| < draft-ietf-ipsecme-yang-iptfs-02.txt | draft-ietf-ipsecme-yang-iptfs-03.txt > | |||
|---|---|---|---|---|
| Network Working Group D. Fedyk | Network Working Group D. Fedyk | |||
| Internet-Draft C. Hopps | Internet-Draft C. Hopps | |||
| Intended status: Standards Track LabN Consulting, L.L.C. | Intended status: Standards Track LabN Consulting, L.L.C. | |||
| Expires: 28 April 2022 25 October 2021 | Expires: 15 May 2022 11 November 2021 | |||
| A YANG Data Model for IP Traffic Flow Security | A YANG Data Model for IP Traffic Flow Security | |||
| draft-ietf-ipsecme-yang-iptfs-02 | draft-ietf-ipsecme-yang-iptfs-03 | |||
| Abstract | Abstract | |||
| This document describes a yang module for the management of IP | This document describes a yang module for the management of IP | |||
| Traffic Flow Security additions to IKEv2 and IPsec. | Traffic Flow Security additions to IKEv2 and IPsec. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| skipping to change at page 1, line 31 ¶ | skipping to change at page 1, line 31 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 28 April 2022. | This Internet-Draft will expire on 15 May 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 2, line 13 ¶ | skipping to change at page 2, line 13 ¶ | |||
| provided without warranty as described in the Simplified BSD License. | provided without warranty as described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Terminology & Concepts . . . . . . . . . . . . . . . . . 3 | 1.1. Terminology & Concepts . . . . . . . . . . . . . . . . . 3 | |||
| 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. YANG Management . . . . . . . . . . . . . . . . . . . . . . . 5 | 3. YANG Management . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.1. YANG Tree . . . . . . . . . . . . . . . . . . . . . . . . 5 | 3.1. YANG Tree . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 7 | 3.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 4.1. Updates to the IETF XML Registry . . . . . . . . . . . . 18 | 4.1. Updates to the IETF XML Registry . . . . . . . . . . . . 19 | |||
| 4.2. Updates to the YANG Module Names Registry . . . . . . . . 18 | 4.2. Updates to the YANG Module Names Registry . . . . . . . . 19 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 20 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 19 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 20 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 20 | 7.2. Informative References . . . . . . . . . . . . . . . . . 21 | |||
| Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 21 | Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| A.1. Example XML Configuration . . . . . . . . . . . . . . . . 21 | A.1. Example XML Configuration . . . . . . . . . . . . . . . . 22 | |||
| A.2. Example XML Operational Data . . . . . . . . . . . . . . 22 | A.2. Example XML Operational Data . . . . . . . . . . . . . . 23 | |||
| A.3. Example JSON Configuration . . . . . . . . . . . . . . . 23 | A.3. Example JSON Configuration . . . . . . . . . . . . . . . 24 | |||
| A.4. Example JSON Operational Data . . . . . . . . . . . . . . 24 | A.4. Example JSON Operational Data . . . . . . . . . . . . . . 26 | |||
| A.5. Example JSON Operational Statistics . . . . . . . . . . . 25 | A.5. Example JSON Operational Statistics . . . . . . . . . . . 27 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28 | |||
| 1. Introduction | 1. Introduction | |||
| This document defines a YANG module [RFC7950] for the management of | This document defines a YANG module [RFC7950] for the management of | |||
| the IP Traffic Flow Security (IP-TFS) extensions as defined in | the IP Traffic Flow Security (IP-TFS) extensions as defined in | |||
| [I-D.ietf-ipsecme-iptfs]. IP-TFS provides enhancements to an IPsec | [I-D.ietf-ipsecme-iptfs]. IP-TFS provides enhancements to an IPsec | |||
| tunnel Security Association to provide improved traffic | tunnel Security Association to provide improved traffic | |||
| confidentiality. Traffic confidentiality reduces the ability of | confidentiality. Traffic confidentiality reduces the ability of | |||
| traffic analysis to determine identity and correlate observable | traffic analysis to determine identity and correlate observable | |||
| traffic patterns. IP-TFS offers efficiency when aggregating traffic | traffic patterns. IP-TFS offers efficiency when aggregating traffic | |||
| skipping to change at page 3, line 27 ¶ | skipping to change at page 3, line 27 ¶ | |||
| [I-D.ietf-ipsecme-iptfs], defines a security association for tunnel | [I-D.ietf-ipsecme-iptfs], defines a security association for tunnel | |||
| mode IPsec with characteristics that improve traffic confidentiality | mode IPsec with characteristics that improve traffic confidentiality | |||
| and reduce bandwidth efficiency loss. These documents assume | and reduce bandwidth efficiency loss. These documents assume | |||
| familiarity with IP security concepts described in [RFC4301]. | familiarity with IP security concepts described in [RFC4301]. | |||
| IP-TFS uses tunnel mode to improve confidentiality by hiding inner | IP-TFS uses tunnel mode to improve confidentiality by hiding inner | |||
| packet identifiable information, packet size and packet timing. IP- | packet identifiable information, packet size and packet timing. IP- | |||
| TFS provides a general capability allowing aggregation of multiple | TFS provides a general capability allowing aggregation of multiple | |||
| packets in uniform size outer tunnel ipsec packets. It maintains the | packets in uniform size outer tunnel ipsec packets. It maintains the | |||
| outer packet size by utilizing combinations of aggregating, padding | outer packet size by utilizing combinations of aggregating, padding | |||
| and fragmentating inner packets to fill out the IPsec outer tunnel | and fragmenting inner packets to fill out the IPsec outer tunnel | |||
| packet. Zero byte padding is used to fill the packet when no data is | packet. Zero byte padding is used to fill the packet when no data is | |||
| available to send. | available to send. | |||
| This document specifies an extensible configuration model for IP-TFS. | This document specifies an extensible configuration model for IP-TFS. | |||
| This version utilizes the capabilities of IP-TFS to configure fixed | This version utilizes the capabilities of IP-TFS to configure fixed | |||
| size IP-TFS Packets that are transmitted at a constant rate. This | size IP-TFS Packets that are transmitted at a constant rate. This | |||
| model is structured to allow for different types of operation through | model is structured to allow for different types of operation through | |||
| future augmentation. | future augmentation. | |||
| The IP-TFS YANG module augments the IPsec YANG model from [RFC9061]. IP-TFS makes | The IP-TFS YANG module augments the IPsec YANG model from [RFC9061]. IP-TFS makes | |||
| skipping to change at page 5, line 17 ¶ | skipping to change at page 5, line 17 ¶ | |||
| 3.1. YANG Tree | 3.1. YANG Tree | |||
| The following is the YANG tree diagram ([RFC8340]) for the IP-TFS | The following is the YANG tree diagram ([RFC8340]) for the IP-TFS | |||
| extensions. | extensions. | |||
| module: ietf-ipsec-iptfs | module: ietf-ipsec-iptfs | |||
| augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd | augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd | |||
| /nsfike:spd-entry/nsfike:ipsec-policy-config | /nsfike:spd-entry/nsfike:ipsec-policy-config | |||
| /nsfike:processing-info/nsfike:ipsec-sa-cfg: | /nsfike:processing-info/nsfike:ipsec-sa-cfg: | |||
| +--rw traffic-flow-security | +--rw traffic-flow-security | |||
| +--rw congestion-control? boolean | +--rw congestion-control? boolean | |||
| +--rw packet-size | +--rw packet-size | |||
| | +--rw use-path-mtu-discovery? boolean | | +--rw use-path-mtu-discovery? boolean | |||
| | +--rw outer-packet-size? uint16 | | +--rw outer-packet-size? uint16 | |||
| +--rw (tunnel-rate)? | +--rw (tunnel-rate)? | |||
| | +--:(l2-fixed-rate) | | +--:(l2-fixed-rate) | |||
| | | +--rw l2-fixed-rate? yang:counter64 | | | +--rw l2-fixed-rate? yang:counter64 | |||
| | +--:(l3-fixed-rate) | | +--:(l3-fixed-rate) | |||
| | +--rw l3-fixed-rate? yang:counter64 | | +--rw l3-fixed-rate? yang:counter64 | |||
| +--rw dont-fragment? boolean | +--rw dont-fragment? boolean | |||
| +--rw max-aggregation-time? decimal64 | +--rw max-aggregation-time? decimal64 | |||
| +--rw window-size? uint16 | ||||
| +--rw send-immediately? boolean | ||||
| +--rw lost-packet-timer-interval? decimal64 | ||||
| augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info: | augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info: | |||
| +--ro traffic-flow-security | +--ro traffic-flow-security | |||
| +--ro congestion-control? boolean | +--ro congestion-control? boolean | |||
| +--ro packet-size | +--ro packet-size | |||
| | +--ro use-path-mtu-discovery? boolean | | +--ro use-path-mtu-discovery? boolean | |||
| | +--ro outer-packet-size? uint16 | | +--ro outer-packet-size? uint16 | |||
| +--ro (tunnel-rate)? | +--ro (tunnel-rate)? | |||
| | +--:(l2-fixed-rate) | | +--:(l2-fixed-rate) | |||
| | | +--ro l2-fixed-rate? yang:counter64 | | | +--ro l2-fixed-rate? yang:counter64 | |||
| | +--:(l3-fixed-rate) | | +--:(l3-fixed-rate) | |||
| | +--ro l3-fixed-rate? yang:counter64 | | +--ro l3-fixed-rate? yang:counter64 | |||
| +--ro dont-fragment? boolean | +--ro dont-fragment? boolean | |||
| +--ro max-aggregation-time? decimal64 | +--ro max-aggregation-time? decimal64 | |||
| +--ro window-size? uint16 | ||||
| +--ro send-immediately? boolean | ||||
| +--ro lost-packet-timer-interval? decimal64 | ||||
| augment /nsfikels:ipsec-ikeless/nsfikels:spd/nsfikels:spd-entry | augment /nsfikels:ipsec-ikeless/nsfikels:spd/nsfikels:spd-entry | |||
| /nsfikels:ipsec-policy-config/nsfikels:processing-info | /nsfikels:ipsec-policy-config/nsfikels:processing-info | |||
| /nsfikels:ipsec-sa-cfg: | /nsfikels:ipsec-sa-cfg: | |||
| +--rw traffic-flow-security | +--rw traffic-flow-security | |||
| +--rw congestion-control? boolean | +--rw congestion-control? boolean | |||
| +--rw packet-size | +--rw packet-size | |||
| | +--rw use-path-mtu-discovery? boolean | | +--rw use-path-mtu-discovery? boolean | |||
| | +--rw outer-packet-size? uint16 | | +--rw outer-packet-size? uint16 | |||
| +--rw (tunnel-rate)? | +--rw (tunnel-rate)? | |||
| | +--:(l2-fixed-rate) | | +--:(l2-fixed-rate) | |||
| | | +--rw l2-fixed-rate? yang:counter64 | | | +--rw l2-fixed-rate? yang:counter64 | |||
| | +--:(l3-fixed-rate) | | +--:(l3-fixed-rate) | |||
| | +--rw l3-fixed-rate? yang:counter64 | | +--rw l3-fixed-rate? yang:counter64 | |||
| +--rw dont-fragment? boolean | +--rw dont-fragment? boolean | |||
| +--rw max-aggregation-time? decimal64 | +--rw max-aggregation-time? decimal64 | |||
| +--rw window-size? uint16 | ||||
| +--rw send-immediately? boolean | ||||
| +--rw lost-packet-timer-interval? decimal64 | ||||
| augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry: | augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry: | |||
| +--ro traffic-flow-security | +--ro traffic-flow-security | |||
| +--ro congestion-control? boolean | +--ro congestion-control? boolean | |||
| +--ro packet-size | +--ro packet-size | |||
| | +--ro use-path-mtu-discovery? boolean | | +--ro use-path-mtu-discovery? boolean | |||
| | +--ro outer-packet-size? uint16 | | +--ro outer-packet-size? uint16 | |||
| +--ro (tunnel-rate)? | +--ro (tunnel-rate)? | |||
| | +--:(l2-fixed-rate) | | +--:(l2-fixed-rate) | |||
| | | +--ro l2-fixed-rate? yang:counter64 | | | +--ro l2-fixed-rate? yang:counter64 | |||
| | +--:(l3-fixed-rate) | | +--:(l3-fixed-rate) | |||
| | +--ro l3-fixed-rate? yang:counter64 | | +--ro l3-fixed-rate? yang:counter64 | |||
| +--ro dont-fragment? boolean | +--ro dont-fragment? boolean | |||
| +--ro max-aggregation-time? decimal64 | +--ro max-aggregation-time? decimal64 | |||
| +--ro window-size? uint16 | ||||
| +--ro send-immediately? boolean | ||||
| +--ro lost-packet-timer-interval? decimal64 | ||||
| augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info: | augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info: | |||
| +--ro ipsec-stats {ipsec-stats}? | +--ro ipsec-stats {ipsec-stats}? | |||
| | +--ro tx-pkts? yang:counter64 | | +--ro tx-pkts? yang:counter64 | |||
| | +--ro tx-octets? yang:counter64 | | +--ro tx-octets? yang:counter64 | |||
| | +--ro tx-drop-pkts? yang:counter64 | | +--ro tx-drop-pkts? yang:counter64 | |||
| | +--ro rx-pkts? yang:counter64 | | +--ro rx-pkts? yang:counter64 | |||
| | +--ro rx-octets? yang:counter64 | | +--ro rx-octets? yang:counter64 | |||
| | +--ro rx-drop-pkts? yang:counter64 | | +--ro rx-drop-pkts? yang:counter64 | |||
| +--ro iptfs-inner-pkt-stats {iptfs-stats}? | +--ro iptfs-inner-pkt-stats {iptfs-stats}? | |||
| | +--ro tx-pkts? yang:counter64 | | +--ro tx-pkts? yang:counter64 | |||
| skipping to change at page 7, line 29 ¶ | skipping to change at page 7, line 41 ¶ | |||
| +--ro rx-extra-pad-octets? yang:counter64 | +--ro rx-extra-pad-octets? yang:counter64 | |||
| +--ro rx-errored-pkts? yang:counter64 | +--ro rx-errored-pkts? yang:counter64 | |||
| +--ro rx-missed-pkts? yang:counter64 | +--ro rx-missed-pkts? yang:counter64 | |||
| 3.2. YANG Module | 3.2. YANG Module | |||
| The following is the YANG module for managing the IP-TFS extensions. | The following is the YANG module for managing the IP-TFS extensions. | |||
| The model contains references to [I-D.ietf-ipsecme-iptfs] and | The model contains references to [I-D.ietf-ipsecme-iptfs] and | |||
| [RFC5348]. | [RFC5348]. | |||
| <CODE BEGINS> file "ietf-ipsec-iptfs@2021-10-25.yang" | <CODE BEGINS> file "ietf-ipsec-iptfs@2021-11-11.yang" | |||
| module ietf-ipsec-iptfs { | module ietf-ipsec-iptfs { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs"; | namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs"; | |||
| prefix iptfs; | prefix iptfs; | |||
| import ietf-i2nsf-ike { | import ietf-i2nsf-ike { | |||
| prefix nsfike; | prefix nsfike; | |||
| } | } | |||
| import ietf-i2nsf-ikeless { | import ietf-i2nsf-ikeless { | |||
| prefix nsfikels; | prefix nsfikels; | |||
| skipping to change at page 8, line 30 ¶ | skipping to change at page 8, line 43 ¶ | |||
| without modification, is permitted pursuant to, and subject to | without modification, is permitted pursuant to, and subject to | |||
| the license terms contained in, the Simplified BSD License set | the license terms contained in, the Simplified BSD License set | |||
| forth in Section 4.c of the IETF Trust's Legal Provisions | forth in Section 4.c of the IETF Trust's Legal Provisions | |||
| Relating to IETF Documents | Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC XXXX | This version of this YANG module is part of RFC XXXX | |||
| (https://tools.ietf.org/html/rfcXXXX); see the RFC itself for | (https://tools.ietf.org/html/rfcXXXX); see the RFC itself for | |||
| full legal notices."; | full legal notices."; | |||
| revision 2021-10-25 { | revision 2021-11-11 { | |||
| description | description | |||
| "Initial Revision"; | "Initial Revision"; | |||
| reference | reference | |||
| "RFC XXXX: IP Traffic Flow Security YANG Module"; | "RFC XXXX: IP Traffic Flow Security YANG Module"; | |||
| } | } | |||
| feature ipsec-stats { | feature ipsec-stats { | |||
| description | description | |||
| "This feature indicates the device supports | "This feature indicates the device supports | |||
| per SA IPsec statistics"; | per SA IPsec statistics"; | |||
| skipping to change at page 13, line 27 ¶ | skipping to change at page 13, line 40 ¶ | |||
| "This is the grouping for iptfs configuration"; | "This is the grouping for iptfs configuration"; | |||
| container traffic-flow-security { | container traffic-flow-security { | |||
| description | description | |||
| "Configure the IPSec TFS in Security | "Configure the IPSec TFS in Security | |||
| Association Database (SAD)"; | Association Database (SAD)"; | |||
| leaf congestion-control { | leaf congestion-control { | |||
| type boolean; | type boolean; | |||
| default "true"; | default "true"; | |||
| description | description | |||
| "When set to true, the default, this enables the | "When set to true, the default, this enables the | |||
| congestion control on-the-wire exchange of data that | congestion control on-the-wire exchange of data that is | |||
| is required by congestion control algorithms as | required by congestion control algorithms as defined by | |||
| defined by RFC 5348. When set to false, IP-TFS | RFC 5348. When set to false, IP-TFS sends fixed-sized | |||
| sends fixed-sized packets over an IP-TFS tunnel | packets over an IP-TFS tunnel at a constant rate."; | |||
| at a constant rate."; | ||||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.5.2, RFC 5348"; | "draft-ietf-ipsecme-iptfs section 2.5.2, RFC 5348"; | |||
| } | } | |||
| container packet-size { | container packet-size { | |||
| description | description | |||
| "Packet size is either auto-discovered or manually | "Packet size is either auto-discovered or manually | |||
| configured."; | configured."; | |||
| leaf use-path-mtu-discovery { | leaf use-path-mtu-discovery { | |||
| type boolean; | type boolean; | |||
| default "true"; | default "true"; | |||
| description | description | |||
| "Utilize path mtu discovery to determine maximum IP-TFS | "Utilize path mtu discovery to determine maximum | |||
| packet size. If the packet size is explicitly | IP-TFS packet size. If the packet size is explicitly | |||
| configured, then it will only be adjusted downward | configured, then it will only be adjusted downward if | |||
| if use-path-mtu-discovery is set."; | use-path-mtu-discovery is set."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 4.2"; | "draft-ietf-ipsecme-iptfs section 4.2"; | |||
| } | } | |||
| leaf outer-packet-size { | leaf outer-packet-size { | |||
| type uint16; | type uint16; | |||
| description | description | |||
| "The size of the outer encapsulating tunnel packet (i.e., | "The size of the outer encapsulating tunnel packet (i.e., | |||
| the IP packet containing the ESP payload)."; | the IP packet containing the ESP payload)."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 4.2"; | "draft-ietf-ipsecme-iptfs section 4.2"; | |||
| } | } | |||
| } | } | |||
| choice tunnel-rate { | choice tunnel-rate { | |||
| description | description | |||
| "TFS bit rate may be specified at layer 2 wire | "TFS bit rate may be specified at layer 2 wire | |||
| rate or layer 3 packet rate"; | rate or layer 3 packet rate"; | |||
| leaf l2-fixed-rate { | leaf l2-fixed-rate { | |||
| type yang:counter64; | type yang:counter64; | |||
| description | description | |||
| "Target bandwidth/bit rate in bps for iptfs tunnel. This | "Target bandwidth/bit rate in bps for iptfs tunnel. | |||
| fixed rate is the nominal timing for the fixed size packet. | This fixed rate is the nominal timing for the fixed | |||
| If congestion control is enabled the rate may be adjusted | size packet. If congestion control is enabled the | |||
| down (or up if unset)."; | rate may be adjusted down (or up if unset)."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 4.1"; | "draft-ietf-ipsecme-iptfs section 4.1"; | |||
| } | } | |||
| leaf l3-fixed-rate { | leaf l3-fixed-rate { | |||
| type yang:counter64; | type yang:counter64; | |||
| description | description | |||
| "Target bandwidth/bit rate in bps for iptfs tunnel. This | "Target bandwidth/bit rate in bps for iptfs tunnel. | |||
| fixed rate is the nominal timing for the fixed size packet. | This fixed rate is the nominal timing for the fixed | |||
| If congestion control is enabled the rate may be adjusted | size packet. If congestion control is enabled the | |||
| down (or up if unset)."; | rate may be adjusted down (or up if unset)."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 4.1"; | "draft-ietf-ipsecme-iptfs section 4.1"; | |||
| } | } | |||
| } | } | |||
| leaf dont-fragment { | leaf dont-fragment { | |||
| type boolean; | type boolean; | |||
| default "false"; | default "false"; | |||
| description | description | |||
| "Disable packet fragmentation across consecutive iptfs | "Disable packet fragmentation across consecutive iptfs | |||
| tunnel packets"; | tunnel packets"; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.4 and 6.4.1"; | "draft-ietf-ipsecme-iptfs section 2.2.4 and 6.4.1"; | |||
| } | } | |||
| leaf max-aggregation-time { | leaf max-aggregation-time { | |||
| type decimal64 { | type decimal64 { | |||
| fraction-digits 6; | fraction-digits 6; | |||
| } | } | |||
| units "milliseconds"; | units "milliseconds"; | |||
| description | description | |||
| "Maximum Aggregation Time in Milliseconds | "Maximum aggregation time is the maximum length of time | |||
| or fractional milliseconds down to 1 nanosecond"; | a received inner packet can be held prior to | |||
| transmission in the iptfs tunnel. Inner packets that | ||||
| would be held longer than this time, based on the | ||||
| current tunnel configuration will be dropped rather | ||||
| than be queued for transmission. Maximum aggregation | ||||
| time is configurable in milliseconds or fractional | ||||
| milliseconds down to 1 nanosecond."; | ||||
| } | ||||
| leaf window-size { | ||||
| type uint16 { | ||||
| range "0..65535"; | ||||
| } | ||||
| description | ||||
| "The maximum number of out-of-order packets that will be | ||||
| reordered by an iptfs receiver while performing the | ||||
| reordering operation. The value 0 disables any | ||||
| reordering."; | ||||
| reference | ||||
| "draft-ietf-ipsecme-iptfs section 2.2.3"; | ||||
| } | ||||
| leaf send-immediately { | ||||
| type boolean; | ||||
| default false; | ||||
| description | ||||
| "Send inner packets as soon as possible, do not wait for | ||||
| lost or misordered outer packets. Selecting this | ||||
| option reduces the inner (user) packet delay but can | ||||
| amplify out-of-order delivery of the inner packet | ||||
| stream in the presence of packet aggregation and any | ||||
| reordering."; | ||||
| reference | ||||
| "draft-ietf-ipsecme-iptfs section 2.5"; | ||||
| } | ||||
| leaf lost-packet-timer-interval { | ||||
| type decimal64 { | ||||
| fraction-digits 6; | ||||
| } | ||||
| units "milliseconds"; | ||||
| description | ||||
| "This interval defines the length of time an iptfs | ||||
| receiver will wait for a missing packet before | ||||
| considering it lost. Setting this value too low can | ||||
| impact reordering and reassembly. The value is | ||||
| configurable in milliseconds or fractional milliseconds | ||||
| down to 1 nanosecond."; | ||||
| reference | ||||
| "draft-ietf-ipsecme-iptfs section 2.2.3"; | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| /* | /* | |||
| * IP-TFS ike configuration | * IP-TFS ike configuration | |||
| */ | */ | |||
| augment "/nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd/" | augment "/nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd/" | |||
| + "nsfike:spd-entry/" | + "nsfike:spd-entry/" | |||
| skipping to change at page 19, line 37 ¶ | skipping to change at page 20, line 41 ¶ | |||
| The authors would like to thank Eric Kinzie and Juergen Schoenwaelder | The authors would like to thank Eric Kinzie and Juergen Schoenwaelder | |||
| for their feedback and review on the YANG model. | for their feedback and review on the YANG model. | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [I-D.ietf-ipsecme-iptfs] | [I-D.ietf-ipsecme-iptfs] | |||
| Hopps, C., "IP-TFS: Aggregation and Fragmentation Mode for | Hopps, C., "IP-TFS: Aggregation and Fragmentation Mode for | |||
| ESP and its Use for IP Traffic Flow Security", Work in | ESP and its Use for IP Traffic Flow Security", Work in | |||
| Progress, Internet-Draft, draft-ietf-ipsecme-iptfs-11, 24 | Progress, Internet-Draft, draft-ietf-ipsecme-iptfs-12, 8 | |||
| October 2021, <https://www.ietf.org/archive/id/draft-ietf- | November 2021, <https://www.ietf.org/archive/id/draft- | |||
| ipsecme-iptfs-11.txt>. | ietf-ipsecme-iptfs-12.txt>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | |||
| Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, | Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, | |||
| December 2005, <https://www.rfc-editor.org/info/rfc4301>. | December 2005, <https://www.rfc-editor.org/info/rfc4301>. | |||
| skipping to change at page 21, line 21 ¶ | skipping to change at page 22, line 21 ¶ | |||
| DOI 10.17487/RFC8341, March 2018, | DOI 10.17487/RFC8341, March 2018, | |||
| <https://www.rfc-editor.org/info/rfc8341>. | <https://www.rfc-editor.org/info/rfc8341>. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| Appendix A. Examples | Appendix A. Examples | |||
| The following examples show configuration and operational data for | The following examples show configuration and operational data for | |||
| the ikeless case in xml and ike case in json. Also, the operational | the ikeless and ike cases using xml and json. Also, the operational | |||
| statistics for the ikeless case are shown using xml. | statistics for the ikeless case are illustrated. | |||
| A.1. Example XML Configuration | A.1. Example XML Configuration | |||
| This example illustrates configuration for IP-TFS in the ikeless | This example illustrates configuration for IP-TFS in the ikeless | |||
| case. Note that since this augments the ipsec ikeless schema only | case. Note that since this augments the ipsec ikeless schema only | |||
| minimal ikeless configuration to satisfy the schema has been | minimal ikeless configuration to satisfy the schema has been | |||
| populated. | populated. | |||
| <i:ipsec-ikeless | <i:ipsec-ikeless | |||
| xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" | xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" | |||
| xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs"> | xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs"> | |||
| <i:spd> | <i:spd> | |||
| <i:spd-entry> | <i:spd-entry> | |||
| <i:name>protect-policy-1</i:name> | <i:name>protect-policy-1</i:name> | |||
| <i:direction>outbound</i:direction> | <i:direction>outbound</i:direction> | |||
| <i:ipsec-policy-config> | <i:ipsec-policy-config> | |||
| skipping to change at page 22, line 29 ¶ | skipping to change at page 23, line 29 ¶ | |||
| <i:ipsec-sa-cfg> | <i:ipsec-sa-cfg> | |||
| <tfs:traffic-flow-security> | <tfs:traffic-flow-security> | |||
| <tfs:congestion-control>true</tfs:congestion-control> | <tfs:congestion-control>true</tfs:congestion-control> | |||
| <tfs:packet-size> | <tfs:packet-size> | |||
| <tfs:use-path-mtu-discovery | <tfs:use-path-mtu-discovery | |||
| >true</tfs:use-path-mtu-discovery> | >true</tfs:use-path-mtu-discovery> | |||
| </tfs:packet-size> | </tfs:packet-size> | |||
| <tfs:l2-fixed-rate>1000000000</tfs:l2-fixed-rate> | <tfs:l2-fixed-rate>1000000000</tfs:l2-fixed-rate> | |||
| <tfs:max-aggregation-time | <tfs:max-aggregation-time | |||
| >0.1</tfs:max-aggregation-time> | >0.1</tfs:max-aggregation-time> | |||
| <tfs:window-size>5</tfs:window-size> | ||||
| <tfs:send-immediately>false</tfs:send-immediately> | ||||
| <tfs:lost-packet-timer-interval | ||||
| >0.2</tfs:lost-packet-timer-interval> | ||||
| </tfs:traffic-flow-security> | </tfs:traffic-flow-security> | |||
| </i:ipsec-sa-cfg> | </i:ipsec-sa-cfg> | |||
| </i:processing-info> | </i:processing-info> | |||
| </i:ipsec-policy-config> | </i:ipsec-policy-config> | |||
| </i:spd-entry> | </i:spd-entry> | |||
| </i:spd> | </i:spd> | |||
| </i:ipsec-ikeless> | </i:ipsec-ikeless> | |||
| Figure 1: Example IP-TFS XML configuration | Figure 1: Example IP-TFS XML configuration | |||
| A.2. Example XML Operational Data | A.2. Example XML Operational Data | |||
| This example illustrates operational data for IP-TFS in the ikeless | This example illustrates operational data for IP-TFS in the ikeless | |||
| case. Note that since this augments the ipsec ikeless schema only | case. Note that since this augments the ipsec ikeless schema only | |||
| minimal ikeless configuration to satisfy the schema has been | minimal ikeless configuration to satisfy the schema has been | |||
| populated. | populated. | |||
| <i:ipsec-ikeless | <i:ipsec-ikeless | |||
| xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" | xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" | |||
| xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs"> | xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs"> | |||
| <i:sad> | <i:sad> | |||
| <i:sad-entry> | <i:sad-entry> | |||
| <i:name>sad-1</i:name> | <i:name>sad-1</i:name> | |||
| <i:ipsec-sa-config> | <i:ipsec-sa-config> | |||
| <i:spi>1</i:spi> | <i:spi>1</i:spi> | |||
| <i:traffic-selector> | <i:traffic-selector> | |||
| <i:local-prefix>2001:DB8::0/16</i:local-prefix> | <i:local-prefix>2001:DB8::0/16</i:local-prefix> | |||
| <i:remote-prefix>2001:DB8::1:0/16</i:remote-prefix> | <i:remote-prefix>2001:DB8::1:0/16</i:remote-prefix> | |||
| </i:traffic-selector> | </i:traffic-selector> | |||
| </i:ipsec-sa-config> | </i:ipsec-sa-config> | |||
| <tfs:traffic-flow-security> | <tfs:traffic-flow-security> | |||
| <tfs:congestion-control>true</tfs:congestion-control> | <tfs:congestion-control>true</tfs:congestion-control> | |||
| <tfs:packet-size> | <tfs:packet-size> | |||
| <tfs:use-path-mtu-discovery>true</tfs:use-path-mtu-discovery> | <tfs:use-path-mtu-discovery | |||
| </tfs:packet-size> | >true</tfs:use-path-mtu-discovery> | |||
| <tfs:l2-fixed-rate>1000000000</tfs:l2-fixed-rate> | </tfs:packet-size> | |||
| <tfs:max-aggregation-time>0.100</tfs::max-aggregation-time> | <tfs:l2-fixed-rate>1000000000</tfs:l2-fixed-rate> | |||
| </tfs:traffic-flow-security> | <tfs:max-aggregation-time>0.100</tfs:max-aggregation-time> | |||
| </i:sad-entry> | <tfs:window-size>0</tfs:window-size> | |||
| </i:sad> | <tfs:send-immediately>true</tfs:send-immediately> | |||
| </i:ipsec-ikeless> | <tfs:lost-packet-timer-interval | |||
| >0.200</tfs:lost-packet-timer-interval> | ||||
| </tfs:traffic-flow-security> | ||||
| </i:sad-entry> | ||||
| </i:sad> | ||||
| </i:ipsec-ikeless> | ||||
| Figure 2: Example IP-TFS XML Operational data | Figure 2: Example IP-TFS XML Operational data | |||
| A.3. Example JSON Configuration | A.3. Example JSON Configuration | |||
| This example illustrates config data for IP-TFS in the ike case. | This example illustrates config data for IP-TFS in the ike case. | |||
| Note that since this augments the ipsec ike schema only minimal ike | Note that since this augments the ipsec ike schema only minimal ike | |||
| configuration to satisfy the schema has been populated. | configuration to satisfy the schema has been populated. | |||
| { | { | |||
| "ietf-i2nsf-ike:ipsec-ike": { | "ietf-i2nsf-ike:ipsec-ike": { | |||
| "ietf-i2nsf-ike:conn-entry": [ | "ietf-i2nsf-ike:conn-entry": [ | |||
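Review bot: the traffic selector in the A.2 operational example uses `2001:DB8::0/16` and `2001:DB8::1:0/16`; with a /16 mask both collapse to the same prefix, so local and remote are identical, and a /16 extends well beyond the 2001:db8::/32 documentation prefix reserved by RFC 3849. Suggest two distinct prefixes inside that block, for example `2001:db8:0:1::/64` and `2001:db8:0:2::/64`. Separately, the leaves added in this hunk give the operational SA `window-size` 0 and `send-immediately` true while the A.1 configuration example added in the same hunk uses 5 and false; if the two examples are meant to describe the same SA the values should agree, otherwise a sentence noting that they are independent would help. The fix of the `</tfs::max-aggregation-time>` double colon in the old operational example is correct.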
| skipping to change at page 24, line 25 ¶ | skipping to change at page 25, line 31 ¶ | |||
| }, | }, | |||
| "processing-info": { | "processing-info": { | |||
| "action": "protect", | "action": "protect", | |||
| "ipsec-sa-cfg": { | "ipsec-sa-cfg": { | |||
| "ietf-ipsec-iptfs:traffic-flow-security": { | "ietf-ipsec-iptfs:traffic-flow-security": { | |||
| "congestion-control": "true", | "congestion-control": "true", | |||
| "l2-fixed-rate": 1000000000, | "l2-fixed-rate": 1000000000, | |||
| "packet-size": { | "packet-size": { | |||
| "use-path-mtu-discovery": "true" | "use-path-mtu-discovery": "true" | |||
| }, | }, | |||
| "max-aggregation-time": "0.1" | "max-aggregation-time": "0.1", | |||
| "window-size": "1", | ||||
| "send-immediately": "false", | ||||
| "lost-packet-timer-interval": "0.2" | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
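Review bot: in the A.3 JSON configuration example the boolean leaves are encoded as strings (`"congestion-control": "true"`, `"use-path-mtu-discovery": "true"`), but RFC 7951 encodes YANG boolean as the JSON literals true/false. The newly added `"window-size": "1"` is also quoted while `"l2-fixed-rate": 1000000000` is not; under RFC 7951 integers of 32 bits or fewer are JSON numbers and 64-bit integers and decimal64 are strings, so each leaf should be checked against its type in the module and encoded accordingly. Note too that this example sets `window-size` to 1 while the A.1 XML configuration example in this same draft sets it to 5; aligning the two would avoid the impression that the encodings differ.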
| skipping to change at page 25, line 30 ¶ | skipping to change at page 26, line 36 ¶ | |||
| "remote": { | "remote": { | |||
| "remote-pad-entry-name": "remote-1" | "remote-pad-entry-name": "remote-1" | |||
| }, | }, | |||
| "ietf-i2nsf-ike:child-sa-info": { | "ietf-i2nsf-ike:child-sa-info": { | |||
| "ietf-ipsec-iptfs:traffic-flow-security": { | "ietf-ipsec-iptfs:traffic-flow-security": { | |||
| "congestion-control": "true", | "congestion-control": "true", | |||
| "l2-fixed-rate": 1000000000, | "l2-fixed-rate": 1000000000, | |||
| "packet-size": { | "packet-size": { | |||
| "use-path-mtu-discovery": "true" | "use-path-mtu-discovery": "true" | |||
| }, | }, | |||
| "max-aggregation-time": "0.1" | "max-aggregation-time": "0.1", | |||
| "window-size": "5", | ||||
| "send-immediately": "false", | ||||
| "lost-packet-timer-interval": "0.2" | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
| } | } | |||
| Figure 4: Example IP-TFS JSON Operational data | Figure 4: Example IP-TFS JSON Operational data | |||
| A.5. Example JSON Operational Statistics | A.5. Example JSON Operational Statistics | |||
| This example shows the json formated statistics for IP-TFS. Note a | This example shows the json formated statistics for IP-TFS. Note a | |||
| unidirectional IP-TFS transmit side is illustrated, with arbitray | unidirectional IP-TFS transmit side is illustrated, with arbitrary | |||
| numbers for transmit. | numbers for transmit. | |||
| { | { | |||
| "ietf-i2nsf-ikeless:ipsec-ikeless": { | "ietf-i2nsf-ikeless:ipsec-ikeless": { | |||
| "sad": { | "sad": { | |||
| "sad-entry": [ | "sad-entry": [ | |||
| { | { | |||
| "name": "sad-1", | "name": "sad-1", | |||
| "ipsec-sa-config": { | "ipsec-sa-config": { | |||
| "spi": 1, | "spi": 1, | |||
| "traffic-selector": { | "traffic-selector": { | |||
| "local-prefix": "192.0.2.1/16", | "local-prefix": "192.0.2.1/16", | |||
| "remote-prefix": "198.51.100.0/16" | "remote-prefix": "198.51.100.0/16" | |||
| } | } | |||
| }, | }, | |||
| "ietf-ipsec-iptfs:traffic-flow-security": { | ||||
| "window-size": "5", | ||||
| "send-immediately": "false", | ||||
| "lost-packet-timer-interval": "0.2" | ||||
| }, | ||||
| "ietf-ipsec-iptfs:ipsec-stats": { | "ietf-ipsec-iptfs:ipsec-stats": { | |||
| "tx-pkts": "300", | "tx-pkts": "300", | |||
| "tx-octets": "80000", | "tx-octets": "80000", | |||
| "tx-drop-pkts": "2", | "tx-drop-pkts": "2", | |||
| "rx-pkts": "0", | "rx-pkts": "0", | |||
| "rx-octets": "0", | "rx-octets": "0", | |||
| "rx-drop-pkts": "0" | "rx-drop-pkts": "0" | |||
| }, | }, | |||
| "ietf-ipsec-iptfs:iptfs-inner-pkt-stats": { | "ietf-ipsec-iptfs:iptfs-inner-pkt-stats": { | |||
| "tx-pkts": "250", | "tx-pkts": "250", | |||
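Review bot: the IPv4 traffic selector in the A.5 statistics example uses `192.0.2.1/16`, which has host bits set below the /16 mask, and both `192.0.2.1/16` and `198.51.100.0/16` extend past the RFC 5737 documentation blocks, which are /24s (192.0.2.0/24 and 198.51.100.0/24). Suggest using those two /24 prefixes as written. The `traffic-flow-security` block added to the SAD entry here carries the same `window-size`/`send-immediately`/`lost-packet-timer-interval` values as the A.4 example, which is consistent, and the "arbitray" typo fix in the lead paragraph is correct.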
| skipping to change at page 27, line 5 ¶ | skipping to change at page 28, line 23 ¶ | |||
| } | } | |||
| } | } | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
| } | } | |||
| } | } | |||
| Figure 5: Example IP-TFS JSON Statistics | Figure 5: Example IP-TFS JSON Statistics | |||
| <tfs:traffic-flow-security> <tfs:reorder-window- | ||||
| size>300</tfs:reorder-window-size> | ||||
| Authors' Addresses | Authors' Addresses | |||
| Don Fedyk | Don Fedyk | |||
| LabN Consulting, L.L.C. | LabN Consulting, L.L.C. | |||
| Email: dfedyk@labn.net | Email: dfedyk@labn.net | |||
| Christian Hopps | Christian Hopps | |||
| LabN Consulting, L.L.C. | LabN Consulting, L.L.C. | |||
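Review bot: removing the stray `<tfs:traffic-flow-security> <tfs:reorder-window-size>300</tfs:reorder-window-size>` fragment that followed Figure 5 in -02 is the right fix; the fragment was unclosed and used a leaf name, `reorder-window-size`, that appears nowhere else in the visible examples, which all use `window-size`, so it is worth grepping the module text for any remaining `reorder-window-size` reference before publication. Also, the Authors' Addresses entry for Christian Hopps shows no Email line in either column here while the entry for Don Fedyk does; confirm that it was not dropped.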
| End of changes. 35 change blocks. | ||||
| 94 lines changed or deleted | 175 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||