idnits 2.17.1 draft-fedyk-ipsecme-yang-iptfs-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119 boilerplate text. -- The document date (July 13, 2020) is 1376 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-14) exists of draft-ietf-i2nsf-sdn-ipsec-flow-protection-08 == Outdated reference: A later version (-19) exists of draft-ietf-ipsecme-iptfs-01 Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group D. Fedyk 3 Internet-Draft C. Hopps 4 Intended status: Standards Track LabN Consulting, L.L.C. 5 Expires: January 14, 2021 July 13, 2020 7 IP Traffic Flow Security YANG Module 8 draft-fedyk-ipsecme-yang-iptfs-00 10 Abstract 12 This document describes a yang module for the management of IP 13 Traffic Flow Security additions to IKEv2 and IPsec. 15 Status of This Memo 17 This Internet-Draft is submitted in full conformance with the 18 provisions of BCP 78 and BCP 79. 20 Internet-Drafts are working documents of the Internet Engineering 21 Task Force (IETF). Note that other groups may also distribute 22 working documents as Internet-Drafts. The list of current Internet- 23 Drafts is at https://datatracker.ietf.org/drafts/current/. 25 Internet-Drafts are draft documents valid for a maximum of six months 26 and may be updated, replaced, or obsoleted by other documents at any 27 time. It is inappropriate to use Internet-Drafts as reference 28 material or to cite them other than as "work in progress." 30 This Internet-Draft will expire on January 14, 2021. 32 Copyright Notice 34 Copyright (c) 2020 IETF Trust and the persons identified as the 35 document authors. All rights reserved. 37 This document is subject to BCP 78 and the IETF Trust's Legal 38 Provisions Relating to IETF Documents 39 (https://trustee.ietf.org/license-info) in effect on the date of 40 publication of this document. Please review these documents 41 carefully, as they describe your rights and restrictions with respect 42 to this document. Code Components extracted from this document must 43 include Simplified BSD License text as described in Section 4.e of 44 the Trust Legal Provisions and are provided without warranty as 45 described in the Simplified BSD License. 47 Table of Contents 49 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 50 2. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . 2 51 2.1. Terminology & Concepts . . . . . . . . . . . . . . . . . 3 52 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 4. YANG Management . . . . . . . . . . . . . . . . . . . . . . . 5 54 4.1. YANG Tree . . . . . . . . . . . . . . . . . . . . . . . . 5 55 4.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 7 56 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 57 5.1. Updates to the IETF XML Registry . . . . . . . . . . . . 18 58 5.2. Updates to the YANG Module Names Registry . . . . . . . . 18 59 6. Security Considerations . . . . . . . . . . . . . . . . . . . 19 60 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 61 7.1. Normative References . . . . . . . . . . . . . . . . . . 19 62 7.2. Informative References . . . . . . . . . . . . . . . . . 20 63 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 21 64 A.1. Example XML Configuration . . . . . . . . . . . . . . . . 21 65 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25 67 1. Introduction 69 This document defines a YANG module [RFC7950] for the management of 70 the IP Traffic Flow Security (IP-TFS) extensions as defined in 71 [I-D.ietf-ipsecme-iptfs]. IP-TFS provides enhancements to an IPsec 72 tunnel Security Association to provide improved traffic 73 confidentiality. Traffic confidentiality reduces the ability of 74 traffic analysis to determine identity and correlate observable 75 traffic patterns. IP-TFS offers efficiency when aggregating traffic 76 in fixed size IPsec tunnel packets. 78 The YANG data model in this document conforms to the Network 79 Management Datastore Architecture defined in [RFC8342]. 