idnits 2.17.1 draft-tran-ipsecme-ikev2-yang-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == The page length should not exceed 58 lines per page, but there was 7 longer pages, the longest (page 18) being 60 lines Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** There are 98 instances of too long lines in the document, the longest one being 22 characters in excess of 72. == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 659 has weird spacing: '...-length uin...' == Line 664 has weird spacing: '...gorithm ike...' == Line 667 has weird spacing: '...gorithm ike...' == Line 670 has weird spacing: '...gorithm ike...' == Line 674 has weird spacing: '...-length uin...' == (10 more instances...) -- The document date (March 18, 2016) is 2961 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC7256' is mentioned on line 238, but not defined == Missing Reference: 'CERTREQ' is mentioned on line 403, but not defined == Unused Reference: 'RFC2234' is defined on line 3456, but no explicit reference was found in the text == Unused Reference: 'RFC6020' is defined on line 3460, but no explicit reference was found in the text == Unused Reference: 'RFC6021' is defined on line 3464, but no explicit reference was found in the text == Unused Reference: 'RFC6071' is defined on line 3475, but no explicit reference was found in the text == Unused Reference: 'RFC6087' is defined on line 3481, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2234 (Obsoleted by RFC 4234) ** Obsolete normative reference: RFC 6021 (Obsoleted by RFC 6991) ** Obsolete normative reference: RFC 5996 (ref. 'RFC7296') (Obsoleted by RFC 7296) ** Downref: Normative reference to an Informational RFC: RFC 6071 -- Obsolete informational reference (is this intentional?): RFC 6087 (Obsoleted by RFC 8407) Summary: 6 errors (**), 0 flaws (~~), 16 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network Working Group K. Tran 2 Internet Draft D. Migault 3 Intended status: Standard Track Ericsson 4 Expires: September 18, 2016 H. Wang 5 V. Nagaraj 6 X. Chen 7 Huawei Technologies 8 March 18, 2016 10 Yang Data Model for IKEv2 11 draft-tran-ipsecme-ikev2-yang-00.txt 13 Abstract 15 This document defines a YANG data model that can be used to 16 configure and manage Internet Key Exchange version 2 (IKEv2). The 17 model covers the IKEv2 protocol configuration and operational state. 19 Status of this Memo 21 This Internet-Draft is submitted in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF), its areas, and its working groups. Note that 26 other groups may also distribute working documents as Internet- 27 Drafts. 29 Internet-Drafts are draft documents valid for a maximum of six 30 months and may be updated, replaced, or obsoleted by other documents 31 at any time. It is inappropriate to use Internet-Drafts as 32 reference material or to cite them other than as "work in progress." 34 The list of current Internet-Drafts can be accessed at 35 http://www.ietf.org/ietf/1id-abstracts.txt 37 The list of Internet-Draft Shadow Directories can be accessed at 38 http://www.ietf.org/shadow.html 40 This Internet-Draft will expire on November 18, 2016. 42 Copyright Notice 44 Copyright (c) 2016 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with 52 respect to this document. Code Components extracted from this 53 document must include Simplified BSD License text as described in 54 Section 4.e of the Trust Legal Provisions and are provided without 55 warranty as described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction...................................................3 60 2. Conventions used in this document..............................3 61 3. IKEv2 protocol Overview........................................4 62 3.1. IKEv2 Transport Attributes................................4 63 3.2. IKEv2_INIT Exchange.......................................8 64 IKEv2_INIT Exchange Configuration Attributes:..................9 65 3.3. Creation of the IKE_SA...................................12 66 3.4. IKE_AUTH Exchange........................................14 67 3.5. IKEv2 Configuration Data Model...........................17 68 3.6. IKEv2 Operation Data Model...............................24 69 4. IKEv2 Crypto YANG Module......................................26 70 5. IKEv2 YANG Module.............................................46 71 6. Security Considerations.......................................75 72 7. References....................................................75 73 7.1. Normative References.....................................75 74 7.2. Informative References...................................76 76 1. Introduction 78 This document introduces a YANG data model for the Internet Exchange 79 Key version 2 (IKEv2) protocol. The model discussed in this 80 document covers IKEv2 [RFC7296] and other generic enhancements that 81 pertain to the base protocol operation. The YANG data model is 82 defined for the following constructs that are used for managing the 83 IKEv2 protocol including configuration and operational state. 85 2. Conventions used in this document 87 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 88 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 89 document are to be interpreted as described in RFC-2119 [RFC2119]. 91 In this document, these words will appear with that interpretation 92 only when in ALL CAPS. Lower case uses of these words are not to be 93 interpreted as carrying RFC-2119 significance. 95 In this document, the characters ">>" preceding an indented line(s) 96 indicates a compliance requirement statement using the key words 97 listed above. This convention aids reviewers in quickly identifying 98 or finding the explicit compliance requirements of this RFC. 100 3. IKEv2 protocol Overview 102 This section provides a high level overview of IKEv2 [RFC7296] to 103 make the YANG model more comprehensive. The intent of this section 104 is to fill the gap between the IKEv2 specifications and its 105 associated YANG model. It is expected to clarify the YANG model, for 106 those that are more familiar to the IKEv2 specifications, and 107 provide some IKEv2 background for those that are more familiar to 108 YANG models. 110 Note that the purpose of IKEv2 standard is to provide 111 interoperability whereas the YANG model provides an implementation 112 independent way to configure IKEv2 daemons. With these different 113 goals application-dependent parameters or parameters that 114 interoperability-independent (like the life time of the IKE SA for 115 example) are not mentioned in the IKEv2 standard but needs to be 116 specified in the YANG model. 118 IKEv2 can be designed as a single monolithic daemon that is 119 configured in a single manner for all initiated and responding IKEv2 120 negotiation. On the other hand, IKEv2 can also be view as a daemon 121 that can enable some specific configuration for each peer. This 122 would mean for example that the IKE_SA could be set differently 123 according to the peer. In addition to these different levels of 124 configuration granularities, the IKEv2 daemon is not always aware of 125 the peer identity. When it acts as a responder, for example, the 126 peer ID is only known during the IKE_AUTH exchange, which means that 127 during the previous exchange (IKE_INIT) the IKEv2 daemon is likely 128 not to apply a per peer policy. 130 In order to address the multiple possible configurations the IKEv2 131 configuration and variables are subdivided into different modules. 132 An IKEv2 daemon needs to have all these modules to be specified, 133 however, each module may be specified at different level in the 134 tree. More specifically, module may be set for the global 135 implementation or for each peer. 137 3.1. IKEv2 Transport Attributes 139 This section provides the attributes used to enable the transport of 140 the IKEv2 messages between the initiator and the peer. The transport 141 often needs configuration attributes that define the behavior of the 142 IKEv2 daemon according to operational attributes (or counters). 144 IKEv2 Header defines the attributes that identifies the IKE session 145 between the peers. Although the configuration attributes may be 146 common for the whole implementation, it is expected that the 147 operational attributes are defines from each session, that is for 148 each IKE_SA. These attributes are provided in the header and are 149 described in [RFC7296] section 3.1. Although the IKE header contains 150 also attributes such as Message IDs, and flags for example that 151 indicate if corresponds to a query or a response, these headers 152 attributes are not considers as operational attributes of the IKE 153 header, instead, these are considered as operational attribute of 154 the Anti-Replay Mechanism. The attributes associated to the IKEv2 155 Header are thus: 157 . MjVer: defines the major version. As defined in [RFC7296] 158 section 3.1 implementations that of [RFC7296] MUST set this 159 attribute to 2. 160 . MnVer: defines the minor version. As defined in [RFC7296] 161 section 3.1 implementations that of [RFC7296] MUST set this 162 attribute to 0. 163 . SPI-generation-policies: defines how the SPI are expected to be 164 generated. Most likely SPIs will randomly generate. On the 165 other hand, it may be needed for some deployment such as 166 clusters to be able to reduce the spectrum of these SPIs. 167 . Initiator SPI: defines the SPI assigned by the Initiator to 168 index the inbound messages to the appropriated IKE_SA. The SPIs 169 are agreed between the peers after the IKE_INIT exchange and 170 are not part of the configuration parameters. 171 . Responder SPI: defines the SPI assigned by the Responder to 172 index the inbound messages to the appropriated IKE_SA. 174 IKEv2 Header Configuration Attributes # [RFC7296] section 3.1 175 - MjVer: The IKEv2 Major version (set to 2) 176 - MnVer: The IKEv2 Minor version (set to 0) 177 - SPI-generation-policies 179 IKEv2 Header Operational Attributes (1 per IKE_SA) 180 - Initiator SPI 181 - Responder SPI 183 Anti-Replay Mechanism describes when message should be rejected or 184 considered by the IKEv2 daemon. The anti-replay mechanism is defined 185 for each session. Although the configuration attributed may be 186 shared for the whole IKEv2 daemon, the operational attributes are 187 expected to be duplicated for each IKE_SA. The following attributes 188 are thus considered. 190 . Window Size defines how much parallel exchange can be performed 191 between the peers. By default this value is set to 1. When 192 greater than 1, as defined in [RFC7296] section 2.3, a 193 SET_WINDOW_SIZE Notify Payloads will be sent by the peer to 194 agree with the other peer on the Window Size. After this 195 exchange succeeds, the operational attribute that defines the 196 Window Size used by the IKE_SA, will be updated with the value 197 agreed by the peers. 198 . Optional Enable INVALID_MESSAGE_ID defines whether an optional 199 INVALID_MESSAGE_ID Notify Payload is sent when the IKEv2 200 message received is outside the Operational Window Size. 201 . Operational Window Size defines the Window size considered by 202 the IKE_SA. When the IKE_SA is created, it is set to 1. This 203 value is updated only once the peers have agreed on another 204 Window Size value with the SET_WINDOW_SIZE informational 205 exchange. 206 . Peer Request MESSAGE ID stores the Message ID of the last 207 request received by the peer. 208 . Peer Request MESSAGE ID stores the Message ID of the last 209 response received by the peer. 210 . Local Request MESSAGE ID stores the Message ID of the last 211 request received by the local host. 212 . Local Request MESSAGE ID stores the Message ID of the last 213 response received by the local host. 215 Anti-Replay Mechanism Configuration Attributes 216 - Window Size # [RFC7296] section 2.3 217 - Optional Enable INVALID_MESSAGE_ID # [RFC7296] section 2.3 219 Anti-Replay Mechanism Operational Attributes (1 per IKE_SA) 220 - Operational Window Size = 1 # [RFC7296] section 2.3 221 - Peer Request MESSAGE ID # [RFC7296] section 2.2 222 - Peer Response MESSAGE_ID # [RFC7296] section 2.2 223 - Local Request MESSAGE_ID # [RFC7296] section 2.2 224 - Local Response MESSAGE_ID # [RFC7296] section 2.2 226 IKEv2 Retransmission defines the necessary attributes to manage the 227 retransmission of message by the IKEv2 daemon. Such attributes are not 228 necessary for interoperability and as such are not defined in 229 [RFC7296]. However, retransmission mechanism is described in [RFC7296] 230 section 2.1. Although the configuration mechanism may be common to the 231 IKEv2 daemon, the operational attributes are expected to be defined for 232 each IKE_SA exchange. The number of parallel IKEv2 exchange is defined 233 by Window Size. 235 . Max Retries: [RFC7256] section 2.1 mentions that when 236 retransmission fails, all states associated to the IKE SA MUST 237 be removed. 238 . Initial Retransmission Timeout: [RFC7256] section 2.1 mentions 239 the retransmission timeout is not expected to be a fix value, 240 but instead it should depend on the on number of retries. How 241 the retransmission-timer value is set depends on the 242 Retransmission Timer Policy. 243 . Retransmission Timer Policy: defines of the Retransmission 244 Timer should be computed. 