Network Working Group                                          D. Fedyk
Internet-Draft                                                 C. Hopps
Intended status: Standards Track                 LabN Consulting, L.L.C.
Expires: 18 November 2022                                    17 May 2022


           A YANG Data Model for IP Traffic Flow Security
                  draft-ietf-ipsecme-yang-iptfs-06

Abstract

   This document describes a YANG module for the management of the IP
   Traffic Flow Security (IP-TFS) additions to IKEv2 and IPsec.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 18 November 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology & Concepts
   2.  Overview
   3.  YANG Management
     3.1.  YANG Tree
     3.2.  YANG Module
   4.  IANA Considerations
     4.1.  Updates to the IETF XML Registry
     4.2.  Updates to the YANG Module Names Registry
   5.  Security Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Examples
     A.1.  Example XML Configuration
     A.2.  Example XML Operational Data
     A.3.  Example JSON Configuration
     A.4.  Example JSON Operational Data
     A.5.  Example JSON Operational Statistics
   Authors' Addresses

1.  Introduction

   This document defines a YANG module [RFC7950] for the management of
   the IP Traffic Flow Security (IP-TFS) extensions defined in
   [I-D.ietf-ipsecme-iptfs].  IP-TFS enhances an IPsec tunnel Security
   Association to provide improved traffic confidentiality.  Traffic
   confidentiality reduces the ability of traffic analysis to determine
   identity and to correlate observable traffic patterns.  IP-TFS also
   offers efficiency when aggregating traffic into fixed size IPsec
   tunnel packets.

   The YANG data model in this document conforms to the Network
   Management Datastore Architecture (NMDA) defined in [RFC8342].

   The published YANG modules for IPsec are defined in [RFC9061].  This
   document uses those modules as the general IPsec model that is
   augmented for IP-TFS.  [RFC9061] provides both an IKE and an IKE-less
   model.

1.1.  Terminology & Concepts

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119] [RFC8174] when, and only when, they appear in all capitals,
   as shown here.

2.  Overview

   This document defines configuration and operational parameters of IP
   Traffic Flow Security (IP-TFS).  IP-TFS, defined in
   [I-D.ietf-ipsecme-iptfs], specifies a security association for tunnel
   mode IPsec with characteristics that improve traffic confidentiality
   and reduce the loss of bandwidth efficiency.  These documents assume
   familiarity with the IP security concepts described in [RFC4301].

   IP-TFS uses tunnel mode to improve confidentiality by hiding the
   identifiable information, size and timing of inner packets.  IP-TFS
   provides a general capability allowing aggregation of multiple inner
   packets into uniform size outer tunnel IPsec packets.  It maintains
   the outer packet size by combining aggregation, padding and
   fragmentation of inner packets to fill out the outer IPsec tunnel
   packet.  Zero-byte padding is used to fill the packet when no data is
   available to send.

   This document specifies an extensible configuration model for IP-TFS.
   This version uses the capabilities of IP-TFS to configure fixed size
   IP-TFS packets that are transmitted at a constant rate.  The model is
   structured to allow for different types of operation through future
   augmentation.

   The IP-TFS YANG module augments the IPsec YANG modules from
   [RFC9061].  IP-TFS makes use of IPsec tunnel mode and adds a small
   number of configuration items to tunnel mode IPsec.  As defined in
   [I-D.ietf-ipsecme-iptfs], any SA configured to use IP-TFS carries
   only IP-TFS packets, i.e., there are no mixed IPsec modes on an SA.

   The behavior of IP-TFS is controlled by the source.
   The self-describing format of IP-TFS packets allows the sending side
   to adjust packet size and timing independently of the receiver.  The
   two directions are also independent; for example, IP-TFS may be run
   in only one direction.  This means that the counters defined here for
   both directions may be 0 or not updated for an SA that uses IP-TFS in
   only one direction.

   Cases where IP-TFS statistics are active for one direction:

   *  SA in one direction, IP-TFS enabled

   *  SA in both directions, IP-TFS enabled in only one direction

   Case where IP-TFS statistics are active for both directions:

   *  SA in both directions, IP-TFS enabled in both directions

   The IP-TFS model supports IP-TFS configuration and operational data.

   This YANG module supports configuration of fixed size and fixed rate
   packets, and elements that may be augmented to support future
   configuration.  The protocol specification [I-D.ietf-ipsecme-iptfs]
   goes beyond this simple fixed mode of operation by defining a general
   format for any type of scheme.  In this document the outer IPsec
   packets can be sent with fixed or variable size (without padding).
   The configuration allows the fixed packet size to be determined by
   the path MTU.  The fixed packet size can also be configured directly
   if a value lower than the path MTU is desired.

   Other configuration items include:

   *  Congestion Control.  A congestion control setting that allows
      IP-TFS to reduce the packet rate when congestion is detected.

   *  Fixed Rate configuration.  The IP-TFS tunnel rate can be
      configured taking into account either layer 2 overhead or layer 3
      overhead.  The layer 3 rate is the IP data rate and the layer 2
      rate is the rate of bits on the link.  The combination of packet
      size and rate determines the nominal maximum bandwidth and the
      transmission interval when fixed size packets are used.

   *  User packet Fragmentation Control.  While fragmentation is
      recommended for improved efficiency, a configuration item is
      provided for users who wish to observe the effect of no
      fragmentation on their data flows.

   The YANG operational data allows readout of the configured parameters
   as well as the per-SA statistics and error counters for IP-TFS.
   Per-SA IPsec packet statistics are provided as one feature and per-SA
   IP-TFS specific statistics as another feature.  Both sets of
   statistics augment the IPsec YANG modules with counters that allow
   observation of IP-TFS packet efficiency.

   [RFC9061] defines a set of IPsec YANG management objects.  The IP-TFS
   YANG module augments both the IKE and the IKE-less models.  In these
   models the Security Policy Database entry and the Security
   Association entry for an IPsec tunnel can be augmented with IP-TFS.

3.  YANG Management

3.1.  YANG Tree

   The following is the YANG tree diagram ([RFC8340]) for the IP-TFS
   extensions.

   module: ietf-ipsec-iptfs
     augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd
               /nsfike:spd-entry/nsfike:ipsec-policy-config
               /nsfike:processing-info/nsfike:ipsec-sa-cfg:
       +--rw traffic-flow-security
          +--rw congestion-control?           boolean
          +--rw packet-size
          |  +--rw use-path-mtu-discovery?   boolean
          |  +--rw outer-packet-size?        uint16
          +--rw (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--rw l2-fixed-rate?         yang:counter64
          |  +--:(l3-fixed-rate)
          |     +--rw l3-fixed-rate?         yang:counter64
          +--rw dont-fragment?                boolean
          +--rw max-aggregation-time?         decimal64
          +--rw window-size?                  uint16
          +--rw send-immediately?             boolean
          +--rw lost-packet-timer-interval?   decimal64
     augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info:
       +--ro traffic-flow-security
          +--ro congestion-control?           boolean
          +--ro packet-size
          |  +--ro use-path-mtu-discovery?   boolean
          |  +--ro outer-packet-size?        uint16
          +--ro (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--ro l2-fixed-rate?         yang:counter64
          |  +--:(l3-fixed-rate)
          |     +--ro l3-fixed-rate?         yang:counter64
          +--ro dont-fragment?                boolean
          +--ro max-aggregation-time?         decimal64
          +--ro window-size?                  uint16
          +--ro send-immediately?             boolean
          +--ro lost-packet-timer-interval?   decimal64
     augment /nsfikels:ipsec-ikeless/nsfikels:spd/nsfikels:spd-entry
               /nsfikels:ipsec-policy-config/nsfikels:processing-info
               /nsfikels:ipsec-sa-cfg:
       +--rw traffic-flow-security
          +--rw congestion-control?           boolean
          +--rw packet-size
          |  +--rw use-path-mtu-discovery?   boolean
          |  +--rw outer-packet-size?        uint16
          +--rw (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--rw l2-fixed-rate?         yang:counter64
          |  +--:(l3-fixed-rate)
          |     +--rw l3-fixed-rate?         yang:counter64
          +--rw dont-fragment?                boolean
          +--rw max-aggregation-time?         decimal64
          +--rw window-size?                  uint16
          +--rw send-immediately?             boolean
          +--rw lost-packet-timer-interval?   decimal64
     augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry:
       +--ro traffic-flow-security
          +--ro congestion-control?           boolean
          +--ro packet-size
          |  +--ro use-path-mtu-discovery?   boolean
          |  +--ro outer-packet-size?        uint16
          +--ro (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--ro l2-fixed-rate?         yang:counter64
          |  +--:(l3-fixed-rate)
          |     +--ro l3-fixed-rate?         yang:counter64
          +--ro dont-fragment?                boolean
          +--ro max-aggregation-time?         decimal64
          +--ro window-size?                  uint16
          +--ro send-immediately?             boolean
          +--ro lost-packet-timer-interval?   decimal64
     augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info:
       +--ro ipsec-stats {ipsec-stats}?
       |  +--ro tx-pkts?               yang:counter64
       |  +--ro tx-octets?             yang:counter64
       |  +--ro tx-drop-pkts?          yang:counter64
       |  +--ro rx-pkts?               yang:counter64
       |  +--ro rx-octets?             yang:counter64
       |  +--ro rx-drop-pkts?          yang:counter64
       +--ro iptfs-inner-pkt-stats {iptfs-stats}?
       |  +--ro tx-pkts?               yang:counter64
       |  +--ro tx-octets?             yang:counter64
       |  +--ro rx-pkts?               yang:counter64
       |  +--ro rx-octets?             yang:counter64
       |  +--ro rx-incomplete-pkts?    yang:counter64
       +--ro iptfs-outer-pkt-stats {iptfs-stats}?
          +--ro tx-all-pad-pkts?       yang:counter64
          +--ro tx-all-pad-octets?     yang:counter64
          +--ro tx-extra-pad-pkts?     yang:counter64
          +--ro tx-extra-pad-octets?   yang:counter64
          +--ro rx-all-pad-pkts?       yang:counter64
          +--ro rx-all-pad-octets?     yang:counter64
          +--ro rx-extra-pad-pkts?     yang:counter64
          +--ro rx-extra-pad-octets?   yang:counter64
          +--ro rx-errored-pkts?       yang:counter64
          +--ro rx-missed-pkts?        yang:counter64
     augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry:
       +--ro ipsec-stats {ipsec-stats}?
       |  +--ro tx-pkts?               yang:counter64
       |  +--ro tx-octets?             yang:counter64
       |  +--ro tx-drop-pkts?          yang:counter64
       |  +--ro rx-pkts?               yang:counter64
       |  +--ro rx-octets?             yang:counter64
       |  +--ro rx-drop-pkts?          yang:counter64
       +--ro iptfs-inner-pkt-stats {iptfs-stats}?
       |  +--ro tx-pkts?               yang:counter64
       |  +--ro tx-octets?             yang:counter64
       |  +--ro rx-pkts?               yang:counter64
       |  +--ro rx-octets?             yang:counter64
       |  +--ro rx-incomplete-pkts?    yang:counter64
       +--ro iptfs-outer-pkt-stats {iptfs-stats}?
          +--ro tx-all-pad-pkts?       yang:counter64
          +--ro tx-all-pad-octets?     yang:counter64
          +--ro tx-extra-pad-pkts?     yang:counter64
          +--ro tx-extra-pad-octets?   yang:counter64
          +--ro rx-all-pad-pkts?       yang:counter64
          +--ro rx-all-pad-octets?     yang:counter64
          +--ro rx-extra-pad-pkts?     yang:counter64
          +--ro rx-extra-pad-octets?   yang:counter64
          +--ro rx-errored-pkts?       yang:counter64
          +--ro rx-missed-pkts?        yang:counter64

3.2.  YANG Module

   The following is the YANG module for managing the IP-TFS extensions.
   The module contains references to [I-D.ietf-ipsecme-iptfs] and
   [RFC5348].
   <CODE BEGINS> file "ietf-ipsec-iptfs@2022-05-17.yang"
   module ietf-ipsec-iptfs {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs";
     prefix iptfs;

     import ietf-i2nsf-ike {
       prefix nsfike;
     }
     import ietf-i2nsf-ikeless {
       prefix nsfikels;
     }
     import ietf-yang-types {
       prefix yang;
     }

     organization
       "IETF IPSECME Working Group (IPSECME)";
     contact
       "WG Web:
        WG List:

        Author: Don Fedyk

        Author: Christian Hopps
        ";

     // RFC Ed.: replace XXXX with actual RFC number and
     // remove this note.

     description
       "This module defines the configuration and operational state for
        managing the IP Traffic Flow Security functionality [RFC XXXX].

        Copyright (c) 2022 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject to
        the license terms contained in, the Revised BSD License set
        forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX
        (https://tools.ietf.org/html/rfcXXXX); see the RFC itself for
        full legal notices.";

     revision 2022-05-17 {
       description
         "Initial Revision";
       reference
         "RFC XXXX: IP Traffic Flow Security YANG Module";
     }

     feature ipsec-stats {
       description
         "This feature indicates the device supports
          per SA IPsec statistics";
     }

     feature iptfs-stats {
       description
         "This feature indicates the device supports
          per SA IP Traffic Flow Security statistics";
     }

     /*--------------------*/
     /*     groupings      */
     /*--------------------*/

     grouping ipsec-tx-stat-grouping {
       description
         "IPsec outbound statistics";
       leaf tx-pkts {
         type yang:counter64;
         config false;
         description
           "Outbound Packet count";
       }
       leaf tx-octets {
         type yang:counter64;
         config false;
         description
           "Outbound Packet bytes";
       }
       leaf tx-drop-pkts {
         type yang:counter64;
         config false;
         description
           "Outbound dropped packets count";
       }
     }

     grouping ipsec-rx-stat-grouping {
       description
         "IPsec inbound statistics";
       leaf rx-pkts {
         type yang:counter64;
         config false;
         description
           "Inbound Packet count";
       }
       leaf rx-octets {
         type yang:counter64;
         config false;
         description
           "Inbound Packet bytes";
       }
       leaf rx-drop-pkts {
         type yang:counter64;
         config false;
         description
           "Inbound dropped packets count";
       }
     }

     grouping iptfs-inner-tx-stat-grouping {
       description
         "IP-TFS outbound inner packet statistics";
       leaf tx-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner packets sent.  This
            count is whole packets only.  A fragmented packet
            counts as one packet";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf tx-octets {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner octets sent.  This is
            inner packet octets only.  Does not count padding.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
     }

     grouping iptfs-outer-tx-stat-grouping {
       description
         "IP-TFS outbound outer packet statistics";
       leaf tx-all-pad-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of transmitted IP-TFS packets that
            were all padding with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3";
       }
       leaf tx-all-pad-octets {
         type yang:counter64;
         config false;
         description
           "Total number of transmitted octets of padding added to
            IP-TFS packets with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3";
       }
       leaf tx-extra-pad-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of transmitted outer IP-TFS packets
            that included some padding.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3.1";
       }
       leaf tx-extra-pad-octets {
         type yang:counter64;
         config false;
         description
           "Total number of transmitted octets of padding added
            to outer IP-TFS packets with data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3.1";
       }
     }

     grouping iptfs-inner-rx-stat-grouping {
       description
         "IP-TFS inner packet inbound statistics";
       leaf rx-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner packets received.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2";
       }
       leaf rx-octets {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner octets received.  Does
            not include padding or overhead";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2";
       }
       leaf rx-incomplete-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner packets that were
            incomplete.  Usually this is due to fragments not
            received.  Also, this may be due to misordering or
            errors in received outer packets.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
     }

     grouping iptfs-outer-rx-stat-grouping {
       description
         "IP-TFS outer packet inbound statistics";
       leaf rx-all-pad-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of received IP-TFS packets that were
            all padding with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3";
       }
       leaf rx-all-pad-octets {
         type yang:counter64;
         config false;
         description
           "Total number of received octets of padding added to
            IP-TFS packets with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3";
       }
       leaf rx-extra-pad-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of received outer IP-TFS packets that
            included some padding.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3.1";
       }
       leaf rx-extra-pad-octets {
         type yang:counter64;
         config false;
         description
           "Total number of received octets of padding added to
            outer IP-TFS packets with data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3.1";
       }
       leaf rx-errored-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS outer packets dropped due to
            errors.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf rx-missed-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS outer packets missing, as
            indicated by missing sequence numbers.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
     }

     grouping iptfs-config {
       description
         "This is the grouping for IP-TFS configuration";
       container traffic-flow-security {
         description
           "Configure IPsec TFS in the Security
            Association Database (SAD)";
         leaf congestion-control {
           type boolean;
           default "true";
           description
             "When set to true, the default, this enables the
              congestion control on-the-wire exchange of data that is
              required by congestion control algorithms as defined by
              RFC 5348.  When set to false, IP-TFS sends fixed-sized
              packets over an IP-TFS tunnel at a constant rate.";
           reference
             "draft-ietf-ipsecme-iptfs section 2.5.2, RFC 5348";
         }
         container packet-size {
           description
             "Packet size is either auto-discovered or manually
              configured.";
           leaf use-path-mtu-discovery {
             type boolean;
             default "true";
             description
               "Utilize path MTU discovery to determine the maximum
                IP-TFS packet size.  If the packet size is explicitly
                configured, then it will only be adjusted downward if
                use-path-mtu-discovery is set.";
             reference
               "draft-ietf-ipsecme-iptfs section 4.2";
           }
           leaf outer-packet-size {
             type uint16;
             units "bytes";
             description
               "On transmission, the size of the outer encapsulating
                tunnel packet (i.e., the IP packet containing the ESP
                payload).";
             reference
               "draft-ietf-ipsecme-iptfs section 4.2";
           }
         }
         choice tunnel-rate {
           description
             "TFS bit rate may be specified at layer 2 wire
              rate or layer 3 packet rate";
           leaf l2-fixed-rate {
             type yang:counter64;
             description
               "On transmission, target bandwidth/bit rate in bps
                for the IP-TFS tunnel, measured at layer 2 (bits on
                the link).  This fixed rate is the nominal timing for
                the fixed size packet.  If congestion control is
                enabled the rate may be adjusted down (or up if
                unset).";
             reference
               "draft-ietf-ipsecme-iptfs section 4.1";
           }
           leaf l3-fixed-rate {
             type yang:counter64;
             description
               "On transmission, target bandwidth/bit rate in bps
                for the IP-TFS tunnel, measured at layer 3 (IP data
                rate).  This fixed rate is the nominal timing for the
                fixed size packet.  If congestion control is enabled
                the rate may be adjusted down (or up if unset).";
             reference
               "draft-ietf-ipsecme-iptfs section 4.1";
           }
         }
         leaf dont-fragment {
           type boolean;
           default "false";
           description
             "On transmission, disable packet fragmentation across
              consecutive IP-TFS tunnel packets; inner packets larger
              than what can be transmitted in outer packets will be
              dropped.";
           reference
             "draft-ietf-ipsecme-iptfs section 2.2.4 and 6.4.1";
         }
         leaf max-aggregation-time {
           type decimal64 {
             fraction-digits 6;
           }
           units "milliseconds";
           description
             "On transmission, maximum aggregation time is the
              maximum length of time a received inner packet can be
              held prior to transmission in the IP-TFS tunnel.  Inner
              packets that would be held longer than this time, based
              on the current tunnel configuration, will be dropped
              rather than be queued for transmission.  Maximum
              aggregation time is configurable in milliseconds or
              fractional milliseconds down to 1 nanosecond.";
         }
         leaf window-size {
           type uint16 {
             range "0..65535";
           }
           description
             "On reception, the maximum number of out-of-order
              packets that will be reordered by an IP-TFS receiver
              while performing the reordering operation.  The value 0
              disables any reordering.";
           reference
             "draft-ietf-ipsecme-iptfs section 2.2.3";
         }
         leaf send-immediately {
           type boolean;
           default "false";
           description
             "On reception, send inner packets as soon as possible; do
              not wait for lost or misordered outer packets.
              Selecting this option reduces the inner (user) packet
              delay but can amplify out-of-order delivery of the
              inner packet stream in the presence of packet
              aggregation and any reordering.";
           reference
             "draft-ietf-ipsecme-iptfs section 2.5";
         }
         leaf lost-packet-timer-interval {
           type decimal64 {
             fraction-digits 6;
           }
           units "milliseconds";
           description
             "On reception, this interval defines the length of time
              an IP-TFS receiver will wait for a missing packet before
              considering it lost.  If not using send-immediately,
              then each lost packet will delay inner (user) packets
              until this timer expires.  Setting this value too low
              can impact reordering and reassembly.  The value is
              configurable in milliseconds or fractional milliseconds
              down to 1 nanosecond.";
           reference
             "draft-ietf-ipsecme-iptfs section 2.2.3";
         }
       }
     }

     /*
      * IP-TFS ike configuration
      */

     augment "/nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd/"
           + "nsfike:spd-entry/"
           + "nsfike:ipsec-policy-config/"
           + "nsfike:processing-info/"
           + "nsfike:ipsec-sa-cfg" {
       description
         "IP-TFS configuration for this policy.";
       uses iptfs-config;
     }

     augment "/nsfike:ipsec-ike/nsfike:conn-entry/"
           + "nsfike:child-sa-info" {
       description
         "IP-TFS configured on this SA.";
       uses iptfs-config {
         refine "traffic-flow-security" {
           config false;
         }
       }
     }

     /*
      * IP-TFS ikeless configuration
      */

     augment "/nsfikels:ipsec-ikeless/nsfikels:spd/"
           + "nsfikels:spd-entry/"
           + "nsfikels:ipsec-policy-config/"
           + "nsfikels:processing-info/"
           + "nsfikels:ipsec-sa-cfg" {
       description
         "IP-TFS configuration for this policy.";
       uses iptfs-config;
     }

     augment "/nsfikels:ipsec-ikeless/nsfikels:sad/"
           + "nsfikels:sad-entry" {
       description
         "IP-TFS configured on this SA.";
       uses iptfs-config {
         refine "traffic-flow-security" {
           config false;
         }
       }
     }

     /*
      * packet counters
      */

     augment "/nsfike:ipsec-ike/nsfike:conn-entry/"
           + "nsfike:child-sa-info" {
       description
         "Per SA Counters";
       container ipsec-stats {
         if-feature "ipsec-stats";
         config false;
         description
           "IPsec per SA packet counters.";
         uses ipsec-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses ipsec-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
       container iptfs-inner-pkt-stats {
         if-feature "iptfs-stats";
         config false;
         description
           "IPTFS per SA inner packet counters.";
         uses iptfs-inner-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses iptfs-inner-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
       container iptfs-outer-pkt-stats {
         if-feature "iptfs-stats";
         config false;
         description
           "IPTFS per SA outer packet counters.";
         uses iptfs-outer-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses iptfs-outer-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
     }

     /*
      * packet counters
      */

     augment "/nsfikels:ipsec-ikeless/nsfikels:sad/"
           + "nsfikels:sad-entry" {
       description
         "Per SA Counters";
       container ipsec-stats {
         if-feature "ipsec-stats";
         config false;
         description
           "IPsec per SA packet counters.";
         uses ipsec-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses ipsec-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
       container iptfs-inner-pkt-stats {
         if-feature "iptfs-stats";
         config false;
         description
           "IPTFS per SA inner packet counters.";
         uses iptfs-inner-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses iptfs-inner-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
       container iptfs-outer-pkt-stats {
         if-feature "iptfs-stats";
         config false;
         description
           "IPTFS per SA outer packet counters.";
         uses iptfs-outer-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses iptfs-outer-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
     }
   }
   <CODE ENDS>

4.  IANA Considerations

4.1.  Updates to the IETF XML Registry

   This document registers a URI in the "IETF XML Registry" [RFC3688].
   Following the format in [RFC3688], the following registration has
   been made:

   URI:
      urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs

   Registrant Contact:
      The IESG.

   XML:
      N/A; the requested URI is an XML namespace.

4.2.  Updates to the YANG Module Names Registry

   This document registers one YANG module in the "YANG Module Names"
   registry [RFC6020].  Following the format in [RFC6020], the following
   registration has been made:

   name:
      ietf-ipsec-iptfs

   namespace:
      urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs

   prefix:
      iptfs

   reference:
      RFC XXXX (RFC Ed.: replace XXXX with actual RFC number and remove
      this note.)

5.  Security Considerations

   The YANG module specified in this document defines a schema for data
   that is designed to be accessed via network management protocols such
   as NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer
   is the secure transport layer, and the mandatory-to-implement secure
   transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer
   is HTTPS, and the mandatory-to-implement secure transport is TLS
   [RFC8446].

   The Network Configuration Access Control Model (NACM) [RFC8341]
   provides the means to restrict access for particular NETCONF or
   RESTCONF users to a preconfigured subset of all available NETCONF or
   RESTCONF protocol operations and content.

   The YANG module defined in this document can enable, disable and
   modify the behavior of IP traffic flow security.  For the
   implications of these types of changes, consult
   [I-D.ietf-ipsecme-iptfs], which defines the functionality.  In
   particular, the writable nodes of the traffic-flow-security container
   (congestion-control, packet-size, the tunnel-rate choice,
   dont-fragment, max-aggregation-time) determine the size and timing
   of the outer packets, which is exactly what IP-TFS hides from an
   on-path observer; write access to them should be restricted in the
   same way as the rest of the IPsec configuration.
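   The implications of the writable nodes are easiest to see with a
   concrete check.  The following Python is an added example written for
   this page; it is not code from the draft or from any IP-TFS
   implementation.  It takes the content of the traffic-flow-security
   container in JSON style (leaf names as in the tree diagram), applies
   the defaults and constraints the module states (the boolean defaults,
   the tunnel-rate choice, uint16 outer-packet-size and window-size,
   decimal64 milliseconds), derives the nominal send interval from
   packet size and fixed rate, and flags settings that change the
   protection or the forwarding behavior.  The 38-byte per-frame layer 2
   overhead used for the layer 2 rate (untagged Ethernet: 14 header, 4
   FCS, 8 preamble/SFD, 12 inter-frame gap) is an assumption of the
   example, not a figure from the draft.

```python
"""Review an IP-TFS traffic-flow-security configuration instance.

Added example for this page; not code from the draft or from any
IP-TFS implementation.  Defaults and constraints follow the
ietf-ipsec-iptfs module; the layer 2 framing overhead is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass, field

L2_FRAME_OVERHEAD_BYTES = 38  # assumption: untagged Ethernet framing per packet

DEFAULTS = {  # defaults as stated in the module's leaf definitions
    "congestion-control": True,
    "use-path-mtu-discovery": True,
    "dont-fragment": False,
    "send-immediately": False,
}


@dataclass
class Review:
    errors: list[str] = field(default_factory=list)    # schema violations
    warnings: list[str] = field(default_factory=list)  # behavioral implications
    packets_per_second: float | None = None
    interval_us: float | None = None


def _uint(value, bits: int, name: str, errors: list[str]):
    """Accept a YANG uintN value; record an error and return None otherwise."""
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value < 2 ** bits:
        errors.append(f"{name}: expected uint{bits}, got {value!r}")
        return None
    return value


def review_iptfs_config(tfs: dict) -> Review:
    """tfs is the content of the traffic-flow-security container."""
    r = Review()
    cc = tfs.get("congestion-control", DEFAULTS["congestion-control"])
    pkt = tfs.get("packet-size", {})
    pmtud = pkt.get("use-path-mtu-discovery", DEFAULTS["use-path-mtu-discovery"])
    size = pkt.get("outer-packet-size")
    if size is not None:
        size = _uint(size, 16, "outer-packet-size", r.errors)
    ws = tfs.get("window-size")
    if ws is not None:
        ws = _uint(ws, 16, "window-size", r.errors)
    for leaf in ("max-aggregation-time", "lost-packet-timer-interval"):
        v = tfs.get(leaf)
        if v is not None and (isinstance(v, bool) or not isinstance(v, (int, float)) or v < 0):
            r.errors.append(f"{leaf}: expected a non-negative decimal64 in milliseconds")

    # tunnel-rate is a YANG choice: its two cases are mutually exclusive.
    rates = {k: tfs[k] for k in ("l2-fixed-rate", "l3-fixed-rate") if k in tfs}
    if len(rates) > 1:
        r.errors.append("tunnel-rate: l2-fixed-rate and l3-fixed-rate cannot both be set")
    if size is None and not pmtud:
        r.errors.append("packet-size: no outer-packet-size and path MTU discovery disabled")

    # Implications taken from the leaf descriptions in the module.
    if not cc:
        r.warnings.append("congestion-control=false: fixed rate is never reduced on loss")
    if size is not None and not pmtud:
        r.warnings.append("outer-packet-size without PMTU discovery: never adjusted downward")
    if tfs.get("dont-fragment", DEFAULTS["dont-fragment"]):
        r.warnings.append("dont-fragment=true: oversized inner packets are dropped")
    if ws == 0:
        r.warnings.append("window-size=0: receiver does no reordering")
    if tfs.get("send-immediately", DEFAULTS["send-immediately"]):
        r.warnings.append("send-immediately=true: lower delay, more out-of-order inner delivery")

    # Nominal timing: one outer packet of `size` bytes every interval.
    # The l3 rate counts IP bytes only; the l2 rate also counts link framing.
    if size and len(rates) == 1 and not r.errors:
        (kind, bps), = rates.items()
        if isinstance(bps, bool) or not isinstance(bps, int) or bps <= 0:
            r.errors.append(f"{kind}: expected a positive bit rate")
        else:
            wire_bytes = size + (L2_FRAME_OVERHEAD_BYTES if kind == "l2-fixed-rate" else 0)
            r.packets_per_second = bps / (wire_bytes * 8)
            r.interval_us = 1e6 / r.packets_per_second
    return r


if __name__ == "__main__":
    sample = {"congestion-control": False,
              "packet-size": {"use-path-mtu-discovery": False, "outer-packet-size": 1500},
              "l3-fixed-rate": 12_000_000, "window-size": 0}
    print(review_iptfs_config(sample))
```

   With a 1500-byte outer packet and a 12 Mbit/s layer 3 rate the tunnel
   emits one packet per millisecond; the same packet on a 12.304 Mbit/s
   layer 2 rate gives the same interval once the assumed 38 bytes of
   framing are added.  A change that disables congestion control or path
   MTU discovery shows up as a warning rather than an error, because the
   module permits it; the review only makes the consequence explicit.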
IP-TFS hides traffic flows through the network; however, wherever
access to the IP-TFS YANG statistics is enabled, those statistics can
reveal some information about the traffic flows as well.  Therefore,
access to IP-TFS YANG statistics also needs to be protected from
third-party observation.

6. Acknowledgements

The authors would like to thank Eric Kinzie, Juergen Schoenwaelder,
Lou Berger and Tero Kivinen for their feedback and review on the YANG
model.

7. References

7.1. Normative References

   [I-D.ietf-ipsecme-iptfs]
              Hopps, C., "IP-TFS: Aggregation and Fragmentation Mode for
              ESP and its Use for IP Traffic Flow Security", Work in
              Progress, Internet-Draft, draft-ietf-ipsecme-iptfs-12,
              8 November 2021.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
              December 2005.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [RFC9061]  Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
              Garcia, "A YANG Data Model for IPsec Flow Protection Based
              on Software-Defined Networking (SDN)", RFC 9061,
              DOI 10.17487/RFC9061, July 2021.

7.2. Informative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC5348]  Floyd, S., Handley, M., Padhye, J., and J. Widmer, "TCP
              Friendly Rate Control (TFRC): Protocol Specification",
              RFC 5348, DOI 10.17487/RFC5348, September 2008.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

Appendix A. Examples

The following examples show configuration and operational data for
the IKE-less and IKE cases using XML and JSON.  The operational
statistics for the IKE-less case are also illustrated.

A.1. Example XML Configuration

This example illustrates configuration for IP-TFS in the IKE-less
case.  Note that since this augments the IPsec IKE-less schema, only a
minimal IKE-less configuration to satisfy the schema has been
populated.
   <ipsec-ikeless
     xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless">
     <spd>
       <spd-entry>
         <name>protect-policy-1</name>
         <direction>outbound</direction>
         <ipsec-policy-config>
           <traffic-selector>
             <local-prefix>192.0.2.0/16</local-prefix>
             <remote-prefix>198.51.100.0/16</remote-prefix>
           </traffic-selector>
           <processing-info>
             <action>protect</action>
             <ipsec-sa-cfg>
               <traffic-flow-security
                 xmlns="urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs">
                 <congestion-control>true</congestion-control>
                 <packet-size>
                   <use-path-mtu-discovery>true</use-path-mtu-discovery>
                 </packet-size>
                 <l2-fixed-rate>1000000000</l2-fixed-rate>
                 <max-aggregation-time>0.1</max-aggregation-time>
                 <window-size>5</window-size>
                 <send-immediately>false</send-immediately>
                 <lost-packet-timer-interval>0.2</lost-packet-timer-interval>
               </traffic-flow-security>
             </ipsec-sa-cfg>
           </processing-info>
         </ipsec-policy-config>
       </spd-entry>
     </spd>
   </ipsec-ikeless>

              Figure 1: Example IP-TFS XML configuration

A.2. Example XML Operational Data

This example illustrates operational data for IP-TFS in the IKE-less
case.  Note that since this augments the IPsec IKE-less schema, only a
minimal IKE-less configuration to satisfy the schema has been
populated.

   <ipsec-ikeless
     xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless">
     <sad>
       <sad-entry>
         <name>sad-1</name>
         <ipsec-sa-config>
           <spi>1</spi>
           <traffic-selector>
             <local-prefix>2001:DB8::0/16</local-prefix>
             <remote-prefix>2001:DB8::1:0/16</remote-prefix>
           </traffic-selector>
         </ipsec-sa-config>
         <traffic-flow-security
           xmlns="urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs">
           <congestion-control>true</congestion-control>
           <packet-size>
             <use-path-mtu-discovery>true</use-path-mtu-discovery>
           </packet-size>
           <l2-fixed-rate>1000000000</l2-fixed-rate>
           <max-aggregation-time>0.100</max-aggregation-time>
           <window-size>0</window-size>
           <send-immediately>true</send-immediately>
           <lost-packet-timer-interval>0.200</lost-packet-timer-interval>
         </traffic-flow-security>
       </sad-entry>
     </sad>
   </ipsec-ikeless>

             Figure 2: Example IP-TFS XML Operational data

A.3. Example JSON Configuration

This example illustrates configuration data for IP-TFS in the IKE
case.  Note that since this augments the IPsec IKE schema, only a
minimal IKE configuration to satisfy the schema has been populated.
   {
     "ietf-i2nsf-ike:ipsec-ike": {
       "ietf-i2nsf-ike:conn-entry": [
         {
           "name": "my-peer-connection",
           "ike-sa-encr-alg": [
             {
               "id": 1,
               "algorithm-type": 12,
               "key-length": 128
             }
           ],
           "local": {
             "local-pad-entry-name": "local-1"
           },
           "remote": {
             "remote-pad-entry-name": "remote-1"
           },
           "ietf-i2nsf-ike:spd": {
             "spd-entry": [
               {
                 "name": "protect-policy-1",
                 "ipsec-policy-config": {
                   "traffic-selector": {
                     "local-prefix": "192.0.2.0/16",
                     "remote-prefix": "198.51.100.0/16"
                   },
                   "processing-info": {
                     "action": "protect",
                     "ipsec-sa-cfg": {
                       "ietf-ipsec-iptfs:traffic-flow-security": {
                         "congestion-control": "true",
                         "l2-fixed-rate": 1000000000,
                         "packet-size": {
                           "use-path-mtu-discovery": "true"
                         },
                         "max-aggregation-time": "0.1",
                         "window-size": "1",
                         "send-immediately": "false",
                         "lost-packet-timer-interval": "0.2"
                       }
                     }
                   }
                 }
               }
             ]
           }
         }
       ]
     }
   }

             Figure 3: Example IP-TFS JSON configuration

A.4. Example JSON Operational Data

This example illustrates operational data for IP-TFS in the IKE case.
Note that since this augments the IPsec IKE tree, only a minimal IKE
configuration to satisfy the schema has been populated.
   {
     "ietf-i2nsf-ike:ipsec-ike": {
       "ietf-i2nsf-ike:conn-entry": [
         {
           "name": "my-peer-connection",
           "ike-sa-encr-alg": [
             {
               "id": 1,
               "algorithm-type": 12,
               "key-length": 128
             }
           ],
           "local": {
             "local-pad-entry-name": "local-1"
           },
           "remote": {
             "remote-pad-entry-name": "remote-1"
           },
           "ietf-i2nsf-ike:child-sa-info": {
             "ietf-ipsec-iptfs:traffic-flow-security": {
               "congestion-control": "true",
               "l2-fixed-rate": 1000000000,
               "packet-size": {
                 "use-path-mtu-discovery": "true"
               },
               "max-aggregation-time": "0.1",
               "window-size": "5",
               "send-immediately": "false",
               "lost-packet-timer-interval": "0.2"
             }
           }
         }
       ]
     }
   }

            Figure 4: Example IP-TFS JSON Operational data

A.5. Example JSON Operational Statistics

This example shows the JSON-formatted statistics for IP-TFS.  Note
that a unidirectional IP-TFS transmit side is illustrated, with
arbitrary values for the transmit counters.
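The statistics in Figure 5 are RFC 7951 JSON, in which 64-bit counters are encoded as strings, so a monitoring tool has to convert before doing arithmetic. The following Python is an added example, not part of the draft: it reads a constructed copy of the Figure 5 counters (the three counter containers this module augments into a sad-entry) and derives the per-SA padding, drop and receive-loss ratios an operator would track, tolerating the transmit-only SA whose receive counters are all zero.

```python
import json
IPTFS = "ietf-ipsec-iptfs:"  # module-name prefix RFC 7951 puts on augmented nodes

# Constructed sample: the Figure 5 counters for one transmit-only SA, so every
# rx counter is zero (the edge case the ratios below must tolerate).
SAMPLE_STATS = json.dumps({"ietf-i2nsf-ikeless:ipsec-ikeless": {"sad": {
    "sad-entry": [{
        "name": "sad-1",
        IPTFS + "ipsec-stats": {"tx-pkts": "300", "tx-octets": "80000",
                                "tx-drop-pkts": "2", "rx-pkts": "0",
                                "rx-octets": "0", "rx-drop-pkts": "0"},
        IPTFS + "iptfs-inner-pkt-stats": {"tx-pkts": "250", "tx-octets": "75000",
                                          "rx-pkts": "0", "rx-octets": "0",
                                          "rx-incomplete-pkts": "0"},
        IPTFS + "iptfs-outer-pkt-stats": {"tx-all-pad-pkts": "40",
            "tx-all-pad-octets": "40000", "tx-extra-pad-pkts": "200",
            "tx-extra-pad-octets": "30000", "rx-missed-pkts": "0"}}]}}})

def _counter(container, leaf):
    # RFC 7951 encodes 64-bit integer leaves as JSON strings; a leaf that is
    # absent (feature disabled, container not present) counts as zero.
    return int(container.get(leaf, 0))

def _ratio(numerator, denominator):
    return numerator / denominator if denominator else 0.0

def summarize_sa(entry):
    # Derive per-SA ratios from the three counter containers of one sad-entry.
    ipsec = entry.get(IPTFS + "ipsec-stats", {})
    inner = entry.get(IPTFS + "iptfs-inner-pkt-stats", {})
    outer = entry.get(IPTFS + "iptfs-outer-pkt-stats", {})
    tx_pkts, rx_pkts = _counter(ipsec, "tx-pkts"), _counter(ipsec, "rx-pkts")
    pad_octets = (_counter(outer, "tx-all-pad-octets")
                  + _counter(outer, "tx-extra-pad-octets"))
    return {
        # share of transmitted ESP bytes that carried padding rather than inner data
        "tx-pad-octet-ratio": _ratio(pad_octets, _counter(ipsec, "tx-octets")),
        # outer packets that were padding only: fixed rate exceeded offered load
        "tx-all-pad-pkt-ratio": _ratio(_counter(outer, "tx-all-pad-pkts"), tx_pkts),
        "tx-drop-ratio": _ratio(_counter(ipsec, "tx-drop-pkts"), tx_pkts),
        "inner-per-outer-tx": _ratio(_counter(inner, "tx-pkts"), tx_pkts),
        # receive-side loss indicators; both 0.0 here because rx-pkts is zero
        "rx-missed-ratio": _ratio(_counter(outer, "rx-missed-pkts"), rx_pkts),
        "rx-incomplete-ratio": _ratio(_counter(inner, "rx-incomplete-pkts"), rx_pkts),
    }

def summarize(doc_json):
    # Map sad-entry name -> derived metrics for every SA in an IKE-less document.
    doc = json.loads(doc_json)
    entries = doc["ietf-i2nsf-ikeless:ipsec-ikeless"]["sad"]["sad-entry"]
    return {e["name"]: summarize_sa(e) for e in entries}
```

Because the statistics expose how much of the fixed-rate stream was padding versus real traffic, the same derivation is available to anyone who can read these containers, which is the reason Section 5 asks for their access to be restricted.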
   {
     "ietf-i2nsf-ikeless:ipsec-ikeless": {
       "sad": {
         "sad-entry": [
           {
             "name": "sad-1",
             "ipsec-sa-config": {
               "spi": 1,
               "traffic-selector": {
                 "local-prefix": "192.0.2.1/16",
                 "remote-prefix": "198.51.100.0/16"
               }
             },
             "ietf-ipsec-iptfs:traffic-flow-security": {
               "window-size": "5",
               "send-immediately": "false",
               "lost-packet-timer-interval": "0.2"
             },
             "ietf-ipsec-iptfs:ipsec-stats": {
               "tx-pkts": "300",
               "tx-octets": "80000",
               "tx-drop-pkts": "2",
               "rx-pkts": "0",
               "rx-octets": "0",
               "rx-drop-pkts": "0"
             },
             "ietf-ipsec-iptfs:iptfs-inner-pkt-stats": {
               "tx-pkts": "250",
               "tx-octets": "75000",
               "rx-pkts": "0",
               "rx-octets": "0",
               "rx-incomplete-pkts": "0"
             },
             "ietf-ipsec-iptfs:iptfs-outer-pkt-stats": {
               "tx-all-pad-pkts": "40",
               "tx-all-pad-octets": "40000",
               "tx-extra-pad-pkts": "200",
               "tx-extra-pad-octets": "30000",
               "rx-all-pad-pkts": "0",
               "rx-all-pad-octets": "0",
               "rx-extra-pad-pkts": "0",
               "rx-extra-pad-octets": "0",
               "rx-errored-pkts": "0",
               "rx-missed-pkts": "0"
             },
             "ipsec-sa-state": {
               "sa-lifetime-current": {
                 "time": 80000,
                 "bytes": 4000606,
                 "packets": 1000,
                 "idle": 5
               }
             }
           }
         ]
       }
     }
   }

               Figure 5: Example IP-TFS JSON Statistics

Authors' Addresses

   Don Fedyk
   LabN Consulting, L.L.C.
   Email: dfedyk@labn.net

   Christian Hopps
   LabN Consulting, L.L.C.
   Email: chopps@chopps.org