81 2. Open Issues 83 Currently, the only actively published YANG modules for IPsec are 84 found in [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]. This document 85 attempts to use these models as a general IPsec model that can be 86 augmented, however, in their current form this does not seem to be a 87 good fit. The models in [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] 88 provide for an ike and an ikeless model but the ike model 89 intentionally does not include a Security Association Database which 90 is a logical place for IP-TFS attributes. 92 2.1. Terminology & Concepts 94 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 95 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 96 "OPTIONAL" in this document are to be interpreted as described in 97 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, 98 as shown here. 100 3. Overview 102 This document defines configuration and operational parameters of IP 103 traffic flow security (IP-TFS). IP-TFS, defined in 104 [I-D.ietf-ipsecme-iptfs], configures a security association for 105 tunnel mode IPsec with characteristics that improve traffic 106 confidentiality and reduce bandwidth efficiency loss. These 107 documents assume familiarity with IP security concepts described in 108 [RFC4301]. 110 IP-TFS uses tunnel mode to improve confidentiality by hiding inner 111 packet identifiable information, packet size and packet timing. IP- 112 TFS provides a general capability allowing aggregation of multiple 113 packets and packet size control utilizing padding and additionally 114 utilizing inner packet fragments when a complete inner packet will 115 not fit in the IPsec outer tunnel packet. Zero byte padding is used 116 to fill the packet when no data is available to send. 118 This document specifies an extensible configuration model for IP-TFS. 119 This initial version utilizes the capabilities of IP-TFS to configure 120 fixed size IP-TFS Packets that are transmitted at a constant rate. 121 This model is structured to allow for different types of operation 122 through future augmentation. 124 IP-TFS YANG augments IPsec YANG model from 125 [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]. IP-TFS makes use of 126 IPsec tunnel mode and adds a small number configuration items to 127 tunnel mode IPsec. As defined in [I-D.ietf-ipsecme-iptfs], any SA 128 configured to use IP-TFS supports only IP-TFS packets i.e. no mixed 129 IPsec modes. 131 The behavior for IP-TFS is controlled by the source. The self- 132 describing format of an IP-TFS packets allows a sending side to 133 adjust the packet-size and timing independently from any receiver. 134 Both directions are also independent, e.g. IP-TFS may be run only in 135 one direction. 137 The data model uses following constructs for configuration and 138 management: 140 o Configuration 142 o Operational State 144 This YANG module supports configuration of fixed size and fixed rate 145 packets, and elements that may be augmented to support future 146 configuration. The protocol specification [I-D.ietf-ipsecme-iptfs], 147 goes beyond this simple fixed mode of operation by defining a general 148 format for any type of scheme. In this document the outer IPsec 149 packets can be sent with fixed or variable size (without padding). 150 The configuration allows the fixed packet size to be determined by 151 the path MTU. The fixed packet size can also be configured if a 152 value lower than the path MTU is desired. 154 Other configuration items include: 156 o Congestion Control. A congestion control setting to allow IP-TFS 157 to reduce the packet rate when congestion is detected. 159 o Fixed Rate configuration. The IP-TFS tunnel rate can be 160 configured taking into account either layer 2 overhead or layer 3 161 overhead. Layer 3 overhead is the IP data rate and layer 2 162 overhead is the rate of bits on the link. The combination of 163 packet size and rate determines the nominal maximum bandwidth and 164 the transmission interval when fixed size packets are used. 166 o User packet Fragmentation Control. While fragmentation is 167 recommended, a configuration is provided if users wish to observe 168 the effect no-fragmentation on their data flows. 