245 . Response Buffer Timeout: (section 2.1 of RFC7256). This timer 246 set when the response buffer can be clean when the message ID 247 is not being updated. It value is expected to be in the order 248 of several minutes. 249 . Retries: Defines the number of retries for a given exchange. 250 The number of exchange is defined by the Window Size. 251 . Retransmission Timeout: is an operational attribute that set 252 how long the IKEv2 daemon should wait until a retransmission 253 occurs. This attribute is derived from the Retransmission Timer 254 Policy and the Initial Retransmission Timeout. 255 . Retransmission Timer: is an operational attribute that defines 256 the time the response is being waited for. When its value 257 reaches, Retransmission Timeout, a retransmission occurs. This 258 Timer is set for each exchange. 259 . Response Buffer Timer: is an operational value that counts the 260 time each Message ID is stored. There is a timer associated to 261 each Message ID. 263 IKEv2 Retransmission Configuration Attributes 264 - Max Retries # [RFC7296] section 2.1 265 - Initial Retransmission Timeout # [RFC7296] section 2.1 266 - Retransmission Timeout Policy 267 - Max Response Buffer Timeout # [RFC7296] section 2.1 268 - Keep-Alive Timeout 269 - NAT Keep-Alive Timeout 271 IKEv2 Retransmission Operational Attributes (Window Size per IKE_SA) 272 - Retries 273 - Retransmission Timeout 274 - Retransmission Timer 275 - Response Buffer Timer 276 - Keep-Alive Timer 277 - NAT Keep-Alive Timer 279 IKEv2 COOKIE MECHANISM Configuration Attributes 280 - COOKIE Lifetime 281 - Half Open IKE_SA Threshold 283 IKEv2 COOKIE MECHANISM Operational Attributes (Window Size per 284 IKE_SA) 285 - Half Open IKE_SA Counter 287 IKEv2 VENDOR ID Configuration Attributes 289 - OPAQUE VALUES 291 3.2. IKEv2_INIT Exchange 293 This section provides the necessary configuration attributes so the 294 IKE_INIT exchange can be performed. 296 Authorized DH is an ordered list that contains DH Transform. DH 297 Transforms are ordered by preference. Such ordering avoids setting 298 an additional preference field. The Initiator will choose the first 299 and most preferred DH Transform to initiate the IKE_INIT. The DH 300 public key will be generated and the chosen DH Transform will be 301 included into the Transform Type 4 of the SAi1. If the DH Transform 302 is not accepted by the Responder, the Initiator may check the 303 acceptable DH Transform of the responder is acceptable by the 304 initiator. 306 IKE_SA Proposals defines the proposals similarly to the proposals 307 structure of SA1i. Note that the IKEv2 daemon is expected to place 308 the appropriated Transform of Type 4, that it the chosen DH 309 Transform. In addition, the IKEv2 daemons associates each transform 310 to an ID to build SA1i. 312 Optional IKE_INIT Responder CERTREQ indicates whether the 313 Certification authority supported by the responder should be added 314 into the response. 316 Authorized Certification Authorities lists the CA considered by the 317 responder. 319 Supported IKEv2 Options defines the option supported by the IKEv2 320 daemon. Some options should be considered in the IKE_INIT exchange, 321 other should be considered in the IKE_AUTH exchange. To avoid 322 duplication of the supported IKEv2 Options, they are all indicated 323 here. Each Option may be associated some specific configuration and 324 operational attributes detailed. 326 IKEv2_INIT Exchange Configuration Attributes: 328 ## Attributes Model is common to object so it is defined as 329 ## a preambule 330 Attributes [list] 331 - Attribute 332 - Attribute Type 333 - Attribute Value 335 ## Ordered list of the authorized DH 336 Authorized DH [list] 337 - DH Transform 338 - Name 339 - Attributes 341 ## Ordered list of proposals, the preference is indicated by the Num 342 IKE_SA Proposals [list] 343 - IKE_SA Proposal 344 - Proposal Num # specify the order the proposals are sent. 345 # Need to check there are no two identical 346 # numbers 347 - Protocol: IKE # It has a fix value 348 - Transform Type 1: Encryption Algorithm [list] 349 - ENCR Transform 350 - Name 351 - Attributes 352 - Transform Type 2: PRF [list] 353 - PRF Transform 354 - Name 355 - Transform Type 3: Integrity check Algorithm [list] 356 - INTEG Transform 357 - Name 358 - Attributes 359 ##- Transform Type 4: Diffie Hellman Group 360 ## RFC7296 this MUST be the DH Transform used in the KEi 362 ## lists the authorized Certification Authorities 363 Authorized Certification_Authorities [list] 364 - Certification Authority 365 - Cert Encoding 366 - Cert Value 368 Optional IKE_INIT Responder CERTREQ 370 ## IKEv2 options 371 Supported IKEv2 Options 372 ## sent during the IKE_INIT 373 - NAT_DETECTION_SOURCE_IP 374 - NAT_DETECTION_DESTINATION_IP 375 - REDIRECT_SUPPORTED 376 - IKEV2_FRAGMENTATION_SUPPORTED 377 ## sent during the IKE_AUTH 378 - MOBIKE_SUPPORTED 379 - ROHC_SUPPORTED 380 - CHILDLESS_IKEV2_SUPPORTED 381 - IKEV2_MESSAGE_ID_SYNC_SUPPORTED 382 - IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED 383 - ERX_SUPPORTED 384 - CLONE_IKE_SA_SUPPORTED 386 Section 1 of [RFC7296] provides a description of the IKEv2 387 exchanges. The purpose of the first exchange is that the initiator 388 and the responder are able to set a IKE SA. The IKE SA can be seen 389 as a control channel between the initiator and the responder that 390 will be used for further negotiations. To reach an agreement on the 391 IKE SA, the initiator and the responder must agree on the SKEYSEED 392 (KEi, Ni KEr, Nr payloads) that is a Diffie Hellman value and nonces 393 used to derived the cryptographic keys for the IKE SA and further 394 IPsec SA or Child SA. In addition, the initiator and the respond 395 must agree on how the IKE SA will use the cryptographic material 396 (SAi1, SAr1). 398 The IKE_INIT exchange is represented below: 400 Initiator Responder 401 ------------------------------------------------------------------- 402 HDR, SAi1, KEi, Ni --> 403 <-- HDR, SAr1, KEr, Nr, [CERTREQ] 405 All header of the IKEv2 payloads have a header which is built from 406 the IKEv2 Header values as well as the IKE_SA for the SPI values. 408 KEi is derived from Authorized DH that is an ordered list of DH 409 parameters. The public key is not stored into the model and is 410 computed by the initiator. The chosen transform MUST be inserted in 411 Transform 4 of IKE_SA Proposal in SA1i. 413 KEr is able to determine whether KEi is acceptable from the 414 Authorized DH. In case the the KEi is not acceptable, the responder 415 responds with an INVALID_KE_PAYLOAD. 417 SAi1 is derived from IKE_SA Proposals and KEi 419 SAr1: is derived by comparing the proposals from SA1i and the IKE_SA 420 Proposals. The responder is able to chose the appropriated IKE 421 proposal as well as to define whether none of the SAi1 is 422 acceptable. 424 Optional IKE_INIT Responder CERTREQ indicates whether the responder 425 sends CERTREQ payloads, the following attribute should be defined. 426 When set to true, one CERTREQ payload is provided per Certification 427 Authority in the Authorized Certification Authority. 429 When the NAT_DETECTION_SOURCE_IP, NAT_DETECTION_DESTINATION_IP, 430 REDIRECT_SUPPORTED or IKEV2_FRAGMENTATION_SUPPORTED have been 431 enabled, then additional notify payloads are added by the initiator. 432 Unless not supported by the responder, the responder responds to 433 them with an additional Notify payload. 435 3.3. Creation of the IKE_SA 437 In this model, it is assumed that the IKE_SA represents the relation 438 between the initiator and the responder. It is expected that the 439 IKE_SA model is created as soon as a peer initiates a IKE_INIT 440 exchange as well as a peer receives a new IKE_INIT request. Of 441 course this is implementation dependent, but the model relies on 442 this assumption. 444 The IKE_SA information model is represented with the following 445 attributes: 447 - Role: defines if the local peer acts as an initiator or as a 448 responder. 449 - Local IP address: defines the IP address used by the local 450 peer. 451 - Remote IP address: defines the IP address of the remote peer. 452 - Cryptographic material is derived after the IKE_INIT exchange. 453 The IKE_SA may keep the original material SKEYSEED and Nonces 454 Ni, Nr used to generate the necessary keys SK_d, SK_ai, SK_ar, 455 SK_ei, SK_er, SK_pi, SK_pr. The following keys are used to 456 protect the exchange. 457 - IKE SA Proposal: the agreed IKE_SA proposal. 458 - IKEv2 Header: the header with the agreed SPI values. 459 - IKEv2 Anti Replay Mechanism which contains the agreed (or to be 460 agreed Window Size) and current Message IDs. According to 461 RFC7296 section 2.2 Message IDs of the INKE_INIT exchange are 462 set to 0 during the IKE_INIT exchange. 463 - IKEv2 Retransmission CTX that contains the element to enable 464 retransmission for all ongoing exchange. 465 - IDi/IDr, Credentials are defined during the IKE_AUTH exchange. 466 - Vendor IDs. 467 - Supported IKEv2 Option CTX contains all necessary context 468 associated to the different IKEv2 Options. 470 IKE_SA Operational Attributes 472 IKE_SA 473 - Role 474 - Local IP address 475 - Remote IP address 476 - Cryptographic material 477 - SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi, SK_pr 478 - SKEYSEED, Nonces 479 - IKE_SA lifetime 480 - IKE SA Proposal ## cf IKE_INIT section 481 - IKEv2 Header ## cf Transport section 482 - IKEv2 Anti Replay Mechanism ## cf Transport section 483 - IKEv2 Retransmission CTX [list Window Size] ## cf Transport 484 section 485 - IKEv2 Retransmission 486 - IDi ## cf IKE_AUTH section 487 - IDr ## cf IKE_AUTH section 488 - Credentials ## fc IKE_AUTH section 489 - Vendor ID 490 - Supported IKEv2 Option CTX [list] 492 3.4. IKE_AUTH Exchange 494 This section provides the attributes associated to the IKE_AUTH 495 exchange. 497 The IKE_AUTH and CREATE_CHILD_SA exchange is represented below. 498 The IKE_AUTH exchange goal is to authenticate the respective 499 peers and the CREATE_CHILD_SA exchange intends to creates the 500 PIsec SA. 502 HDR, SK {IDi, [CERT,] [CERTREQ,] 503 [IDr,] AUTH, SAi2, 504 TSi, TSr} --> 505 <-- HDR, SK {IDr, [CERT,] AUTH, 506 SAr2, TSi, TSr} 508 Authentication is performed by providing an identity as well as a 509 proof of ownership associated to that identity. The Initiator and 510 Responder may have multiple identities and choose one. The Initiator 511 may choose a specific identity according to the expected responder, 512 and vise versa, the responder may choose a specific identity 513 according to the initiator identity (IDi) as well as the acceptable 514 Certificate Authorities of the initiator (CERTREQ) or the 515 Certificate Authority of the initiator, that is the one used in its 516 Certificate (CERT). 518 Available Signing Capabilities defines the signing capabilities of 519 the IKEv2 daemon. A Signing capability is defined by a method and 520 some Authentication Material such as a public key for example, or a 521 certificate. 523 Available Hash Capabilities and and Available Signature Verification 524 defines which are the acceptable authentication method provided by 525 the remote peer. In other words, outside these Signature 526 Verification and Hash Capabilities the peer will not be able to be 527 authenticated. The difference with Available Signing Capabilities is 528 that in this case, no credentials are required. For example a RSA 529 signature may be checked without the peer own a RSA private key. Has 530 and Signature are placed in different attributes as a signature 531 verification often results in a combination of these two structures. 532 The authentication life time indicates when re-authentication needs 533 to be performed. The minimum of the two values should be considered. 535 Local IDs lists the various IDs the Local IKEv2 daemon may use to 536 identify itself. The Preference field indicates which one should be 537 used preferably, but in most cases, it is expected that the Local Id 538 to use will depend on teh remote peer. 540 Peer is the database of the Peer attributes. A Peer is defined by a 541 list of IDr and a role. Once the Peer has been identified, it may be 542 associated to some specific attributes to proceed the IKE_AUTH 543 exchange. For example, suppose that the Local Peer want to set an 544 IKE session with a Remote Peer, and both Peers have multiple IDs. 545 When the Local Peer wants to reach the Remote Peer, it may use a 546 specific IDi and request a specific IDr for that session. In 547 addition, it can also redefine all configuration attributes 548 previously defined for the IKE-Transport, IKE_INIT and IKE_AUTH. 550 Note that The definition of the Preferred IDr is only mandatory when 551 the Local Peer initiates the exchange, so when the Remote Peer is a 552 responder. In that case, the IDi and IDr will be use to provide the 553 appropriated parameters for the CREATE_CHILD_SA exchange. As 554 detailed in Section 4.4.3 of RFC4301, the PAD use used to provide 555 such binding. 557 Optional attributes defines whether the optional payloads should be 558 added or if an additional notification payload should be exchanged. 