idnits 2.17.1

draft-tran-ipsecme-yang-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** There are 21 instances of too long lines in the document, the longest one
     being 14 characters in excess of 72.

  == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 399 has weird spacing: '...unction pse...'

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119.  Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).

     Found 'MUST not' in this paragraph:

     grouping identity-grouping {
       description
         "Identification type. It is an union identity, "+
         "possible type as follows: "+
         "a) ID_FQDN: A fully-qualified domain name string. "+
         "   An example of a ID_FQDN is, example.com. "+
         "   The string MUST not contain any terminators "+
         "(e.g., NULL, CR, etc.). "+
         "b) ID_RFC822_ADDR: A fully-qualified RFC822 email "+
         "   address string, An example of a ID_RFC822_ADDR is, "+
         "   jsmith@example.com. The string MUST not contain "+
         "   any terminators. "+
         "c) ID_IPV4_ADDR: A single four (4) octet IPv4 address. "+
         "d) ID_IPV6_ADDR: A single sixteen (16) octet IPv6 address. "+
         "e) DN_X509: Distinguished name in the X.509 tradition.";
       choice identity {
         description "Choice of identity.";
         leaf ipv4-address {
           type inet:ipv4-address;
           description
             "Specifies the identity as a single four (4) octet
              IPv4 address. An example is, 10.10.10.10. ";
         }
         leaf ipv6-address {
           type inet:ipv6-address;
           description
             "Specifies the identity as a single sixteen (16) "+
             "octet IPv6 address. "+
             "An example is, "+
             "FF01::101, 2001:DB8:0:0:8:800:200C:417A .";
         }
         leaf fqdn-string {
           type inet:domain-name;
           description
             "Specifies the identity as a Fully-Qualified Domain
              Name (FQDN) string. An example is: example.com.
              The string MUST not contain any terminators
              (e.g., NULL, CR, etc.).";
         }
         leaf rfc822-address-string {
           type string;
           description
             "Specifies the identity as a fully-qualified RFC822
              email address string. An example is,
              jsmith@example.com. The string MUST not contain any
              terminators (e.g., NULL, CR, etc.).";
         }
         leaf dnX509 {
           type string;
           description
             "Specifies the identity as a distinguished name in
              the X.509 tradition.";
         }
       }
     } /* grouping identity-grouping */

     grouping ike-general-policy-profile-grouping {
       description "IKE policy.";
       leaf connection-type {
         type connection-type-t;
         mandatory true;
         description "Specify the IKE connection type";
       }
       leaf pre-shared-key {
         type union {
           type string { length "16"; }
           type yang:hex-string { length "40"; }
         }
         description "Specify IKE pre-shared-key value";
       }
       leaf validate-certificate-identity {
         type empty;
         description
           "Validate Remote-ID payload against the ID's available
            in the certificate";
       }
       list seq {
         key seq-id;
         description "list of sequence of policy.";
         leaf seq-id {
           type uint32 { range "1..429496729"; }
           description "Sequence Number";
         }
         leaf proposal {
           type leafref {
             path "/eipsec:ikev1/eipsec:proposal"+
                  "/eipsec:name";
           }
           description "IKE Proposal reference.";
         }
       }
       container identity {
         description "Specify IKE identity value";
         container local {
           description
             "Specify the identity of the local IP Security (IPSec)
              tunnel endpoint in an Internet Key Exchange (IKE)
              policy to use when negotiating IKE request with a
              remote peer.";
           uses identity-grouping;
         }
         container remote {
           description
             "Specify the identity of the remote IP Security (IPSec)
              tunnel endpoint in an Internet Key Exchange (IKE)
              policy to use when negotiating IKE request with a
              remote peer.";
           uses identity-grouping;
         }
       }
     }

  -- The document date (March 18, 2016) is 2961 days in the past.  Is this
     intentional?
  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC2234' is defined on line 4431, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC6020' is defined on line 4435, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC6021' is defined on line 4439, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC6071' is defined on line 4450, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC6087' is defined on line 4456, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2234 (Obsoleted by RFC 4234)

  ** Obsolete normative reference: RFC 6021 (Obsoleted by RFC 6991)

  ** Obsolete normative reference: RFC 5996 (ref. 'RFC7296') (Obsoleted by
     RFC 7296)

  ** Downref: Normative reference to an Informational RFC: RFC 6071

  -- Obsolete informational reference (is this intentional?): RFC 6087
     (Obsoleted by RFC 8407)

     Summary: 6 errors (**), 0 flaws (~~), 9 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

  1 Network Working Group                                            K. Tran
  2 Internet Draft                                                  Ericsson
  3 Intended status: Standards Track                                 H. Wang
  4 Expires: September 18, 2016                                   V. Nagaraj
  5                                                                  X. Chen
  6                                                       Huawei Technologies
  7                                                           March 18, 2016

  9          Yang Data Model for Internet Protocol Security (IPsec)
 10                     draft-tran-ipsecme-yang-01.txt

 12 Abstract

 14    This document defines a YANG data model that can be used to
 15    configure and manage Internet Protocol Security (IPsec). The model
 16    covers the IPsec protocol operational state, remote procedural
 17    calls, and event notifications data.
 19 Status of this Memo

 21    This Internet-Draft is submitted in full conformance with the
 22    provisions of BCP 78 and BCP 79.

 24    Internet-Drafts are working documents of the Internet Engineering
 25    Task Force (IETF), its areas, and its working groups. Note that
 26    other groups may also distribute working documents as Internet-
 27    Drafts.

 29    Internet-Drafts are draft documents valid for a maximum of six
 30    months and may be updated, replaced, or obsoleted by other documents
 31    at any time. It is inappropriate to use Internet-Drafts as
 32    reference material or to cite them other than as "work in progress."

 34    The list of current Internet-Drafts can be accessed at
 35    http://www.ietf.org/ietf/1id-abstracts.txt

 37    The list of Internet-Draft Shadow Directories can be accessed at
 38    http://www.ietf.org/shadow.html

 40    This Internet-Draft will expire on November 18, 2016.

 42 Copyright Notice

 44    Copyright (c) 2016 IETF Trust and the persons identified as the
 45    document authors. All rights reserved.

 47    This document is subject to BCP 78 and the IETF Trust's Legal
 48    Provisions Relating to IETF Documents
 49    (http://trustee.ietf.org/license-info) in effect on the date of
 50    publication of this document. Please review these documents
 51    carefully, as they describe your rights and restrictions with
 52    respect to this document. Code Components extracted from this
 53    document must include Simplified BSD License text as described in
 54    Section 4.e of the Trust Legal Provisions and are provided without
 55    warranty as described in the Simplified BSD License.

 57 Table of Contents

 59    1. Introduction
 60    2. Conventions used in this document
 61    3. IPsec Configuration and Operation Model Overview
 62       3.1. IPsec Configuration Data Model
 63       3.2. IKEv1 Configuration Data Model
 64       3.3. IKEv2 Configuration Data Model
 65       3.4. IPsec Operation Data Model
 66       3.5. IKEv1 Operation Data Model
 67       3.6. IKEv2 Operation Data Model
 68       3.7. IPsec SAD Operational Data Model
 69       3.8. IPsec SPD Operational Data Model
 70       3.9. IPsec Global Statistics Operational Data Model
 71       3.10. RPC Operation
 72       3.11. Notifications
 73    4. IPsec YANG Module
 74    5. Security Considerations
 75    6. References
 76       6.1. Normative References
 77       6.2. Informative References

 79 1. Introduction

 81    Internet Protocol Security (IPsec) is a suite of protocols that
 82    provides security to internet communications at the IP layer. This
 83    document defines a YANG data model that can be used to configure and
 84    manage the IPsec protocol including Encapsulating Security Payload
 85    (ESP), Authentication Header (AH), Internet Key Exchange version 1
 86    (IKEv1), and Internet Key Exchange version 2 (IKEv2) components.

 88 2. Conventions used in this document

 90    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 91    "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
 92    document are to be interpreted as described in RFC-2119 [RFC2119].

 94    In this document, these words will appear with that interpretation
 95    only when in ALL CAPS. Lower case uses of these words are not to be
 96    interpreted as carrying RFC-2119 significance.

 98    In this document, the characters ">>" preceding an indented line(s)
 99    indicate a compliance requirement statement using the key words
100    listed above. This convention aids reviewers in quickly identifying
101    or finding the explicit compliance requirements of this RFC.

103 3. IPsec Configuration and Operation Model Overview

105    This section describes the relationship of AH, ESP and SA to IPsec,
106    and of IKEv2 to IPsec.

108    Figure 1 shows the protocols (AH and ESP) associated with IPsec.

110    +------------------------------------------------+
111    |                                                |
112    |      Internet Protocol Security (IPsec)        |
113    |             +------------+                     |
114    |             |   AH/ESP   |                     |
115    |             +------------+                     |
116    |                   |                            |
117    |                   V                            |
118    |             +------------+                     |
119    |             |     SA     |                     |
120    |             +------------+                     |
121    |                   |                            |
122    |                   V                            |
123    |             +------------+                     |
124    |             |   IPsec    |                     |
125    |             | Data Model |                     |
126    |             +------------+                     |
127    |                                                |
128    +------------------------------------------------+

130          Figure 1. Relationship between AH/ESP/SA and IPsec

132 3.1. IPsec Configuration Data Model

134    The IPsec data model provides the appropriate leaves for configuring
135    the IPsec protocol. The IPsec YANG data model shall contain AH,
136    ESP, Security Policy (SP), Security Policy Database (SPD), Security
137    Association (SA), Security Association Database (SAD), and Peer
138    Authorization Database (PAD) components.

140    module: ietf-ipsec

142    +--rw ipsec {ipsec}?
143    | +--rw sad {ipsec-sad}?
144    | | +--rw sad-entries* [spi direction]
145    | | +--rw spi uint32
146    | | +--rw anti-replay-window? uint16
147    | | +--rw ip-comp? empty
148    | | +--rw local-peer
149    | | | +--rw (ip-address)?
150    | | | +--:(ipv4-address)
151    | | | | +--rw ipv4-address? inet:ipv4-address
152    | | | +--:(ipv6-address)
153    | | | +--rw ipv6-address? inet:ipv6-address
154    | | +--rw remote-peer
155    | | | +--rw (ip-address)?
156    | | | +--:(ipv4-address)
157    | | | | +--rw ipv4-address? inet:ipv4-address
158    | | | +--:(ipv6-address)
159    | | | +--rw ipv6-address? inet:ipv6-address
160    | | +--rw sa-mode? ipsec-mode
161    | | +--rw security-protocol? ipsec-protocol
162    | | +--rw sequence-number? uint64
163    | | +--rw sequence-number-overflow-flag? boolean
164    | | +--rw path-mtu? uint16
165    | | +--rw life-time
166    | | | +--rw life-time-in-seconds? uint32
167    | | | +--rw remain-life-time-in-seconds? uint32
168    | | | +--rw life-time-in-byte? uint32
169    | | | +--rw remain-life-time-in-byte? uint32
170    | | +--rw upper-protocol? string
171    | | +--rw direction ipsec-traffic-direction
172    | | +--rw source-address
173    | | | +--rw (ip-address)?
174    | | | | +--:(ipv4-address)
175    | | | | | +--rw ipv4-address? inet:ipv4-address
176    | | | | +--:(ipv6-address)
177    | | | | +--rw ipv6-address? inet:ipv6-address
178    | | | +--rw port-number? uint32
179    | | +--rw destination-address
180    | | | +--rw (ip-address)?
181    | | | | +--:(ipv4-address)
182    | | | | | +--rw ipv4-address? inet:ipv4-address
183    | | | | +--:(ipv6-address)
184    | | | | +--rw ipv6-address? inet:ipv6-address
185    | | | +--rw port-number? uint32
186    | | +--rw nat-traversal-flag? boolean
187    | | +--rw ah
188    | | | +--rw (authentication-algorithm)?
189    | | | +--:(hmac-aes-xcbc)
190    | | | | +--rw hmac-aes-xcbc
191    | | | | +--rw key-str? union
192    | | | +--:(hmac-md5-96)
193    | | | | +--rw hmac-md5-96
194    | | | | +--rw key-str? union
195    | | | +--:(hmac-sha1-96)
196    | | | | +--rw hmac-sha1-96
197    | | | | +--rw key-str? union
198    | | | +--:(key-string)
199    | | | +--rw key-string
200    | | | +--rw key-str? union
201    | | +--rw esp
202    | | +--rw authentication
203    | | | +--rw (authentication-algorithm)?
204    | | | +--:(hmac-aes-xcbc)
205    | | | | +--rw hmac-aes-xcbc
206    | | | | +--rw key-str? union
207    | | | +--:(hmac-md5-96)
208    | | | | +--rw hmac-md5-96
209    | | | | +--rw key-str? union
210    | | | +--:(hmac-sha1-96)
211    | | | | +--rw hmac-sha1-96
212    | | | | +--rw key-str? union
213    | | | +--:(key-string)
214    | | | +--rw key-string
215    | | | +--rw key-str? union
216    | | +--rw encryption
217    | | +--rw (encryption-algorithm)?
218    | | +--:(des3-cbc)
219    | | | +--rw des3-cbd
220    | | | +--rw key-str? union
221    | | +--:(aes-128-cbc)
222    | | | +--rw aes-128-cbc
223    | | | +--rw key-str? union
224    | | +--:(aes-192-cbc)
225    | | | +--rw aes-192-cbc
226    | | | +--rw key-str? union
227    | | +--:(aes-256-cbc)
228    | | | +--rw aes-256-cbc
229    | | | +--rw key-str? union
230    | | +--:(des-cbc)
231    | | | +--rw des-cbc
232    | | | +--rw key-str? union
233    | | +--:(key-string)
234    | | +--rw key-string
235    | | +--rw key-str? union
236    | +--rw proposal {ipsec-proposal}?
237    | | +--rw ipsec-proposal* [name]
238    | | +--rw name string
239    | | +--rw ah? ike-integrity-algorithm-t
240    | | +--rw esp
241    | | | +--rw authentication? ike-integrity-algorithm-t
242    | | | +--rw encryption? ike-encryption-algorithm-t
243    | | +--rw ip-comp? empty
244    | | +--rw lifetime
245    | | +--rw kbytes? uint32
246    | | +--rw seconds? uint32
247    | +--rw spd {ipsec-spd}?
248    | | +--rw spd-entries* [name]
249    | | +--rw name string
250    | | +--rw description? string
251    | | +--rw anti-replay-window? uint32
252    | | +--rw perfect-forward-secrecy
253    | | | +--rw dh-group? diffie-hellman-group-t
254    | | +--rw seq* [seq-id]
255    | | +--rw seq-id uint32
256    | | +--rw description? string
257    | | +--rw proposal? leafref
258    | +--rw pad
259    | +--rw pad-entries* [pad-type pad-id]
260    | +--rw (identity)?
261    | | +--:(ipv4-address)
262    | | | +--rw ipv4-address? inet:ipv4-address
263    | | +--:(ipv6-address)
264    | | | +--rw ipv6-address? inet:ipv6-address
265    | | +--:(fqdn-string)
266    | | | +--rw fqdn-string? inet:domain-name
267    | | +--:(rfc822-address-string)
268    | | | +--rw rfc822-address-string? string
269    | | +--:(dnX509)
270    | | +--rw dnX509? string
271    | +--rw pad-id uint32
272    | +--rw pad-type pad-type-t
273    | +--rw ike-peer-name? string
274    | +--rw peer-authentication
275    | +--rw algorithm? ike-integrity-algorithm-t
276    | +--rw preshared-key? empty
277    | +--rw rsa-signature? empty

279 3.2. IKEv1 Configuration Data Model

281    This section presents the YANG data model for IKEv1.

283    +--rw ikev1 {ikev1}?
284    | +--rw proposal* [name]
285    | | +--rw name string
286    | | +--rw description? string
287    | | +--rw dh-group diffie-hellman-group-t
288    | | +--rw encryption
289    | | | +--rw algorithm? ike-encryption-algorithm-t
290    | | +--rw lifetime uint32
291    | | +--rw authentication
292    | | +--rw algorithm? ike-integrity-algorithm-t
293    | | +--rw preshared-key? empty
294    | | +--rw rsa-signature? empty
295    | +--rw keepalive? empty
296    | +--rw policy* [name]
297    | +--rw name string
298    | +--rw mode
299    | | +--rw aggressive? empty
300    | | +--rw main? empty
301    | +--rw connection-type connection-type-t
302    | +--rw pre-shared-key? union
303    | +--rw validate-certificate-identity? empty
304    | +--rw seq* [seq-id]
305    | | +--rw seq-id uint32
306    | | +--rw proposal? leafref
307    | +--rw identity
308    | +--rw local
309    | | +--rw (identity)?
310    | | +--:(ipv4-address)
311    | | | +--rw ipv4-address? inet:ipv4-address
312    | | +--:(ipv6-address)
313    | | | +--rw ipv6-address? inet:ipv6-address
314    | | +--:(fqdn-string)
315    | | | +--rw fqdn-string? inet:domain-name
316    | | +--:(rfc822-address-string)
317    | | | +--rw rfc822-address-string? string
318    | | +--:(dnX509)
319    | | +--rw dnX509? string
320    | +--rw remote
321    | +--rw (identity)?
322    | +--:(ipv4-address)
323    | | +--rw ipv4-address? inet:ipv4-address
324    | +--:(ipv6-address)
325    | | +--rw ipv6-address? inet:ipv6-address
326    | +--:(fqdn-string)
327    | | +--rw fqdn-string? inet:domain-name
328    | +--:(rfc822-address-string)
329    | | +--rw rfc822-address-string? string
330    | +--:(dnX509)
331    | +--rw dnX509? string

333 3.3. IKEv2 Configuration Data Model

335    This section presents the YANG data model for IKEv2 as per RFC-
336    7296 [RFC7296].

338    The IKEv2 data model provides the appropriate leaves for configuring
339    the IKEv2 protocol. The IKEv2 YANG data model has the following
340    structure:

342    +--rw ikev2 {ikev2}?
343    | +--rw ike-global-configuration {ikev2-global}?
344    | | +--rw (df-flag)?
345    | | | +--:(set)
346    | | | | +--rw set? empty
347    | | | +--:(clear)
348    | | | | +--rw clear? empty
349    | | | +--:(copy)
350    | | | +--rw copy? empty
351    | | +--rw stateful-frag-check? boolean
352    | | +--rw life-time-kb? uint32
353    | | +--rw life-time-second? uint32
354    | | +--rw (anti-replay)?
355    | | | +--:(enable)
356    | | | | +--rw enable? empty
357    | | | | +--rw (anti-replay-windows-size)?
358    | | | | +--:(size-32)
359    | | | | +--:(size-64)
360    | | | | +--:(size-128)
361    | | | | +--:(size-256)
362    | | | | +--:(size-512)
363    | | | | +--:(size-1024)
364    | | | +--:(disable)
365    | | | +--rw disable? empty
366    | | +--rw inbound-dscp? uint16
367    | | +--rw outbound-dscp? uint16
368    | | +--rw local-name? string
369    | | +--rw nat-keepalive-interval? uint16
370    | | +--rw dpd-interval? uint16
371    | +--rw ike-peer {ikev2-peer}?
372    | | +--rw ike-peer-entries* [peer-name]
373    | | +--rw peer-name string
374    | | +--rw ike-proposal-number? ike-proposal-number-ref
375    | | +--rw PresharedKey? string
376    | | +--rw nat-traversal? boolean
377    | | +--rw (local-id-type)?
378    | | | +--:(ip)
379    | | | | +--rw ip? empty
380    | | | +--:(fqdn)
381    | | | | +--rw fqdn? empty
382    | | | +--:(dn)
383    | | | | +--rw dn? empty
384    | | | +--:(user_fqdn)
385    | | | +--rw user_fqdn? empty
386    | | +--rw local-id? string
387    | | +--rw remote-id? string
388    | | +--rw low-remote-address? inet:ip-address
389    | | +--rw high-remote-address? inet:ip-address
390    | | +--rw certificate? string
391    | | +--rw auth-address-begin? inet:ip-address
392    | | +--rw auth-address-end? inet:ip-address
393    | +--rw proposal* [name] {ikev2-proposal}?
394    | | +--rw name string
395    | | +--rw description? string
396    | | +--rw dh-group diffie-hellman-group-t
397    | | +--rw encryption
398    | | | +--rw algorithm? ike-encryption-algorithm-t
399    | | +--rw pseudo-random-function pseudo-random-function-t
400    | | +--rw authentication
401    | | +--rw algorithm? ike-integrity-algorithm-t
402    | +--rw policy* [name] {ikev2-policy}?
403    | +--rw name string
404    | +--rw authentication
405    | | +--rw preshared-key? empty
406    | | +--rw rsa-signature? empty
407    | +--rw lifetime uint32
408    | +--rw address-allocation
409    | | +--rw aaa? empty
410    | +--rw connection-type connection-type-t
411    | +--rw pre-shared-key? union
412    | +--rw validate-certificate-identity? empty
413    | +--rw seq* [seq-id]
414    | | +--rw seq-id uint32
415    | | +--rw proposal? leafref
416    | +--rw identity
417    | | +--rw local
418    | | | +--rw (identity)?
419    | | | +--:(ipv4-address)
420    | | | | +--rw ipv4-address? inet:ipv4-address
421    | | | +--:(ipv6-address)
422    | | | | +--rw ipv6-address? inet:ipv6-address
423    | | | +--:(fqdn-string)
424    | | | | +--rw fqdn-string? inet:domain-name
425    | | | +--:(rfc822-address-string)
426    | | | | +--rw rfc822-address-string? string
427    | | | +--:(dnX509)
428    | | | +--rw dnX509? string
429    | | +--rw remote
430    | | +--rw (identity)?
431    | | +--:(ipv4-address)
432    | | | +--rw ipv4-address? inet:ipv4-address
433    | | +--:(ipv6-address)
434    | | | +--rw ipv6-address? inet:ipv6-address
435    | | +--:(fqdn-string)
436    | | | +--rw fqdn-string? inet:domain-name
437    | | +--:(rfc822-address-string)
438    | | | +--rw rfc822-address-string? string
439    | | +--:(dnX509)
440    | | +--rw dnX509? string
441    | +--rw description? string

443 3.4. IPsec Operation Data Model

445    The IPsec data model provides the appropriate leaves for operational
446    states of the IPsec protocol. The IPsec YANG data model has the
447    following structure:

449    +--ro ipsec-state {ipsec-state}?
450    | +--ro policy* {ipsec-policy-state}?
451    | | +--ro name? string
452    | | +--ro anti-replay-window? uint32
453    | | +--ro perfect-forward-secrecy? diffie-hellman-group-t
454    | | +--ro seq*
455    | | +--ro seq-id? uint32
456    | | +--ro proposal-name? string
457    | +--ro proposal* {ipsec-proposal-state}?
458    | | +--ro name? string
459    | | +--ro ah? ike-integrity-algorithm-t
460    | | +--ro esp
461    | | | +--ro authentication? ike-integrity-algorithm-t
462    | | | +--ro encryption? ike-encryption-algorithm-t
463    | | +--ro ip-comp? empty
464    | | +--ro lifetime
465    | | +--ro kbytes? uint32
466    | | +--ro seconds? uint32
467    | +--ro hold-down? uint32 {ipsec-alarms-state}?
468    | +--ro sa* {ipsec-sa-state}?
469    | | +--ro name? string
470    | | +--ro anti-replay-window? uint16
471    | | +--ro ip-comp? empty
472    | | +--ro spi? uint32 {ipsec-sa-ah-state}?
473    | | +--ro description? string {ipsec-sa-ah-state}?
474    | | +--ro authentication-algorithm? ike-integrity-algorithm-t {ipsec-sa-ah-
475    state}?
476    | | +--ro encryption-algorithm? ike-encryption-algorithm-t {ipsec-sa-ah-
477    state}?
478    | +--ro redundancy {ipsec-redundancy}?
479    | +--ro inter-chassis? empty

481 3.5. IKEv1 Operation Data Model

483    The IKEv1 data model provides the appropriate leaves for operational
484    states of the IKEv1 protocol. The IKEv1 YANG data model has the
485    following structure:

487    +--ro ike-state {ikev1-state}?
488    | +--ro proposal* {ike-proposal-state}?
489    | | +--ro name? string
490    | | +--ro lifetime? uint32
491    | | +--ro encryption? ike-encryption-algorithm-t
492    | | +--ro dh-group? diffie-hellman-group-t
493    | | +--ro authentication? ike-integrity-algorithm-t
494    | +--ro policy* {ike-policy-state}?
495    | +--ro name? string
496    | +--ro description? string
497    | +--ro mode? enumeration
498    | +--ro connection-type? connection-type-t
499    | +--ro local-identity? inet:ipv4-address-no-zone
500    | +--ro remote-identity? inet:ipv4-address-no-zone
501    | +--ro pre-shared-key? string
502    | +--ro seq? uint32
503    | +--ro proposal? string

505 3.6. IKEv2 Operation Data Model

507    The IKEv2 data model provides the appropriate leaves for operational
508    states of the IKEv2 protocol. The IKEv2 YANG data model has the
509    following structure:

511    +--ro ikev2-state {ikev2-state}?
512    | +--ro proposal* {ikev2-proposal-state}?
513    | | +--ro name? string
514    | | +--ro pseudo-random-function? pseudo-random-function-t
515    | | +--ro authentication? ike-integrity-algorithm-t
516    | | +--ro encryption? ike-encryption-algorithm-t
517    | | +--ro dh-group diffie-hellman-group-t
518    | +--ro policy* {ike-policy-state}?
519    | +--ro name? string
520    | +--ro description? string
521    | +--ro mode? enumeration
522    | +--ro connection-type? connection-type-t
523    | +--ro local-identity? inet:ipv4-address-no-zone
524    | +--ro remote-identity? inet:ipv4-address-no-zone
525    | +--ro pre-shared-key? string
526    | +--ro seq? uint32
527    | +--ro proposal? string

529 3.7. IPsec SAD Operational Data Model

531    The IPsec SAD (Security Association Database) container maintains
532    information related to the IPSEC SAs established in a system. This
533    is a run-time data structure that is created upon the first SA being
534    established. The key for fetching an SA in this database is the
535    triplet: SPI, protocol and destination address of the SA to be
536    fetched from the SA database.

538    The SAD entries also contain information about the IPSEC tunnel like
539    direction, SA-type (manual or VPN SA), sequence number, anti-replay
540    window size, protocol mode, ipsec algorithm info, life time in
541    Seconds/Bytes etc, NAT traversal info, path-mtu, dscp etc.

543    +--ro sad {sad}?
544    | +--ro sad-entries* [spi security-protocol direction]
545    | +--ro spi ipsec-spi
546    | +--ro security-protocol ipsec-protocol
547    | +--ro direction ipsec-traffic-direction
548    | +--ro sa-type? enumeration
549    | +--ro sequence-number? uint64
550    | +--ro sequence-number-overflow-flag? boolean
551    | +--ro anti-replay-enable-flag? boolean
552    | +--ro anti-replay-window-size? uint64
553    | +--ro ah-auth-algorithm? ipsec-authentication-algorithm {ipsec-
554    ah-authentication}?
555    | +--ro esp-integrity-algorithm? ipsec-authentication-algorithm {ipsec-
556    esp-integrity}?
557    | +--ro esp-encrypt-algorithm? ipsec-encryption-algorithm {ipsec-esp-
558    encrypt}?
559    | +--ro life-time
560    | | +--ro life-time-in-seconds? uint32
561    | | +--ro remain-life-time-in-seconds? uint32
562    | | +--ro life-time-in-byte? uint32
563    | | +--ro remain-life-time-in-byte? uint32
564    | +--ro protocol-mode? ipsec-mode
565    | +--ro tunnel-mode-process-info
566    | | +--ro local-address? string {ipsec-tunnel}?
567    | | +--ro remote-address? string {ipsec-tunnel}?
568    | | +--ro bypass-df? enumeration {ipsec-tunnel}?
569    | | +--ro dscp-flag? boolean {ipsec-tunnel}?
570    | | +--ro stateful-frag-check-flag? boolean {ipsec-tunnel}?
571    | +--ro dscp* uint8
572    | +--ro path-mtu? uint16
573    | +--ro nat-traversal-flag? boolean

575 3.8. IPsec SPD Operational Data Model

577    The IPSEC SPD (Security Policy Database) container maintains policy
578    information related to the IPSEC SAs established in a system. This
579    is a run-time data structure that is created when the first IPSEC
580    policy is created.

582    The SPD entries also contain information about the traffic
583    selectors, protect action (permit, deny), protocol information etc
584    as shown below. Based on this information the IPSEC module
585    processes the outbound and inbound traffic.

587    +--ro spd {spd}?
588    | +--ro spd-entries*
589    | +--ro name*
590    | | +--ro name-type? ipsec-spd-name
591    | | +--ro name-string? string
592    | | +--ro name-binary? binary
593    | +--ro pfp-flag? boolean
594    | +--ro traffic-selector*
595    | | +--ro local-address-low? inet:ip-address {ipsec-local-address-range}?
596    | | +--ro local-address-high? inet:ip-address {ipsec-local-address-range}?
597    | | +--ro remote-address-low? inet:ip-address {ipsec-remote-address-range}?
598    | | +--ro remote-address-high? inet:ip-address {ipsec-remote-address-range}?
599    | | +--ro next-protocol-low? uint16 {ipsec-next-protocol-range}?
600    | | +--ro next-protocol-high? uint16 {ipsec-next-protocol-range}?
601    | | +--ro local-port-low? inet:port-number {ipsec-local-port-range}?
602    | | +--ro local-port-high? inet:port-number {ipsec-local-port-range}?
603    | | +--ro remote-port-high? inet:port-number {ipsec-remote-port-range}?
604    | | +--ro remote-port-low? inet:port-number {ipsec-remote-port-range}?
605    | +--ro operation? ipsec-spd-operation
606    | +--ro protect-operation
607    | +--ro spd-ipsec-mode? ipsec-mode
608    | +--ro esn-flag? boolean
609    | +--ro spd-ipsec-protocol? ipsec-protocol
610    | +--ro tunnel-mode-additional
611    | | +--ro local-address? string {ipsec-tunnel}?
612    | | +--ro remote-address? string {ipsec-tunnel}?
613    | | +--ro bypass-df? enumeration {ipsec-tunnel}?
614    | | +--ro dscp-flag? boolean {ipsec-tunnel}?
615    | | +--ro stateful-frag-check-flag? boolean {ipsec-tunnel}?
616    | +--ro spd-algorithm*
617    | +--ro ah-auth-algorithm? ipsec-authentication-algorithm {ipsec-
618    ah-authentication}?
619    | +--ro esp-integrity-algorithm? ipsec-authentication-algorithm {ipsec-
620    esp-integrity}?
621    | +--ro esp-encrypt-algorithm? ipsec-encryption-algorithm {ipsec-esp-
622    encrypt}?

623 3.9. IPsec Global Statistics Operational Data Model

625    The IPSEC Global Statistics container is used to maintain
626    information related to all the IPSEC tunnels established in the
627    system. These could be related to IPv4 IPSEC tunnels or IPv6 IPSEC
628    tunnels.

630    The information maintained includes: traffic sent/received on an
631    IPSEC tunnel like number of outbound/inbound packets, number of
632    outbound/inbound bytes, number of packets dropped, number of
633    replayed packets, number of packet authentication failures, number
634    of packets dropped due to queue full, number of packets dropped due
635    to deny policy, number of packets dropped due to being malformed,
636    number of packets dropped due to being too large.

638    +--ro ipsec-global-statistics {ipsec-global-stats}?
639    +--ro ipv4
640    | +--ro inbound-packets? uint64 {ipsec-stat}?
641    | +--ro outbound-packets? uint64 {ipsec-stat}?
642    | +--ro inbound-bytes? uint64 {ipsec-stat}?
643    | +--ro outbound-bytes? uint64 {ipsec-stat}?
644    | +--ro inbound-drop-packets? uint64 {ipsec-stat}?
645    | +--ro outbound-drop-packets? uint64 {ipsec-stat}?
646    | +--ro dropped-packet-detail {ipsec-stat}?
647    | +--ro sa-non-exist? uint64
648    | +--ro queue-full? uint64
649    | +--ro auth-failure? uint64
650    | +--ro malform? uint64
651    | +--ro replay? uint64
652    | +--ro large-packet? uint64
653    | +--ro invalid-sa? uint64
654    | +--ro policy-deny? uint64
655    | +--ro other-reason? uint64
656    +--ro ipv6
657    | +--ro inbound-packets? uint64 {ipsec-stat}?
658    | +--ro outbound-packets? uint64 {ipsec-stat}?
659    | +--ro inbound-bytes? uint64 {ipsec-stat}?
660    | +--ro outbound-bytes? uint64 {ipsec-stat}?
661    | +--ro inbound-drop-packets? uint64 {ipsec-stat}?
662    | +--ro outbound-drop-packets? uint64 {ipsec-stat}?
663    | +--ro dropped-packet-detail {ipsec-stat}?
664    | +--ro sa-non-exist? uint64
665    | +--ro queue-full? uint64
666    | +--ro auth-failure? uint64
667    | +--ro malform? uint64
668    | +--ro replay? uint64
669    | +--ro large-packet? uint64
670    | +--ro invalid-sa? uint64
671    | +--ro policy-deny? uint64
672    | +--ro other-reason? uint64
673    +--ro global
674    +--ro inbound-packets? uint64 {ipsec-stat}?
675    +--ro outbound-packets? uint64 {ipsec-stat}?
676    +--ro inbound-bytes? uint64 {ipsec-stat}?
677    +--ro outbound-bytes? uint64 {ipsec-stat}?
678    +--ro inbound-drop-packets? uint64 {ipsec-stat}?
679    +--ro outbound-drop-packets? uint64 {ipsec-stat}?
680    +--ro dropped-packet-detail {ipsec-stat}?
681    +--ro sa-non-exist? uint64
682    +--ro queue-full? uint64
683    +--ro auth-failure? uint64
684    +--ro malform? uint64
685    +--ro replay? uint64
686    +--ro large-packet? uint64
687    +--ro invalid-sa? uint64
688    +--ro policy-deny? uint64
689    +--ro other-reason? uint64

691 3.10. RPC Operation

693    This section defines the RPCs supported for the IPsec protocol.

695    rpcs:
696    +---x clear-ipsec-group {clear-ipsec-group}?
697    | +--ro input
698    | +--ro alarm-hold-down? uint8
699    | +--ro ipsec-policy-name? leafref
700    +---x clear-ike-group {clear-ike-group}?
701    | +--ro input
702    | +--ro proposal? leafref
703    +---x clear-ikev2-group {clear-ikev2-group}?
704    | +--ro input
705    | +--ro proposal? leafref
706    +---x reset-ipv4 {reset-ipv4}?
707    | +--ro input
708    | | +--ro ipv4? empty
709    | +--ro output
710    | +--ro status? string
711    +---x reset-ipv6 {reset-ipv6}?
712    | +--ro input
713    | | +--ro ipv6? empty
714    | +--ro output
715    | +--ro status? string
716    +---x reset-global {reset-global}?
717    +--ro input
718    | +--ro ipv6? empty
719    +--ro output
720    +--ro status? string

722 3.11. Notifications

724    This model defines a list of notifications to inform clients of
725    important events detected during the protocol operation. These
726    events include events related to changes in the operational state of
727    an IKE SA, IPsec SA, Statistics etc.

729    notifications:
730    +---n dpd-failure
731    | +--ro peer-id? string
732    +---n peer-authentication-failure {peer-authentication-failure}?
733    | +--ro peer-id? string
734    +---n ike-reauth-failure {ike-reauth-failure}?
735    | +--ro peer-id? string
736    +---n ike-rekey-failure {ike-rekey-failure}?
737    | +--ro peer-id? string
738    | +--ro old-i-spi? uint64
739    | +--ro old-r-spi? uint64
740    +---n ipsec-rekey-failure {ipsec-rekey-failure}?
741    +--ro peer-id? string
742    +--ro old-inbound-spi? ipsec-spi
743    +--ro old-outbound-spi? ipsec-spi

745 4. IPsec YANG Module

747    This section presents the YANG data model for IPsec, IKEv1, and
748    IKEv2.

750    file "ietf-ipsec@2016-03-09.yang"

752    module ietf-ipsec {
753      namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec";
754      prefix "eipsec";

756      import ietf-inet-types {
757        prefix inet;
758      }

760      import ietf-yang-types {
761        prefix yang;
762      }

764      organization "Ericsson AB.
765                    Huawei Technologies India Pvt Ltd.";

767      contact "Web: ";

769      description
770        "This YANG module defines the configuration and operational
771         state data for Internet Protocol Security (IPSec) on
772         IETF draft.
773         Copyright (c) 2016 Ericsson AB.
     All rights reserved.";

  revision 2016-03-09 {
    description
      "Third revision.
       Fix YANG compiling error because it used internal
       data model econtext and should be removed in the
       draft.
       Fix warnings.
       Run validation on
       http://www.netconfcentral.org/yangdumpresults";
    reference
      "Update since second revision.";
  }
  revision 2015-09-13 {
    description
      "Second revision.";
    reference
      "updates since initial revision.

       combining:
       draft-tran-ipecme-yang-ipsec-00.
       draft-wang-ipsecme-ike-yang-00.
       draft-wang-ipsecme-ipsec-yang-00.";
  }
  revision 2015-05-14 {
    description
      "Initial revision.";
    reference
      "May 14, 2015 draft-tran-ipecme-yang-ipsec-00.
       May 22, 2015 draft-wang-ipsecme-ike-yang-00.
       June 15, 2015 draft-wang-ipsecme-ipsec-yang-00.";
  }

  /*--------------------*/
  /* Feature */
  /*--------------------*/

  feature ikev1 {
    description
      "Feature IKEv1";
  }

  feature ike-proposal-state {
    description
      "IKEv2 Proposal Operational State";
  }

  feature ike-policy-state {
    description
      "IKEv1 Policy Operational State";
  }

  feature ikev1-state {
    description
      "IKEv1 Operational State";
  }

  feature ike-reauth-failure {
    description
      "IKEv1 Reauthorization Failure";
  }

  feature ike-rekey-failure {
    description
      "IKEv1 Rekey Failure";
  }

  feature ikev2 {
    description
      "Feature IKEv2";
  }

  feature ikev2-global {
    description
      "Feature IKEv2 Global Parameters";
  }

  feature ikev2-peer {
    description
      "Feature IKEv2 Peer";
  }

  feature ikev2-proposal {
    description
      "Feature IKEv2 Proposal";
  }

  feature ikev2-policy {
    description
      "Feature IKEv2 Policy";
  }

  feature ikev2-proposal-state {
    description
      "IKEv2 Proposal Operational State";
  }

  feature ikev2-state {
    description
      "IKEv2 Operational State";
  }

  feature ipsec {
    description
      "Feature IPsec";
  }

  feature ipsec-acl {
    description
      "Feature IPsec ACL";
  }

  feature ipsec-sad {
    description
      "Feature IPsec SAD";
  }

  feature ipsec-proposal {
    description
      "Feature IPsec Proposal";
  }

  feature ipsec-spd {
    description
      "Feature IPsec SPD";
  }

  feature ipsec-policy-state {
    description
      "IPsec Policy Operational State";
  }

  feature ipsec-proposal-state {
    description
      "IPsec Proposal Operational State";
  }

  feature ipsec-alarms-state {
    description
      "IPsec Alarm State Operational State";
  }

  feature ipsec-sa-ah-state {
    description
      "IPsec SA AH Operational State";
  }

  feature ipsec-sa-state {
    description
      "IPsec SA Operational State";
  }

  feature ipsec-tunnel {
    description
      "IPsec Tunnel";
  }

  feature ipsec-local-address-range {
    description
      "IPsec Local Address Range";
  }

  feature ipsec-remote-address-range {
    description
      "IPsec Remote Address Range";
  }

  feature ipsec-next-protocol-range {
    description
      "IPsec Next Protocol Range";
  }

  feature ipsec-local-port-range {
    description
      "IPsec Local Port Range";
  }

  feature ipsec-remote-port-range {
    description
      "IPsec Remote Port Range";
  }

  feature ipsec-ah-authentication {
    description
      "IPsec AH Authentication";
  }

  feature ipsec-esp-integrity {
    description
      "IPsec ESP Integrity";
  }

  feature ipsec-esp-encrypt {
    description
      "IPsec ESP encryption";
  }

  feature ipsec-stat {
    description
      "IPsec Stats";
  }

  feature ipsec-state {
    description
      "IPsec Operational State";
  }

  feature ipsec-rekey-failure {
    description
      "IPsec Rekey Failure";
  }

  feature ipsec-redundancy {
    description
      "IPsec Redundancy State";
  }

  feature sad {
    description
      "Security Association (SA) Database";
  }
  feature spd {
    description
      "Security Policy Database";
  }

  feature ipsec-global-stats {
    description
      "IPsec Global Stats";
  }

  feature clear-ipsec-group {
    description
      "Clear IPsec group";
  }

  feature clear-ike-group {
    description
      "Clear IKE group";
  }

  feature clear-ikev2-group {
    description
      "Clear IKEv2 group";
  }

  feature reset-ipv4 {
    description
      "Reset IPv4";
  }

  feature reset-ipv6 {
    description
      "Reset IPv6";
  }

  feature reset-global {
    description
      "Reset Global";
  }

  feature peer-authentication-failure {
    description
      "Peer Authentication Failure";
  }

  /*--------------------*/
  /* Typedefs */
  /*--------------------*/

  typedef authentication-method-t {
    type enumeration {
      enum psk {
        value 0;
        description
          "Pre-Sharing Keys.";
      }
      enum certificate {
        value 1;
        description
          "Certificate.";
      }
    }
    description
      "Available authentication methods.";
  }

  /* IKEv2 Exchange Types (ET) */
  typedef ikev2-exchange-type-t {
    type enumeration {
      enum ikev2-et-ike-sa-init {
        value 34;
        description
          "ikev2-et-ike-sa-init - RFC 7296.";
      }
      enum ikev2-et-ike-auth {
        value 35;
        description
          "ikev2-et-ike-auth - RFC 7296.";
      }
      enum ikev2-et-create-child-sa {
        value 36;
        description
          "ikev2-et-create-child-sa - RFC 7296.";
      }
      enum ikev2-et-informational {
        value 37;
        description
          "ikev2-et-informational - RFC 7296.";
      }
      enum ikev2-et-ike-session-resume {
        value 38;
        description
          "ikev2-et-ike-session-resume - RFC 7296.";
      }
      enum ikev2-et-gsa-auth {
        value 39;
        description
          "ikev2-et-gsa-auth - RFC 7296.";
      }
      enum ikev2-et-gsa-registration {
        value 40;
        description
          "ikev2-et-gsa-registration - RFC 7296.";
      }
      enum ikev2-et-gsa-rekey {
        value 41;
        description
          "ikev2-et-gsa-rekey - RFC 7296.";
      }
    }
    description
      "IKEv2 Exchange Types (ET).";
  }

  /* Transform Type Values (TTV), RFC 7296 */
  typedef transform-type-value-t {
    type enumeration {
      enum ttv-reserved-0 {
        value 0;
        description
          "ttv-reserved-0 - Transform Type Value Reserved "+
          "(RFC 7296).";
      }
      enum ttv-encr {
        value 1;
        description
          "ttv-encr - Transform Type Value 1, Encryption Algorithm "+
          "(ENCR) used in IKE and ESP.";
      }
      enum ttv-prf {
        value 2;
        description
          "ttv-prf - Transform Type Value 2, "+
          "Pseudo-Random Function(PRF) used in IKE.";
      }
      enum ttv-integ {
        value 3;
        description
          "ttv-integ - Transform Type Value 3, Integrity Algorithm"+
          " (INTEG) used in IKE, AH, optional ESP.";
      }
      enum ttv-dh {
        value 4;
        description
          "ttv-dh - Transform Type Value 4, Diffie-Hellman (DH) "+
          "used in IKE, optional AH and ESP.";
      }
      enum ttv-esn {
        value 5;
        description
          "ttv-esn - Transform Type Value 5, Extended Sequence "+
          "Numbers (ESN) used in AH and ESP.";
      }
    }
    description
      "Transform Type Values (RFC 7296).";
  }

  /* IKEv2 Transform Attribute Types (TAT) */
  typedef ikev2-transform-attribute-type-t {
    type enumeration {
      enum ikev2-tat-reserved-0 {
        value 0;
        description
          "ikev2-tat-reserved-0 - IKEv2 Transform Attribute "+
          "Type Reserved-0 (RFC 7296).";
      }
      enum ikev2-tat-reserved-1 {
        value 1;
        description
          "ikev2-tat-reserved-1 - IKEv2 Transform Attribute "+
          "Type Reserved-1 (RFC 7296).";
      }
      enum ikev2-tat-reserved-13 {
        value 13;
        description
          "ikev2-tat-reserved-13 - IKEv2 Transform Attribute "+
          "Type Reserved-13 (RFC 7296).";
      }
      enum ikev2-tat-key-length {
        value 41;
        description
          "ikev2-tat-key-length - IKEv2 Transform Attribute "+
          "Type KEY LENGTH (in bits) (RFC 7296).";
      }
    }
    description
      "IKEv2 Transform Attribute Types (TAT) (RFC 7296).";
  }

  /* Transform Type 1 (Encryption Algorithm Transform IDs) */
  typedef ike-encryption-algorithm-t {
    type enumeration {
      enum encr-reserved-0 {
        value 0;
        description
          "encr-reserved-0 --> RFC_5996.";
      }
      enum encr-des-iv4 {
        value 1;
        description
          "encr-des-iv4 --> RFC_5996.";
      }
      enum encr-des {
        value 2;
        description
          "encr-des --> RFC_5996.";
      }
      enum encr-3des {
        value 3;
        description
          "encr-3des --> RFC_5996.";
      }
      enum encr-rc5 {
        value 4;
        description
          "encr-rc5 --> RFC_5996.";
      }
      enum encr-idea {
        value 5;
        description
          "encr-idea --> RFC_5996.";
      }
      enum encr-cast {
        value 6;
        description
          "encr-cast --> RFC_5996.";
      }
      enum encr-blowfish {
        value 7;
        description
          "encr-blowfish --> RFC_5996.";
      }
      enum encr-3idea {
        value 8;
        description
          "encr-3idea --> RFC_5996.";
      }
      enum encr-des-iv32 {
        value 9;
        description
          "encr-des-iv32 --> RFC_5996.";
      }
      enum encr-reserved-10 {
        value 10;
        description
          "encr-reserved-10 --> RFC_5996.";
      }
      enum encr-null {
        value 11;
        description
          "encr-null --> RFC_5996.";
      }
      enum encr-aes-cbc {
        value 12;
        description
          "encr-aes-cbc --> RFC_5996.";
      }
      enum encr-aes-ctr {
        value 13;
        description
          "encr-aes-ctr --> RFC_5996.";
      }
      enum encr-aes-ccm-8 {
        value 14;
        description
          "encr-aes-ccm-8 --> RFC_5996.";
      }
      enum encr-aes-ccm-12 {
        value 15;
        description
          "encr-aes-ccm-12 --> RFC_5996.";
      }
      enum encr-aes-ccm-16 {
        value 16;
        description
          "encr-aes-ccm-16 --> RFC_5996.";
      }
      enum encr-reserved-17 {
        value 17;
        description
          "encr-reserved-17 --> RFC_5996.";
      }
      enum encr-aes-gcm-8-icv {
        value 18;
        description
          "encr-aes-gcm-8-icv --> RFC_5996.";
      }
      enum encr-aes-gcm-12-icv {
        value 19;
        description
          "encr-aes-gcm-12-icv --> RFC_5996.";
      }
      enum encr-aes-gcm-16-icv {
        value 20;
        description
          "encr-aes-gcm-16-icv --> RFC_5996.";
      }
      enum encr-null-auth-aes-gmac {
        value 21;
        description
          "encr-null-auth-aes-gmac --> RFC_5996.";
      }
      enum encr-ieee-p1619-xts-aes {
        value 22;
        description
          "encr-ieee-p1619-xts-aes --> Reserved for "+
          "IEEE P1619 XTS-AES.";
      }
      enum encr-camellia-cbc {
        value 23;
        description
          "encr-camellia-cbc --> RFC_5996.";
      }
      enum encr-camellia-ctr {
        value 24;
        description
          "encr-camellia-ctr --> RFC_5996.";
      }
      enum encr-camellia-ccm-8-icv {
        value 25;
        description
          "encr-camellia-ccm-8-icv --> RFC_5996.";
      }
      enum encr-camellia-ccm-12-icv {
        value 26;
        description
          "encr-camellia-ccm-12-icv --> RFC_5996.";
      }
      enum encr-camellia-ccm-16-icv {
        value 27;
        description
          "encr-camellia-ccm-16-icv --> RFC_5996.";
      }
      enum encr-aes-cbc-128 {
        value 1024;
        description
          "encr-aes-cbc-128 --> RFC_5996.";
      }
      enum encr-aes-cbc-192 {
        value 1025;
        description
          "encr-aes-cbc-192 --> RFC_5996.";
      }
      enum encr-aes-cbc-256 {
        value 1026;
        description
          "encr-aes-cbc-256 --> RFC_5996.";
      }
      enum encr-blowfish-128 {
        value 1027;
        description
          "encr-blowfish-128 --> RFC_5996.";
      }
      enum encr-blowfish-192 {
        value 1028;
        description
          "encr-blowfish-192 --> RFC_5996.";
      }
      enum encr-blowfish-256 {
        value 1029;
        description
          "encr-blowfish-256 --> RFC_5996.";
      }
      enum encr-blowfish-448 {
        value 1030;
        description
          "encr-blowfish-448 --> RFC_5996.";
      }
      enum encr-camellia-128 {
        value 1031;
        description
          "encr-camellia-128 --> RFC_5996.";
      }
      enum encr-camellia-192 {
        value 1032;
        description
          "encr-camellia-192 --> RFC_5996.";
      }
      enum encr-camellia-256 {
        value 1033;
        description
          "encr-camellia-256 --> RFC_5996.";
      }
    }
    description
      "Transform Type 1 - Internet Key Exchange (IKE) "+
      "encryption algorithms.";
  }

  /* Transform Type 2 (Pseudo-Random Function PRF) */
  typedef pseudo-random-function-t {
    type enumeration {
      enum prf-reserved-0 {
        value 0;
        description
          "prf-reserved-0 --> RFC_2104.";
      }
      enum prf-hmac-md5 {
        value 1;
        description
          "prf-hmac-md5 --> RFC_2104.";
      }
      enum prf-hmac-sha1 {
        value 2;
        description
          "prf-hmac-sha1 --> RFC2104.";
      }
      enum prf-hmac-tiger {
        value 3;
        description
          "prf-hmac-tiger --> RFC2104.";
      }
      enum prf-aes128-xcbc {
        value 4;
        description
          "prf-aes128-xcbc --> RFC_4434.";
      }
      enum prf-hmac-sha2-256 {
        value 5;
        description
          "prf-hmac-sha2-256 --> RFC_4434.";
      }
      enum prf-hmac-sha2-384 {
        value 6;
        description
          "prf-hmac-sha2-384 --> RFC_4434.";
      }
      enum prf-hmac-sha2-512 {
        value 7;
        description
          "prf-hmac-sha2-512 --> RFC_4434.";
      }
      enum prf-aes128-cmac {
        value 8;
        description
          "prf-aes128-cmac --> RFC_4615.";
      }
    }
    description
      "Available Pseudo-Random Functions (PRF).";
  }

  /* Transform Type 3 (Integrity Algorithm) */
  typedef ike-integrity-algorithm-t {
    type enumeration {
      enum auth-none {
        value 0;
        description
          "auth-none --> RFC_5996.";
      }
      enum auth-hmac-md5-96 {
        value 1;
        description
          "auth-hmac-md5-96 --> RFC_5996.";
      }
      enum auth-hmac-sha1-96 {
        value 2;
        description
          "auth-hmac-sha1-96 --> RFC_5996.";
      }
      enum auth-des-mac {
        value 3;
        description
          "auth-des-mac --> RFC_5996.";
      }
      enum auth-kpdk-md5 {
        value 4;
        description
          "auth-kpdk-md5 --> RFC_5996.";
      }
      enum auth-aes-xcbc-96 {
        value 5;
        description
          "auth-aes-xcbc-96 --> RFC_5996.";
      }
      enum auth-hmac-md5-128 {
        value 6;
        description
          "auth-hmac-md5-128 --> RFC_5996.";
      }
      enum auth-hmac-sha1-160 {
        value 7;
        description
          "auth-hmac-sha1-160 --> RFC_5996.";
      }
      enum auth-aes-cmac-96 {
        value 8;
        description
          "auth-aes-cmac-96 --> RFC_5996.";
      }
      enum auth-aes-128-gmac {
        value 9;
        description
          "auth-aes-128-gmac --> RFC_5996.";
      }
      enum auth-aes-192-gmac {
        value 10;
        description
          "auth-aes-192-gmac --> RFC_5996.";
      }
      enum auth-aes-256-gmac {
        value 11;
        description
          "auth-aes-256-gmac --> RFC_5996.";
      }
      enum auth-hmac-sha2-256-128 {
        value 12;
        description
          "auth-hmac-sha2-256-128 --> RFC_5996.";
      }
      enum auth-hmac-sha2-384-192 {
        value 13;
        description
          "auth-hmac-sha2-384-192 --> RFC_5996.";
      }
      enum auth-hmac-sha2-512-256 {
        value 14;
        description
          "auth-hmac-sha2-512-256 --> RFC_5996.";
      }
      enum auth-hmac-sha2-256-96 {
        value 1024;
        description
          "auth-hmac-sha2-256-96.";
      }
    }
    description
      "Transform Type 3 - Internet Key Exchange (IKE) "+
      "Integrity Algorithms.";
  }

  /* Transform Type 4 (Diffie-Hellman Group) */
  typedef diffie-hellman-group-t {
    type enumeration {
      enum group-none {
        value 0;
        description
          "group-none --> RFC_5996.";
      }
      enum modp-768-group-1 {
        value 1;
        description
          "modp-768-group-1 --> RFC_5996.";
      }
      enum modp-1024-group-2 {
        value 2;
        description
          "modp-1024-group-2 --> RFC_5996.";
      }
      enum modp-1536-group-5 {
        value 5;
        description
          "modp-1536-group-5 --> RFC_3526.";
      }
      enum modp-2048-group-14 {
        value 14;
        description
          "modp-2048-group-14 --> RFC_3526.";
      }
      enum modp-3072-group-15 {
        value 15;
        description
          "modp-3072-group-15 --> RFC_3526.";
      }
      enum modp-4096-group-16 {
        value 16;
        description
          "modp-4096-group-16 --> RFC_3526.";
      }
      enum modp-6144-group-17 {
        value 17;
        description
          "modp-6144-group-17 --> RFC_3526.";
      }
      enum modp-8192-group-18 {
        value 18;
        description
          "modp-8192-group-18 --> RFC_3526.";
      }
      enum recp-256-group-19 {
        value 19;
        description
          "recp-256-group-19 --> RFC_6989. 256-bit"+
          " Random ECP Group.";
      }
      enum recp-384-group-20 {
        value 20;
        description
          "recp-384-group-20 --> RFC_6989. 384-bit"+
          " Random ECP Group.";
      }
      enum recp-521-group-21 {
        value 21;
        description
          "recp-521-group-21 --> RFC_6989. 521-bit"+
          " Random ECP Group.";
      }
      enum modp-1024-160-pos-group-22 {
        value 22;
        description
          "modp-1024-160-pos-group-22 --> RFC_6989."+
          " 1024-bit MODP Group with"+
          " 160-bit Prime Order Subgroup (POS).";
      }
      enum modp-2048-224-pos-group-23 {
        value 23;
        description
          "modp-2048-224-pos-group-23 --> RFC_6989."+
          " 2048-bit MODP Group with"+
          " 224-bit Prime Order Subgroup (POS).";
      }
      enum modp-2048-256-pos-group-24 {
        value 24;
        description
          "modp-2048-256-pos-group-24 --> RFC_6989."+
          " 2048-bit MODP Group with"+
          " 256-bit Prime Order Subgroup (POS).";
      }
      enum recp-192-group-25 {
        value 25;
        description
          "recp-192-group-25 --> RFC_6989."+
          " 192-bit Random ECP Group.";
      }
      enum recp-224-group-26 {
        value 26;
        description
          "recp-224-group-26 --> RFC_6989."+
          " 224-bit Random ECP Group.";
      }
    }
    description
      "Diffie-Hellman Groups (RFC 5996).";
  }

  /* Transform Type 5 (Extended Sequence Numbers
     Transform ESN IDs) */
  typedef extended-sequence-number-t {
    type enumeration {
      enum esn-none {
        value 0;
        description
          "esn-none - Extended Sequence Number None --> RFC_7296.";
      }
      enum esn-1 {
        value 1;
        description
          "esn-1 - Extended Sequence Number --> RFC_7296.";
      }
    }
    description
      "Extended Sequence Number (RFC 7296).";
  }

  typedef connection-type-t {
    type enumeration {
      enum initiator-only {
        value 0;
        description
          "initiator-only: ME will act as initiator for"+
          " bringing up IKEv2"+
          " session with its IKE peer.";
      }
      enum responder-only {
        value 1;
        description
          "responder-only: ME will act as responder for"+
          " bringing up IKEv2"+
          " session with its IKE peer.";
      }
      enum both {
        value 2;
        description
          "both: ME can act as initiator or responder.";
      }
    }
    description
      "Connection type for IKE session.";
  }

  typedef transport-protocol-name-t {
    type enumeration {
      enum tcp {
        value 1;
        description
          "Transmission Control Protocol (TCP) Transport Protocol.";
      }
      enum udp {
        value 2;
        description
          "User Datagram Protocol (UDP) Transport Protocol";
      }
      enum sctp {
        value 3;
        description
          "Stream Control Transmission Protocol (SCTP) Transport "+
          "Protocol";
      }
      enum icmp {
        value 4;
        description
          "Internet Control Message Protocol (ICMP) Transport "+
          "Protocol";
      }
    }
    description
      "Enumeration of well known transport protocols.";
  }

  typedef preshared-key-t {
    type string;
    description
      "Derived string used as Pre-Shared Key.";
  }

  typedef pad-type-t {
    type enumeration {
      enum dns-name {
        value 1;
        description
          "DNS name (specific or partial)";
      }
      enum distinguished-name {
        value 2;
        description
          "Distinguished Name (complete or sub-tree constrained)";
      }
      enum rfc-822 {
        value 3;
        description
          "RFC 822 email address (complete or partially qualified)";
      }
      enum ipv4-range {
        value 4;
        description
          "IPv4 Address Range";
      }
      enum ipv6-range {
        value 5;
        description
          "IPv6 Address Range";
      }
      enum key-id {
        value 6;
        description
          "Key ID (exact match only)";
      }
    }
    description
      "PAD Type";
  }

  /*-------------------------------------------------- */
  /* draft-wang-ipsecme-ipsec-yang-00: ietf-ipsec-type */
  /*-------------------------------------------------- */
  typedef ipsec-mode {
    type enumeration {
      enum "transport" {
        description
          "Transport mode";
      }
      enum "tunnel" {
        description
          "Tunnel mode";
      }
    }
    description
      "type define of ipsec mode";
  }

  typedef ipsec-protocol {
    type enumeration {
      enum "ah" {
        description
          "AH Protocol";
      }
      enum "esp" {
        description
          "ESP Protocol";
      }
    }
    description
      "type define of ipsec security protocol";
  }

  typedef ipsec-spi {
    type uint32 {
      range "1..max";
    }
    description
      "SPI";
  }

  typedef ipsec-spd-name {
    type enumeration {
      enum id_rfc_822_addr {
        description
          "Fully qualified user name string.";
      }
      enum id_fqdn {
        description
          "Fully qualified DNS name.";
      }
      enum id_der_asn1_dn {
        description
          "X.500 distinguished name.";
      }
      enum id_key {
        description
          "IKEv2 Key ID.";
      }
    }
    description
      "IPsec SPD name type";
  }

  typedef ipsec-traffic-direction {
    type enumeration {
      enum inbound {
        description
          "Inbound traffic";
      }
      enum outbound {
        description
          "Outbound traffic";
      }
    }
    description
      "IPsec traffic direction";
  }

  typedef ipsec-spd-operation {
    type enumeration {
      enum protect {
        description
          "PROTECT the traffic with IPsec";
      }
      enum bypass {
        description
          "BYPASS the traffic";
      }
      enum discard {
        description
          "DISCARD the traffic";
      }
    }
    description
      "The operation when traffic matches IPsec security policy";
  }

  /*---------------------------------------------------- */
  /* draft-wang-ipsecme-ipsec-yang-00: ietf-ipsec-crypto */
  /*---------------------------------------------------- */
  typedef ipsec-authentication-algorithm {
    type enumeration {
      enum "null" {
        value 0;
        description
          "null";
      }
      enum "md5" {
        value 1;
        description
          "MD5 authentication algorithm";
      }
      enum "sha1" {
        value 2;
        description
          "SHA1 authentication algorithm";
      }
      enum "sha2-256" {
        value 3;
        description
          "SHA2-256 authentication algorithm";
      }
      enum "sha2-384" {
        value 4;
        description
          "SHA2-384 authentication algorithm";
      }
      enum "sha2-512" {
        value 5;
        description
          "SHA2-512 authentication algorithm";
      }
    }
    description
      "typedef for ipsec authentication algorithm";
  }

  typedef ipsec-encryption-algorithm {
    type enumeration {
      enum "null" {
        description
          "null";
      }
      enum "des" {
        description
          "DES encryption algorithm";
      }
      enum "3des" {
        description
          "3DES encryption algorithm";
      }
      enum "aes-128" {
        description
          "AES-128 encryption algorithm";
      }
      enum "aes-192" {
        description
          "AES-192 encryption algorithm";
      }
      enum "aes-256" {
        description
          "AES-256 encryption algorithm";
      }
    }
    description
      "typedef for ipsec encryption algorithm";
  }

  /*-------------------------------------------------- */
  /* draft-wang-ipsecme-ike-yang-00: ietf-ipsec-type */
  /*-------------------------------------------------- */
  typedef ike-integrity-algorithm {
    type enumeration {
      enum "hmac-md5-96" {
        description
          "HMAC-MD5-96 Integrity Algorithm";
      }
      enum "hmac-sha1-96" {
        description
          "HMAC-SHA1-96 Integrity Algorithm";
      }
      enum "hmac-sha2-256" {
        description
          "HMAC-SHA2-256 Integrity Algorithm";
      }
      enum "hmac-sha2-384" {
        description
          "HMAC-SHA2-384 Integrity Algorithm";
      }
      enum "hmac-sha2-512" {
        description
          "HMAC-SHA2-512 Integrity Algorithm";
      }
    }
    description
      "typedef for ike integrity algorithm.";
  }

  typedef ike-encryption-algorithm {
    type enumeration {
      enum "des-cbc" {
        description
          "DES-CBC Encryption algorithm";
      }
      enum "3des-cbc" {
        description
          "3DES-CBC Encryption algorithm";
      }
      enum "aes-cbc-128" {
        description
          "AES-CBC-128 Encryption algorithm";
      }
      enum "aes-cbc-192" {
        description
          "AES-CBC-192 Encryption algorithm";
      }
      enum "aes-cbc-256" {
        description
          "AES-CBC-256 Encryption algorithm";
      }
    }
    description
      "typedef for ike encryption algorithm.";
  }

  typedef ike-prf-algorithm {
    type enumeration {
      enum "hmac-md5-96" {
        description
          "HMAC-MD5-96 PRF Algorithm";
      }
      enum "hmac-sha1-96" {
        description
          "HMAC-SHA1-96 PRF Algorithm";
      }
      enum "hmac-sha2-256" {
        description
          "HMAC-SHA2-256 PRF Algorithm";
      }
      enum "hmac-sha2-384" {
        description
          "HMAC-SHA2-384 PRF Algorithm";
      }
      enum "hmac-sha2-512" {
        description
          "HMAC-SHA2-512 PRF Algorithm";
      }
    }
    description
      "typedef for ike prf algorithm.";
  }

  typedef ike-dh-group {
    type enumeration {
      enum "dh-group-none" {
        description
          "None Diffie-Hellman group";
      }
      enum "dh-group-1" {
        description
          "768 bits Diffie-Hellman group";
      }
      enum "dh-group-2" {
        description
          "1024 bits Diffie-Hellman group";
      }
      enum "dh-group-5" {
        description
          "1536 bits Diffie-Hellman group";
      }
      enum "dh-group-14" {
        description
          "2048 bits Diffie-Hellman group";
      }
    }
    description
      "typedef for ike dh group";
  }

  typedef ike-peer-name-ref {
    type leafref {
      path "/ikev2/ike-peer/ike-peer-entries/peer-name";
    }
    description "reference to ike peer name";
  }

  typedef ike-proposal-number-ref {
    type leafref {
      path "/ikev2/proposal/name";
    }
    description "reference to ike proposal name";
  }

  typedef ipsec-proposal-name-ref {
    type leafref {
      path "/ipsec/proposal/ipsec-proposal/name";
    }
    description "reference to ipsec proposal name";
  }

  typedef ike-auth-method {
    type enumeration {
      enum pre-share {
        description
          "Select pre-shared key message as the
           authentication method";
      }
      enum rsa-digital-signature {
        description
          "Select rsa digital signature as the
           authentication method";
      }
      enum dss-digital-signature {
        description
          "Select dss digital signature as the
           authentication method";
      }
    }
    description "IKE authentication methods";
  }

  /*--------------------*/
  /* grouping */
  /*--------------------*/

  /* The following groupings are used in both configuration data
     and operational state data */
  grouping name-grouping {
    description
      "This grouping provides a leaf identifying the name.";
    leaf name {
      type string;
      description
        "Identifying name.";
    }
    leaf description {
      type string;
      description
        "Specify the description.";
    }
  }

  grouping sequence-number-grouping {
    description
      "This grouping provides a leaf identifying
       a sequence number.";
    leaf sequence-number {
      type uint32 {
        range "1..4294967295";
      }
      description
        "Specify the sequence number.";
    }
  }

  grouping description-grouping {
    description
      "description for free use.";
    leaf description {
      type string;
      description
        "description for free use.";
    }
  }

  grouping traffic-selector-grouping {
    description
      "Traffic selector to be used for SA negotiation.";
    leaf traffic-selector-id {
      type string;
      mandatory true;
      description
        "Traffic selector identifier.";
    }
    leaf protocol-name {
      type transport-protocol-name-t;
      description
        "Specifies the protocol selector.";
    }
    leaf address-range {
      type string;
      mandatory true;
      description
        "Specifies the IPv4 or IPv6 address range.";
    }
  }

  grouping ike-general-proposal-grouping {
    description
      "IKE proposal.";
    leaf name {
      type string;
      mandatory true;
      description
        "IKE Proposal identifier.";
    }
    leaf description {
      type string;
      description
        "Specify the description.";
    }

    leaf dh-group {
      type diffie-hellman-group-t;
      mandatory true;
      description
        "Specifies a Diffie-Hellman group.";
    }
    container encryption {
      description
        "Specify IKE Proposal encryption configuration";
      leaf algorithm {
        type ike-encryption-algorithm-t;
        description
          "Specifies an Encryption Algorithm.";
      }
    }
  }

  grouping ike-proposal-grouping {
    description
      "Configure the IKE Proposal";
    uses ike-general-proposal-grouping;

    leaf lifetime {
      type uint32;
      mandatory true;
      description
        "Configure lifetime for IKE SAs
         0: for no timeout.
         300 .. 99999999: IKE SA lifetime in seconds.";
    }
    container authentication {
      description
        "Specify IKE Proposal authentication configuration";
      leaf algorithm {
        type ike-integrity-algorithm-t;
        description
          "Specify the authentication algorithm";
      }
      leaf preshared-key {
        type empty;
        description
          "Use pre-shared key based authentication";
      }
      leaf rsa-signature {
        type empty;
        description
          "Use signature based authentication by using
           PKI certificates";
      }
    }
  }

  grouping ikev2-proposal-grouping {
    description
      "Holds an IKEv2 transform proposal used during "+
      "IKEv2 SA negotiation. Multiple IKEv2 Transforms "+
      "can be proposed during an IKEv2 session initiation "+
      "in an ordered list.";
    uses ike-general-proposal-grouping;

    leaf pseudo-random-function {
      type pseudo-random-function-t;
      mandatory true;
      description
        "Specifies Pseudo Random Function for IKEv2 key exchange";
    }
    container authentication {
      description
        "Specify IKEv2 Proposal authentication configuration";
      leaf algorithm {
        type ike-integrity-algorithm-t;
        description
          "Specify the authentication algorithm";
      }
    }
  }

  grouping ipsec-proposal-grouping {
    description
      "Configure IPSec Proposal";
    leaf name {
      type string;
      mandatory true;
      description
        "IPSec proposal identifier.";
    }
    leaf ah {
      type ike-integrity-algorithm-t;
      description
        "Configure Authentication Header (AH).";
    }
    container esp {
      description
        "Configure Encapsulating Security Payload (ESP).";
      leaf authentication {
        type ike-integrity-algorithm-t;
        description
          "Configure ESP authentication";
      }
      leaf encryption {
        type ike-encryption-algorithm-t;
        description
          "Configure ESP encryption";
      }
    }
    leaf ip-comp {
      type empty;
      description
        "Enable IPSec proposal IP-COMP which uses the IP Payload "+
        "compression protocol to compress IP Security (IPSec) "+
        "packets before encryption";
    }
    container lifetime {
      description
        "Configure lifetime for IPSEC SAs";
      leaf kbytes {
        type uint32 {
          range "128..2147483647";
        }
        description
          "Enter lifetime kbytes for IPSEC SAs";
      }
      leaf seconds {
        type uint32 {
          range "300..99999999";
        }
        description
          "Enter lifetime seconds for IPSEC SAs
           0: lifetime of 0 for no timeout
           300..99999999: IPSec SA lifetime in seconds";
      }
    }
  }

  grouping identity-grouping {
    description
      "Identification type. It is a union identity; the "+
      "possible types are as follows: "+
      "a) ID_FQDN: A fully-qualified domain name string. "+
      " An example of an ID_FQDN is example.com. "+
      " The string MUST NOT contain any terminators "+
      "(e.g., NULL, CR, etc.). "+
      "b) ID_RFC822_ADDR: A fully-qualified RFC822 email "+
      " address string. An example of an ID_RFC822_ADDR is "+
      " jsmith@example.com. The string MUST NOT contain "+
      " any terminators. "+
      "c) ID_IPV4_ADDR: A single four (4) octet IPv4 address. "+
      "d) ID_IPV6_ADDR: A single sixteen (16) octet IPv6 address. "+
      "e) DN_X509: Distinguished name in the X.509 tradition.";
    choice identity {
      description
        "Choice of identity.";
      leaf ipv4-address {
        type inet:ipv4-address;
        description
          "Specifies the identity as a single four (4)
           octet IPv4 address.
           An example is 10.10.10.10.";
      }
      leaf ipv6-address {
        type inet:ipv6-address;
        description
          "Specifies the identity as a single sixteen (16) "+
          "octet IPv6 address. "+
          "Examples are "+
          "FF01::101 and 2001:DB8:0:0:8:800:200C:417A.";
      }
      leaf fqdn-string {
        type inet:domain-name;
        description
          "Specifies the identity as a Fully-Qualified
           Domain Name (FQDN) string.
           An example is example.com.
           The string MUST NOT contain any terminators
           (e.g., NULL, CR, etc.).";
      }
      leaf rfc822-address-string {
        type string;
        description
          "Specifies the identity as a fully-qualified RFC822
           email address string.
           An example is jsmith@example.com.
2345 The string MUST not contain any terminators 2346 (e.g., NULL, CR, etc.)."; 2347 } 2348 leaf dnX509 { 2349 type string; 2350 description 2351 "Specifies the identity as a distinguished name 2352 in the X.509 tradition."; 2353 } 2354 } 2355 } /* grouping identity-grouping */ 2356 grouping ike-general-policy-profile-grouping { 2357 description 2358 "IKE policy."; 2359 leaf connection-type { 2360 type connection-type-t; 2361 mandatory true; 2362 description 2363 "Specify the IKE connection type"; 2364 } 2365 leaf pre-shared-key { 2366 type union { 2367 type string { 2368 length "16"; 2369 } 2370 type yang:hex-string { 2371 length "40"; 2372 } 2373 } 2374 description 2375 "Specify IKE pre-shared-key value"; 2376 } 2377 leaf validate-certificate-identity { 2378 type empty; 2379 description 2380 "Validate Remote-ID payload against the 2381 ID's available in the certificate"; 2382 } 2383 list seq { 2384 key seq-id; 2385 description 2386 "list of sequence of policy."; 2387 leaf seq-id { 2388 type uint32 { 2389 range "1..429496729"; 2390 } 2391 description 2392 "Sequence Number"; 2393 } 2394 leaf proposal { 2395 type leafref { 2396 path "/eipsec:ikev1/eipsec:proposal"+ 2397 "/eipsec:name"; 2398 } 2399 description 2400 "IKE Proposal reference."; 2401 } 2402 } 2403 container identity { 2404 description 2405 "Specify IKE identity value"; 2406 container local { 2407 description 2408 "Specify the identity of the local IP Security (IPSec) 2409 tunnel endpoint in an Internet Key Exchange (IKE) 2410 policy to use when negotiating IKE request with a 2411 remote peer."; 2412 uses identity-grouping; 2413 } 2414 container remote { 2415 description 2416 "Specify the identity of the remote IP Security (IPSec) 2417 tunnel endpoint in an 2418 Internet Key Exchange (IKE) policy to use when 2419 negotiating IKE request with a remote peer."; 2420 uses identity-grouping; 2421 } 2422 } 2423 } 2425 grouping ike-policy-mode-grouping { 2426 description 2427 "IKE Policy Mode"; 2428 container 
mode { 2429 description 2430 "Specify IKE mode configuration"; 2431 leaf aggressive { 2432 type empty; 2433 description 2434 "Set IKE Aggressive mode"; 2435 } 2436 leaf main { 2437 type empty; 2438 description 2439 "Set IKE Main mode"; 2440 } 2441 } 2442 } 2444 grouping ike-policy-profile-grouping { 2445 description 2446 "Configure IKE policy"; 2447 leaf name { 2448 type string; 2449 mandatory true; 2450 description 2451 "Specify an IKE policy name"; 2452 } 2453 uses ike-policy-mode-grouping; 2454 uses ike-general-policy-profile-grouping; 2455 } 2457 grouping ikev2-policy-profile-grouping { 2458 description 2459 "Common information for multiple IKE sessions 2460 to be instantiated on a managed element.; 2461 One or more Ikev2Session instances might refer 2462 to this instance."; 2463 leaf name { 2464 type string; 2465 mandatory true; 2466 description 2467 "Value component of the RDN."; 2468 } 2469 container authentication { 2470 description 2471 "Specify IKE Proposal authentication configuration"; 2472 leaf preshared-key { 2473 type empty; 2474 description 2475 "Use pre-shared key based authentication"; 2476 } 2477 leaf rsa-signature { 2478 type empty; 2479 description 2480 "Use signature based authentication by using 2481 PKI certificates"; 2482 } 2483 } 2484 leaf lifetime { 2485 type uint32; 2486 mandatory true; 2487 description 2488 "Configure lifetime for IKE SAs 2489 0: for no timeout. 2490 300 .. 
99999999: IKE SA lifetime in seconds."; 2491 } 2493 container address-allocation { 2494 must "../connection-type = 'responder-only'" { 2495 description 2496 "address-allocation can be configured only with 2497 responder-only in ike2 policy"; 2498 } 2499 leaf aaa { 2500 type empty; 2501 description 2502 "IRAC address allocation by AAA"; 2503 } 2504 description 2505 "Specify IKE IRAS address allocation option"; 2506 } 2507 uses ike-general-policy-profile-grouping; 2509 leaf description { 2510 type string; 2511 description 2512 "Specify the description."; 2513 } 2514 } 2516 grouping ipsec-policy-grouping { 2517 description 2518 "Holds configuration information for IPSec policies."; 2519 leaf name { 2520 type string; 2521 mandatory true; 2522 description 2523 "IPSec Policy Identification"; 2524 } 2525 leaf description { 2526 type string; 2527 description 2528 "Specify the description."; 2529 } 2531 leaf anti-replay-window { 2532 type uint32 { 2533 range "0 | 32..1024"; 2534 } 2535 description 2536 "Configure replay window size 2537 0: to disable anti-replay-window 2538 32..1024: IPSec anti-replay-window size in multiple of 32"; 2539 } 2540 container perfect-forward-secrecy { 2541 description 2542 "Configure Perfect Forward Secrecy (PFS) for IPSec Policy"; 2543 leaf dh-group { 2544 type diffie-hellman-group-t; 2545 description 2546 "Configure Diffie-Hellman group for 2547 perfect-forward-secrecy"; 2548 } 2549 } 2550 list seq { 2551 key seq-id; 2552 description 2553 "Specify IPSEC proposal sequence number"; 2554 leaf seq-id { 2555 type uint32; 2556 description 2557 "Sequence ID"; 2558 } 2559 leaf description { 2560 type string; 2561 description 2562 "Specify the description."; 2563 } 2565 leaf proposal { 2566 type leafref { 2567 path "/eipsec:ipsec/"+ 2568 "eipsec:proposal/eipsec:ipsec-proposal/eipsec:name"; 2569 } 2570 description 2571 "IKE proposal reference."; 2572 } 2573 } 2574 } 2576 grouping key-string-grouping { 2577 description 2578 "Configure key for 
authentication algorithm"; 2579 leaf key-str { 2580 type union { 2581 type string { 2582 length "16"; 2583 } 2584 type yang:hex-string { 2585 length "40"; 2586 } 2587 } 2588 description 2589 "Key string input is either string value (length of 16) 2590 or hexadecimal (length of 40)"; 2591 } 2592 } 2594 grouping ipsec-sa-ah-grouping { 2595 description 2596 "Configure Authentication Header (AH) for 2597 Security Association (SA)"; 2598 container ah { 2599 description 2600 "Configure Authentication Header (AH) for SA"; 2601 choice authentication-algorithm { 2602 description 2603 "choice for authentication algorithm to set for AH"; 2604 case hmac-aes-xcbc { 2605 container hmac-aes-xcbc { 2606 description 2607 "Set the authentication algorithm to hmac-aes-xcbc"; 2608 uses key-string-grouping; 2609 } 2610 } 2611 case hmac-md5-96 { 2612 container hmac-md5-96 { 2613 description 2614 "Set the authentication algorithm to hmac-md5-96"; 2615 uses key-string-grouping; 2616 } 2617 } 2618 case hmac-sha1-96 { 2619 container hmac-sha1-96 { 2620 description 2621 "Set the authentication algorithm to hmac-sha1-96"; 2622 uses key-string-grouping; 2623 } 2624 } 2625 case key-string { 2626 container key-string { 2627 description 2628 "Configure key for authentication algorithm"; 2629 uses key-string-grouping; 2630 } 2631 } 2632 } 2633 } 2634 } 2636 grouping ipsec-sa-esp-grouping { 2637 description 2638 "Configure IPSec Encapsulation Security Payload (ESP)"; 2639 container esp { 2640 description 2641 "Set IPSec Encapsulation Security Payloer (ESP)"; 2642 container authentication { 2643 description 2644 "Configure authentication for IPSec 2645 Encapsulation Secutiry Payload (ESP)"; 2646 choice authentication-algorithm { 2647 description 2648 "choice for authentication algorithm to set"; 2650 case hmac-aes-xcbc { 2651 container hmac-aes-xcbc { 2652 description 2653 "Set the authentication algorithm to hmac-aes-xcbc"; 2654 uses key-string-grouping; 2655 } 2656 } 2657 case hmac-md5-96 { 2658 
container hmac-md5-96 { 2659 description 2660 "Set the authentication algorithm to hmac-md5-96"; 2661 uses key-string-grouping; 2662 } 2663 } 2664 case hmac-sha1-96 { 2665 container hmac-sha1-96 { 2666 description 2667 "Set the authentication algorithm to hmac-sha1-96"; 2668 uses key-string-grouping; 2669 } 2670 } 2671 case key-string { 2672 container key-string { 2673 description 2674 "Configure key for authentication algorithm"; 2675 uses key-string-grouping; 2676 } 2677 } 2678 } 2679 } 2680 container encryption { 2681 description 2682 "Configure encryption for IPSec 2683 Encapsulation Secutiry Payload (ESP)"; 2684 choice encryption-algorithm { 2685 description 2686 "type of encryption"; 2687 case des3-cbc { 2688 container des3-cbd { 2689 description 2690 "Set the encryption algorithm to des3-cbc"; 2691 uses key-string-grouping; 2692 } 2693 } 2694 case aes-128-cbc { 2695 container aes-128-cbc { 2696 description 2697 "Set the encryption algorithm to aes-128-cbc"; 2698 uses key-string-grouping; 2700 } 2701 } 2702 case aes-192-cbc { 2703 container aes-192-cbc { 2704 description 2705 "Set the encryption algorithm to aes-192-cbc"; 2706 uses key-string-grouping; 2707 } 2708 } 2709 case aes-256-cbc { 2710 container aes-256-cbc { 2711 description 2712 "Set the encryption algorithm to aes-256-cbc"; 2713 uses key-string-grouping; 2714 } 2715 } 2716 case des-cbc { 2717 container des-cbc { 2718 description 2719 "Set the encryption algorithm to des-cbc"; 2720 uses key-string-grouping; 2721 } 2722 } 2723 case key-string { 2724 container key-string { 2725 description 2726 "Configure key for encryption algorithm"; 2727 uses key-string-grouping; 2728 } 2729 } 2730 } 2731 } 2732 } 2733 } 2735 grouping ipsec-acl-dest-grouping { 2736 description 2737 "IPSEC ACL destination."; 2738 /* For destination */ 2739 choice dest-address { 2740 description 2741 "destination address."; 2742 case dest-ipv4-address { 2743 leaf destination-ipv4-address { 2744 type inet:ipv4-address; 2745 
description 2746 "Destination IPv4 Address A.B.C.D/0..32."; 2747 } 2748 } 2749 case dest-any { 2750 leaf dest-any { 2751 type empty; 2752 description 2753 "Match Any Destination IPv4 Address."; 2754 } 2755 } 2756 } 2757 } 2759 grouping ipsec-acl-seq-protocol-number-grouping { 2760 description 2761 "IPSec ACL Sequence protocol number."; 2762 leaf number { 2763 type uint16 { 2764 range "0..255"; 2765 } 2766 description 2767 "Specify protocol number."; 2768 } 2769 choice argument { 2770 description 2771 "Source IPv4 address."; 2772 case source-ipv4-address { 2773 leaf source-ipv4-address { 2774 type inet:ipv4-address; 2775 description 2776 "Source IPv4 Address A.B.C.D/0..32."; 2777 } 2778 } 2779 case any { 2780 /* For source */ 2781 leaf source-any { 2782 type empty; 2783 description 2784 "Match Any Source IPv4 Address."; 2785 } 2786 } 2787 } 2788 } 2790 grouping ipsec-acl-seq-ip-address-grouping { 2791 description 2792 "IPSec ACL Sequence IP Address."; 2793 leaf source-ipv4-address { 2794 type inet:ipv4-address; 2795 description 2796 "Source is IPv4 Address A.B.C.D/0..32."; 2797 } 2799 } 2801 grouping ipsec-acl-seq-any-grouping { 2802 description 2803 "IPSec ACL Sequence Any."; 2804 leaf any { 2805 type empty; 2806 description 2807 "Source is Any."; 2808 } 2809 } 2811 grouping ipsec-acl-seq-tcp-grouping { 2812 description 2813 "IPSec ACL Sequence TCP."; 2814 leaf tcp { 2815 type empty; 2816 description 2817 "Source is TCP protocol."; 2818 } 2819 } 2821 grouping ipsec-acl-seq-udp-grouping { 2822 description 2823 "IPSec ACL Sequence for UDP."; 2824 leaf udp { 2825 type empty; 2826 description 2827 "Source is UDP protocol."; 2828 } 2829 } 2831 grouping ipsec-acl-grouping { 2832 description 2833 "IPSec ACL"; 2834 list access-list { 2835 if-feature ipsec-acl; 2836 key "name sequence-number"; 2837 uses name-grouping; 2838 uses sequence-number-grouping; 2839 description 2840 "Configure the IPSec access-list."; 2841 choice protocol { 2842 description 2843 "IPSec ACL 
protocol."; 2844 case number { 2845 uses ipsec-acl-seq-protocol-number-grouping; 2846 } 2847 case source-ipv4-address { 2848 uses ipsec-acl-seq-ip-address-grouping; 2849 } 2850 case any { 2851 uses ipsec-acl-seq-any-grouping; 2852 } 2853 case tcp { 2854 uses ipsec-acl-seq-tcp-grouping; 2855 } 2856 case udp { 2857 uses ipsec-acl-seq-udp-grouping; 2858 } 2859 } 2860 uses ipsec-acl-dest-grouping; 2861 } 2862 } 2864 grouping ipsec-df-bit-grouping { 2865 description 2866 "IPSec Dont Fragment (DF) bit for IP header."; 2867 container df-bit { 2868 description 2869 "Configure Don't Fragment (DF) bit for IP Header."; 2870 leaf clear { 2871 type empty; 2872 description 2873 "Clear DF bit for outer IP header."; 2874 } 2875 leaf propagate { 2876 type empty; 2877 description 2878 "Propagate DF bit for outer IP header."; 2879 } 2880 leaf set { 2881 type empty; 2882 description 2883 "Set DF bit for outer IP header."; 2884 } 2885 } 2886 } 2888 grouping ipsec-profile-grouping { 2889 description 2890 "IPSec profile."; 2891 list profile { 2892 key "name"; 2893 uses name-grouping; 2894 uses ipsec-df-bit-grouping; 2895 description 2896 "Configure the IPSec Profile."; 2898 leaf mtu { 2899 type uint32 { 2900 range "256..1600"; 2901 } 2902 description 2903 "Set the MTU."; 2904 } 2905 list seq { 2906 key "sequence-number"; 2907 uses sequence-number-grouping; 2908 description 2909 "IPSec Access List sequence number."; 2910 leaf policy { 2911 type leafref { 2912 path "/eipsec:ipsec/eipsec:policy"+ 2913 "/eipsec:ipsec-policy/eipsec:name"; 2914 } 2915 description 2916 "Specify IPSec policy name."; 2917 } 2918 } 2919 } 2920 } 2922 grouping ip-address-grouping { 2923 description 2924 "IP Address grouping"; 2926 choice ip-address { 2927 description 2928 "Choice of IPv4 or IPv6."; 2929 leaf ipv4-address { 2930 type inet:ipv4-address; 2931 description 2932 "Specifies the identity as a single four (4) 2933 octet IPv4 address. 2934 An example is, 10.10.10.10. 
"; 2935 } 2936 leaf ipv6-address { 2937 type inet:ipv6-address; 2938 description 2939 "Specifies the identity as a single sixteen (16) "+ 2940 "octet IPv6 address. "+ 2941 "An example is, "+ 2942 "FF01::101, 2001:DB8:0:0:8:800:200C:417A ."; 2943 } 2944 } 2945 } 2946 grouping ipsec-sa-grouping { 2947 description 2948 "Configure Security Association (SA)"; 2949 leaf spi { 2950 type uint32; 2951 description 2952 "Specify Security Parameter Index"; 2953 } 2954 leaf anti-replay-window { 2955 type uint16 { 2956 range "0 | 32..1024"; 2957 } 2958 description 2959 "Specify replay window size"; 2960 } 2961 leaf ip-comp { 2962 type empty; 2963 description 2964 "Enables IPCOMP, which uses the IP payload compression 2965 protocol to compress IP security (IPsec) packets 2966 before encryption"; 2967 } 2969 container local-peer { 2970 description 2971 "Specify the local peer IP address"; 2972 uses ip-address-grouping; 2973 } 2974 container remote-peer { 2975 description 2976 "Specify the remote peer IP address"; 2977 uses ip-address-grouping; 2978 } 2979 leaf sa-mode { 2980 type ipsec-mode; 2981 description 2982 "SA Mode: tunnel or transport mode"; 2983 } 2984 leaf security-protocol { 2985 type ipsec-protocol; 2986 description 2987 "Security protocol of IPsec SA: Either AH or ESP."; 2988 } 2989 leaf sequence-number { 2990 type uint64; 2991 description 2992 "Current sequence number of IPsec packet."; 2993 } 2994 leaf sequence-number-overflow-flag { 2995 type boolean; 2996 description 2997 "The flag indicating whether overflow of the sequence 2998 number counter should prevent transmission of additional 2999 packets on the SA, or whether rollover is permitted."; 3000 } 3001 leaf path-mtu { 3002 type uint16; 3003 description 3004 "maximum size of an IPsec packet that can be transmitted 3005 without fragmentation"; 3006 } 3007 container life-time { 3008 leaf life-time-in-seconds { 3009 type uint32; 3010 description 3011 "SA life time in seconds"; 3012 } 3013 leaf 
remain-life-time-in-seconds { 3014 type uint32; 3015 description 3016 "Remain SA life time in seconds"; 3017 } 3018 leaf life-time-in-byte { 3019 type uint32; 3020 description 3021 "SA life time in bytes"; 3022 } 3023 leaf remain-life-time-in-byte { 3024 type uint32; 3025 description 3026 "Remain SA life time in bytes"; 3027 } 3028 description 3029 "SA life time information"; 3030 } 3031 leaf upper-protocol { 3032 type string; 3033 description 3034 "Upper-layer protocol to be used"; 3035 } 3036 leaf direction { 3037 type ipsec-traffic-direction; 3038 description 3039 "It indicates whether the SA is inbound SA or 3040 out bound SA."; 3041 } 3042 container source-address { 3043 description 3044 "Specify the source IP address and 3045 port of protected traffic"; 3046 uses ip-address-grouping; 3047 leaf port-number { 3048 type uint32; 3049 description 3050 "port of protected traffic"; 3051 } 3052 } 3053 container destination-address { 3054 description 3055 "Specify the destination IP address and 3056 port of protected traffic"; 3057 uses ip-address-grouping; 3058 leaf port-number { 3059 type uint32; 3060 description 3061 "port of protected traffic"; 3062 } 3063 } 3064 leaf nat-traversal-flag { 3065 type boolean; 3066 description 3067 "Whether the SA is used to protect traffic that needs 3068 nat traversal"; 3069 } 3070 uses ipsec-sa-ah-grouping; 3071 uses ipsec-sa-esp-grouping; 3072 } 3074 /* draft-wang-ipsecme-ike-yang-00 */ 3075 grouping ipsec-common-configuration { 3076 choice df-flag { 3077 default copy; 3078 case set { 3079 leaf set { 3080 type empty; 3081 description 3082 "Set the df bit when encapsulate IPsec tunnel."; 3083 } 3084 } 3085 case clear { 3086 leaf clear { 3087 type empty; 3088 description 3089 "Clear the df bit when encapsulate IPsec tunnel."; 3090 } 3092 } 3093 case copy { 3094 leaf copy { 3095 type empty; 3096 description 3097 "Copy the inner IP header df bit."; 3098 } 3099 } 3100 description 3101 "It indicates how to process the df bit when 
encapsulate 3102 IPsec tunnel."; 3103 } 3104 leaf stateful-frag-check { 3105 type boolean; 3106 default false; 3107 description "Whether stateful fragment checking applies."; 3108 } 3109 leaf life-time-kb { 3110 type uint32; 3111 units "KB"; 3112 default 2000000; 3113 description "IPsec SA Life time in KB."; 3114 } 3115 leaf life-time-second { 3116 type uint32; 3117 units "Second"; 3118 default 18400; 3119 description "IPsec SA Life time in Seconds"; 3120 } 3121 choice anti-replay { 3122 default enable; 3123 case enable { 3124 leaf enable { 3125 type empty; 3126 description "Enable Anti-replay"; 3127 } 3128 choice anti-replay-windows-size { 3129 case size-32; 3130 case size-64; 3131 case size-128; 3132 case size-256; 3133 case size-512; 3134 case size-1024; 3135 default size-1024; 3136 description "It indicate the size of anti-replay window"; 3137 } 3138 } 3139 case disable { 3140 leaf disable { 3141 type empty; 3142 description "Disable Anti-replay"; 3143 } 3144 } 3145 description "Whether enable or disable anti-replay"; 3146 } 3147 leaf inbound-dscp { 3148 type uint16 { 3149 range "0..63"; 3150 } 3151 default 0; 3152 description "Inbound DSCP value"; 3153 } 3154 leaf outbound-dscp { 3155 type uint16 { 3156 range "0..63"; 3157 } 3158 default 0; 3159 description "Outbound DSCP value"; 3160 } 3161 description "Common IPsec configurations"; 3162 } 3164 /*--------------------*/ 3165 /* Configuration Data */ 3166 /*--------------------*/ 3167 container ikev1 { 3168 if-feature ikev1; 3169 description 3170 "Configuration IPSec IKEv1"; 3171 /* The following is for */ 3172 list proposal { 3173 key "name"; 3174 uses ike-proposal-grouping; 3175 description 3176 "Configure IKE proposal"; 3177 } 3178 leaf keepalive { 3179 type empty; 3180 description 3181 "Enables sending Dead Peer Detection (DPD) messages "+ 3182 "to Internet Key Exchange (IKE) peers."; 3183 } 3184 list policy { 3185 key "name"; 3186 uses ike-policy-profile-grouping; 3187 description 3188 "Configure IKE 
Policy Profile."; 3189 } 3191 } 3193 container ikev2 { 3194 if-feature ikev2; 3195 description 3196 "Configuration IPSec IKEv2"; 3197 /* The following is for */ 3198 /* draft-wang-ipsecme-ike-yang-00 */ 3199 container ike-global-configuration { 3200 if-feature ikev2-global; 3201 description "Global IKE configurations"; 3202 uses ipsec-common-configuration; 3203 leaf local-name { 3204 type string; 3205 description 3206 "Global local name configuration, if it is not configed, 3207 ip address will be used as default. If configing special 3208 local name for special peer, it will overwrite the global 3209 name configuration when negotion with that peer."; 3210 } 3211 leaf nat-keepalive-interval { 3212 type uint16 { 3213 range "5..300"; 3214 } 3215 units "Seconds"; 3216 default 20; 3217 description "Global nat keepalive interval"; 3218 } 3219 leaf dpd-interval { 3220 type uint16 { 3221 range "10..3600"; 3222 } 3223 units "Seconds"; 3224 default 30; 3225 description "Global DPD interval"; 3226 } 3227 } 3228 container ike-peer { 3229 if-feature ikev2-peer; 3230 description "IKE peer information"; 3231 list ike-peer-entries { 3232 key "peer-name"; 3233 description "IKE peer information"; 3234 leaf peer-name { 3235 type string; 3236 mandatory true; 3237 description "Name of IKE peer"; 3238 } 3239 leaf ike-proposal-number { 3240 type ike-proposal-number-ref; 3241 description "IKE proposal number referenced by IKE peer"; 3242 } 3243 leaf PresharedKey { 3244 type string; 3245 description "Preshare key"; 3246 } 3247 leaf nat-traversal { 3248 type boolean; 3249 default false; 3250 description "Enable/Disable nat traversal"; 3251 } 3252 choice local-id-type { 3253 default ip; 3254 case ip { 3255 leaf ip { 3256 type empty; 3257 description "IP address"; 3258 } 3259 } 3260 case fqdn { 3261 leaf fqdn { 3262 type empty; 3263 description "Fully Qualifed Domain name "; 3264 } 3265 } 3266 case dn { 3267 leaf dn { 3268 type empty; 3269 description "Domain name"; 3270 } 3271 } 3272 case 
user_fqdn { 3273 leaf user_fqdn { 3274 type empty; 3275 description "User FQDN"; 3276 } 3277 } 3278 description "Local ID type"; 3279 } 3280 leaf local-id { 3281 type string; 3282 description 3283 "Local ID Name. When IP is used as local ID type, 3284 it is ignored. If it is not configurated, 3285 global local name will be used."; 3286 } 3287 leaf remote-id { 3288 type "string"; 3289 description "ID of IKE peer"; 3290 } 3291 leaf low-remote-address { 3292 type inet:ip-address; 3293 description "Low range of remote address"; 3294 } 3295 leaf high-remote-address { 3296 type inet:ip-address; 3297 description "High range of remote address"; 3298 } 3299 leaf certificate { 3300 type string; 3301 description "Certificate file name"; 3302 } 3303 leaf auth-address-begin { 3304 type inet:ip-address; 3305 description 3306 "The begin range of authenticated peer address"; 3307 } 3308 leaf auth-address-end { 3309 type inet:ip-address; 3310 description 3311 "The end range of authenticated peer address"; 3312 } 3313 } 3314 }//End of IKEPeerEntries 3316 list proposal { 3317 if-feature ikev2-proposal; 3318 key "name"; 3319 uses ikev2-proposal-grouping; 3320 description 3321 "Configure IKEv2 proposal"; 3322 } 3323 list policy { 3324 if-feature ikev2-policy; 3325 key "name"; 3326 uses ikev2-policy-profile-grouping; 3327 description 3328 "IKEv2 Policy Profile"; 3329 } 3330 } 3332 container ipsec { 3333 if-feature ipsec; 3334 description 3335 "Configuration IPsec"; 3336 container sad { 3337 if-feature ipsec-sad; 3338 description 3339 "Configure the IPSec Security Association Database (SAD)"; 3340 list sad-entries { 3341 key "spi direction"; 3342 description 3343 "Configure IPsec Security Association Database(SAD)"; 3344 uses ipsec-sa-grouping; 3345 } 3346 } 3347 container proposal { 3348 if-feature ipsec-proposal; 3349 description 3350 "IPSec Proposal Profile"; 3351 list ipsec-proposal { 3352 key "name"; 3353 uses ipsec-proposal-grouping; 3354 description 3355 "Configure the IP Security 
(IPSec) proposal"; 3356 } 3357 } 3358 container spd { 3359 if-feature ipsec-spd; 3360 description 3361 "Configure the Security Policy Database (SPD)"; 3362 list spd-entries { 3363 key "name"; 3364 ordered-by user; 3365 uses ipsec-policy-grouping; 3366 description 3367 "Specify an IPSec policy name"; 3368 } 3369 } 3370 container pad { 3371 description 3372 "Configure Peer Authorization Database (PAD)"; 3373 list pad-entries { 3374 key "pad-type pad-id"; 3375 ordered-by user; 3376 uses identity-grouping; 3377 description 3378 "Peer Authorization Database (PAD)"; 3379 leaf pad-id { 3380 type uint32; 3381 description 3382 "PAD identity"; 3383 } 3384 leaf pad-type { 3385 type pad-type-t; 3386 description 3387 " PAD type"; 3388 } 3389 leaf ike-peer-name { 3390 type string; 3391 description 3392 "IKE Peer Name"; 3393 } 3394 container peer-authentication { 3395 description 3396 "Specify IKE peer authentication configuration"; 3397 leaf algorithm { 3398 type ike-integrity-algorithm-t; 3399 description 3400 "Specify the authentication algorithm"; 3401 } 3402 leaf preshared-key { 3403 type empty; 3404 description 3405 "Use pre-shared key based authentication"; 3406 } 3407 leaf rsa-signature { 3408 type empty; 3409 description 3410 "Use signature based authentication by using 3411 PKI certificates"; 3412 } 3413 } 3414 } 3415 } 3416 } 3418 /*--------------------------*/ 3419 /* Operational State Data */ 3420 /*--------------------------*/ 3421 grouping ike-proposal-state-components { 3422 description 3423 "IKE Proposal operational state"; 3424 list proposal { 3425 if-feature ike-proposal-state; 3426 description 3427 "Operational data for IKE Proposal"; 3428 leaf name { 3429 type string { 3430 length "1..50"; 3431 } 3432 description 3433 "Name of the IKE proposal."; 3434 } 3435 leaf lifetime { 3436 type uint32; 3437 units "seconds"; 3438 description 3439 "lifetime"; 3440 } 3441 leaf encryption { 3442 type ike-encryption-algorithm-t; 3443 description 3444 "Encryption algorithm"; 
      }
      leaf dh-group {
        type diffie-hellman-group-t;
        description
          "Diffie-Hellman group.";
      }
      leaf authentication {
        type ike-integrity-algorithm-t;
        description
          "Authentication (integrity) algorithm.";
      }
    }
  }

  grouping ike-policy-state-grouping {
    description
      "IKE Policy State.";
    list policy {
      if-feature ike-policy-state;
      description
        "Operational data for IKE policy.";
      leaf name {
        type string {
          length "1..50";
        }
        description
          "Name of the IKE Policy.";
      }
      leaf description {
        type string;
        description
          "Description for IKE Policy.";
      }
      leaf mode {
        type enumeration {
          enum aggressive {
            description
              "Aggressive mode.";
          }
          enum main {
            description
              "Main mode.";
          }
        }
        description
          "IKE policy mode.";
      }
      leaf connection-type {
        type connection-type-t;
        description
          "IKE policy connection type.";
      }
      leaf local-identity {
        type inet:ipv4-address-no-zone;
        description
          "IP address of the local identity.";
      }
      leaf remote-identity {
        type inet:ipv4-address-no-zone;
        description
          "IP address of the remote identity.";
      }
      leaf pre-shared-key {
        type string;
        description
          "Pre-shared key.";
      }
      leaf seq {
        type uint32;
        description
          "Sequence number.";
      }
      leaf proposal {
        type string;
        description
          "Proposal name.";
      }
    }
  }

  grouping ikev2-proposal-state-components {
    description
      "IKEv2 operational state.";
    list proposal {
      if-feature ikev2-proposal-state;
      description
        "IKEv2 proposal operational data.";
      leaf name {
        type string;
        description
          "Name of IKEv2 Proposal.";
      }
      leaf pseudo-random-function {
        type pseudo-random-function-t;
        description
          "Pseudo Random Function for IKEv2.";
      }
      leaf authentication {
        type ike-integrity-algorithm-t;
        description
          "Authentication (integrity) algorithm.";
      }
      leaf encryption {
        type ike-encryption-algorithm-t;
        description
          "Encryption algorithm.";
      }
      leaf dh-group {
        type diffie-hellman-group-t;
        mandatory true;
        description
          "Diffie-Hellman group.";
      }
    }
  }

  grouping ipsec-policy-state-grouping {
    description
      "IPSec operational state.";
    list policy {
      if-feature ipsec-policy-state;
      description
        "IPSec policy operational data.";
      leaf name {
        type string;
        description
          "IPSec Policy name.";
      }
      leaf anti-replay-window {
        type uint32;
        description
          "Anti-replay window size.";
      }
      leaf perfect-forward-secrecy {
        type diffie-hellman-group-t;
        description
          "Diffie-Hellman group for perfect forward secrecy.";
      }
      list seq {
        description
          "Sequence number.";
        leaf seq-id {
          type uint32;
          description
            "Sequence number.";
        }
        leaf proposal-name {
          type string;
          description
            "IPSec proposal name.";
        }
      }
    }
  }

  grouping ipsec-proposal-state-grouping {
    description
      "IPSec proposal operational data.";
    list proposal {
      if-feature ipsec-proposal-state;
      description
        "IPSec proposal operational data.";
      leaf name {
        type string;
        description
          "IPSec Proposal name.";
      }
      leaf ah {
        type ike-integrity-algorithm-t;
        description
          "Authentication Header (AH).";
      }
      container esp {
        description
          "Encapsulating Security Payload (ESP).";
        leaf authentication {
          type ike-integrity-algorithm-t;
          description
            "ESP authentication.";
        }
        leaf encryption {
          type ike-encryption-algorithm-t;
          description
            "ESP encryption.";
        }
      }
      leaf ip-comp {
        type empty;
        description
          "IPSec proposal IP-COMP, which uses the IP Payload "+
          "Compression Protocol to compress IP Security (IPSec) "+
          "packets before encryption.";
      }
      container lifetime {
        description
          "Lifetime for IPSec SAs.";
        leaf kbytes {
          type uint32;
          description
            "Lifetime in kbytes for IPSec SAs.";
        }
        leaf seconds {
          type uint32;
          description
            "Lifetime in seconds for IPSec SAs.";
        }
      }
    }
  }

  grouping ipsec-alarms-state-grouping {
    description
      "IPSec alarms operational data.";
    leaf hold-down {
      if-feature ipsec-alarms-state;
      type uint32;
      description
        "Hold-down value.";
    }
  }

  grouping ipsec-sa-ah-state-grouping {
    description
      "IPSec SA's AH operational data.";
    leaf spi {
      if-feature ipsec-sa-ah-state;
      type uint32;
      description
        "Security Parameter Index (SPI) value.";
    }
    leaf description {
      if-feature ipsec-sa-ah-state;
      type string;
      description
        "The description.";
    }
    leaf authentication-algorithm {
      if-feature ipsec-sa-ah-state;
      type ike-integrity-algorithm-t;
      description
        "Authentication algorithm.";
    }
    leaf encryption-algorithm {
      if-feature ipsec-sa-ah-state;
      type ike-encryption-algorithm-t;
      description
        "Encryption algorithm.";
    }
  }

  grouping ipsec-sa-state-grouping {
    description
      "IPSec Security Association operational data.";
    list sa {
      if-feature ipsec-sa-state;
      description
        "IPSec SA operational data.";
      leaf name {
        type string;
        description
          "IPSec Security Association (SA) name.";
      }
      leaf anti-replay-window {
        type uint16;
        description
          "Anti-replay window size.";
      }
      leaf ip-comp {
        type empty;
        description
          "Enables IPCOMP, which uses the IP Payload Compression
           Protocol to compress IP Security (IPsec) packets before
           encryption.";
      }
      uses ipsec-sa-ah-state-grouping;
    }
  }
  /* draft-wang-ipsecme-ipsec-yang-00 */
  grouping ipsec-tunnel-mode-info {
    description
      "Common information when using IPsec tunnel mode.";
    leaf local-address {
      if-feature ipsec-tunnel;
      type string;
      description
        "Local address of IPsec tunnel mode.";
    }
    leaf remote-address {
      if-feature ipsec-tunnel;
      type string;
      description
        "Remote address of IPsec tunnel mode.";
    }
    leaf bypass-df {
      if-feature ipsec-tunnel;
      type enumeration {
        enum "set" {
          description
            "Set the DF bit.";
        }
        enum "clear" {
          description
            "Clear the DF bit.";
        }
        enum "copy" {
          description
            "Copy the DF bit from the inner header.";
        }
      }
      description
        "This flag indicates how to process the DF flag in tunnel
         mode.";
    }
    leaf dscp-flag {
      if-feature ipsec-tunnel;
      type boolean;
      description
        "This flag indicates whether to bypass DSCP or map to
         unprotected DSCP values (array) if needed to
         restrict bypass of DSCP values.";
    }
    leaf stateful-frag-check-flag {
      if-feature ipsec-tunnel;
      type boolean;
      description
        "This flag indicates whether stateful fragment checking
         will be used.";
    }
  }

  grouping traffic-selector {
    description
      "IPsec traffic selector information.";
    leaf local-address-low {
      if-feature ipsec-local-address-range;
      type inet:ip-address;
      description
        "Low end of the local address range.";
    }
    leaf local-address-high {
      if-feature ipsec-local-address-range;
      type inet:ip-address;
      description
        "High end of the local address range.";
    }
    leaf remote-address-low {
      if-feature ipsec-remote-address-range;
      type inet:ip-address;
      description
        "Low end of the remote address range.";
    }
    leaf remote-address-high {
      if-feature ipsec-remote-address-range;
      type inet:ip-address;
      description
        "High end of the remote address range.";
    }
    leaf next-protocol-low {
      if-feature ipsec-next-protocol-range;
      type uint16;
      description
        "Low end of the next protocol range.";
    }
    leaf next-protocol-high {
      if-feature ipsec-next-protocol-range;
      type uint16;
      description
        "High end of the next protocol range.";
    }
    leaf local-port-low {
      if-feature ipsec-local-port-range;
      type inet:port-number;
      description
        "Low end of the local port range.";
    }
    leaf local-port-high {
      if-feature ipsec-local-port-range;
      type inet:port-number;
      description
        "High end of the local port range.";
    }
    leaf remote-port-high {
      if-feature ipsec-remote-port-range;
      type inet:port-number;
      description
        "High end of the remote port range.";
    }
    leaf remote-port-low {
      if-feature ipsec-remote-port-range;
      type inet:port-number;
      description
        "Low end of the remote port range.";
    }
  }

  grouping ipsec-algorithm-info {
    description
      "IPsec algorithm information used by SPD and SAD.";
    leaf ah-auth-algorithm {
      if-feature ipsec-ah-authentication;
      type ipsec-authentication-algorithm;
      description
        "Authentication algorithm used by AH.";
    }
    leaf esp-integrity-algorithm {
      if-feature ipsec-esp-integrity;
      type ipsec-authentication-algorithm;
      description
        "Integrity algorithm used by ESP.";
    }
    leaf esp-encrypt-algorithm {
      if-feature ipsec-esp-encrypt;
      type ipsec-encryption-algorithm;
      description
        "Encryption algorithm used by ESP.";
    }
  }

  grouping ipsec-stat {
    leaf inbound-packets {
      if-feature ipsec-stat;
      type uint64;
      config false;
      description "Inbound packet count.";
    }
    leaf outbound-packets {
      if-feature ipsec-stat;
      type uint64;
      config false;
      description "Outbound packet count.";
    }
    leaf inbound-bytes {
      if-feature ipsec-stat;
      type uint64;
      config false;
      description "Inbound packet bytes.";
    }
    leaf outbound-bytes {
      if-feature ipsec-stat;
      type uint64;
      config false;
      description "Outbound packet bytes.";
    }
    leaf inbound-drop-packets {
      if-feature ipsec-stat;
      type uint64;
      config false;
      description "Inbound dropped packet count.";
    }
    leaf outbound-drop-packets {
      if-feature ipsec-stat;
      type uint64;
      config false;
      description "Outbound dropped packet count.";
    }
    container dropped-packet-detail {
      if-feature ipsec-stat;
      description "Detailed information on dropped packets.";
      leaf sa-non-exist {
        type uint64;
        config false;
        description
          "Count of packets dropped because no SA exists.";
      }
      leaf queue-full {
        type uint64;
        config false;
        description
          "Count of packets dropped because the processing queue
           was full.";
      }
      leaf auth-failure {
        type uint64;
        config false;
        description
          "Count of packets dropped because of authentication
           failure.";
      }
      leaf malform {
        type uint64;
        config false;
        description "Count of packets dropped as malformed.";
      }
      leaf replay {
        type uint64;
        config false;
        description "Count of packets dropped as replays.";
      }
      leaf large-packet {
        type uint64;
        config false;
        description "Count of packets dropped as too large.";
      }
      leaf invalid-sa {
        type uint64;
        config false;
        description "Count of packets dropped because of an invalid SA.";
      }
      leaf policy-deny {
        type uint64;
        config false;
        description
          "Count of packets dropped because they were denied by
           policy.";
      }
      leaf other-reason {
        type uint64;
        config false;
        description
          "Count of packets dropped for other reasons.";
      }
    }
    description "IPsec statistics information.";
  }

  container ike-state {
    if-feature ikev1-state;
    config false;
    uses ike-proposal-state-components;
    uses ike-policy-state-grouping;
    description
      "Contains the operational data for IKE.";
  }
  container ikev2-state {
    if-feature ikev2-state;
    config false;
    uses ikev2-proposal-state-components;
    uses ike-policy-state-grouping;
    description
      "Contains the operational data for IKEv2.";
  }
  container ipsec-state {
    if-feature ipsec-state;
    config false;
    uses ipsec-policy-state-grouping;
    uses ipsec-proposal-state-grouping;
    uses ipsec-alarms-state-grouping;
    uses ipsec-sa-state-grouping;
    container redundancy {
      if-feature ipsec-redundancy;
      description
        "Redundancy configuration in effect for IPSec.";
      leaf inter-chassis {
        type empty;
        description
          "Redundancy is set at chassis level.";
      }
    }
    description
      "Contains the operational data for IPSec.";
  }

  /* draft-wang-ipsecme-ipsec-yang-00 */
  container sad {
    if-feature sad;
    config false;
    description
      "The IPsec SA database.";
    list sad-entries {
      key "spi security-protocol direction";
      description
        "The SA entries information.";
      leaf spi {
        type ipsec-spi;
        description
          "Security parameter index of SA entry.";
      }
      leaf security-protocol {
        type ipsec-protocol;
        description
          "Security protocol of IPsec SA.";
      }
      leaf direction {
        type ipsec-traffic-direction;
        description
          "It indicates whether the SA is an inbound SA or an
           outbound SA.";
      }
      leaf sa-type {
        type enumeration {
          enum "manual" {
            description
              "Manual IPsec SA.";
          }
          enum "isakmp" {
            description
              "ISAKMP IPsec SA.";
          }
        }
        description
          "It indicates whether the SA is created manually
           or by a dynamic protocol.";
      }
      leaf sequence-number {
        type uint64;
        description
          "Current sequence number of IPsec packet.";
      }
      leaf sequence-number-overflow-flag {
        type boolean;
        description
          "The flag indicating whether overflow of the sequence
           number counter should prevent transmission of additional
           packets on the SA, or whether rollover is permitted.";
      }
      leaf anti-replay-enable-flag {
        type boolean;
        description
          "It indicates whether anti-replay is enabled or disabled.";
      }
      leaf anti-replay-window-size {
        type uint64;
        description
          "The size of the anti-replay window.";
      }
      uses ipsec-algorithm-info;
      container life-time {
        leaf life-time-in-seconds {
          type uint32;
          description
            "SA lifetime in seconds.";
        }
        leaf remain-life-time-in-seconds {
          type uint32;
          description
            "Remaining SA lifetime in seconds.";
        }
        leaf life-time-in-byte {
          type uint32;
          description
            "SA lifetime in bytes.";
        }
        leaf remain-life-time-in-byte {
          type uint32;
          description
            "Remaining SA lifetime in bytes.";
        }
        description
          "SA lifetime information.";
      }
      leaf protocol-mode {
        type ipsec-mode;
        description
          "It indicates whether tunnel mode or transport mode
           will be used.";
      }
      container tunnel-mode-process-info {
        when "../protocol-mode = 'tunnel'" {
          description
            "External information of SA when SA works in
             tunnel mode.";
        }
        uses ipsec-tunnel-mode-info;
        description
          "External information of SA when SA works in
           tunnel mode.";
      }
      leaf-list dscp {
        type uint8 {
          range "0..63";
        }
        description
          "When traffic matches the SPD, the DSCP values used to
           filter traffic.";
      }
      leaf path-mtu {
        type uint16;
        description
          "Path MTU value.";
      }
      leaf nat-traversal-flag {
        type boolean;
        description
          "Whether the SA is used to protect traffic that needs
           NAT traversal.";
      }
    }
  }

  container spd {
    if-feature spd;
    config false;
    description
      "IPsec security policy database information.";
    list spd-entries {
      description
        "IPsec SPD entry information.";
      list name {
        description
          "SPD name information.";
        leaf name-type {
          type ipsec-spd-name;
          description
            "SPD name type.";
        }
        leaf name-string {
          when "../name-type = 'id_rfc_822_addr' or ../name-type =
                'id_fqdn'" {
            description
              "When the name type is id_rfc_822_addr or id_fqdn, the
               name is stored as a string.";
          }
          type string;
          description
            "SPD name content.";
        }
        leaf name-binary {
          when "../name-type = 'id_der_asn1_dn' or ../name-type =
                'id_key'" {
            description
              "When the name type is id_der_asn1_dn or id_key, the
               name is stored as binary.";
          }
          type binary;
          description
            "SPD name content.";
        }
      }
      leaf pfp-flag {
        type boolean;
        description
          "Populate-from-packet flag.";
      }
      list traffic-selector {
        min-elements 1;
        uses traffic-selector;
        description
          "Traffic selectors of the SPD entry.";
      }
      leaf operation {
        type ipsec-spd-operation;
        description
          "It indicates how to process the traffic when it matches
           the security policy.";
      }
      container protect-operation {
        when "../operation = 'protect'" {
          description
            "How to protect the traffic when the SPD operation
             is protect.";
        }
        leaf spd-ipsec-mode {
          type ipsec-mode;
          description
            "It indicates which mode is chosen when the traffic needs
             to be protected by IPsec.";
        }
        leaf esn-flag {
          type boolean;
          description
            "It indicates whether ESN is used.";
        }
        leaf spd-ipsec-protocol {
          type ipsec-protocol;
          description
            "It indicates which protocol (AH or ESP) is chosen.";
        }
        container tunnel-mode-additional {
          when "../spd-ipsec-mode = 'tunnel'" {
            description
              "Additional information when tunnel mode is chosen.";
          }
          uses ipsec-tunnel-mode-info;
          description
            "When tunnel mode is used, the additional information of
             the SPD.";
        }
        list spd-algorithm {
          min-elements 1;
          uses ipsec-algorithm-info;
          description
            "Algorithms defined in SPD, ordered by decreasing
             priority.";
        }
        description
          "How to protect the traffic when the SPD operation is
           protect.";
      }
    }
  }

  container ipsec-global-statistics {
    if-feature ipsec-global-stats;
    config false;
    description "IPsec global statistics.";
    container ipv4 {
      description "IPsec statistics for IPv4.";
      uses ipsec-stat;
    }
    container ipv6 {
      description "IPsec statistics for IPv6.";
      uses ipsec-stat;
    }
    container global {
      description "Global IPsec statistics.";
      uses ipsec-stat;
    }
  }

  /*--------------------*/
  /* RPC                */
  /*--------------------*/
  rpc clear-ipsec-group {
    if-feature clear-ipsec-group;
    description
      "RPC for clearing IPsec states.";
    input {
      leaf alarm-hold-down {
        type uint8;
        description
          "IPSec alarm hold-down.";
      }
      leaf ipsec-policy-name {
        type leafref {
          path "/eipsec:ipsec/eipsec:spd/"+
               "eipsec:spd-entries/eipsec:name";
        }
        description
          "IPSec Policy name.";
      }
    }
  }
  rpc clear-ike-group {
    if-feature clear-ike-group;
    description
      "RPC for clearing IKE states.";
    input {
      leaf proposal {
        type leafref {
          path "/eipsec:ikev1/eipsec:proposal/"+
               "eipsec:name";
        }
        description
          "IPSec IKE Proposal name.";
      }
    }
  }

  rpc clear-ikev2-group {
    if-feature clear-ikev2-group;
    description
      "RPC for clearing IKEv2 states.";
    input {
      leaf proposal {
        type leafref {
          path "/eipsec:ikev2/eipsec:proposal/"+
               "eipsec:name";
        }
        description
          "IPSec IKEv2 Proposal name.";
      }
    }
  }

  /* draft-wang-ipsecme-ipsec-yang-00 */
  rpc reset-ipv4 {
    if-feature reset-ipv4;
    description "Reset IPsec IPv4 statistics.";
    input {
      leaf ipv4 {
        type empty;
        description "Reset IPsec IPv4 statistics.";
      }
    }
    output {
      leaf status {
        type string;
        description "Operation status.";
      }
    }
  }
  rpc reset-ipv6 {
    if-feature reset-ipv6;
    description "Reset IPsec IPv6 statistics.";
    input {
      leaf ipv6 {
        type empty;
        description "Reset IPsec IPv6 statistics.";
      }
    }
    output {
      leaf status {
        type string;
        description "Operation status.";
      }
    }
  }
  rpc reset-global {
    if-feature reset-global;
    description "Reset IPsec global statistics.";
    input {
      leaf ipv6 {
        type empty;
        description "Reset IPsec global statistics.";
      }
    }
    output {
      leaf status {
        type string;
        description "Operation status.";
      }
    }
  }

  notification dpd-failure {
    description "IKE peer DPD detected a failure.";
    leaf peer-id {
      type string;
      description "Peer ID.";
    }
  }

  notification peer-authentication-failure {
    if-feature peer-authentication-failure;
    description "Peer authentication failed during negotiation.";
    leaf peer-id {
      type string;
      description "The ID of the remote peer.";
    }
  }

  notification ike-reauth-failure {
    if-feature ike-reauth-failure;
    description "IKE peer reauthentication failed.";
    leaf peer-id {
      type string;
      description "The ID of the remote peer.";
    }
  }

  notification ike-rekey-failure {
    if-feature ike-rekey-failure;
    description "IKE SA rekey failure.";
    leaf peer-id {
      type string;
      description "The ID of the remote peer.";
    }
    leaf old-i-spi {
      type uint64;
      description "Old initiator SPI.";
    }
    leaf old-r-spi {
      type uint64;
      description "Old responder SPI.";
    }
  }

  notification ipsec-rekey-failure {
    if-feature ipsec-rekey-failure;
    description "IPsec SA rekey failure.";
    leaf peer-id {
      type string;
      description "The ID of the remote peer.";
    }
    leaf old-inbound-spi {
      type ipsec-spi;
      description "Old inbound SPI.";
    }
    leaf old-outbound-spi {
      type ipsec-spi;
      description "Old outbound SPI.";
    }
  }
} /* module ericsson-ipsec */

5.  Security Considerations

   The configuration, state, and action data defined in this document
   are designed to be accessed via the NETCONF protocol [RFC6241].  The
   data model by itself does not create any security implications.  The
   security considerations for the NETCONF protocol are applicable.
   The NETCONF protocol used for sending the data supports
   authentication and encryption.

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for
              Syntax Specifications: ABNF", RFC 2234, November 1997.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6021]  Schoenwaelder, J., "Common YANG Data Types", RFC 6021,
              October 2010.

   [RFC6241]  Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
              Bierman, "Network Configuration Protocol (NETCONF)",
              RFC 6241, June 2011.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", RFC 7296, October 2014.

   [RFC6071]  Frankel, S. and S. Krishnan, "IP Security (IPsec) and
              Internet Key Exchange (IKE) Document Roadmap", RFC 6071,
              February 2011.

6.2.  Informative References

   [RFC6087]  Bierman, A., "Guidelines for Authors and Reviewers of YANG
              Data Model Documents", RFC 6087, January 2011.

Authors' Addresses

   Khanh Tran
   Ericsson
   300 Holger Way
   San Jose, CA 95134
   USA
   Email: khanh.x.tran@ericsson.com

   Honglei Wang
   Huawei Technologies
   Huawei Bld., No.156 Beiqing Rd.
   Beijing 100095
   China
   Email: stonewater.wang@huawei.com

   Vijay Kumar Nagaraj
   Huawei Technologies
   Huawei Technologies India Pvt Ltd
   Bangalore 560008
   India
   Email: vijay.kn@huawei.com

   Xia Chen
   Huawei Technologies
   Huawei Bld., No.156 Beiqing Rd.
   Beijing 100095
   China
   Email: xiachen@huawei.com
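Worked example, added here and not part of the draft or its authors' work: a small Python audit over a constructed RFC 7951 JSON instance of the module's sad and ipsec-global-statistics containers, flagging the state a defender watches for in this model (anti-replay-enable-flag off, a non-ESN sequence-number near exhaustion while sequence-number-overflow-flag permits rollover, an SA near the end of its life-time, and non-zero auth-failure and replay drop counters). The enum strings for the ipsec-protocol and ipsec-traffic-direction types and the use of the module name ericsson-ipsec as the JSON namespace are assumptions; esn-flag lives in the SPD rather than the SAD, so the 32-bit counter check assumes ESN is not in use.

```python
import json

# Constructed sample data in RFC 7951 JSON encoding, not a real device export.
# The module name "ericsson-ipsec" is taken from the module's closing comment;
# the enum strings for ipsec-protocol and ipsec-traffic-direction are assumed.
SAMPLE_STATE = json.loads("""
{
  "ericsson-ipsec:sad": {"sad-entries": [
    {"spi": 4660, "security-protocol": "esp", "direction": "outbound",
     "sa-type": "isakmp", "sequence-number": 4294950000,
     "sequence-number-overflow-flag": false,
     "anti-replay-enable-flag": true, "anti-replay-window-size": 64,
     "life-time": {"life-time-in-seconds": 3600,
                   "remain-life-time-in-seconds": 200}},
    {"spi": 4661, "security-protocol": "esp", "direction": "inbound",
     "sa-type": "manual", "sequence-number": 1200,
     "sequence-number-overflow-flag": true,
     "anti-replay-enable-flag": false, "anti-replay-window-size": 0,
     "life-time": {"life-time-in-seconds": 86400,
                   "remain-life-time-in-seconds": 80000}}
  ]},
  "ericsson-ipsec:ipsec-global-statistics": {"global": {
    "inbound-packets": 918273, "inbound-drop-packets": 57,
    "dropped-packet-detail": {"auth-failure": 40, "replay": 12,
                              "policy-deny": 5}}}
}
""")

SEQ_MAX_32 = 2**32 - 1        # sequence-number space when ESN is not used
SEQ_HEADROOM = 100_000        # warn once fewer values than this remain
LIFETIME_LOW_FRACTION = 0.10  # warn once under 10 % of the lifetime is left
# dropped-packet-detail leaves that point at integrity or replay problems
DROP_CODES = {"auth-failure": "DROP_AUTH_FAILURE", "replay": "DROP_REPLAY"}


def audit_sa(sa):
    """Return (spi, finding-code) tuples for one sad-entries element."""
    findings = []
    spi = sa["spi"]
    if not sa.get("anti-replay-enable-flag", False):
        findings.append((spi, "ANTI_REPLAY_OFF"))
    if sa.get("sequence-number", 0) >= SEQ_MAX_32 - SEQ_HEADROOM:
        # Per the leaf description, a true sequence-number-overflow-flag
        # means the SA stops transmitting at overflow; false means the
        # counter rolls over, so the SA must be rekeyed before that happens.
        code = ("SEQ_EXHAUSTION_STOPS_TX"
                if sa.get("sequence-number-overflow-flag")
                else "SEQ_ROLLOVER_PERMITTED")
        findings.append((spi, code))
    life = sa.get("life-time", {})
    total = life.get("life-time-in-seconds")
    remain = life.get("remain-life-time-in-seconds")
    if total and remain is not None and remain < total * LIFETIME_LOW_FRACTION:
        findings.append((spi, "LIFETIME_LOW"))
    return findings


def audit_drops(stat):
    """Return ("global", code) for each non-zero integrity/replay drop counter."""
    detail = stat.get("dropped-packet-detail", {})
    return [("global", code) for leaf, code in DROP_CODES.items()
            if detail.get(leaf, 0) > 0]


def audit(state):
    """Walk the sad and ipsec-global-statistics containers of one instance."""
    findings = []
    for sa in state.get("ericsson-ipsec:sad", {}).get("sad-entries", []):
        findings.extend(audit_sa(sa))
    stats = state.get("ericsson-ipsec:ipsec-global-statistics", {})
    findings.extend(audit_drops(stats.get("global", {})))
    return findings


if __name__ == "__main__":
    for subject, code in audit(SAMPLE_STATE):
        print(f"{subject}: {code}")
```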