170 The YANG operational data allows the readout of the configured 171 parameters as well as the statistics and error counter for IP-TFS. 172 Basic IPsec packet statistics are provided and IP-TFS statistics 173 augment IPsec statistics with counters that allow observation of IP- 174 TFS packet efficiency. 176 Draft [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] has a mature set of 177 IPsec YANG management objects. 179 IP-TFS YANG augments: 181 o Yang catalog entry for ietf-ipsec-ike@2019-08-05.yang 183 o Yang catalog entry for ietf-ipsec-ikeless@2019-08-05.yang 185 The Security Policy database entry and Security Association entry for 186 an IPsec Tunnel can be augmented with IP-TFS. 188 4. YANG Management 190 4.1. YANG Tree 192 The following is the YANG tree diagram ([RFC8340]) for the IP-TFS 193 extensions. 195 module: ietf-ipsecme-iptfs 196 augment /ike:ipsec-ike/ike:conn-entry/ike:spd/ike:spd-entry 197 /ike:ipsec-policy-config/ike:processing-info 198 /ike:ipsec-sa-cfg: 199 +--rw traffic-flow-security 200 +--rw congestion-control? boolean 201 +--rw packet-size 202 | +--rw use-path-mtu? boolean 203 | +--rw outer-packet-size? uint16 204 +--rw (tunnel-rate)? 205 | +--:(l2-fixed-rate) 206 | | +--rw l2-fixed-rate? uint64 207 | +--:(l3-fixed-rate) 208 | +--rw l3-fixed-rate? uint64 209 +--rw dont-fragment? boolean 210 augment /ike:ipsec-ike/ike:conn-entry/ike:child-sa-info: 211 +--ro traffic-flow-security 212 +--ro congestion-control? boolean 213 +--ro packet-size 214 | +--ro use-path-mtu? boolean 215 | +--ro outer-packet-size? uint16 216 +--ro (tunnel-rate)? 217 | +--:(l2-fixed-rate) 218 | | +--ro l2-fixed-rate? uint64 219 | +--:(l3-fixed-rate) 220 | +--ro l3-fixed-rate? uint64 221 +--ro dont-fragment? boolean 222 augment /ikeless:ipsec-ikeless/ikeless:spd/ikeless:spd-entry 223 /ikeless:ipsec-policy-config/ikeless:processing-info 224 /ikeless:ipsec-sa-cfg: 225 +--rw traffic-flow-security 226 +--rw congestion-control? boolean 227 +--rw packet-size 228 | +--rw use-path-mtu? boolean 229 | +--rw outer-packet-size? uint16 230 +--rw (tunnel-rate)? 231 | +--:(l2-fixed-rate) 232 | | +--rw l2-fixed-rate? uint64 233 | +--:(l3-fixed-rate) 234 | +--rw l3-fixed-rate? uint64 235 +--rw dont-fragment? boolean 236 augment /ikeless:ipsec-ikeless/ikeless:sad/ikeless:sad-entry: 237 +--ro traffic-flow-security 238 +--ro congestion-control? boolean 239 +--ro packet-size 240 | +--ro use-path-mtu? boolean 241 | +--ro outer-packet-size? uint16 242 +--ro (tunnel-rate)? 243 | +--:(l2-fixed-rate) 244 | | +--ro l2-fixed-rate? uint64 245 | +--:(l3-fixed-rate) 246 | +--ro l3-fixed-rate? uint64 247 +--ro dont-fragment? boolean 248 augment /ike:ipsec-ike/ike:conn-entry/ike:child-sa-info: 249 +--ro tx-packets? uint64 {ipsec-stats}? 250 +--ro tx-octets? uint64 {ipsec-stats}? 251 +--ro tx-drop-packets? uint64 {ipsec-stats}? 252 +--ro rx-packets? uint64 {ipsec-stats}? 253 +--ro rx-octets? uint64 {ipsec-stats}? 254 +--ro rx-drop-packets? uint64 {ipsec-stats}? 255 +--rw rx-dropped-packet-detail {ipsec-stats}? 256 | +--ro sa-non-exist? uint64 257 | +--ro queue-full? uint64 258 | +--ro auth-failure? uint64 259 | +--ro malform? uint64 260 | +--ro replay? uint64 261 | +--ro large-packet? uint64 262 | +--ro invalid-sa? uint64 263 | +--ro policy-deny? uint64 264 | +--ro other-reason? uint64 265 +--ro tx-inner-packets? uint64 {iptfs-stats}? 266 +--ro tx-inner-octets? uint64 {iptfs-stats}? 267 +--ro tx-extra-pad-packets? uint64 {iptfs-stats}? 268 +--ro tx-extra-pad-octets? uint64 {iptfs-stats}? 269 +--ro tx-all-pad-packets? uint64 {iptfs-stats}? 270 +--ro tx-all-pad-octets? uint64 {iptfs-stats}? 271 +--ro rx-inner-packets? uint64 {iptfs-stats}? 272 +--ro rx-inner-octets? uint64 {iptfs-stats}? 273 +--ro rx-extra-pad-packets? uint64 {iptfs-stats}? 274 +--ro rx-extra-pad-octets? uint64 {iptfs-stats}? 275 +--ro rx-all-pad-packets? uint64 {iptfs-stats}? 276 +--ro rx-all-pad-octets? uint64 {iptfs-stats}? 277 +--ro rx-errored-packets? uint64 {iptfs-stats}? 278 +--ro rx-missed-packets? uint64 {iptfs-stats}? 279 +--ro rx-incomplete-inner-packets? uint64 {iptfs-stats}? 