560 IKEv2_AUTH Configuration Attributes 562 Available Signing Capabilities [list] 563 - Authentication Method 564 - Authentication Method Name 565 - Authentication Material 566 - Authentication Material Type 567 - Authentication Material Data 569 ## CERT Authentication Material 570 - Authentication Material Type = CERT 571 - Authentication Material Data 572 - Cert Encoding 573 - Cert Value 575 Available Hash Capabilities [list] 576 - Hash Method 577 - Authentication Life Time 579 Available Signature Verification [list] 580 - Authentication Method Name 581 - Authentication Life Time 583 Local IDs [list] 584 - Local ID 585 - preference 586 - ID type 587 - ID value 589 Peers [list] 590 - Peer 591 - PeerIDs [list] # use to identify the peer 592 - IDr 593 - Role initiator / responder / any # this is only to make 594 sure we can have different policies depending on who initiates the 595 communication. 596 - Sessions [list] 597 - Session 598 - Session Label 599 - IDi 600 ## When initiating an IKEv2 exchange with Peer 601 - IDr 602 ## Can set (redefine) all configuration attributes 603 - IKE_Tranport Attributes 604 - IKE_INIT Attributes 605 - IKE_AUTH Attributes 606 - ... 607 - Optional Configuration Request 608 - INTERNAL_ADDRESS 609 - ... 610 - Optional Configuration Reply 611 - INTERNAL_ADDRESS 613 Optional Enable INITIAL_CONTACT #[RFC7296] section 2.4 614 Optional IKE_AUTH Initiator CERTREQ 615 Optional IKE_AUTH Initiator CERT 616 Optional IKE_AUTH Initiator-IDr 617 Optional IKE_AUTH Responder-CERT 619 3.5. IKEv2 Configuration Data Model 621 This section will present the YANG data model for IKEv2. The 622 IKEv2 data model provides the appropriate leaves for configuring the 623 IKEv2 protocol. The IKEv2 YANG data model has the following 624 structure: 626 module: ietf-ikev2 627 +--rw ikev2 {ikev2}? 628 | +--rw transport {ikev2-transport}? 629 | +--rw init {ikev2-init}? 630 | +--rw sa {ikev2-sa}? 631 | +--rw peer* [peer-address] {ikev2-peer}? 633 The tree detail is: 635 +--rw ikev2 {ikev2}? 636 | +--rw transport {ikev2-transport}? 637 | | +--rw base-info 638 | | | +--rw major-version? uint8 639 | | | +--rw minor-version? uint8 640 | | | +--rw spi-generation-policy? string 641 | | +--rw anti-replay-mechanism 642 | | | +--rw window-size? uint32 643 | | | +--rw enable-notify-invalid-msg-id? empty {ikev2-transport-enable-notify- 644 invalid-msg-id}? 645 | | +--rw retransmision {ikev2-transport-retransmission}? 646 | | | +--rw max-retries? uint32 647 | | | +--rw initial-retransmission-timeout? uint32 648 | | | +--rw retransmission-timeout-policy? string 649 | | | +--rw max-response-buffer-timeout? uint32 650 | | | +--rw keepalive-timeout? uint32 651 | | | +--rw nat-keepalive-timeout? uint32 652 | | +--rw cookie-mechanism {ikev2-transport-cookie-mechanism}? 653 | | | +--rw cookie-lifetime? uint32 654 | | | +--rw half-open-ike-sa-threshold? uint32 655 | | +--rw vendor-id? uint64 656 | +--rw init {ikev2-init}? 657 | | +--rw authorized-dh* [dhg key-length] {ikev2-init-authorized-dh}? 658 | | | +--rw dhg ikev2-crypto:ikev2-diffie-hellman-group-t 659 | | | +--rw key-length uint32 660 | | +--rw proposal* [number] 661 | | | +--rw name? string 662 | | | +--rw description? string 663 | | | +--rw transform-encr-algorithm* [encr-algorithm key-length] 664 | | | | +--rw encr-algorithm ikev2-crypto:ikev2-encryption-algorithm-t 665 | | | | +--rw key-length uint32 666 | | | +--rw transform-prf-algorithm* [prf-algorithm key-length] 667 | | | | +--rw prf-algorithm ikev2-crypto:ikev2-pseudo-random-function-t 668 | | | | +--rw key-length uint32 669 | | | +--rw transform-integrity-algorithm* [integrity-algorithm key-length] 670 | | | | +--rw integrity-algorithm ikev2-crypto:ikev2-integrity-algorithm-t 671 | | | | +--rw key-length uint32 672 | | | +--rw transform-dh* [dh key-length] 673 | | | | +--rw dh ikev2-crypto:ikev2-diffie-hellman-group-t 674 | | | | +--rw key-length uint32 675 | | | +--rw number uint32 676 | | | +--rw protocol? ikev2-crypto:ikev2-protocol-identifiers- 677 t 678 | | +--rw optional {ikev2-init-optional}? 679 | | | +--rw nat-detection-source-ip {ikev2-init-nat-detection-src-ip}? 680 | | | | +--rw (ip-address)? 681 | | | | | +--:(ipv4-address) 682 | | | | | | +--rw ipv4-address? inet:ipv4-address 683 | | | | | +--:(ipv6-address) 684 | | | | | +--rw ipv6-address? inet:ipv6-address 685 | | | | +--rw nat-keepalive-interval? uint16 686 | | | +--rw nat-detection-destination-ip {ikev2-init-nat-detection-destination-ip}? 687 | | | | +--rw (ip-address)? 688 | | | | | +--:(ipv4-address) 689 | | | | | | +--rw ipv4-address? inet:ipv4-address 690 | | | | | +--:(ipv6-address) 691 | | | | | +--rw ipv6-address? inet:ipv6-address 692 | | | | +--rw nat-keepalive-interval? uint16 693 | | | +--rw redirect-supported? boolean {ikev2-init-redirect- 694 supported}? 695 | | | +--rw fragmentation-supported? boolean {ikev2-init-fragmentation- 696 supported}? 697 | | | +--rw mobike-supported? boolean {ikev2-auth-mobike- 698 supported}? 699 | | | +--rw rohc-supported? boolean {ikev2-auth-rohc- 700 supported}? 701 | | | +--rw childless-ikev2-supported? boolean {ikev2-auth-childless- 702 supported}? 703 | | | +--rw message-id-sync-supported? boolean {ikev2-auth-message-id- 704 supported}? 705 | | | +--rw ipsec-replay-counter-sync-supported? boolean {ikev2-auth-ipsec-replay- 706 counter-sync-supported}? 707 | | | +--rw erx-supported? boolean {ikev2-auth-erx- 708 supported}? 709 | | | +--rw clone-ike-sa-supported? boolean {ikev2-auth-clone-ike-sa- 710 supported}? 711 | | +--rw auth-method? ikev2-crypto:ikev2-authentication-method-t 712 | | +--rw responder-certreq {ikev2-init-responder-certreq}? 713 | | | +--rw cert-encoding? ikev2-crypto:ikev2-cert-encoding-t 714 | | | +--rw cert-value? uint32 715 | | +--rw config-request 716 | | | +--rw (ip-address)? 717 | | | +--:(ipv4-address) 718 | | | | +--rw ipv4-address? inet:ipv4-address 719 | | | +--:(ipv6-address) 720 | | | +--rw ipv6-address? inet:ipv6-address 721 | | +--rw config-responder 722 | | | +--rw (ip-address)? 723 | | | +--:(ipv4-address) 724 | | | | +--rw ipv4-address? inet:ipv4-address 725 | | | +--:(ipv6-address) 726 | | | +--rw ipv6-address? inet:ipv6-address 727 | | +--rw authorized-cert-auth* [cert-encoding] {ikev2-init-authorized-certification- 728 auth}? 729 | | +--rw cert-encoding ikev2-crypto:ikev2-cert-encoding-t 730 | | +--rw cert-value? uint32 731 | +--rw sa {ikev2-sa}? 732 | | +--rw role? role-t 733 | | +--rw local-ip-address 734 | | | +--rw (ip-address)? 735 | | | +--:(ipv4-address) 736 | | | | +--rw ipv4-address? inet:ipv4-address 737 | | | +--:(ipv6-address) 738 | | | +--rw ipv6-address? inet:ipv6-address 739 | | +--rw remote-ip-address 740 | | | +--rw (ip-address)? 741 | | | +--:(ipv4-address) 742 | | | | +--rw ipv4-address? inet:ipv4-address 743 | | | +--:(ipv6-address) 744 | | | +--rw ipv6-address? inet:ipv6-address 745 | | +--rw cryptgraphic? cryptographic-material-t 746 | | +--rw lifetime? uint32 747 | | +--rw proposal? ikev2-proposal-number-ref 748 | | +--rw base-info 749 | | | +--rw major-version? uint8 750 | | | +--rw minor-version? uint8 751 | | | +--rw spi-generation-policy? string 752 | | +--rw anti-replay-mechanism 753 | | | +--rw window-size? uint32 754 | | | +--rw enable-notify-invalid-msg-id? empty {ikev2-transport-enable-notify- 755 invalid-msg-id}? 756 | | +--rw retransmistion-ctx* [window-id] 757 | | | +--rw window-id uint32 758 | | | +--rw retransmision {ikev2-transport-retransmission}? 759 | | | +--rw max-retries? uint32 760 | | | +--rw initial-retransmission-timeout? uint32 761 | | | +--rw retransmission-timeout-policy? string 762 | | | +--rw max-response-buffer-timeout? uint32 763 | | | +--rw keepalive-timeout? uint32 764 | | | +--rw nat-keepalive-timeout? uint32 765 | | +--rw initiator-id 766 | | | +--rw initiator-id-type? ikev2-crypto:pad-type-t 767 | | | +--rw initiator-id? string 768 | | +--rw responder-id 769 | | | +--rw responder-id-type? ikev2-crypto:pad-type-t 770 | | | +--rw responder-id? string 771 | | +--rw cert-authentication-type? string 772 | | +--rw cert-auth 773 | | | +--rw cert-auth-encoding? ikev2-crypto:ikev2-cert-encoding-t 774 | | | +--rw cert-auth-value? uint32 775 | | +--rw vendor-id? uint64 776 | | +--rw optional-ctx* [window-id] 777 | | +--rw window-id uint32 778 | | +--rw optional {ikev2-init-optional}? 779 | | +--rw nat-detection-source-ip {ikev2-init-nat-detection-src-ip}? 780 | | | +--rw (ip-address)? 781 | | | | +--:(ipv4-address) 782 | | | | | +--rw ipv4-address? inet:ipv4-address 783 | | | | +--:(ipv6-address) 784 | | | | +--rw ipv6-address? inet:ipv6-address 785 | | | +--rw nat-keepalive-interval? uint16 786 | | +--rw nat-detection-destination-ip {ikev2-init-nat-detection-destination- 787 ip}? 788 | | | +--rw (ip-address)? 789 | | | | +--:(ipv4-address) 790 | | | | | +--rw ipv4-address? inet:ipv4-address 791 | | | | +--:(ipv6-address) 792 | | | | +--rw ipv6-address? inet:ipv6-address 793 | | | +--rw nat-keepalive-interval? uint16 794 | | +--rw redirect-supported? boolean {ikev2-init-redirect- 795 supported}? 796 | | +--rw fragmentation-supported? boolean {ikev2-init- 797 fragmentation-supported}? 798 | | +--rw mobike-supported? boolean {ikev2-auth-mobike- 799 supported}? 800 | | +--rw rohc-supported? boolean {ikev2-auth-rohc- 801 supported}? 802 | | +--rw childless-ikev2-supported? boolean {ikev2-auth-childless- 803 supported}? 804 | | +--rw message-id-sync-supported? boolean {ikev2-auth-message-id- 805 supported}? 806 | | +--rw ipsec-replay-counter-sync-supported? boolean {ikev2-auth-ipsec- 807 replay-counter-sync-supported}? 808 | | +--rw erx-supported? boolean {ikev2-auth-erx- 809 supported}? 810 | | +--rw clone-ike-sa-supported? boolean {ikev2-auth-clone-ike- 811 sa-supported}? 812 | +--rw peer* [peer-address] {ikev2-peer}? 813 | +--rw peer-address string 814 | +--rw role? role-t 815 | +--rw peer-id-entries* [peer-id peer-id-type] 816 | | +--rw peer-id-type ikev2-crypto:pad-type-t 817 | | +--rw peer-id string 818 | +--rw session* [session-label] 819 | | +--rw session-label string 820 | | +--rw initiator-id 821 | | | +--rw initiator-id-type? ikev2-crypto:pad-type-t 822 | | | +--rw initiator-id? string 823 | | +--rw responder-id 824 | | | +--rw responder-id-type? ikev2-crypto:pad-type-t 825 | | | +--rw responder-id? string 826 | | +--rw transport {ikev2-transport}? 827 | | | +--rw base-info 828 | | | | +--rw major-version? uint8 829 | | | | +--rw minor-version? uint8 830 | | | | +--rw spi-generation-policy? string 831 | | | +--rw anti-replay-mechanism 832 | | | | +--rw window-size? uint32 833 | | | | +--rw enable-notify-invalid-msg-id? empty {ikev2-transport-enable- 834 notify-invalid-msg-id}? 835 | | | +--rw retransmision {ikev2-transport-retransmission}? 836 | | | | +--rw max-retries? uint32 837 | | | | +--rw initial-retransmission-timeout? uint32 838 | | | | +--rw retransmission-timeout-policy? string 839 | | | | +--rw max-response-buffer-timeout? uint32 840 | | | | +--rw keepalive-timeout? uint32 841 | | | | +--rw nat-keepalive-timeout? uint32 842 | | | +--rw cookie-mechanism {ikev2-transport-cookie-mechanism}? 843 | | | | +--rw cookie-lifetime? uint32 844 | | | | +--rw half-open-ike-sa-threshold? uint32 845 | | | +--rw vendor-id? uint64 846 | | +--rw init {ikev2-init}? 847 | | | +--rw authorized-dh* [dhg key-length] {ikev2-init-authorized-dh}? 848 | | | | +--rw dhg ikev2-crypto:ikev2-diffie-hellman-group-t 849 | | | | +--rw key-length uint32 850 | | | +--rw proposal* [number] 851 | | | | +--rw name? string 852 | | | | +--rw description? string 853 | | | | +--rw transform-encr-algorithm* [encr-algorithm key-length] 854 | | | | | +--rw encr-algorithm ikev2-crypto:ikev2-encryption-algorithm-t 855 | | | | | +--rw key-length uint32 856 | | | | +--rw transform-prf-algorithm* [prf-algorithm key-length] 857 | | | | | +--rw prf-algorithm ikev2-crypto:ikev2-pseudo-random-function-t 858 | | | | | +--rw key-length uint32 859 | | | | +--rw transform-integrity-algorithm* [integrity-algorithm key-length] 860 | | | | | +--rw integrity-algorithm ikev2-crypto:ikev2-integrity-algorithm-t 861 | | | | | +--rw key-length uint32 862 | | | | +--rw transform-dh* [dh key-length] 863 | | | | | +--rw dh ikev2-crypto:ikev2-diffie-hellman-group-t 864 | | | | | +--rw key-length uint32 865 | | | | +--rw number uint32 866 | | | | +--rw protocol? ikev2-crypto:ikev2-protocol- 867 identifiers-t 868 | | | +--rw optional {ikev2-init-optional}? 869 | | | | +--rw nat-detection-source-ip {ikev2-init-nat-detection-src-ip}? 870 | | | | | +--rw (ip-address)? 871 | | | | | | +--:(ipv4-address) 872 | | | | | | | +--rw ipv4-address? inet:ipv4-address 873 | | | | | | +--:(ipv6-address) 874 | | | | | | +--rw ipv6-address? inet:ipv6-address 875 | | | | | +--rw nat-keepalive-interval? uint16 876 | | | | +--rw nat-detection-destination-ip {ikev2-init-nat-detection-destination- 877 ip}? 878 | | | | | +--rw (ip-address)? 879 | | | | | | +--:(ipv4-address) 880 | | | | | | | +--rw ipv4-address? inet:ipv4-address 881 | | | | | | +--:(ipv6-address) 882 | | | | | | +--rw ipv6-address? inet:ipv6-address 883 | | | | | +--rw nat-keepalive-interval? uint16 884 | | | | +--rw redirect-supported? boolean {ikev2-init- 885 redirect-supported}? 886 | | | | +--rw fragmentation-supported? boolean {ikev2-init- 887 fragmentation-supported}? 888 | | | | +--rw mobike-supported? boolean {ikev2-auth-mobike- 889 supported}? 890 | | | | +--rw rohc-supported? boolean {ikev2-auth-rohc- 891 supported}? 892 | | | | +--rw childless-ikev2-supported? boolean {ikev2-auth- 893 childless-supported}? 894 | | | | +--rw message-id-sync-supported? boolean {ikev2-auth-message- 895 id-supported}? 