idnits 2.17.1

draft-tran-ipecme-yang-ipsec-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** There is 1 instance of too long lines in the document, the longest one
     being 3 characters in excess of 72.

  == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 149 has weird spacing: '...rw name        str...'

  == Line 357 has weird spacing: '...unction        pse...'

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119.  Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).

     Found 'MUST not' in this paragraph:

       grouping identity-grouping {
         description
           "Identification type. It is an union identity, "+
           "possible type as follows: "+
           "a) ID_FQDN: A fully-qualified domain name string. "+
           "   An example of a ID_FQDN is, example.com. "+
           "   The string MUST not contain any terminators "+
           "(e.g., NULL, CR, etc.). "+
           "b) ID_RFC822_ADDR: A fully-qualified RFC822 email "+
           "   address string, An example of a ID_RFC822_ADDR is, "+
           "   jsmith@example.com. The string MUST not contain "+
           "   any terminators. "+
           "c) ID_IPV4_ADDR: A single four (4) octet IPv4 address. "+
           "d) ID_IPV6_ADDR: A single sixteen (16) octet IPv6 address. "+
           "e) DN_X509: Distinguished name in the X.509 tradition.";
         choice identity {
           description "Choice of identity.";
           leaf ipv4-address {
             type inet:ipv4-address;
             description
               "Specifies the identity as a single four (4) octet
                IPv4 address. An example is, 10.10.10.10. ";
           }
           leaf ipv6-address {
             type inet:ipv6-address;
             description
               "Specifies the identity as a single sixteen (16) "+
               "octet IPv6 address. "+
               "An example is, "+
               "FF01::101, 2001:DB8:0:0:8:800:200C:417A .";
           }
           leaf fqdn-string {
             type inet:domain-name;
             description
               "Specifies the identity as a Fully-Qualified Domain
                Name (FQDN) string. An example is: example.com.
                The string MUST not contain any terminators
                (e.g., NULL, CR, etc.).";
           }
           leaf rfc822-address-string {
             type string;
             description
               "Specifies the identity as a fully-qualified RFC822
                email address string. An example is,
                jsmith@example.com. The string MUST not contain
                any terminators (e.g., NULL, CR, etc.).";
           }
           leaf dnX509 {
             type string;
             description
               "Specifies the identity as a distinguished name in
                the X.509 tradition.";
           }
         }
       } /* grouping identity-grouping */

  -- The document date (May 14, 2015) is 3241 days in the past.  Is this
     intentional?
  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC2234' is defined on line 2628, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC6020' is defined on line 2632, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC6021' is defined on line 2636, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC7296' is defined on line 2643, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC6071' is defined on line 2647, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC6087' is defined on line 2653, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2234 (Obsoleted by RFC 4234)

  ** Obsolete normative reference: RFC 6021 (Obsoleted by RFC 6991)

  ** Obsolete normative reference: RFC 5996 (ref. 'RFC7296') (Obsoleted by
     RFC 7296)

  ** Downref: Normative reference to an Informational RFC: RFC 6071

  -- Obsolete informational reference (is this intentional?): RFC 6087
     (Obsoleted by RFC 8407)

     Summary: 6 errors (**), 0 flaws (~~), 11 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------

1    Network Working Group                                           K. Tran
2    Internet Draft                                                 Ericsson
3    Intended status: Standards Track                           May 14, 2015
4    Expires: November 14, 2015

6              Yang Data Model for Internet Protocol Security (IPSec)
7                      draft-tran-ipecme-yang-ipsec-00.txt

9    Abstract

11      This document defines a YANG data model that can be used to
12      configure and manage Internet Protocol Security (IPSec).

14   Status of this Memo

16      This Internet-Draft is submitted in full conformance with the
17      provisions of BCP 78 and BCP 79.

19      Internet-Drafts are working documents of the Internet Engineering
20      Task Force (IETF), its areas, and its working groups.  Note that
21      other groups may also distribute working documents as Internet-
22      Drafts.

24      Internet-Drafts are draft documents valid for a maximum of six
25      months and may be updated, replaced, or obsoleted by other documents
26      at any time.  It is inappropriate to use Internet-Drafts as
27      reference material or to cite them other than as "work in progress."

29      The list of current Internet-Drafts can be accessed at
30      http://www.ietf.org/ietf/1id-abstracts.txt

32      The list of Internet-Draft Shadow Directories can be accessed at
33      http://www.ietf.org/shadow.html

35      This Internet-Draft will expire on November 14, 2015.

37   Copyright Notice

39      Copyright (c) 2015 IETF Trust and the persons identified as the
40      document authors.  All rights reserved.

42      This document is subject to BCP 78 and the IETF Trust's Legal
43      Provisions Relating to IETF Documents
44      (http://trustee.ietf.org/license-info) in effect on the date of
45      publication of this document.  Please review these documents
46      carefully, as they describe your rights and restrictions with
47      respect to this document.  Code Components extracted from this
48      document must include Simplified BSD License text as described in
49      Section 4.e of the Trust Legal Provisions and are provided without
50      warranty as described in the Simplified BSD License.

52   Table of Contents

54      1. Introduction
55      2. Conventions used in this document
56      3. IPSec Configuration and Operation Model Overview
57         3.1. IPSec Configuration Data Model
58         3.2. IKE Configuration Data Model
59         3.3. IKEv2 Configuration Data Model
60         3.4. IPSec Operation Data Model
61         3.5. IKE Operation Data Model
62         3.6. IKEv2 Operation Data Model
63         3.7. RPC Operation
64      4. IPSec YANG Module
65      5. Security Considerations
66      6. References
67         6.1. Normative References
68         6.2. Informative References

70   1. Introduction

72      Internet Protocol Security (IPSec) is a suite of protocols that
73      provides security to internet communications at the IP layer.  This
74      document defines a YANG data model that can be used to configure and
75      manage the IPSec protocol.

77   2. Conventions used in this document

79      The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
80      "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
81      document are to be interpreted as described in RFC-2119 [RFC2119].

83      In this document, these words will appear with that interpretation
84      only when in ALL CAPS.  Lower case uses of these words are not to be
85      interpreted as carrying RFC-2119 significance.

87      In this document, the characters ">>" preceding an indented line or
88      lines indicate a compliance requirement statement using the key words
89      listed above.  This convention aids reviewers in quickly identifying
90      or finding the explicit compliance requirements of this RFC.

92   3. IPSec Configuration and Operation Model Overview

94      Figure 1 illustrates the IPSec configuration and operation model,
95      which contains the IPSec, IKE, and IKEv2 modules.
97       +------------------------------------------------+
98       |                                                |
99       |    Internet Protocol Security (IPSec)          |
100      |                                                |
101      |                                                |
102      |  +------------+ +------------+ +------------+  |
103      |  |   IPSec    | |    IKE     | |   IKEv2    |  |
104      |  | Data Model | | Data Model | | Data Model |  |
105      |  +------------+ +------------+ +------------+  |
106      |                                                |
107      +------------------------------------------------+

109      Figure 1. Overview of IPSec configuration and operation model
110                structure

112   3.1. IPSec Configuration Data Model

114      The IPSec data model provides the appropriate leaves for configuring
115      the IPSec protocol.  The IPSec YANG data model has the following
116      structure:

118      module: ietf-ipsec
119         +--rw ipsec
120         |  +--rw access-list* [name sequence-number]
121         |  |  +--rw name               string
122         |  |  +--rw description?       string
123         |  |  +--rw sequence-number    uint32
124         |  |  +--rw (protocol)?
125         |  |  |  +--:(number)
126         |  |  |  |  +--rw number?   uint16
127         |  |  |  |  +--rw (argument)?
128         |  |  |  |     +--:(source-ipv4-address)
129         |  |  |  |     |  +--rw source-ipv4-address?   inet:ipv4-address
130         |  |  |  |     +--:(any)
131         |  |  |  |        +--rw source-any?            empty
132         |  |  |  +--:(source-ipv4-address)
133         |  |  |  |  +--rw source-ipv4-address?   inet:ipv4-address
134         |  |  |  +--:(any)
135         |  |  |  |  +--rw any?                   empty
136         |  |  |  +--:(tcp)
137         |  |  |  |  +--rw tcp?                   empty
138         |  |  |  +--:(udp)
139         |  |  |     +--rw udp?                   empty
140         |  |  +--rw (dest-address)?
141         |  |     +--:(dest-ipv4-address)
142         |  |     |  +--rw destination-ipv4-address?   inet:ipv4-address
143         |  |     +--:(dest-any)
144         |  |        +--rw dest-any?                   empty
145         |  +--rw alarms
146         |  |  +--rw hold-down?   uint8
147         |  +--rw qos
148         |  |  +--rw policy* [name]
149         |  |     +--rw name    string
150         |  |     +--rw pq
151         |  |        +--rw num-queues?   uint8
152         |  +--rw redundancy
153         |  |  +--rw inter-chassis?   empty
154         |  +--rw security-association
155         |  |  +--rw ipsec-sa* [name]
156         |  |     +--rw name                  string
157         |  |     +--rw anti-replay-window?   uint16
158         |  |     +--rw ip-comp?              empty
159         |  |     +--rw in
160         |  |     |  +--rw ah
161         |  |     |  |  +--rw spi?           uint32
162         |  |     |  |  +--rw description?   string
163         |  |     |  |  +--rw (authentication-algorithm)?
164         |  |     |  |     +--:(hmac-aes-xcbc)
165         |  |     |  |     |  +--rw hmac-aes-xcbc
166         |  |     |  |     |     +--rw key-str?   union
167         |  |     |  |     +--:(hmac-md5-96)
168         |  |     |  |     |  +--rw hmac-md5-96
169         |  |     |  |     |     +--rw key-str?   union
170         |  |     |  |     +--:(hmac-sha1-96)
171         |  |     |  |     |  +--rw hmac-sha1-96
172         |  |     |  |     |     +--rw key-str?   union
173         |  |     |  |     +--:(key-string)
174         |  |     |  |        +--rw key-string
175         |  |     |  |           +--rw key-str?   union
176         |  |     |  +--rw esp
177         |  |     |     +--rw description?   string
178         |  |     |     +--rw authentication
179         |  |     |     |  +--rw (authentication-algorithm)?
180         |  |     |     |     +--:(hmac-aes-xcbc)
181         |  |     |     |     |  +--rw hmac-aes-xcbc
182         |  |     |     |     |     +--rw key-str?   union
183         |  |     |     |     +--:(hmac-md5-96)
184         |  |     |     |     |  +--rw hmac-md5-96
185         |  |     |     |     |     +--rw key-str?   union
186         |  |     |     |     +--:(hmac-sha1-96)
187         |  |     |     |     |  +--rw hmac-sha1-96
188         |  |     |     |     |     +--rw key-str?   union
189         |  |     |     |     +--:(key-string)
190         |  |     |     |        +--rw key-string
191         |  |     |     |           +--rw key-str?   union
192         |  |     |     +--rw encryption
193         |  |     |        +--rw (encryption-algorithm)?
194         |  |     |           +--:(des3-cbc)
195         |  |     |           |  +--rw des3-cbd
196         |  |     |           |     +--rw key-str?   union
197         |  |     |           +--:(aes-128-cbc)
198         |  |     |           |  +--rw aes-128-cbc
199         |  |     |           |     +--rw key-str?   union
200         |  |     |           +--:(aes-192-cbc)
201         |  |     |           |  +--rw aes-192-cbc
202         |  |     |           |     +--rw key-str?   union
203         |  |     |           +--:(aes-256-cbc)
204         |  |     |           |  +--rw aes-256-cbc
205         |  |     |           |     +--rw key-str?   union
206         |  |     |           +--:(des-cbc)
207         |  |     |           |  +--rw des-cbc
208         |  |     |           |     +--rw key-str?   union
209         |  |     |           +--:(key-string)
210         |  |     |              +--rw key-string
211         |  |     |                 +--rw key-str?   union
212         |  |     +--rw out
213         |  |        +--rw ah
214         |  |        |  +--rw spi?           uint32
215         |  |        |  +--rw description?   string
216         |  |        |  +--rw (authentication-algorithm)?
217         |  |        |     +--:(hmac-aes-xcbc)
218         |  |        |     |  +--rw hmac-aes-xcbc
219         |  |        |     |     +--rw key-str?   union
220         |  |        |     +--:(hmac-md5-96)
221         |  |        |     |  +--rw hmac-md5-96
222         |  |        |     |     +--rw key-str?   union
223         |  |        |     +--:(hmac-sha1-96)
224         |  |        |     |  +--rw hmac-sha1-96
225         |  |        |     |     +--rw key-str?   union
226         |  |        |     +--:(key-string)
227         |  |        |        +--rw key-string
228         |  |        |           +--rw key-str?   union
229         |  |        +--rw esp
230         |  |           +--rw description?   string
231         |  |           +--rw authentication
232         |  |           |  +--rw (authentication-algorithm)?
233         |  |           |     +--:(hmac-aes-xcbc)
234         |  |           |     |  +--rw hmac-aes-xcbc
235         |  |           |     |     +--rw key-str?   union
236         |  |           |     +--:(hmac-md5-96)
237         |  |           |     |  +--rw hmac-md5-96
238         |  |           |     |     +--rw key-str?   union
239         |  |           |     +--:(hmac-sha1-96)
240         |  |           |     |  +--rw hmac-sha1-96
241         |  |           |     |     +--rw key-str?   union
242         |  |           |     +--:(key-string)
243         |  |           |        +--rw key-string
244         |  |           |           +--rw key-str?   union
245         |  |           +--rw encryption
246         |  |              +--rw (encryption-algorithm)?
247         |  |                 +--:(des3-cbc)
248         |  |                 |  +--rw des3-cbd
249         |  |                 |     +--rw key-str?   union
250         |  |                 +--:(aes-128-cbc)
251         |  |                 |  +--rw aes-128-cbc
252         |  |                 |     +--rw key-str?   union
253         |  |                 +--:(aes-192-cbc)
254         |  |                 |  +--rw aes-192-cbc
255         |  |                 |     +--rw key-str?   union
256         |  |                 +--:(aes-256-cbc)
257         |  |                 |  +--rw aes-256-cbc
258         |  |                 |     +--rw key-str?   union
259         |  |                 +--:(des-cbc)
260         |  |                 |  +--rw des-cbc
261         |  |                 |     +--rw key-str?   union
262         |  |                 +--:(key-string)
263         |  |                    +--rw key-string
264         |  |                       +--rw key-str?   union
265         |  +--rw proposal
266         |  |  +--rw ipsec-proposal* [name]
267         |  |     +--rw name        string
268         |  |     +--rw ah?         ike-integrity-algorithm-t
269         |  |     +--rw esp
270         |  |     |  +--rw authentication?   ike-integrity-algorithm-t
271         |  |     |  +--rw encryption?       ike-encryption-algorithm-t
272         |  |     +--rw ip-comp?    empty
273         |  |     +--rw lifetime
274         |  |        +--rw kbytes?    uint32
275         |  |        +--rw seconds?   uint32
276         |  +--rw policy
277         |     +--rw ipsec-policy* [name]
278         |        +--rw name                  string
279         |        +--rw description?          string
280         |        +--rw anti-replay-window?   uint32
281         |        +--rw perfect-forward-secrecy
282         |        |  +--rw dh-group?   diffie-hellman-group-t
283         |        +--rw seq* [seq-id]
284         |           +--rw seq-id         uint32
285         |           +--rw description?   string
286         |           +--rw proposal?      leafref

288   3.2. IKE Configuration Data Model

290      The IKE data model provides the appropriate leaves for configuring
291      the IKE protocol.  The IKE YANG data model has the following
292      structure:

294         +--rw ike
295         |  +--rw proposal* [name]
296         |  |  +--rw name           string
297         |  |  +--rw description?   string
298         |  |  +--rw dh-group       diffie-hellman-group-t
299         |  |  +--rw encryption
300         |  |  |  +--rw algorithm?   ike-encryption-algorithm-t
301         |  |  +--rw lifetime       uint32
302         |  |  +--rw authentication
303         |  |     +--rw algorithm?       ike-integrity-algorithm-t
304         |  |     +--rw preshared-key?   empty
305         |  |     +--rw rsa-signature?   empty
306         |  +--rw keepalive?   empty
307         |  +--rw policy* [name]
308         |     +--rw name                             string
309         |     +--rw mode
310         |     |  +--rw aggressive?   empty
311         |     |  +--rw main?         empty
312         |     +--rw connection-type                  connection-type-t
313         |     +--rw pre-shared-key?                  union
314         |     +--rw validate-certificate-identity?   empty
315         |     +--rw seq* [seq-id]
316         |     |  +--rw seq-id      uint32
317         |     |  +--rw proposal?   leafref
318         |     +--rw identity
319         |        +--rw local
320         |        |  +--rw (identity)?
321         |        |     +--:(ipv4-address)
322         |        |     |  +--rw ipv4-address?            inet:ipv4-address
323         |        |     +--:(ipv6-address)
324         |        |     |  +--rw ipv6-address?            inet:ipv6-address
325         |        |     +--:(fqdn-string)
326         |        |     |  +--rw fqdn-string?             inet:domain-name
327         |        |     +--:(rfc822-address-string)
328         |        |     |  +--rw rfc822-address-string?   string
329         |        |     +--:(dnX509)
330         |        |        +--rw dnX509?                  string
331         |        +--rw remote
332         |           +--rw (identity)?
333         |              +--:(ipv4-address)
334         |              |  +--rw ipv4-address?            inet:ipv4-address
335         |              +--:(ipv6-address)
336         |              |  +--rw ipv6-address?            inet:ipv6-address
337         |              +--:(fqdn-string)
338         |              |  +--rw fqdn-string?             inet:domain-name
339         |              +--:(rfc822-address-string)
340         |              |  +--rw rfc822-address-string?   string
341         |              +--:(dnX509)
342         |                 +--rw dnX509?                  string

344   3.3. IKEv2 Configuration Data Model

346      The IKEv2 data model provides the appropriate leaves for configuring
347      the IKEv2 protocol.  The IKEv2 YANG data model has the following
348      structure:

350         +--rw ikev2
351         |  +--rw proposal* [name]
352         |  |  +--rw name                     string
353         |  |  +--rw description?             string
354         |  |  +--rw dh-group                 diffie-hellman-group-t
355         |  |  +--rw encryption
356         |  |  |  +--rw algorithm?   ike-encryption-algorithm-t
357         |  |  +--rw pseudo-random-function   pseudo-random-function-t
358         |  |  +--rw authentication
359         |  |     +--rw algorithm?   ike-integrity-algorithm-t
360         |  +--rw policy* [name]
361         |     +--rw name                             string
362         |     +--rw authentication
363         |     |  +--rw preshared-key?   empty
364         |     |  +--rw rsa-signature?   empty
365         |     +--rw lifetime                         uint32
366         |     +--rw address-allocation
367         |     |  +--rw aaa?   empty
368         |     +--rw connection-type                  connection-type-t
369         |     +--rw pre-shared-key?                  union
370         |     +--rw validate-certificate-identity?   empty
371         |     +--rw seq* [seq-id]
372         |     |  +--rw seq-id      uint32
373         |     |  +--rw proposal?   leafref
374         |     +--rw identity
375         |     |  +--rw local
376         |     |  |  +--rw (identity)?
377         |     |  |     +--:(ipv4-address)
378         |     |  |     |  +--rw ipv4-address?            inet:ipv4-address
379         |     |  |     +--:(ipv6-address)
380         |     |  |     |  +--rw ipv6-address?            inet:ipv6-address
381         |     |  |     +--:(fqdn-string)
382         |     |  |     |  +--rw fqdn-string?             inet:domain-name
383         |     |  |     +--:(rfc822-address-string)
384         |     |  |     |  +--rw rfc822-address-string?   string
385         |     |  |     +--:(dnX509)
386         |     |  |        +--rw dnX509?                  string
387         |     |  +--rw remote
388         |     |     +--rw (identity)?
389         |     |        +--:(ipv4-address)
390         |     |        |  +--rw ipv4-address?            inet:ipv4-address
391         |     |        +--:(ipv6-address)
392         |     |        |  +--rw ipv6-address?            inet:ipv6-address
393         |     |        +--:(fqdn-string)
394         |     |        |  +--rw fqdn-string?             inet:domain-name
395         |     |        +--:(rfc822-address-string)
396         |     |        |  +--rw rfc822-address-string?   string
397         |     |        +--:(dnX509)
398         |     |           +--rw dnX509?                  string
399         |     +--rw description?                     string

401   3.4. IPSec Operation Data Model

403      The IPSec data model provides the appropriate leaves for operational
404      states of the IPSec protocol.  The IPSec YANG data model has the
405      following structure:

407         +--ro ipsec-state
408         |  +--ro policy*
409         |  |  +--ro name?                      string
410         |  |  +--ro anti-replay-window?        uint32
411         |  |  +--ro perfect-forward-secrecy?   diffie-hellman-group-t
412         |  |  +--ro seq*
413         |  |     +--ro seq-id?          uint32
414         |  |     +--ro proposal-name?   string
415         |  +--ro proposal*
416         |  |  +--ro name?      string
417         |  |  +--ro ah?        ike-integrity-algorithm-t
418         |  |  +--ro esp
419         |  |  |  +--ro authentication?   ike-integrity-algorithm-t
420         |  |  |  +--ro encryption?       ike-encryption-algorithm-t
421         |  |  +--ro ip-comp?   empty
422         |  |  +--ro lifetime
423         |  |     +--ro kbytes?    uint32
424         |  |     +--ro seconds?   uint32
425         |  +--ro hold-down?   uint32
426         |  +--ro sa*
427         |     +--ro name?                       string
428         |     +--ro anti-replay-window?         uint16
429         |     +--ro ip-comp?                    empty
430         |     +--ro spi?                        uint32
431         |     +--ro description?                string
432         |     +--ro authentication-algorithm?   ike-integrity-algorithm-t
433         |     +--ro encryption-algorithm?       ike-encryption-algorithm-t

435   3.5. IKE Operation Data Model

437      The IKE data model provides the appropriate leaves for operational
438      states of the IKE protocol.  The IKE YANG data model has the
439      following structure:

441         +--ro ike-state
442         |  +--ro proposal*
443         |  |  +--ro name?             string
444         |  |  +--ro lifetime?         uint32
445         |  |  +--ro encryption?       ike-encryption-algorithm-t
446         |  |  +--ro dh-group?         diffie-hellman-group-t
447         |  |  +--ro authentication?   ike-integrity-algorithm-t
448         |  +--ro policy*
449         |     +--ro name?              string
450         |     +--ro description?       string
451         |     +--ro mode?              enumeration
452         |     +--ro connection-type?   connection-type-t
453         |     +--ro local-identity?    inet:ipv4-address-no-zone
454         |     +--ro remote-identity?   inet:ipv4-address-no-zone
455         |     +--ro pre-shared-key?    string
456         |     +--ro seq?               uint32
457         |     +--ro proposal?          string

459   3.6. IKEv2 Operation Data Model

461      The IKEv2 data model provides the appropriate leaves for operational
462      states of the IKEv2 protocol.  The IKEv2 YANG data model has the
463      following structure:

465         +--ro ikev2-state
466         |  +--ro proposal*
467         |  |  +--ro name?                     string
468         |  |  +--ro pseudo-random-function?   pseudo-random-function-t
469         |  |  +--ro authentication?           ike-integrity-algorithm-t
470         |  |  +--ro encryption?               ike-encryption-algorithm-t
471         |  |  +--ro dh-group                  diffie-hellman-group-t
472         |  +--ro policy*
473         |     +--ro name?              string
474         |     +--ro description?       string
475         |     +--ro mode?              enumeration
476         |     +--ro connection-type?   connection-type-t
477         |     +--ro local-identity?    inet:ipv4-address-no-zone
478         |     +--ro remote-identity?   inet:ipv4-address-no-zone
479         |     +--ro pre-shared-key?    string
480         |     +--ro seq?               uint32
481         |     +--ro proposal?          string

483   3.7. RPC Operation

485      This section defines the RPCs supported for the IPSec protocol.

487      rpcs:
488         +---x clear-ipsec-group
489         |  +--ro input
490         |     +--ro alarm-hold-down?     uint8
491         |     +--ro ipsec-policy-name?   leafref
492         +---x clear-ike-group
493         |  +--ro input
494         |     +--ro proposal?   leafref
495         +---x clear-ikev2-group
496            +--ro input
497               +--ro proposal?   leafref

499   4. IPSec YANG Module

501      file "ietf-ipsec@2015-04-22.yang"

503      module ietf-ipsec {
504        namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec";
505        prefix "eipsec";

507        import ietf-inet-types {
508          prefix inet;
509        }

511        import ietf-yang-types {
512          prefix yang;
513        }

515        organization "Ericsson AB.";

517        contact "Web: ";

519        description
520          "This YANG module defines the configuration and operational
521           state data for Internet Protocol Security (IPSec) on
522           IETF draft.
523           Copyright (c) 2015 Ericsson AB.
524           All rights reserved.";

526        revision 2015-04-22 {
527          description
528            "Initial revision.";
529          reference
530            "YANG Data model for Internet Protocol Security - IPSec";
531        }

533        /*--------------------*/
534        /*      Typedefs      */
535        /*--------------------*/

537        typedef authentication-method-t {
538          type enumeration {
539            enum psk {
540              value 0;
541              description
542                "Pre-Sharing Keys.";
543            }
544            enum certificate {
545              value 1;
546              description
547                "Certificate.";
548            }
549          }
550          description
551            "Available authentication methods.";
552        }

554        /* IKEv2 Exchange Types (ET) */
555        typedef ikev2-exchange-type-t {
556          type enumeration {
557            enum ikev2-et-ike-sa-init {
558              value 34;
559              description
560                "ikev2-et-ike-sa-init - RFC 7296.";
561            }
562            enum ikev2-et-ike-auth {
563              value 35;
564              description
565                "ikev2-et-ike-auth - RFC 7296.";
566            }
567            enum ikev2-et-create-child-sa {
568              value 36;
569              description
570                "ikev2-et-create-child-sa - RFC 7296.";
571            }
572            enum ikev2-et-informational {
573              value 37;
574              description
575                "ikev2-et-informational - RFC 7296.";
576            }
577            enum ikev2-et-ike-session-resume {
578              value 38;
579              description
580                "ikev2-et-ike-session-resume - RFC 7296.";
581            }
582            enum ikev2-et-gsa-auth {
583              value 39;
584              description
585                "ikev2-et-gsa-auth - RFC 7296.";
586            }
587            enum ikev2-et-gsa-registration {
588              value 40;
589              description
590                "ikev2-et-gsa-registration - RFC 7296.";
591            }
592            enum ikev2-et-gsa-rekey {
593              value 41;
594              description
595                "ikev2-et-gsa-rekey - RFC 7296.";
596            }
597          }
598          description
599            "IKEv2 Exchange Types (ET).";
600        }

602        /* Transform Type Values (TTV), RFC 7296 */
603        typedef transform-type-value-t {
604          type enumeration {
605            enum ttv-reserved-0 {
606              value 0;
607              description
608                "ttv-reserved-0 - Transform Type Value Reserved "+
609                "(RFC 7296).";
610            }
611            enum ttv-encr {
612              value 1;
613              description
614                "ttv-encr - Transform Type Value 1,
615                 Encryption Algorithm "+
616                "(ENCR) used in IKE and ESP.";
617            }
618            enum ttv-prf {
619              value 2;
620              description
621                "ttv-prf - Transform Type Value 2, "+
622                "Pseudo-Random Function(PRF) used in IKE.";
623            }
624            enum ttv-integ {
625              value 3;
626              description
627                "ttv-integ - Transform Type Value 3, Integrity Algorithm"+
628                " (INTEG) used in IKE, AH, optional ESP.";
629            }
630            enum ttv-dh {
631              value 4;
632              description
633                "ttv-dh - Transform Type Value 4, Diffie-Hellman (DH) "+
634                "used in IKE, optional AH and ESP.";
635            }
636            enum ttv-esn {
637              value 5;
638              description
639                "ttv-esn - Transform Type Value 5, Extended Sequence "+
640                "Numbers (ESN) used in AH and ESP.";
641            }
642          }
643          description
644            "Transform Type Values (RFC 7296).";
645        }

647        /* IKEv2 Transform Attribute Types (TAT) */
648        typedef ikev2-transform-attribute-type-t {
649          type enumeration {
650            enum ikev2-tat-reserved-0 {
651              value 0;
652              description
653                "ikev2-tat-reserved-0 - IKEv2 Transform Attribute "+
654                "Type Reserved-0 (RFC 7296).";
655            }
656            enum ikev2-tat-reserved-1 {
657              value 1;
658              description
659                "ikev2-tat-reserved-1 - IKEv2 Transform Attribute "+
660                "Type Reserved-1 (RFC 7296).";
661            }
662            enum ikev2-tat-reserved-13 {
663              value 13;
664              description
665                "ikev2-tat-reserved-13 - IKEv2 Transform Attribute "+
666                "Type Reserved-13 (RFC 7296).";
667            }
668            enum ikev2-tat-key-length {
669              value 41;
670              description
671                "ikev2-tat-key-length - IKEv2 Transform Attribute "+
672                "Type KEY LENGTH (in bits) (RFC 7296).";
673            }
674          }
675          description
676            "IKEv2 Transform Attribute Types (TAT) (RFC 7296).";
677        }

679        /* Transform Type 1 (Encryption Algorithm Transform IDs) */
680        typedef ike-encryption-algorithm-t {
681          type enumeration {
682            enum encr-reserved-0 {
683              value 0;
684              description
685                "encr-reserved-0 --> RFC_5996.";
686            }
687            enum encr-des-iv4 {
688              value 1;
689              description
690                "encr-des-iv4 --> RFC_5996.";
691            }
692            enum encr-des {
693              value 2;
694              description
695                "encr-des --> RFC_5996.";
696            }
697            enum encr-3des {
698              value 3;
699              description
700                "encr-3des --> RFC_5996.";
701            }
702            enum encr-rc5 {
703              value 4;
704              description
705                "encr-rc5 --> RFC_5996.";
706            }
707            enum encr-idea {
708              value 5;
709              description
710                "encr-idea --> RFC_5996.";
711            }
712            enum encr-cast {
713              value 6;
714              description
715                "encr-cast --> RFC_5996.";
716            }
717            enum encr-blowfish {
718              value 7;
719              description
720                "encr-blowfish --> RFC_5996.";
721            }
722            enum encr-3idea {
723              value 8;
724              description
725                "encr-3idea --> RFC_5996.";
726            }
727            enum encr-des-iv32 {
728              value 9;
729              description
730                "encr-des-iv32 --> RFC_5996.";
731            }
732            enum encr-reserved-10 {
733              value 10;
734              description
735                "encr-reserved-10 --> RFC_5996.";
736            }
737            enum encr-null {
738              value 11;
739              description
740                "encr-null --> RFC_5996.";

742            }
743            enum encr-aes-cbc {
744              value 12;
745              description
746                "encr-aes-cbc --> RFC_5996.";
747            }
748            enum encr-aes-ctr {
749              value 13;
750              description
751                "encr-aes-ctr --> RFC_5996.";
752            }
753            enum encr-aes-ccm-8 {
754              value 14;
755              description
756                "encr-aes-ccm-8 --> RFC_5996.";
757            }
758            enum encr-aes-ccm-12 {
759              value 15;
760              description
761                "encr-aes-ccm-12 --> RFC_5996.";
762            }
763            enum encr-aes-ccm-16 {
764              value 16;
765              description
766                "encr-aes-ccm-16 --> RFC_5996.";
767            }
768            enum encr-reserved-17 {
769              value 17;
770              description
771                "encr-reserved-17 --> RFC_5996.";
772            }
773            enum encr-aes-gcm-8-icv {
774              value 18;
775              description
776                "encr-aes-gcm-8-icv --> RFC_5996.";
777            }
778            enum encr-aes-gcm-12-icv {
779              value 19;
780              description
781                "encr-aes-gcm-12-icv --> RFC_5996.";
782            }
783            enum encr-aes-gcm-16-icv {
784              value 20;
785              description
786                "encr-aes-gcm-16-icv --> RFC_5996.";
787            }
788            enum encr-null-auth-aes-gmac {
789              value 21;
790              description
791                "encr-null-auth-aes-gmac --> RFC_5996.";
792            }
793            enum encr-ieee-p1619-xts-aes {
794              value 22;
795              description
796                "encr-ieee-p1619-xts-aes --> Reserved for "+
797                "IEEE P1619 XTS-AES.";
798            }
799            enum encr-camellia-cbc {
800              value 23;
801              description
802                "encr-camellia-cbc --> RFC_5996.";
803            }
804            enum encr-camellia-ctr {
805              value 24;
806              description
807                "encr-camellia-ctr --> RFC_5996.";
808            }
809            enum encr-camellia-ccm-8-icv {
810              value 25;
811              description
812                "encr-camellia-ccm-8-icv --> RFC_5996.";
813            }
814            enum encr-camellia-ccm-12-icv {
815              value 26;
816              description
817                "encr-camellia-ccm-12-icv --> RFC_5996.";
818            }
819            enum encr-camellia-ccm-16-icv {
820              value 27;
821              description
822                "encr-camellia-ccm-16-icv --> RFC_5996.";
823            }
824            enum encr-aes-cbc-128 {
825              value 1024;
826              description
827                "encr-aes-cbc-128 --> RFC_5996.";
828            }
829            enum encr-aes-cbc-192 {
830              value 1025;
831              description
832                "encr-aes-cbc-192 --> RFC_5996.";
833            }
834            enum encr-aes-cbc-256 {
835              value 1026;
836              description
837                "encr-aes-cbc-256 --> RFC_5996.";
838            }
839            enum encr-blowfish-128 {
840              value 1027;
841              description
842                "encr-blowfish-128 --> RFC_5996.";
843            }
844            enum encr-blowfish-192 {
845              value 1028;
846              description
847                "encr-blowfish-192 --> RFC_5996.";
848            }
849            enum encr-blowfish-256 {
850              value 1029;
851              description
852                "encr-blowfish-256 --> RFC_5996.";
853            }
854            enum encr-blowfish-448 {
855              value 1030;
856              description
857                "encr-blowfish-448 --> RFC_5996.";
858            }
859            enum encr-camellia-128 {
860              value 1031;
861              description
862                "encr-camellia-128 --> RFC_5996.";
863            }
864            enum encr-camellia-192 {
865              value 1032;
866              description
867                "encr-camellia-192 --> RFC_5996.";
868            }
869            enum encr-camellia-256 {
870              value 1033;
871              description
872                "encr-camellia-256 --> RFC_5996.";
873            }
874          }
875          description
876            "Transform Type 1 - Internet Key Exchange (IKE) "+
877            "encryption algorithms.";
878        }

880        /* Transform Type 2 (Pseudo-Random Function PRF) */
881        typedef pseudo-random-function-t {
882          type enumeration {
883            enum prf-reserved-0 {
884              value 0;
885              description
886                "prf-reserved-0 --> RFC_2104.";
887            }
888            enum prf-hmac-md5 {
889              value 1;
890              description
891                "prf-hmac-md5 --> RFC_2104.";
892            }
893            enum prf-hmac-sha1 {
894              value 2;
895              description
896                "prf-hmac-sha1 --> RFC2104.";
897            }
898            enum prf-hmac-tiger {
899              value 3;
900              description
901                "prf-hmac-tiger --> RFC2104.";
902            }
903            enum prf-aes128-xcbc {
904              value 4;
905              description
906                "prf-aes128-xcbc --> RFC_4434.";
907            }
908            enum prf-hmac-sha2-256 {
909              value 5;
910              description
911                "prf-hmac-sha2-256 --> RFC_4434.";
912            }
913            enum prf-hmac-sha2-384 {
914              value 6;
915              description
916                "prf-hmac-sha2-384 --> RFC_4434.";
917            }
918            enum prf-hmac-sha2-512 {
919              value 7;
920              description
921                "prf-hmac-sha2-512 --> RFC_4434.";
922            }
923            enum prf-aes128-cmac {
924              value 8;
925              description
926                "prf-aes128-cmac --> RFC_4615.";
927            }
928          }
929          description
930            "Available Pseudo-Random Functions (PRF).";
931        }

933        /* Transform Type 3 (Integrity Algorithm) */
934        typedef ike-integrity-algorithm-t {
935          type enumeration {
936            enum auth-none {
937              value 0;
938              description
939                "auth-none --> RFC_5996.";
940            }
941            enum auth-hmac-md5-96 {
942              value 1;
943              description
944                "auth-hmac-md5-96 --> RFC_5996.";
945            }
946            enum auth-hmac-sha1-96 {
947              value 2;
948              description
949                "auth-hmac-sha1-96 --> RFC_5996.";
950            }
951            enum auth-des-mac {
952              value 3;
953              description
954                "auth-des-mac --> RFC_5996.";
955            }
956            enum auth-kpdk-md5 {
957              value 4;
958              description
959                "auth-kpdk-md5 --> RFC_5996.";
960            }
961            enum auth-aes-xcbc-96 {
962              value 5;
963              description
964                "auth-aes-xcbc-96 --> RFC_5996.";
965            }
966            enum auth-hmac-md5-128 {
967              value 6;
968              description
969                "auth-hmac-md5-128 --> RFC_5996.";
970            }
971            enum auth-hmac-sha1-160 {
972              value 7;
973              description
974                "auth-hmac-sha1-160 --> RFC_5996.";
975            }
976            enum auth-aes-cmac-96 {
977              value 8;
978              description
979                "auth-aes-cmac-96 --> RFC_5996.";
980            }
981            enum auth-aes-128-gmac {
982              value 9;
983              description
984                "auth-aes-128-gmac --> RFC_5996.";
985            }
986            enum auth-aes-192-gmac {
987              value 10;
988              description
989                "auth-aes-192-gmac --> RFC_5996.";
990            }
991            enum auth-aes-256-gmac {
992              value 11;
993              description
994                "auth-aes-256-gmac --> RFC_5996.";
995            }
996            enum auth-hmac-sha2-256-128 {
997              value 12;
998              description
999                "auth-hmac-sha2-256-128 --> RFC_5996.";
1000           }
1001           enum auth-hmac-sha2-384-192 {
1002             value 13;
1003             description
1004               "auth-hmac-sha2-384-192 --> RFC_5996.";
1005           }
1006           enum auth-hmac-sha2-512-256 {
1007             value 14;
1008             description
1009               "auth-hmac-sha2-512-256 --> RFC_5996.";
1010           }
1011           enum auth-hmac-sha2-256-96 {
1012             value 1024;
1013             description
1014               "auth-hmac-sha2-256-96.";
1015           }
1016         }
1017         description
1018           "Transform Type 3 - Internet Key Exchange (IKE) "+
1019           "Integrity Algorithms.";
1020       }

1022       /* Transform Type 4 (Diffie-Hellman Group) */
1023       typedef diffie-hellman-group-t {
1024         type enumeration {
1025           enum group-none {
1026             value 0;
1027             description
1028               "group-none --> RFC_5996.";
1029           }
1030           enum modp-768-group-1 {
1031             value 1;
1032             description
1033               "modp-768-group-1 --> RFC_5996.";
1034           }
1035           enum modp-1024-group-2 {
1036             value 2;
1037             description
1038               "modp-1024-group-2 --> RFC_5996.";
1039           }
1040           enum modp-1536-group-5 {
1041             value 5;
1042             description
1043               "modp-1536-group-5 --> RFC_3526.";
1044           }
1045           enum modp-2048-group-14 {
1046             value 14;
1047             description
1048               "modp-2048-group-14 --> RFC_3526.";
1049           }
1050           enum modp-3072-group-15 {
1051             value 15;
1052             description
1053               "modp-3072-group-15 --> RFC_3526.";
1054           }
1055           enum modp-4096-group-16 {
1056             value 16;
1057             description
1058               "modp-4096-group-16 --> RFC_3526.";
1059           }
1060           enum modp-6144-group-17 {
1061             value 17;
1062             description
1063               "modp-6144-group-17 --> RFC_3526.";
1064           }
1065           enum modp-8192-group-18 {
1066             value 18;
1067             description
1068               "modp-8192-group-18 --> RFC_3526.";
1069           }
1070           enum recp-256-group-19 {
1071             value 19;
1072             description
1073               "recp-256-group-19 --> RFC_6989. 256-bit"+
1074               " Random ECP Group.";
1075           }
1076           enum recp-384-group-20 {
1077             value 20;
1078             description
1079               "recp-384-group-20 --> RFC_6989. 384-bit"+
1080               " Random ECP Group.";
1081           }
1082           enum recp-521-group-21 {
1083             value 21;
1084             description
1085               "recp-521-group-21 --> RFC_6989. 521-bit"+
1086               " Random ECP Group.";
1087           }
1088           enum modp-1024-160-pos-group-22 {
1089             value 22;
1090             description
1091               "modp-1024-160-pos-group-22 --> RFC_6989."+
1092               " 1024-bit MODP Group with"+
1093               " 160-bit Prime Order Subgroup (POS).";
1094           }
1095           enum modp-2048-224-pos-group-23 {
1096             value 23;
1097             description
1098               "modp-2048-224-pos-group-23 --> RFC_6989."+
1099               " 2048-bit MODP Group with"+
1100               " 224-bit Prime Order Subgroup (POS).";
1101           }
1102           enum modp-2048-256-pos-group-24 {
1103             value 24;
1104             description
1105               "modp-2048-256-pos-group-24 --> RFC_6989."+
1106               " 2048-bit MODP Group with"+
1107               " 256-bit Prime Order Subgroup (POS).";
1108           }
1109           enum recp-192-group-25 {
1110             value 25;
1111             description
1112               "recp-192-group-25 --> RFC_6989."+
1113               " 192-bit Random ECP Group.";
1114           }
1115           enum recp-224-group-26 {
1116             value 26;
1117             description
1118               "recp-224-group-26 --> RFC_6989."+
1119               " 224-bit Random ECP Group.";
1120           }
1121         }
1122         description
1123           "Diffie-Hellman Groups (RFC 5996).";
1124       }

1126       /* Transform Type 5 (Extended Sequence Numbers
1127          Transform ESN IDs) */
1128       typedef extended-sequence-number-t {
1129         type enumeration {
1130           enum esn-none {
1131             value 0;
1132             description
1133               "esn-none - Extended Sequence Number None --> RFC_7296.";
1134           }
1135           enum esn-1 {
1136             value 1;
1137             description
1138               "esn-1 - Extended Sequence Number --> RFC_7296.";
1139           }
1140         }
1141         description
1142           "Extended Sequence Number (RFC 7296).";
1143       }

1145       typedef connection-type-t {
1146         type enumeration {
1147           enum initiator-only {
1148             value 0;
1149             description
1150               "initiator-only: ME will act as initiator for"+
1151               " bringing up IKEv2"+
1152               " session with its IKE peer.";
1153           }
1154           enum responder-only {
1155             value 1;
1156             description
1157               "responder-only: ME will act as responder for"+
1158               " bringing up IKEv2"+
1159 " session with its IKE peer."; 1160 } 1161 enum both { 1162 value 2; 1163 description 1164 "both: ME can act as initiator or responder."; 1165 } 1166 } 1167 description 1168 "Connection type for IKE session."; 1169 } 1171 typedef transport-protocol-name-t { 1172 type enumeration { 1173 enum tcp { 1174 value 1; 1175 description 1176 "Transmission Control Protocol (TCP) Transport Protocol."; 1177 } 1178 enum udp { 1179 value 2; 1180 description 1181 "User Datagram Protocol (UDP) Transport Protocol"; 1182 } 1183 enum sctp { 1184 value 3; 1185 description 1186 "Stream Control Transmission Protocol (SCTP) Transport "+ 1187 "Protocol"; 1188 } 1189 enum icmp { 1190 value 4; 1191 description 1192 "Internet Control Message Protocol (ICMP) Transport "+ 1193 "Protocol"; 1194 } 1195 } 1196 description 1197 "Enumeration of well known transport protocols."; 1198 } 1200 typedef preshared-key-t { 1201 type string; 1202 description 1203 "Derived string used as Pre-Shared Key."; 1204 } 1206 /*--------------------*/ 1207 /* grouping */ 1208 /*--------------------*/ 1210 /* The following groupings are used in both configuration data 1211 and operational state data */ 1212 grouping name-grouping { 1213 description 1214 "This grouping provides a leaf identifying the name."; 1215 leaf name { 1216 type string; 1217 description 1218 "Name of a identifying."; 1219 } 1220 leaf description { 1221 type string; 1222 description 1223 "Specify the description."; 1224 } 1225 } 1227 grouping sequence-number-grouping { 1228 description 1229 "This grouping provides a leaf identifying 1230 a sequence number."; 1231 leaf sequence-number { 1232 type uint32 { 1233 range "1..4294967295"; 1234 } 1235 description 1236 "Specify the sequence number."; 1237 } 1238 } 1240 grouping description-grouping { 1241 description 1242 "description for free use."; 1243 leaf description { 1244 type string; 1245 description 1246 "description for free use."; 1247 } 1248 } 1250 grouping traffic-selector-grouping { 1251 
description 1252 "Traffic selector to be used for SA negotiation."; 1253 leaf traffic-selector-id { 1254 type string; 1255 mandatory true; 1256 description 1257 "Traffic selector identifier."; 1258 } 1259 leaf protocol-name { 1260 type transport-protocol-name-t; 1261 description 1262 "Specifies the protocol selector."; 1263 } 1264 leaf address-range { 1265 type string; 1266 mandatory true; 1267 description 1268 "Specifies the IPv4 or IPv6 address range."; 1269 } 1270 } 1272 grouping ike-general-proposal-grouping { 1273 description 1274 "IKE proposal."; 1275 leaf name { 1276 type string; 1277 mandatory true; 1278 description 1279 "IKE Proposal identify."; 1280 } 1281 leaf description { 1282 type string; 1283 description 1284 "Specify the description."; 1285 } 1287 leaf dh-group { 1288 type diffie-hellman-group-t; 1289 mandatory true; 1290 description 1291 "Specifies a Diffie-Hellman group."; 1292 } 1293 container encryption { 1294 description 1295 "Specify IKE Proposal encryption configuration"; 1296 leaf algorithm { 1297 type ike-encryption-algorithm-t; 1298 description 1299 "Specifies an Encryption Algorithm."; 1300 } 1301 } 1302 } 1304 grouping ike-proposal-grouping { 1305 description 1306 "Configure the IKE Proposal"; 1307 uses ike-general-proposal-grouping; 1309 leaf lifetime { 1310 type uint32; 1311 mandatory true; 1312 description 1313 "Configure lifetime for IKE SAs 1314 0: for no timeout. 1315 300 .. 
99999999: IKE SA lifetime in seconds."; 1316 } 1317 container authentication { 1318 description 1319 "Specify IKE Proposal authentication configuration"; 1320 leaf algorithm { 1321 type ike-integrity-algorithm-t; 1322 description 1323 "Specify the authentication algorithm"; 1324 } 1325 leaf preshared-key { 1326 type empty; 1327 description 1328 "Use pre-shared key based authentication"; 1329 } 1330 leaf rsa-signature { 1331 type empty; 1332 description 1333 "Use signature based authentication by using 1334 PKI certificates"; 1335 } 1336 } 1337 } 1339 grouping ikev2-proposal-grouping { 1340 description 1341 "Holds an IKEv2 transform proposal used during "+ 1342 "IKEv2 SA negotiation. Multiple IKEv2 Transforms "+ 1343 " can be proposed during an IKEv2 session initiation "+ 1344 "in an ordered list."; 1345 uses ike-general-proposal-grouping; 1347 leaf pseudo-random-function { 1348 type pseudo-random-function-t; 1349 mandatory true; 1350 description 1351 "Specifies Pseudo Random Function for IKEv2 key exchange"; 1352 } 1353 container authentication { 1354 description 1355 "Specify IKEv2 Proposal authentication configuration"; 1356 leaf algorithm { 1357 type ike-integrity-algorithm-t; 1358 description 1359 "Specify the authentication algorithm"; 1360 } 1361 } 1362 } 1364 grouping ipsec-proposal-grouping { 1365 description 1366 "Configure IPSec Proposal"; 1367 leaf name { 1368 type string; 1369 mandatory true; 1370 description 1371 "IPSec proposal identifier."; 1372 } 1373 leaf ah { 1374 type ike-integrity-algorithm-t; 1375 description 1376 "Configure Authentication Header (AH)."; 1377 } 1378 container esp { 1379 description 1380 "Configure Encapsulating Security Payload (ESP)."; 1381 leaf authentication { 1382 type ike-integrity-algorithm-t; 1383 description 1384 "Configure ESP authentication"; 1385 } 1386 leaf encryption { 1387 type ike-encryption-algorithm-t; 1388 description 1389 "Configure ESP encryption"; 1390 } 1391 } 1392 leaf ip-comp{ 1393 type empty; 1394 
description 1395 "Enable IPSec proposal IP-COMP which uses the IP Payload "+ 1396 "compression protocol to compress IP Security (IPSec) "+ 1397 "packets before encryption"; 1398 } 1399 container lifetime { 1400 description 1401 "Configure lifetime for IPSEC SAs"; 1402 leaf kbytes { 1403 type uint32 { 1404 range "128..2147483647"; 1405 } 1406 description 1407 "Enter lifetime kbytes for IPSEC SAs"; 1408 } 1409 leaf seconds { 1410 type uint32 { 1411 range "300..99999999"; 1412 } 1413 description 1414 "Enter lifetime seconds for IPSEC SAs 1415 0: lifetime of 0 for no timeout 1416 300..99999999: IPSec SA lifetime in seconds"; 1417 } 1418 } 1419 } 1421 grouping identity-grouping { 1422 description 1423 "Identification type. It is an union identity, "+ 1424 "possible type as follows: "+ 1425 "a) ID_FQDN: A fully-qualified domain name string. "+ 1426 " An example of a ID_FQDN is, example.com. "+ 1427 " The string MUST not contain any terminators "+ 1428 "(e.g., NULL, CR, etc.). "+ 1429 "b) ID_RFC822_ADDR: A fully-qualified RFC822 email "+ 1430 " address string, An example of a ID_RFC822_ADDR is, "+ 1431 " jsmith@example.com. The string MUST not contain "+ 1432 " any terminators. "+ 1433 "c) ID_IPV4_ADDR: A single four (4) octet IPv4 address. "+ 1434 "d) ID_IPV6_ADDR: A single sixteen (16) octet IPv6 address. "+ 1435 "e) DN_X509: Distinguished name in the X.509 tradition."; 1436 choice identity { 1437 description 1438 "Choice of identity."; 1439 leaf ipv4-address { 1440 type inet:ipv4-address; 1441 description 1442 "Specifies the identity as a single four (4) 1443 octet IPv4 address. 1444 An example is, 10.10.10.10. "; 1445 } 1446 leaf ipv6-address { 1447 type inet:ipv6-address; 1448 description 1449 "Specifies the identity as a single sixteen (16) "+ 1450 "octet IPv6 address. 
"+ 1451 "An example is, "+ 1452 "FF01::101, 2001:DB8:0:0:8:800:200C:417A ."; 1453 } 1454 leaf fqdn-string { 1455 type inet:domain-name; 1456 description 1457 "Specifies the identity as a Fully-Qualified 1458 Domain Name (FQDN) string. 1459 An example is: example.com. 1460 The string MUST not contain any terminators 1461 (e.g., NULL, CR, etc.)."; 1462 } 1463 leaf rfc822-address-string { 1464 type string; 1465 description 1466 "Specifies the identity as a fully-qualified RFC822 1467 email address string. 1468 An example is, jsmith@example.com. 1469 The string MUST not contain any terminators 1470 (e.g., NULL, CR, etc.)."; 1471 } 1472 leaf dnX509 { 1473 type string; 1474 description 1475 "Specifies the identity as a distinguished name 1476 in the X.509 tradition."; 1477 } 1478 } 1479 } /* grouping identity-grouping */ 1481 grouping ike-general-policy-profile-grouping { 1482 description 1483 "IKE policy."; 1484 leaf connection-type { 1485 type connection-type-t; 1486 mandatory true; 1487 description 1488 "Specify the IKE connection type"; 1489 } 1490 leaf pre-shared-key { 1491 type union { 1492 type string { 1493 length "16"; 1494 } 1495 type yang:hex-string { 1496 length "40"; 1497 } 1498 } 1499 description 1500 "Specify IKE pre-shared-key value"; 1501 } 1502 leaf validate-certificate-identity { 1503 type empty; 1504 description 1505 "Validate Remote-ID payload against the 1506 ID's available in the certificate"; 1507 } 1508 list seq { 1509 key seq-id; 1510 description 1511 "list of sequence of policy."; 1512 leaf seq-id { 1513 type uint32 { 1514 range "1..429496729"; 1515 } 1516 description 1517 "Sequence Number"; 1518 } 1519 leaf proposal { 1520 type leafref { 1521 path "/eipsec:ike/eipsec:proposal"+ 1522 "/eipsec:name"; 1523 } 1524 description 1525 "IKE Proposal reference."; 1526 } 1527 } 1528 container identity { 1529 description 1530 "Specify IKE identity value"; 1531 container local { 1532 description 1533 "Specify the identity of the local IP Security (IPSec) 
1534 tunnel endpoint in an Internet Key Exchange (IKE) 1535 policy to use when negotiating IKE request with a 1536 remote peer."; 1537 uses identity-grouping; 1538 } 1539 container remote { 1540 description 1541 "Specify the identity of the remote IP Security (IPSec) 1542 tunnel endpoint in an 1543 Internet Key Exchange (IKE) policy to use when 1544 negotiating IKE request with a remote peer."; 1545 uses identity-grouping; 1546 } 1547 } 1548 } 1550 grouping ike-policy-mode-grouping { 1551 description 1552 "IKE Policy Mode"; 1553 container mode { 1554 description 1555 "Specify IKE mode configuration"; 1556 leaf aggressive { 1557 type empty; 1558 description 1559 "Set IKE Aggressive mode"; 1560 } 1561 leaf main { 1562 type empty; 1563 description 1564 "Set IKE Main mode"; 1565 } 1566 } 1567 } 1569 grouping ike-policy-profile-grouping { 1570 description 1571 "Configure IKE policy"; 1572 leaf name { 1573 type string; 1574 mandatory true; 1575 description 1576 "Specify an IKE policy name"; 1577 } 1578 uses ike-policy-mode-grouping; 1579 uses ike-general-policy-profile-grouping; 1580 } 1582 grouping ikev2-policy-profile-grouping { 1583 description 1584 "Common information for multiple IKE sessions 1585 to be instantiated on a managed element.; 1586 One or more Ikev2Session instances might refer 1587 to this instance."; 1588 leaf name { 1589 type string; 1590 mandatory true; 1591 description 1592 "Value component of the RDN."; 1593 } 1594 container authentication { 1595 description 1596 "Specify IKE Proposal authentication configuration"; 1597 leaf preshared-key { 1598 type empty; 1599 description 1600 "Use pre-shared key based authentication"; 1601 } 1602 leaf rsa-signature { 1603 type empty; 1604 description 1605 "Use signature based authentication by using 1606 PKI certificates"; 1607 } 1608 } 1609 leaf lifetime { 1610 type uint32; 1611 mandatory true; 1612 description 1613 "Configure lifetime for IKE SAs 1614 0: for no timeout. 1615 300 .. 
99999999: IKE SA lifetime in seconds."; 1616 } 1618 container address-allocation { 1619 must "../connection-type == 'responder-only'" { 1620 description 1621 "address-allocation can be configured only with 1622 responder-only in ike2 policy"; 1623 } 1624 leaf aaa { 1625 type empty; 1626 description 1627 "IRAC address allocation by AAA"; 1628 } 1629 description 1630 "Specify IKE IRAS address allocation option"; 1631 } 1632 uses ike-general-policy-profile-grouping; 1634 leaf description { 1635 type string; 1636 description 1637 "Specify the description."; 1638 } 1639 } 1641 grouping ipsec-policy-grouping { 1642 description 1643 "Holds configuration information for IPSec policies."; 1644 leaf name { 1645 type string; 1646 mandatory true; 1647 description 1648 "IPSec Policy Identification"; 1649 } 1650 leaf description { 1651 type string; 1652 description 1653 "Specify the description."; 1654 } 1656 leaf anti-replay-window { 1657 type uint32 { 1658 range "0 | 32..1024"; 1659 } 1660 description 1661 "Configure replay window size 1662 0: to disable anti-replay-window 1663 32..1024: IPSec anti-replay-window size in multiple of 32"; 1664 } 1665 container perfect-forward-secrecy { 1666 description 1667 "Configure Perfect Forward Secrecy (PFS) for IPSec Policy"; 1669 leaf dh-group { 1670 type diffie-hellman-group-t; 1671 description 1672 "Configure Diffie-Hellman group for 1673 perfect-forward-secrecy"; 1674 } 1675 } 1676 list seq { 1677 key seq-id; 1678 description 1679 "Specify IPSEC proposal sequence number"; 1680 leaf seq-id { 1681 type uint32; 1682 description 1683 "Sequence ID"; 1684 } 1685 leaf description { 1686 type string; 1687 description 1688 "Specify the description."; 1689 } 1691 leaf proposal { 1692 type leafref { 1693 path "/eipsec:ipsec/"+ 1694 "eipsec:proposal/eipsec:ipsec-proposal/eipsec:name"; 1695 } 1696 description 1697 "IKE proposal reference."; 1698 } 1699 } 1700 } 1702 grouping key-string-grouping { 1703 description 1704 "Configure key for 
authentication algorithm"; 1705 leaf key-str { 1706 type union { 1707 type string { 1708 length "16"; 1709 } 1710 type yang:hex-string { 1711 length "40"; 1712 } 1713 } 1714 description 1715 "Key string input is either string value (length of 16) 1716 or hexadecimal (length of 40)"; 1717 } 1719 } 1721 grouping ipsec-sa-ah-grouping { 1722 description 1723 "Configure Authentication Header (AH) for 1724 Security Association (SA)"; 1725 container ah { 1726 description 1727 "Configure Authentication Header (AH) for SA"; 1728 leaf spi { 1729 type uint32 { 1730 range "256..131071"; 1731 } 1732 description 1733 "Configure Security Parameter Index (SPI) value"; 1734 } 1735 leaf description { 1736 type string; 1737 description 1738 "Specify the description."; 1739 } 1741 choice authentication-algorithm { 1742 description 1743 "choice for authentication algorithm to set for AH"; 1744 case hmac-aes-xcbc { 1745 container hmac-aes-xcbc { 1746 description 1747 "Set the authentication algorithm to hmac-aes-xcbc"; 1748 uses key-string-grouping; 1749 } 1750 } 1751 case hmac-md5-96 { 1752 container hmac-md5-96 { 1753 description 1754 "Set the authentication algorithm to hmac-md5-96"; 1755 uses key-string-grouping; 1756 } 1757 } 1758 case hmac-sha1-96 { 1759 container hmac-sha1-96 { 1760 description 1761 "Set the authentication algorithm to hmac-sha1-96"; 1762 uses key-string-grouping; 1763 } 1764 } 1765 case key-string { 1766 container key-string { 1767 description 1768 "Configure key for authentication algorithm"; 1769 uses key-string-grouping; 1770 } 1771 } 1772 } 1773 } 1774 } 1776 grouping ipsec-sa-esp-grouping { 1777 description 1778 "Configure IPSec Encapsulation Security Payload (ESP)"; 1779 container esp { 1780 description 1781 "Set IPSec Encapsulation Security Payloer (ESP)"; 1782 leaf description { 1783 type string; 1784 description 1785 "Specify the description."; 1786 } 1788 container authentication { 1789 description 1790 "Configure authentication for IPSec 1791 
Encapsulation Secutiry Payload (ESP)"; 1792 choice authentication-algorithm { 1793 description 1794 "choice for authentication algorithm to set"; 1795 case hmac-aes-xcbc { 1796 container hmac-aes-xcbc { 1797 description 1798 "Set the authentication algorithm to hmac-aes-xcbc"; 1799 uses key-string-grouping; 1800 } 1801 } 1802 case hmac-md5-96 { 1803 container hmac-md5-96 { 1804 description 1805 "Set the authentication algorithm to hmac-md5-96"; 1806 uses key-string-grouping; 1807 } 1808 } 1809 case hmac-sha1-96 { 1810 container hmac-sha1-96 { 1811 description 1812 "Set the authentication algorithm to hmac-sha1-96"; 1813 uses key-string-grouping; 1814 } 1815 } 1816 case key-string { 1817 container key-string { 1818 description 1819 "Configure key for authentication algorithm"; 1820 uses key-string-grouping; 1821 } 1822 } 1823 } 1824 } 1825 container encryption { 1826 description 1827 "Configure encryption for IPSec 1828 Encapsulation Secutiry Payload (ESP)"; 1829 choice encryption-algorithm { 1830 description 1831 "type of encryption"; 1832 case des3-cbc { 1833 container des3-cbd { 1834 description 1835 "Set the encryption algorithm to des3-cbc"; 1836 uses key-string-grouping; 1837 } 1838 } 1839 case aes-128-cbc { 1840 container aes-128-cbc { 1841 description 1842 "Set the encryption algorithm to aes-128-cbc"; 1843 uses key-string-grouping; 1844 } 1845 } 1846 case aes-192-cbc { 1847 container aes-192-cbc { 1848 description 1849 "Set the encryption algorithm to aes-192-cbc"; 1850 uses key-string-grouping; 1851 } 1852 } 1853 case aes-256-cbc { 1854 container aes-256-cbc { 1855 description 1856 "Set the encryption algorithm to aes-256-cbc"; 1857 uses key-string-grouping; 1858 } 1859 } 1860 case des-cbc { 1861 container des-cbc { 1862 description 1863 "Set the encryption algorithm to des-cbc"; 1864 uses key-string-grouping; 1865 } 1867 } 1868 case key-string { 1869 container key-string { 1870 description 1871 "Configure key for encryption algorithm"; 1872 uses 
key-string-grouping; 1873 } 1874 } 1875 } 1876 } 1877 } 1878 } 1880 grouping ipsec-acl-dest-grouping { 1881 description 1882 "IPSEC ACL destination."; 1883 /* For destination */ 1884 choice dest-address { 1885 description 1886 "destination address."; 1887 case dest-ipv4-address { 1888 leaf destination-ipv4-address { 1889 type inet:ipv4-address; 1890 description 1891 "Destination IPv4 Address A.B.C.D/0..32."; 1892 } 1893 } 1894 case dest-any { 1895 leaf dest-any { 1896 type empty; 1897 description 1898 "Match Any Destination IPv4 Address."; 1899 } 1900 } 1901 } 1902 } 1904 grouping ipsec-acl-seq-protocol-number-grouping { 1905 description 1906 "IPSec ACL Sequence protocol number."; 1907 leaf number { 1908 type uint16 { 1909 range "0..255"; 1910 } 1911 description 1912 "Specify protocol number."; 1913 } 1914 choice argument { 1915 description 1916 "Source IPv4 address."; 1917 case source-ipv4-address { 1918 leaf source-ipv4-address { 1919 type inet:ipv4-address; 1920 description 1921 "Source IPv4 Address A.B.C.D/0..32."; 1922 } 1923 } 1924 case any { 1925 /* For source */ 1926 leaf source-any { 1927 type empty; 1928 description 1929 "Match Any Source IPv4 Address."; 1930 } 1931 } 1932 } 1933 } 1935 grouping ipsec-acl-seq-ip-address-grouping { 1936 description 1937 "IPSec ACL Sequence IP Address."; 1938 leaf source-ipv4-address { 1939 type inet:ipv4-address; 1940 description 1941 "Source is IPv4 Address A.B.C.D/0..32."; 1942 } 1943 } 1945 grouping ipsec-acl-seq-any-grouping { 1946 description 1947 "IPSec ACL Sequence Any."; 1948 leaf any { 1949 type empty; 1950 description 1951 "Source is Any."; 1952 } 1953 } 1955 grouping ipsec-acl-seq-tcp-grouping { 1956 description 1957 "IPSec ACL Sequence TCP."; 1958 leaf tcp { 1959 type empty; 1960 description 1961 "Source is TCP protocol."; 1962 } 1963 } 1964 grouping ipsec-acl-seq-udp-grouping { 1965 description 1966 "IPSec ACL Sequence for UDP."; 1967 leaf udp { 1968 type empty; 1969 description 1970 "Source is UDP protocol."; 
1971 } 1972 } 1974 grouping ipsec-acl-grouping { 1975 description 1976 "IPSec ACL"; 1977 list access-list { 1978 key "name sequence-number"; 1979 uses name-grouping; 1980 uses sequence-number-grouping; 1981 description 1982 "Configure the IPSec access-list."; 1983 choice protocol { 1984 description 1985 "IPSec ACL protocol."; 1986 case number { 1987 uses ipsec-acl-seq-protocol-number-grouping; 1988 } 1989 case source-ipv4-address { 1990 uses ipsec-acl-seq-ip-address-grouping; 1991 } 1992 case any { 1993 uses ipsec-acl-seq-any-grouping; 1994 } 1995 case tcp { 1996 uses ipsec-acl-seq-tcp-grouping; 1997 } 1998 case udp { 1999 uses ipsec-acl-seq-udp-grouping; 2000 } 2001 } 2002 uses ipsec-acl-dest-grouping; 2003 } 2004 } 2006 grouping ipsec-df-bit-grouping { 2007 description 2008 "IPSec Dont Fragment (DF) bit for IP header."; 2009 container df-bit { 2010 description 2011 "Configure Don't Fragment (DF) bit for IP Header."; 2012 leaf clear { 2013 type empty; 2014 description 2015 "Clear DF bit for outer IP header."; 2016 } 2017 leaf propagate { 2018 type empty; 2019 description 2020 "Propagate DF bit for outer IP header."; 2021 } 2022 leaf set { 2023 type empty; 2024 description 2025 "Set DF bit for outer IP header."; 2026 } 2027 } 2028 } 2030 grouping ipsec-profile-grouping { 2031 description 2032 "IPSec profile."; 2033 list profile { 2034 key "name"; 2035 uses name-grouping; 2036 uses ipsec-df-bit-grouping; 2037 description 2038 "Configure the IPSec Profile."; 2039 leaf mtu { 2040 type uint32 { 2041 range "256..1600"; 2042 } 2043 description 2044 "Set the MTU."; 2045 } 2046 list seq { 2047 key "sequence-number"; 2048 uses sequence-number-grouping; 2049 description 2050 "IPSec Access List sequence number."; 2051 leaf policy { 2052 type leafref { 2053 path "/eipsec:ipsec/eipsec:policy"+ 2054 "/eipsec:ipsec-policy/eipsec:name"; 2055 } 2056 description 2057 "Specify IPSec policy name."; 2058 } 2059 leaf access-list { 2060 type leafref { 2061 path 
"/econtext:contexts/econtext:context/"+ 2062 "econtext:name/econtext:ipsec"+ 2063 "/econtext:access-list/econtext:name"; 2064 } 2065 description 2066 "Specify IPSec access-list name."; 2067 } 2068 } 2069 } 2070 } 2072 /*--------------------*/ 2073 /* Configuration Data */ 2074 /*--------------------*/ 2075 container ike { 2076 description 2077 "Configuration IPSec IKE"; 2078 /* The following is for */ 2079 list proposal { 2080 key "name"; 2081 uses ike-proposal-grouping; 2082 description 2083 "Configure IKE proposal"; 2084 } 2085 leaf keepalive { 2086 type empty; 2087 description 2088 "Enables sending Dead Peer Detection (DPD) messages "+ 2089 "to Internet Key Exchange (IKE) peers."; 2090 } 2091 list policy { 2092 key "name"; 2093 uses ike-policy-profile-grouping; 2094 description 2095 "Configure IKE Policy Profile."; 2096 } 2097 } 2099 container ikev2 { 2100 description 2101 "Configuration IPSec IKEv2"; 2102 /* The following is for */ 2103 list proposal { 2104 key "name"; 2105 uses ikev2-proposal-grouping; 2106 description 2107 "Configure IKEv2 proposal"; 2108 } 2109 list policy { 2110 key "name"; 2111 uses ikev2-policy-profile-grouping; 2112 description 2113 "IKEv2 Policy Profile"; 2114 } 2115 } 2117 container ipsec { 2118 description 2119 "Configuration IPSec"; 2120 uses ipsec-acl-grouping; 2121 container alarms { 2122 description 2123 "Configure the IPSec alarm for tunnels"; 2124 leaf hold-down { 2125 type uint8 { 2126 range "1..120"; 2127 } 2128 description 2129 "Hold-down time (in seconds) before tunnel 2130 alarms are generated"; 2131 } 2132 } 2133 container qos { 2134 description 2135 "Configure the IPSec QoS priority queuing policy"; 2136 list policy { 2137 key "name"; 2138 leaf name { 2139 type string; 2140 description 2141 "Specify IPSec QoS priority queuing name"; 2142 } 2143 description 2144 "Configure IPSec QoS priority queuing name"; 2145 container pq { 2146 description 2147 "Configure IPSec QoS priority queuing policy"; 2148 leaf num-queues { 2149 
type uint8 { 2150 range "1 | 4"; 2151 } 2152 description 2153 "IPSec QoS Number of queues is either 1 or 4"; 2154 } 2155 } 2156 } 2157 } 2158 container redundancy { 2159 description 2160 "Configure redundancy for IPSec"; 2161 leaf inter-chassis { 2162 type empty; 2163 description 2164 "Set redundancy at chassis level"; 2165 } 2166 } 2167 container security-association { 2168 description 2169 "Configure the IPSec Security Association (SA)"; 2170 list ipsec-sa { 2171 key "name"; 2172 leaf name { 2173 type string; 2174 description 2175 "Specify IPSec Security Association (SA) name"; 2176 } 2177 description 2178 "Configure IPSec Security Association (SA)"; 2179 leaf anti-replay-window { 2180 type uint16 { 2181 range "0 | 32..1024"; 2182 } 2183 description 2184 "Specify replay window size"; 2185 } 2186 leaf ip-comp { 2187 type empty; 2188 description 2189 "Enables IPCOMP, which uses the IP payload compression 2190 protocol to compress IP security (IPsec) packets 2191 before encryption"; 2192 } 2193 container in { 2194 description 2195 "Configure inbound SA"; 2196 uses ipsec-sa-ah-grouping; 2197 uses ipsec-sa-esp-grouping; 2198 } 2199 container out { 2200 uses ipsec-sa-ah-grouping; 2201 uses ipsec-sa-esp-grouping; 2202 description 2203 "Configure outbound SA"; 2204 } 2205 } 2206 } 2207 container proposal { 2208 description 2209 "IPSec Proposal Profile"; 2210 list ipsec-proposal { 2211 key "name"; 2212 uses ipsec-proposal-grouping; 2213 description 2214 "Configure the IP Security (IPSec) proposal"; 2215 } 2216 } 2217 container policy { 2218 description 2219 "Configure the IPSec policy"; 2220 list ipsec-policy { 2221 key "name"; 2222 uses ipsec-policy-grouping; 2223 description 2224 "Specify an IPSec policy name"; 2225 } 2226 } 2227 } 2229 /*--------------------------*/ 2230 /* Operational State Data */ 2231 /*--------------------------*/ 2232 grouping ike-proposal-state-components { 2233 description 2234 "IKE Proposal operational state"; 2235 list proposal { 2236 
description 2237 "Operational data for IKE Proposal"; 2238 leaf name { 2239 type string { 2240 length "1..50"; 2241 } 2242 description 2243 "Name of the IKE proposal."; 2244 } 2245 leaf lifetime { 2246 type uint32; 2247 units "seconds"; 2248 description 2249 "lifetime"; 2250 } 2251 leaf encryption { 2252 type ike-encryption-algorithm-t; 2253 description 2254 "Encryption algorithm"; 2255 } 2256 leaf dh-group { 2257 type diffie-hellman-group-t; 2258 description 2259 "Diffie-Hellman group."; 2260 } 2261 leaf authentication { 2262 type ike-integrity-algorithm-t; 2263 description 2264 "authentication"; 2265 } 2266 } 2267 } 2269 grouping ike-policy-state-grouping { 2270 description 2271 "IKE Policy State."; 2272 list policy { 2273 description 2274 "Operational data for IKE policy"; 2275 leaf name { 2276 type string { 2277 length "1..50"; 2278 } 2279 description 2280 "Name of the IKE Policy."; 2281 } 2282 leaf description { 2283 type string; 2284 description 2285 "Description for IKE Policy."; 2286 } 2287 leaf mode { 2288 type enumeration { 2289 enum aggressive { 2290 description 2291 "Aggressive mode."; 2292 } 2293 enum main { 2294 description 2295 "Main mode."; 2296 } 2297 } 2298 description 2299 "IKE policy mode."; 2300 } 2301 leaf connection-type { 2302 type connection-type-t; 2303 description 2304 "IKE policy connection type."; 2306 } 2307 leaf local-identity { 2308 type inet:ipv4-address-no-zone; 2309 description 2310 "IP address of the local identity."; 2311 } 2312 leaf remote-identity { 2313 type inet:ipv4-address-no-zone; 2314 description 2315 "IP address of the remote identity."; 2316 } 2317 leaf pre-shared-key { 2318 type string; 2319 description 2320 "Pre-shared key"; 2321 } 2322 leaf seq { 2323 type uint32; 2324 description 2325 "sequence number"; 2326 } 2327 leaf proposal { 2328 type string; 2329 description 2330 "proposal name"; 2331 } 2332 } 2333 } 2335 grouping ikev2-proposal-state-components { 2336 description 2337 "IKEv2 Operational state"; 2338 list 
proposal { 2339 description 2340 "IKEv2 proposal operational data"; 2341 leaf name { 2342 type string; 2343 description 2344 "Name of IKEv2 Proposal."; 2345 } 2346 leaf pseudo-random-function { 2347 type pseudo-random-function-t; 2348 description 2349 "Pseudo Random Function for IKEv2."; 2350 } 2351 leaf authentication { 2352 type ike-integrity-algorithm-t; 2353 description 2354 "authentication"; 2356 } 2357 leaf encryption { 2358 type ike-encryption-algorithm-t; 2359 description 2360 "Encryption algorithm"; 2361 } 2362 leaf dh-group { 2363 type diffie-hellman-group-t; 2364 mandatory true; 2365 description 2366 "Diffie-Hellman group."; 2367 } 2368 } 2369 } 2371 grouping ipsec-policy-state-grouping { 2372 description 2373 "IPSec operational state"; 2374 list policy { 2375 description 2376 "IPSec policy operational data"; 2377 leaf name { 2378 type string; 2379 description 2380 "IPSec Policy name."; 2381 } 2382 leaf anti-replay-window { 2383 type uint32; 2384 description 2385 "replay window size"; 2386 } 2387 leaf perfect-forward-secrecy { 2388 type diffie-hellman-group-t; 2389 description 2390 "Diffie-Hellman group for perfect-forward-secrecy"; 2391 } 2392 list seq { 2393 description 2394 "Sequence number"; 2395 leaf seq-id { 2396 type uint32; 2397 description 2398 "Sequence number"; 2399 } 2400 leaf proposal-name { 2401 type string; 2402 description 2403 "IPSec proposal name"; 2404 } 2406 } 2407 } 2408 } 2409 grouping ipsec-proposal-state-grouping { 2410 description 2411 "IPSec proposal operational data"; 2412 list proposal { 2413 description 2414 "IPSec proposal operational data"; 2415 leaf name { 2416 type string; 2417 description 2418 "IPSec Proposal name"; 2419 } 2420 leaf ah { 2421 type ike-integrity-algorithm-t; 2422 description 2423 "Authentication Header (AH)."; 2424 } 2425 container esp { 2426 description 2427 "Encapsulating Security Payload (ESP)."; 2428 leaf authentication { 2429 type ike-integrity-algorithm-t; 2430 description 2431 "ESP authentication"; 
        }
        leaf encryption {
          type ike-encryption-algorithm-t;
          description
            "ESP encryption";
        }
      }
      leaf ip-comp {
        type empty;
        description
          "IPSec proposal IP-COMP which uses the IP Payload "+
          "compression protocol to compress IP Security (IPSec) "+
          "packets before encryption";
      }
      container lifetime {
        description
          "lifetime for IPSEC SAs";
        leaf kbytes {
          type uint32;
          description
            "lifetime kbytes for IPSEC SAs";
        }
        leaf seconds {
          type uint32;
          description
            "lifetime seconds for IPSEC SAs";
        }
      }
    }
  }

  grouping ipsec-alarms-state-grouping {
    description
      "IPSec alarms operational data";
    leaf hold-down {
      type uint32;
      description
        "Hold-down value";
    }
  }

  grouping ipsec-sa-ah-state-grouping {
    description
      "IPSec SA's AH operational data";
    leaf spi {
      type uint32;
      description
        "Security Parameter Index (SPI) value";
    }
    leaf description {
      type string;
      description
        "the description.";
    }
    leaf authentication-algorithm {
      type ike-integrity-algorithm-t;
      description
        "Authentication algorithm";
    }
    leaf encryption-algorithm {
      type ike-encryption-algorithm-t;
      description
        "Encryption algorithm";
    }
  }

  grouping ipsec-sa-state-grouping {
    description
      "IPSec Security Association Operational data";
    list sa {
      description
        "IPSec SA operational data";
      leaf name {
        type string;
        description
          "Specify IPSec Security Association (SA) name";
      }
      leaf anti-replay-window {
        type uint16;
        description
          "replay window size";
      }
      leaf ip-comp {
        type empty;
        description
          "Enables IPCOMP, which uses the IP payload compression
           protocol to compress IP security (IPsec) packets before
           encryption";
      }
      uses
        ipsec-sa-ah-state-grouping;
    }
  }

  container ike-state {
    config "false";
    uses ike-proposal-state-components;
    uses ike-policy-state-grouping;
    description
      "Contain the operational data for IKE.";
  }

  container ikev2-state {
    config "false";
    uses ikev2-proposal-state-components;
    uses ike-policy-state-grouping;
    description
      "Contain the operational data for IKEv2.";
  }

  container ipsec-state {
    config "false";
    uses ipsec-policy-state-grouping;
    uses ipsec-proposal-state-grouping;
    uses ipsec-alarms-state-grouping;
    uses ipsec-sa-state-grouping;
    description
      "Contain the operational data for IPSec.";
  }

  /*--------------------*/
  /* RPC */
  /*--------------------*/
  rpc clear-ipsec-group {
    description
      "RPC for clear ipsec states";
    input {
      leaf alarm-hold-down {
        type uint8;
        description
          "IPSec alarm hold-down";
      }
      leaf ipsec-policy-name {
        type leafref {
          path "/eipsec:ipsec/eipsec:policy/"+
               "eipsec:ipsec-policy/eipsec:name";
        }
        description
          "IPSec Policy name.";
      }
    }
  }

  rpc clear-ike-group {
    description
      "RPC for clear IKE states";
    input {
      leaf proposal {
        type leafref {
          path "/eipsec:ike/eipsec:proposal/"+
               "eipsec:name";
        }
        description
          "IPSec IKE Proposal name.";
      }
    }
  }

  rpc clear-ikev2-group {
    description
      "RPC for clear IKEv2 states";
    input {
      leaf proposal {
        type leafref {
          path "/eipsec:ikev2/eipsec:proposal/"+
               "eipsec:name";
        }
        description
          "IPSec IKEv2 Proposal name.";
      }
    }
  }

} /* module ericsson-ipsec */

5.  Security Considerations

   The configuration, state, and action data defined in this document
   are designed to be accessed via the NETCONF protocol [RFC6241].
   The data model by itself does not create any security implications.
   The security considerations for the NETCONF protocol are applicable.
   The NETCONF protocol used for sending the data supports
   authentication and encryption.

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2234]  Crocker, D. and P. Overell (Editors), "Augmented BNF for
              Syntax Specifications: ABNF", RFC 2234, Internet Mail
              Consortium and Demon Internet Ltd., November 1997.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6021]  Schoenwaelder, J., "Common YANG Data Types", RFC 6021,
              October 2010.

   [RFC6241]  Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
              Bierman, "Network Configuration Protocol (NETCONF)",
              RFC 6241, June 2011.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", RFC 5996, October 2014.

   [RFC6071]  Frankel, S. and S. Krishnan, "IP Security (IPSec) and
              Internet Key Exchange (IKE) Document Roadmap", RFC 6071,
              February 2011.

6.2.  Informative References

   [RFC6087]  Bierman, A., "Guidelines for Authors and Reviewers of YANG
              Data Model Documents", RFC 6087, January 2011.

Authors' Addresses

   Khanh Tran
   Ericsson
   300 Holger Way
   San Jose, CA 95134
   USA

   Email: khanh.x.tran@ericsson.com
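The ipsec-state container above exposes the values an operator most wants to check on a running device: whether the anti-replay window is enabled on each policy and SA, whether a policy negotiates perfect forward secrecy, whether each proposal binds an SA lifetime, and whether an ESP proposal pairs encryption with integrity protection. The following Python script is an added example, not part of this draft or of the ericsson-ipsec module, that reads a constructed NETCONF reply for ipsec-state and reports such weak settings. The namespace URI, the sample algorithm and group names, and the severity labels are assumptions; the excerpt shows neither the module's namespace statement nor the definitions of its algorithm types, so the element names are taken from the groupings and everything else is a placeholder.

```python
"""Audit a NETCONF reply for the ipsec-state container defined above.

Added example, not code from the draft or from the Ericsson module.
Element names follow the ipsec-policy-state-grouping,
ipsec-proposal-state-grouping and ipsec-sa-state-grouping groupings;
the namespace and the algorithm values are constructed placeholders.
"""
import xml.etree.ElementTree as ET

# Placeholder: the draft excerpt does not show the module's namespace.
NS = "urn:example:ericsson-ipsec-placeholder"
Q = "{%s}" % NS

# Constructed sample of what a <get> reply for /ipsec-state might carry.
# Algorithm and group names are illustrative, not values from the draft.
SAMPLE_XML = f"""
<ipsec-state xmlns="{NS}">
  <policy>
    <name>site-a</name>
    <anti-replay-window>64</anti-replay-window>
    <perfect-forward-secrecy>group14</perfect-forward-secrecy>
    <seq><seq-id>10</seq-id><proposal-name>esp-aes-sha</proposal-name></seq>
  </policy>
  <policy>
    <name>legacy</name>
    <anti-replay-window>0</anti-replay-window>
    <seq><seq-id>10</seq-id><proposal-name>esp-des</proposal-name></seq>
  </policy>
  <proposal>
    <name>esp-aes-sha</name>
    <esp><authentication>hmac-sha256</authentication>
         <encryption>aes256-cbc</encryption></esp>
    <lifetime><seconds>3600</seconds><kbytes>102400</kbytes></lifetime>
  </proposal>
  <proposal>
    <name>esp-des</name>
    <esp><encryption>des-cbc</encryption></esp>
  </proposal>
  <sa>
    <name>sa-1</name>
    <anti-replay-window>0</anti-replay-window>
    <spi>305419896</spi>
    <authentication-algorithm>hmac-sha1</authentication-algorithm>
    <encryption-algorithm>aes128-cbc</encryption-algorithm>
  </sa>
</ipsec-state>
"""


def _text(el, child):
    """Text of a direct child leaf, or None if the leaf is absent/empty."""
    node = el.find(Q + child)
    return node.text.strip() if node is not None and node.text else None


def _window_disabled(el):
    """True when anti-replay-window is missing or zero (replay check off)."""
    value = _text(el, "anti-replay-window")
    return value is None or int(value) == 0


def audit_ipsec_state(xml_text):
    """Return sorted (severity, path, message) findings for one reply."""
    root = ET.fromstring(xml_text)
    findings = []
    proposals = set()

    for prop in root.findall(Q + "proposal"):
        name = _text(prop, "name")
        proposals.add(name)
        esp = prop.find(Q + "esp")
        # ESP with encryption but no integrity algorithm: unauthenticated
        # encryption, the case the esp container's two leaves let us detect.
        if esp is not None and _text(esp, "encryption") \
                and not _text(esp, "authentication"):
            findings.append(("high", f"proposal/{name}/esp",
                             "ESP encryption without integrity protection"))
        lifetime = prop.find(Q + "lifetime")
        if lifetime is None or (_text(lifetime, "seconds") is None
                                and _text(lifetime, "kbytes") is None):
            findings.append(("medium", f"proposal/{name}/lifetime",
                             "no SA lifetime bound in seconds or kbytes"))

    for pol in root.findall(Q + "policy"):
        name = _text(pol, "name")
        if _window_disabled(pol):
            findings.append(("high", f"policy/{name}/anti-replay-window",
                             "anti-replay window disabled"))
        if _text(pol, "perfect-forward-secrecy") is None:
            findings.append(("medium",
                             f"policy/{name}/perfect-forward-secrecy",
                             "no Diffie-Hellman group for PFS"))
        for seq in pol.findall(Q + "seq"):
            ref = _text(seq, "proposal-name")
            if ref not in proposals:
                findings.append(("low",
                                 f"policy/{name}/seq/{_text(seq, 'seq-id')}",
                                 f"references unknown proposal {ref!r}"))

    for sa in root.findall(Q + "sa"):
        name = _text(sa, "name")
        if _window_disabled(sa):
            findings.append(("high", f"sa/{name}/anti-replay-window",
                             "anti-replay window disabled"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, path, message in audit_ipsec_state(SAMPLE_XML):
        print(f"{severity:6} {path}: {message}")
```

On the constructed sample the script reports five findings: the legacy policy and SA sa-1 both have the replay window at zero, the esp-des proposal encrypts without an integrity algorithm and carries no lifetime, and the legacy policy sets no PFS group. The same checks run unchanged on a real reply once NS is set to the module's actual namespace.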