280 augment /ikeless:ipsec-ikeless/ikeless:sad/ikeless:sad-entry: 281 +--ro tx-packets? uint64 {ipsec-stats}? 282 +--ro tx-octets? uint64 {ipsec-stats}? 283 +--ro tx-drop-packets? uint64 {ipsec-stats}? 284 +--ro rx-packets? uint64 {ipsec-stats}? 285 +--ro rx-octets? uint64 {ipsec-stats}? 286 +--ro rx-drop-packets? uint64 {ipsec-stats}? 287 +--rw rx-dropped-packet-detail {ipsec-stats}? 288 | +--ro sa-non-exist? uint64 289 | +--ro queue-full? uint64 290 | +--ro auth-failure? uint64 291 | +--ro malform? uint64 292 | +--ro replay? uint64 293 | +--ro large-packet? uint64 294 | +--ro invalid-sa? uint64 295 | +--ro policy-deny? uint64 296 | +--ro other-reason? uint64 297 +--ro tx-inner-packets? uint64 {iptfs-stats}? 298 +--ro tx-inner-octets? uint64 {iptfs-stats}? 299 +--ro tx-extra-pad-packets? uint64 {iptfs-stats}? 300 +--ro tx-extra-pad-octets? uint64 {iptfs-stats}? 301 +--ro tx-all-pad-packets? uint64 {iptfs-stats}? 302 +--ro tx-all-pad-octets? uint64 {iptfs-stats}? 303 +--ro rx-inner-packets? uint64 {iptfs-stats}? 304 +--ro rx-inner-octets? uint64 {iptfs-stats}? 305 +--ro rx-extra-pad-packets? uint64 {iptfs-stats}? 306 +--ro rx-extra-pad-octets? uint64 {iptfs-stats}? 307 +--ro rx-all-pad-packets? uint64 {iptfs-stats}? 308 +--ro rx-all-pad-octets? uint64 {iptfs-stats}? 309 +--ro rx-errored-packets? uint64 {iptfs-stats}? 310 +--ro rx-missed-packets? uint64 {iptfs-stats}? 311 +--ro rx-incomplete-inner-packets? uint64 {iptfs-stats}? 313 4.2. YANG Module 315 The following is the YANG module for managing the IP-TFS extensions. 317 file "ietf-ipsecme-iptfs@2020-07-13.yang" 318 module ietf-ipsecme-iptfs { 319 yang-version 1.1; 320 namespace "urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs"; 321 prefix iptfs; 323 import ietf-ipsec-ike { 324 prefix ike; 325 } 326 import ietf-ipsec-ikeless { 327 prefix ikeless; 328 } 330 organization 331 "IETF IPSECME Working Group (IPSECME)"; 332 contact 333 "WG Web: 334 WG List: 336 Author: Don Fedyk 337 339 Author: Christian Hopps 340 "; 342 // RFC Ed.: replace XXXX with actual RFC number and 343 // remove this note. 345 description 346 "This module defines the configuration and operational state for 347 managing the IP Traffic Flow Security functionality [RFC XXXX]. 349 Copyright (c) 2020 IETF Trust and the persons identified as 350 authors of the code. All rights reserved. 352 Redistribution and use in source and binary forms, with or 353 without modification, is permitted pursuant to, and subject to 354 the license terms contained in, the Simplified BSD License set 355 forth in Section 4.c of the IETF Trust's Legal Provisions 356 Relating to IETF Documents 357 (https://trustee.ietf.org/license-info). 359 This version of this YANG module is part of RFC XXXX 360 (https://tools.ietf.org/html/rfcXXXX); see the RFC itself for 361 full legal notices."; 363 revision 2020-07-13 { 364 description 365 "Initial Revision"; 366 reference 367 "RFC XXXX: IP Traffic Flow Security YANG Module"; 368 } 370 feature ipsec-stats { 371 description 372 "This feature indicates the device supports IPsec 373 statistics"; 374 } 376 feature iptfs-stats { 377 description 378 "This feature indicates the device supports IP 379 Traffic Flow Security statistics"; 380 } 382 /*--------------------*/ 383 /* groupings */ 384 /*--------------------*/ 386 grouping ipsec-tx-stat-grouping { 387 description 388 "IPsec outbound statistics"; 389 leaf tx-packets { 390 type uint64; 391 config false; 392 description 393 "Outbound Packet count"; 394 } 395 leaf tx-octets { 396 type uint64; 397 config false; 398 description 399 "Outbound Packet bytes"; 400 } 401 leaf tx-drop-packets { 402 type uint64; 403 config false; 404 description 405 "Outbound dropped packets count"; 406 } 407 } 409 grouping ipsec-rx-stat-grouping { 410 description 411 "IPsec inbound statistics"; 412 leaf rx-packets { 413 type uint64; 414 config false; 415 description 416 "Inbound Packet count"; 417 } 418 leaf rx-octets { 419 type uint64; 420 config false; 421 description 422 "Inbound Packet bytes"; 423 } 424 leaf rx-drop-packets { 425 type uint64; 426 config false; 427 description 428 "Inbound