896 | | | | +--rw ipsec-replay-counter-sync-supported? boolean {ikev2-auth-ipsec- 897 replay-counter-sync-supported}? 898 | | | | +--rw erx-supported? boolean {ikev2-auth-erx- 899 supported}? 900 | | | | +--rw clone-ike-sa-supported? boolean {ikev2-auth-clone- 901 ike-sa-supported}? 902 | | | +--rw auth-method? ikev2-crypto:ikev2-authentication-method-t 903 | | | +--rw responder-certreq {ikev2-init-responder-certreq}? 904 | | | | +--rw cert-encoding? ikev2-crypto:ikev2-cert-encoding-t 905 | | | | +--rw cert-value? uint32 906 | | | +--rw config-request 907 | | | | +--rw (ip-address)? 908 | | | | +--:(ipv4-address) 909 | | | | | +--rw ipv4-address? inet:ipv4-address 910 | | | | +--:(ipv6-address) 911 | | | | +--rw ipv6-address? inet:ipv6-address 912 | | | +--rw config-responder 913 | | | | +--rw (ip-address)? 914 | | | | +--:(ipv4-address) 915 | | | | | +--rw ipv4-address? inet:ipv4-address 916 | | | | +--:(ipv6-address) 917 | | | | +--rw ipv6-address? inet:ipv6-address 918 | | | +--rw authorized-cert-auth* [cert-encoding] {ikev2-init-authorized- 919 certification-auth}? 920 | | | +--rw cert-encoding ikev2-crypto:ikev2-cert-encoding-t 921 | | | +--rw cert-value? uint32 922 | | +--rw auth {ikev2-auth}? 923 | | | +--rw avail-signing-capabilities* [auth-method-name] 924 | | | | +--rw auth-method-name string 925 | | | | +--rw auth-method? ikev2-crypto:ikev2-authentication-method-t 926 | | | | +--rw auth-material-data? string 927 | | | +--rw cert-auth 928 | | | | +--rw cert-auth-encoding? ikev2-crypto:ikev2-cert-encoding-t 929 | | | | +--rw cert-auth-value? uint32 930 | | | +--rw avail-hash* [hash-method] 931 | | | | +--rw hash-method string 932 | | | | +--rw auth-hash-lifetime? uint32 933 | | | +--rw avail-signature-verify* [signature-id] 934 | | | | +--rw signature-id string 935 | | | | +--rw signature-lifetime? uint32 936 | | | +--rw local-id* [host-id] 937 | | | | +--rw host-id string 938 | | | | +--rw preference? string 939 | | | | +--rw id-type? string 940 | | | | +--rw id-value? string 941 | | | +--rw authorized-certificate-authority 942 | | | +--rw cert-encoding? ikev2-crypto:ikev2-cert-encoding-t 943 | | | +--rw cert-value? uint32 944 | | +--rw config-request 945 | | | +--rw (ip-address)? 946 | | | +--:(ipv4-address) 947 | | | | +--rw ipv4-address? inet:ipv4-address 948 | | | +--:(ipv6-address) 949 | | | +--rw ipv6-address? inet:ipv6-address 950 | | +--rw config-responder 951 | | +--rw (ip-address)? 952 | | +--:(ipv4-address) 953 | | | +--rw ipv4-address? inet:ipv4-address 954 | | +--:(ipv6-address) 955 | | +--rw ipv6-address? inet:ipv6-address 956 | +--rw preshared-key? string 957 | +--rw nat-traversal? boolean 959 3.6. IKEv2 Operation Data Model 961 The IKEv2 data model provides the appropriate leaves for operational 962 sattes of the IKEv2 protocol. The IKEv2 YANG data model has the 963 following structure: 965 +--ro ikev2-state {ikev2-state}? 966 +--ro transport-state {ikev2-transport-state}? 967 +--ro ike-sa-state* [initiator-spi responder-spi] 969 The tree detail is: 971 +--ro ikev2-state {ikev2-state}? 972 +--ro ikev2-state {ikev2-state}? 973 +--ro transport-state {ikev2-transport-state}? 974 | +--ro major-version? uint8 975 | +--ro minor-version? uint8 976 | +--ro spi-generation-policy? string 977 | +--ro exchange-type? ikev2-crypto:ikev2-exchange-type-t 978 | +--ro flags? uint8 979 +--ro sa-state* [initiator-spi responder-spi] 980 +--ro initiator-spi ipsec-spi 981 +--ro responder-spi ipsec-spi 982 +--ro retransmistion-ctx* [window-id] 983 | +--ro window-id uint32 984 | +--ro retransmision {ikev2-transport-retransmission}? 985 | +--ro max-retries? uint32 986 | +--ro initial-retransmission-timeout? uint32 987 | +--ro retransmission-timeout-policy? string 988 | +--ro max-response-buffer-timeout? uint32 989 | +--ro keepalive-timeout? uint32 990 | +--ro nat-keepalive-timeout? uint32 991 +--ro anti-replay-mechanism 992 | +--ro window-size? uint32 993 | +--ro peer-request-msg-id? uint32 994 | +--ro peer-response-msg-id? uint32 995 | +--ro local-request-msg-id? uint32 996 | +--ro local-response-msg-id? uint32 997 +--ro vendor-id? uint64 998 +--ro initiator-id 999 | +--ro initiator-id-type? ikev2-crypto:pad-type-t 1000 | +--ro initiator-id? string 1001 +--ro responder-id 1002 | +--ro responder-id-type? ikev2-crypto:pad-type-t 1003 | +--ro responder-id? string 1004 +--ro auth {ikev2-auth}? 1005 | +--ro avail-signing-capabilities* [auth-method-name] 1006 | | +--ro auth-method-name string 1007 | | +--ro auth-method? ikev2-crypto:ikev2-authentication-method-t 1008 | | +--ro auth-material-data? string 1009 | +--ro cert-auth 1010 | | +--ro cert-auth-encoding? ikev2-crypto:ikev2-cert-encoding-t 1011 | | +--ro cert-auth-value? uint32 1012 | +--ro avail-hash* [hash-method] 1013 | | +--ro hash-method string 1014 | | +--ro auth-hash-lifetime? uint32 1015 | +--ro avail-signature-verify* [signature-id] 1016 | | +--ro signature-id string 1017 | | +--ro signature-lifetime? uint32 1018 | +--ro local-id* [host-id] 1019 | | +--ro host-id string 1020 | | +--ro preference? string 1021 | | +--ro id-type? string 1022 | | +--ro id-value? string 1023 | +--ro authorized-certificate-authority 1024 | +--ro cert-encoding? ikev2-crypto:ikev2-cert-encoding-t 1025 | +--ro cert-value? uint32 1026 +--ro half-open-ike-sa-counter? uint32 1027 +--ro optional-ctx* [window-id] 1028 +--ro window-id uint32 1029 +--ro optional {ikev2-init-optional}? 1030 +--ro nat-detection-source-ip {ikev2-init-nat-detection-src-ip}? 1031 | +--ro (ip-address)? 1032 | | +--:(ipv4-address) 1033 | | | +--ro ipv4-address? inet:ipv4-address 1034 | | +--:(ipv6-address) 1035 | | +--ro ipv6-address? inet:ipv6-address 1036 | +--ro nat-keepalive-interval? uint16 1037 +--ro nat-detection-destination-ip {ikev2-init-nat-detection-destination- 1038 ip}? 1039 | +--ro (ip-address)? 1040 | | +--:(ipv4-address) 1041 | | | +--ro ipv4-address? inet:ipv4-address 1042 | | +--:(ipv6-address) 1043 | | +--ro ipv6-address? inet:ipv6-address 1044 | +--ro nat-keepalive-interval? uint16 1045 +--ro redirect-supported? boolean {ikev2-init-redirect- 1046 supported}? 1047 +--ro fragmentation-supported? boolean {ikev2-init- 1048 fragmentation-supported}? 1049 +--ro mobike-supported? boolean {ikev2-auth-mobike- 1050 supported}? 1051 +--ro rohc-supported? boolean {ikev2-auth-rohc- 1052 supported}? 1053 +--ro childless-ikev2-supported? boolean {ikev2-auth-childless- 1054 supported}? 1055 +--ro message-id-sync-supported? boolean {ikev2-auth-message-id- 1056 supported}? 1057 +--ro ipsec-replay-counter-sync-supported? boolean {ikev2-auth-ipsec- 1058 replay-counter-sync-supported}? 1059 +--ro erx-supported? boolean {ikev2-auth-erx- 1060 supported}? 1061 +--ro clone-ike-sa-supported? boolean {ikev2-auth-clone-ike- 1062 sa-supported}? 1064 4. IKEv2 Crypto YANG Module 1066 This section will present the YANG data model for IKEv2 Crypto. 1068 file "ietf-ikev2-crypto@2016-02-26.yang" 1070 module ietf-ikev2-crypto { 1071 namespace "urn:ietf:params:xml:ns:yang:ietf-ikev2-crypto"; 1072 prefix ikev2-crypto; 1074 organization "Ericsson AB. 1075 Huawei Technologies India Pvt Ltd."; 1077 contact "Web: "; 1079 description 1080 "This YANG module defines the parameters"+ 1081 " for IANA, Internet Key Exchange Version 2 (IKEv2)"+ 1082 " Parameters."+ 1083 " "+ 1084 " Copyright (c) 2016 Ericsson AB."+ 1085 " All rights reserved."; 1087 revision 2016-02-26 { 1088 description 1089 "First revision."; 1090 reference 1091 "RFC 7296: Internet Key Exchange Protocol Version 2."; 1092 } 1094 /*--------------------*/ 1095 /* Typedefs */ 1096 /*--------------------*/ 1098 /* IKEv2 Exchange Types (ET) */ 1099 typedef ikev2-exchange-type-t { 1100 type enumeration { 1101 enum et-ike-sa-init { 1102 value 34; 1103 description 1104 "et-ike-sa-init - IKEv2 Exchange Types (ET)"; 1105 } 1106 enum et-ike-auth { 1107 value 35; 1108 description 1109 "et-ike-auth - IKEv2 Exchange Types (ET)"; 1110 } 1111 enum et-create-child-sa { 1112 value 36; 1113 description 1114 "et-create-child-sa - IKEv2 Exchange Types (ET)"; 1115 } 1116 enum et-informational { 1117 value 37; 1118 description 1119 "et-informational - IKEv2 Exchange Types (ET)"; 1120 } 1121 enum et-ike-session-resume { 1122 value 38; 1123 description 1124 "et-ike-session-resume - IKEv2 Exchange Types (ET)"; 1125 } 1126 enum et-gsa-auth { 1127 value 39; 1128 description 1129 "et-gsa-auth - IKEv2 Exchange Types (ET)"; 1130 } 1131 enum et-gsa-registration { 1132 value 40; 1133 description 1134 "et-gsa-registration - IKEv2 Exchange Types (ET)"; 1135 } 1136 enum et-gsa-rekey { 1137 value 41; 1138 description 1139 "et-gsa-rekey - IKEv2 Exchange Types (ET)"; 1140 } 1141 } 1142 description 1143 "IKEv2 Exchange Types (ET)."; 1144 } 1146 /* Transform Type Values (TTV), RFC 7296 */ 1147 typedef ikev2-transform-type-value-t { 1148 type enumeration { 1149 enum ttv-reserved-0 { 1150 value 0; 1151 description 1152 "ttv-reserved-0 - Transform Type Value (TTV)"+ 1153 " Reserved "; 1154 } 1155 enum ttv-encr { 1156 value 1; 1157 description 1158 "ttv-encr - Transform Type Value 1 (TTV),"+ 1159 " Encryption Algorithm "+ 1160 "(ENCR) used in IKE and ESP."; 1161 } 1162 enum ttv-prf { 1163 value 2; 1164 description 1165 "ttv-prf - Transform Type Value 2 (TTV),"+ 1166 " Pseudo-Random Function(PRF) used in IKE."; 1167 } 1168 enum ttv-integ { 1169 value 3; 1170 description 1171 "ttv-integ - Transform Type Value 3 (TTV),"+ 1172 " Integrity Algorithm"+ 1173 " (INTEG) used in IKE, AH, optional ESP."; 1174 } 1175 enum ttv-dh { 1176 value 4; 1177 description 1178 "ttv-dh - Transform Type Value 4 (TTV),"+ 1179 " Diffie-Hellman (DH)"+ 1180 " used in IKE, optional AH and ESP."; 1181 } 1182 enum ttv-esn { 1183 value 5; 1184 description 1185 "ttv-esn - Transform Type Value 5 (TTV),"+ 1186 " Extended Sequence"+ 1187 " Numbers (ESN) used in AH and ESP."; 1188 } 1189 } 1190 description 1191 "IKEv2 Transform Type Values ((TTV)."; 1192 } 1194 /* IKEv2 Transform Attribute Types (TAT) */ 1195 typedef ikev2-transform-attribute-type-t { 1196 type enumeration { 1197 enum tat-reserved-0 { 1198 value 0; 1199 description 1200 "tat-reserved-0 - IKEv2 Transform Attribute "+ 1201 "Type (TAT) Reserved-0"; 1202 } 1203 enum tat-reserved-1 { 1204 value 1; 1205 description 1206 "tat-reserved-1 - IKEv2 Transform Attribute "+ 1207 "Type (TAT) Reserved-1"; 1208 } 1209 enum tat-reserved-13 { 1210 value 13; 1211 description 1212 "ikev2-tat-reserved-13 - IKEv2 Transform Attribute "+ 1213 "Type (TAT) Reserved-13"; 1214 } 1215 enum tat-key-length { 1216 value 41; 1217 description 1218 "ikev2-tat-key-length - IKEv2 Transform Attribute "+ 1219 "Type (TAT) KEY LENGTH (in bits)"; 1220 } 1221 } 1222 description 1223 "IKEv2 Transform Attribute Types (TAT)"; 1224 } 1226 /* Transform Type 1 (Encryption Algorithm) Transform IDs */ 1227 typedef ikev2-encryption-algorithm-t { 1228 type enumeration { 1229 enum encr-reserved-0 { 1230 value 0; 1231 description 1232 "encr-reserved-0 - IKEv2 Encryption Algorithm Transform"; 1233 } 1234 enum encr-des-iv4 { 1235 value 1; 1236 description 1237 "encr-des-iv4 - IKEv2 Encryption Algorithm Transform"; 1238 } 1239 enum encr-des { 1240 value 2; 1241 description 1242 "encr-des - IKEv2 Encryption Algorithm Transform"; 1243 } 1244 enum encr-3des { 1245 value 3; 1246 description 1247 "encr-3des - IKEv2 Encryption Algorithm Transform"; 1248 } 1249 enum encr-rc5 { 1250 value 4; 1251 description 1252 "encr-rc5 - IKEv2 Encryption Algorithm Transform"; 1253 } 1254 enum encr-idea { 1255 value 5; 1256 description 1257 "encr-idea - IKEv2 Encryption Algorithm Transform"; 1258 } 1259 enum encr-cast { 1260 value 6; 1261 description 1262 "encr-cast - IKEv2 Encryption Algorithm Transform"; 1263 } 1264 enum encr-blowfish { 1265 value 7; 1266 description 1267 "encr-blowfish - IKEv2 Encryption Algorithm Transform"; 1268 } 1269 enum encr-3idea { 1270 value 8; 1271 description 1272 "encr-3idea - IKEv2 Encryption Algorithm Transform"; 1273 } 1274 enum encr-des-iv32 { 1275 value 9; 1276 description 1277 "encr-des-iv32 - IKEv2 Encryption Algorithm Transform"; 1278 } 1279 enum encr-reserved-10 { 1280 value 10; 1281 description 1282 "encr-reserved-10 - IKEv2 Encryption Algorithm"+ 1283 " Transform"; 1284 } 1285 enum encr-null { 1286 value 11; 1287 description 1288 "encr-null - IKEv2 Encryption Algorithm Transform"; 1289 } 1290 enum encr-aes-cbc { 1291 value 12; 1292 description 1293 "encr-aes-cbc - IKEv2 Encryption Algorithm Transform"; 1294 } 1295 enum encr-aes-ctr { 1296 value 13; 1297 description 1298 "encr-aes-ctr - IKEv2 Encryption Algorithm Transform"; 1299 } 1300 enum encr-aes-ccm-8 { 1301 value 14; 1302 description 1303 "encr-aes-ccm-8 - IKEv2 Encryption Algorithm Transform"; 1304 } 1305 enum encr-aes-ccm-12 { 1306 value 15; 1307 description 1308 "encr-aes-ccm-12 - IKEv2 Encryption Algorithm"+ 1309 " Transform"; 1310 } 1311 enum encr-aes-ccm-16 { 1312 value 16; 1313 description 1314 "encr-aes-ccm-16 - IKEv2 Encryption Algorithm"+ 1315 " Transform"; 1316 } 1317 enum encr-reserved-17 { 1318 value 17; 1319 description 1320 "encr-reserved-17 - IKEv2 Encryption Algorithm"+ 1321 " Transform"; 1322 } 1323 enum encr-aes-gcm-8-icv { 1324 value 18; 1325 description 1326 "encr-aes-gcm-8-icv - IKEv2 Encryption Algorithm"+ 1327 " Transform"; 1328 } 1329 enum encr-aes-gcm-12-icv { 1330 value 19; 1331 description 1332 "encr-aes-gcm-12-icv - IKEv2 