idnits 2.17.1

draft-tran-ipsecme-yang-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** There are 28 instances of too long lines in the document, the longest one
     being 13 characters in excess of 72.

  == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 442 has weird spacing: '...unction      pse...'

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119.  Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).

     Found 'MUST not' in this paragraph:

     grouping identity-grouping {
       description
         "Identification type. It is an union identity, "+
         "possible type as follows: "+
         "a) ID_FQDN: A fully-qualified domain name string. "+
         "   An example of a ID_FQDN is, example.com. "+
         "   The string MUST not contain any terminators "+
         "(e.g., NULL, CR, etc.). "+
         "b) ID_RFC822_ADDR: A fully-qualified RFC822 email "+
         "   address string, An example of a ID_RFC822_ADDR is, "+
         "   jsmith@example.com. The string MUST not contain "+
         "   any terminators. "+
         "c) ID_IPV4_ADDR: A single four (4) octet IPv4 address. "+
         "d) ID_IPV6_ADDR: A single sixteen (16) octet IPv6 address. "+
         "e) DN_X509: Distinguished name in the X.509 tradition.";
       choice identity {
         description "Choice of identity.";
         leaf ipv4-address {
           type inet:ipv4-address;
           description
             "Specifies the identity as a single four (4) octet
              IPv4 address. An example is, 10.10.10.10. ";
         }
         leaf ipv6-address {
           type inet:ipv6-address;
           description
             "Specifies the identity as a single sixteen (16) "+
             "octet IPv6 address. "+
             "An example is, "+
             "FF01::101, 2001:DB8:0:0:8:800:200C:417A .";
         }
         leaf fqdn-string {
           type inet:domain-name;
           description
             "Specifies the identity as a Fully-Qualified Domain
              Name (FQDN) string. An example is: example.com.
              The string MUST not contain any terminators
              (e.g., NULL, CR, etc.).";
         }
         leaf rfc822-address-string {
           type string;
           description
             "Specifies the identity as a fully-qualified RFC822
              email address string. An example is,
              jsmith@example.com. The string MUST not contain
              any terminators (e.g., NULL, CR, etc.).";
         }
         leaf dnX509 {
           type string;
           description
             "Specifies the identity as a distinguished name in
              the X.509 tradition.";
         }
       }
     } /* grouping identity-grouping */

  -- The document date (October 19, 2015) is 3111 days in the past.  Is this
     intentional?
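The identity-grouping quoted in the warning above states a rule for each identity form (terminator-free FQDN and RFC822 strings, a single IPv4 or IPv6 address, an X.509 DN as a plain string), and the same choice reappears under pad-entries in the draft's tree diagram. The following Python example is added here and is not code from the draft: it validates identity values against those rules and builds a pad-entries entry in the RFC 7951 JSON encoding; the helper names, the pad-type value "peer" and the treatment of LF as a terminator are assumptions of the example.

```python
"""Validate ietf-ipsec identity values and build a pad-entries entry.

Added example, not code from the draft.  It enforces the rules stated in
the draft's identity-grouping (terminator-free FQDN and RFC822 strings,
a single IPv4 or IPv6 address, an X.509 DN given as a plain string) and
shapes the result like the pad-entries list in the draft's tree diagram.
Helper names, the pad-type value used below and the treatment of LF as a
terminator are assumptions of this example.
"""
import ipaddress
import json
import re

# Terminators the grouping forbids ("e.g., NULL, CR, etc."); LF added by assumption.
TERMINATORS = ("\x00", "\r", "\n")

# Leaf names of the (identity) choice, as listed in the draft's tree diagram.
IDENTITY_LEAVES = ("ipv4-address", "ipv6-address", "fqdn-string",
                   "rfc822-address-string", "dnX509")

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def _reject_terminators(kind, value):
    if any(t in value for t in TERMINATORS):
        raise ValueError(f"{kind}: identity contains a terminator character")


def validate_identity(kind, value):
    """Return the canonical value for identity leaf `kind`, or raise ValueError."""
    if kind not in IDENTITY_LEAVES:
        raise ValueError(f"unknown identity leaf {kind!r}")
    if not isinstance(value, str) or not value:
        raise ValueError(f"{kind}: identity must be a non-empty string")
    if kind in ("ipv4-address", "ipv6-address"):
        addr = ipaddress.ip_address(value)  # raises ValueError on malformed input
        want = 4 if kind == "ipv4-address" else 6
        if addr.version != want:
            raise ValueError(f"{kind}: not an IPv{want} address")
        return str(addr)  # IPv6 comes back in compressed lowercase form
    if kind == "fqdn-string":
        _reject_terminators(kind, value)
        if len(value) > 253 or not _FQDN_RE.match(value):
            raise ValueError("fqdn-string: not a valid domain name")
        return value.lower()
    if kind == "rfc822-address-string":
        _reject_terminators(kind, value)
        local, sep, domain = value.rpartition("@")
        if not sep or not local or len(domain) > 253 or not _FQDN_RE.match(domain):
            raise ValueError("rfc822-address-string: not a valid mailbox")
        return f"{local}@{domain.lower()}"
    # dnX509: the draft types it as a plain string and states no further syntax.
    return value


def pad_entry(pad_id, pad_type, kind, value, ike_peer_name=None,
              auth_algorithm=None, preshared_key=False, rsa_signature=False):
    """Build one pad-entries list entry (as a dict) shaped like the draft's tree."""
    entry = {"pad-id": int(pad_id), "pad-type": pad_type,
             kind: validate_identity(kind, value)}
    if ike_peer_name is not None:
        entry["ike-peer-name"] = ike_peer_name
    auth = {}
    if auth_algorithm is not None:
        auth["algorithm"] = auth_algorithm
    if preshared_key:
        auth["preshared-key"] = [None]  # YANG 'empty' leaf in JSON encoding (RFC 7951)
    if rsa_signature:
        auth["rsa-signature"] = [None]
    if auth:
        entry["peer-authentication"] = auth
    return entry


def pad_instance(entries):
    """Serialize entries as an ietf-ipsec instance document in RFC 7951 JSON."""
    doc = {"ietf-ipsec:ipsec": {"pad": {"pad-entries": list(entries)}}}
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    # "peer" is a placeholder: the values of pad-type-t are not given in this excerpt.
    entries = [
        pad_entry(1, "peer", "fqdn-string", "Example.COM", "hq-gw", preshared_key=True),
        pad_entry(2, "peer", "ipv6-address", "2001:DB8:0:0:8:800:200C:417A",
                  rsa_signature=True),
    ]
    print(pad_instance(entries))
```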
  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC2234' is defined on line 4470, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC6020' is defined on line 4474, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC6021' is defined on line 4478, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC6071' is defined on line 4489, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC6087' is defined on line 4495, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2234 (Obsoleted by RFC 4234)

  ** Obsolete normative reference: RFC 6021 (Obsoleted by RFC 6991)

  ** Obsolete normative reference: RFC 5996 (ref. 'RFC7296') (Obsoleted by RFC
     7296)

  ** Downref: Normative reference to an Informational RFC: RFC 6071

  -- Obsolete informational reference (is this intentional?): RFC 6087
     (Obsoleted by RFC 8407)

     Summary: 6 errors (**), 0 flaws (~~), 9 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                            K. Tran
Internet Draft                                                  Ericsson
Intended status: Standard Track                                  H. Wang
Expires: April 19, 2016                                       V. Nagaraj
                                                                 X. Chen
                                                     Huawei Technologies
                                                        October 19, 2015

         Yang Data Model for Internet Protocol Security (IPsec)
                    draft-tran-ipsecme-yang-00.txt

Abstract

   This document defines a YANG data model that can be used to
   configure and manage Internet Protocol Security (IPsec).  The model
   covers the IPsec protocol operational state, remote procedural
   calls, and event notifications data.
Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on November 15, 2009.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.  Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
   2. Conventions used in this document
   3. IPsec Configuration and Operation Model Overview
      3.1. IPsec Configuration Data Model
      3.2. IKEv1 Configuration Data Model
      3.3. IKEv2 Configuration Data Model
      3.4. IPsec Operation Data Model
      3.5. IKEv1 Operation Data Model
      3.6. IKEv2 Operation Data Model
      3.7. IPsec SAD Operational Data Model
      3.8. IPsec SPD Operational Data Model
      3.9. IPsec Global Statistics Operational Data Model
      3.10. RPC Operation
      3.11. Notifications
   4. IPsec YANG Module
   5. Security Considerations
   6. References
      6.1. Normative References
      6.2. Informative References

1. Introduction

   Internet Protocol Security (IPsec) is a suite of protocols that
   provides security to internet communications at the IP layer.  This
   document defines a YANG data model that can be used to configure and
   manage the IPsec protocol including Encapsulating Security Payload
   (ESP), Authentication Header (AH), Internet Key Exchange version 1
   (IKEv1), and Internet Key Exchange version 2 (IKEv2) components.

2. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [RFC2119].

   In this document, these words will appear with that interpretation
   only when in ALL CAPS.  Lower case uses of these words are not to be
   interpreted as carrying RFC-2119 significance.

   In this document, the characters ">>" preceding an indented line(s)
   indicates a compliance requirement statement using the key words
   listed above.
   This convention aids reviewers in quickly identifying or finding the
   explicit compliance requirements of this RFC.

3. IPsec Configuration and Operation Model Overview

   This section gives the relationship of AH/ESP/SA with IPsec, and of
   IKEv2 with IPsec.

   Figure 1 shows the protocols (AH and ESP) associated with IPsec.

   +------------------------------------------------+
   |                                                |
   |      Internet Protocol Security (IPsec)        |
   |                 +------------+                 |
   |                 |   AH/ESP   |                 |
   |                 +------------+                 |
   |                       |                        |
   |                       V                        |
   |                 +------------+                 |
   |                 |     SA     |                 |
   |                 +------------+                 |
   |                       |                        |
   |                       V                        |
   |                 +------------+                 |
   |                 |   IPsec    |                 |
   |                 | Data Model |                 |
   |                 +------------+                 |
   |                                                |
   +------------------------------------------------+

        Figure 1. Relationship between AH/ESP/SA and IPsec

   Figure 2 shows the relationship of the IPsec module with the other
   modules for IKEv2.

        IPsec Crypto Module                  IPsec Type Module
        +--------------------+               +-------------------+
        |  ietf-ipsec-crypto |               |  ietf-ipsec-type  |
        +--------------------+               +-------------------+
          |         |                           |        |
          |         |                           |        |
          |         |                           |        |
   INET Basic Type  |     v    IPsec Module     v        |  IKE Crypto Module
   +----------------+  |  +-----------------+  |  +---------------+
   |ietf-inet-types |  |  |   ietf-ipsec    |  |  |ietf-ike-crypto|
   +----------------+  |  +-----------------+  |  +---------------+
          |            |          |            |          |
          |            |          |            |          |
          |            v          v            v          |
          |     +---------------------------+             |
          +---->|         ietf-ike          |<------------+
                +---------------------------+

     Figure 2. Relationship of IKE with IPsec module and other modules

3.1. IPsec Configuration Data Model

   The IPsec data model provides the appropriate leaves for configuring
   the IPsec protocol.  The IPsec YANG data model shall contain AH,
   ESP, Security Policy (SP), Security Policy Database (SPD), Security
   Association (SA), Security Association Database (SAD), and Peer
   Authorization Database (PAD) components.
   module: ietf-ipsec
      +--rw ipsec {ipsec}?
      |  +--rw sad {ipsec-sad}?
      |  |  +--rw sad-entries* [spi direction]
      |  |     +--rw spi                              uint32
      |  |     +--rw anti-replay-window?              uint16
      |  |     +--rw ip-comp?                         empty
      |  |     +--rw local-peer
      |  |     |  +--rw (ip-address)?
      |  |     |     +--:(ipv4-address)
      |  |     |     |  +--rw ipv4-address?          inet:ipv4-address
      |  |     |     +--:(ipv6-address)
      |  |     |        +--rw ipv6-address?          inet:ipv6-address
      |  |     +--rw remote-peer
      |  |     |  +--rw (ip-address)?
      |  |     |     +--:(ipv4-address)
      |  |     |     |  +--rw ipv4-address?          inet:ipv4-address
      |  |     |     +--:(ipv6-address)
      |  |     |        +--rw ipv6-address?          inet:ipv6-address
      |  |     +--rw sa-mode?                         ipsec-mode
      |  |     +--rw security-protocol?               ipsec-protocol
      |  |     +--rw sequence-number?                 uint64
      |  |     +--rw sequence-number-overflow-flag?   boolean
      |  |     +--rw path-mtu?                        uint16
      |  |     +--rw life-time
      |  |     |  +--rw life-time-in-seconds?         uint32
      |  |     |  +--rw remain-life-time-in-seconds?  uint32
      |  |     |  +--rw life-time-in-byte?            uint32
      |  |     |  +--rw remain-life-time-in-byte?     uint32
      |  |     +--rw upper-protocol?                  string
      |  |     +--rw direction                        ipsec-traffic-direction
      |  |     +--rw source-address
      |  |     |  +--rw (ip-address)?
      |  |     |  |  +--:(ipv4-address)
      |  |     |  |  |  +--rw ipv4-address?          inet:ipv4-address
      |  |     |  |  +--:(ipv6-address)
      |  |     |  |     +--rw ipv6-address?          inet:ipv6-address
      |  |     |  +--rw port-number?                  uint32
      |  |     +--rw destination-address
      |  |     |  +--rw (ip-address)?
      |  |     |  |  +--:(ipv4-address)
      |  |     |  |  |  +--rw ipv4-address?          inet:ipv4-address
      |  |     |  |  +--:(ipv6-address)
      |  |     |  |     +--rw ipv6-address?          inet:ipv6-address
      |  |     |  +--rw port-number?                  uint32
      |  |     +--rw nat-traversal-flag?              boolean
      |  |     +--rw ah
      |  |     |  +--rw (authentication-algorithm)?
      |  |     |     +--:(hmac-aes-xcbc)
      |  |     |     |  +--rw hmac-aes-xcbc
      |  |     |     |     +--rw key-str?            union
      |  |     |     +--:(hmac-md5-96)
      |  |     |     |  +--rw hmac-md5-96
      |  |     |     |     +--rw key-str?            union
      |  |     |     +--:(hmac-sha1-96)
      |  |     |     |  +--rw hmac-sha1-96
      |  |     |     |     +--rw key-str?            union
      |  |     |     +--:(key-string)
      |  |     |        +--rw key-string
      |  |     |           +--rw key-str?            union
      |  |     +--rw esp
      |  |        +--rw authentication
      |  |        |  +--rw (authentication-algorithm)?
      |  |        |     +--:(hmac-aes-xcbc)
      |  |        |     |  +--rw hmac-aes-xcbc
      |  |        |     |     +--rw key-str?         union
      |  |        |     +--:(hmac-md5-96)
      |  |        |     |  +--rw hmac-md5-96
      |  |        |     |     +--rw key-str?         union
      |  |        |     +--:(hmac-sha1-96)
      |  |        |     |  +--rw hmac-sha1-96
      |  |        |     |     +--rw key-str?         union
      |  |        |     +--:(key-string)
      |  |        |        +--rw key-string
      |  |        |           +--rw key-str?         union
      |  |        +--rw encryption
      |  |           +--rw (encryption-algorithm)?
      |  |              +--:(des3-cbc)
      |  |              |  +--rw des3-cbd
      |  |              |     +--rw key-str?         union
      |  |              +--:(aes-128-cbc)
      |  |              |  +--rw aes-128-cbc
      |  |              |     +--rw key-str?         union
      |  |              +--:(aes-192-cbc)
      |  |              |  +--rw aes-192-cbc
      |  |              |     +--rw key-str?         union
      |  |              +--:(aes-256-cbc)
      |  |              |  +--rw aes-256-cbc
      |  |              |     +--rw key-str?         union
      |  |              +--:(des-cbc)
      |  |              |  +--rw des-cbc
      |  |              |     +--rw key-str?         union
      |  |              +--:(key-string)
      |  |                 +--rw key-string
      |  |                    +--rw key-str?         union
      |  +--rw proposal {ipsec-proposal}?
      |  |  +--rw ipsec-proposal* [name]
      |  |     +--rw name                  string
      |  |     +--rw ah?                   ike-integrity-algorithm-t
      |  |     +--rw esp
      |  |     |  +--rw authentication?    ike-integrity-algorithm-t
      |  |     |  +--rw encryption?        ike-encryption-algorithm-t
      |  |     +--rw ip-comp?              empty
      |  |     +--rw lifetime
      |  |        +--rw kbytes?            uint32
      |  |        +--rw seconds?           uint32
      |  +--rw spd {ipsec-spd}?
      |  |  +--rw spd-entries* [name]
      |  |     +--rw name                  string
      |  |     +--rw description?          string
      |  |     +--rw anti-replay-window?   uint32
      |  |     +--rw perfect-forward-secrecy
      |  |     |  +--rw dh-group?          diffie-hellman-group-t
      |  |     +--rw seq* [seq-id]
      |  |        +--rw seq-id             uint32
      |  |        +--rw description?       string
      |  |        +--rw proposal?          leafref
      |  +--rw pad
      |     +--rw pad-entries* [pad-type pad-id]
      |        +--rw (identity)?
      |        |  +--:(ipv4-address)
      |        |  |  +--rw ipv4-address?            inet:ipv4-address
      |        |  +--:(ipv6-address)
      |        |  |  +--rw ipv6-address?            inet:ipv6-address
      |        |  +--:(fqdn-string)
      |        |  |  +--rw fqdn-string?             inet:domain-name
      |        |  +--:(rfc822-address-string)
      |        |  |  +--rw rfc822-address-string?   string
      |        |  +--:(dnX509)
      |        |     +--rw dnX509?                  string
      |        +--rw pad-id                         uint32
      |        +--rw pad-type                       pad-type-t
      |        +--rw ike-peer-name?                 string
      |        +--rw peer-authentication
      |           +--rw algorithm?                  ike-integrity-algorithm-t
      |           +--rw preshared-key?              empty
      |           +--rw rsa-signature?              empty

3.2. IKEv1 Configuration Data Model

   This section will present the YANG data model for IKEv1.

      +--rw ikev1 {ikev1}?
      |  +--rw proposal* [name]
      |  |  +--rw name                 string
      |  |  +--rw description?         string
      |  |  +--rw dh-group             diffie-hellman-group-t
      |  |  +--rw encryption
      |  |  |  +--rw algorithm?        ike-encryption-algorithm-t
      |  |  +--rw lifetime             uint32
      |  |  +--rw authentication
      |  |     +--rw algorithm?        ike-integrity-algorithm-t
      |  |     +--rw preshared-key?    empty
      |  |     +--rw rsa-signature?    empty
      |  +--rw keepalive?              empty
      |  +--rw policy* [name]
      |     +--rw name                             string
      |     +--rw mode
      |     |  +--rw aggressive?                   empty
      |     |  +--rw main?                         empty
      |     +--rw connection-type                  connection-type-t
      |     +--rw pre-shared-key?                  union
      |     +--rw validate-certificate-identity?   empty
      |     +--rw seq* [seq-id]
      |     |  +--rw seq-id                        uint32
      |     |  +--rw proposal?                     leafref
      |     +--rw identity
      |        +--rw local
      |        |  +--rw (identity)?
      |        |     +--:(ipv4-address)
      |        |     |  +--rw ipv4-address?            inet:ipv4-address
      |        |     +--:(ipv6-address)
      |        |     |  +--rw ipv6-address?            inet:ipv6-address
      |        |     +--:(fqdn-string)
      |        |     |  +--rw fqdn-string?             inet:domain-name
      |        |     +--:(rfc822-address-string)
      |        |     |  +--rw rfc822-address-string?   string
      |        |     +--:(dnX509)
      |        |        +--rw dnX509?                  string
      |        +--rw remote
      |           +--rw (identity)?
      |              +--:(ipv4-address)
      |              |  +--rw ipv4-address?            inet:ipv4-address
      |              +--:(ipv6-address)
      |              |  +--rw ipv6-address?            inet:ipv6-address
      |              +--:(fqdn-string)
      |              |  +--rw fqdn-string?             inet:domain-name
      |              +--:(rfc822-address-string)
      |              |  +--rw rfc822-address-string?   string
      |              +--:(dnX509)
      |                 +--rw dnX509?                  string

3.3. IKEv2 Configuration Data Model

   This section will present the YANG data model for IKEv2.

        IPsec Crypto Module                  IPsec Type Module
        +--------------------+               +-------------------+
        |  ietf-ipsec-crypto |               |  ietf-ipsec-type  |
        +--------------------+               +-------------------+
          |         |                           |        |
          |         |                           |        |
          |         |                           |        |
   INET Basic Type  |     v    IPsec Module     v        |  IKE Crypto Module
   +----------------+  |  +-----------------+  |  +---------------+
   |ietf-inet-types |  |  |   ietf-ipsec    |  |  |ietf-ike-crypto|
   +----------------+  |  +-----------------+  |  +---------------+
          |            |          |            |          |
          |            |          |            |          |
          |            v          v            v          |
          |     +---------------------------+             |
          +---->|         ietf-ike          |<------------+
                +---------------------------+

     Figure 1: Relationship of IKE with IPsec module and other modules

   This model aims to address only the core IKE parameters as per
   RFC-7296 [RFC7296].

   The IKEv2 data model provides the appropriate leaves for configuring
   the IKEv2 protocol.  The IKEv2 YANG data model has the following
   structure:

      +--rw ikev2 {ikev2}?
      |  +--rw ike-global-configuration {ikev2-global}?
      |  |  +--rw (df-flag)?
      |  |  |  +--:(set)
      |  |  |  |  +--rw set?                   empty
      |  |  |  +--:(clear)
      |  |  |  |  +--rw clear?                 empty
      |  |  |  +--:(copy)
      |  |  |     +--rw copy?                  empty
      |  |  +--rw stateful-frag-check?         boolean
      |  |  +--rw life-time-kb?                uint32
      |  |  +--rw life-time-second?            uint32
      |  |  +--rw (anti-replay)?
      |  |  |  +--:(enable)
      |  |  |  |  +--rw enable?                empty
      |  |  |  |  +--rw (anti-replay-windows-size)?
      |  |  |  |     +--:(size-32)
      |  |  |  |     +--:(size-64)
      |  |  |  |     +--:(size-128)
      |  |  |  |     +--:(size-256)
      |  |  |  |     +--:(size-512)
      |  |  |  |     +--:(size-1024)
      |  |  |  +--:(disable)
      |  |  |     +--rw disable?               empty
      |  |  +--rw inbound-dscp?                uint16
      |  |  +--rw outbound-dscp?               uint16
      |  |  +--rw local-name?                  string
      |  |  +--rw nat-keepalive-interval?      uint16
      |  |  +--rw dpd-interval?                uint16
      |  +--rw ike-peer {ikev2-peer}?
      |  |  +--rw ike-peer-entries* [peer-name]
      |  |     +--rw peer-name                 string
      |  |     +--rw ike-proposal-number?      ike-proposal-number-ref
      |  |     +--rw PresharedKey?             string
      |  |     +--rw nat-traversal?            boolean
      |  |     +--rw (local-id-type)?
      |  |     |  +--:(ip)
      |  |     |  |  +--rw ip?                 empty
      |  |     |  +--:(fqdn)
      |  |     |  |  +--rw fqdn?               empty
      |  |     |  +--:(dn)
      |  |     |  |  +--rw dn?                 empty
      |  |     |  +--:(user_fqdn)
      |  |     |     +--rw user_fqdn?          empty
      |  |     +--rw local-id?                 string
      |  |     +--rw remote-id?                string
      |  |     +--rw low-remote-address?       inet:ip-address
      |  |     +--rw high-remote-address?      inet:ip-address
      |  |     +--rw certificate?              string
      |  |     +--rw auth-address-begin?       inet:ip-address
      |  |     +--rw auth-address-end?         inet:ip-address
      |  +--rw proposal* [name] {ikev2-proposal}?
      |  |  +--rw name                         string
      |  |  +--rw description?                 string
      |  |  +--rw dh-group                     diffie-hellman-group-t
      |  |  +--rw encryption
      |  |  |  +--rw algorithm?                ike-encryption-algorithm-t
      |  |  +--rw pseudo-random-function       pseudo-random-function-t
      |  |  +--rw authentication
      |  |     +--rw algorithm?                ike-integrity-algorithm-t
      |  +--rw policy* [name] {ikev2-policy}?
      |     +--rw name                             string
      |     +--rw authentication
      |     |  +--rw preshared-key?                empty
      |     |  +--rw rsa-signature?                empty
      |     +--rw lifetime                         uint32
      |     +--rw address-allocation
      |     |  +--rw aaa?                          empty
      |     +--rw connection-type                  connection-type-t
      |     +--rw pre-shared-key?                  union
      |     +--rw validate-certificate-identity?   empty
      |     +--rw seq* [seq-id]
      |     |  +--rw seq-id                        uint32
      |     |  +--rw proposal?                     leafref
      |     +--rw identity
      |     |  +--rw local
      |     |  |  +--rw (identity)?
      |     |  |     +--:(ipv4-address)
      |     |  |     |  +--rw ipv4-address?            inet:ipv4-address
      |     |  |     +--:(ipv6-address)
      |     |  |     |  +--rw ipv6-address?            inet:ipv6-address
      |     |  |     +--:(fqdn-string)
      |     |  |     |  +--rw fqdn-string?             inet:domain-name
      |     |  |     +--:(rfc822-address-string)
      |     |  |     |  +--rw rfc822-address-string?   string
      |     |  |     +--:(dnX509)
      |     |  |        +--rw dnX509?                  string
      |     |  +--rw remote
      |     |     +--rw (identity)?
      |     |        +--:(ipv4-address)
      |     |        |  +--rw ipv4-address?            inet:ipv4-address
      |     |        +--:(ipv6-address)
      |     |        |  +--rw ipv6-address?            inet:ipv6-address
      |     |        +--:(fqdn-string)
      |     |        |  +--rw fqdn-string?             inet:domain-name
      |     |        +--:(rfc822-address-string)
      |     |        |  +--rw rfc822-address-string?   string
      |     |        +--:(dnX509)
      |     |           +--rw dnX509?                  string
      |     +--rw description?                     string

3.4. IPsec Operation Data Model

   The IPsec data model provides the appropriate leaves for operational
   states of the IPsec protocol.  The IPsec YANG data model has the
   following structure:

      +--ro ipsec-state {ipsec-state}?
      |  +--ro policy* {ipsec-policy-state}?
      |  |  +--ro name?                       string
      |  |  +--ro anti-replay-window?         uint32
      |  |  +--ro perfect-forward-secrecy?    diffie-hellman-group-t
      |  |  +--ro seq*
      |  |     +--ro seq-id?                  uint32
      |  |     +--ro proposal-name?           string
      |  +--ro proposal* {ipsec-proposal-state}?
      |  |  +--ro name?                       string
      |  |  +--ro ah?                         ike-integrity-algorithm-t
      |  |  +--ro esp
      |  |  |  +--ro authentication?          ike-integrity-algorithm-t
      |  |  |  +--ro encryption?              ike-encryption-algorithm-t
      |  |  +--ro ip-comp?                    empty
      |  |  +--ro lifetime
      |  |     +--ro kbytes?                  uint32
      |  |     +--ro seconds?                 uint32
      |  +--ro hold-down?                     uint32 {ipsec-alarms-state}?
      |  +--ro sa* {ipsec-sa-state}?
      |  |  +--ro name?                       string
      |  |  +--ro anti-replay-window?         uint16
      |  |  +--ro ip-comp?                    empty
      |  |  +--ro spi?                        uint32 {ipsec-sa-ah-state}?
      |  |  +--ro description?                string {ipsec-sa-ah-state}?
      |  |  +--ro authentication-algorithm?   ike-integrity-algorithm-t {ipsec-sa-ah-state}?
      |  |  +--ro encryption-algorithm?       ike-encryption-algorithm-t {ipsec-sa-ah-state}?
      |  +--ro redundancy {ipsec-redundancy}?
      |     +--ro inter-chassis?              empty

3.5. IKEv1 Operation Data Model

   The IKEv1 data model provides the appropriate leaves for operational
   states of the IKEv1 protocol.  The IKEv1 YANG data model has the
   following structure:

      +--ro ike-state {ikev1-state}?
      |  +--ro proposal* {ike-proposal-state}?
      |  |  +--ro name?               string
      |  |  +--ro lifetime?           uint32
      |  |  +--ro encryption?         ike-encryption-algorithm-t
      |  |  +--ro dh-group?           diffie-hellman-group-t
      |  |  +--ro authentication?     ike-integrity-algorithm-t
      |  +--ro policy* {ike-policy-state}?
      |     +--ro name?               string
      |     +--ro description?        string
      |     +--ro mode?               enumeration
      |     +--ro connection-type?    connection-type-t
      |     +--ro local-identity?     inet:ipv4-address-no-zone
      |     +--ro remote-identity?    inet:ipv4-address-no-zone
      |     +--ro pre-shared-key?     string
      |     +--ro seq?                uint32
      |     +--ro proposal?           string

3.6. IKEv2 Operation Data Model

   The IKEv2 data model provides the appropriate leaves for operational
   states of the IKEv2 protocol.  The IKEv2 YANG data model has the
   following structure:

      +--ro ikev2-state {ikev2-state}?
      |  +--ro proposal* {ikev2-proposal-state}?
      |  |  +--ro name?                      string
      |  |  +--ro pseudo-random-function?    pseudo-random-function-t
      |  |  +--ro authentication?            ike-integrity-algorithm-t
      |  |  +--ro encryption?                ike-encryption-algorithm-t
      |  |  +--ro dh-group                   diffie-hellman-group-t
      |  +--ro policy* {ike-policy-state}?
      |     +--ro name?                      string
      |     +--ro description?               string
      |     +--ro mode?                      enumeration
      |     +--ro connection-type?           connection-type-t
      |     +--ro local-identity?            inet:ipv4-address-no-zone
      |     +--ro remote-identity?           inet:ipv4-address-no-zone
      |     +--ro pre-shared-key?            string
      |     +--ro seq?                       uint32
      |     +--ro proposal?                  string

3.7. IPsec SAD Operational Data Model

   The IPsec SAD (Security Association Database) container maintains
   information related to the IPsec SAs established in a system.  This
   is a run-time data structure that is created upon the first SA being
   established.  The key for fetching an SA in this database is the
   triplet: SPI, Protocol and Destination address of the SA to be
   fetched from the SA database.

   The SAD entries also contain information about the IPsec tunnel such
   as direction, SA type (manual or VPN SA), sequence number, anti-
   replay window size, protocol mode, IPsec algorithm info, lifetime in
   seconds/bytes, NAT traversal info, path MTU, DSCP, etc.

      +--ro sad {sad}?
      |  +--ro sad-entries* [spi security-protocol direction]
      |     +--ro spi                              ipsec-spi
      |     +--ro security-protocol                ipsec-protocol
      |     +--ro direction                        ipsec-traffic-direction
      |     +--ro sa-type?                         enumeration
      |     +--ro sequence-number?                 uint64
      |     +--ro sequence-number-overflow-flag?   boolean
      |     +--ro anti-replay-enable-flag?         boolean
      |     +--ro anti-replay-window-size?         uint64
      |     +--ro ah-auth-algorithm?               ipsec-authentication-algorithm {ipsec-ah-authentication}?
      |     +--ro esp-integrity-algorithm?         ipsec-authentication-algorithm {ipsec-esp-integrity}?
      |     +--ro esp-encrypt-algorithm?           ipsec-encryption-algorithm {ipsec-esp-encrypt}?
      |     +--ro life-time
      |     |  +--ro life-time-in-seconds?          uint32
      |     |  +--ro remain-life-time-in-seconds?   uint32
      |     |  +--ro life-time-in-byte?             uint32
      |     |  +--ro remain-life-time-in-byte?      uint32
      |     +--ro protocol-mode?                   ipsec-mode
      |     +--ro tunnel-mode-process-info
      |     |  +--ro local-address?                string {ipsec-tunnel}?
      |     |  +--ro remote-address?               string {ipsec-tunnel}?
      |     |  +--ro bypass-df?                    enumeration {ipsec-tunnel}?
      |     |  +--ro dscp-flag?                    boolean {ipsec-tunnel}?
      |     |  +--ro stateful-frag-check-flag?     boolean {ipsec-tunnel}?
      |     +--ro dscp*                            uint8
      |     +--ro path-mtu?                        uint16
      |     +--ro nat-traversal-flag?              boolean

3.8. IPsec SPD Operational Data Model

   The IPsec SPD (Security Policy Database) container maintains policy
   information related to the IPsec SAs established in a system.  This
   is a run-time data structure that is created when the first IPsec
   policy is created.

   The SPD entries also contain information about the traffic
   selectors, protect action (permit, deny), protocol information, etc.,
   as shown below.  Based on this information the IPsec module
   processes the outbound and inbound traffic.

      +--ro spd {spd}?
      |  +--ro spd-entries*
      |     +--ro name*
      |     |  +--ro name-type?             ipsec-spd-name
      |     |  +--ro name-string?           string
      |     |  +--ro name-binary?           binary
      |     +--ro pfp-flag?                 boolean
      |     +--ro traffic-selector*
      |     |  +--ro local-address-low?     inet:ip-address {ipsec-local-address-range}?
      |     |  +--ro local-address-high?    inet:ip-address {ipsec-local-address-range}?
      |     |  +--ro remote-address-low?    inet:ip-address {ipsec-remote-address-range}?
      |     |  +--ro remote-address-high?   inet:ip-address {ipsec-remote-address-range}?
      |     |  +--ro next-protocol-low?     uint16 {ipsec-next-protocol-range}?
      |     |  +--ro next-protocol-high?    uint16 {ipsec-next-protocol-range}?
      |     |  +--ro local-port-low?        inet:port-number {ipsec-local-port-range}?
      |     |  +--ro local-port-high?       inet:port-number {ipsec-local-port-range}?
      |     |  +--ro remote-port-high?      inet:port-number {ipsec-remote-port-range}?
      |     |  +--ro remote-port-low?       inet:port-number {ipsec-remote-port-range}?
      |     +--ro operation?                ipsec-spd-operation
      |     +--ro protect-operation
      |        +--ro spd-ipsec-mode?        ipsec-mode
      |        +--ro esn-flag?              boolean
      |        +--ro spd-ipsec-protocol?    ipsec-protocol
      |        +--ro tunnel-mode-additional
      |        |  +--ro local-address?              string {ipsec-tunnel}?
      |        |  +--ro remote-address?             string {ipsec-tunnel}?
      |        |  +--ro bypass-df?                  enumeration {ipsec-tunnel}?
      |        |  +--ro dscp-flag?                  boolean {ipsec-tunnel}?
      |        |  +--ro stateful-frag-check-flag?   boolean {ipsec-tunnel}?
      |        +--ro spd-algorithm*
      |           +--ro ah-auth-algorithm?          ipsec-authentication-algorithm {ipsec-ah-authentication}?
      |           +--ro esp-integrity-algorithm?    ipsec-authentication-algorithm {ipsec-esp-integrity}?
      |           +--ro esp-encrypt-algorithm?      ipsec-encryption-algorithm {ipsec-esp-encrypt}?

3.9. IPsec Global Statistics Operational Data Model

   The IPsec Global Statistics container is used to maintain
   information related to all the IPsec tunnels established in the
   system.  These could be related to IPv4 IPsec tunnels or IPv6 IPsec
   tunnels.

   The information maintained includes traffic sent/received on an
   IPsec tunnel: number of outbound/inbound packets, number of
   outbound/inbound bytes, number of packets dropped, number of
   replayed packets, number of packet authentication failures, number
   of packets dropped due to queue full, number of packets dropped due
   to deny policy, number of packets dropped due to being malformed,
   and number of packets dropped due to being too large.

      +--ro ipsec-global-statistics {ipsec-global-stats}?
         +--ro ipv4
         |  +--ro inbound-packets?         uint64 {ipsec-stat}?
         |  +--ro outbound-packets?        uint64 {ipsec-stat}?
         |  +--ro inbound-bytes?           uint64 {ipsec-stat}?
         |  +--ro outbound-bytes?          uint64 {ipsec-stat}?
         |  +--ro inbound-drop-packets?    uint64 {ipsec-stat}?
         |  +--ro outbound-drop-packets?   uint64 {ipsec-stat}?
         |  +--ro dropped-packet-detail {ipsec-stat}?
         |     +--ro sa-non-exist?         uint64
         |     +--ro queue-full?           uint64
         |     +--ro auth-failure?         uint64
         |     +--ro malform?              uint64
         |     +--ro replay?               uint64
         |     +--ro large-packet?         uint64
         |     +--ro invalid-sa?           uint64
         |     +--ro policy-deny?          uint64
         |     +--ro other-reason?         uint64
         +--ro ipv6
         |  +--ro inbound-packets?         uint64 {ipsec-stat}?
         |  +--ro outbound-packets?        uint64 {ipsec-stat}?
         |  +--ro inbound-bytes?           uint64 {ipsec-stat}?
         |  +--ro outbound-bytes?          uint64 {ipsec-stat}?
         |  +--ro inbound-drop-packets?    uint64 {ipsec-stat}?
         |  +--ro outbound-drop-packets?   uint64 {ipsec-stat}?
         |  +--ro dropped-packet-detail {ipsec-stat}?
         |     +--ro sa-non-exist?         uint64
         |     +--ro queue-full?           uint64
         |     +--ro auth-failure?         uint64
         |     +--ro malform?              uint64
         |     +--ro replay?               uint64
         |     +--ro large-packet?         uint64
         |     +--ro invalid-sa?           uint64
         |     +--ro policy-deny?          uint64
         |     +--ro other-reason?         uint64
         +--ro global
            +--ro inbound-packets?         uint64 {ipsec-stat}?
            +--ro outbound-packets?        uint64 {ipsec-stat}?
            +--ro inbound-bytes?           uint64 {ipsec-stat}?
            +--ro outbound-bytes?          uint64 {ipsec-stat}?
            +--ro inbound-drop-packets?    uint64 {ipsec-stat}?
            +--ro outbound-drop-packets?   uint64 {ipsec-stat}?
            +--ro dropped-packet-detail {ipsec-stat}?
               +--ro sa-non-exist?         uint64
               +--ro queue-full?           uint64
               +--ro auth-failure?         uint64
               +--ro malform?              uint64
               +--ro replay?               uint64
               +--ro large-packet?         uint64
               +--ro invalid-sa?           uint64
               +--ro policy-deny?          uint64
               +--ro other-reason?         uint64

3.10. RPC Operation

   This section defines the list of RPCs supported for the IPsec
   protocol.

   rpcs:
      +---x clear-ipsec-group {clear-ipsec-group}?
      |  +--ro input
      |     +--ro alarm-hold-down?     uint8
      |     +--ro ipsec-policy-name?   leafref
      +---x clear-ike-group {clear-ike-group}?
      |  +--ro input
      |     +--ro proposal?            leafref
      +---x clear-ikev2-group {clear-ikev2-group}?
      |  +--ro input
      |     +--ro proposal?            leafref
      +---x reset-ipv4 {reset-ipv4}?
      |  +--ro input
      |  |  +--ro ipv4?                empty
      |  +--ro output
      |     +--ro status?              string
      +---x reset-ipv6 {reset-ipv6}?
      |  +--ro input
      |  |  +--ro ipv6?                empty
      |  +--ro output
      |     +--ro status?              string
      +---x reset-global {reset-global}?
         +--ro input
         |  +--ro ipv6?                empty
         +--ro output
            +--ro status?              string

3.11. Notifications

   This model defines a list of notifications to inform clients of
   important events detected during protocol operation.  These events
   include changes in the operational state of an IKE SA, an IPsec SA,
   statistics, etc.

   notifications:
      +---n dpd-failure
      |  +--ro peer-id?            string
      +---n peer-authentication-failure {peer-authentication-failure}?
      |  +--ro peer-id?            string
      +---n ike-reauth-failure {ike-reauth-failure}?
      |  +--ro peer-id?            string
      +---n ike-rekey-failure {ike-rekey-failure}?
      |  +--ro peer-id?            string
      |  +--ro old-i-spi?          uint64
      |  +--ro old-r-spi?          uint64
      +---n ipsec-rekey-failure {ipsec-rekey-failure}?
         +--ro peer-id?            string
         +--ro old-inbound-spi?    ipsec-spi
         +--ro old-outbound-spi?   ipsec-spi

4. IPsec YANG Module

   This section will present the YANG data model for IPsec, IKEv1, and
   IKEv2.

   file "ietf-ipsec@2015-09-13.yang"

   module ietf-ipsec {
     namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec";
     prefix "eipsec";

     import ietf-inet-types {
       prefix inet;
     }

     import ietf-yang-types {
       prefix yang;
     }

     organization "Ericsson AB.
                   Huawei Technologies India Pvt Ltd.";

     contact "Web: ";

     description
       "This YANG module defines the configuration and operational
        state data for Internet Protocol Security (IPSec) on
        IETF draft.
        Copyright (c) 2015 Ericsson AB.
        All rights reserved.";

     revision 2015-09-13 {
       description
         "Second revision.";
       reference
         "YANG Data model for Internet Protocol Security - IPSec.
          draft-tran-ipecme-yang-ipsec-00.
          draft-wang-ipsecme-ike-yang-00.
835 draft-wang-ipsecme-ipsec-yang-00."; 836 } 838 /*--------------------*/ 839 /* Feature */ 840 /*--------------------*/ 842 feature ikev1 { 843 description 844 "Feature IKEv1"; 845 } 846 feature ike-proposal-state { 847 description 848 "IKEv2 Proposal Operational State"; 849 } 851 feature ike-policy-state { 852 description 853 "IKEv1 Policy Operational State"; 854 } 856 feature ikev1-state { 857 description 858 "IKEv1 Operational State"; 859 } 861 feature ike-reauth-failure { 862 description 863 "IKEv1 Reauthorization Failure"; 864 } 866 feature ike-rekey-failure { 867 description 868 "IKEv1 Rekey Failure"; 869 } 871 feature ikev2 { 872 description 873 "Feature IKEv2"; 875 } 877 feature ikev2-global { 878 description 879 "Feature IKEv2 Global Parameters"; 881 } 883 feature ikev2-peer { 884 description 885 "Feature IKEv2 Peer"; 887 } 889 feature ikev2-proposal { 890 description 891 "Feature IKEv2 Proposal"; 893 } 895 feature ikev2-policy { 896 description 897 "Feature IKEv2 Policy"; 899 } 901 feature ikev2-proposal-state { 902 description 903 "IKEv2 Proposal Operational State"; 904 } 906 feature ikev2-state { 907 description 908 "IKEv2 Operational State"; 909 } 911 feature ipsec { 912 description 913 "Feature IPsec"; 915 } 917 feature ipsec-acl { 918 description 919 "Feature IPsec ACL"; 921 } 922 feature ipsec-sad { 923 description 924 "Feature IPsec SAD"; 926 } 928 feature ipsec-proposal { 929 description 930 "Feature IPsec Proposal"; 932 } 934 feature ipsec-spd { 935 description 936 "Feature IPsec SPD"; 938 } 940 feature ipsec-policy-state { 941 description 942 "IPsec Policy Operational State"; 943 } 945 feature ipsec-proposal-state { 946 description 947 "IPsec Proposal Operational State"; 948 } 950 feature ipsec-alarms-state { 951 description 952 "IPsec Alarm State Operational State"; 953 } 955 feature ipsec-sa-ah-state { 956 description 957 "IPsec SA AH Operational State"; 958 } 960 feature ipsec-sa-state { 961 description 962 "IPsec SA Operational State"; 963 
} 965 feature ipsec-tunnel { 966 description 967 "IPsec Tunnel"; 968 } 970 feature ipsec-local-address-range { 971 description 972 "IPsec Local Address Range"; 973 } 975 feature ipsec-remote-address-range { 976 description 977 "IPsec Remote Address Range"; 978 } 980 feature ipsec-next-protocol-range { 981 description 982 "IPsec Next Protocol Range"; 983 } 985 feature ipsec-local-port-range { 986 description 987 "IPsec Local Port Range"; 988 } 990 feature ipsec-remote-port-range { 991 description 992 "IPsec Remote Port Range"; 993 } 995 feature ipsec-ah-authentication { 996 description 997 "IPsec AH Authentication"; 998 } 1000 feature ipsec-esp-integrity { 1001 description 1002 "IPsec ESP Integrity"; 1003 } 1005 feature ipsec-esp-encrypt { 1006 description 1007 "IPsec ESP encryption"; 1008 } 1010 feature ipsec-stat { 1011 description 1012 "IPsec Stats"; 1013 } 1015 feature ipsec-state { 1016 description 1017 "IPsec Operational State"; 1018 } 1020 feature ipsec-rekey-failure { 1021 description 1022 "IPsec Rekey Failure"; 1023 } 1025 feature ipsec-redundancy { 1026 description 1027 "IPsec Redundancy State"; 1028 } 1030 feature sad { 1031 description 1032 "Security Association (SA) Database"; 1033 } 1035 feature spd { 1036 description 1037 "Security Policy Database"; 1038 } 1039 feature ipsec-global-stats { 1040 description 1041 "IPsec Global Stats"; 1042 } 1044 feature clear-ipsec-group { 1045 description 1046 "Clear IPsec group"; 1047 } 1049 feature clear-ike-group { 1050 description 1051 "Clear IKE group"; 1052 } 1054 feature clear-ikev2-group { 1055 description 1056 "Clear IKEv2 group"; 1057 } 1059 feature reset-ipv4 { 1060 description 1061 "Reset IPv4"; 1062 } 1064 feature reset-ipv6 { 1065 description 1066 "Reset IPv6"; 1067 } 1069 feature reset-global { 1070 description 1071 "Reset Global"; 1072 } 1074 feature peer-authentication-failure { 1075 description 1076 "Peer Authentication Failure"; 1077 } 1078 /*--------------------*/ 1079 /* Typedefs */ 1080 
/*--------------------*/ 1082 typedef authentication-method-t { 1083 type enumeration { 1084 enum psk { 1085 value 0; 1086 description 1087 "Pre-Sharing Keys."; 1089 } 1090 enum certificate { 1091 value 1; 1092 description 1093 "Certificate."; 1094 } 1095 } 1096 description 1097 "Available authentication methods."; 1098 } 1100 /* IKEv2 Exchange Types (ET) */ 1101 typedef ikev2-exchange-type-t { 1102 type enumeration { 1103 enum ikev2-et-ike-sa-init { 1104 value 34; 1105 description 1106 "ikev2-et-ike-sa-init - RFC 7296."; 1107 } 1108 enum ikev2-et-ike-auth { 1109 value 35; 1110 description 1111 "ikev2-et-ike-auth - RFC 7296."; 1112 } 1113 enum ikev2-et-create-child-sa { 1114 value 36; 1115 description 1116 "ikev2-et-create-child-sa - RFC 7296."; 1117 } 1118 enum ikev2-et-informational { 1119 value 37; 1120 description 1121 "ikev2-et-informational - RFC 7296."; 1122 } 1123 enum ikev2-et-ike-session-resume { 1124 value 38; 1125 description 1126 "ikev2-et-ike-session-resume - RFC 7296."; 1127 } 1128 enum ikev2-et-gsa-auth { 1129 value 39; 1130 description 1131 "ikev2-et-gsa-auth - RFC 7296."; 1132 } 1133 enum ikev2-et-gsa-registration { 1134 value 40; 1135 description 1136 "ikev2-et-gsa-registration - RFC 7296."; 1137 } 1138 enum ikev2-et-gsa-rekey { 1139 value 41; 1140 description 1141 "ikev2-et-gsa-rekey - RFC 7296."; 1142 } 1143 } 1144 description 1145 "IKEv2 Exchange Types (ET)."; 1146 } 1148 /* Transform Type Values (TTV), RFC 7296 */ 1149 typedef transform-type-value-t { 1150 type enumeration { 1151 enum ttv-reserved-0 { 1152 value 0; 1153 description 1154 "ttv-reserved-0 - Transform Type Value Reserved "+ 1155 "(RFC 7296)."; 1156 } 1157 enum ttv-encr { 1158 value 1; 1159 description 1160 "ttv-encr - Transform Type Value 1, 1161 Encryption Algorithm "+ 1162 "(ENCR) used in IKE and ESP."; 1163 } 1164 enum ttv-prf { 1165 value 2; 1166 description 1167 "ttv-prf - Transform Type Value 2, "+ 1168 "Pseudo-Random Function(PRF) used in IKE."; 1169 } 1170 enum ttv-integ 
{ 1171 value 3; 1172 description 1173 "ttv-integ - Transform Type Value 3, Integrity Algorithm"+ 1174 " (INTEG) used in IKE, AH, optional ESP."; 1175 } 1176 enum ttv-dh { 1177 value 4; 1178 description 1179 "ttv-dh - Transform Type Value 4, Diffie-Hellman (DH) "+ 1180 "used in IKE, optional AH and ESP."; 1181 } 1182 enum ttv-esn { 1183 value 5; 1184 description 1185 "ttv-esn - Transform Type Value 5, Extended Sequence "+ 1186 "Numbers (ESN) used in AH and ESP."; 1188 } 1189 } 1190 description 1191 "Transform Type Values (RFC 7296)."; 1192 } 1194 /* IKEv2 Transform Attribute Types (TAT) */ 1195 typedef ikev2-transform-attribute-type-t { 1196 type enumeration { 1197 enum ikev2-tat-reserved-0 { 1198 value 0; 1199 description 1200 "ikev2-tat-reserved-0 - IKEv2 Transform Attribute "+ 1201 "Type Reserved-0 (RFC 7296)."; 1202 } 1203 enum ikev2-tat-reserved-1 { 1204 value 1; 1205 description 1206 "ikev2-tat-reserved-1 - IKEv2 Transform Attribute "+ 1207 "Type Reserved-1 (RFC 7296)."; 1208 } 1209 enum ikev2-tat-reserved-13 { 1210 value 13; 1211 description 1212 "ikev2-tat-reserved-13 - IKEv2 Transform Attribute "+ 1213 "Type Reserved-13 (RFC 7296)."; 1214 } 1215 enum ikev2-tat-key-length { 1216 value 41; 1217 description 1218 "ikev2-tat-key-length - IKEv2 Transform Attribute "+ 1219 "Type KEY LENGTH (in bits) (RFC 7296)."; 1220 } 1221 } 1222 description 1223 "IKEv2 Transform Attribute Types (TAT) (RFC 7296)."; 1224 } 1226 /* Transform Type 1 (Encryption Algorithm Transform IDs) */ 1227 typedef ike-encryption-algorithm-t { 1228 type enumeration { 1229 enum encr-reserved-0 { 1230 value 0; 1231 description 1232 "encr-reserved-0 --> RFC_5996."; 1233 } 1234 enum encr-des-iv4 { 1235 value 1; 1236 description 1237 "encr-des-iv4 --> RFC_5996."; 1238 } 1239 enum encr-des { 1240 value 2; 1241 description 1242 "encr-des --> RFC_5996."; 1243 } 1244 enum encr-3des { 1245 value 3; 1246 description 1247 "encr-3des --> RFC_5996."; 1248 } 1249 enum encr-rc5 { 1250 value 4; 1251 description 
1252 "encr-rc5 --> RFC_5996."; 1253 } 1254 enum encr-idea { 1255 value 5; 1256 description 1257 "encr-idea --> RFC_5996."; 1258 } 1259 enum encr-cast { 1260 value 6; 1261 description 1262 "encr-cast --> RFC_5996."; 1263 } 1264 enum encr-blowfish { 1265 value 7; 1266 description 1267 "encr-blowfish --> RFC_5996."; 1268 } 1269 enum encr-3idea { 1270 value 8; 1271 description 1272 "encr-3idea --> RFC_5996."; 1273 } 1274 enum encr-des-iv32 { 1275 value 9; 1276 description 1277 "encr-des-iv32 --> RFC_5996."; 1278 } 1279 enum encr-reserved-10 { 1280 value 10; 1281 description 1282 "encr-reserved-10 --> RFC_5996."; 1283 } 1284 enum encr-null { 1285 value 11; 1286 description 1287 "encr-null --> RFC_5996."; 1288 } 1289 enum encr-aes-cbc { 1290 value 12; 1291 description 1292 "encr-aes-cbc --> RFC_5996."; 1293 } 1294 enum encr-aes-ctr { 1295 value 13; 1296 description 1297 "encr-aes-ctr --> RFC_5996."; 1298 } 1299 enum encr-aes-ccm-8 { 1300 value 14; 1301 description 1302 "encr-aes-ccm-8 --> RFC_5996."; 1303 } 1304 enum encr-aes-ccm-12 { 1305 value 15; 1306 description 1307 "encr-aes-ccm-12 --> RFC_5996."; 1308 } 1309 enum encr-aes-ccm-16 { 1310 value 16; 1311 description 1312 "encr-aes-ccm-16 --> RFC_5996."; 1313 } 1314 enum encr-reserved-17 { 1315 value 17; 1316 description 1317 "encr-reserved-17 --> RFC_5996."; 1318 } 1319 enum encr-aes-gcm-8-icv { 1320 value 18; 1321 description 1322 "encr-aes-gcm-8-icv --> RFC_5996."; 1323 } 1324 enum encr-aes-gcm-12-icv { 1325 value 19; 1326 description 1327 "encr-aes-gcm-12-icv --> RFC_5996."; 1328 } 1329 enum encr-aes-gcm-16-icv { 1330 value 20; 1331 description 1332 "encr-aes-gcm-16-icv--> RFC_5996."; 1333 } 1334 enum encr-null-auth-aes-gmac { 1335 value 21; 1336 description 1337 "encr-null-auth-aes-gmac --> RFC_5996."; 1338 } 1339 enum encr-ieee-p1619-xts-aes { 1340 value 22; 1341 description 1342 "encr-ieee-p1619-xts-aes --> Reserved for "+ 1343 "IEEE P1619 XTS-AES."; 1344 } 1345 enum encr-camellia-cbc { 1346 value 23; 1347 
description 1348 "encr-camellia-cbc --> RFC_5996."; 1349 } 1350 enum encr-camellia-ctr { 1351 value 24; 1352 description 1353 "encr-camellia-ctr --> RFC_5996."; 1354 } 1355 enum encr-camellia-ccm-8-icv { 1356 value 25; 1357 description 1358 "encr-camellia-ccm-8-icv --> RFC_5996."; 1359 } 1360 enum encr-camellia-ccm-12-icv { 1361 value 26; 1362 description 1363 "encr-camellia-ccm-12-icv --> RFC_5996."; 1364 } 1365 enum encr-camellia-ccm-16-icv { 1366 value 27; 1367 description 1368 "encr-camellia-ccm-16-icv --> RFC_5996."; 1369 } 1370 enum encr-aes-cbc-128 { 1371 value 1024; 1372 description 1373 "encr-aes-cbc-128 --> RFC_5996."; 1374 } 1375 enum encr-aes-cbc-192 { 1376 value 1025; 1377 description 1378 "encr-aes-cbc-192 --> RFC_5996."; 1379 } 1380 enum encr-aes-cbc-256 { 1381 value 1026; 1382 description 1383 "encr-aes-cbc-256 --> RFC_5996."; 1385 } 1386 enum encr-blowfish-128 { 1387 value 1027; 1388 description 1389 "encr-blowfish-128 --> RFC_5996."; 1390 } 1391 enum encr-blowfish-192 { 1392 value 1028; 1393 description 1394 "encr-blowfish-192 --> RFC_5996."; 1395 } 1396 enum encr-blowfish-256 { 1397 value 1029; 1398 description 1399 "encr-blowfish-256 --> RFC_5996."; 1400 } 1401 enum encr-blowfish-448 { 1402 value 1030; 1403 description 1404 "encr-blowfish-448 --> RFC_5996."; 1405 } 1406 enum encr-camellia-128 { 1407 value 1031; 1408 description 1409 "encr-camellia-128 --> RFC_5996."; 1410 } 1411 enum encr-camellia-192 { 1412 value 1032; 1413 description 1414 "encr-camellia-192 --> RFC_5996."; 1415 } 1416 enum encr-camellia-256 { 1417 value 1033; 1418 description 1419 "encr-camellia-256 --> RFC_5996."; 1420 } 1421 } 1422 description 1423 "Transform Type 1 - Internet Key Exchange (IKE) "+ 1424 "encryption algorithms."; 1425 } 1427 /* Transform Type 2 (Pseudo-Random Function PRF) */ 1428 typedef pseudo-random-function-t { 1429 type enumeration { 1430 enum prf-reserved-0 { 1431 value 0; 1432 description 1433 "prf-reserved-0 --> RFC_2104."; 1435 } 1436 enum 
prf-hmac-md5 { 1437 value 1; 1438 description 1439 "prf-hmac-md5 --> RFC_2104."; 1440 } 1441 enum prf-hmac-sha1 { 1442 value 2; 1443 description 1444 "prf-hmac-sha1 --> RFC2104."; 1445 } 1446 enum prf-hmac-tiger { 1447 value 3; 1448 description 1449 "prf-hmac-tiger --> RFC2104."; 1450 } 1451 enum prf-aes128-xcbc { 1452 value 4; 1453 description 1454 "prf-aes128-xcbc --> RFC_4434."; 1455 } 1456 enum prf-hmac-sha2-256 { 1457 value 5; 1458 description 1459 "prf-hmac-sha2-256 --> RFC_4434."; 1460 } 1461 enum prf-hmac-sha2-384 { 1462 value 6; 1463 description 1464 "prf-hmac-sha2-384 --> RFC_4434."; 1465 } 1466 enum prf-hmac-sha2-512 { 1467 value 7; 1468 description 1469 "prf-hmac-sha2-512 --> RFC_4434."; 1470 } 1471 enum prf-aes128-cmac { 1472 value 8; 1473 description 1474 "prf-aes128-cmac --> RFC_4615."; 1475 } 1476 } 1477 description 1478 "Available Pseudo-Random Functions (PRF)."; 1479 } 1481 /* Transform Type 3 (Integrity Algorithm) */ 1482 typedef ike-integrity-algorithm-t { 1483 type enumeration { 1484 enum auth-none { 1485 value 0; 1486 description 1487 "auth-none --> RFC_5996."; 1488 } 1489 enum auth-hmac-md5-96 { 1490 value 1; 1491 description 1492 "auth-hmac-md5-96 --> RFC_5996."; 1493 } 1494 enum auth-hmac-sha1-96 { 1495 value 2; 1496 description 1497 "auth-hmac-sha1-96 --> RFC_5996."; 1498 } 1499 enum auth-des-mac { 1500 value 3; 1501 description 1502 "auth-des-mac --> RFC_5996."; 1503 } 1504 enum auth-kpdk-md5 { 1505 value 4; 1506 description 1507 "auth-kpdk-md5 --> RFC_5996."; 1508 } 1509 enum auth-aes-xcbc-96 { 1510 value 5; 1511 description 1512 "auth-aes-xcbc-96 --> RFC_5996."; 1513 } 1514 enum auth-hmac-md5-128 { 1515 value 6; 1516 description 1517 "auth-hmac-md5-128 --> RFC_5996."; 1518 } 1519 enum auth-hmac-sha1-160 { 1520 value 7; 1521 description 1522 "auth-hmac-sha1-160 --> RFC_5996."; 1523 } 1524 enum auth-aes-cmac-96 { 1525 value 8; 1526 description 1527 "auth-aes-cmac-96 --> RFC_5996."; 1528 } 1529 enum auth-aes-128-gmac { 1530 value 9; 1531 
description 1532 "auth-aes-128-gmac --> RFC_5996."; 1534 } 1535 enum auth-aes-192-gmac { 1536 value 10; 1537 description 1538 "auth-aes-192-gmac --> RFC_5996."; 1539 } 1540 enum auth-aes-256-gmac { 1541 value 11; 1542 description 1543 "auth-aes-256-gmac --> RFC_5996."; 1544 } 1545 enum auth-hmac-sha2-256-128 { 1546 value 12; 1547 description 1548 "auth-hmac-sha2-256-128 --> RFC_5996."; 1549 } 1550 enum auth-hmac-sha2-384-192 { 1551 value 13; 1552 description 1553 "auth-hmac-sha2-384-192 --> RFC_5996."; 1554 } 1555 enum auth-hmac-sha2-512-256 { 1556 value 14; 1557 description 1558 "auth-hmac-sha2-512-256 --> RFC_5996."; 1559 } 1560 enum auth-hmac-sha2-256-96 { 1561 value 1024; 1562 description 1563 "auth-hmac-sha2-256-96."; 1564 } 1565 } 1566 description 1567 "Transform Type 3 - Internet Key Exchange (IKE) "+ 1568 "Integrity Algorithms."; 1569 } 1571 /* Transform Type 4 (Diffie-Hellman Group) */ 1572 typedef diffie-hellman-group-t { 1573 type enumeration { 1574 enum group-none { 1575 value 0; 1576 description 1577 "group-none --> RFC_5996."; 1578 } 1579 enum modp-768-group-1 { 1580 value 1; 1581 description 1582 "modp-768-group-1 --> RFC_5996."; 1584 } 1585 enum modp-1024-group-2 { 1586 value 2; 1587 description 1588 "modp-1024-group-2 --> RFC_5996."; 1589 } 1590 enum modp-1536-group-5 { 1591 value 5; 1592 description 1593 "modp-1536-group-5 --> RFC_3526."; 1594 } 1595 enum modp-2048-group-14 { 1596 value 14; 1597 description 1598 "modp-2048-group-14 --> RFC_3526."; 1599 } 1600 enum modp-3072-group-15 { 1601 value 15; 1602 description 1603 "modp-3072-group-15 --> RFC_3526."; 1604 } 1605 enum modp-4096-group-16 { 1606 value 16; 1607 description 1608 "modp-4096-group-16 --> RFC_3526."; 1609 } 1610 enum modp-6144-group-17 { 1611 value 17; 1612 description 1613 "modp-6144-group-17 --> RFC_3526."; 1614 } 1615 enum modp-8192-group-18 { 1616 value 18; 1617 description 1618 "modp-8192-group-18 --> RFC_3526."; 1619 } 1620 enum recp-256-group-19 { 1621 value 19; 1622 
           description
             "recp-256-group-19 --> 256-bit Random ECP Group
              (RFC 5903).";
         }
         enum recp-384-group-20 {
           value 20;
           description
             "recp-384-group-20 --> 384-bit Random ECP Group
              (RFC 5903).";
         }
         enum recp-521-group-21 {
           value 21;
           description
             "recp-521-group-21 --> 521-bit Random ECP Group
              (RFC 5903).";
         }
         enum modp-1024-160-pos-group-22 {
           value 22;
           description
             "modp-1024-160-pos-group-22 --> 1024-bit MODP Group
              with 160-bit Prime Order Subgroup (POS)
              (RFC 5114).";
         }
         enum modp-2048-224-pos-group-23 {
           value 23;
           description
             "modp-2048-224-pos-group-23 --> 2048-bit MODP Group
              with 224-bit Prime Order Subgroup (POS)
              (RFC 5114).";
         }
         enum modp-2048-256-pos-group-24 {
           value 24;
           description
             "modp-2048-256-pos-group-24 --> 2048-bit MODP Group
              with 256-bit Prime Order Subgroup (POS)
              (RFC 5114).";
         }
         enum recp-192-group-25 {
           value 25;
           description
             "recp-192-group-25 --> 192-bit Random ECP Group
              (RFC 5114).";
         }
         enum recp-224-group-26 {
           value 26;
           description
             "recp-224-group-26 --> 224-bit Random ECP Group
              (RFC 5114).";
         }
       }
       description
         "Diffie-Hellman Groups (Transform Type 4, RFC 7296).
          Groups 1 and 2 (768- and 1024-bit MODP) are too small
          for current use and are listed for registry
          completeness; group 14 or larger, or an ECP group,
          should be configured.";
     }

     /* Transform Type 5 (Extended Sequence Numbers
        Transform ESN IDs) */
     typedef extended-sequence-number-t {
       type enumeration {
         enum esn-none {
           value 0;
           description
             "esn-none - No Extended Sequence Numbers
              (RFC 7296).";
         }
         enum esn-1 {
           value 1;
           description
             "esn-1 - Extended Sequence Numbers (RFC 7296).";
         }
       }
       description
         "Extended Sequence Numbers (RFC 7296).";
     }

     typedef connection-type-t {
       type enumeration {
         enum initiator-only {
           value 0;
           description
             "initiator-only: the managed element (ME) acts only
              as initiator when bringing up an IKEv2 session with
              its IKE peer.";
         }
         enum responder-only {
           value 1;
           description
             "responder-only: the ME acts only as responder when
              bringing up an IKEv2 session with its IKE peer.";
         }
         enum both {
           value 2;
           description
             "both: the ME can act as initiator or responder.";
         }
       }
       description
         "Connection type for an IKE session.";
     }

     typedef transport-protocol-name-t {
       type enumeration {
         enum tcp {
           value 1;
           description
             "Transmission Control Protocol (TCP).";
         }
         enum udp {
           value 2;
           description
             "User Datagram Protocol (UDP).";
         }
         enum sctp {
           value 3;
           description
             "Stream Control Transmission Protocol (SCTP).";
         }
         enum icmp {
           value 4;
           description
             "Internet Control Message Protocol (ICMP).";
         }
       }
       description
         "Enumeration of well-known transport protocols. The
          enumeration values are local to this model and are not
          IP protocol numbers (in the IANA Protocol Numbers
          registry TCP is 6, UDP is 17, SCTP is 132 and ICMP
          is 1).";
     }

     typedef preshared-key-t {
       type string;
       description
         "Derived string used as Pre-Shared Key.";
     }

     typedef pad-type-t {
       type enumeration {
         enum dns-name {
           value 1;
           description
             "DNS name (specific or partial).";
         }
         enum distinguished-name {
           value 2;
           description
             "Distinguished Name (complete or sub-tree
              constrained).";
         }
         enum rfc-822 {
           value 3;
           description
             "RFC 822 email address (complete or partially
              qualified).";
         }
         enum ipv4-range {
           value 4;
           description
             "IPv4 Address Range.";
         }
         enum ipv6-range {
           value 5;
           description
             "IPv6 Address Range.";
         }
         enum key-id {
           value 6;
           description
             "Key ID (exact match only).";
         }
       }
       description
         "PAD (Peer Authorization Database) entry identifier
          type.";
     }

     /*-------------------------------------------------- */
     /* draft-wang-ipsecme-ipsec-yang-00: ietf-ipsec-type  */
     /*-------------------------------------------------- */
     typedef ipsec-mode {
       type enumeration {
         enum "transport" {
           description
             "Transport mode";
         }
         enum "tunnel" {
           description
             "Tunnel mode";
         }
       }
       description
         "IPsec mode.";
     }

     typedef ipsec-protocol {
       type enumeration {
         enum "ah" {
           description
             "AH Protocol";
         }
         enum "esp" {
           description
             "ESP Protocol";
         }
       }
       description
         "IPsec security protocol.";
     }

     typedef ipsec-spi {
       type uint32 {
         range "1..max";
       }
       description
         "Security Parameter Index (SPI). SPI value 0 is reserved
          for local, implementation-specific use and values 1
          through 255 are reserved by IANA (RFC 4303,
          Section 2.1), so an SA negotiated with a peer is
          expected to carry an SPI of 256 or above.";
     }

     typedef ipsec-spd-name {
       type enumeration {
         enum id_rfc_822_addr {
           description
             "Fully qualified user name string.";
         }
         enum id_fqdn {
           description
             "Fully qualified DNS name.";
         }
         enum id_der_asn1_dn {
           description
             "X.500 distinguished name.";
         }
         enum id_key {
           description
             "IKEv2 Key ID.";
         }
       }
       description
         "IPsec SPD name type.";
     }

     typedef ipsec-traffic-direction {
       type enumeration {
         enum inbound {
           description
             "Inbound traffic";
         }
         enum outbound {
           description
             "Outbound traffic";
         }
       }
       description
         "IPsec traffic direction.";
     }

     typedef ipsec-spd-operation {
       type enumeration {
         enum protect {
           description
             "PROTECT the traffic with IPsec";
         }
         enum bypass {
           description
             "BYPASS the traffic";
         }
         enum discard {
           description
             "DISCARD the traffic";
         }
       }
       description
         "The operation applied when traffic matches an IPsec
          security policy.";
     }

     /*---------------------------------------------------- */
     /* draft-wang-ipsecme-ipsec-yang-00: ietf-ipsec-crypto  */
     /*---------------------------------------------------- */
     typedef ipsec-authentication-algorithm {
       type enumeration {
         enum "null" {
           value 0;
           description
             "No authentication (null).";
         }
         enum "md5" {
           value 1;
           description
             "MD5 authentication algorithm";
         }
         enum "sha1" {
           value 2;
           description
             "SHA1 authentication algorithm";
         }
         enum "sha2-256" {
           value 3;
           description
             "SHA2-256 authentication algorithm";
         }
         enum "sha2-384" {
           value 4;
           description
             "SHA2-384 authentication algorithm";
         }
         enum "sha2-512" {
           value 5;
           description
             "SHA2-512 authentication algorithm";
         }
       }
       description
         "IPsec authentication algorithm.";
     }

     typedef ipsec-encryption-algorithm {
       type enumeration {
         enum "null" {
           description
             "No encryption (null).";
         }
         enum "des" {
           description
             "DES encryption algorithm";
         }
         enum "3des" {
           description
             "3DES encryption algorithm";
         }
         enum "aes-128" {
           description
             "AES-128 encryption algorithm";
         }
         enum "aes-192" {
           description
             "AES-192 encryption algorithm";
         }
         enum "aes-256" {
           description
             "AES-256 encryption algorithm";
         }
       }
       description
         "IPsec encryption algorithm.";
     }

     /*-------------------------------------------------- */
     /* draft-wang-ipsecme-ike-yang-00: ietf-ipsec-type    */
     /*-------------------------------------------------- */
     typedef ike-integrity-algorithm {
       type enumeration {
         enum "hmac-md5-96" {
           description
             "HMAC-MD5-96 Integrity Algorithm";
         }
         enum "hmac-sha1-96" {
           description
             "HMAC-SHA1-96 Integrity Algorithm";
         }
         enum "hmac-sha2-256" {
           description
             "HMAC-SHA2-256 Integrity Algorithm";
         }
         enum "hmac-sha2-384" {
           description
             "HMAC-SHA2-384 Integrity Algorithm";
         }
         enum "hmac-sha2-512" {
           description
             "HMAC-SHA2-512 Integrity Algorithm";
         }
       }
       description
         "IKE integrity algorithm.";
     }

     typedef ike-encryption-algorithm {
       type enumeration {
         enum "des-cbc" {
           description
             "DES-CBC Encryption algorithm";
         }
         enum "3des-cbc" {
           description
             "3DES-CBC Encryption algorithm";
         }
         enum "aes-cbc-128" {
           description
             "AES-CBC-128 Encryption algorithm";
         }
         enum "aes-cbc-192" {
           description
             "AES-CBC-192 Encryption algorithm";
         }
         enum "aes-cbc-256" {
           description
             "AES-CBC-256 Encryption algorithm";
         }
       }
       description
         "IKE encryption algorithm.";
     }

     typedef ike-prf-algorithm {
       type enumeration {
         enum "hmac-md5-96" {
           description
             "HMAC-MD5-96 PRF Algorithm";
         }
         enum "hmac-sha1-96" {
           description
             "HMAC-SHA1-96 PRF Algorithm";
         }
         enum "hmac-sha2-256" {
           description
             "HMAC-SHA2-256 PRF Algorithm";
         }
         enum "hmac-sha2-384" {
           description
             "HMAC-SHA2-384 PRF Algorithm";
         }
         enum "hmac-sha2-512" {
           description
             "HMAC-SHA2-512 PRF Algorithm";
         }
       }
       description
         "IKE PRF algorithm.";
     }

     typedef ike-dh-group {
       type enumeration {
         enum "dh-group-none" {
           description
             "No Diffie-Hellman group";
         }
         enum "dh-group-1" {
           description
             "768-bit Diffie-Hellman group";
         }
         enum "dh-group-2" {
           description
             "1024-bit Diffie-Hellman group";
         }
         enum "dh-group-5" {
           description
             "1536-bit Diffie-Hellman group";
         }
         enum "dh-group-14" {
           description
             "2048-bit Diffie-Hellman group";
         }
       }
       description
         "IKE Diffie-Hellman group.";
     }

     typedef ike-peer-name-ref {
       type leafref {
         path "/ikev2/ike-peer/ike-peer-entries/peer-name";
       }
       description "Reference to an IKE peer name.";
     }

     typedef ike-proposal-number-ref {
       type leafref {
         path "/ikev2/proposal/name";
       }
       description "Reference to an IKE proposal name.";
     }

     typedef ipsec-proposal-name-ref {
       type leafref {
         path "/ipsec/proposal/ipsec-proposal/name";
       }
       description "Reference to an IPsec proposal name.";
     }

     typedef ike-auth-method {
       type enumeration {
         enum pre-share {
           description
             "Select pre-shared key as the authentication
              method";
         }
         enum rsa-digital-signature {
           description
             "Select RSA digital signature as the authentication
              method";
         }
         enum dss-digital-signature {
           description
             "Select DSS digital signature as the authentication
              method";
         }
       }
       description "IKE authentication methods.";
     }

     /*--------------------*/
     /* grouping           */
     /*--------------------*/
     /* The following groupings are used in both configuration data
        and operational state data */
     grouping name-grouping {
       description
         "This grouping provides a leaf identifying the name.";
       leaf name {
         type string;
         description
           "Name identifying the entry.";
       }
       leaf description {
         type string;
         description
           "Free-form description.";
       }
     }

     grouping sequence-number-grouping {
       description
         "This grouping provides a leaf identifying
          a sequence number.";
       leaf sequence-number {
         type uint32 {
           range "1..4294967295";
         }
         description
           "Specify the sequence number.";
       }
     }

     grouping description-grouping {
       description
         "Description for free use.";
       leaf description {
         type string;
         description
           "Description for free use.";
       }
     }

     grouping traffic-selector-grouping {
       description
         "Traffic selector to be used for SA negotiation.";
       leaf traffic-selector-id {
         type string;
         mandatory true;
         description
           "Traffic selector identifier.";
       }
       leaf protocol-name {
         type transport-protocol-name-t;
         description
           "Specifies the protocol selector.";
       }
       leaf address-range {
         type string;
         mandatory true;
         description
           "Specifies the IPv4 or IPv6 address range.";
       }
     }

     grouping ike-general-proposal-grouping {
       description
         "IKE proposal.";
       leaf name {
         type string;
         mandatory true;
         description
           "IKE Proposal identifier.";
       }
       leaf description {
         type string;
         description
           "Free-form description.";
       }

       leaf dh-group {
         type diffie-hellman-group-t;
         mandatory true;
         description
           "Specifies a Diffie-Hellman group.";
       }
       container encryption {
         description
           "IKE Proposal encryption configuration";
         leaf algorithm {
           type ike-encryption-algorithm-t;
           description
             "Specifies an Encryption Algorithm.";
         }
       }
     }

     grouping ike-proposal-grouping {
       description
         "Configure the IKE Proposal";
       uses ike-general-proposal-grouping;

       leaf lifetime {
         type uint32;
         mandatory true;
         description
           "Lifetime for IKE SAs.
            0: no timeout (the IKE SA is never expired on a time
               basis).
            300 .. 99999999: IKE SA lifetime in seconds.";
       }
       container authentication {
         description
           "IKE Proposal authentication configuration";
         leaf algorithm {
           type ike-integrity-algorithm-t;
           description
             "Specify the authentication algorithm";
         }
         leaf preshared-key {
           type empty;
           description
             "Use pre-shared key based authentication";
         }
         leaf rsa-signature {
           type empty;
           description
             "Use signature based authentication by using
              PKI certificates";
         }
       }
     }

     grouping ikev2-proposal-grouping {
       description
         "Holds an IKEv2 transform proposal used during
          IKEv2 SA negotiation. Multiple IKEv2 Transforms
          can be proposed during an IKEv2 session initiation
          in an ordered list.";
       uses ike-general-proposal-grouping;

       leaf pseudo-random-function {
         type pseudo-random-function-t;
         mandatory true;
         description
           "Specifies the Pseudo-Random Function for the IKEv2
            key exchange";
       }
       container authentication {
         description
           "IKEv2 Proposal authentication configuration";
         leaf algorithm {
           type ike-integrity-algorithm-t;
           description
             "Specify the authentication algorithm";
         }
       }
     }

     grouping ipsec-proposal-grouping {
       description
         "Configure IPsec Proposal";
       leaf name {
         type string;
         mandatory true;
         description
           "IPsec proposal identifier.";
       }
       leaf ah {
         type ike-integrity-algorithm-t;
         description
           "Configure Authentication Header (AH).";
       }
       container esp {
         description
           "Configure Encapsulating Security Payload (ESP).";
         leaf authentication {
           type ike-integrity-algorithm-t;
           description
             "Configure ESP authentication";
         }
         leaf encryption {
           type ike-encryption-algorithm-t;
           description
             "Configure ESP encryption";
         }
       }
       leaf ip-comp {
         type empty;
         description
           "Enable IP Payload Compression (IPComp) for this
            IPsec proposal, compressing IPsec packets before
            encryption";
       }
       container lifetime {
         description
           "Configure lifetime for IPsec SAs";
         leaf kbytes {
           type uint32 {
             range "128..2147483647";
           }
           description
             "Lifetime in kilobytes for IPsec SAs";
         }
         leaf seconds {
           type uint32 {
             range "300..99999999";
           }
           description
             "Lifetime in seconds for IPsec SAs.
              300..99999999: IPsec SA lifetime in seconds.";
         }
       }
     }

     grouping identity-grouping {
       description
         "Identification type. It is a union of the following
          identity types:
          a) ID_FQDN: A fully-qualified domain name string.
             An example of an ID_FQDN is example.com.
             The string MUST NOT contain any terminators
             (e.g., NULL, CR, etc.).
          b) ID_RFC822_ADDR: A fully-qualified RFC822 email
             address string. An example of an ID_RFC822_ADDR is
             jsmith@example.com. The string MUST NOT contain
             any terminators.
          c) ID_IPV4_ADDR: A single four (4) octet IPv4 address.
          d) ID_IPV6_ADDR: A single sixteen (16) octet IPv6
             address.
          e) DN_X509: Distinguished name in the X.509 tradition.";
       choice identity {
         description
           "Choice of identity.";
         leaf ipv4-address {
           type inet:ipv4-address;
           description
             "Specifies the identity as a single four (4)
              octet IPv4 address.
              An example is 192.0.2.10.";
         }
         leaf ipv6-address {
           type inet:ipv6-address;
           description
             "Specifies the identity as a single sixteen (16)
              octet IPv6 address.
              Examples are FF01::101 and
              2001:DB8:0:0:8:800:200C:417A.";
         }
         leaf fqdn-string {
           type inet:domain-name;
           description
             "Specifies the identity as a Fully-Qualified
              Domain Name (FQDN) string.
              An example is example.com.
              The string MUST NOT contain any terminators
              (e.g., NULL, CR, etc.).";
         }
         leaf rfc822-address-string {
           type string;
           description
             "Specifies the identity as a fully-qualified RFC822
              email address string.
              An example is jsmith@example.com.
              The string MUST NOT contain any terminators
              (e.g., NULL, CR, etc.).";
         }
         leaf dnX509 {
           type string;
           description
             "Specifies the identity as a distinguished name
              in the X.509 tradition.";
         }
       }
     } /* grouping identity-grouping */

     grouping ike-general-policy-profile-grouping {
       description
         "IKE policy.";
       leaf connection-type {
         type connection-type-t;
         mandatory true;
         description
           "Specify the IKE connection type";
       }
       leaf pre-shared-key {
         type union {
           type string {
             length "16";
           }
           type yang:hex-string {
             length "40";
           }
         }
         description
           "Specify the IKE pre-shared-key value.";
       }
       leaf validate-certificate-identity {
         type empty;
         description
           "Validate the Remote-ID payload against the
            IDs available in the certificate";
       }
       list seq {
         key seq-id;
         description
           "List of policy sequence entries.";
         leaf seq-id {
           type uint32 {
             range "1..4294967295";
           }
           description
             "Sequence Number";
         }
         leaf proposal {
           type leafref {
             path "/eipsec:ikev1/eipsec:proposal"
                + "/eipsec:name";
           }
           description
             "IKE Proposal reference.";
         }
       }
       container identity {
         description
           "Specify IKE identity value";
         container local {
           description
             "Specify the identity of the local IPsec tunnel
              endpoint in an Internet Key Exchange (IKE) policy,
              used when negotiating an IKE request with a
              remote peer.";
           uses identity-grouping;
         }
         container remote {
           description
             "Specify the identity of the remote IPsec tunnel
              endpoint in an Internet Key Exchange (IKE) policy,
              used when negotiating an IKE request with a
              remote peer.";
           uses identity-grouping;
         }
       }
     }

     grouping ike-policy-mode-grouping {
       description
         "IKE Policy Mode";
       container
mode { 2462 description 2463 "Specify IKE mode configuration"; 2464 leaf aggressive { 2465 type empty; 2466 description 2467 "Set IKE Aggressive mode"; 2468 } 2469 leaf main { 2470 type empty; 2471 description 2472 "Set IKE Main mode"; 2473 } 2474 } 2475 } 2477 grouping ike-policy-profile-grouping { 2478 description 2479 "Configure IKE policy"; 2480 leaf name { 2481 type string; 2482 mandatory true; 2483 description 2484 "Specify an IKE policy name"; 2485 } 2486 uses ike-policy-mode-grouping; 2487 uses ike-general-policy-profile-grouping; 2488 } 2490 grouping ikev2-policy-profile-grouping { 2491 description 2492 "Common information for multiple IKE sessions 2493 to be instantiated on a managed element.; 2494 One or more Ikev2Session instances might refer 2495 to this instance."; 2496 leaf name { 2497 type string; 2498 mandatory true; 2499 description 2500 "Value component of the RDN."; 2501 } 2502 container authentication { 2503 description 2504 "Specify IKE Proposal authentication configuration"; 2505 leaf preshared-key { 2506 type empty; 2507 description 2508 "Use pre-shared key based authentication"; 2509 } 2510 leaf rsa-signature { 2511 type empty; 2512 description 2513 "Use signature based authentication by using 2514 PKI certificates"; 2515 } 2516 } 2517 leaf lifetime { 2518 type uint32; 2519 mandatory true; 2520 description 2521 "Configure lifetime for IKE SAs 2522 0: for no timeout. 2523 300 .. 
99999999: IKE SA lifetime in seconds."; 2524 } 2526 container address-allocation { 2527 must "../connection-type == 'responder-only'" { 2528 description 2529 "address-allocation can be configured only with 2530 responder-only in ike2 policy"; 2531 } 2532 leaf aaa { 2533 type empty; 2534 description 2535 "IRAC address allocation by AAA"; 2536 } 2537 description 2538 "Specify IKE IRAS address allocation option"; 2539 } 2540 uses ike-general-policy-profile-grouping; 2542 leaf description { 2543 type string; 2544 description 2545 "Specify the description."; 2546 } 2547 } 2549 grouping ipsec-policy-grouping { 2550 description 2551 "Holds configuration information for IPSec policies."; 2552 leaf name { 2553 type string; 2554 mandatory true; 2555 description 2556 "IPSec Policy Identification"; 2557 } 2558 leaf description { 2559 type string; 2560 description 2561 "Specify the description."; 2562 } 2564 leaf anti-replay-window { 2565 type uint32 { 2566 range "0 | 32..1024"; 2567 } 2568 description 2569 "Configure replay window size 2570 0: to disable anti-replay-window 2571 32..1024: IPSec anti-replay-window size in multiple of 32"; 2572 } 2573 container perfect-forward-secrecy { 2574 description 2575 "Configure Perfect Forward Secrecy (PFS) for IPSec Policy"; 2576 leaf dh-group { 2577 type diffie-hellman-group-t; 2578 description 2579 "Configure Diffie-Hellman group for 2580 perfect-forward-secrecy"; 2581 } 2582 } 2583 list seq { 2584 key seq-id; 2585 description 2586 "Specify IPSEC proposal sequence number"; 2587 leaf seq-id { 2588 type uint32; 2589 description 2590 "Sequence ID"; 2591 } 2592 leaf description { 2593 type string; 2594 description 2595 "Specify the description."; 2596 } 2598 leaf proposal { 2599 type leafref { 2600 path "/eipsec:ipsec/"+ 2601 "eipsec:proposal/eipsec:ipsec-proposal/eipsec:name"; 2602 } 2603 description 2604 "IKE proposal reference."; 2606 } 2607 } 2608 } 2610 grouping key-string-grouping { 2611 description 2612 "Configure key for 
authentication algorithm"; 2613 leaf key-str { 2614 type union { 2615 type string { 2616 length "16"; 2617 } 2618 type yang:hex-string { 2619 length "40"; 2620 } 2621 } 2622 description 2623 "Key string input is either string value (length of 16) 2624 or hexadecimal (length of 40)"; 2625 } 2626 } 2628 grouping ipsec-sa-ah-grouping { 2629 description 2630 "Configure Authentication Header (AH) for 2631 Security Association (SA)"; 2632 container ah { 2633 description 2634 "Configure Authentication Header (AH) for SA"; 2635 choice authentication-algorithm { 2636 description 2637 "choice for authentication algorithm to set for AH"; 2638 case hmac-aes-xcbc { 2639 container hmac-aes-xcbc { 2640 description 2641 "Set the authentication algorithm to hmac-aes-xcbc"; 2642 uses key-string-grouping; 2643 } 2644 } 2645 case hmac-md5-96 { 2646 container hmac-md5-96 { 2647 description 2648 "Set the authentication algorithm to hmac-md5-96"; 2649 uses key-string-grouping; 2650 } 2651 } 2652 case hmac-sha1-96 { 2653 container hmac-sha1-96 { 2654 description 2655 "Set the authentication algorithm to hmac-sha1-96"; 2656 uses key-string-grouping; 2657 } 2658 } 2659 case key-string { 2660 container key-string { 2661 description 2662 "Configure key for authentication algorithm"; 2663 uses key-string-grouping; 2664 } 2665 } 2666 } 2667 } 2668 } 2670 grouping ipsec-sa-esp-grouping { 2671 description 2672 "Configure IPSec Encapsulation Security Payload (ESP)"; 2673 container esp { 2674 description 2675 "Set IPSec Encapsulation Security Payloer (ESP)"; 2676 container authentication { 2677 description 2678 "Configure authentication for IPSec 2679 Encapsulation Secutiry Payload (ESP)"; 2680 choice authentication-algorithm { 2681 description 2682 "choice for authentication algorithm to set"; 2683 case hmac-aes-xcbc { 2684 container hmac-aes-xcbc { 2685 description 2686 "Set the authentication algorithm to hmac-aes-xcbc"; 2687 uses key-string-grouping; 2688 } 2689 } 2690 case hmac-md5-96 { 2691 
container hmac-md5-96 { 2692 description 2693 "Set the authentication algorithm to hmac-md5-96"; 2694 uses key-string-grouping; 2695 } 2696 } 2697 case hmac-sha1-96 { 2698 container hmac-sha1-96 { 2699 description 2700 "Set the authentication algorithm to hmac-sha1-96"; 2701 uses key-string-grouping; 2702 } 2703 } 2704 case key-string { 2705 container key-string { 2706 description 2707 "Configure key for authentication algorithm"; 2708 uses key-string-grouping; 2709 } 2710 } 2711 } 2712 } 2713 container encryption { 2714 description 2715 "Configure encryption for IPSec 2716 Encapsulation Secutiry Payload (ESP)"; 2717 choice encryption-algorithm { 2718 description 2719 "type of encryption"; 2720 case des3-cbc { 2721 container des3-cbd { 2722 description 2723 "Set the encryption algorithm to des3-cbc"; 2724 uses key-string-grouping; 2725 } 2726 } 2727 case aes-128-cbc { 2728 container aes-128-cbc { 2729 description 2730 "Set the encryption algorithm to aes-128-cbc"; 2731 uses key-string-grouping; 2732 } 2733 } 2734 case aes-192-cbc { 2735 container aes-192-cbc { 2736 description 2737 "Set the encryption algorithm to aes-192-cbc"; 2738 uses key-string-grouping; 2739 } 2740 } 2741 case aes-256-cbc { 2742 container aes-256-cbc { 2743 description 2744 "Set the encryption algorithm to aes-256-cbc"; 2745 uses key-string-grouping; 2746 } 2747 } 2748 case des-cbc { 2749 container des-cbc { 2750 description 2751 "Set the encryption algorithm to des-cbc"; 2752 uses key-string-grouping; 2754 } 2755 } 2756 case key-string { 2757 container key-string { 2758 description 2759 "Configure key for encryption algorithm"; 2760 uses key-string-grouping; 2761 } 2762 } 2763 } 2764 } 2765 } 2766 } 2768 grouping ipsec-acl-dest-grouping { 2769 description 2770 "IPSEC ACL destination."; 2771 /* For destination */ 2772 choice dest-address { 2773 description 2774 "destination address."; 2775 case dest-ipv4-address { 2776 leaf destination-ipv4-address { 2777 type inet:ipv4-address; 2778 
description 2779 "Destination IPv4 Address A.B.C.D/0..32."; 2780 } 2781 } 2782 case dest-any { 2783 leaf dest-any { 2784 type empty; 2785 description 2786 "Match Any Destination IPv4 Address."; 2787 } 2788 } 2789 } 2790 } 2792 grouping ipsec-acl-seq-protocol-number-grouping { 2793 description 2794 "IPSec ACL Sequence protocol number."; 2795 leaf number { 2796 type uint16 { 2797 range "0..255"; 2798 } 2799 description 2800 "Specify protocol number."; 2801 } 2802 choice argument { 2803 description 2804 "Source IPv4 address."; 2805 case source-ipv4-address { 2806 leaf source-ipv4-address { 2807 type inet:ipv4-address; 2808 description 2809 "Source IPv4 Address A.B.C.D/0..32."; 2810 } 2811 } 2812 case any { 2813 /* For source */ 2814 leaf source-any { 2815 type empty; 2816 description 2817 "Match Any Source IPv4 Address."; 2818 } 2819 } 2820 } 2821 } 2823 grouping ipsec-acl-seq-ip-address-grouping { 2824 description 2825 "IPSec ACL Sequence IP Address."; 2826 leaf source-ipv4-address { 2827 type inet:ipv4-address; 2828 description 2829 "Source is IPv4 Address A.B.C.D/0..32."; 2830 } 2831 } 2833 grouping ipsec-acl-seq-any-grouping { 2834 description 2835 "IPSec ACL Sequence Any."; 2836 leaf any { 2837 type empty; 2838 description 2839 "Source is Any."; 2840 } 2841 } 2843 grouping ipsec-acl-seq-tcp-grouping { 2844 description 2845 "IPSec ACL Sequence TCP."; 2846 leaf tcp { 2847 type empty; 2848 description 2849 "Source is TCP protocol."; 2850 } 2851 } 2852 grouping ipsec-acl-seq-udp-grouping { 2853 description 2854 "IPSec ACL Sequence for UDP."; 2855 leaf udp { 2856 type empty; 2857 description 2858 "Source is UDP protocol."; 2859 } 2860 } 2862 grouping ipsec-acl-grouping { 2863 description 2864 "IPSec ACL"; 2865 list access-list { 2866 if-feature ipsec-acl; 2867 key "name sequence-number"; 2868 uses name-grouping; 2869 uses sequence-number-grouping; 2870 description 2871 "Configure the IPSec access-list."; 2872 choice protocol { 2873 description 2874 "IPSec ACL 
protocol."; 2875 case number { 2876 uses ipsec-acl-seq-protocol-number-grouping; 2877 } 2878 case source-ipv4-address { 2879 uses ipsec-acl-seq-ip-address-grouping; 2880 } 2881 case any { 2882 uses ipsec-acl-seq-any-grouping; 2883 } 2884 case tcp { 2885 uses ipsec-acl-seq-tcp-grouping; 2886 } 2887 case udp { 2888 uses ipsec-acl-seq-udp-grouping; 2889 } 2890 } 2891 uses ipsec-acl-dest-grouping; 2892 } 2893 } 2895 grouping ipsec-df-bit-grouping { 2896 description 2897 "IPSec Dont Fragment (DF) bit for IP header."; 2898 container df-bit { 2899 description 2900 "Configure Don't Fragment (DF) bit for IP Header."; 2901 leaf clear { 2902 type empty; 2903 description 2904 "Clear DF bit for outer IP header."; 2905 } 2906 leaf propagate { 2907 type empty; 2908 description 2909 "Propagate DF bit for outer IP header."; 2910 } 2911 leaf set { 2912 type empty; 2913 description 2914 "Set DF bit for outer IP header."; 2915 } 2916 } 2917 } 2919 grouping ipsec-profile-grouping { 2920 description 2921 "IPSec profile."; 2922 list profile { 2923 key "name"; 2924 uses name-grouping; 2925 uses ipsec-df-bit-grouping; 2926 description 2927 "Configure the IPSec Profile."; 2928 leaf mtu { 2929 type uint32 { 2930 range "256..1600"; 2931 } 2932 description 2933 "Set the MTU."; 2934 } 2935 list seq { 2936 key "sequence-number"; 2937 uses sequence-number-grouping; 2938 description 2939 "IPSec Access List sequence number."; 2940 leaf policy { 2941 type leafref { 2942 path "/eipsec:ipsec/eipsec:policy"+ 2943 "/eipsec:ipsec-policy/eipsec:name"; 2944 } 2945 description 2946 "Specify IPSec policy name."; 2947 } 2948 leaf access-list { 2949 type leafref { 2950 path "/econtext:contexts/econtext:context/"+ 2951 "econtext:name/econtext:ipsec"+ 2952 "/econtext:access-list/econtext:name"; 2953 } 2954 description 2955 "Specify IPSec access-list name."; 2956 } 2957 } 2958 } 2959 } 2961 grouping ip-address-grouping { 2962 description 2963 "IP Address grouping"; 2965 choice ip-address { 2966 description 2967 
"Choice of IPv4 or IPv6."; 2968 leaf ipv4-address { 2969 type inet:ipv4-address; 2970 description 2971 "Specifies the identity as a single four (4) 2972 octet IPv4 address. 2973 An example is, 10.10.10.10. "; 2974 } 2975 leaf ipv6-address { 2976 type inet:ipv6-address; 2977 description 2978 "Specifies the identity as a single sixteen (16) "+ 2979 "octet IPv6 address. "+ 2980 "An example is, "+ 2981 "FF01::101, 2001:DB8:0:0:8:800:200C:417A ."; 2982 } 2983 } 2984 } 2986 grouping ipsec-sa-grouping { 2987 description 2988 "Configure Security Association (SA)"; 2989 leaf spi { 2990 type uint32; 2991 description 2992 "Specify Security Parameter Index"; 2993 } 2994 leaf anti-replay-window { 2995 type uint16 { 2996 range "0 | 32..1024"; 2998 } 2999 description 3000 "Specify replay window size"; 3001 } 3002 leaf ip-comp { 3003 type empty; 3004 description 3005 "Enables IPCOMP, which uses the IP payload compression 3006 protocol to compress IP security (IPsec) packets 3007 before encryption"; 3008 } 3010 container local-peer { 3011 description 3012 "Specify the local peer IP address"; 3013 uses ip-address-grouping; 3014 } 3015 container remote-peer { 3016 description 3017 "Specify the remote peer IP address"; 3018 uses ip-address-grouping; 3019 } 3020 leaf sa-mode { 3021 type ipsec-mode; 3022 description 3023 "SA Mode: tunnel or transport mode"; 3024 } 3025 leaf security-protocol { 3026 type ipsec-protocol; 3027 description 3028 "Security protocol of IPsec SA: Either AH or ESP."; 3029 } 3030 leaf sequence-number { 3031 type uint64; 3032 description 3033 "Current sequence number of IPsec packet."; 3034 } 3035 leaf sequence-number-overflow-flag { 3036 type boolean; 3037 description 3038 "The flag indicating whether overflow of the sequence 3039 number counter should prevent transmission of additional 3040 packets on the SA, or whether rollover is permitted."; 3041 } 3042 leaf path-mtu { 3043 type uint16; 3044 description 3045 "maximum size of an IPsec packet that can be 
transmitted 3046 without fragmentation"; 3048 } 3049 container life-time { 3050 leaf life-time-in-seconds { 3051 type uint32; 3052 description 3053 "SA life time in seconds"; 3054 } 3055 leaf remain-life-time-in-seconds { 3056 type uint32; 3057 description 3058 "Remain SA life time in seconds"; 3059 } 3060 leaf life-time-in-byte { 3061 type uint32; 3062 description 3063 "SA life time in bytes"; 3064 } 3065 leaf remain-life-time-in-byte { 3066 type uint32; 3067 description 3068 "Remain SA life time in bytes"; 3069 } 3070 description 3071 "SA life time information"; 3072 } 3073 leaf upper-protocol { 3074 type string; 3075 description 3076 "Upper-layer protocol to be used"; 3077 } 3078 leaf direction { 3079 type ipsec-traffic-direction; 3080 description 3081 "It indicates whether the SA is inbound SA or 3082 out bound SA."; 3083 } 3084 container source-address { 3085 description 3086 "Specify the source IP address and 3087 port of protected traffic"; 3088 uses ip-address-grouping; 3089 leaf port-number { 3090 type uint32; 3091 description 3092 "port of protected traffic"; 3093 } 3094 } 3095 container destination-address { 3096 description 3097 "Specify the destination IP address and 3098 port of protected traffic"; 3099 uses ip-address-grouping; 3100 leaf port-number { 3101 type uint32; 3102 description 3103 "port of protected traffic"; 3104 } 3105 } 3106 leaf nat-traversal-flag { 3107 type boolean; 3108 description 3109 "Whether the SA is used to protect traffic that needs 3110 nat traversal"; 3111 } 3112 uses ipsec-sa-ah-grouping; 3113 uses ipsec-sa-esp-grouping; 3114 } 3116 /* draft-wang-ipsecme-ike-yang-00 */ 3117 grouping ipsec-common-configuration { 3118 choice df-flag { 3119 default copy; 3120 case set { 3121 leaf set { 3122 type empty; 3123 description 3124 "Set the df bit when encapsulate IPsec tunnel."; 3125 } 3126 } 3127 case clear { 3128 leaf clear { 3129 type empty; 3130 description 3131 "Clear the df bit when encapsulate IPsec tunnel."; 3132 } 3133 } 
3134 case copy { 3135 leaf copy { 3136 type empty; 3137 description 3138 "Copy the inner IP header df bit."; 3139 } 3140 } 3141 description 3142 "It indicates how to process the df bit when encapsulate 3143 IPsec tunnel."; 3144 } 3145 leaf stateful-frag-check { 3146 type boolean; 3147 default false; 3148 description "Whether stateful fragment checking applies."; 3149 } 3150 leaf life-time-kb { 3151 type uint32; 3152 units "KB"; 3153 default 2000000; 3154 description "IPsec SA Life time in KB."; 3155 } 3156 leaf life-time-second { 3157 type uint32; 3158 units "Second"; 3159 default 18400; 3160 description "IPsec SA Life time in Seconds"; 3161 } 3162 choice anti-replay { 3163 default enable; 3164 case enable { 3165 leaf enable { 3166 type empty; 3167 description "Enable Anti-replay"; 3168 } 3169 choice anti-replay-windows-size { 3170 case size-32; 3171 case size-64; 3172 case size-128; 3173 case size-256; 3174 case size-512; 3175 case size-1024; 3176 default size-1024; 3177 description "It indicate the size of anti-replay window"; 3178 } 3179 } 3180 case disable { 3181 leaf disable { 3182 type empty; 3183 description "Disable Anti-replay"; 3184 } 3185 } 3186 description "Whether enable or disable anti-replay"; 3187 } 3188 leaf inbound-dscp { 3189 type uint16 { 3190 range "0..63"; 3191 } 3192 default 0; 3193 description "Inbound DSCP value"; 3195 } 3196 leaf outbound-dscp { 3197 type uint16 { 3198 range "0..63"; 3199 } 3200 default 0; 3201 description "Outbound DSCP value"; 3202 } 3203 description "Common IPsec configurations"; 3204 } 3206 /*--------------------*/ 3207 /* Configuration Data */ 3208 /*--------------------*/ 3209 container ikev1 { 3210 if-feature ikev1; 3211 description 3212 "Configuration IPSec IKEv1"; 3213 /* The following is for */ 3214 list proposal { 3215 key "name"; 3216 uses ike-proposal-grouping; 3217 description 3218 "Configure IKE proposal"; 3219 } 3220 leaf keepalive { 3221 type empty; 3222 description 3223 "Enables sending Dead Peer 
Detection (DPD) messages "+ 3224 "to Internet Key Exchange (IKE) peers."; 3225 } 3226 list policy { 3227 key "name"; 3228 uses ike-policy-profile-grouping; 3229 description 3230 "Configure IKE Policy Profile."; 3231 } 3232 } 3234 container ikev2 { 3235 if-feature ikev2; 3236 description 3237 "Configuration IPSec IKEv2"; 3238 /* The following is for */ 3239 /* draft-wang-ipsecme-ike-yang-00 */ 3240 container ike-global-configuration { 3241 if-feature ikev2-global; 3242 description "Global IKE configurations"; 3243 uses ipsec-common-configuration; 3244 leaf local-name { 3245 type string; 3246 description 3247 "Global local name configuration, if it is not configed, 3248 ip address will be used as default. If configing special 3249 local name for special peer, it will overwrite the global 3250 name configuration when negotion with that peer."; 3251 } 3252 leaf nat-keepalive-interval { 3253 type uint16 { 3254 range "5..300"; 3255 } 3256 units "Seconds"; 3257 default 20; 3258 description "Global nat keepalive interval"; 3259 } 3260 leaf dpd-interval { 3261 type uint16 { 3262 range "10..3600"; 3263 } 3264 units "Seconds"; 3265 default 30; 3266 description "Global DPD interval"; 3267 } 3268 } 3269 container ike-peer { 3270 if-feature ikev2-peer; 3271 description "IKE peer information"; 3272 list ike-peer-entries { 3273 key "peer-name"; 3274 description "IKE peer information"; 3275 leaf peer-name { 3276 type string; 3277 mandatory true; 3278 description "Name of IKE peer"; 3279 } 3280 leaf ike-proposal-number { 3281 type ike-proposal-number-ref; 3282 description "IKE proposal number referenced by IKE peer"; 3283 } 3284 leaf PresharedKey { 3285 type string; 3286 description "Preshare key"; 3287 } 3288 leaf nat-traversal { 3289 type boolean; 3290 default false; 3291 description "Enable/Disable nat traversal"; 3292 } 3293 choice local-id-type { 3294 default ip; 3295 case ip { 3296 leaf ip { 3297 type empty; 3298 description "IP address"; 3299 } 3300 } 3301 case fqdn { 3302 
leaf fqdn { 3303 type empty; 3304 description "Fully Qualifed Domain name "; 3305 } 3306 } 3307 case dn { 3308 leaf dn { 3309 type empty; 3310 description "Domain name"; 3311 } 3312 } 3313 case user_fqdn { 3314 leaf user_fqdn { 3315 type empty; 3316 description "User FQDN"; 3317 } 3318 } 3319 description "Local ID type"; 3320 } 3321 leaf local-id { 3322 type string; 3323 description 3324 "Local ID Name. When IP is used as local ID type, 3325 it is ignored. If it is not configurated, 3326 global local name will be used."; 3327 } 3328 leaf remote-id { 3329 type "string"; 3330 description "ID of IKE peer"; 3331 } 3332 leaf low-remote-address { 3333 type inet:ip-address; 3334 description "Low range of remote address"; 3335 } 3336 leaf high-remote-address { 3337 type inet:ip-address; 3338 description "High range of remote address"; 3339 } 3340 leaf certificate { 3341 type string; 3342 description "Certificate file name"; 3343 } 3344 leaf auth-address-begin { 3345 type inet:ip-address; 3346 description 3347 "The begin range of authenticated peer address"; 3348 } 3349 leaf auth-address-end { 3350 type inet:ip-address; 3351 description 3352 "The end range of authenticated peer address"; 3353 } 3354 } 3355 }//End of IKEPeerEntries 3357 list proposal { 3358 if-feature ikev2-proposal; 3359 key "name"; 3360 uses ikev2-proposal-grouping; 3361 description 3362 "Configure IKEv2 proposal"; 3363 } 3364 list policy { 3365 if-feature ikev2-policy; 3366 key "name"; 3367 uses ikev2-policy-profile-grouping; 3368 description 3369 "IKEv2 Policy Profile"; 3370 } 3371 } 3373 container ipsec { 3374 if-feature ipsec; 3375 description 3376 "Configuration IPsec"; 3377 container sad { 3378 if-feature ipsec-sad; 3379 description 3380 "Configure the IPSec Security Association Database (SAD)"; 3381 list sad-entries { 3382 key "spi direction"; 3383 description 3384 "Configure IPsec Security Association Database(SAD)"; 3385 uses ipsec-sa-grouping; 3386 } 3387 } 3388 container proposal { 3389 
if-feature ipsec-proposal; 3390 description 3391 "IPSec Proposal Profile"; 3392 list ipsec-proposal { 3393 key "name"; 3394 uses ipsec-proposal-grouping; 3395 description 3396 "Configure the IP Security (IPSec) proposal"; 3397 } 3398 } 3399 container spd { 3400 if-feature ipsec-spd; 3401 description 3402 "Configure the Security Policy Database (SPD)"; 3403 list spd-entries { 3404 key "name"; 3405 ordered-by user; 3406 uses ipsec-policy-grouping; 3407 description 3408 "Specify an IPSec policy name"; 3409 } 3410 } 3411 container pad { 3412 description 3413 "Configure Peer Authorization Database (PAD)"; 3414 list pad-entries { 3415 key "pad-type pad-id"; 3416 ordered-by user; 3417 uses identity-grouping; 3418 description 3419 "Peer Authorization Database (PAD)"; 3420 leaf pad-id { 3421 type uint32; 3422 description 3423 "PAD identity"; 3424 } 3425 leaf pad-type { 3426 type pad-type-t; 3427 description 3428 " PAD type"; 3429 } 3430 leaf ike-peer-name { 3431 type string; 3432 description 3433 "IKE Peer Name"; 3434 } 3435 container peer-authentication { 3436 description 3437 "Specify IKE peer authentication configuration"; 3438 leaf algorithm { 3439 type ike-integrity-algorithm-t; 3440 description 3441 "Specify the authentication algorithm"; 3442 } 3443 leaf preshared-key { 3444 type empty; 3445 description 3446 "Use pre-shared key based authentication"; 3447 } 3448 leaf rsa-signature { 3449 type empty; 3450 description 3451 "Use signature based authentication by using 3452 PKI certificates"; 3453 } 3454 } 3455 } 3456 } 3457 } 3459 /*--------------------------*/ 3460 /* Operational State Data */ 3461 /*--------------------------*/ 3462 grouping ike-proposal-state-components { 3463 description 3464 "IKE Proposal operational state"; 3465 list proposal { 3466 if-feature ike-proposal-state; 3467 description 3468 "Operational data for IKE Proposal"; 3469 leaf name { 3470 type string { 3471 length "1..50"; 3472 } 3473 description 3474 "Name of the IKE proposal."; 3475 } 3476 
leaf lifetime { 3477 type uint32; 3478 units "seconds"; 3479 description 3480 "lifetime"; 3481 } 3482 leaf encryption { 3483 type ike-encryption-algorithm-t; 3484 description 3485 "Encryption algorithm"; 3487 } 3488 leaf dh-group { 3489 type diffie-hellman-group-t; 3490 description 3491 "Diffie-Hellman group."; 3492 } 3493 leaf authentication { 3494 type ike-integrity-algorithm-t; 3495 description 3496 "authentication"; 3497 } 3498 } 3499 } 3501 grouping ike-policy-state-grouping { 3502 description 3503 "IKE Policy State."; 3504 list policy { 3505 if-feature ike-policy-state; 3506 description 3507 "Operational data for IKE policy"; 3508 leaf name { 3509 type string { 3510 length "1..50"; 3511 } 3512 description 3513 "Name of the IKE Policy."; 3514 } 3515 leaf description { 3516 type string; 3517 description 3518 "Description for IKE Policy."; 3519 } 3520 leaf mode { 3521 type enumeration { 3522 enum aggressive { 3523 description 3524 "Aggressive mode."; 3525 } 3526 enum main { 3527 description 3528 "Main mode."; 3529 } 3530 } 3531 description 3532 "IKE policy mode."; 3533 } 3534 leaf connection-type { 3535 type connection-type-t; 3536 description 3537 "IKE policy connection type."; 3538 } 3539 leaf local-identity { 3540 type inet:ipv4-address-no-zone; 3541 description 3542 "IP address of the local identity."; 3543 } 3544 leaf remote-identity { 3545 type inet:ipv4-address-no-zone; 3546 description 3547 "IP address of the remote identity."; 3548 } 3549 leaf pre-shared-key { 3550 type string; 3551 description 3552 "Pre-shared key"; 3553 } 3554 leaf seq { 3555 type uint32; 3556 description 3557 "sequence number"; 3558 } 3559 leaf proposal { 3560 type string; 3561 description 3562 "proposal name"; 3563 } 3564 } 3565 } 3567 grouping ikev2-proposal-state-components { 3568 description 3569 "IKEv2 Operational state"; 3570 list proposal { 3571 if-feature ikev2-proposal-state; 3572 description 3573 "IKEv2 proposal operational data"; 3574 leaf name { 3575 type string; 3576 
description 3577 "Name of IKEv2 Proposal."; 3578 } 3579 leaf pseudo-random-function { 3580 type pseudo-random-function-t; 3581 description 3582 "Pseudo Random Function for IKEv2."; 3583 } 3584 leaf authentication { 3585 type ike-integrity-algorithm-t; 3586 description 3587 "authentication"; 3588 } 3589 leaf encryption { 3590 type ike-encryption-algorithm-t; 3591 description 3592 "Encryption algorithm"; 3593 } 3594 leaf dh-group { 3595 type diffie-hellman-group-t; 3596 mandatory true; 3597 description 3598 "Diffie-Hellman group."; 3599 } 3600 } 3601 } 3603 grouping ipsec-policy-state-grouping { 3604 description 3605 "IPSec operational state"; 3606 list policy { 3607 if-feature ipsec-policy-state; 3608 description 3609 "IPSec policy operational data"; 3610 leaf name { 3611 type string; 3612 description 3613 "IPSec Policy name."; 3614 } 3615 leaf anti-replay-window { 3616 type uint32; 3617 description 3618 "replay window size"; 3619 } 3620 leaf perfect-forward-secrecy { 3621 type diffie-hellman-group-t; 3622 description 3623 "Diffie-Hellman group for perfect-forward-secrecy"; 3624 } 3625 list seq { 3626 description 3627 "Sequence number"; 3628 leaf seq-id { 3629 type uint32; 3630 description 3631 "Sequence number"; 3632 } 3633 leaf proposal-name { 3634 type string; 3635 description 3636 "IPSec proposal name"; 3637 } 3638 } 3639 } 3640 } 3641 grouping ipsec-proposal-state-grouping { 3642 description 3643 "IPSec proposal operational data"; 3644 list proposal { 3645 if-feature ipsec-proposal-state; 3646 description 3647 "IPSec proposal operational data"; 3648 leaf name { 3649 type string; 3650 description 3651 "IPSec Proposal name"; 3652 } 3653 leaf ah { 3654 type ike-integrity-algorithm-t; 3655 description 3656 "Authentication Header (AH)."; 3657 } 3658 container esp { 3659 description 3660 "Encapsulating Security Payload (ESP)."; 3661 leaf authentication { 3662 type ike-integrity-algorithm-t; 3663 description 3664 "ESP authentication"; 3665 } 3666 leaf encryption { 
             type ike-encryption-algorithm-t;
             description
               "ESP encryption";
           }
         }
         leaf ip-comp {
           type empty;
           description
             "IPSec proposal IP-COMP which uses the IP Payload "+
             "compression protocol to compress IP Security (IPSec) "+
             "packets before encryption";
         }
         container lifetime {
           description
             "lifetime for IPSEC SAs";
           leaf kbytes {
             type uint32;
             description
               "lifetime kbytes for IPSEC SAs";
           }
           leaf seconds {
             type uint32;
             description
               "lifetime seconds for IPSEC SAs";
           }
         }
       }
     }

     grouping ipsec-alarms-state-grouping {
       description
         "IPSec alarms operational data";
       leaf hold-down {
         if-feature ipsec-alarms-state;
         type uint32;
         description
           "Hold-down value";
       }
     }

     grouping ipsec-sa-ah-state-grouping {
       description
         "IPSec SA's AH operational data";

       leaf spi {
         if-feature ipsec-sa-ah-state;
         type uint32;
         description
           "Security Parameter Index (SPI) value";
       }
       leaf description {
         if-feature ipsec-sa-ah-state;
         type string;
         description
           "the description.";
       }
       leaf authentication-algorithm {
         if-feature ipsec-sa-ah-state;
         type ike-integrity-algorithm-t;
         description
           "Authentication algorithm";
       }
       leaf encryption-algorithm {
         if-feature ipsec-sa-ah-state;
         type ike-encryption-algorithm-t;
         description
           "Encryption algorithm";
       }
     }

     grouping ipsec-sa-state-grouping {
       description
         "IPSec Security Association Operational data";
       list sa {
         if-feature ipsec-sa-state;
         description
           "IPSec SA operational data";
         leaf name {
           type string;
           description
             "Specify IPSec Security Association (SA) name";
         }
         leaf anti-replay-window {
           type uint16;
           description
             "replay window size";
         }
         leaf ip-comp {
           type empty;
           description
             "Enables IPCOMP, which uses the IP payload compression
              protocol to compress IP security (IPsec) packets before
              encryption";
         }
         uses ipsec-sa-ah-state-grouping;
       }
     }

     /* draft-wang-ipsecme-ipsec-yang-00 */
     grouping ipsec-tunnel-mode-info {
       description
         "common information when using IPsec tunnel mode";
       leaf local-address {
         if-feature ipsec-tunnel;
         type string;
         description
           "Local address of IPsec tunnel mode";
       }
       leaf remote-address {
         if-feature ipsec-tunnel;
         type string;
         description
           "Remote address of IPsec tunnel mode";
       }
       leaf bypass-df {
         if-feature ipsec-tunnel;
         type enumeration {
           enum "set" {
             description
               "Set the df bit";
           }
           enum "clear" {
             description
               "Clear the df bit";
           }
           enum "copy" {
             description
               "Copy the df bit from inner header";
           }
         }
         description
           "This flag indicates how to process tunnel mode df flag";
       }
       leaf dscp-flag {
         if-feature ipsec-tunnel;
         type boolean;
         description
           "This flag indicates whether to bypass DSCP or map to
            unprotected DSCP values (array) if needed to
            restrict bypass of DSCP values.";
       }
       leaf stateful-frag-check-flag {
         if-feature ipsec-tunnel;
         type boolean;
         description
           "This flag indicates whether stateful fragment checking
            will be used.";
       }
     }
     grouping traffic-selector {
       description
         "IPsec traffic selector information";
       leaf local-address-low {
         if-feature ipsec-local-address-range;
         type inet:ip-address;
         description
           "Low range of local address";
       }
       leaf local-address-high {
         if-feature ipsec-local-address-range;
         type inet:ip-address;
         description
           "High range of local address";
       }
       leaf remote-address-low {
         if-feature ipsec-remote-address-range;
         type inet:ip-address;
         description
           "Low range of remote address";
       }
       leaf remote-address-high {
         if-feature ipsec-remote-address-range;
         type inet:ip-address;
         description
           "High range of remote address";
       }
       leaf next-protocol-low {
         if-feature ipsec-next-protocol-range;
         type uint16;
         description
           "Low range of next protocol";
       }
       leaf next-protocol-high {
         if-feature ipsec-next-protocol-range;
         type uint16;
         description
           "High range of next protocol";
       }
       leaf local-port-low {
         if-feature ipsec-local-port-range;
         type inet:port-number;
         description
           "Low range of local port";
       }
       leaf local-port-high {
         if-feature ipsec-local-port-range;
         type inet:port-number;
         description
           "High range of local port";
       }
       leaf remote-port-low {
         if-feature ipsec-remote-port-range;
         type inet:port-number;
         description
           "Low range of remote port";
       }
       leaf remote-port-high {
         if-feature ipsec-remote-port-range;
         type inet:port-number;
         description
           "High range of remote port";
       }
     }
     grouping ipsec-algorithm-info {
       description
         "IPsec algorithm information used by SPD and SAD";
       leaf ah-auth-algorithm {
         if-feature ipsec-ah-authentication;
         type ipsec-authentication-algorithm;
         description
           "Authentication algorithm used by AH";
       }
       leaf esp-integrity-algorithm {
         if-feature ipsec-esp-integrity;
         type ipsec-authentication-algorithm;
         description
           "Integrity algorithm used by ESP";
       }
       leaf esp-encrypt-algorithm {
         if-feature ipsec-esp-encrypt;
         type ipsec-encryption-algorithm;
         description
           "Encryption algorithm used by ESP";
       }
     }
     grouping ipsec-stat {
       description "IPsec statistics information";
       leaf inbound-packets {
         if-feature ipsec-stat;
         type uint64;
         config false;
         description "Inbound Packet count";
       }
       leaf outbound-packets {
         if-feature ipsec-stat;
         type uint64;
         config false;
         description "Outbound Packet count";
       }
       leaf inbound-bytes {
         if-feature ipsec-stat;
         type uint64;
         config false;
         description "Inbound Packet bytes";
       }
       leaf outbound-bytes {
         if-feature ipsec-stat;
         type uint64;
         config false;
         description "Outbound Packet bytes";
       }
       leaf inbound-drop-packets {
         if-feature ipsec-stat;
         type uint64;
         config false;
         description "Inbound dropped packets count";
       }
       leaf outbound-drop-packets {
         if-feature ipsec-stat;
         type uint64;
         config false;
         description "Outbound dropped packets count";
       }
       container dropped-packet-detail {
         if-feature ipsec-stat;
         description "The detail information of dropped packets";
         leaf sa-non-exist {
           type uint64;
           config false;
           description
             "The dropped packets counts caused by SA non-exist.";
         }
         leaf queue-full {
           type uint64;
           config false;
           description
             "The dropped packets counts caused by full processing
              queue";
         }
         leaf auth-failure {
           type uint64;
           config false;
           description
             "The dropped packets counts caused by authentication
              failure";
         }
         leaf malform {
           type uint64;
           config false;
           description
             "The dropped packets counts of malformed packets";
         }
         leaf replay {
           type uint64;
           config false;
           description "The dropped packets counts of replay";
         }
         leaf large-packet {
           type uint64;
           config false;
           description
             "The dropped packets counts of too large packets";
         }
         leaf invalid-sa {
           type uint64;
           config false;
           description "The dropped packets counts of invalid SA";
         }
         leaf policy-deny {
           type uint64;
           config false;
           description
             "The dropped packets counts of denied by policy";
         }
         leaf other-reason {
           type uint64;
           config false;
           description
             "The dropped packets counts of other reason";
         }
       }
     }

     container ike-state {
       if-feature ikev1-state;
       config false;
       uses ike-proposal-state-components;
       uses ike-policy-state-grouping;
       description
         "Contain the operational data for IKE.";
     }
     container ikev2-state {
       if-feature ikev2-state;
       config false;
       uses ikev2-proposal-state-components;
       uses ike-policy-state-grouping;
       description
         "Contain the operational data for IKEv2.";
     }
     container ipsec-state {
       if-feature ipsec-state;
       config false;
       uses ipsec-policy-state-grouping;
       uses ipsec-proposal-state-grouping;
       uses ipsec-alarms-state-grouping;
       uses ipsec-sa-state-grouping;
       container redundancy {
         if-feature ipsec-redundancy;
         description
           "Configure redundancy for IPSec";
         leaf inter-chassis {
           type empty;
           description
             "Set redundancy at chassis level";
         }
       }

       description
         "Contain the operational data for IPSec.";
     }

     /* draft-wang-ipsecme-ipsec-yang-00 */
     container sad {
       if-feature sad;
       config false;
       description
         "The IPsec SA database";
       list sad-entries {
         key "spi security-protocol direction";
         description
           "The SA entries information";
         leaf spi {
           type ipsec-spi;
           description
             "Security parameter index of SA entry.";
         }
         leaf security-protocol {
           type ipsec-protocol;
           description
             "Security protocol of IPsec SA.";
         }
         leaf direction {
           type ipsec-traffic-direction;
           description
             "It indicates whether the SA is inbound SA or
              outbound SA.";
         }
         leaf sa-type {
           type enumeration {
             enum "manual" {
               description
                 "Manual IPsec SA";
             }
             enum "isakmp" {
               description
                 "ISAKMP IPsec SA";
             }
           }
           description
             "It indicates whether the SA is created manually
              or by a dynamic protocol.";
         }
         leaf sequence-number {
           type uint64;
           description
             "Current sequence number of IPsec packet.";
         }
         leaf sequence-number-overflow-flag {
           type boolean;
           description
             "The flag indicating whether overflow of the sequence
              number counter should prevent transmission of additional
              packets on the SA, or whether rollover is permitted.";
         }
         leaf anti-replay-enable-flag {
           type boolean;
           description
             "It indicates whether anti-replay is enabled or disabled.";
         }
         leaf anti-replay-window-size {
           type uint64;
           description
             "The size of anti-replay window.";
         }
         uses ipsec-algorithm-info;
         container life-time {
           leaf life-time-in-seconds {
             type uint32;
             description
               "SA life time in seconds";
           }
           leaf remain-life-time-in-seconds {
             type uint32;
             description
               "Remaining SA life time in seconds";
           }
           leaf life-time-in-byte {
             type uint32;
             description
               "SA life time in bytes";
           }
           leaf remain-life-time-in-byte {
             type uint32;
             description
               "Remaining SA life time in bytes";
           }
           description
             "SA life time information";
         }
         leaf protocol-mode {
           type ipsec-mode;
           description
             "It indicates whether tunnel mode or transport mode
              will be used.";
         }
         container tunnel-mode-process-info {
           when "protocol-mode = 'tunnel'" {
             description
               "External information of SA when SA works in
                tunnel mode.";
           }
           uses ipsec-tunnel-mode-info;
           description
             "External information of SA when SA works in
              tunnel mode.";
         }
         leaf-list dscp {
           type uint8 {
             range "0..63";
           }
           description
             "When traffic matches SPD, the DSCP values used to
              filter traffic";
         }
         leaf path-mtu {
           type uint16;
           description
             "Path MTU value";
         }
         leaf nat-traversal-flag {
           type boolean;
           description
             "Whether the SA is used to protect traffic that needs
              NAT traversal";
         }
       }
     }
     container spd {
       if-feature spd;
       config false;
       description
         "IPsec security policy database information";
       list spd-entries {
         description
           "IPsec SPD entry information";
         list name {
           description
             "SPD name information.";
           leaf name-type {
             type ipsec-spd-name;
             description
               "SPD name type.";
           }
           leaf name-string {
             when "name-type = 'id_rfc_822_addr' or name-type = 'id_fqdn'" {
               description
                 "When name type is id_rfc_822_addr or id_fqdn, the
                  name is saved as a string";
             }
             type string;
             description
               "SPD name content";
           }
           leaf name-binary {
             when "name-type = 'id_der_asn1_dn' or name-type = 'id_key'" {
               description
                 "When name type is id_der_asn1_dn or id_key, the name
                  is saved as binary";
             }
             type binary;
             description
               "SPD name content";
           }
         }
         leaf pfp-flag {
           type boolean;
           description
             "populate from packet flag";
         }
         list traffic-selector {
           min-elements 1;
           uses traffic-selector;
           description
             "Traffic selectors of SPD entry";
         }
         leaf operation {
           type ipsec-spd-operation;
           description
             "It indicates how to process the traffic when it matches
              the security policy.";
         }
         container protect-operation {
           when "operation = 'protect'" {
             description
               "How to protect the traffic when the SPD operation
                is protect";
           }
           leaf spd-ipsec-mode {
             type ipsec-mode;
             description
               "It indicates which mode is chosen when the traffic
                needs to be protected by IPsec.";
           }
           leaf esn-flag {
             type boolean;
             description
               "It indicates whether ESN is used.";
           }
           leaf spd-ipsec-protocol {
             type ipsec-protocol;
             description
               "It indicates which protocol (AH or ESP) is chosen.";
           }
           container tunnel-mode-additional {
             when "spd-ipsec-mode = 'tunnel'" {
               description
                 "Additional information when tunnel mode is chosen";
             }
             uses ipsec-tunnel-mode-info;
             description
               "When tunnel mode is used, the additional information
                of the SPD entry.";
           }
           list spd-algorithm {
             min-elements 1;
             uses ipsec-algorithm-info;
             description
               "Algorithms defined in SPD, ordered by decreasing
                priority.";
           }
           description
             "How to protect the traffic when the SPD operation is
              protect";
         }
       }
     }

     container ipsec-global-statistics {
       if-feature ipsec-global-stats;
       config false;
       description "IPsec global statistics";
       container ipv4 {
         description "IPsec statistics of IPv4";
         uses ipsec-stat;
       }
       container ipv6 {
         description "IPsec statistics of IPv6";
         uses ipsec-stat;
       }
       container global {
         description "IPsec statistics of global";
         uses ipsec-stat;
       }
     }

     /*--------------------*/
     /* RPC */
     /*--------------------*/
     rpc clear-ipsec-group {
       if-feature clear-ipsec-group;
       description
         "RPC for clearing IPsec states";
       input {
         leaf alarm-hold-down {
           type uint8;
           description
             "IPSec alarm hold-down";
         }
         leaf ipsec-policy-name {
           type leafref {
             path "/eipsec:ipsec/eipsec:spd/"+
                  "eipsec:spd-entries/eipsec:name";
           }
           description
             "IPSec Policy name.";
         }
       }
     }

     rpc clear-ike-group {
       if-feature clear-ike-group;
       description
         "RPC for clearing IKE states";
       input {
         leaf proposal {
           type leafref {
             path "/eipsec:ikev1/eipsec:proposal/"+
                  "eipsec:name";
           }
           description
             "IPSec IKE Proposal name.";
         }
       }
     }

     rpc clear-ikev2-group {
       if-feature clear-ikev2-group;
       description
         "RPC for clearing IKEv2 states";
       input {
         leaf proposal {
           type leafref {
             path "/eipsec:ikev2/eipsec:proposal/"+
                  "eipsec:name";
           }
           description
             "IPSec IKEv2 Proposal name.";
         }
       }
     }

     /* draft-wang-ipsecme-ipsec-yang-00 */
     rpc reset-ipv4 {
       if-feature reset-ipv4;
       description "Reset IPsec IPv4 statistics";
       input {
         leaf ipv4 {
           type empty;
           description "Reset IPsec IPv4 statistics";
         }
       }
       output {
         leaf status {
           type string;
           description "Operation status";
         }
       }
     }
     rpc reset-ipv6 {
       if-feature reset-ipv6;
       description "Reset IPsec IPv6 statistics";
       input {
         leaf ipv6 {
           type empty;
           description "Reset IPsec IPv6 statistics";
         }
       }
       output {
         leaf status {
           type string;
           description "Operation status";
         }
       }
     }
     rpc reset-global {
       if-feature reset-global;
       description "Reset IPsec global statistics";
       input {
         /* The input leaf was named "ipv6" in the original text; it is
            renamed "global" here to match the RPC it belongs to. */
         leaf global {
           type empty;
           description "Reset IPsec global statistics";
         }
       }
       output {
         leaf status {
           type string;
           description "Operation status";
         }
       }
     }

     notification dpd-failure {
       description "IKE peer DPD detect failure";
       leaf peer-id {
         type string;
         description "Peer ID";
       }
     }

     notification peer-authentication-failure {
       if-feature peer-authentication-failure;
       description "Peer authentication failure during negotiation";
       leaf peer-id {
         type string;
         description "The ID of remote peer";
       }
     }

     notification ike-reauth-failure {
       if-feature ike-reauth-failure;
       description "IKE peer reauthentication failure";
       leaf peer-id {
         type string;
         description "The ID of remote peer";
       }
     }

     notification ike-rekey-failure {
       if-feature ike-rekey-failure;
       description "IKE SA rekey failure";
       leaf peer-id {
         type string;
         description "The ID of remote peer";
       }
       leaf old-i-spi {
         type uint64;
         description "old initiator SPI of the IKE SA";
       }
       leaf old-r-spi {
         type uint64;
         description "old responder SPI of the IKE SA";
       }
     }

     notification ipsec-rekey-failure {
       if-feature ipsec-rekey-failure;
       description "IPsec SA rekey failure";
       leaf peer-id {
         type string;
         description "The ID of remote peer";
       }
       leaf old-inbound-spi {
         type ipsec-spi;
         description "old inbound SPI";
       }
       leaf old-outbound-spi {
         type ipsec-spi;
         description "old outbound SPI";
       }
     }
   } /* module ericsson-ipsec */

5. Security Considerations

   The configuration, state, and action data defined in this document
   are designed to be accessed via the NETCONF protocol [RFC6241]. The
   data model by itself does not create any security implications. The
   security considerations for the NETCONF protocol are applicable.
   The NETCONF protocol used for sending the data supports
   authentication and encryption.

6. References

6.1. Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2234] Crocker, D. and P. Overell (Editors), "Augmented BNF for
             Syntax Specifications: ABNF", RFC 2234, November 1997.

   [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the
             Network Configuration Protocol (NETCONF)", RFC 6020,
             October 2010.

   [RFC6021] Schoenwaelder, J., "Common YANG Data Types", RFC 6021,
             October 2010.

   [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
             Bierman, "Network Configuration Protocol (NETCONF)",
             RFC 6241, June 2011.

   [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
             Kivinen, "Internet Key Exchange Protocol Version 2
             (IKEv2)", RFC 7296, October 2014.
   [RFC6071] Frankel, S. and S. Krishnan, "IP Security (IPsec) and
             Internet Key Exchange (IKE) Document Roadmap", RFC 6071,
             February 2011.

6.2. Informative References

   [RFC6087] Bierman, A., "Guidelines for Authors and Reviewers of YANG
             Data Model Documents", RFC 6087, January 2011.

Authors' Addresses

   Khanh Tran
   Ericsson
   300 Holger Way
   San Jose, CA 95134
   USA

   Email: khanh.x.tran@ericsson.com

   Honglei Wang
   Huawei Technologies
   Huawei Bld., No.156 Beiqing Rd.
   Beijing 100095
   China

   Email: stonewater.wang@huawei.com

   Vijay Kumar Nagaraj
   Huawei Technologies
   Huawei Technologies India Pvt Ltd
   Bangalore 560008
   India

   Email: vijay.kn@huawei.com

   Xia Chen
   Huawei Technologies
   Huawei Bld., No.156 Beiqing Rd.
   Beijing 100095
   China

   Email: xiachen@huawei.com
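The sad container and the dropped-packet-detail counters of the ipsec-stat grouping above are the operational data a monitoring system would poll over NETCONF; the following Python script, an added example that is not part of this draft, audits a constructed <get> reply shaped after those containers, flagging SAs with anti-replay disabled, a near-exhausted sequence counter with rollover permitted, or little remaining lifetime, and reporting non-zero security-relevant drop reasons. The namespace URI, the 32-bit sequence-counter limit and the alerting thresholds are assumptions, since the module's namespace statement and the ESN state of an SA are outside this excerpt.

```python
import xml.etree.ElementTree as ET

# Assumptions (not from the draft): placeholder namespace URI, a 32-bit
# sequence counter when ESN is not in use, and the alerting thresholds.
NS = {"e": "urn:example:ericsson-ipsec"}
SEQ_LIMIT = 2 ** 32
SEQ_WARN_FRACTION = 0.9
LIFETIME_WARN_SECONDS = 60
ALERT_DROP_REASONS = ("replay", "auth-failure", "invalid-sa", "policy-deny")

# Constructed sample <get> reply: one outbound ESP SA from the sad container
# and the global counters of ipsec-global-statistics, using the module's names.
SAMPLE_REPLY = """<data xmlns="urn:example:ericsson-ipsec">
  <sad><sad-entries>
    <spi>4098</spi><security-protocol>esp</security-protocol>
    <direction>outbound</direction><sa-type>isakmp</sa-type>
    <sequence-number>4000000000</sequence-number>
    <sequence-number-overflow-flag>false</sequence-number-overflow-flag>
    <anti-replay-enable-flag>false</anti-replay-enable-flag>
    <life-time><remain-life-time-in-seconds>30</remain-life-time-in-seconds></life-time>
  </sad-entries></sad>
  <ipsec-global-statistics><global>
    <dropped-packet-detail>
      <replay>12</replay><auth-failure>5</auth-failure><policy-deny>0</policy-deny>
    </dropped-packet-detail>
  </global></ipsec-global-statistics>
</data>"""

def _text(node, path, default=None):
    # Text of the first child matching an 'e:'-prefixed path, or default.
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else default

def audit_sa_entries(root):
    # (sa-key, finding) pairs; the list key is "spi security-protocol direction".
    findings = []
    for sa in root.findall("e:sad/e:sad-entries", NS):
        key = (_text(sa, "e:spi"), _text(sa, "e:security-protocol"),
               _text(sa, "e:direction"))
        if _text(sa, "e:anti-replay-enable-flag") == "false":
            findings.append((key, "anti-replay disabled"))
        seq = int(_text(sa, "e:sequence-number", "0"))
        # overflow-flag false: rollover is permitted rather than halting the SA.
        rollover_permitted = _text(sa, "e:sequence-number-overflow-flag") == "false"
        if seq >= SEQ_WARN_FRACTION * SEQ_LIMIT and rollover_permitted:
            findings.append((key, "sequence counter near exhaustion, rollover permitted"))
        remain = _text(sa, "e:life-time/e:remain-life-time-in-seconds")
        if remain is not None and int(remain) < LIFETIME_WARN_SECONDS:
            findings.append((key, f"SA expires in {remain}s"))
    return findings

def drop_reasons(root, scope="global"):
    # Non-zero security-relevant counters from dropped-packet-detail.
    path = f"e:ipsec-global-statistics/e:{scope}/e:dropped-packet-detail"
    detail = root.find(path, NS)
    if detail is None:
        return {}
    counts = {r: int(_text(detail, f"e:{r}", "0")) for r in ALERT_DROP_REASONS}
    return {r: n for r, n in counts.items() if n > 0}

def audit_reply(xml_text):
    root = ET.fromstring(xml_text)
    return {"sa_findings": audit_sa_entries(root), "drops": drop_reasons(root)}
```

Calling audit_reply(SAMPLE_REPLY) returns three findings for the sample SA and the non-zero replay and auth-failure counters; on a live device the same function would be fed the reply of a NETCONF <get> filtered to these containers.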