dropped packets count"; 429 } 430 container rx-dropped-packet-detail { 431 description 432 "The detail information of dropped packets"; 433 leaf sa-non-exist { 434 type uint64; 435 config false; 436 description 437 "The dropped packets counts caused by SA 438 non-exist."; 439 } 440 leaf queue-full { 441 type uint64; 442 config false; 443 description 444 "The dropped packets counts caused by full 445 processing queue"; 446 } 447 leaf auth-failure { 448 type uint64; 449 config false; 450 description 451 "The dropped packets counts caused by 452 authentication failure"; 453 } 454 leaf malform { 455 type uint64; 456 config false; 457 description 458 "The dropped packets counts of malform"; 459 } 460 leaf replay { 461 type uint64; 462 config false; 463 description 464 "The dropped packets counts of replay"; 465 } 466 leaf large-packet { 467 type uint64; 468 config false; 469 description 470 "The dropped packets counts of too large"; 471 } 472 leaf invalid-sa { 473 type uint64; 474 config false; 475 description 476 "The dropped packets counts of invalid SA"; 477 } 478 leaf policy-deny { 479 type uint64; 480 config false; 481 description 482 "The dropped packets counts of denied by policy"; 483 } 484 leaf other-reason { 485 type uint64; 486 config false; 487 description 488 "The dropped packets counts of other reason"; 489 } 490 } 491 } 493 grouping iptfs-tx-stat-grouping { 494 description 495 "IP-TFS outbound statistics"; 496 leaf tx-inner-packets { 497 type uint64; 498 config false; 499 description 500 "Total number of IP-TFS inner packets sent. This 501 count is whole packets only. A fragmented packet 502 counts as one packet"; 503 reference 504 "draft-ietf-ipsecme-iptfs-01"; 505 } 506 leaf tx-inner-octets { 507 type uint64; 508 config false; 509 description 510 "Total number of IP-TFS inner octets sent. This is 511 inner packet octets only. Does not count padding."; 512 reference 513 "draft-ietf-ipsecme-iptfs-01"; 514 } 515 leaf tx-extra-pad-packets { 516 type uint64; 517 config false; 518 description 519 "Total number of transmitted outer IP-TFS packets 520 that included some padding."; 521 reference 522 "draft-ietf-ipsecme-iptfs-01"; 524 } 525 leaf tx-extra-pad-octets { 526 type uint64; 527 config false; 528 description 529 "Total number of transmitted octets of padding added 530 to outer IP-TFS packets with data."; 531 reference 532 "draft-ietf-ipsecme-iptfs-01"; 533 } 534 leaf tx-all-pad-packets { 535 type uint64; 536 config false; 537 description 538 "Total number of transmitted IP-TFS packets that 539 were all padding with no inner packet data."; 540 reference 541 "draft-ietf-ipsecme-iptfs-01"; 542 } 543 leaf tx-all-pad-octets { 544 type uint64; 545 config false; 546 description 547 "Total number transmitted octets of padding added to 548 IP-TFS packets with no inner packet data."; 549 reference 550 "draft-ietf-ipsecme-iptfs-01"; 551 } 552 } 554 grouping iptfs-rx-stat-grouping { 555 description 556 "IP-TFS inbound statistics"; 557 leaf rx-inner-packets { 558 type uint64; 559 config false; 560 description 561 "Total number of IP-TFS inner packets received."; 562 reference 563 "draft-ietf-ipsecme-iptfs-01"; 564 } 565 leaf rx-inner-octets { 566 type uint64; 567 config false; 568 description 569 "Total number of IP-TFS inner octets received. Does 570 not include padding or overhead"; 571 reference 572 "draft-ietf-ipsecme-iptfs-01"; 573 } 574 leaf rx-extra-pad-packets { 575 type uint64; 576 config false; 577 description 578 "Total number of received outer IP-TFS packets that 579 included some padding."; 580 reference 581 "draft-ietf-ipsecme-iptfs-01"; 582 } 583 leaf rx-extra-pad-octets { 584 type uint64; 585 config false; 586 description 587 "Total number of received octets of padding added to 588 outer IP-TFS packets with data."; 589 reference 590 "draft-ietf-ipsecme-iptfs-01"; 591 } 592 leaf rx-all-pad-packets { 593 type uint64; 594 config false; 595 description 596 "Total number of received IP-TFS packets that were 597 all padding with no inner packet data."; 598 reference 599 "draft-ietf-ipsecme-iptfs-01"; 600 } 601 leaf