Encryption Algorithm"+ 1333 " Transform"; 1334 } 1335 enum encr-aes-gcm-16-icv { 1336 value 20; 1337 description 1338 "encr-aes-gcm-16-icv - IKEv2 Encryption Algorithm"+ 1339 " Transform"; 1340 } 1341 enum encr-null-auth-aes-gmac { 1342 value 21; 1343 description 1344 "encr-null-auth-aes-gmac - IKEv2 Encryption Algorithm"+ 1345 " Transform"; 1346 } 1347 enum encr-ieee-p1619-xts-aes { 1348 value 22; 1349 description 1350 "encr-ieee-p1619-xts-aes - IKEv2 Encryption Algorithm"+ 1351 " Transform IEEE P1619 XTS-AES."; 1352 } 1353 enum encr-camellia-cbc { 1354 value 23; 1355 description 1356 "encr-camellia-cbc - IKEv2 Encryption Algorithm"+ 1357 " Transform"; 1359 } 1360 enum encr-camellia-ctr { 1361 value 24; 1362 description 1363 "encr-camellia-ctr - IKEv2 Encryption Algorithm"+ 1364 " Transform"; 1365 } 1366 enum encr-camellia-ccm-8-icv { 1367 value 25; 1368 description 1369 "encr-camellia-ccm-8-icv - IKEv2 Encryption Algorithm"+ 1370 " Transform"; 1371 } 1372 enum encr-camellia-ccm-12-icv { 1373 value 26; 1374 description 1375 "encr-camellia-ccm-12-icv - IKEv2 Encryption Algorithm"+ 1376 " Transform"; 1377 } 1378 enum encr-camellia-ccm-16-icv { 1379 value 27; 1380 description 1381 "encr-camellia-ccm-16-icv - IKEv2 Encryption Algorithm"+ 1382 " Transform"; 1383 } 1384 enum encr-chacha20-poly1305 { 1385 value 28; 1386 description 1387 "encr-chacha20-poly1305 - IKEv2 Encryption Algorithm"+ 1388 " Transform"; 1389 } 1390 enum encr-aes-cbc-128 { 1391 value 1024; 1392 description 1393 "encr-aes-cbc-128 - IKEv2 Encryption Algorithm Transform"; 1394 } 1395 enum encr-aes-cbc-192 { 1396 value 1025; 1397 description 1398 "encr-aes-cbc-192 - IKEv2 Encryption Algorithm Transform"; 1399 } 1400 enum encr-aes-cbc-256 { 1401 value 1026; 1402 description 1403 "encr-aes-cbc-256 - IKEv2 Encryption Algorithm Transform"; 1404 } 1405 enum encr-blowfish-128 { 1406 value 1027; 1407 description 1408 "encr-blowfish-128 - IKEv2 Encryption Algorithm"+ 1409 " Transform"; 1410 } 1411 enum encr-blowfish-192 { 1412 value 1028; 1413 description 1414 "encr-blowfish-192 - IKEv2 Encryption Algorithm"+ 1415 " Transform"; 1416 } 1417 enum encr-blowfish-256 { 1418 value 1029; 1419 description 1420 "encr-blowfish-256 - IKEv2 Encryption Algorithm"+ 1421 " Transform"; 1422 } 1423 enum encr-blowfish-448 { 1424 value 1030; 1425 description 1426 "encr-blowfish-448 - IKEv2 Encryption Algorithm"+ 1427 " Transform"; 1428 } 1429 enum encr-camellia-128 { 1430 value 1031; 1431 description 1432 "encr-camellia-128 - IKEv2 Encryption Algorithm"+ 1433 " Transform"; 1434 } 1435 enum encr-camellia-192 { 1436 value 1032; 1437 description 1438 "encr-camellia-192 - IKEv2 Encryption Algorithm"+ 1439 " Transform"; 1440 } 1441 enum encr-camellia-256 { 1442 value 1033; 1443 description 1444 "encr-camellia-256 - IKEv2 Encryption Algorithm"+ 1445 " Transform"; 1446 } 1447 } 1448 description 1449 "Transform Type 1 - IKEv2 Encryption Algorithm Transformm"+ 1450 " IDs"; 1451 } 1453 /* Transform Type 2 (Pseudo-Random Function PRF) Transform IDs */ 1454 typedef ikev2-pseudo-random-function-t { 1455 type enumeration { 1456 enum prf-reserved-0 { 1457 value 0; 1458 description 1459 "prf-reserved-0 - IKEv2 Pseudo-Random Function (PRF)"; 1460 } 1461 enum prf-hmac-md5 { 1462 value 1; 1463 description 1464 "prf-hmac-md5 - IKEv2 Pseudo-Random Function (PRF)"; 1465 } 1466 enum prf-hmac-sha1 { 1467 value 2; 1468 description 1469 "prf-hmac-sha1 - IKEv2 Pseudo-Random Function (PRF)"; 1470 } 1471 enum prf-hmac-tiger { 1472 value 3; 1473 description 1474 "prf-hmac-tiger - IKEv2 Pseudo-Random Function (PRF)"; 1475 } 1476 enum prf-aes128-xcbc { 1477 value 4; 1478 description 1479 "prf-aes128-xcbc - IKEv2 Pseudo-Random Function (PRF)"; 1480 } 1481 enum prf-hmac-sha2-256 { 1482 value 5; 1483 description 1484 "prf-hmac-sha2-256 - IKEv2 Pseudo-Random Function (PRF)"; 1485 } 1486 enum prf-hmac-sha2-384 { 1487 value 6; 1488 description 1489 "prf-hmac-sha2-384 - IKEv2 Pseudo-Random Function (PRF)"; 1490 } 1491 enum prf-hmac-sha2-512 { 1492 value 7; 1493 description 1494 "prf-hmac-sha2-512 - IKEv2 Pseudo-Random Function (PRF)"; 1495 } 1496 enum prf-aes128-cmac { 1497 value 8; 1498 description 1499 "prf-aes128-cmac - IKEv2 Pseudo-Random Function (PRF)"; 1500 } 1501 } 1502 description 1503 "Transform Type 2 - IKEv2 Pseudo-Random Function (PRF)"+ 1504 " Transform IDs"; 1505 } 1506 /* Transform Type 3 (Integrity Algorithm) Transform IDs */ 1507 typedef ikev2-integrity-algorithm-t { 1508 type enumeration { 1509 enum auth-none { 1510 value 0; 1511 description 1512 "auth-none - IKEv2 Integrity Algorithm"; 1513 } 1514 enum auth-hmac-md5-96 { 1515 value 1; 1516 description 1517 "auth-hmac-md5-96 - IKEv2 Integrity Algorithm"; 1518 } 1519 enum auth-hmac-sha1-96 { 1520 value 2; 1521 description 1522 "auth-hmac-sha1-96 - IKEv2 Integrity Algorithm"; 1523 } 1524 enum auth-des-mac { 1525 value 3; 1526 description 1527 "auth-des-mac - IKEv2 Integrity Algorithm"; 1528 } 1529 enum auth-kpdk-md5 { 1530 value 4; 1531 description 1532 "auth-kpdk-md5 - IKEv2 Integrity Algorithm"; 1533 } 1534 enum auth-aes-xcbc-96 { 1535 value 5; 1536 description 1537 "auth-aes-xcbc-96 - IKEv2 Integrity Algorithm"; 1538 } 1539 enum auth-hmac-md5-128 { 1540 value 6; 1541 description 1542 "auth-hmac-md5-128 - IKEv2 Integrity Algorithm"; 1543 } 1544 enum auth-hmac-sha1-160 { 1545 value 7; 1546 description 1547 "auth-hmac-sha1-160 - IKEv2 Integrity Algorithm"; 1548 } 1549 enum auth-aes-cmac-96 { 1550 value 8; 1551 description 1552 "auth-aes-cmac-96 - IKEv2 Integrity Algorithm"; 1553 } 1554 enum auth-aes-128-gmac { 1555 value 9; 1556 description 1557 "auth-aes-128-gmac - IKEv2 Integrity Algorithm"; 1558 } 1559 enum auth-aes-192-gmac { 1560 value 10; 1561 description 1562 "auth-aes-192-gmac - IKEv2 Integrity Algorithm"; 1563 } 1564 enum auth-aes-256-gmac { 1565 value 11; 1566 description 1567 "auth-aes-256-gmac - IKEv2 Integrity Algorithm"; 1568 } 1569 enum auth-hmac-sha2-256-128 { 1570 value 12; 1571 description 1572 "auth-hmac-sha2-256-128 - IKEv2 Integrity Algorithm"; 1573 } 1574 enum auth-hmac-sha2-384-192 { 1575 value 13; 1576 description 1577 "auth-hmac-sha2-384-192 - IKEv2 Integrity Algorithm"; 1578 } 1579 enum auth-hmac-sha2-512-256 { 1580 value 14; 1581 description 1582 "auth-hmac-sha2-512-256 - IKEv2 Integrity Algorithm"; 1583 } 1584 enum auth-hmac-sha2-256-96 { 1585 value 1024; 1586 description 1587 "auth-hmac-sha2-256-96 - IKEv2 Integrity Algorithm"; 1588 } 1589 } 1590 description 1591 "Transform Type 3 - IKEv2"+ 1592 " Integrity Algorithms Transform IDs"; 1593 } 1595 /* Transform Type 4 (Diffie-Hellman Group) Transform IDs */ 1596 typedef ikev2-diffie-hellman-group-t { 1597 type enumeration { 1598 enum dh-group-none { 1599 value 0; 1600 description 1601 "dh-group-none - IKEv2 Diffie-Hellman Group (DH)"; 1602 } 1603 enum dh-modp-768-group-1 { 1604 value 1; 1605 description 1606 "dh-modp-768-group-1 - IKEv2 Diffie-Hellman Group (DH)"; 1607 } 1608 enum dh-modp-1024-group-2 { 1609 value 2; 1610 description 1611 "dh-modp-1024-group-2 - IKEv2 Diffie-Hellman Group (DH)"; 1612 } 1613 enum dh-modp-1536-group-5 { 1614 value 5; 1615 description 1616 "dh-modp-1536-group-5 - IKEv2 Diffie-Hellman Group (DH)"; 1617 } 1618 enum dh-modp-2048-group-14 { 1619 value 14; 1620 description 1621 "dh-modp-2048-group-14 - IKEv2 Diffie-Hellman Group (DH)"; 1622 } 1623 enum dh-modp-3072-group-15 { 1624 value 15; 1625 description 1626 "dh-modp-3072-group-15 - IKEv2 Diffie-Hellman Group (DH)"; 1627 } 1628 enum dh-modp-4096-group-16 { 1629 value 16; 1630 description 1631 "dh-modp-4096-group-16 - IKEv2 Diffie-Hellman Group (DH)"; 1632 } 1633 enum dh-modp-6144-group-17 { 1634 value 17; 1635 description 1636 "dh-modp-6144-group-17 - IKEv2 Diffie-Hellman Group (DH)"; 1637 } 1638 enum dh-modp-8192-group-18 { 1639 value 18; 1640 description 1641 "dh-modp-8192-group-18 - IKEv2 Diffie-Hellman Group (DH)"; 1642 } 1643 enum dh-recp-256-group-19 { 1644 value 19; 1645 description 1646 "dh-recp-256-group-19 - IKEv2 Diffie-Hellman Group (DH)"; 1647 } 1648 enum dh-recp-384-group-20 { 1649 value 20; 1650 description 1651 "dh-recp-384-group-20 - IKEv2 Diffie-Hellman Group (DH)"; 1653 } 1654 enum dh-recp-521-group-21 { 1655 value 21; 1656 description 1657 "dh-recp-521-group-21 - IKEv2 Diffie-Hellman Group (DH)"; 1658 } 1659 enum dh-modp-1024-160-pos-group-22 { 1660 value 22; 1661 description 1662 "dh-modp-1024-160-pos-group-22 - IKEv2 Diffie-Hellman"+ 1663 " Group (DH)"; 1664 } 1665 enum dh-modp-2048-224-pos-group-23 { 1666 value 23; 1667 description 1668 "dh-modp-2048-224-pos-group-23 - IKEv2 Diffie-Hellman"+ 1669 " Group (DH)"; 1670 } 1671 enum dh-modp-2048-256-pos-group-24 { 1672 value 24; 1673 description 1674 "dh-modp-2048-256-pos-group-24 - IKEv2 Diffie-Hellman"+ 1675 " Group (DH)"; 1676 } 1677 enum dh-recp-192-group-25 { 1678 value 25; 1679 description 1680 "dh-recp-192-group-25 - IKEv2 Diffie-Hellman Group (DH)"; 1681 } 1682 enum dh-recp-224-group-26 { 1683 value 26; 1684 description 1685 "dh-recp-224-group-26 - IKEv2 Diffie-Hellman Group (DH)"; 1686 } 1687 enum dh-brainpool-ip-224-r1 { 1688 value 27; 1689 description 1690 "dh-brainpool-ip-224-r1 - IKEv2 Diffie-Hellman Group"+ 1691 " (DH)"; 1692 } 1693 enum dh-brainpool-ip-256-r1 { 1694 value 28; 1695 description 1696 "dh-brainpool-ip-256-r1 - IKEv2 Diffie-Hellman Group"+ 1697 " (DH)"; 1698 } 1699 enum dh-brainpool-ip-384-r1 { 1700 value 29; 1701 description 1702 "dh-brainpool-ip-384-r1 - IKEv2 Diffie-Hellman Group"+ 1703 " (DH)"; 1704 } 1705 enum dh-brainpool-ip-512-r1 { 1706 value 30; 1707 description 1708 "dh-brainpool-ip-512-r1 - IKEv2 Diffie-Hellman Group"+ 1709 " (DH)"; 1710 } 1711 } 1712 description 1713 "Transform Type 4 - IKEv2"+ 1714 " Diffie-Hellman Groups (DH) Transform IDs"; 1715 } 1716 /* Transform Type 5 (Extended Sequence Numbers ESN 1717 Transform IDs) */ 1718 typedef ikev2-extended-sequence-number-t { 1719 type enumeration { 1720 enum esn-none { 1721 value 0; 1722 description 1723 "esn-none - IKEv2 Extended Sequence Number"; 1724 } 1725 enum esn-1 { 1726 value 1; 1727 description 1728 "esn-1 - IKEv2 Extended Sequence Number"; 1729 } 1730 } 1731 description 1732 "Transform Type 5 - IKEv2 Extended Sequence Number (ESN)"; 1733 } 1734 typedef ikev2-connection-type-t { 1735 type enumeration { 1736 enum initiator-only { 1737 value 0; 1738 description 1739 "initiator-only: ME will act as initiator for"+ 1740 " bringing up IKEv2"+ 1741 " session with its IKE peer."; 1742 } 1743 enum responder-only { 1744 value 1; 1745 description 1746 "responder-only: ME will act as responder for"+ 1747 " bringing up IKEv2"+ 1748 " session with its IKE peer."; 1749 } 1750 enum both { 1751 value 2; 1752 description 1753 "both: ME can act as initiator or responder."; 1754 } 1755 } 1756 description 1757 "IKEv2 Connection type for IKE session."; 1758 } 1759 typedef ikev2-transport-protocol-name-t { 1760 type enumeration { 1761 enum tcp { 1762 value 1; 1763 description 1764 "Transmission Control Protocol (TCP) Transport Protocol."; 1765 } 1766 enum udp { 1767 value 2; 1768 description 1769 "User Datagram Protocol (UDP) Transport Protocol"; 1770 } 1771 enum sctp { 1772 value 3; 1773 description 1774 "Stream Control Transmission Protocol (SCTP) Transport "+ 1775 "Protocol"; 1776 } 1777 enum icmp { 1778 value 4; 1779 description 1780 "Internet Control Message Protocol (ICMP) Transport "+ 1781 "Protocol"; 1782 } 1783 } 1784 description 1785 "Enumeration of well known transport protocols."; 1786 } 1788 typedef preshared-key-t { 1789 type string; 1790 description 1791 "Derived string used as Pre-Shared Key."; 1792 } 1794 typedef pad-type-t { 1795 type enumeration { 1796 enum id-ipv4-addr { 1797 value 1; 1798 description 1799 "A single four (4) octet IPv4 address"; 1801 } 1802 enum id-fdqn { 1803 value 2; 1804 description 1805 "A fully-qualified domain name string."; 1806 } 1807 enum id-rfc822-addr { 1808 value 3; 1809 description 1810 "A fully-qualified RFC 822 email address string"; 1811 } 1812 enum id-ipv6-addr { 1813 value 5; 1814 description 1815 "A single sixteen (16) octet IPv6 address"; 1816 } 1817 enum id-der-asn1-dn { 1818 value 9; 1819 description 1820 "The binary Distinguished Encoding Rules (DER) encoding"+ 1821 " of an ASN.1 X.500 Distinguished Name"; 1822 } 1823 enum id-der-asn1-gn { 1824 value 10; 1825 description 1826 "The binary Distinguished Encoding Rules (DER) encoding"+ 1827 " of an ASN.1 X.509 General Name"; 1828 } 1829 enum id-key { 1830 value 11; 1831 description 1832 "Key ID (exact match only). An opaque octet stream that"+ 1833 " may be used to pass vendor-specific information"+ 1834 " necessary to do certain proprietary types of"+ 1835 " identification"; 1836 } 1837 enum id-any { 1838 value 100; 1839 description 1840 "Optional: openIKEv2.conf"; 1841 } 1842 } 1843 description 1844 "Peer Authorization Database (PAD) Type"; 1845 } 1847 typedef ikev2-protocol-identifiers-t { 1848 type enumeration { 1849 enum "reserved-0" { 1850 value 0; 1851 description 1852 "Reserved IKEv2 Security Protocol Identifier"; 1853 } 1854 enum "ike" { 1855 value 1; 1856 description 1857 "Internet Key Exchange (IKE) Protocol Identifier"; 1858 } 1859 enum "ah" { 1860 value 2; 1861 description 1862 "Authentication Header (AH) Protocol Identifier"; 1863 } 1864 enum "esp" { 1865 value 3; 1866 description 1867 "Encapsulating Security Payload (ESP) Protocol"+ 1868 " Identifier"; 1869 } 1870 enum "fc_esp_header" { 1871 value 4; 1872 description 1873 "Fibre Channel Encapsulating Security Payload Header"; 1874 } 1875 enum "fc_ct_authentication" { 1876 value 5; 1877 description 1878 "Fibre Channel Common Transport Authentication"; 1879 } 1880 } 1881 description 1882 "IKEv2 Security Protocol Identifiers"; 1883 } 1885 typedef ikev2-authentication-method-t { 1886 type enumeration { 1887 enum auth-preshared { 1888 value 0; 1889 description 1890 "authorization preshared - IKEv2 Authentication Method"; 1891 } 1892 enum rsa-digital-signature { 1893 value 1; 1894 description 1895 "rsa-digital-signature - IKEv2 Authentication Method"; 1896 } 1897 enum shared-key-msg-integrity-code { 1898 value 2; 1899 description 1900 "shared-key-msg-integrity-code - IKEv2 Authentication"+ 1901 " Method"; 1902 } 1903 enum dss-digital-signature { 1904 value 3; 1905 description 1906 "dss-digital-signature - IKEv2 Authentication Method"; 1907 } 1908 enum ecdsa-sha-256-p256-curve { 1909 value 9; 1910 description 1911 "ecdsa-sha-256-p256-curve - IKEv2 Authentication Method"; 1912 } 1913 enum ecdsa-sha-384-p384-curve { 1914 value 10; 1915 description 1916 "ecdsa-sha-384-p384-curve - IKEv2 Authentication Method"; 1917 } 1918 enum ecdsa-sha-512-p512-curve { 1919 value 11; 1920 description 1921 "ecdsa-sha-512-p512-curve - IKEv2 Authentication Method"; 1922 } 1923 enum generic-secure-passwd-auth-method { 1924 value 12; 1925 description 1926 "generic-secure-passwd-auth-method - IKEv2"+ 1927 " Authentication Method"; 1928 } 1929 enum null-auth-method { 1930 value 13; 1931 description 1932 "null-auth-method - IKEv2 Authentication Method"; 1933 } 1934 enum digital-signature { 1935 value 14; 1936 description 1937 "digital-signature - IKEv2 Authentication Method"; 1938 } 1939 } 1940 description "IKEv2 Authentication Methods"; 1941 } 1943 typedef ikev2-traffic-selector-types-t { 1944 type enumeration { 1945 enum "ts-ipv4-addr-range" { 1946 value 7; 1947 description 1948 "ts-ipv4-addr-range - IKEv2 Traffic Selector Type (TS)"; 1949 } 1950 enum "ts-ipv6-addr-range" { 1951 value 8; 1952 description 1953 "ts-ipv6-addr-range - IKEv2 Traffic Selector Type (TS)"; 1954 } 1955 enum "ts-fc-addr-range" { 1956 value 9; 1957 description 1958 "ts-fc-addr-range - IKEv2 Traffic Selector Type (TS)"; 1959 } 1960 } 1961 description 1962 "IKEv2 Traffic Selector Types"; 1963 } 1965 typedef ikev2-cert-encoding-t { 1966 type enumeration { 1967 enum cert-pkcs-7-wrapped-x509 { 1968 value 1; 1969 description 1970 "PKCS #7 wrapped X.509 certificate"; 1971 } 1972 enum cert-pgp { 1973 value 2; 1974 description 1975 "PGP Certificate"; 1976 } 1977 enum cert-dns-signed-key { 1978 value 3; 1979 description 1980 "DNS Signed Key"; 1981 } 1982 enum cert-x509-signature { 1983 value 4; 1984 description 1985 "X.509 Certificate - Signature"; 1986 } 1987 enum cert-kerberos-token { 1988 value 6; 1989 description 1990 "Kerberos Token"; 1991 } 1992 enum cert-revocation-list { 1993 value 7; 1994 description 1995 "Certificate Revocation List (CRL)"; 1996 } 1997 enum cert-authority-revocation-list { 1998 value 8; 1999 description 2000 "Authority Revocation List (ARL)"; 2001 } 2002 enum cert-spki { 2003 value 9; 2004 description 2005 "SPKI Certificate"; 2006 } 2007 enum cert-x509-attribute { 2008 value 10; 2009 description 2010 "X.509 Certificate - Attribute"; 2011 } 2012 enum cert-raw-rsa-key { 2013 value 11; 2014 description 2015 "Raw RSA Key"; 2016 } 2017 enum cert-hash-url-x509 { 2018 value 12; 2019 description 2020 "Hash and URL of X.509 certificate"; 2021 } 2022 enum cert-hash-url-x509-bundle { 2023 value 13; 2024 description 2025 "Hash and URL of X.509 bundle"; 2026 } 2027 enum cert-ocsp-content { 2028 value 14; 2029 description 2030 "OCSP Content"; 2031 } 2032 enum cert-raw-public-key { 2033 value 15; 2034 description 2035 "Raw Public Key"; 2036 } 2037 } 2038 description 2039 "Type of Certificate Encoding"; 2040 } 2041 } 2043 2045 5. IKEv2 YANG Module 2047 This section will present the YANG data model for IKEv2. 2049 file "ietf-ikev2@2016-03-10.yang" 2051 module ietf-ikev2 { 2052 namespace "urn:ietf:params:xml:ns:yang:ietf-ikev2"; 2053 prefix "ikev2"; 2055 import "ietf-ikev2-crypto" { 2056 prefix "ikev2-crypto"; 2057 } 2059 import ietf-inet-types { 2060 prefix inet; 2061 } 2063 organization "Ericsson AB. 2064 Huawei Technologies India Pvt Ltd."; 2066 contact "Web: "; 2068 description 2069 "This YANG module defines the configuration and operational 2070 state data for Internet Key Exchange version 2 (IKEv2) on 2071 IETF draft. 2072 Copyright (c) 2016 Ericsson AB. 2073 All rights reserved."; 2075 revision 2016-03-10 { 2076 description 2077 "First revision."; 2078 reference 2079 "YANG Data model for Internet Protocol Security - IPSec. 2080 draft-tran-ipecme-yang-ipsec-00. 2081 draft-wang-ipsecme-ike-yang-00. 2082 draft-wang-ipsecme-ipsec-yang-00."; 2083 } 2085 /*--------------------*/ 2086 /* Feature */ 2087 /*--------------------*/ 2089 feature ikev2 { 2090 description 2091 "Feature IKEv2"; 2093 } 2094 feature ikev2-transport { 2095 description 2096 "Common IKEv2 Transport attributes"; 2097 } 2098 feature ikev2-transport-anti-replay-mechanism { 2099 description 2100 "Optional: Enable INVALID_MESSAGE_ID defines whether an"+ 2101 " optional INVALID_MESSAGE_ID Notify Payload is sent when"+ 2102 " the IKEv2 message received is outside the Operational"+ 2103 " Window Size"; 2104 } 2105 feature ikev2-transport-enable-notify-invalid-msg-id { 2106 description 2107 "Feature IKEv2 Transport enable notify of invalid message id"; 2109 } 2110 feature ikev2-transport-retransmission { 2111 description 2112 "Feature IKEv2 Transport retransmission"; 2114 } 2115 feature ikev2-transport-cookie-mechanism { 2116 description 2117 "Feature IKEv2 Transport Cookie mechanism"; 2119 } 2120 feature ikev2-init { 2121 description 2122 "Feature IKEv2 INIT"; 2124 } 2125 feature ikev2-init-authorized-dh { 2126 description 2127 "Feature IKEv2 INIT authorized Diffie-Hellman (DH)"; 2129 } 2130 feature ikev2-init-authorized-certification-auth { 2131 description 2132 "Feature IKEv2 INIT authorized certification author"; 2134 } 2135 feature ikev2-init-nat-detection-src-ip { 2136 description 2137 "Feature IKEv2 INIT NAT Detection Source IP Address"; 2139 } 2140 feature ikev2-init-nat-detection-destination-ip { 2141 description 2142 "Feature IKEv2 INIT Detection Destination IP Address"; 2144 } 2145 feature ikev2-init-redirect-supported { 2146 description 2147 "Feature IKEv2 INIT Redirect Supported"; 2149 } 2150 feature ikev2-init-fragmentation-supported { 2151 description 2152 "Feature IKEv2 INIT Fragmentation Supported"; 2154 } 2155 feature ikev2-init-responder-certreq { 2156 description 2157 "Feature IKEv2 INIT Responder CERTREQ"; 2158 } 2159 feature ikev2-init-optional { 2160 description 2161 "Feature IKEv2 INIT Optional Attributes"; 2162 } 2163 feature ikev2-auth-mobike-supported { 2164 description 2165 "Feature IKEv2 AUTH Mobike Supported"; 2167 } 2168 feature ikev2-auth-rohc-supported { 2169 description 2170 "Feature IKEv2 AUTH RObust Header Compression ROHC Supported"; 2172 } 2173 feature ikev2-auth-childless-supported { 2174 description 2175 "Feature IKEv2 AUTH Childless Supported"; 2177 } 2178 feature ikev2-auth-message-id-supported { 2179 description 2180 "Feature IKEv2 AUTH Message ID supported"; 2182 } 2183 feature ikev2-auth-ipsec-replay-counter-sync-supported { 2184 description 2185 "Feature IKEv2 AUTH IPSec Replay Counter Sync Supported"; 2187 } 2188 feature ikev2-auth-erx-supported { 2189 description 2190 "Feature IKEv2 AUTH ERX Supported"; 2192 } 2193 feature ikev2-auth-clone-ike-sa-supported { 2194 description 2195 "Feature IKEv2 AUTH Clone IKE-SA Supported"; 2197 } 2199 feature ikev2-sa { 2200 description 2201 "Feature IKEv2 Security Association (SA)"; 2202 } 2204 feature ikev2-auth { 2205 description 2206 "Feature IKEv2 AUTH"; 2207 } 2209 feature ikev2-peer { 2210 description 2211 "Feature IKEv2 Peer"; 2212 } 2214 feature ikev2-state { 2215 description 2216 "IKEv2 Operational State"; 2217 } 2219 feature ikev2-proposal-state { 2220 description 2221 "IKEv2 Proposal Operational State"; 2222 } 2224 feature ikev2-transport-state { 2225 description 2226 "IKEv2 Transport State"; 2227 } 2229 /*--------------------*/ 2230 /* Typedefs */ 2231 /*--------------------*/ 2232 typedef ipsec-spi { 2233 type uint64 { 2234 range "1..max"; 2235 } 2236 description 2237 "Security Parameter Index SPI"; 2238 } 2239 typedef transport-protocol-name-t { 2240 type enumeration { 2241 enum tcp { 2242 value 1; 2243 description 2244 "Transmission Control Protocol (TCP) Transport Protocol."; 2245 } 2246 enum udp { 2247 value 2; 2248 description 2249 "User Datagram Protocol (UDP) Transport Protocol"; 2250 } 2251 enum sctp { 2252 value 3; 2253 description 2254 "Stream Control Transmission Protocol (SCTP) Transport "+ 2255 "Protocol"; 2256 } 2257 enum icmp { 2258 value 4; 2259 description 2260 "Internet Control Message Protocol (ICMP) Transport "+ 2261 "Protocol"; 2262 } 2263 } 2264 description 2265 "Enumeration of well known transport protocols."; 2266 } 2268 typedef role-t { 2269 type enumeration { 2270 enum any { 2271 value 0; 2272 description 2273 "Role: Any"; 2274 } 2275 enum initiator { 2276 value 1; 2277 description 2278 "Role: Initiator"; 2279 } 2280 enum responder { 2281 value 2; 2282 description 2283 "Role: Responder"; 2284 } 2285 } 2286 description 2287 "Role Type"; 2288 } 2290 typedef cryptographic-material-t { 2291 type enumeration { 2292 enum sk-d { 2293 value 0; 2294 description 2295 "SK_d"; 2296 } 2297 enum sk-ai { 2298 value 1; 2299 description 2300 "SK_ai"; 2301 } 2302 enum sk-ar { 2303 value 2; 2304 description 2305 "SK_ar"; 2306 } 2307 enum sk-ei { 2308 value 3; 2309 description 2310 "SK_ei"; 2311 } 2312 enum sk-er { 2313 value 4; 2314 description 2315 "SK_er"; 2316 } 2317 enum sk-pi { 2318 value 5; 2319 description 2320 "SK_pi"; 2321 } 2322 enum sk-pr { 2323 value 6; 2324 description 2325 "SK_pr"; 2326 } 2327 enum skeyseed { 2328 value 7; 2329 description 2330 "SKEYSEED"; 2331 } 2332 enum nonces { 2333 value 8; 2334 description 2335 "Nonces"; 2337 } 2338 } 2339 description 2340 "Cryptographic Material Type"; 2341 } 2343 typedef ikev2-proposal-number-ref { 2344 type leafref { 2345 path "/ikev2/init/proposal/number"; 2346 } 2347 description 2348 "reference to IKEv2 proposal number"; 2349 } 2351 typedef ikev2-transport-base-mjver-ref { 2352 type leafref { 2353 path "/ikev2/transport/base-info/major-version"; 2354 } 2355 description 2356 "reference to IKEv2 Transport Base Information 2357 Major Version"; 2358 } 2360 typedef ikev2-transport-base-mnver-ref { 2361 type leafref { 2362 path "/ikev2/transport/base-info/minor-version"; 2363 } 2364 description 2365 "reference to IKEv2 Transport Base Information 2366 Minor Version"; 2367 } 2369 typedef ikev2-transport-base-spi-gen-policy-ref { 2370 type leafref { 2371 path "/ikev2/transport/base-info/spi-generation-policy"; 2372 } 2373 description 2374 "reference to IKEv2 Transport Base Information 2375 SPI Generation Policy"; 2376 } 2378 typedef ikev2-transport-anti-replay-mechanism-window-size-ref { 2379 type leafref { 2380 path "/ikev2/transport/anti-replay-mechanism/window-size"; 2381 } 2382 description 2383 "reference to IKEv2 Transport Anti Replay Mechanism 2384 Window Size"; 2385 } 2386 typedef ikev2-transport-anti-replay-mechanism-enable-notify-ref { 2387 type leafref { 2388 path "/ikev2/transport/anti-replay-mechanism/"+ 2389 "enable-notify-invalid-msg-id"; 2390 } 2391 description 2392 "reference to IKEv2 Transport Anti Replay Mechanism 2393 Enable Notify Invalid Message ID"; 2394 } 2396 /*--------------------*/ 2397 /* grouping */ 2398 /*--------------------*/ 2400 /* The following groupings are used in both configuration data 2401 and operational state data */ 2402 grouping name-grouping { 2403 description 2404 "This grouping provides a leaf identifying the name."; 2405 leaf name { 2406 type string; 2407 description 2408 "Name of a identifying."; 2409 } 2410 leaf description { 2411 type string; 2412 description 2413 "Specify the description."; 2414 } 2415 } 2417 grouping ip-address-grouping { 2418 description 2419 "IP Address grouping"; 2421 choice ip-address { 2422 description 2423 "Choice of IPv4 or IPv6."; 2424 leaf ipv4-address { 2425 type inet:ipv4-address; 2426 description 2427 "Specifies the identity as a single four (4) 2428 octet IPv4 address. 