| < draft-ietf-ipsecme-yang-iptfs-03.txt | draft-ietf-ipsecme-yang-iptfs-04.txt > | |||
|---|---|---|---|---|
| Network Working Group D. Fedyk | Network Working Group D. Fedyk | |||
| Internet-Draft C. Hopps | Internet-Draft C. Hopps | |||
| Intended status: Standards Track LabN Consulting, L.L.C. | Intended status: Standards Track LabN Consulting, L.L.C. | |||
| Expires: 15 May 2022 11 November 2021 | Expires: 20 May 2022 16 November 2021 | |||
| A YANG Data Model for IP Traffic Flow Security | A YANG Data Model for IP Traffic Flow Security | |||
| draft-ietf-ipsecme-yang-iptfs-03 | draft-ietf-ipsecme-yang-iptfs-04 | |||
| Abstract | Abstract | |||
| This document describes a yang module for the management of IP | This document describes a yang module for the management of IP | |||
| Traffic Flow Security additions to IKEv2 and IPsec. | Traffic Flow Security additions to IKEv2 and IPsec. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| skipping to change at page 1, line 31 ¶ | skipping to change at page 1, line 31 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 15 May 2022. | This Internet-Draft will expire on 20 May 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 7, line 41 ¶ | skipping to change at page 7, line 41 ¶ | |||
| +--ro rx-extra-pad-octets? yang:counter64 | +--ro rx-extra-pad-octets? yang:counter64 | |||
| +--ro rx-errored-pkts? yang:counter64 | +--ro rx-errored-pkts? yang:counter64 | |||
| +--ro rx-missed-pkts? yang:counter64 | +--ro rx-missed-pkts? yang:counter64 | |||
| 3.2. YANG Module | 3.2. YANG Module | |||
| The following is the YANG module for managing the IP-TFS extensions. | The following is the YANG module for managing the IP-TFS extensions. | |||
| The model contains references to [I-D.ietf-ipsecme-iptfs] and | The model contains references to [I-D.ietf-ipsecme-iptfs] and | |||
| [RFC5348]. | [RFC5348]. | |||
| <CODE BEGINS> file "ietf-ipsec-iptfs@2021-11-11.yang" | <CODE BEGINS> file "ietf-ipsec-iptfs@2021-11-16.yang" | |||
| module ietf-ipsec-iptfs { | module ietf-ipsec-iptfs { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs"; | namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs"; | |||
| prefix iptfs; | prefix iptfs; | |||
| import ietf-i2nsf-ike { | import ietf-i2nsf-ike { | |||
| prefix nsfike; | prefix nsfike; | |||
| } | } | |||
| import ietf-i2nsf-ikeless { | import ietf-i2nsf-ikeless { | |||
| prefix nsfikels; | prefix nsfikels; | |||
| skipping to change at page 8, line 43 ¶ | skipping to change at page 8, line 43 ¶ | |||
| without modification, is permitted pursuant to, and subject to | without modification, is permitted pursuant to, and subject to | |||
| the license terms contained in, the Simplified BSD License set | the license terms contained in, the Simplified BSD License set | |||
| forth in Section 4.c of the IETF Trust's Legal Provisions | forth in Section 4.c of the IETF Trust's Legal Provisions | |||
| Relating to IETF Documents | Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC XXXX | This version of this YANG module is part of RFC XXXX | |||
| (https://tools.ietf.org/html/rfcXXXX); see the RFC itself for | (https://tools.ietf.org/html/rfcXXXX); see the RFC itself for | |||
| full legal notices."; | full legal notices."; | |||
| revision 2021-11-11 { | revision 2021-11-16 { | |||
| description | description | |||
| "Initial Revision"; | "Initial Revision"; | |||
| reference | reference | |||
| "RFC XXXX: IP Traffic Flow Security YANG Module"; | "RFC XXXX: IP Traffic Flow Security YANG Module"; | |||
| } | } | |||
| feature ipsec-stats { | feature ipsec-stats { | |||
| description | description | |||
| "This feature indicates the device supports | "This feature indicates the device supports | |||
| per SA IPsec statistics"; | per SA IPsec statistics"; | |||
| skipping to change at page 14, line 17 ¶ | skipping to change at page 14, line 17 ¶ | |||
| "Utilize path mtu discovery to determine maximum | "Utilize path mtu discovery to determine maximum | |||
| IP-TFS packet size. If the packet size is explicitly | IP-TFS packet size. If the packet size is explicitly | |||
| configured, then it will only be adjusted downward if | configured, then it will only be adjusted downward if | |||
| use-path-mtu-discovery is set."; | use-path-mtu-discovery is set."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 4.2"; | "draft-ietf-ipsecme-iptfs section 4.2"; | |||
| } | } | |||
| leaf outer-packet-size { | leaf outer-packet-size { | |||
| type uint16; | type uint16; | |||
| description | description | |||
| "The size of the outer encapsulating tunnel packet (i.e., | "On transmission, the size of the outer encapsulating | |||
| the IP packet containing the ESP payload)."; | tunnel packet (i.e., the IP packet containing the ESP | |||
| payload)."; | ||||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 4.2"; | "draft-ietf-ipsecme-iptfs section 4.2"; | |||
| } | } | |||
| } | } | |||
| choice tunnel-rate { | choice tunnel-rate { | |||
| description | description | |||
| "TFS bit rate may be specified at layer 2 wire | "TFS bit rate may be specified at layer 2 wire | |||
| rate or layer 3 packet rate"; | rate or layer 3 packet rate"; | |||
| leaf l2-fixed-rate { | leaf l2-fixed-rate { | |||
| type yang:counter64; | type yang:counter64; | |||
| description | description | |||
| "Target bandwidth/bit rate in bps for iptfs tunnel. | "On transmission, target bandwidth/bit rate in bps | |||
| This fixed rate is the nominal timing for the fixed | for iptfs tunnel. This fixed rate is the nominal | |||
| size packet. If congestion control is enabled the | timing for the fixed size packet. If congestion | |||
| rate may be adjusted down (or up if unset)."; | control is enabled the rate may be adjusted down (or | |||
| up if unset)."; | ||||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 4.1"; | "draft-ietf-ipsecme-iptfs section 4.1"; | |||
| } | } | |||
| leaf l3-fixed-rate { | leaf l3-fixed-rate { | |||
| type yang:counter64; | type yang:counter64; | |||
| description | description | |||
| "Target bandwidth/bit rate in bps for iptfs tunnel. | "On transmission, target bandwidth/bit rate in bps | |||
| This fixed rate is the nominal timing for the fixed | for iptfs tunnel. This fixed rate is the nominal | |||
| size packet. If congestion control is enabled the | timing for the fixed size packet. If congestion | |||
| rate may be adjusted down (or up if unset)."; | control is enabled the rate may be adjusted down (or | |||
| up if unset)."; | ||||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 4.1"; | "draft-ietf-ipsecme-iptfs section 4.1"; | |||
| } | } | |||
| } | } | |||
| leaf dont-fragment { | leaf dont-fragment { | |||
| type boolean; | type boolean; | |||
| default "false"; | default "false"; | |||
| description | description | |||
| "Disable packet fragmentation across consecutive iptfs | "On transmission, disable packet fragmentation across | |||
| tunnel packets"; | consecutive iptfs tunnel packets; inner packets larger | |||
| than what can be transmitted in outer packets will be | ||||
| dropped."; | ||||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.4 and 6.4.1"; | "draft-ietf-ipsecme-iptfs section 2.2.4 and 6.4.1"; | |||
| } | } | |||
| leaf max-aggregation-time { | leaf max-aggregation-time { | |||
| type decimal64 { | type decimal64 { | |||
| fraction-digits 6; | fraction-digits 6; | |||
| } | } | |||
| units "milliseconds"; | units "milliseconds"; | |||
| description | description | |||
| "Maximum aggregation time is the maximum length of time | "On transmission, maximum aggregation time is the | |||
| a received inner packet can be held prior to | maximum length of time a received inner packet can be | |||
| transmission in the iptfs tunnel. Inner packets that | held prior to transmission in the iptfs tunnel. Inner | |||
| would be held longer than this time, based on the | packets that would be held longer than this time, based | |||
| current tunnel configuration will be dropped rather | on the current tunnel configuration will be dropped | |||
| than be queued for transmission. Maximum aggregation | rather than be queued for transmission. Maximum | |||
| time is configurable in milliseconds or fractional | aggregation time is configurable in milliseconds or | |||
| milliseconds down to 1 nanosecond."; | fractional milliseconds down to 1 nanosecond."; | |||
| } | } | |||
| leaf window-size { | leaf window-size { | |||
| type uint16 { | type uint16 { | |||
| range "0..65535"; | range "0..65535"; | |||
| } | } | |||
| description | description | |||
| "The maximum number of out-of-order packets that will be | "On reception, the maximum number of out-of-order | |||
| reordered by an iptfs receiver while performing the | packets that will be reordered by an iptfs receiver | |||
| reordering operation. The value 0 disables any | while performing the reordering operation. The value 0 | |||
| reordering."; | disables any reordering."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.3"; | "draft-ietf-ipsecme-iptfs section 2.2.3"; | |||
| } | } | |||
| leaf send-immediately { | leaf send-immediately { | |||
| type boolean; | type boolean; | |||
| default false; | default false; | |||
| description | description | |||
| "Send inner packets as soon as possible, do not wait for | "On reception, end inner packets as soon as possible, do | |||
| lost or misordered outer packets. Selecting this | not wait for lost or misordered outer packets. | |||
| option reduces the inner (user) packet delay but can | Selecting this option reduces the inner (user) packet | |||
| amplify out-of-order delivery of the inner packet | delay but can amplify out-of-order delivery of the | |||
| stream in the presence of packet aggregation and any | inner packet stream in the presence of packet | |||
| reordering."; | aggregation and any reordering."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.5"; | "draft-ietf-ipsecme-iptfs section 2.5"; | |||
| } | } | |||
| leaf lost-packet-timer-interval { | leaf lost-packet-timer-interval { | |||
| type decimal64 { | type decimal64 { | |||
| fraction-digits 6; | fraction-digits 6; | |||
| } | } | |||
| units "milliseconds"; | units "milliseconds"; | |||
| description | description | |||
| "This interval defines the length of time an iptfs | "On reception, this interval defines the length of time | |||
| receiver will wait for a missing packet before | an iptfs receiver will wait for a missing packet before | |||
| considering it lost. Setting this value too low can | considering it lost. If not using send-immediately, | |||
| impact reordering and reassembly. The value is | then each lost packet will delay inner (user) packets | |||
| until this timer expires. Setting this value too low | ||||
| can impact reordering and reassembly. The value is | ||||
| configurable in milliseconds or fractional milliseconds | configurable in milliseconds or fractional milliseconds | |||
| down to 1 nanosecond."; | down to 1 nanosecond."; | |||
| reference | reference | |||
| "draft-ietf-ipsecme-iptfs section 2.2.3"; | "draft-ietf-ipsecme-iptfs section 2.2.3"; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| /* | /* | |||
| * IP-TFS ike configuration | * IP-TFS ike configuration | |||
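
Review bot: the new send-immediately description in this hunk reads "On reception, end inner packets as soon as possible"; the old text had "Send inner packets", so the added "On reception, " prefix dropped the leading S, and the line should read "On reception, send inner packets as soon as possible, do". Separately, l2-fixed-rate and l3-fixed-rate are configuration leaves whose description says "target bandwidth/bit rate in bps", yet both are typed yang:counter64, the same monotonically increasing counter type used for the rx-* statistics (rx-errored-pkts, rx-missed-pkts) earlier in this diff; a plain uint64 with a `units "bps";` statement describes a configured rate correctly and lets tooling validate it. Finally, the "On transmission"/"On reception" prefix added to each leaf was not applied to the enclosing tunnel-rate choice, whose description still reads "TFS bit rate may be specified at layer 2 wire rate or layer 3 packet rate"; for consistency it should say that the choice governs the transmit side.
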
| skipping to change at page 20, line 29 ¶ | skipping to change at page 20, line 35 ¶ | |||
| The Network Configuration Access Control Model (NACM) [RFC8341] | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
| provides the means to restrict access for particular NETCONF or | provides the means to restrict access for particular NETCONF or | |||
| RESTCONF users to a preconfigured subset of all available NETCONF or | RESTCONF users to a preconfigured subset of all available NETCONF or | |||
| RESTCONF protocol operations and content. | RESTCONF protocol operations and content. | |||
| The YANG module defined in this document can enable, disable and | The YANG module defined in this document can enable, disable and | |||
| modify the behavior of IP traffic flow security, for the implications | modify the behavior of IP traffic flow security, for the implications | |||
| regarding these types of changes consult the [I-D.ietf-ipsecme-iptfs] | regarding these types of changes consult the [I-D.ietf-ipsecme-iptfs] | |||
| which defines the functionality. | which defines the functionality. | |||
| IP-TFS hides the traffic flows through the network, anywhere that | ||||
| access YANG statistics is enabled needs to be protected from third | ||||
| party observation. | ||||
| 6. Acknowledgements | 6. Acknowledgements | |||
| The authors would like to thank Eric Kinzie and Juergen Schoenwaelder | The authors would like to thank Eric Kinzie, Juergen Schoenwaelder, | |||
| for their feedback and review on the YANG model. | Lou Berger and Tero Kivinen for their feedback and review on the YANG | |||
| model. | ||||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [I-D.ietf-ipsecme-iptfs] | [I-D.ietf-ipsecme-iptfs] | |||
| Hopps, C., "IP-TFS: Aggregation and Fragmentation Mode for | Hopps, C., "IP-TFS: Aggregation and Fragmentation Mode for | |||
| ESP and its Use for IP Traffic Flow Security", Work in | ESP and its Use for IP Traffic Flow Security", Work in | |||
| Progress, Internet-Draft, draft-ietf-ipsecme-iptfs-12, 8 | Progress, Internet-Draft, draft-ietf-ipsecme-iptfs-12, 8 | |||
| November 2021, <https://www.ietf.org/archive/id/draft- | November 2021, <https://www.ietf.org/archive/id/draft- | |||
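
Review bot: the sentence added to the security considerations, "IP-TFS hides the traffic flows through the network, anywhere that access YANG statistics is enabled needs to be protected from third party observation", is a comma splice with a missing word; suggest "IP-TFS hides traffic flows through the network, so wherever access to the YANG statistics is enabled, that access must be protected from third-party observation." It would also help to name what is sensitive: the per-SA counters under the ipsec-stats feature (for example rx-missed-pkts and rx-errored-pkts shown earlier in this diff) reveal loss and volume information about flows the tunnel is meant to conceal, so read access to them should be limited with NACM as the preceding paragraph already describes. That preceding paragraph is itself a run-on in both versions: "...behavior of IP traffic flow security, for the implications regarding these types of changes consult..." should be split into two sentences after "security".
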
| End of changes. 16 change blocks. | ||||
| 42 lines changed or deleted | 53 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||