rx-all-pad-octets { 602 type uint64; 603 config false; 604 description 605 "Total number received octets of padding added to 606 IP-TFS packets with no inner packet data."; 607 reference 608 "draft-ietf-ipsecme-iptfs-01"; 609 } 610 leaf rx-errored-packets { 611 type uint64; 612 config false; 613 description 614 "Total number of IP-TFS outer packets dropped due to 615 errors."; 616 reference 617 "draft-ietf-ipsecme-iptfs-01"; 618 } 619 leaf rx-missed-packets { 620 type uint64; 621 config false; 622 description 623 "Total number of IP-TFS outer packets missing 624 indicated by missing sequence number."; 625 reference 626 "draft-ietf-ipsecme-iptfs-01"; 627 } 628 leaf rx-incomplete-inner-packets { 629 type uint64; 630 config false; 631 description 632 "Total number of IP-TFS inner packets that were 633 incomplete. Usually this is due to fragments not 634 received. Also, this may be due to misordering or 635 errors in received outer packets."; 636 reference 637 "draft-ietf-ipsecme-iptfs-01"; 638 } 639 } 641 grouping iptfs-config { 642 description 643 "This is the grouping for iptfs configuration"; 644 container traffic-flow-security { 645 // config true; want this so we can refine? 646 description 647 "Configure the IPSec TFS in Security 648 Association Database (SAD)"; 649 leaf congestion-control { 650 type boolean; 651 default "true"; 652 description 653 "Congestion Control With the congestion controlled 654 mode, IP-TFS adapts to network congestion by 655 lowering the packet send rate to accommodate the 656 congestion, as well as raising the rate when 657 congestion subsides."; 658 reference 659 "draft-ietf-ipsecme-iptfs-01 Section 2.5.2"; 660 } 661 container packet-size { 662 description 663 "Packet size is either auto-discovered or manually 664 configured."; 665 leaf use-path-mtu { 666 type boolean; 667 default "true"; 668 description 669 "Utilize path-mtu to determine maximum IP-TFS 670 packet size. If the packet size is explicitly 671 configured, then it will only be adjusted 672 downward if use-path-mtu is set."; 673 reference 674 "draft-ietf-ipsecme-iptfs-01 Section 4.2"; 675 } 676 leaf outer-packet-size { 677 type uint16; 678 description 679 "The size of the outer encapsulating tunnel 680 packet (i.e., the IP packet containing the ESP 681 payload)."; 682 reference 683 "draft-ietf-ipsecme-iptfs-01 Section 4.2"; 684 } 685 } 686 choice tunnel-rate { 687 description 688 "TFS bit rate may be specified at layer 2 wire 689 rate or layer 3 packet rate"; 690 leaf l2-fixed-rate { 691 type uint64; 692 description 693 "Target bandwidth/bit rate in bps for iptfs 694 tunnel. This fixed rate is the nominal timing 695 for the fixed size packet. If congestion control 696 is enabled the rate may be adjusted down (or up 697 if unset)."; 698 reference 699 "draft-ietf-ipsecme-iptfs-01 section 4.1"; 700 } 701 leaf l3-fixed-rate { 702 type uint64; 703 description 704 "Target bandwidth/bit rate in bps for iptfs 705 tunnel. This fixed rate is the nominal timing 706 for the fixed size packet. If congestion control 707 is enabled the rate may be adjusted down (or up 708 if unset)."; 709 reference 710 "draft-ietf-ipsecme-iptfs-01 section 4.1"; 711 } 712 } 713 leaf dont-fragment { 714 type boolean; 715 default "false"; 716 description 717 "Disable packet fragmentation across consecutive iptfs 718 tunnel packets"; 719 reference 720 "draft-ietf-ipsecme-iptfs-01 section 2.2.4 and 6.4.1"; 721 } 722 } 723 } 725 /* 726 * IP-TFS ike configuration 727 */ 729 augment "/ike:ipsec-ike/ike:conn-entry/ike:spd/" 730 + "ike:spd-entry/" 731 + "ike:ipsec-policy-config/" 732 + "ike:processing-info/" 733 + "ike:ipsec-sa-cfg" { 734 description 735 "IP-TFS configuration for this policy."; 736 uses iptfs-config; 737 } 739 augment "/ike:ipsec-ike/ike:conn-entry/" 740 + "ike:child-sa-info" { 741 description 742 "IP-TFS configured on this SA."; 743 uses iptfs-config { 744 refine "traffic-flow-security" { 745 config false; 746 } 747 } 748 } 750 /* 751 * IP-TFS ikeless configuration 752 */ 754 augment "/ikeless:ipsec-ikeless/ikeless:spd/" 755 + "ikeless:spd-entry/" 756 + "ikeless:ipsec-policy-config/" 757 + "ikeless:processing-info/" 758 + "ikeless:ipsec-sa-cfg" { 759 description 760 "IP-TFS configuration for this policy."; 761 uses iptfs-config; 762 } 763 augment "/ikeless:ipsec-ikeless/ikeless:sad/" 764 + "ikeless:sad-entry" { 765 description 766 "IP-TFS configured on this SA."; 767 uses iptfs-config { 768 refine "traffic-flow-security" { 769 config false; 770 } 771 } 772 } 774 /* 775 * packet counters 776 */ 778 augment "/ike:ipsec-ike/ike:conn-entry/" 779 + "ike:child-sa-info" { 780 description 781 "Per-SA IPsec SA with IP-TFS packet counters."; 782 uses ipsec-tx-stat-grouping { 783 //when "direction = 'outbound'"; 784 if-feature "ipsec-stats"; 785 } 786 uses ipsec-rx-stat-grouping { 787 //when "direction = 'inbound'"; 788 if-feature "ipsec-stats"; 789 } 790 uses iptfs-tx-stat-grouping { 791 //when "direction = 'outbound'"; 792 if-feature "iptfs-stats"; 793 } 794 uses iptfs-rx-stat-grouping { 795 //when "direction = 'inbound'"; 796 if-feature "iptfs-stats"; 797 } 798 } 800 /* 801 * packet counters 802 */ 804 augment "/ikeless:ipsec-ikeless/ikeless:sad/" 805 + "ikeless:sad-entry" { 806 description 807 "Per-SA IPsec SA with IP-TFS packet counters."; 808 uses ipsec-tx-stat-grouping { 809 //when "direction = 'outbound'"; 810 if-feature "ipsec-stats"; 812 } 813 uses ipsec-rx-stat-grouping { 814 //when "direction = 'inbound'"; 815 if-feature "ipsec-stats"; 816 } 817 uses iptfs-tx-stat-grouping { 818 //when "direction = 'outbound'"; 819 if-feature "iptfs-stats"; 820 } 821 uses iptfs-rx-stat-grouping { 822 //when "direction = 'inbound'"; 823 if-feature "iptfs-stats"; 824 } 825 } 826 } 827 829 5. IANA Considerations 831 5.1. Updates to the IETF XML Registry 833 This document registers a URI in the "IETF XML Registry" [RFC3688]. 834 Following the format in [RFC3688], the following registration has 835 been made: 837 URI: 838 urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs 840 Registrant Contact: 841 The IESG. 843 XML: 844 N/A; the requested URI is an XML namespace. 846 5.2. Updates to the YANG Module Names Registry 848 This document registers one YANG module in the "YANG Module Names" 849 registry [RFC6020]. Following the format in [RFC6020], the following 850 registration has been made: 852 name: 853 ietf-ipsecme-iptfs 855 namespace: 856 urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs 858 prefix: 859 iptfs 861 reference: 862 RFC XXXX (RFC Ed.: replace XXXX with actual RFC number and remove 863 this note.) 865 6. Security Considerations 867 The YANG module specified in this document defines a schema for data 868 that is designed to be accessed via network management protocols such 869 as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer 870 is the secure transport layer, and the mandatory-to-implement secure 871 transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer 872 is HTTPS, and the mandatory-to-implement secure transport is TLS 873 [RFC8446]. 875 The Network Configuration Access Control Model (NACM) [RFC8341] 876 provides the means to restrict access for particular NETCONF or 877 RESTCONF users to a preconfigured subset of all available NETCONF or 878 RESTCONF protocol operations and content. 880 The YANG module defined in this document can enable, disable and 881 modify the behavior of IP traffic flow security, for the implications 882 regarding these types of changes consult the [I-D.ietf-ipsecme-iptfs] 883 which defines the functionality. 885 7. References 887 7.1. Normative References 889 [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] 890 Lopez, R., Lopez-Millan, G., and F. Pereniguez-Garcia, 891 "Software-Defined Networking (SDN)-based IPsec Flow 892 Protection", draft-ietf-i2nsf-sdn-ipsec-flow-protection-08 893 (work in progress), June 2020. 895 [I-D.ietf-ipsecme-iptfs] 896 Hopps, C., "IP Traffic Flow Security", draft-ietf-ipsecme- 897 iptfs-01 (work in progress), March 2020. 899 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 900 Requirement Levels", BCP 14, RFC 2119, 901 DOI 10.17487/RFC2119, March 1997, 902 . 