2429 An example is, 10.10.10.10. "; 2430 } 2431 leaf ipv6-address { 2432 type inet:ipv6-address; 2433 description 2434 "Specifies the identity as a single sixteen (16) "+ 2435 "octet IPv6 address. "+ 2436 "An example is, "+ 2437 "FF01::101, 2001:DB8:0:0:8:800:200C:417A ."; 2438 } 2439 } 2440 } 2442 grouping certificate-auth-grouping { 2443 description 2444 "Certificate Authority"; 2445 leaf cert-encoding { 2446 type ikev2-crypto:ikev2-cert-encoding-t; 2447 description 2448 "Certificate Authority Encoding"; 2449 } 2450 leaf cert-value { 2451 type uint32; 2452 description 2453 "Certificate Authority value"; 2454 } 2455 } 2457 grouping sequence-number-grouping { 2458 description 2459 "This grouping provides a leaf identifying 2460 a sequence number."; 2461 leaf sequence-number { 2462 type uint32 { 2463 range "1..4294967295"; 2464 } 2465 description 2466 "Specify the sequence number."; 2467 } 2468 } 2470 grouping description-grouping { 2471 description 2472 "description for free use."; 2473 leaf description { 2474 type string; 2475 description 2476 "description for free use."; 2477 } 2478 } 2480 grouping transform-encr-algorithm-grouping { 2481 description 2482 "Transform Type 1, Encryption Algorithm"; 2484 list transform-encr-algorithm { 2485 key "encr-algorithm key-length"; 2486 leaf encr-algorithm { 2487 type ikev2-crypto:ikev2-encryption-algorithm-t; 2488 description 2489 "IKEv2 Transform Type 1, Encryption Algorithm"; 2490 } 2491 leaf key-length { 2492 type uint32; 2493 description 2494 "IKEv2 Transform Type 1, key length for Encryption"+ 2495 " Algorithm"; 2496 } 2497 description 2498 "IKEv2 Transform Type 1, Encryption Algorithm"; 2499 } 2500 } 2502 grouping transform-prf-algorithm-grouping { 2503 description 2504 "IKEv2 Transform Type 2, Pseudo-Random Function PRF"; 2505 list transform-prf-algorithm { 2506 key "prf-algorithm key-length"; 2507 leaf prf-algorithm { 2508 type ikev2-crypto:ikev2-pseudo-random-function-t; 2509 description 2510 "IKEv2 Transform Type 2, Pseudo-Random Function"+ 2511 " (PRF) Algorithm"; 2512 } 2513 leaf key-length { 2514 type uint32; 2515 description 2516 "IKEv2 Transform Type 2, key length for PRF"; 2517 } 2518 description 2519 "IKEv2 Transform Type 2, Pseudo-Random Function PRF"; 2520 } 2521 } 2523 grouping transform-integrity-algorithm-grouping { 2524 description 2525 "IKEv2 Transform Type 3, Integrity Algorithm"; 2526 list transform-integrity-algorithm { 2527 key "integrity-algorithm key-length"; 2528 leaf integrity-algorithm { 2529 type ikev2-crypto:ikev2-integrity-algorithm-t; 2530 description 2531 "IKEv2 Transform Type 3, Integrity Algorithm"; 2533 } 2534 leaf key-length { 2535 type uint32; 2536 description 2537 "IKEv2 Transform Type 3, key length for Integrity"+ 2538 " Algorithm"; 2539 } 2540 description 2541 "IKEv2 Transform Type 3, Integrity Algorithm"; 2542 } 2543 } 2545 grouping transform-dh-grouping { 2546 description 2547 "IKEv2 Transform Type 4, Diffie-Hellman Group (DH)"; 2548 list transform-dh { 2549 key "dh key-length"; 2550 leaf dh { 2551 type ikev2-crypto:ikev2-diffie-hellman-group-t; 2552 description 2553 "IKEv2 Transform Type 4, Diffie-Hellman Group (DH)"; 2554 } 2555 leaf key-length { 2556 type uint32; 2557 description 2558 "IKEv2 Transform Type 4, key length for Diffie-Hellman"+ 2559 " Group (DH)"; 2560 } 2561 description 2562 "IKEv2 Transform Type 4, Diffie-Hellman Group (DH)"; 2563 } 2564 } 2566 grouping ikev2-proposal-grouping { 2567 description 2568 "IKEv2 Proposal"; 2569 list proposal { 2570 key "number"; 2571 description 2572 "Configure IKEv2 proposal"; 2573 uses name-grouping; 2574 uses transform-encr-algorithm-grouping; 2575 uses transform-prf-algorithm-grouping; 2576 uses transform-integrity-algorithm-grouping; 2577 uses transform-dh-grouping; 2578 leaf number { 2579 type uint32; 2580 description 2581 "specify the order the proposals are sent"; 2583 } 2584 leaf protocol { 2585 type ikev2-crypto:ikev2-protocol-identifiers-t; 2586 description 2587 "IKEv2 Proposal Protocol Identifier"; 2588 } 2589 } 2590 } 2592 grouping ikev2-retransmission-grouping { 2593 description 2594 "IKEv2 retransmission policy configuration"; 2595 container retransmision { 2596 if-feature ikev2-transport-retransmission; 2597 leaf max-retries { 2598 type uint32; 2599 description 2600 "maximum retry when retransmission failed"; 2601 } 2602 leaf initial-retransmission-timeout { 2603 type uint32; 2604 description 2605 "initial retransmission timeout value"; 2606 } 2607 leaf retransmission-timeout-policy { 2608 type string; 2609 description 2610 "defines of the Retransmission Timeout should be"+ 2611 " computed"; 2612 } 2613 leaf max-response-buffer-timeout { 2614 type uint32; 2615 description 2616 "This timer set when the response buffer can be clean"+ 2617 " when the message ID is not being updated. It value"+ 2618 " is expected to be in the order of several minutes"; 2619 } 2620 leaf keepalive-timeout { 2621 type uint32; 2622 description 2623 "Keep-alive timeout"; 2624 } 2625 leaf nat-keepalive-timeout { 2626 type uint32; 2627 description 2628 "Network Address Translation (NAT) Keep-alive timeout"; 2629 } 2630 description 2631 "IKEv2 retransmission policy configuration"; 2633 } 2634 } 2636 grouping ikev2-cookie-mechanism-grouping { 2637 description 2638 "IKEv2 Cookie Mechanism"; 2639 container cookie-mechanism { 2640 if-feature ikev2-transport-cookie-mechanism; 2641 leaf cookie-lifetime { 2642 type uint32; 2643 description 2644 "Cookie Lifetime"; 2645 } 2646 leaf half-open-ike-sa-threshold { 2647 type uint32; 2648 description 2649 "Half-open IKE-SA Threshold"; 2650 } 2651 description 2652 "IKEv2 Cookie Mechanism"; 2653 } 2654 } 2656 grouping ikev2-auth-avail-signing-capabilities-grouping { 2657 description 2658 "IKEv2 AUTH Available Signing Capabilities"; 2659 list avail-signing-capabilities { 2660 key "auth-method-name"; 2661 description 2662 "availiable signing capabilities"; 2663 leaf auth-method-name { 2664 type string; 2665 description 2666 "Authentication method name"; 2667 } 2668 leaf auth-method { 2669 type ikev2-crypto:ikev2-authentication-method-t; 2670 description 2671 "type of authentication method"; 2672 } 2673 leaf auth-material-data { 2674 type string; 2675 description 2676 "authentication material data"; 2677 } 2678 } 2679 } 2681 grouping ikev2-cert-auth-grouping { 2682 description 2683 "IKEv2 AUTH Certificate Authentication"; 2684 container cert-auth { 2685 description 2686 "Certificate authentication"; 2687 leaf cert-auth-encoding { 2688 type ikev2-crypto:ikev2-cert-encoding-t; 2689 description 2690 "certificate authentication encoding"; 2691 } 2692 leaf cert-auth-value { 2693 type uint32; 2694 description 2695 "certificate authentication value"; 2696 } 2697 } 2698 } 2700 grouping ikev2-cert-authentication-material-grouping { 2701 description 2702 "IKEv2 CERT Authentication Material"; 2703 leaf cert-authentication-type { 2704 type string; 2705 default "cert"; 2706 description 2707 "CERT Authentication Type"; 2708 } 2709 uses ikev2-cert-auth-grouping; 2710 } 2712 grouping ikev2-auth-avail-hash-capabilities-grouping { 2713 description 2714 "IKEv2 AUTH Available Hash Capabilities"; 2715 list avail-hash { 2716 key "hash-method"; 2717 description 2718 "available hash"; 2719 leaf hash-method { 2720 type string; 2721 description 2722 "hash method"; 2723 } 2724 leaf auth-hash-lifetime { 2725 type uint32; 2726 description 2727 "Authentication Hash lifetime"; 2728 } 2729 } 2730 } 2731 grouping ikev2-auth-avail-signature-verification-grouping { 2732 description 2733 "IKEv2 AUTH Available Signature Verification"; 2734 list avail-signature-verify { 2735 key "signature-id"; 2736 description 2737 "available signature verification"; 2738 leaf signature-id { 2739 type string; 2740 description 2741 "signature ID"; 2742 } 2743 leaf signature-lifetime { 2744 type uint32; 2745 description 2746 "signature lifetime"; 2747 } 2748 } 2749 } 2751 grouping local-id-grouping { 2752 description 2753 "IKEv2 AUTH Local ID"; 2754 list local-id { 2755 key "host-id"; 2756 description 2757 "list of Local ID"; 2758 leaf host-id { 2759 type string; 2760 description 2761 "Local Host ID"; 2762 } 2763 leaf preference { 2764 type string; 2765 description 2766 "Local Preference"; 2767 } 2768 leaf id-type { 2769 type string; 2770 description 2771 "Local ID type"; 2772 } 2773 leaf id-value { 2774 type string; 2775 description 2776 "ID value"; 2777 } 2778 } 2780 } 2782 grouping ikev2-vendor-id-grouping { 2783 description 2784 "IKEv2 Vendor ID"; 2785 leaf vendor-id { 2786 type uint64; 2787 description 2788 "IKEv2 Vendor ID"; 2789 } 2790 } 2792 grouping ikev2-base-info-grouping { 2793 description 2794 "IKEv2 Base Information"; 2795 container base-info { 2796 description 2797 "IKEv2 basic information"; 2798 leaf major-version { 2799 type uint8; 2800 default 2; 2801 description 2802 "IKEv2 Major Version"; 2803 } 2804 leaf minor-version { 2805 type uint8; 2806 default 0; 2807 description 2808 "IKEv2 Minor Version"; 2809 } 2810 leaf spi-generation-policy { 2811 type string; 2812 description 2813 "SPI genration policy"; 2814 } 2815 } 2816 } 2818 grouping ikev2-anti-replay-mechanism-grouping { 2819 description 2820 "IKEv2 Anti Replay Mechanism"; 2821 container anti-replay-mechanism { 2822 leaf window-size { 2823 type uint32; 2824 default 1; 2825 description 2826 "Window Size defines how much parallel exchange can"+ 2827 " be performed between the peers. By default this"+ 2828 " value is set to 1. When greater than 1, as defined"+ 2829 " in [RFC7296] section 2.3, a SET_WINDOW_SIZE Notify"+ 2830 " Payloads will be sent by the peer to agree withe the"+ 2831 " other peer on the Window Size. After this exchange"+ 2832 " succeeds, the operational attribute that defines"+ 2833 " the Window Size used by the IKE_SA, will be updated"+ 2834 " with the value agreed by the peers."; 2835 } 2836 leaf enable-notify-invalid-msg-id { 2837 if-feature ikev2-transport-enable-notify-invalid-msg-id; 2838 type empty; 2839 description 2840 "Optional Enable INVALID_MESSAGE_ID defines whether an"+ 2841 " optional INVALID_MESSAGE_ID Notify Payload is sent"+ 2842 " when the IKEv2 message received is outside the"+ 2843 " Operational Window Size."; 2844 } 2845 description 2846 "Anti Replay Mechanism describes when message should be"+ 2847 " rejected or considered by the IKEv2 daemon. The anti"+ 2848 " reply mechanism is defined for each session."; 2849 } 2850 } 2852 grouping ikev2-init-optional-grouping { 2853 description 2854 "IKEv2 INIT Optional"; 2855 container optional { 2856 if-feature ikev2-init-optional; 2857 container nat-detection-source-ip { 2858 if-feature ikev2-init-nat-detection-src-ip; 2859 description 2860 "Optional support: for Network Address Translation (NAT)"+ 2861 " Destination Source IP Address, sent during the"+ 2862 " IKE_INIT"; 2863 uses ip-address-grouping; 2864 leaf nat-keepalive-interval { 2865 type uint16 { 2866 range "5..300"; 2867 } 2868 units "Seconds"; 2869 default 20; 2870 description "NAT detected and keepalive interval"; 2871 } 2872 } 2874 container nat-detection-destination-ip { 2875 if-feature ikev2-init-nat-detection-destination-ip; 2876 description 2877 "Optional support: for Network Address Translation (NAT)"+ 2878 " Detecttion Destination IP Address, sent during the"+ 2879 " IKE_INIT"; 2880 uses ip-address-grouping; 2881 leaf nat-keepalive-interval { 2882 type uint16 { 2883 range "5..300"; 2884 } 2885 units "Seconds"; 2886 default 20; 2887 description "NAT detected and keepalive interval"; 2888 } 2889 } 2891 leaf redirect-supported { 2892 if-feature ikev2-init-redirect-supported; 2893 type boolean; 2894 default true; 2895 description 2896 "Optional support: for redirect supported, sent"+ 2897 " during the IKE_INIT"; 2898 } 2899 leaf fragmentation-supported { 2900 if-feature ikev2-init-fragmentation-supported; 2901 type boolean; 2902 default true; 2903 description 2904 "Optional support: for fragmentation supported"+ 2905 " sent during the IKE_INIT"; 2906 } 2907 leaf mobike-supported { 2908 if-feature ikev2-auth-mobike-supported; 2909 type boolean; 2910 default true; 2911 description 2912 "Optional support: for mobike supported, sent during"+ 2913 " IKE-AUTH"; 2914 } 2915 leaf rohc-supported { 2916 if-feature ikev2-auth-rohc-supported; 2917 type boolean; 2918 default true; 2919 description 2920 "Optional support: for RObust Header Compression (ROHC)"+ 2921 " supported, sent during IKE-AUTH"; 2922 } 2923 leaf childless-ikev2-supported { 2924 if-feature ikev2-auth-childless-supported; 2925 type boolean; 2926 default true; 2927 description 2928 "Optional support: for CHILDLESS_IKEV2_SUPPORTED,"+ 2929 " sent during IKE-AUTH"; 2930 } 2931 leaf message-id-sync-supported { 2932 if-feature ikev2-auth-message-id-supported; 2933 type boolean; 2934 default true; 2935 description 2936 "Optional support: for IKEV2_MESSAGE_ID_SYNC_SUPPORTED,"+ 2937 " sent during IKE-AUTH"; 2938 } 2939 leaf ipsec-replay-counter-sync-supported { 2940 if-feature ikev2-auth-ipsec-replay-counter-sync-supported; 2941 type boolean; 2942 default true; 2943 description 2944 "Optional support: for"+ 2945 " IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED,"+ 2946 " sent during IKE-AUTH"; 2947 } 2948 leaf erx-supported { 2949 if-feature ikev2-auth-erx-supported; 2950 type boolean; 2951 default true; 2952 description 2953 "Optional support: for ERX_SUPPORTED,"+ 2954 " sent during IKE-AUTH"; 2955 } 2956 leaf clone-ike-sa-supported { 2957 if-feature ikev2-auth-clone-ike-sa-supported; 2958 type boolean; 2959 default true; 2960 description 2961 "Optional support: for CLONE_IKE_SA_SUPPORTED,"+ 2962 " sent during IKE-AUTH"; 2963 } 2964 description 2965 "IKEv2 INIT Optional Attributes"; 2966 } 2967 } 2969 grouping ikev2-initiator-id-grouping { 2970 container initiator-id { 2971 leaf initiator-id-type { 2972 type ikev2-crypto:pad-type-t; 2973 description 2974 "Initiator ID Type"; 2976 } 2977 leaf initiator-id { 2978 type string; 2979 description 2980 "Initiator ID"; 2981 } 2982 description 2983 "Initiator ID"; 2984 } 2985 description 2986 "Initiator ID"; 2987 } 2989 grouping ikev2-responder-id-grouping { 2990 container responder-id { 2991 leaf responder-id-type { 2992 type ikev2-crypto:pad-type-t; 2993 description 2994 "Responder ID Type"; 2995 } 2996 leaf responder-id { 2997 type string; 2998 description 2999 "Responder