| // config true; want this so we can refine? | ||||
| description | description | |||
| "Configure the IPSec TFS in Security | "Configure the IPSec TFS in Security | |||
| Association Database (SAD)"; | Association Database (SAD)"; | |||
| leaf congestion-control { | leaf congestion-control { | |||
| type boolean; | type boolean; | |||
| default "true"; | default "true"; | |||
| description | description | |||
| "Congestion Control With the congestion controlled | "When set to true, the default, this enables the | |||
| mode, IP-TFS adapts to network congestion by | congestion control on-the-wire exchange of data that | |||
| lowering the packet send rate to accommodate the | is required by congestion control algorithms as | |||
| congestion, as well as raising the rate when | defined by RFC 5348. When set to false, IP-TFS | |||
| congestion subsides."; | sends fixed-sized packets over an IP-TFS tunnel | |||
| at a constant rate."; | ||||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.5.2"; | "draft-ietf-ipsecme-iptfs section 2.5.2, RFC 5348"; | |||
| } | } | |||
| container packet-size { | container packet-size { | |||
| description | description | |||
| "Packet size is either auto-discovered or manually | "Packet size is either auto-discovered or manually | |||
| configured."; | configured."; | |||
| leaf use-path-mtu-discovery { | leaf use-path-mtu-discovery { | |||
| type boolean; | type boolean; | |||
| default "true"; | default "true"; | |||
| description | description | |||
| "Utilize path mtu discovery to determine maximum IP-TFS | "Utilize path mtu discovery to determine maximum IP-TFS | |||
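
Review bot: the new congestion-control description, "enables the congestion control on-the-wire exchange of data that is required by congestion control algorithms as defined by RFC 5348", is hard to parse; suggest "enables the on-the-wire exchange of the congestion-control data (RFC 5348) that IP-TFS needs to adapt its send rate". It would also help to say explicitly that with false the configured fixed rate is used regardless of network conditions, since that is what an operator accepts when disabling it. Minor: the container description spells it "IPSec"; RFC 4301 uses "IPsec". Dropping the stray `// config true; want this so we can refine?` comment is right, the container is config by default.
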
| skipping to change at page 14, line 24 ¶ | skipping to change at page 14, line 16 ¶ | |||
| the IP packet containing the ESP payload)."; | the IP packet containing the ESP payload)."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 4.2"; | "draft-ietf-ipsecme-iptfs section 4.2"; | |||
| } | } | |||
| } | } | |||
| choice tunnel-rate { | choice tunnel-rate { | |||
| description | description | |||
| "TFS bit rate may be specified at layer 2 wire | "TFS bit rate may be specified at layer 2 wire | |||
| rate or layer 3 packet rate"; | rate or layer 3 packet rate"; | |||
| leaf l2-fixed-rate { | leaf l2-fixed-rate { | |||
| type uint64; | type yang:counter64; | |||
| description | description | |||
| "Target bandwidth/bit rate in bps for iptfs tunnel. This | "Target bandwidth/bit rate in bps for iptfs tunnel. This | |||
| fixed rate is the nominal timing for the fixed size packet. | fixed rate is the nominal timing for the fixed size packet. | |||
| If congestion control is enabled the rate may be adjusted | If congestion control is enabled the rate may be adjusted | |||
| down (or up if unset)."; | down (or up if unset)."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 4.1"; | "draft-ietf-ipsecme-iptfs section 4.1"; | |||
| } | } | |||
| leaf l3-fixed-rate { | leaf l3-fixed-rate { | |||
| type uint64; | type yang:counter64; | |||
| description | description | |||
| "Target bandwidth/bit rate in bps for iptfs tunnel. This | "Target bandwidth/bit rate in bps for iptfs tunnel. This | |||
| fixed rate is the nominal timing for the fixed size packet. | fixed rate is the nominal timing for the fixed size packet. | |||
| If congestion control is enabled the rate may be adjusted | If congestion control is enabled the rate may be adjusted | |||
| down (or up if unset)."; | down (or up if unset)."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 4.1"; | "draft-ietf-ipsecme-iptfs section 4.1"; | |||
| } | } | |||
| } | } | |||
| leaf dont-fragment { | leaf dont-fragment { | |||
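
Review bot: changing l2-fixed-rate and l3-fixed-rate from uint64 to yang:counter64 is a type error: these are configuration leaves under choice tunnel-rate (no `config false`), and RFC 6991 defines counter64 as a monotonically increasing counter that should not be used for configuration schema nodes, so a client writing a target bit rate would be writing a counter. Keep uint64 (or a dedicated rate type) and add `units "bps";` since the description already says the value is in bps. Separately, the two leaves carry identical descriptions even though the choice text says one is a layer 2 wire rate and the other a layer 3 packet rate; state the difference in each description.
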
| skipping to change at page 18, line 26 ¶ | skipping to change at page 18, line 18 ¶ | |||
| 4. IANA Considerations | 4. IANA Considerations | |||
| 4.1. Updates to the IETF XML Registry | 4.1. Updates to the IETF XML Registry | |||
| This document registers a URI in the "IETF XML Registry" [RFC3688]. | This document registers a URI in the "IETF XML Registry" [RFC3688]. | |||
| Following the format in [RFC3688], the following registration has | Following the format in [RFC3688], the following registration has | |||
| been made: | been made: | |||
| URI: | URI: | |||
| urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs | urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs | |||
| Registrant Contact: | Registrant Contact: | |||
| The IESG. | The IESG. | |||
| XML: | XML: | |||
| N/A; the requested URI is an XML namespace. | N/A; the requested URI is an XML namespace. | |||
| 4.2. Updates to the YANG Module Names Registry | 4.2. Updates to the YANG Module Names Registry | |||
| This document registers one YANG module in the "YANG Module Names" | This document registers one YANG module in the "YANG Module Names" | |||
| registry [RFC6020]. Following the format in [RFC6020], the following | registry [RFC6020]. Following the format in [RFC6020], the following | |||
| registration has been made: | registration has been made: | |||
| name: | name: | |||
| ietf-ipsecme-iptfs | ietf-ipsec-iptfs | |||
| namespace: | namespace: | |||
| urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs | urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs | |||
| prefix: | prefix: | |||
| iptfs | iptfs | |||
| reference: | reference: | |||
| RFC XXXX (RFC Ed.: replace XXXX with actual RFC number and remove | RFC XXXX (RFC Ed.: replace XXXX with actual RFC number and remove | |||
| this note.) | this note.) | |||
| 5. Security Considerations | 5. Security Considerations | |||
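
Review bot: the rename from ietf-ipsecme-iptfs to ietf-ipsec-iptfs in both the XML registry URI and the YANG Module Names entry must be matched by the module's own module name and `namespace`/`prefix` statements; those are not in this diff, so check them, because a mismatch between the IANA registration and the module header is a common reason for a registration to be bounced.
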
| skipping to change at page 19, line 27 ¶ | skipping to change at page 19, line 27 ¶ | |||
| RESTCONF users to a preconfigured subset of all available NETCONF or | RESTCONF users to a preconfigured subset of all available NETCONF or | |||
| RESTCONF protocol operations and content. | RESTCONF protocol operations and content. | |||
| The YANG module defined in this document can enable, disable and | The YANG module defined in this document can enable, disable and | |||
| modify the behavior of IP traffic flow security, for the implications | modify the behavior of IP traffic flow security, for the implications | |||
| regarding these types of changes consult the [I-D.ietf-ipsecme-iptfs] | regarding these types of changes consult the [I-D.ietf-ipsecme-iptfs] | |||
| which defines the functionality. | which defines the functionality. | |||
| 6. Acknowledgements | 6. Acknowledgements | |||
| The authors would like to thank Eric Kinzie for his feedback on the | The authors would like to thank Eric Kinzie and Juergen Schoenwaelder | |||
| YANG model. | for their feedback and review on the YANG model. | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] | ||||
| Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez- | ||||
| Garcia, "A YANG Data Model for IPsec Flow Protection Based | ||||
| on Software-Defined Networking (SDN)", Work in Progress, | ||||
| Internet-Draft, draft-ietf-i2nsf-sdn-ipsec-flow- | ||||
| protection-14, 25 March 2021, | ||||
| <https://www.ietf.org/archive/id/draft-ietf-i2nsf-sdn- | ||||
| ipsec-flow-protection-14.txt>. | ||||
| [I-D.ietf-ipsecme-iptfs] | [I-D.ietf-ipsecme-iptfs] | |||
| Hopps, C., "IP-TFS: Aggregation and Fragmentation Mode for | Hopps, C., "IP-TFS: Aggregation and Fragmentation Mode for | |||
| ESP and its Use for IP Traffic Flow Security", Work in | ESP and its Use for IP Traffic Flow Security", Work in | |||
| Progress, Internet-Draft, draft-ietf-ipsecme-iptfs-10, 3 | Progress, Internet-Draft, draft-ietf-ipsecme-iptfs-11, 24 | |||
| September 2021, <https://www.ietf.org/archive/id/draft- | October 2021, <https://www.ietf.org/archive/id/draft-ietf- | |||
| ietf-ipsecme-iptfs-10.txt>. | ipsecme-iptfs-11.txt>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | |||
| Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, | Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, | |||
| December 2005, <https://www.rfc-editor.org/info/rfc4301>. | December 2005, <https://www.rfc-editor.org/info/rfc4301>. | |||
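
Review bot: the Security Considerations sentence "The YANG module defined in this document can enable, disable and modify the behavior of IP traffic flow security, for the implications ..." is a comma splice and, more importantly, does not do what the RFC 8407 template asks: list the writable subtrees that are sensitive (here congestion-control, tunnel-rate, packet-size and dont-fragment, noting that writing congestion-control false or a large fixed rate commits the tunnel to a constant send rate) and the readable subtrees of concern (the padding and inner-packet counters, which separate padding from real data and so reveal the actual load the tunnel is hiding on the wire). Suggest splitting the sentence: "... IP traffic flow security. For the implications of such changes, consult [I-D.ietf-ipsecme-iptfs], which defines the functionality."
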
| skipping to change at page 20, line 32 ¶ | skipping to change at page 20, line 23 ¶ | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | |||
| and R. Wilton, "Network Management Datastore Architecture | and R. Wilton, "Network Management Datastore Architecture | |||
| (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | |||
| <https://www.rfc-editor.org/info/rfc8342>. | <https://www.rfc-editor.org/info/rfc8342>. | |||
| [RFC9061] Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez- | ||||
| Garcia, "A YANG Data Model for IPsec Flow Protection Based | ||||
| on Software-Defined Networking (SDN)", RFC 9061, | ||||
| DOI 10.17487/RFC9061, July 2021, | ||||
| <https://www.rfc-editor.org/info/rfc9061>. | ||||
| 7.2. Informative References | 7.2. Informative References | |||
| [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
| DOI 10.17487/RFC3688, January 2004, | DOI 10.17487/RFC3688, January 2004, | |||
| <https://www.rfc-editor.org/info/rfc3688>. | <https://www.rfc-editor.org/info/rfc3688>. | |||
| [RFC5348] Floyd, S., Handley, M., Padhye, J., and J. Widmer, "TCP | ||||
| Friendly Rate Control (TFRC): Protocol Specification", | ||||
| RFC 5348, DOI 10.17487/RFC5348, September 2008, | ||||
| <https://www.rfc-editor.org/info/rfc5348>. | ||||
| [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | |||
| and A. Bierman, Ed., "Network Configuration Protocol | and A. Bierman, Ed., "Network Configuration Protocol | |||
| (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | |||
| <https://www.rfc-editor.org/info/rfc6241>. | <https://www.rfc-editor.org/info/rfc6241>. | |||
| [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure | [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure | |||
| Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, | Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, | |||
| <https://www.rfc-editor.org/info/rfc6242>. | <https://www.rfc-editor.org/info/rfc6242>. | |||
| [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | |||
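
Review bot: RFC 5348 is added under Informative References, but the congestion-control leaf earlier in this diff cites it in its `reference` statement and describes the behaviour "as defined by RFC 5348"; if the leaf's semantics depend on it, it belongs under Normative References, otherwise soften the description to "see also RFC 5348". Replacing [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] with [RFC9061] is correct now that the draft has been published.
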
| skipping to change at page 22, line 7 ¶ | skipping to change at page 22, line 7 ¶ | |||
| A.1. Example XML Configuration | A.1. Example XML Configuration | |||
| This example illustrates configuration for IP-TFS in the ikeless | This example illustrates configuration for IP-TFS in the ikeless | |||
| case. Note that since this augments the ipsec ikeless schema only | case. Note that since this augments the ipsec ikeless schema only | |||
| minimal ikeless configuration to satisfy the schema has been | minimal ikeless configuration to satisfy the schema has been | |||
| populated. | populated. | |||
| <i:ipsec-ikeless | <i:ipsec-ikeless | |||
| xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" | xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" | |||
| xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs"> | xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs"> | |||
| <i:spd> | <i:spd> | |||
| <i:spd-entry> | <i:spd-entry> | |||
| <i:name>protect-policy-1</i:name> | <i:name>protect-policy-1</i:name> | |||
| <i:direction>outbound</i:direction> | <i:direction>outbound</i:direction> | |||
| <i:ipsec-policy-config> | <i:ipsec-policy-config> | |||
| <i:traffic-selector> | <i:traffic-selector> | |||
| <i:local-prefix>1.1.1.1/32</i:local-prefix> | <i:local-prefix>192.0.2.0/16</i:local-prefix> | |||
| <i:remote-prefix>2.2.2.2/32</i:remote-prefix> | <i:remote-prefix>198.51.100.0/16</i:remote-prefix> | |||
| </i:traffic-selector> | </i:traffic-selector> | |||
| <i:processing-info> | <i:processing-info> | |||
| <i:action>protect</i:action> | <i:action>protect</i:action> | |||
| <i:ipsec-sa-cfg> | <i:ipsec-sa-cfg> | |||
| <tfs:traffic-flow-security> | <tfs:traffic-flow-security> | |||
| <tfs:congestion-control>true</tfs:congestion-control> | <tfs:congestion-control>true</tfs:congestion-control> | |||
| <tfs:packet-size> | <tfs:packet-size> | |||
| <tfs:use-path-mtu-discovery | <tfs:use-path-mtu-discovery | |||
| >true</tfs:use-path-mtu-discovery> | >true</tfs:use-path-mtu-discovery> | |||
| </tfs:packet-size> | </tfs:packet-size> | |||
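
Review bot: the new traffic-selector prefixes 192.0.2.0/16 and 198.51.100.0/16 use the RFC 5737 documentation addresses with the wrong length; those blocks are /24s, so a /16 selects tens of thousands of addresses outside the documentation range (192.0.0.0/16 also contains the IETF Protocol Assignments block 192.0.0.0/24, for instance). Use 192.0.2.0/24 and 198.51.100.0/24.
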
| skipping to change at page 23, line 7 ¶ | skipping to change at page 23, line 7 ¶ | |||
| A.2. Example XML Operational Data | A.2. Example XML Operational Data | |||
| This example illustrates operational data for IP-TFS in the ikeless | This example illustrates operational data for IP-TFS in the ikeless | |||
| case. Note that since this augments the ipsec ikeless schema only | case. Note that since this augments the ipsec ikeless schema only | |||
| minimal ikeless configuration to satisfy the schema has been | minimal ikeless configuration to satisfy the schema has been | |||
| populated. | populated. | |||
| <i:ipsec-ikeless | <i:ipsec-ikeless | |||
| xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" | xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" | |||
| xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs"> | xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs"> | |||
| <i:sad> | <i:sad> | |||
| <i:sad-entry> | <i:sad-entry> | |||
| <i:name>sad-1</i:name> | <i:name>sad-1</i:name> | |||
| <i:ipsec-sa-config> | <i:ipsec-sa-config> | |||
| <i:spi>1</i:spi> | <i:spi>1</i:spi> | |||
| <i:traffic-selector> | <i:traffic-selector> | |||
| <i:local-prefix>1.1.1.1/32</i:local-prefix> | <i:local-prefix>2001:DB8::0/16</i:local-prefix> | |||
| <i:remote-prefix>2.2.2.2/32</i:remote-prefix> | <i:remote-prefix>2001:DB8::1:0/16</i:remote-prefix> | |||
| </i:traffic-selector> | </i:traffic-selector> | |||
| </i:ipsec-sa-config> | </i:ipsec-sa-config> | |||
| <tfs:traffic-flow-security> | <tfs:traffic-flow-security> | |||
| <tfs:congestion-control>true</tfs:congestion-control> | <tfs:congestion-control>true</tfs:congestion-control> | |||
| <tfs:packet-size> | <tfs:packet-size> | |||
| <tfs:use-path-mtu-discovery>true</tfs:use-path-mtu-discovery> | <tfs:use-path-mtu-discovery>true</tfs:use-path-mtu-discovery> | |||
| </tfs:packet-size> | </tfs:packet-size> | |||
| <tfs:l2-fixed-rate>1000000000</tfs:l2-fixed-rate> | <tfs:l2-fixed-rate>1000000000</tfs:l2-fixed-rate> | |||
| <tfs:max-aggregation-time>0.100</tfs::max-aggregation-time> | <tfs:max-aggregation-time>0.100</tfs::max-aggregation-time> | |||
| </tfs:traffic-flow-security> | </tfs:traffic-flow-security> | |||
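
Review bot: the closing tag `</tfs::max-aggregation-time>` (double colon) is present in both columns and makes the example not well-formed XML, because the end tag does not match `<tfs:max-aggregation-time>`; change it to `</tfs:max-aggregation-time>`. The new IPv6 selectors have the same length problem as the IPv4 ones: the RFC 3849 documentation prefix is 2001:db8::/32, so `2001:DB8::0/16` and `2001:DB8::1:0/16` both reduce to 2001::/16, which makes local and remote identical and covers non-documentation space; use something like 2001:db8::/48 and 2001:db8:1::/48.
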
| skipping to change at page 24, line 13 ¶ | skipping to change at page 24, line 13 ¶ | |||
| }, | }, | |||
| "remote": { | "remote": { | |||
| "remote-pad-entry-name": "remote-1" | "remote-pad-entry-name": "remote-1" | |||
| }, | }, | |||
| "ietf-i2nsf-ike:spd": { | "ietf-i2nsf-ike:spd": { | |||
| "spd-entry": [ | "spd-entry": [ | |||
| { | { | |||
| "name": "protect-policy-1", | "name": "protect-policy-1", | |||
| "ipsec-policy-config": { | "ipsec-policy-config": { | |||
| "traffic-selector": { | "traffic-selector": { | |||
| "local-prefix": "1.1.1.1/32", | "local-prefix": "192.0.2.0/16", | |||
| "remote-prefix": "2.2.2.2/32" | "remote-prefix": "198.51.100.0/16" | |||
| }, | }, | |||
| "processing-info": { | "processing-info": { | |||
| "action": "protect", | "action": "protect", | |||
| "ipsec-sa-cfg": { | "ipsec-sa-cfg": { | |||
| "ietf-ipsecme-iptfs:traffic-flow-security": { | "ietf-ipsec-iptfs:traffic-flow-security": { | |||
| "congestion-control": "true", | "congestion-control": "true", | |||
| "l2-fixed-rate": 1000000000, | "l2-fixed-rate": 1000000000, | |||
| "packet-size": { | "packet-size": { | |||
| "use-path-mtu-discovery": "true" | "use-path-mtu-discovery": "true" | |||
| }, | }, | |||
| "max-aggregation-time": "0.1" | "max-aggregation-time": "0.1" | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
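
Review bot: the JSON encoding of the YANG values does not follow RFC 7951: `"congestion-control": "true"` and `"use-path-mtu-discovery": "true"` are boolean leaves and must be the JSON literals `true`/`false`, not strings, while `"l2-fixed-rate": 1000000000` is a 64-bit integer and must be a JSON string (`"1000000000"`), as the counter values in the operational example already are. The prefixes also inherit the /16 issue noted for the XML example.
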
| skipping to change at page 25, line 24 ¶ | skipping to change at page 25, line 24 ¶ | |||
| "key-length": 128 | "key-length": 128 | |||
| } | } | |||
| ], | ], | |||
| "local": { | "local": { | |||
| "local-pad-entry-name": "local-1" | "local-pad-entry-name": "local-1" | |||
| }, | }, | |||
| "remote": { | "remote": { | |||
| "remote-pad-entry-name": "remote-1" | "remote-pad-entry-name": "remote-1" | |||
| }, | }, | |||
| "ietf-i2nsf-ike:child-sa-info": { | "ietf-i2nsf-ike:child-sa-info": { | |||
| "ietf-ipsecme-iptfs:traffic-flow-security": { | "ietf-ipsec-iptfs:traffic-flow-security": { | |||
| "congestion-control": "true", | "congestion-control": "true", | |||
| "l2-fixed-rate": 1000000000, | "l2-fixed-rate": 1000000000, | |||
| "packet-size": { | "packet-size": { | |||
| "use-path-mtu-discovery": "true" | "use-path-mtu-discovery": "true" | |||
| }, | }, | |||
| "max-aggregation-time": "0.1" | "max-aggregation-time": "0.1" | |||
| } | } | |||
| } | } | |||
| } | } | |||
| ] | ] | |||
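
Review bot: the same RFC 7951 issue applies in child-sa-info: the two `"true"` strings should be bare booleans and the l2-fixed-rate number should be a quoted string. Beyond that the hunk only carries the module-name rename, which is consistent with the XML example.
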
| skipping to change at page 26, line 6 ¶ | skipping to change at page 26, line 6 ¶ | |||
| { | { | |||
| "ietf-i2nsf-ikeless:ipsec-ikeless": { | "ietf-i2nsf-ikeless:ipsec-ikeless": { | |||
| "sad": { | "sad": { | |||
| "sad-entry": [ | "sad-entry": [ | |||
| { | { | |||
| "name": "sad-1", | "name": "sad-1", | |||
| "ipsec-sa-config": { | "ipsec-sa-config": { | |||
| "spi": 1, | "spi": 1, | |||
| "traffic-selector": { | "traffic-selector": { | |||
| "local-prefix": "1.1.1.1/32", | "local-prefix": "192.0.2.1/16", | |||
| "remote-prefix": "2.2.2.2/32" | "remote-prefix": "198.51.100.0/16" | |||
| } | } | |||
| }, | }, | |||
| "ietf-ipsecme-iptfs:ipsec-stats": { | "ietf-ipsec-iptfs:ipsec-stats": { | |||
| "tx-pkts": "300", | "tx-pkts": "300", | |||
| "tx-octets": "80000", | "tx-octets": "80000", | |||
| "tx-drop-pkts": "2", | "tx-drop-pkts": "2", | |||
| "rx-pkts": "0", | "rx-pkts": "0", | |||
| "rx-octets": "0", | "rx-octets": "0", | |||
| "rx-drop-pkts": "0" | "rx-drop-pkts": "0" | |||
| }, | }, | |||
| "ietf-ipsecme-iptfs:iptfs-inner-pkt-stats": { | "ietf-ipsec-iptfs:iptfs-inner-pkt-stats": { | |||
| "tx-pkts": "250", | "tx-pkts": "250", | |||
| "tx-octets": "75000", | "tx-octets": "75000", | |||
| "rx-pkts": "0", | "rx-pkts": "0", | |||
| "rx-octets": "0", | "rx-octets": "0", | |||
| "rx-incomplete-pkts": "0" | "rx-incomplete-pkts": "0" | |||
| }, | }, | |||
| "ietf-ipsecme-iptfs:iptfs-outer-pkt-stats": { | "ietf-ipsec-iptfs:iptfs-outer-pkt-stats": { | |||
| "tx-all-pad-pkts": "40", | "tx-all-pad-pkts": "40", | |||
| "tx-all-pad-octets": "40000", | "tx-all-pad-octets": "40000", | |||
| "tx-extra-pad-pkts": "200", | "tx-extra-pad-pkts": "200", | |||
| "tx-extra-pad-octets": "30000", | "tx-extra-pad-octets": "30000", | |||
| "rx-all-pad-pkts": "0", | "rx-all-pad-pkts": "0", | |||
| "rx-all-pad-octets": "0", | "rx-all-pad-octets": "0", | |||
| "rx-extra-pad-pkts": "0", | "rx-extra-pad-pkts": "0", | |||
| "rx-extra-pad-octets": "0", | "rx-extra-pad-octets": "0", | |||
| "rx-errored-pkts": "0", | "rx-errored-pkts": "0", | |||
| "rx-missed-pkts": "0" | "rx-missed-pkts": "0" | |||
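
Review bot: `"local-prefix": "192.0.2.1/16"` has host bits set and does not match the 192.0.2.0/16 used in the other examples; as with the earlier selectors, 192.0.2.0/24 and 198.51.100.0/24 are the documentation prefixes. The sample counters also do not reconcile: if ipsec-stats tx-octets counts outer octets sent it cannot be 80000 when inner tx-octets (75000) plus tx-all-pad-octets (40000) plus tx-extra-pad-octets (30000) is 145000; either make the numbers consistent or add a sentence stating what each counter is a subset of. The string encoding of the counter64 values here is correct per RFC 7951.
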
| End of changes. 78 change blocks. | ||||
| 153 lines changed or deleted | 143 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||