904 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 905 Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, 906 December 2005, . 908 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for 909 the Network Configuration Protocol (NETCONF)", RFC 6020, 910 DOI 10.17487/RFC6020, October 2010, 911 . 913 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", 914 RFC 7950, DOI 10.17487/RFC7950, August 2016, 915 . 917 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 918 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 919 May 2017, . 921 [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., 922 and R. Wilton, "Network Management Datastore Architecture 923 (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, 924 . 926 7.2. Informative References 928 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 929 DOI 10.17487/RFC3688, January 2004, 930 . 932 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 933 and A. Bierman, Ed., "Network Configuration Protocol 934 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, 935 . 937 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure 938 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, 939 . 941 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF 942 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, 943 . 945 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", 946 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, 947 . 949 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration 950 Access Control Model", STD 91, RFC 8341, 951 DOI 10.17487/RFC8341, March 2018, 952 . 954 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 955 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 956 . 958 Appendix A. Examples 960 The following examples show configuration and operational data for 961 the ikeless case in xml and ike case in json. Also, the operational 962 statistics for the ikeless case is shown using xml. 964 A.1. Example XML Configuration 966 970 971 972 protect-policy-1 973 974 975 1.1.1.1/32 976 2.2.2.2/32 977 978 979 protect 980 981 982 true 983 984 true 985 986 1000000000 987 988 989 990 991 992 993 995 Figure 1: Example IP-TFS XML configuration 997 1001 1002 1003 sad-1 1004 1005 1 1006 1007 1.1.1.1/32 1008 2.2.2.2/32 1009 1010 1011 1012 true 1013 1014 true 1015 1016 1000000000 1017 1018 1019 1020 1022 Figure 2: Example IP-TFS XML Operational data 1024 { 1025 "ietf-ipsec-ike:ipsec-ike": { 1026 "ietf-ipsec-ike:conn-entry": [ 1027 { 1028 "name": "my-peer-connection", 1029 "ietf-ipsec-ike:spd": { 1030 "spd-entry": [ 1031 { 1032 "name": "protect-policy-1", 1033 "ipsec-policy-config": { 1034 "traffic-selector": { 1035 "local-subnet": "1.1.1.1/32", 1036 "remote-subnet": "2.2.2.2/32" 1037 }, 1038 "processing-info": { 1039 "action": "protect", 1040 "ipsec-sa-cfg": { 1041 "ietf-ipsecme-iptfs:traffic-flow-security": { 1042 "congestion-control": "true", 1043 "l2-fixed-rate": 1000000000, 1044 "packet-size": { 1045 "use-path-mtu": "true" 1046 } 1047 } 1048 } 1049 } 1050 } 1051 } 1052 ] 1053 } 1054 } 1055 ] 1056 } 1057 } 1059 Figure 3: Example IP-TFS JSON configuration 1061 { 1062 "ietf-ipsec-ike:ipsec-ike": { 1063 "ietf-ipsec-ike:conn-entry": [ 1064 { 1065 "name": "my-peer-connection", 1066 "ietf-ipsec-ike:child-sa-info": { 1067 "ietf-ipsecme-iptfs:traffic-flow-security": { 1068 "congestion-control": "true", 1069 "l2-fixed-rate": 1000000000, 1070 "packet-size": { 1071 "use-path-mtu": "true" 1072 } 1073 } 1074 } 1075 } 1076 ] 1077 } 1078 } 1080 Figure 4: Example IP-TFS JSON Operational data 1082 1086 1087 1088 sad-1 1089 1090 1 1091 1092 1.1.1.1/32 1093 2.2.2.2/32 1094 1095 1096 100 1097 80000 1098 2 1099 50 1100 50000 1101 0 1102 1103 0 1104 0 1105 0 1106 0 1107 0 1108 0 1109 0 1110 0 1111 0 1112 1113 250 1114 75000 1115 200 1116 30000 1117 40 1118 40000 1119 240 1120 95000 1121 150 1122 25000 1123 20 1124 20000 1125 0 1126 0 1127 0 1128 1129 1130 1131 1133 Figure 5: Example IP-TFS XML Statistics 1135 Authors' Addresses 1137 Don Fedyk 1138 LabN Consulting, L.L.C. 1140 Email: dfedyk@labn.net 1142 Christian Hopps 1143 LabN Consulting, L.L.C. 1145 Email: chopps@chopps.org