ID"; 3000 } 3001 description 3002 "Responder ID"; 3003 } 3004 description 3005 "Responder ID"; 3006 } 3008 grouping ikev2-transport-grouping { 3009 description 3010 "IKEv2 Transport Attributes"; 3011 container transport { 3012 if-feature ikev2-transport; 3013 description 3014 "Common IKEv2 transport attributes"; 3016 uses ikev2-base-info-grouping; 3017 uses ikev2-anti-replay-mechanism-grouping; 3018 uses ikev2-retransmission-grouping; 3019 uses ikev2-cookie-mechanism-grouping; 3020 uses ikev2-vendor-id-grouping; 3021 } // End of container transport 3022 } 3024 grouping ikev2-config-request-grouping { 3025 description 3026 "Optional Configuration Request"; 3027 container config-request { 3028 uses ip-address-grouping; 3029 description 3030 "Optional Configuration Requester"; 3031 } 3032 } 3034 grouping ikev2-config-responder-grouping { 3035 description 3036 "Optional Configuration Responder"; 3037 container config-responder { 3038 uses ip-address-grouping; 3039 description 3040 "Optional Configuration Responder"; 3041 } 3042 } 3044 grouping ikev2-init-grouping { 3045 description 3046 "IKEv2 INIT Attributes"; 3047 container init { 3048 if-feature ikev2-init; 3049 description 3050 "configuration attributes for the IKE_INIT exchange"; 3052 list authorized-dh { 3053 if-feature ikev2-init-authorized-dh; 3054 key "dhg key-length"; 3055 leaf dhg { 3056 type ikev2-crypto:ikev2-diffie-hellman-group-t; 3057 description 3058 "IKEv2 Transform Type 4, Diffie-Hellman Group (DH)"; 3059 } 3060 leaf key-length { 3061 type uint32; 3062 description 3063 "IKEv2 Transform Type 4, key length for Diffie-Hellman"+ 3064 " Group (DH)"; 3065 } 3066 description 3067 "IKEv2 INIT Authorized Diffie-Hellman"; 3068 } 3070 uses ikev2-proposal-grouping; 3071 uses ikev2-init-optional-grouping; 3073 leaf auth-method { 3074 type ikev2-crypto:ikev2-authentication-method-t; 3075 default auth-preshared; 3076 description 3077 "The authentication method of IKEv2 peer"; 3078 } 3080 container responder-certreq { 3081 if-feature ikev2-init-responder-certreq; 3082 uses certificate-auth-grouping; 3083 description 3084 "IKEv2 INIT Responder CERTREQ"; 3085 } 3087 uses ikev2-config-request-grouping; 3088 uses ikev2-config-responder-grouping; 3090 list authorized-cert-auth { 3091 if-feature ikev2-init-authorized-certification-auth; 3092 key "cert-encoding"; 3093 uses certificate-auth-grouping; 3094 description 3095 "IKev2 Initiator authorized certification authorities"; 3096 } 3097 } // end of container init 3098 } 3100 grouping ikev2-auth-grouping { 3101 description 3102 "IKEv2 AUTH Attributes"; 3103 container auth { 3104 if-feature ikev2-auth; 3105 description 3106 "IKEv2 AUTH Exchange"; 3107 uses ikev2-auth-avail-signing-capabilities-grouping; 3108 uses ikev2-cert-auth-grouping; 3109 uses ikev2-auth-avail-hash-capabilities-grouping; 3110 uses ikev2-auth-avail-signature-verification-grouping; 3111 uses local-id-grouping; 3112 container authorized-certificate-authority { 3113 uses certificate-auth-grouping; 3114 description 3115 "IKEv2 AUTH Authorized Certificate Authority"; 3116 } 3117 } // End of container auth 3118 } 3119 grouping ikev2-proposal-state-components { 3120 description 3121 "IKEv2 Operational state"; 3122 list proposal { 3123 if-feature ikev2-proposal-state; 3124 key "name"; 3125 description 3126 "IKEv2 proposal operational data"; 3127 uses name-grouping; 3129 leaf encryption-algorithm { 3130 type ikev2-crypto:ikev2-encryption-algorithm-t; 3131 description 3132 "Transform Type 1 - IKEv2 Encryption Algorithm"; 3133 } 3134 leaf prf-algorithm { 3135 type ikev2-crypto:ikev2-pseudo-random-function-t; 3136 description 3137 "Transform Type 2 - IKEv2 Pseudo-Random Function (PRF)"; 3138 } 3139 leaf integrity-algorithm { 3140 type ikev2-crypto:ikev2-integrity-algorithm-t; 3141 description 3142 "Transform Type 3 - IKEv2 Integrity Algorithms"; 3143 } 3144 leaf dh-group { 3145 type ikev2-crypto:ikev2-diffie-hellman-group-t; 3146 mandatory true; 3147 description 3148 "Transform Type 4 - IKEv2 Diffie-Hellman group."; 3149 } 3150 leaf esn { 3151 type ikev2-crypto:ikev2-extended-sequence-number-t; 3152 description 3153 "Transform Type 5 - IKEv2 Extended Sequence Number (ESN)"; 3154 } 3155 } 3156 leaf connection-type { 3157 type ikev2-crypto:ikev2-connection-type-t; 3158 description 3159 "define whether the corresponding IKEv2 SA is being used"+ 3160 " as an initiator or as a responder or both"; 3161 } 3162 } 3164 /*---------------------------------------------------------*/ 3165 /************* Configuration Data *************/ 3166 /*---------------------------------------------------------*/ 3168 /* ------------------- */ 3169 /* IKEv2 configuration */ 3170 /* ------------------- */ 3171 container ikev2 { 3172 if-feature ikev2; 3173 description 3174 "Configuration IPSec IKEv2"; 3176 uses ikev2-transport-grouping; 3177 uses ikev2-init-grouping; 3179 container sa { 3180 if-feature ikev2-sa; 3181 description 3182 "IKEv2 Security Association"; 3183 leaf role { 3184 type role-t; 3185 description 3186 "IKEv2 SA Role [any | initiator | responder]"; 3187 } 3188 container local-ip-address { 3189 description 3190 "IKEv2 SA Local IP Address"; 3191 uses ip-address-grouping; 3192 } 3193 container remote-ip-address { 3194 description 3195 "IKEv2 SA Remote IP Address"; 3196 uses ip-address-grouping; 3197 } 3198 leaf cryptgraphic { 3199 type cryptographic-material-t; 3200 description 3201 "Cryptographic Material Type"; 3202 } 3203 leaf lifetime { 3204 type uint32; 3205 description 3206 "lifetime for IKEv2 SAs 3207 0: for no timeout. 3208 300 .. 99999999: IKEv2 SA lifetime in seconds."; 3209 } 3210 leaf proposal { 3211 type ikev2-proposal-number-ref; 3212 description 3213 "IKE proposal number referenced by IKE peer"; 3214 } 3215 uses ikev2-base-info-grouping; 3216 uses ikev2-anti-replay-mechanism-grouping; 3218 list retransmistion-ctx { 3219 key "window-id"; 3220 leaf window-id { 3221 type uint32; 3222 description 3223 "Window ID"; 3224 } 3225 uses ikev2-retransmission-grouping; 3226 description 3227 "IKEv2 Security Association Retransmission CTX 3228 that contains the element to enable retransmission 3229 for all ongoing exchange"; 3230 } 3231 uses ikev2-initiator-id-grouping; 3232 uses ikev2-responder-id-grouping; 3233 uses ikev2-cert-authentication-material-grouping; 3234 uses ikev2-vendor-id-grouping; 3235 list optional-ctx { 3236 key "window-id"; 3237 description 3238 "Optional Security Association CTX"; 3239 leaf window-id { 3240 type uint32; 3241 description 3242 "Window ID"; 3243 } 3244 uses ikev2-init-optional-grouping; 3245 } 3246 } // end of container sa 3248 list peer { 3249 if-feature ikev2-peer; 3250 key "peer-address"; 3251 description "IKEv2 peer information"; 3252 leaf peer-address { 3253 type string; 3254 description 3255 "Peer address"; 3256 } 3257 leaf role { 3258 type role-t; 3259 default any; 3260 description 3261 "Peer Role [any | initiator | responder]"; 3262 } 3264 list peer-id-entries { 3265 key "peer-id peer-id-type"; 3266 description "IKE peer information"; 3267 leaf peer-id-type { 3268 type ikev2-crypto:pad-type-t; 3269 description 3270 "Peer ID Type"; 3271 } 3272 leaf peer-id { 3273 type string; 3274 description 3275 "Peer ID"; 3276 } 3277 } // End of peer-entries 3279 list session { 3280 key "session-label"; 3281 description 3282 "List of session"; 3283 leaf session-label { 3284 type string; 3285 description 3286 "Session Label"; 3287 } 3288 uses ikev2-initiator-id-grouping; 3289 uses ikev2-responder-id-grouping; 3290 uses ikev2-transport-grouping; 3291 uses ikev2-init-grouping; 3292 uses ikev2-auth-grouping; 3293 uses ikev2-config-request-grouping; 3294 uses ikev2-config-responder-grouping; 3295 } 3297 leaf preshared-key { 3298 type string; 3299 description "Preshare key"; 3300 } 3301 leaf nat-traversal { 3302 type boolean; 3303 default false; 3304 description 3305 "Enable/Disable Network Address Translation"+ 3306 " (NAT) traversal"; 3307 } 3308 } //End of peer 3310 } // End of ikev2 3312 /*---------------------------------------------------------*/ 3313 /************* Operational State *************/ 3314 /*---------------------------------------------------------*/ 3315 /*--------------------------*/ 3316 /* IKEv2 Operational State */ 3317 /*--------------------------*/ 3318 container ikev2-state { 3319 if-feature ikev2-state; 3320 config "false"; 3322 container transport-state { 3323 if-feature ikev2-transport-state; 3324 description 3325 "Common IKEv2 operational transport state"; 3326 leaf major-version { 3327 type uint8; 3328 default 2; 3329 description 3330 "IKEv2 Major Version"; 3331 } 3332 leaf minor-version { 3333 type uint8; 3334 default 0; 3335 description 3336 "IKEv2 Minor Version"; 3337 } 3338 leaf spi-generation-policy { 3339 type string; 3340 description 3341 "SPI genration policy"; 3342 } 3343 leaf exchange-type { 3344 type ikev2-crypto:ikev2-exchange-type-t; 3345 description 3346 "IKEv2 Exchange Type"; 3347 } 3348 leaf flags { 3349 type uint8; 3350 description 3351 "indicate specific options that are set for message"; 3352 } 3353 } 3355 list sa-state { 3356 key "initiator-spi responder-spi"; 3357 description 3358 "IKEv2 Security Association (SA) Operational State"; 3360 leaf initiator-spi { 3361 type ipsec-spi; 3362 description 3363 "initiator Security Parameter Index (SPI)"; 3364 } 3365 leaf responder-spi { 3366 type ipsec-spi; 3367 description 3368 "initiator Security Parameter Index (SPI)"; 3369 } 3370 list retransmistion-ctx { 3371 key "window-id"; 3372 leaf window-id { 3373 type uint32; 3374 description 3375 "Window ID"; 3376 } 3377 uses ikev2-retransmission-grouping; 3378 description 3379 "IKEv2 Security Association Retransmission CTX 3380 that contains the element to enable retransmission 3381 for all ongoing exchange"; 3382 } 3383 container anti-replay-mechanism { 3384 leaf window-size { 3385 type uint32; 3386 description 3387 "window size"; 3388 } 3389 leaf peer-request-msg-id { 3390 type uint32; 3391 description 3392 "Peer Request Message ID"; 3393 } 3394 leaf peer-response-msg-id { 3395 type uint32; 3396 description 3397 "Peer Response Message ID"; 3398 } 3399 leaf local-request-msg-id { 3400 type uint32; 3401 description 3402 "Local Request Message ID"; 3403 } 3404 leaf local-response-msg-id { 3405 type uint32; 3406 description 3407 "Local Response Message ID"; 3408 } 3409 description 3410 "IKEv2 Anti Replay Mechanism Operational State"; 3411 } 3412 uses ikev2-vendor-id-grouping; 3413 uses ikev2-initiator-id-grouping; 3414 uses ikev2-responder-id-grouping; 3415 uses ikev2-auth-grouping; 3416 leaf half-open-ike-sa-counter { 3417 type uint32; 3418 description 3419 "IKEv2 Cookie Mechanism Half-Open IKE-SA counter"; 3420 } 3421 list optional-ctx { 3422 key "window-id"; 3423 description 3424 "Optional Security Association CTX"; 3425 leaf window-id { 3426 type uint32; 3427 description 3428 "Window ID"; 3429 } 3430 uses ikev2-init-optional-grouping; 3431 } 3432 } 3433 description 3434 "Contain the operational data for IKEv2"; 3435 } 3436 } /* module ietf-ikev2 */ 3438 3440 6. Security Considerations 3442 The configuration, state, and action data defined in this document 3443 are designed to be accessed via the NETCONF protocol [RFC6241]. The 3444 data model by itself does not create any security implications. The 3445 security considerations for the NETCONF protocol are applicable. 3446 The NETCONF protocol used for sending the data supports 3447 authentication and encryption. 3449 7. References 3451 7.1. Normative References 3453 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 3454 Requirement Levels", BCP 14, RFC 2119, March 1997. 3456 [RFC2234] Crocker, D. and Overell, P.(Editors), "Augmented BNF for 3457 Syntax Specifications: ABNF", RFC 2234, Internet Mail 3458 Consortium and Demon Internet Ltd., November 1997. 3460 [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the 3461 Network Configuration Protocol (NETCONF)", RFC 6020, 3462 October 2010. 3464 [RFC6021] Schoenwaelder, J., "Common YANG Data Types", RFC 6021, 3465 October 2010. 3467 [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. 3468 Bierman, "Network Configuration Protocol (NETCONF)", RFC 3469 6241, June 2011. 3471 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., Kivinen, 3472 T., "Internet Key Exchange Protocol Version 2 (IKEv2)", 3473 RFC 5996, October 2014. 3475 [RFC6071] Frankel, S., Krishnan, S., "IP Security (IPsec) and 3476 Internet Key Exchange (IKE) Document Roadmap", February 3477 2011. 3479 7.2. Informative References 3481 [RFC6087] Bierman, A., "Guidelines for Authors and Reviewers of YANG 3482 Data Model Documents", RFC 6087, January 2011. 3484 Authors' Addresses 3486 Khanh Tran 3487 Ericsson 3488 300 Holger Way 3489 San Jose, CA 95134 3490 USA 3491 Email: khanh.x.tran@ericsson.com 3493 Daniel Migault 3494 Ericsson 3495 8500 Decarie Blvd 3496 Montreal, Quebec H4P 2N2 3497 CANADA 3498 Email: daniel.migault@ericsson.com 3500 Honglei Wang 3501 Huawei Technologies 3502 Huawei Bld., No.156 Beiqing Rd. 3503 Beijing 100095 3504 China 3505 Email: stonewater.wang@huawei.com 3507 Vijay Kumar Nagaraj 3508 Huawei Technologies 3509 Huawei Technologies India Pvt Ltd 3510 Bangalore 560008 3511 India 3512 Email: vijay.kn@huawei.com 3514 Xia Chen 3515 Huawei Technologies 3516 Huawei Bld., No.156 Beiqing Rd. 3517 Beijing 100095 3518 China 3519 Email: xiachen@huawei.com