Network Working Group                                          D. Fedyk
Internet-Draft                                                 C. Hopps
Intended status: Standards Track                 LabN Consulting, L.L.C.
Expires: May 19, 2021                                  November 15, 2020


                  IP Traffic Flow Security YANG Module
                    draft-fedyk-ipsecme-yang-iptfs-01

Abstract

   This document describes a YANG module for the management of IP
   Traffic Flow Security additions to IKEv2 and IPsec.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 19, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology & Concepts
   2.  Overview
   3.  YANG Management
     3.1.  YANG Tree
     3.2.  YANG Module
   4.  IANA Considerations
     4.1.  Updates to the IETF XML Registry
     4.2.  Updates to the YANG Module Names Registry
   5.  Security Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Examples
     A.1.  Example XML Configuration
   Authors' Addresses

1.  Introduction

   This document defines a YANG module [RFC7950] for the management of
   the IP Traffic Flow Security (IP-TFS) extensions as defined in
   [I-D.ietf-ipsecme-iptfs].  IP-TFS provides enhancements to an IPsec
   tunnel Security Association to provide improved traffic
   confidentiality.  Traffic confidentiality reduces the ability of
   traffic analysis to determine identity and correlate observable
   traffic patterns.  IP-TFS offers efficiency when aggregating traffic
   in fixed size IPsec tunnel packets.

   The YANG data model in this document conforms to the Network
   Management Datastore Architecture defined in [RFC8342].

   The only actively published YANG modules for IPsec are found in
   [I-D.ietf-i2nsf-sdn-ipsec-flow-protection].  This document uses these
   models as a general IPsec model that can be augmented.  The models in
   [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] provide for an ike and an
   ikeless model.

1.1.  Terminology & Concepts

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119] [RFC8174] when, and only when, they appear in all capitals,
   as shown here.

2.  Overview

   This document defines configuration and operational parameters of IP
   traffic flow security (IP-TFS).  IP-TFS, defined in
   [I-D.ietf-ipsecme-iptfs], configures a security association for
   tunnel mode IPsec with characteristics that improve traffic
   confidentiality and reduce bandwidth efficiency loss.  These
   documents assume familiarity with IP security concepts described in
   [RFC4301].

   IP-TFS uses tunnel mode to improve confidentiality by hiding inner
   packet identifiable information, packet size and packet timing.  IP-
   TFS provides a general capability allowing aggregation of multiple
   packets and packet size control utilizing padding and additionally
   utilizing inner packet fragments when a complete inner packet will
   not fit in the IPsec outer tunnel packet.  Zero byte padding is used
   to fill the packet when no data is available to send.

   This document specifies an extensible configuration model for IP-TFS.
   This version utilizes the capabilities of IP-TFS to configure fixed
   size IP-TFS packets that are transmitted at a constant rate.  This
   model is structured to allow for different types of operation through
   future augmentation.

   IP-TFS YANG augments the IPsec YANG model from
   [I-D.ietf-i2nsf-sdn-ipsec-flow-protection].  IP-TFS makes use of
   IPsec tunnel mode and adds a small number of configuration items to
   tunnel mode IPsec.  As defined in [I-D.ietf-ipsecme-iptfs], any SA
   configured to use IP-TFS supports only IP-TFS packets, i.e., no mixed
   IPsec modes.

   The behavior for IP-TFS is controlled by the source.
   The self-describing format of IP-TFS packets allows a sending side to
   adjust the packet size and timing independently from any receiver.
   Both directions are also independent, e.g., IP-TFS may be run only in
   one direction.

   The data model uses the following constructs for configuration and
   management:

   o  Configuration

   o  Operational State

   This YANG module supports configuration of fixed size and fixed rate
   packets, and elements that may be augmented to support future
   configuration.  The protocol specification [I-D.ietf-ipsecme-iptfs]
   goes beyond this simple fixed mode of operation by defining a general
   format for any type of scheme.  In this document the outer IPsec
   packets can be sent with fixed or variable size (without padding).
   The configuration allows the fixed packet size to be determined by
   the path MTU.  The fixed packet size can also be configured if a
   value lower than the path MTU is desired.

   Other configuration items include:

   o  Congestion Control.  A congestion control setting to allow IP-TFS
      to reduce the packet rate when congestion is detected.

   o  Fixed Rate configuration.  The IP-TFS tunnel rate can be
      configured taking into account either layer 2 overhead or layer 3
      overhead.  Layer 3 overhead is the IP data rate and layer 2
      overhead is the rate of bits on the link.  The combination of
      packet size and rate determines the nominal maximum bandwidth and
      the transmission interval when fixed size packets are used.

   o  User packet Fragmentation Control.  While fragmentation is
      recommended for improved efficiency, a configuration is provided
      if users wish to observe the effect of no-fragmentation on their
      data flows.

   The YANG operational data allows the readout of the configured
   parameters as well as the per SA statistics and error counters for
   IP-TFS.
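
   The relationship between the fixed packet size, the fixed tunnel
   rate and the transmit interval, together with the efficiency view
   that the per SA transmit counters give, as an added illustration
   that is not part of this draft: TfsConfig mirrors the leaves of the
   module's traffic-flow-security container with the module's defaults,
   L2_OVERHEAD_BYTES is an assumed Ethernet framing overhead (the draft
   defines no such value), and SAMPLE_TX_STATS is a constructed counter
   snapshot.

```python
"""Fixed size, fixed rate and the transmit interval of an IP-TFS SA, plus
the efficiency view that the per-SA transmit counters give.

Added illustration, not code from the draft.  The layer 2 framing
overhead is an assumed Ethernet value, not something the draft defines.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, Optional

# Assumed per-frame layer 2 overhead in bytes: Ethernet header 14, FCS 4,
# preamble/SFD 8, inter-frame gap 12.  The l3 rate counts IP bytes only;
# the l2 rate counts bits on the link, so this is added for l2 only.
L2_OVERHEAD_BYTES = 14 + 4 + 8 + 12


@dataclass(frozen=True)
class TfsConfig:
    """Leaves of the traffic-flow-security container, module defaults
    applied.  The two fixed rates are the cases of choice tunnel-rate,
    in bits per second."""
    congestion_control: bool = True
    use_path_mtu: bool = True
    outer_packet_size: Optional[int] = None   # uint16, optional
    l2_fixed_rate: Optional[int] = None       # case l2-fixed-rate
    l3_fixed_rate: Optional[int] = None       # case l3-fixed-rate
    dont_fragment: bool = False


def effective_packet_size(cfg: TfsConfig, path_mtu: int) -> int:
    """Outer packet size the sender uses.  Without an explicit size the
    path MTU is used; an explicit outer-packet-size is only adjusted
    downward to the path MTU, and only when use-path-mtu is set (the
    rule stated in the use-path-mtu leaf description)."""
    if cfg.outer_packet_size is None:
        if not cfg.use_path_mtu:
            raise ValueError("no outer-packet-size and use-path-mtu is false")
        return path_mtu
    if cfg.use_path_mtu:
        return min(cfg.outer_packet_size, path_mtu)
    return cfg.outer_packet_size


def transmit_interval(cfg: TfsConfig, path_mtu: int) -> Fraction:
    """Nominal seconds between consecutive fixed-size outer packets,
    exact, from whichever tunnel-rate case is configured."""
    if cfg.l2_fixed_rate is not None and cfg.l3_fixed_rate is not None:
        raise ValueError("tunnel-rate is a choice: l2 or l3, not both")
    size = effective_packet_size(cfg, path_mtu)
    if cfg.l3_fixed_rate is not None:
        return Fraction(size * 8, cfg.l3_fixed_rate)
    if cfg.l2_fixed_rate is not None:
        return Fraction((size + L2_OVERHEAD_BYTES) * 8, cfg.l2_fixed_rate)
    raise ValueError("no tunnel-rate configured")


def nominal_packets_per_second(cfg: TfsConfig, path_mtu: int) -> Fraction:
    """Packet rate implied by the interval; with fixed-size packets this
    also fixes the nominal maximum tunnel bandwidth."""
    return 1 / transmit_interval(cfg, path_mtu)


def tx_efficiency(stats: Dict[str, int]) -> Dict[str, Fraction]:
    """Share of the transmitted outer traffic that was inner packet data.

    Uses the tx-* leaves of ipsec-stats (all outer packets/octets) and
    iptfs-stats (tx-inner-octets excludes padding; the two *-pad-octets
    leaves split padding between data-carrying and all-padding packets).
    Whatever remains is ESP/IP/IP-TFS overhead."""
    total = stats["tx-octets"]
    pad = stats["tx-extra-pad-octets"] + stats["tx-all-pad-octets"]
    return {
        "inner-data-share": Fraction(stats["tx-inner-octets"], total),
        "padding-share": Fraction(pad, total),
        "all-pad-packet-share": Fraction(stats["tx-all-pad-packets"],
                                         stats["tx-packets"]),
    }


# Constructed counter snapshot (not the draft's example values): 1000
# outer packets of 1500 octets, of which 150 carried only padding.
SAMPLE_TX_STATS = {
    "tx-packets": 1000,
    "tx-octets": 1_500_000,
    "tx-inner-octets": 1_100_000,
    "tx-extra-pad-octets": 150_000,
    "tx-all-pad-packets": 150,
    "tx-all-pad-octets": 200_000,
}

if __name__ == "__main__":
    cfg = TfsConfig(l3_fixed_rate=1_000_000_000)   # 1 Gbps of IP data
    print("interval (s):", transmit_interval(cfg, 1500))
    print("packets/s:", float(nominal_packets_per_second(cfg, 1500)))
    print({k: float(v) for k, v in tx_efficiency(SAMPLE_TX_STATS).items()})
```

   With a 1500 octet outer packet at an l3-fixed-rate of 1 Gbps the
   interval is 12 microseconds; the same rate configured as
   l2-fixed-rate yields a slightly longer interval because the link
   bits of the assumed framing overhead are charged to the tunnel.
   Padding that never carried data shows up directly in the
   padding-share and all-pad-packet-share figures, which is what the
   counters are there to expose.
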

   Per SA IPsec packet statistics are provided as a feature and per SA
   IP-TFS specific statistics as another feature.  Both sets of
   statistics augment the IPsec YANG models with counters that allow
   observation of IP-TFS packet efficiency.

   Draft [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] has a mature set of
   IPsec YANG management objects.

   IP-TFS YANG augments:

   o  YANG catalog entry for ietf-i2nsf-ike@2020-10-30.yang

   o  YANG catalog entry for ietf-i2nsf-ikeless@2020-10-30.yang

   The Security Policy database entry and Security Association entry for
   an IPsec Tunnel can be augmented with IP-TFS.

3.  YANG Management

3.1.  YANG Tree

   The following is the YANG tree diagram ([RFC8340]) for the IP-TFS
   extensions.

   module: ietf-ipsecme-iptfs
     augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd
               /nsfike:spd-entry/nsfike:ipsec-policy-config
               /nsfike:processing-info/nsfike:ipsec-sa-cfg:
       +--rw traffic-flow-security
          +--rw congestion-control?   boolean
          +--rw packet-size
          |  +--rw use-path-mtu?        boolean
          |  +--rw outer-packet-size?   uint16
          +--rw (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--rw l2-fixed-rate?   uint64
          |  +--:(l3-fixed-rate)
          |     +--rw l3-fixed-rate?   uint64
          +--rw dont-fragment?        boolean
     augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info:
       +--ro traffic-flow-security
          +--ro congestion-control?   boolean
          +--ro packet-size
          |  +--ro use-path-mtu?        boolean
          |  +--ro outer-packet-size?   uint16
          +--ro (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--ro l2-fixed-rate?   uint64
          |  +--:(l3-fixed-rate)
          |     +--ro l3-fixed-rate?   uint64
          +--ro dont-fragment?        boolean
     augment /nsfikels:ipsec-ikeless/nsfikels:spd/nsfikels:spd-entry
               /nsfikels:ipsec-policy-config/nsfikels:processing-info
               /nsfikels:ipsec-sa-cfg:
       +--rw traffic-flow-security
          +--rw congestion-control?   boolean
          +--rw packet-size
          |  +--rw use-path-mtu?        boolean
          |  +--rw outer-packet-size?   uint16
          +--rw (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--rw l2-fixed-rate?   uint64
          |  +--:(l3-fixed-rate)
          |     +--rw l3-fixed-rate?   uint64
          +--rw dont-fragment?        boolean
     augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry:
       +--ro traffic-flow-security
          +--ro congestion-control?   boolean
          +--ro packet-size
          |  +--ro use-path-mtu?        boolean
          |  +--ro outer-packet-size?   uint16
          +--ro (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--ro l2-fixed-rate?   uint64
          |  +--:(l3-fixed-rate)
          |     +--ro l3-fixed-rate?   uint64
          +--ro dont-fragment?        boolean
     augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info:
       +--ro ipsec-stats {ipsec-stats}?
       |  +--ro tx-packets?        uint64
       |  +--ro tx-octets?         uint64
       |  +--ro tx-drop-packets?   uint64
       |  +--ro rx-packets?        uint64
       |  +--ro rx-octets?         uint64
       |  +--ro rx-drop-packets?   uint64
       +--ro iptfs-stats {iptfs-stats}?
          +--ro tx-inner-packets?              uint64
          +--ro tx-inner-octets?               uint64
          +--ro tx-extra-pad-packets?          uint64
          +--ro tx-extra-pad-octets?           uint64
          +--ro tx-all-pad-packets?            uint64
          +--ro tx-all-pad-octets?             uint64
          +--ro rx-inner-packets?              uint64
          +--ro rx-inner-octets?               uint64
          +--ro rx-extra-pad-packets?          uint64
          +--ro rx-extra-pad-octets?           uint64
          +--ro rx-all-pad-packets?            uint64
          +--ro rx-all-pad-octets?             uint64
          +--ro rx-errored-packets?            uint64
          +--ro rx-missed-packets?             uint64
          +--ro rx-incomplete-inner-packets?   uint64
     augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry:
       +--rw ipsec-stats {ipsec-stats}?
       |  +--ro tx-packets?        uint64
       |  +--ro tx-octets?         uint64
       |  +--ro tx-drop-packets?   uint64
       |  +--ro rx-packets?        uint64
       |  +--ro rx-octets?         uint64
       |  +--ro rx-drop-packets?   uint64
       +--rw iptfs-stats {iptfs-stats}?
          +--ro tx-inner-packets?              uint64
          +--ro tx-inner-octets?               uint64
          +--ro tx-extra-pad-packets?          uint64
          +--ro tx-extra-pad-octets?           uint64
          +--ro tx-all-pad-packets?            uint64
          +--ro tx-all-pad-octets?             uint64
          +--ro rx-inner-packets?              uint64
          +--ro rx-inner-octets?               uint64
          +--ro rx-extra-pad-packets?          uint64
          +--ro rx-extra-pad-octets?           uint64
          +--ro rx-all-pad-packets?            uint64
          +--ro rx-all-pad-octets?             uint64
          +--ro rx-errored-packets?            uint64
          +--ro rx-missed-packets?             uint64
          +--ro rx-incomplete-inner-packets?   uint64

3.2.  YANG Module

   The following is the YANG module for managing the IP-TFS extensions.

   <CODE BEGINS> file "ietf-ipsecme-iptfs@2020-11-15.yang"
   module ietf-ipsecme-iptfs {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs";
     prefix iptfs;

     import ietf-i2nsf-ike {
       prefix nsfike;
     }
     import ietf-i2nsf-ikeless {
       prefix nsfikels;
     }

     organization
       "IETF IPSECME Working Group (IPSECME)";
     contact
       "WG Web:
        WG List:

        Author: Don Fedyk
                <dfedyk@labn.net>

        Author: Christian Hopps
                <chopps@chopps.org>";

     // RFC Ed.: replace XXXX with actual RFC number and
     // remove this note.

     description
       "This module defines the configuration and operational state for
        managing the IP Traffic Flow Security functionality [RFC XXXX].

        Copyright (c) 2020 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject to
        the license terms contained in, the Simplified BSD License set
        forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX
        (https://tools.ietf.org/html/rfcXXXX); see the RFC itself for
        full legal notices.";

     revision 2020-11-15 {
       description
         "Initial Revision";
       reference
         "RFC XXXX: IP Traffic Flow Security YANG Module";
     }

     feature ipsec-stats {
       description
         "This feature indicates the device supports
          per SA IPsec statistics";
     }

     feature iptfs-stats {
       description
         "This feature indicates the device supports
          per SA IP Traffic Flow Security statistics";
     }

     /*--------------------*/
     /*      groupings     */
     /*--------------------*/

     grouping ipsec-tx-stat-grouping {
       description
         "IPsec outbound statistics";
       leaf tx-packets {
         type uint64;
         config false;
         description
           "Outbound Packet count";
       }
       leaf tx-octets {
         type uint64;
         config false;
         description
           "Outbound Packet bytes";
       }
       leaf tx-drop-packets {
         type uint64;
         config false;
         description
           "Outbound dropped packets count";
       }
     }

     grouping ipsec-rx-stat-grouping {
       description
         "IPsec inbound statistics";
       leaf rx-packets {
         type uint64;
         config false;
         description
           "Inbound Packet count";
       }
       leaf rx-octets {
         type uint64;
         config false;
         description
           "Inbound Packet bytes";
       }
       leaf rx-drop-packets {
         type uint64;
         config false;
         description
           "Inbound dropped packets count";
       }
     }

     grouping iptfs-tx-stat-grouping {
       description
         "IP-TFS outbound statistics";
       leaf tx-inner-packets {
         type uint64;
         config false;
         description
           "Total number of IP-TFS inner packets sent.  This
            count is whole packets only.  A fragmented packet
            counts as one packet";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf tx-inner-octets {
         type uint64;
         config false;
         description
           "Total number of IP-TFS inner octets sent.  This is
            inner packet octets only.  Does not count padding.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf tx-extra-pad-packets {
         type uint64;
         config false;
         description
           "Total number of transmitted outer IP-TFS packets
            that included some padding.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf tx-extra-pad-octets {
         type uint64;
         config false;
         description
           "Total number of transmitted octets of padding added
            to outer IP-TFS packets with data.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf tx-all-pad-packets {
         type uint64;
         config false;
         description
           "Total number of transmitted IP-TFS packets that
            were all padding with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf tx-all-pad-octets {
         type uint64;
         config false;
         description
           "Total number transmitted octets of padding added to
            IP-TFS packets with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
     }

     grouping iptfs-rx-stat-grouping {
       description
         "IP-TFS inbound statistics";
       leaf rx-inner-packets {
         type uint64;
         config false;
         description
           "Total number of IP-TFS inner packets received.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf rx-inner-octets {
         type uint64;
         config false;
         description
           "Total number of IP-TFS inner octets received.  Does
            not include padding or overhead";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf rx-extra-pad-packets {
         type uint64;
         config false;
         description
           "Total number of received outer IP-TFS packets that
            included some padding.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf rx-extra-pad-octets {
         type uint64;
         config false;
         description
           "Total number of received octets of padding added to
            outer IP-TFS packets with data.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf rx-all-pad-packets {
         type uint64;
         config false;
         description
           "Total number of received IP-TFS packets that were
            all padding with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf rx-all-pad-octets {
         type uint64;
         config false;
         description
           "Total number received octets of padding added to
            IP-TFS packets with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf rx-errored-packets {
         type uint64;
         config false;
         description
           "Total number of IP-TFS outer packets dropped due to
            errors.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf rx-missed-packets {
         type uint64;
         config false;
         description
           "Total number of IP-TFS outer packets missing
            indicated by missing sequence number.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf rx-incomplete-inner-packets {
         type uint64;
         config false;
         description
           "Total number of IP-TFS inner packets that were
            incomplete.  Usually this is due to fragments not
            received.  Also, this may be due to misordering or
            errors in received outer packets.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
     }

     grouping iptfs-config {
       description
         "This is the grouping for iptfs configuration";
       container traffic-flow-security {
         // config true; want this so we can refine?
         description
           "Configure the IPSec TFS in Security
            Association Database (SAD)";
         leaf congestion-control {
           type boolean;
           default "true";
           description
             "Congestion Control.  With the congestion controlled
              mode, IP-TFS adapts to network congestion by
              lowering the packet send rate to accommodate the
              congestion, as well as raising the rate when
              congestion subsides.";
           reference
             "draft-ietf-ipsecme-iptfs Section 2.5.2";
         }
         container packet-size {
           description
             "Packet size is either auto-discovered or manually
              configured.";
           leaf use-path-mtu {
             type boolean;
             default "true";
             description
               "Utilize path-mtu to determine maximum IP-TFS packet size.
                If the packet size is explicitly configured, then it
                will only be adjusted downward if use-path-mtu is set.";
             reference
               "draft-ietf-ipsecme-iptfs Section 4.2";
           }
           leaf outer-packet-size {
             type uint16;
             description
               "The size of the outer encapsulating tunnel packet (i.e.,
                the IP packet containing the ESP payload).";
             reference
               "draft-ietf-ipsecme-iptfs Section 4.2";
           }
         }
         choice tunnel-rate {
           description
             "TFS bit rate may be specified at layer 2 wire
              rate or layer 3 packet rate";
           leaf l2-fixed-rate {
             type uint64;
             description
               "Target bandwidth/bit rate in bps for iptfs tunnel.  This
                fixed rate is the nominal timing for the fixed size packet.
                If congestion control is enabled the rate may be adjusted
                down (or up if unset).";
             reference
               "draft-ietf-ipsecme-iptfs section 4.1";
           }
           leaf l3-fixed-rate {
             type uint64;
             description
               "Target bandwidth/bit rate in bps for iptfs tunnel.  This
                fixed rate is the nominal timing for the fixed size packet.
                If congestion control is enabled the rate may be adjusted
                down (or up if unset).";
             reference
               "draft-ietf-ipsecme-iptfs section 4.1";
           }
         }
         leaf dont-fragment {
           type boolean;
           default "false";
           description
             "Disable packet fragmentation across consecutive iptfs
              tunnel packets";
           reference
             "draft-ietf-ipsecme-iptfs section 2.2.4 and 6.4.1";
         }
       }
     }

     /*
      * IP-TFS ike configuration
      */

     augment "/nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd/"
           + "nsfike:spd-entry/"
           + "nsfike:ipsec-policy-config/"
           + "nsfike:processing-info/"
           + "nsfike:ipsec-sa-cfg" {
       description
         "IP-TFS configuration for this policy.";
       uses iptfs-config;
     }

     augment "/nsfike:ipsec-ike/nsfike:conn-entry/"
           + "nsfike:child-sa-info" {
       description
         "IP-TFS configured on this SA.";
       uses iptfs-config {
         refine "traffic-flow-security" {
           config false;
         }
       }
     }

     /*
      * IP-TFS ikeless configuration
      */

     augment "/nsfikels:ipsec-ikeless/nsfikels:spd/"
           + "nsfikels:spd-entry/"
           + "nsfikels:ipsec-policy-config/"
           + "nsfikels:processing-info/"
           + "nsfikels:ipsec-sa-cfg" {
       description
         "IP-TFS configuration for this policy.";
       uses iptfs-config;
     }

     augment "/nsfikels:ipsec-ikeless/nsfikels:sad/"
           + "nsfikels:sad-entry" {
       description
         "IP-TFS configured on this SA.";
       uses iptfs-config {
         refine "traffic-flow-security" {
           config false;
         }
       }
     }

     /*
      * packet counters
      */

     augment "/nsfike:ipsec-ike/nsfike:conn-entry/"
           + "nsfike:child-sa-info" {
       description
         "Per SA Counters";
       container ipsec-stats {
         if-feature "ipsec-stats";
         config false;
         description
           "IPsec per SA packet counters.";
         uses ipsec-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses ipsec-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
       container iptfs-stats {
         if-feature "iptfs-stats";
         config false;
         description
           "IPTFS per SA packet counters.";
         uses iptfs-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses iptfs-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
     }

     /*
      * packet counters
      */

     augment "/nsfikels:ipsec-ikeless/nsfikels:sad/"
           + "nsfikels:sad-entry" {
       description
         "Per SA Counters";
       container ipsec-stats {
         if-feature "ipsec-stats";
         description
           "IPsec per SA packet counters.";
         uses ipsec-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses ipsec-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
       container iptfs-stats {
         if-feature "iptfs-stats";
         description
           "IPTFS per SA packet counters.";
         uses iptfs-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses iptfs-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
     }
   }
   <CODE ENDS>

4.  IANA Considerations

4.1.  Updates to the IETF XML Registry

   This document registers a URI in the "IETF XML Registry" [RFC3688].
   Following the format in [RFC3688], the following registration has
   been made:

   URI:
      urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs

   Registrant Contact:
      The IESG.

   XML:
      N/A; the requested URI is an XML namespace.

4.2.  Updates to the YANG Module Names Registry

   This document registers one YANG module in the "YANG Module Names"
   registry [RFC6020].  Following the format in [RFC6020], the following
   registration has been made:

   name:
      ietf-ipsecme-iptfs

   namespace:
      urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs

   prefix:
      iptfs

   reference:
      RFC XXXX (RFC Ed.: replace XXXX with actual RFC number and remove
      this note.)

5.  Security Considerations

   The YANG module specified in this document defines a schema for data
   that is designed to be accessed via network management protocols such
   as NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer
   is the secure transport layer, and the mandatory-to-implement secure
   transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer
   is HTTPS, and the mandatory-to-implement secure transport is TLS
   [RFC8446].

   The Network Configuration Access Control Model (NACM) [RFC8341]
   provides the means to restrict access for particular NETCONF or
   RESTCONF users to a preconfigured subset of all available NETCONF or
   RESTCONF protocol operations and content.

   The YANG module defined in this document can enable, disable and
   modify the behavior of IP traffic flow security; for the implications
   of such changes, consult [I-D.ietf-ipsecme-iptfs], which defines the
   functionality.

6.  Acknowledgements

   The authors would like to thank Eric Kinzie for his feedback on the
   YANG model.

7.  References

7.1.  Normative References

   [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]
              Lopez, R., Lopez-Millan, G., and F. Pereniguez-Garcia,
              "Software-Defined Networking (SDN)-based IPsec Flow
              Protection", draft-ietf-i2nsf-sdn-ipsec-flow-protection-12
              (work in progress), October 2020.

   [I-D.ietf-ipsecme-iptfs]
              Hopps, C., "IP Traffic Flow Security", draft-ietf-ipsecme-
              iptfs-03 (work in progress), November 2020.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
              December 2005.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

7.2.  Informative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

Appendix A.  Examples

   The following examples show configuration and operational data for
   the ikeless case in XML and for the ike case in JSON.  The
   operational statistics for the ikeless case are also shown in XML.

A.1.  Example XML Configuration

   [The XML markup of Figure 1 did not survive extraction.  The element
   values, in document order, are: protect-policy-1, outbound,
   1.1.1.1/32, 2.2.2.2/32, protect, true, true, 1000000000.  The
   equivalent ike-case configuration, with its element names, is shown
   in JSON in Figure 3.]

              Figure 1: Example IP-TFS XML configuration

   [The XML markup of Figure 2 did not survive extraction.  The element
   values, in document order, are: sad-1, 1, 1.1.1.1/32, 2.2.2.2/32,
   true, true, 1000000000.  The equivalent ike-case operational data,
   with its element names, is shown in JSON in Figure 4.]

              Figure 2: Example IP-TFS XML Operational data

   {
     "ietf-i2nsf-ike:ipsec-ike": {
       "ietf-i2nsf-ike:conn-entry": [
         {
           "name": "my-peer-connection",
           "encalg": [
             {
               "id": 1,
               "algorithm-type": 12,
               "key-length": 128
             }
           ],
           "local": {
             "local-pad-entry-name": "local-1"
           },
           "remote": {
             "remote-pad-entry-name": "remote-1"
           },
           "ietf-i2nsf-ike:spd": {
             "spd-entry": [
               {
                 "name": "protect-policy-1",
                 "ipsec-policy-config": {
                   "traffic-selector": {
                     "local-subnet": "1.1.1.1/32",
                     "remote-subnet": "2.2.2.2/32"
                   },
                   "processing-info": {
                     "action": "protect",
                     "ipsec-sa-cfg": {
                       "ietf-ipsecme-iptfs:traffic-flow-security": {
                         "congestion-control": true,
                         "l2-fixed-rate": "1000000000",
                         "packet-size": {
                           "use-path-mtu": true
                         }
                       }
                     }
                   }
                 }
               }
             ]
           }
         }
       ]
     }
   }

              Figure 3: Example IP-TFS JSON configuration

   {
     "ietf-i2nsf-ike:ipsec-ike": {
       "ietf-i2nsf-ike:conn-entry": [
         {
           "name": "my-peer-connection",
           "encalg": [
             {
               "id": 1,
               "algorithm-type": 12,
               "key-length": 128
             }
           ],
           "local": {
             "local-pad-entry-name": "local-1"
           },
           "remote": {
             "remote-pad-entry-name": "remote-1"
           },
           "ietf-i2nsf-ike:child-sa-info": {
             "ietf-ipsecme-iptfs:traffic-flow-security": {
               "congestion-control": true,
               "l2-fixed-rate": "1000000000",
               "packet-size": {
                 "use-path-mtu": true
               }
             }
           }
         }
       ]
     }
   }

              Figure 4: Example IP-TFS JSON Operational data

   [The XML markup of Figure 5 did not survive extraction.  The entry
   begins with the SAD entry name sad-1, the value 1, and the traffic
   selector subnets 1.1.1.1/32 and 2.2.2.2/32; the counter values that
   follow, in the order of the sad-entry statistics leaves of the tree
   diagram in Section 3.1, are:

      ipsec-stats:  tx-packets 100, tx-octets 80000, tx-drop-packets 2,
                    rx-packets 50, rx-octets 50000, rx-drop-packets 0

      iptfs-stats:  tx-inner-packets 250, tx-inner-octets 75000,
                    tx-extra-pad-packets 200, tx-extra-pad-octets 30000,
                    tx-all-pad-packets 40, tx-all-pad-octets 40000,
                    rx-inner-packets 240, rx-inner-octets 95000,
                    rx-extra-pad-packets 150, rx-extra-pad-octets 25000,
                    rx-all-pad-packets 20, rx-all-pad-octets 20000,
                    rx-errored-packets 0, rx-missed-packets 0,
                    rx-incomplete-inner-packets 0]

              Figure 5: Example IP-TFS XML Statistics

Authors' Addresses

   Don Fedyk
   LabN Consulting, L.L.C.

   Email: dfedyk@labn.net


   Christian Hopps
   LabN Consulting, L.L.C.

   Email: chopps@chopps.org
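
   A check of a traffic-flow-security instance, such as the one carried
   in the JSON configuration of Figure 3, against the constraints the
   module declares (the tunnel-rate choice whose two cases exclude each
   other, the uint16 and uint64 ranges, the boolean leaves and their
   defaults) and against the RFC 7951 JSON encoding rules (a YANG
   boolean is the JSON literal true/false, a uint64 is a JSON string),
   added here as an example: it is not code from this draft and not a
   general YANG validator, and SAMPLE_CONFIG is a constructed document
   modelled on the shape of Figure 3 with the peer and algorithm members
   omitted.

```python
"""Check a traffic-flow-security instance, as carried in the JSON
configuration of Figure 3, against the constraints the module declares
and fill in the module's defaults.

Added example, not code from the draft: a hand-written check of this one
container, not a general YANG validator.  SAMPLE_CONFIG is constructed
after the shape of Figure 3."""
import json
from typing import Any, Dict, List, Optional, Tuple

UINT16_MAX = 2**16 - 1
UINT64_MAX = 2**64 - 1
TFS_KEY = "ietf-ipsecme-iptfs:traffic-flow-security"
RATE_CASES = ("l2-fixed-rate", "l3-fixed-rate")   # cases of choice tunnel-rate


def _bool_leaf(name: str, value: Any, problems: List[str]) -> Optional[bool]:
    """YANG boolean: RFC 7951 requires the JSON literals true/false, so a
    quoted "true" is reported as a problem."""
    if isinstance(value, bool):
        return value
    problems.append(f"{name}: expected JSON true/false, got {value!r}")
    return None


def _uint_leaf(name: str, value: Any, maximum: int,
               problems: List[str]) -> Optional[int]:
    """YANG uint16/uint64: RFC 7951 encodes uint16 as a JSON number and
    uint64 as a JSON string.  Both spellings are parsed, the wrong one is
    reported, and the value range is checked."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        problems.append(f"{name}: expected an unsigned integer, got {value!r}")
        return None
    if isinstance(value, str):
        if not value.isdigit():
            problems.append(f"{name}: not a decimal integer: {value!r}")
            return None
        if maximum == UINT16_MAX:
            problems.append(f"{name}: uint16 is encoded as a JSON number")
        number = int(value)
    else:
        if maximum == UINT64_MAX:
            problems.append(f"{name}: uint64 must be encoded as a JSON string")
        number = value
    if not 0 <= number <= maximum:
        problems.append(f"{name}: {number} is outside 0..{maximum}")
        return None
    return number


def normalize_tfs(container: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Return (container with the module's defaults applied, problems)."""
    problems: List[str] = []
    out: Dict[str, Any] = {}
    known = {"congestion-control", "packet-size", "dont-fragment", *RATE_CASES}
    for key in container:
        if key not in known:
            problems.append(f"unknown member {key!r}")

    # Boolean leaves: congestion-control defaults true, dont-fragment false.
    for name, default in (("congestion-control", True), ("dont-fragment", False)):
        val = None
        if name in container:
            val = _bool_leaf(name, container[name], problems)
        out[name] = default if val is None else val

    # packet-size: use-path-mtu defaults true; outer-packet-size is an
    # optional uint16.
    ps_in = container.get("packet-size", {})
    if not isinstance(ps_in, dict):
        problems.append("packet-size: expected a container")
        ps_in = {}
    upm = None
    if "use-path-mtu" in ps_in:
        upm = _bool_leaf("use-path-mtu", ps_in["use-path-mtu"], problems)
    ps_out: Dict[str, Any] = {"use-path-mtu": True if upm is None else upm}
    if "outer-packet-size" in ps_in:
        size = _uint_leaf("outer-packet-size", ps_in["outer-packet-size"],
                          UINT16_MAX, problems)
        if size is not None:
            ps_out["outer-packet-size"] = size
    out["packet-size"] = ps_out

    # choice tunnel-rate: its two cases are mutually exclusive; neither is
    # mandatory, so an instance with no rate at all passes this check.
    present = [n for n in RATE_CASES if n in container]
    if len(present) > 1:
        problems.append("tunnel-rate: l2-fixed-rate and l3-fixed-rate are "
                        "alternative cases of one choice")
    for name in present:
        rate = _uint_leaf(name, container[name], UINT64_MAX, problems)
        if rate is not None:
            out[name] = rate
    return out, problems


def tfs_from_ike_config(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Walk the Figure 3 path to the first policy's IP-TFS container."""
    entry = doc["ietf-i2nsf-ike:ipsec-ike"]["ietf-i2nsf-ike:conn-entry"][0]
    policy = entry["ietf-i2nsf-ike:spd"]["spd-entry"][0]
    return policy["ipsec-policy-config"]["processing-info"]["ipsec-sa-cfg"][TFS_KEY]


# Constructed sample after the shape of Figure 3 (peer and algorithm
# members omitted); values follow the draft's example.
SAMPLE_CONFIG = json.loads("""
{ "ietf-i2nsf-ike:ipsec-ike": { "ietf-i2nsf-ike:conn-entry": [ {
    "name": "my-peer-connection",
    "ietf-i2nsf-ike:spd": { "spd-entry": [ {
      "name": "protect-policy-1",
      "ipsec-policy-config": { "processing-info": {
        "action": "protect",
        "ipsec-sa-cfg": { "ietf-ipsecme-iptfs:traffic-flow-security": {
          "congestion-control": true,
          "l2-fixed-rate": "1000000000",
          "packet-size": { "use-path-mtu": true } } } } } } ] } } ] } }
""")

if __name__ == "__main__":
    normalized, found = normalize_tfs(tfs_from_ike_config(SAMPLE_CONFIG))
    print(json.dumps(normalized, indent=2), found)
```

   The defaults matter operationally: an instance that omits
   congestion-control or dont-fragment is not unconfigured, it is
   congestion controlled and fragmenting, which is what the normalized
   output makes visible.  Reporting the encoding mistakes rather than
   silently accepting them is deliberate; a quoted "true" or a bare
   64-bit number is exactly what a strict NETCONF/RESTCONF server
   rejects.
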