Network Working Group                                            H. Wang
Internet-Draft                                                V. Nagaraj
Intended status: Standards Track                                 X. Chen
Expires: November 23, 2015                           Huawei Technologies
                                                            May 22, 2015

                        Yang Data Model for IKE
                    draft-wang-ipsecme-ike-yang-00

Abstract

   This document describes a YANG data model for the IKE (Internet Key
   Exchange) protocol.  The model covers IKE protocol configuration,
   operational state, remote procedure calls, and event notification
   data.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 23, 2015.
Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  IKE YANG Model Organization
     2.1.  Overview
     2.2.  Configuration
       2.2.1.  IPsec Global Configuration
       2.2.2.  IPsec Proposal Configuration
       2.2.3.  IKE Proposal Configuration
       2.2.4.  IKE Peer Configuration
       2.2.5.  IPsec Policy Configuration
       2.2.6.  IPsec Interface Map Configuration
     2.3.  Operational State
       2.3.1.  IKE SA Container State
       2.3.2.  IPsec SA State
     2.4.  Actions
       2.4.1.  IKE SA reset action
       2.4.2.  IPsec SA reset action
     2.5.  Notifications
       2.5.1.  DPD failure
       2.5.2.  Peer Authentication failure
       2.5.3.  IKE Reauth failure
       2.5.4.  IKE Rekey failure
       2.5.5.  IPsec Rekey failure
   3.  IKE Yang Module
     3.1.  IKE Basic Yang Module
     3.2.  IKE Algorithm Yang Module
   4.  IANA Considerations
   5.  Security Considerations
   6.  Acknowledgements
   7.  Normative References
   Authors' Addresses

1.  Introduction

   The Network Configuration Protocol (NETCONF) [RFC6241] is a network
   management protocol that defines mechanisms to manage network
   devices.  YANG [RFC6020] is a modular language that represents data
   structures in an XML tree format, and is used as the data modeling
   language for NETCONF.

   This document introduces a YANG data model for the IKE (Internet Key
   Exchange) protocol.  The IETF has defined two IKE protocols, IKEv1
   (IKE version 1) and IKEv2 (IKE version 2); IKEv1 is now obsolete.
   The model discussed in this document covers IKEv2 [RFC7296] and
   other generic enhancements that pertain to the base protocol
   operation.

   The data model is defined for the following constructs used to
   manage the IKE protocol: configuration, operational state, remote
   procedure calls, and event notification data.

2.  IKE YANG Model Organization

2.1.  Overview

   The model discussed in this document covers IKEv2 [RFC7296] and
   other generic enhancements that pertain to the base protocol
   operation.
   The cryptographic algorithms are deliberately kept out of the
   ietf-ike module so that they can be updated or replaced without
   affecting the standardization progress of the rest of the IKE YANG
   model.  The IPsec YANG model, the basic cryptographic algorithms for
   IPsec and the basic IPsec typedefs are likewise left out of this
   model; they cover the IPsec basics defined in [RFC4301] and will be
   defined in a separate document.  The IKE data model has the
   following relationship with the IPsec module and other modules.

                                  ^: import
           IPsec Crypto Module                 IPsec Type Module
          +--------------------+              +-------------------+
          | ietf-ipsec-crypto  |              |  ietf-ipsec-type  |
          +--------------------+              +-------------------+
              |         |                          |         |
              |         |                          |         |
              |         |                          |         |
   INET Basic Type      |    v   IPsec Module  v   |    IKE Crypto Module
   +----------------+   |   +-----------------+    |   +---------------+
   |ietf-inet-types |   |   |   ietf-ipsec    |    |   |ietf-ike-crypto|
   +----------------+   |   +-----------------+    |   +---------------+
          |             |           |              |           |
          |             |           |              |           |
          |             v           v              v           |
          |        +---------------------------+               |
          +------->|         ietf-ike          |<--------------+
                   +---------------------------+

     Figure 1: Relationship of IKE with IPsec module and other modules

   This model aims to address only the core IKE parameters as per RFC
   7296 [RFC7296].

   This model does not cover applications running on top of IKE, nor
   does it cover OAM procedures for IKE.  The current revision only
   describes the "ipv4" address family.  IPv6-specific IKE
   configuration will be covered in a later revision.

   The figure below describes the overall structure of the IKE YANG
   model:

   module: ietf-ike
      +--rw ike-global-configuration
      |  ...
      +--rw ipsec-proposal
      |  ...
      +--rw ike-proposal
      |  ...
      +--rw ike-peer
      |  ...
      +--rw ipsec-policy
      |  +--rw policy-entries* [policy-name sequence-number]
      |  |  ...
      |  +--rw policy-template-entries* [policy-name sequence-number]
      |     ...
      +--rw ipsec-interface-map
      |  ...
      +--ro ike-sa
      |  ...
      +--ro ipsec-sa
         ...
   rpcs:
      +---x reset-ike-sa
      |  ...
      +---x reset-ipsec-sa
         ...
   notifications:
      +---n dpd-failure
      |  ...
      +---n peer-authentication-failure
      |  ...
      +---n ike-reauth-failure
      |  ...
      +---n ike-rekey-failure
      |  ...
      +---n ipsec-rekey-failure
         ...

2.2.  Configuration

   This specification defines the configuration parameters for IKE
   version 2 (IKEv2).  It only supports the IPv4 address type for IKE.

2.2.1.  IPsec Global Configuration

   The global configuration container holds settings that are common
   to all IKE peers: the defaults for IPsec SAs (DF-bit handling,
   lifetimes, anti-replay, DSCP) taken from the
   ipsec-common-configuration grouping, plus the IKE local name, the
   NAT keep-alive interval and the DPD interval.

   +--rw ike-global-configuration
      +--rw (df-flag)?
      |  +--:(set)
      |  |  +--rw set?                    empty
      |  +--:(clear)
      |  |  +--rw clear?                  empty
      |  +--:(copy)
      |     +--rw copy?                   empty
      +--rw stateful-frag-check?          boolean
      +--rw life-time-kb?                 uint32
      +--rw life-time-second?             uint32
      +--rw (anti-replay)?
      |  +--:(enable)
      |  |  +--rw enable?                 empty
      |  |  +--rw (anti-replay-windows-size)?
      |  |     +--:(size-32)
      |  |     +--:(size-64)
      |  |     +--:(size-128)
      |  |     +--:(size-256)
      |  |     +--:(size-512)
      |  |     +--:(size-1024)
      |  +--:(disable)
      |     +--rw disable?                empty
      +--rw inbound-dscp?                 uint16
      +--rw outbound-dscp?                uint16
      +--rw local-name?                   string
      +--rw nat-keepalive-interval?       uint16
      +--rw dpd-interval?                 uint16

2.2.2.  IPsec Proposal Configuration

   The IPsec proposal container holds the configuration items of the
   IPsec tunnel: the tunnel protocol (ESP or AH), the encapsulation
   mode (tunnel or transport), the authentication algorithm for AH or
   ESP and the encryption algorithm for ESP.

   +--rw ipsec-proposal
      +--rw ipsec-proposal-entries* [proposal-name]
         +--rw proposal-name                     string
         +--rw (protocol)?
            +--:(ah)
            |  +--rw ah                          empty
            |  +--rw ah-authentication-algorithm?    ipsec-crypto:ipsec-authentication-algorithm
            +--:(esp)
               +--rw esp                         empty
               +--rw esp-authentication-algorithm?   ipsec-crypto:ipsec-authentication-algorithm
               +--rw esp-encryption-algorithm?       ipsec-crypto:ipsec-encryption-algorithm

2.2.3.  IKE Proposal Configuration

   The IKE proposal container holds the parameters of IKE SA
   establishment.  These parameters are negotiated between the IKE
   peers when the SA is established.  The container carries the
   proposal number, authentication method, integrity algorithm,
   encryption algorithm, pseudo-random function (PRF), DH group,
   reauthentication interval and rekey lifetime.

   +--rw ike-proposal
      +--rw ike-proposal-entries* [proposal-number]
         +--rw proposal-number          uint32
         +--rw auth-method?             ike-auth-method
         +--rw integrity-algorithm?     ike-crypto:ike-integrity-algorithm
         +--rw encrypt-algorithm?       ike-crypto:ike-encryption-algorithm
         +--rw prf-algorithm?           ike-crypto:ike-prf-algorithm
         +--rw dh-group?                ike-crypto:ike-dh-group
         +--rw reauth-interval?         uint32
         +--rw life-time?               uint32

2.2.4.  IKE Peer Configuration

   The IKE peer container holds information about a peer.  An IKE peer
   is the entity that establishes security associations with the
   remote peer.
   Its main configuration parameters are: key information, name,
   proposal number, ID type, remote address, local address and
   certificate information.  The PresharedKey leaf holds the key as a
   plain string in the configuration datastore, so read access to it
   has to be restricted by NETCONF access control.

   +--rw ike-peer
      +--rw ike-peer-entries* [peer-name]
         +--rw peer-name               string
         +--rw ike-proposal-number?    ike-proposal-number-ref
         +--rw PresharedKey?           string
         +--rw nat-traversal?          boolean
         +--rw (local-id-type)?
         |  +--:(ip)
         |  |  +--rw ip?               empty
         |  +--:(fqdn)
         |  |  +--rw fqdn?             empty
         |  +--:(dn)
         |  |  +--rw dn?               empty
         |  +--:(user_fqdn)
         |     +--rw user_fqdn?        empty
         +--rw local-id?               string
         +--rw remote-id?              string
         +--rw low-remote-address?     inet:ip-address
         +--rw high-remote-address?    inet:ip-address
         +--rw certificate?            string
         +--rw auth-address-begin?     inet:ip-address
         +--rw auth-address-end?       inet:ip-address

2.2.5.  IPsec Policy Configuration

   The IPsec policy container holds the IPsec policy that is bound to
   an interface (tunnel or physical interface).  The information in
   the IPsec policy determines the characteristics of the tunnel that
   will be established.  The main attributes of an IPsec policy are:
   ACL, PFS (an additional DH exchange), peer name, IPsec proposal
   name, policy name, sequence number and policy mode (ISAKMP or
   template).

   +--rw ipsec-policy
      +--rw policy-entries* [policy-name sequence-number]
      |  +--rw policy-name                      string
      |  +--rw sequence-number                  uint32
      |  +--rw (policy-mode)?
      |     +--:(isakmp)
      |     |  +--rw isakmp?                    empty
      |     |  +--rw local-address?             inet:ip-address
      |     |  +--rw binding-interface-name?    string
      |     |  +--rw (acl)?
      |     |  |  +--:(acl-number)
      |     |  |  |  +--rw acl-number?          uint32
      |     |  |  +--:(advance-acl)
      |     |  |     +--rw advance-acl?         string
      |     |  +--rw pfs?                       ike-crypto:ike-dh-group
      |     |  +--rw peer-name?                 ike-peer-name-ref
      |     |  +--rw (df-flag)?
      |     |  |  +--:(set)
      |     |  |  |  +--rw set?                 empty
      |     |  |  +--:(clear)
      |     |  |  |  +--rw clear?               empty
      |     |  |  +--:(copy)
      |     |  |     +--rw copy?                empty
      |     |  +--rw stateful-frag-check?       boolean
      |     |  +--rw life-time-kb?              uint32
      |     |  +--rw life-time-second?          uint32
      |     |  +--rw (anti-replay)?
      |     |  |  +--:(enable)
      |     |  |  |  +--rw enable?              empty
      |     |  |  |  +--rw (anti-replay-windows-size)?
      |     |  |  |     +--:(size-32)
      |     |  |  |     +--:(size-64)
      |     |  |  |     +--:(size-128)
      |     |  |  |     +--:(size-256)
      |     |  |  |     +--:(size-512)
      |     |  |  |     +--:(size-1024)
      |     |  |  +--:(disable)
      |     |  |     +--rw disable?             empty
      |     |  +--rw inbound-dscp?              uint16
      |     |  +--rw outbound-dscp?             uint16
      |     |  +--rw ipsec-proposal* [proposal-name]
      |     |     +--rw proposal-name           ipsec-proposal-name-ref
      |     +--:(template)
      |        +--rw template?                  empty
      |        +--rw template-name              ipsec-policy-template-name-ref
      +--rw policy-template-entries* [policy-name sequence-number]
         +--rw policy-name                      string
         +--rw sequence-number                  uint32
         +--rw local-address?                   inet:ip-address
         +--rw binding-interface-name?          string
         +--rw (acl)?
         |  +--:(acl-number)
         |  |  +--rw acl-number?                uint32
         |  +--:(advance-acl)
         |     +--rw advance-acl?               string
         +--rw pfs?                             ike-crypto:ike-dh-group
         +--rw peer-name?                       ike-peer-name-ref
         +--rw (df-flag)?
         |  +--:(set)
         |  |  +--rw set?                       empty
         |  +--:(clear)
         |  |  +--rw clear?                     empty
         |  +--:(copy)
         |     +--rw copy?                      empty
         +--rw stateful-frag-check?             boolean
         +--rw life-time-kb?                    uint32
         +--rw life-time-second?                uint32
         +--rw (anti-replay)?
         |  +--:(enable)
         |  |  +--rw enable?                    empty
         |  |  +--rw (anti-replay-windows-size)?
         |  |     +--:(size-32)
         |  |     +--:(size-64)
         |  |     +--:(size-128)
         |  |     +--:(size-256)
         |  |     +--:(size-512)
         |  |     +--:(size-1024)
         |  +--:(disable)
         |     +--rw disable?                   empty
         +--rw inbound-dscp?                    uint16
         +--rw outbound-dscp?                   uint16
         +--rw ipsec-proposal* [proposal-name]
            +--rw proposal-name                 ipsec-proposal-name-ref

2.2.6.  IPsec Interface Map Configuration

   The IPsec interface map container holds information about the
   interface on which an IPsec policy is applied: the IPsec policy
   name, tunnel protocol, tunnel name and whether UNR route generation
   is enabled.

   +--rw ipsec-interface-map
      +--rw policy-interface* [interface-name]
         +--rw interface-name         string
         +--rw policy-name            ipsec-policy-name-ref
         +--rw generate-unr-route?    boolean

2.3.  Operational State

   The operational state of IKE SAs and IPsec SAs can be queried from
   the respective containers.  All attributes in these containers are
   read-only and reflect run-time information about established SAs.

2.3.1.  IKE SA Container State

   The IKE SA container maintains information about established IKE
   SAs.  It is a run-time data structure holding, for each established
   SA, the SPIs, local and remote address, establishment time,
   remaining lifetime, DH group, authentication method, PRF, encryption
   algorithm and integrity algorithm.

   +--ro ike-sa
      +--ro ike-sa-entries* [initiator-spi responder-spi]
         +--ro remote-address?          inet:ip-address
         +--ro local-address?           inet:ip-address
         +--ro initiator-spi            uint64
         +--ro responder-spi            uint64
         +--ro remote-id?               string
         +--ro local-id?                string
         +--ro auth-method?             ike-auth-method
         +--ro integrity-algorithm?     ike-crypto:ike-integrity-algorithm
         +--ro encryption-algorithm?    ike-crypto:ike-encryption-algorithm
         +--ro prf-algorithm?           ike-crypto:ike-prf-algorithm
         +--ro dh-group?                ike-crypto:ike-dh-group
         +--ro sa-established-time?     string
         +--ro remaining-time?          uint32

2.3.2.  IPsec SA State

   The IPsec SA container maintains information about established IPsec
   SAs.
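   As an added worked example (not part of this draft and not code from
   its authors), the following Python writes out the constraints that
   Sections 2.2.2 to 2.2.6 state in YANG and applies them to constructed
   instance data shaped like the trees above: the "must" rules on the
   two proposal containers, the leafref typedefs that tie peers,
   policies and interfaces together, and a comparison of an
   ike-sa-entries item (Section 2.3.1) with the proposal referenced by
   its peer, which is the check an operator runs to notice an SA that
   was negotiated with parameters other than those configured.  The
   names in the constructed data, the identifier dh-group-14 and the
   WEAK_DH set are assumptions, since the ike-crypto module that
   defines the algorithm identifiers is not part of this document; the
   module's own default of dh-group-2 (IKE group 2, the 1024-bit MODP
   group) is one a practitioner would not leave in place.

```python
"""Instance-data checks for the ietf-ike model (added example, not part of
the draft): the 'must' rules, defaults and leafref typedefs of Section 2.2
in plain Python, run over constructed data shaped like the trees above.
Identifiers such as 'dh-group-14' are assumed; the ike-crypto module that
defines them is not part of this document."""

IPSEC_DEFAULTS = {"ah-authentication-algorithm": "sha2-256",
                  "esp-authentication-algorithm": "sha2-256",
                  "esp-encryption-algorithm": "aes-256"}
IKE_DEFAULTS = {"auth-method": "pre-share", "integrity-algorithm": "hmac-sha2-256",
                "encrypt-algorithm": "aes-cbc-256", "prf-algorithm": "hmac-sha2-256",
                "dh-group": "dh-group-2"}
WEAK_DH = {"dh-group-1", "dh-group-2"}  # assumed names for the 768/1024-bit MODP groups


def check_ipsec_proposal(entry):
    """Errors for one ipsec-proposal-entries item (choice 'protocol', default esp)."""
    p = {**IPSEC_DEFAULTS, **entry}
    name = p["proposal-name"]
    if "ah" in p:  # case ah: AH is integrity-only, so a null algorithm protects nothing
        return ([f"{name}: AH authentication algorithm MUST NOT be null"]
                if p["ah-authentication-algorithm"] == "null" else [])
    if p["esp-authentication-algorithm"] == "null" and p["esp-encryption-algorithm"] == "null":
        return [f"{name}: ESP authentication and encryption algorithm cannot both be null"]
    return []


def check_ike_proposal(entry):
    """Errors for one ike-proposal-entries item (the dh-group 'must' statement)."""
    p = {**IKE_DEFAULTS, **entry}
    if p["dh-group"] == "dh-group-none":
        return [f"proposal {p['proposal-number']}: DH group MUST be configured"]
    return []


def check_references(config):
    """Leafref integrity for the *-ref typedefs: every reference must resolve."""
    ike_props = {p["proposal-number"] for p in config["ike-proposal"]["ike-proposal-entries"]}
    ipsec_props = {p["proposal-name"] for p in config["ipsec-proposal"]["ipsec-proposal-entries"]}
    peers = {p["peer-name"] for p in config["ike-peer"]["ike-peer-entries"]}
    policies = config["ipsec-policy"]["policy-entries"]
    errors = [f"peer {p['peer-name']}: ike-proposal-number does not resolve"
              for p in config["ike-peer"]["ike-peer-entries"]
              if p.get("ike-proposal-number") not in ike_props]
    for pol in policies:
        if "isakmp" not in pol:  # case template: only a template-name, not checked here
            continue
        tag = f"policy {pol['policy-name']}/{pol['sequence-number']}"
        if pol.get("peer-name") not in peers:
            errors.append(f"{tag}: peer-name does not resolve")
        errors += [f"{tag}: ipsec-proposal {r['proposal-name']} does not resolve"
                   for r in pol.get("ipsec-proposal", []) if r["proposal-name"] not in ipsec_props]
    errors += [f"interface {m['interface-name']}: policy-name does not resolve"
               for m in config["ipsec-interface-map"]["policy-interface"]
               if m["policy-name"] not in {p["policy-name"] for p in policies}]
    return errors


def audit_ike_sa(sa, config):
    """Compare an ike-sa-entries item with the proposal of its peer; a mismatch is
    how a negotiation that ended up weaker than configured shows in state data."""
    spi = f"SA {sa['initiator-spi']:016x}/{sa['responder-spi']:016x}"
    peer = next((p for p in config["ike-peer"]["ike-peer-entries"]
                 if p.get("remote-id") == sa.get("remote-id")), None)
    if peer is None:
        return [f"{spi}: no ike-peer with remote-id {sa.get('remote-id')!r}"]
    prop = next((p for p in config["ike-proposal"]["ike-proposal-entries"]
                 if p["proposal-number"] == peer.get("ike-proposal-number")), {})
    expected = {**IKE_DEFAULTS, **prop}
    # state leaf -> proposal leaf; the two trees spell the encryption leaf differently
    pairs = {"auth-method": "auth-method", "integrity-algorithm": "integrity-algorithm",
             "encryption-algorithm": "encrypt-algorithm", "prf-algorithm": "prf-algorithm",
             "dh-group": "dh-group"}
    findings = [f"{spi}: {s} is {sa.get(s)}, proposal {prop.get('proposal-number')} says {expected[c]}"
                for s, c in pairs.items() if sa.get(s) != expected[c]]
    if sa.get("dh-group") in WEAK_DH:
        findings.append(f"{spi}: negotiated {sa['dh-group']} is too small for new deployments")
    return findings


# Constructed instance data, shaped like the trees of Sections 2.2 and 2.3.1.
CONFIG = {
    "ipsec-proposal": {"ipsec-proposal-entries": [
        {"proposal-name": "esp-default", "esp": None},
        {"proposal-name": "esp-null", "esp": None, "esp-authentication-algorithm": "null",
         "esp-encryption-algorithm": "null"},
        {"proposal-name": "ah-null", "ah": None, "ah-authentication-algorithm": "null"}]},
    "ike-proposal": {"ike-proposal-entries": [
        {"proposal-number": 10, "dh-group": "dh-group-14"},
        {"proposal-number": 20, "dh-group": "dh-group-none"}]},
    "ike-peer": {"ike-peer-entries": [
        {"peer-name": "branch1", "ike-proposal-number": 10, "remote-id": "branch1.example.net"},
        {"peer-name": "branch2", "ike-proposal-number": 30, "remote-id": "branch2.example.net"}]},
    "ipsec-policy": {"policy-entries": [
        {"policy-name": "p1", "sequence-number": 10, "isakmp": None, "peer-name": "branch1",
         "ipsec-proposal": [{"proposal-name": "esp-default"}]},
        {"policy-name": "p2", "sequence-number": 10, "isakmp": None, "peer-name": "nobody",
         "ipsec-proposal": [{"proposal-name": "missing"}]}]},
    "ipsec-interface-map": {"policy-interface": [
        {"interface-name": "GigabitEthernet0/0/1", "policy-name": "p1"},
        {"interface-name": "Tunnel0", "policy-name": "p9"}]}}
IKE_SA = {"initiator-spi": 0x1122334455667788, "responder-spi": 0x8877665544332211,
          "remote-id": "branch1.example.net", "auth-method": "pre-share",
          "integrity-algorithm": "hmac-sha2-256", "encryption-algorithm": "aes-cbc-256",
          "prf-algorithm": "hmac-sha2-256", "dh-group": "dh-group-2"}

if __name__ == "__main__":
    print(*check_references(CONFIG), *audit_ike_sa(IKE_SA, CONFIG), sep="\n")
```

   In practice the two dicts would be the decoded replies of a NETCONF
   <get-config> and <get>; the constructed ones contain one valid and
   two invalid IPsec proposals, a dangling peer, policy and interface
   reference, and an IKE SA that came up with dh-group-2 although its
   peer's proposal asks for dh-group-14, so that each check has
   something to report.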
   It is a run-time data structure holding, for each established SA,
   the SPI, local and remote address, remaining lifetime and protocol.

   +--ro ipsec-sa
      +--ro ipsec-sa-entries*
         +--ro remote-address?    inet:ip-address
         +--ro local-address?     inet:ip-address
         +--ro responder-spi?     uint32
         +--ro remaining-time?    uint32

2.4.  Actions

   This model defines RPCs that perform an action or execute a command
   on the protocol, for example clearing (resetting) IKE SAs, IPsec SAs
   or statistics.  The model provides several levels of control, so
   that a user can clear all SAs, all SAs of a given type, or one
   specific entity.

2.4.1.  IKE SA reset action

   This operation deletes IKE SAs.  Without input it deletes all IKE
   SAs; with a peer ID or a peer address it deletes only the SAs of
   that peer.

   +---x reset-ike-sa
      +---w input
      |  +---w (peer-info)?
      |     +--:(peer-id)
      |     |  +---w peer-id?        string
      |     +--:(peer-address)
      |        +---w peer-address?   inet:ip-address
      +--ro output
         +--ro status?   string

2.4.2.  IPsec SA reset action

   This operation deletes IPsec SAs.  Without input it deletes all
   IPsec SAs; otherwise it deletes one SA identified by peer, protocol
   and SPI, all SAs of a remote peer, or all SAs of an IPsec policy.

   +---x reset-ipsec-sa
      +---w input
      |  +---w (sa-info)?
      |     +--:(parameters)
      |     |  +---w (peer-info)
      |     |  |  +--:(peer-id)
      |     |  |  |  +---w peer-id?        string
      |     |  |  +--:(peer-address)
      |     |  |     +---w peer-address?   inet:ip-address
      |     |  +---w protocol              ipsec-type:ipsec-protocol
      |     |  +---w spi                   ipsec-type:ipsec-spi
      |     +--:(remote-peer)
      |     |  +---w remote-peer
      |     |     +---w (peer-info)?
      |     |        +--:(peer-id)
      |     |        |  +---w peer-id?        string
      |     |        +--:(peer-address)
      |     |           +---w peer-address?   inet:ip-address
      |     +--:(policy)
      |        +---w policy?   ipsec-policy-name-ref
      +--ro output
         +--ro status?   string

2.5.  Notifications

   This model defines notifications that inform the client of important
   events detected during protocol operation, such as changes in the
   operational state of an IKE SA, an IPsec SA, or statistics.

2.5.1.  DPD failure

   This notification is sent to the NETCONF client when a peer does not
   respond to DPD keep-alive messages.

   +---n dpd-failure
      +--ro peer-id?   string

2.5.2.  Peer Authentication failure

   This notification is sent to the NETCONF client when peer
   authentication has failed, for example because of an invalid key,
   certificate or ID.

   +---n peer-authentication-failure
      +--ro peer-id?   string

2.5.3.  IKE Reauth failure

   This notification is sent to the NETCONF client when
   reauthentication of the peer has failed.  Reauthentication can fail
   for many reasons: a proposal mismatch during the reauthentication
   procedure, packet loss, a dead peer and so on.

   +---n ike-reauth-failure
      +--ro peer-id?   string

2.5.4.  IKE Rekey failure

   This notification is sent to the NETCONF client when an IKE SA rekey
   has failed.  A rekey refreshes the keys of the IKE SA.  It can fail
   because of a proposal mismatch during the rekey procedure, packet
   loss, a dead peer and so on.

   +---n ike-rekey-failure
      +--ro peer-id?     string
      +--ro old-i-spi?   uint64
      +--ro old-r-spi?   uint64

2.5.5.  IPsec Rekey failure

   This notification is sent to the NETCONF client when an IPsec SA
   rekey has failed.  A rekey refreshes the keys of the IPsec SA.  It
   can fail because of a proposal mismatch during the rekey procedure,
   packet loss, a dead peer and so on.

   +---n ipsec-rekey-failure
      +--ro peer-id?             string
      +--ro old-inbound-spi?     ipsec-type:ipsec-spi
      +--ro old-outbound-spi?    ipsec-type:ipsec-spi

3.  IKE Yang Module

   So that the algorithm part can be upgraded on its own, the base data
   model and the algorithm part are defined as two separate modules.

3.1.  IKE Basic Yang Module

   module ietf-ike {
     namespace "urn:ietf:params:xml:ns:yang:ietf-ike";
     // replace with IANA namespace when assigned
     prefix "ike";

     import "ietf-ipsec-crypto" {
       prefix "ipsec-crypto";
     }

     import "ietf-ike-crypto" {
       prefix "ike-crypto";
     }

     import "ietf-inet-types" {
       prefix "inet";
     }

     import "ietf-ipsec-type" {
       prefix "ipsec-type";
     }

     import "ietf-ipsec" {
       prefix "ipsec";
     }

     organization "Huawei Technologies India Pvt Ltd";
     contact "stonewater.wang@huawei.com";
     description "IKE YANG module definition.";

     revision 2015-04-18 {
       description "Initial revision.";
       reference "RFC XXXX: IKE Yang Modules";
     }

     grouping ipsec-common-configuration {
       choice df-flag {
         default copy;
         case set {
           leaf set {
             type empty;
             description
               "Set the DF bit when encapsulating into the IPsec tunnel.";
           }
         }
         case clear {
           leaf clear {
             type empty;
             description
               "Clear the DF bit when encapsulating into the IPsec tunnel.";
           }
         }
         case copy {
           leaf copy {
             type empty;
             description
               "Copy the DF bit of the inner IP header.";
           }
         }
         description
           "How to handle the DF bit when encapsulating into the IPsec
            tunnel.";
       }
       leaf stateful-frag-check {
         type boolean;
         default false;
         description "Whether stateful fragment checking applies.";
       }
       leaf life-time-kb {
         type uint32;
         units "KB";
         default 2000000;
         description "IPsec SA lifetime in KB.";
       }
       leaf life-time-second {
         type uint32;
         units "Second";
         default 18400;
         description "IPsec SA lifetime in seconds.";
       }
       choice anti-replay {
         default enable;
         case enable {
           leaf enable {
             type empty;
             description "Enable anti-replay.";
           }
           choice anti-replay-windows-size {
             case size-32;
             case size-64;
             case size-128;
             case size-256;
             case size-512;
             case size-1024;
             default size-1024;
             description "The size of the anti-replay window.";
           }
         }
         case disable {
           leaf disable {
             type empty;
             description "Disable anti-replay.";
           }
         }
         description "Whether anti-replay is enabled or disabled.";
       }

       leaf inbound-dscp {
         type uint16 {
           range "0..63";
         }
         default 0;
         description "Inbound DSCP value.";
       }
       leaf outbound-dscp {
         type uint16 {
           range "0..63";
         }
         default 0;
         description "Outbound DSCP value.";
       }
       description "Common IPsec configuration.";
     }

     grouping choose-ipsec-peer {
       choice peer-info {
         case peer-id {
           leaf peer-id {
             type string;
             description "Peer ID.";
           }
         }
         case peer-address {
           leaf peer-address {
             type inet:ip-address;
             description "Peer IP address.";
           }
         }
         description "Reset according to peer information.";
       }
       description "IKE peer information used by a reset operation.";
     }

     typedef ike-peer-name-ref {
       type leafref {
         path "/ike-peer/ike-peer-entries/peer-name";
       }
       description "Reference to an IKE peer name.";
     }

     typedef ike-proposal-number-ref {
       type leafref {
         path "/ike-proposal/ike-proposal-entries/proposal-number";
       }
       description "Reference to an IKE proposal number.";
     }

     typedef ipsec-proposal-name-ref {
       type leafref {
         path "/ipsec-proposal/ipsec-proposal-entries/proposal-name";
       }
       description "Reference to an IPsec proposal name.";
     }

     typedef ipsec-policy-template-name-ref {
       type leafref {
         path "/ipsec-policy/policy-template-entries/policy-name";
       }
       description "Reference to an IPsec policy template name.";
     }

     typedef ike-auth-method {
       type enumeration {
         enum pre-share {
           description
             "Pre-shared key as the authentication method.";
         }
         enum rsa-digital-signature {
           description "RSA digital signature as the authentication method.";
         }
         enum dss-digital-signature {
           description "DSS digital signature as the authentication method.";
         }
       }
       description "IKE authentication methods.";
     }

     typedef ipsec-policy-name-ref {
       type leafref {
         path "/ipsec-policy/policy-entries/policy-name";
       }
       description "Reference to an IPsec policy name.";
     }

     container ike-global-configuration {
       description "Global IKE configuration.";

       uses ipsec-common-configuration;

       leaf local-name {
         type string;
         description
           "Global local name.  If it is not configured, the IP address
            is used.  A local name configured for a specific peer
            overrides the global name when negotiating with that peer.";
       }
       leaf nat-keepalive-interval {
         type uint16 {
           range "5..300";
         }
         units "Seconds";
         default 20;
         description "Global NAT keepalive interval.";
       }
       leaf dpd-interval {
         type uint16 {
           range "10..3600";
         }
         units "Seconds";
         default 30;
         description "Global DPD interval.";
       }
     }

     container ipsec-proposal {
       description "IPsec proposal information.";

       list ipsec-proposal-entries {
         key "proposal-name";
         description "IPsec proposal information.";

         leaf proposal-name {
           type string;
           mandatory true;
           description "Name of the IPsec proposal.";
         }
         choice protocol {
           default esp;
           case ah {
             leaf ah {
               type empty;
               mandatory true;
               description "Choose AH as the IPsec protocol.";
             }
             leaf ah-authentication-algorithm {
               type ipsec-crypto:ipsec-authentication-algorithm;
               // The XPath context node of a leaf's 'must' is the leaf
               // itself, so the value is addressed as '.'; naming the
               // leaf would select a (non-existent) child node.
               must ". != 'null'" {
                 error-message "AH authentication algorithm MUST NOT be null";
                 description "AH authentication algorithm MUST NOT be null";
               }
               default sha2-256;
               description "IPsec authentication algorithm for AH.";
             }
             description "Choose AH as the IPsec protocol.";
           }
           case esp {
             leaf esp {
               type empty;
               description "Choose ESP as the IPsec protocol.";
             }
             leaf esp-authentication-algorithm {
               type ipsec-crypto:ipsec-authentication-algorithm;
               default sha2-256;
               description "IPsec authentication algorithm for ESP.";
             }
             leaf esp-encryption-algorithm {
               type ipsec-crypto:ipsec-encryption-algorithm;
               default aes-256;
               description "IPsec encryption algorithm for ESP.";
             }
             description "Choose ESP as the IPsec protocol.";
           }
           description "Choose the IPsec protocol.";
         }
         // 'must' is not a valid substatement of 'case', so the ESP
         // constraint is placed on the list entry and only applies
         // when the esp case is selected.
         must "not(esp) or esp-authentication-algorithm != 'null' or esp-encryption-algorithm != 'null'" {
           error-message "ESP authentication algorithm and encryption algorithm can not both be null";
           description "ESP authentication algorithm and encryption algorithm can not both be null";
         }
       } //End of IPsecProposalEntries
     } //End of IPsec Proposal

     container ike-proposal {
       description "IKE proposal information.";

       list ike-proposal-entries {
         key "proposal-number";
         description "IKE proposal information.";

         leaf proposal-number {
           type uint32;
           mandatory true;
           description "Sequence number of the IKE proposal.";
         }
         leaf auth-method {
           type ike-auth-method;
           default pre-share;
           description "Authentication method of the IKE peer.";
         }
         leaf integrity-algorithm {
           type ike-crypto:ike-integrity-algorithm;
           default hmac-sha2-256;
           description "Integrity algorithm of the IKE protocol.";
         }
         leaf encrypt-algorithm {
           type ike-crypto:ike-encryption-algorithm;
           default aes-cbc-256;
           description "Encryption algorithm of the IKE protocol.";
         }
         leaf prf-algorithm {
           type ike-crypto:ike-prf-algorithm;
           default hmac-sha2-256;
           description "PRF algorithm of the IKE protocol.";
         }
         leaf dh-group {
           type ike-crypto:ike-dh-group;
           // Same context-node rule as above: '.' is this leaf's value.
           must ". != 'dh-group-none'" {
             error-message "DH Group MUST be configured";
             description "DH Group MUST be configured";
           }
           default dh-group-2;
           description "DH group of the IKE protocol.";
         }
         leaf reauth-interval {
           type uint32 {
             range "60..604800";
           }
           units "Seconds";
           default 86400;
           description "Reauthentication interval of the IKE protocol.";
         }
         leaf life-time {
           type uint32 {
             range "60..604800";
           }
           units "Seconds";
           default 86400;
           description "IKE SA lifetime.";
         }
       } //End of IKEProposal
     }

     container ike-peer {
       description "IKE peer information.";

       list ike-peer-entries {
         key "peer-name";
         description "IKE peer information.";

         leaf peer-name {
           type string;
           mandatory true;
           description "Name of the IKE peer.";
         }
         leaf ike-proposal-number {
           type ike-proposal-number-ref;
           description "IKE proposal number referenced by the IKE peer.";
         }
         leaf PresharedKey {
           type string;
           description "Pre-shared key.";
         }
         leaf nat-traversal {
           type boolean;
           default false;
           description "Enable/disable NAT traversal.";
         }
         choice local-id-type {
           default ip;
           case ip {
             leaf ip {
               type empty;
               description "IP address.";
             }
           }
           case fqdn {
             leaf fqdn {
               type empty;
               description "Fully qualified domain name.";
             }
           }
           case dn {
             leaf dn {
               type empty;
               description "Distinguished name.";
             }
           }
           case user_fqdn {
             leaf user_fqdn {
               type empty;
               description "User FQDN.";
             }
           }
           description "Local ID type.";
         }
         leaf local-id {
           type string;
           description
             "Local ID name.  Ignored when IP is used as the local ID
              type.  If it is not configured, the global local name is
              used.";
         }
         leaf remote-id {
           type string;
           description "ID of the IKE peer.";
         }
         leaf low-remote-address {
           type inet:ip-address;
           description "Low end of the remote address range.";
         }
         leaf high-remote-address {
           type inet:ip-address;
           description "High end of the remote address range.";
         }
         leaf certificate {
           type string;
           description "Certificate file name.";
         }
         leaf auth-address-begin {
           type inet:ip-address;
           description "Beginning of the authenticated peer address range.";
         }
         leaf auth-address-end {
           type inet:ip-address;
           description "End of the authenticated peer address range.";
         }
       }
     } //End of IKEPeerEntries

     container ipsec-policy {
       description "IPsec policy information.";

       grouping policy-content {
         leaf local-address {
           type inet:ip-address;
           description
             "Local address used by IKE when negotiating with the peer.
              If it is not configured, the address of the interface
              bound to this IPsec policy is used.";
         }
         leaf binding-interface-name {
           type string;
           description "The interface the policy is already bound to.";
         }
         choice acl {
           case acl-number {
             leaf acl-number {
               type uint32 {
                 range "3000..3999";
               }
               description "Common ACL used as the IPsec traffic selector.";
             }
           }
           case advance-acl {
             leaf advance-acl {
               type string {
                 length "1..32";
               }
               description "Advanced ACL used as the IPsec traffic selector.";
             }
           }
           description "ACL used as the IPsec traffic selector.";
         }
         leaf pfs {
           type ike-crypto:ike-dh-group;
           default dh-group-none;
           description
             "DH group for an additional exchange when creating the IPsec
              SA, to provide perfect forward secrecy independent of the
              IKE SA.";
         }
         leaf peer-name {
           type ike-peer-name-ref;
           description "The IKE peer bound to this policy.";
         }
         uses ipsec-common-configuration {
           description "The common configuration of the IPsec SA";
         }
         list ipsec-proposal {
           key "proposal-name";
           max-elements "6";
           description "The IPsec proposals bound to the policy";

           leaf proposal-name {
             type ipsec-proposal-name-ref;
             description "Name of an IPsec proposal bound to the policy";
           }
         }
         description "IPsec policy content";
       }

       list policy-entries {
         key "policy-name sequence-number";
         description "IPsec policy information";

         leaf policy-name {
           type string;
           mandatory true;
           description "IPsec policy group name";
         }
         leaf sequence-number {
           type uint32;
           mandatory true;
           description "IPsec policy sequence number";
         }
         choice policy-mode {
           case isakmp {
             leaf isakmp {
               type empty;
               description "Common ISAKMP IPsec policy";
             }
             uses policy-content {
               description "Common IPsec policy content";
             }
           }
           case template {
             leaf template {
               type empty;
               description "ISAKMP IPsec policy created from a template";
             }
             leaf template-name {
               type ipsec-policy-template-name-ref;
               mandatory true;
               description
                 "Name of the IPsec policy template used to create this
                  policy";
             }
           }
           default isakmp;
           description "IPsec policy mode";
         }
       }

       list policy-template-entries {
         key "policy-name sequence-number";
         description "IPsec policy template definition";

         leaf policy-name {
           type string {
             length "1..15";
           }
           mandatory true;
           description "IPsec policy template name";
         }
         leaf sequence-number {
           type uint32;
           mandatory true;
           description "Sequence number of the policy template";
         }
         uses policy-content {
           description "Common IPsec policy content";
         }
       }
     } // End of ipsec-policy

     container ipsec-interface-map {
       description "The mapping between IPsec policies and interfaces";

       list policy-interface {
         key "interface-name";
         description "The mapping between an IPsec policy and an interface";

         leaf interface-name {
           type string;
           mandatory true;
           description "Name of the interface to which the IPsec policy is bound";
         }
         leaf policy-name {
           type ipsec-policy-name-ref;
           mandatory true;
           description "IPsec policy name";
         }
         leaf generate-unr-route {
           type boolean;
           default false;
           description "Whether to generate a UNR route";
         }
       }
     }

     container ike-sa {
       config false;
       description "IKE SA information";

       list ike-sa-entries {
         key "initiator-spi responder-spi";
         description "IKE SA information";

         leaf remote-address {
           type inet:ip-address;
           description "The IP address of the remote peer";
         }
         leaf local-address {
           type inet:ip-address;
           description "The local IP address";
         }
         leaf initiator-spi {
           type uint64;
           description "The SPI of the initiator";
         }
         leaf responder-spi {
           type uint64;
           description "The SPI of the responder";
         }
         leaf remote-id {
           type string;
           description "The ID of the remote peer";
         }
         leaf local-id {
           type string;
           description "The local ID";
         }
         leaf auth-method {
           type ike-auth-method;
           description "The authentication method of the IKE peer";
         }
         leaf integrity-algorithm {
           type ike-crypto:ike-integrity-algorithm;
           description "The integrity algorithm chosen by IKE negotiation";
         }
         leaf encryption-algorithm {
           type ike-crypto:ike-encryption-algorithm;
           description "The encryption algorithm chosen by IKE negotiation";
         }
         leaf prf-algorithm {
           type ike-crypto:ike-prf-algorithm;
           description "The PRF algorithm chosen by IKE negotiation";
         }
         leaf dh-group {
           type ike-crypto:ike-dh-group;
           description "The DH group chosen by IKE negotiation";
         }
         leaf sa-established-time {
           type string;
           description "The time at which the IKE SA was established";
         }
         leaf remaining-time {
           type uint32;
           description "The remaining lifetime of the IKE SA";
         }
       }
     }

     container ipsec-sa {
       config false;
       description "IPsec SA information";

       list ipsec-sa-entries {
         description "IPsec SA information";

         leaf remote-address {
           type inet:ip-address;
           description "The IP address of the remote tunnel end-point";
         }
         leaf local-address {
           type inet:ip-address;
           description "The IP address of the local tunnel end-point";
         }
         leaf responder-spi {
           type uint32;
           description "The SPI of the responder";
         }
         leaf remaining-time {
           type uint32;
           description "The remaining lifetime of the IPsec SA";
         }
       }
     }

     rpc reset-ike-sa {
       description "Reset IKE SA";
       input {
         // 'description' is not a valid substatement of 'input'; the
         // operation is described on the rpc statement above.
         uses choose-ipsec-peer;
       }
       output {
         leaf status {
           type string;
           description "Operation status";
         }
       }
     }

     rpc reset-ipsec-sa {
       description "Reset IPsec SA";
       input {
         choice sa-info {
           case parameters {
             uses choose-ipsec-peer {
               refine "peer-info" {
                 mandatory true;
               }
             }
             leaf protocol {
               type ipsec-type:ipsec-protocol;
               mandatory true;
               description "SA protocol";
             }
             leaf spi {
               type ipsec-type:ipsec-spi;
               mandatory true;
               description "SA SPI";
             }
             description "Reset according to the given peer, protocol and SPI";
           }
           case remote-peer {
             container remote-peer {
               uses choose-ipsec-peer;
               description "Reset according to the remote peer";
             }
           }
           case policy {
             leaf policy {
               type ipsec-policy-name-ref;
               description "Reset according to the IPsec policy name";
             }
           }
           description "Reset according to the selected criteria";
         }
       }
       output {
         leaf status {
           type string;
           description "Operation status";
         }
       }
     }

     notification dpd-failure {
       description "IKE peer DPD detection failure";
       leaf peer-id {
         type string;
         description "Peer ID";
       }
     }

     notification peer-authentication-failure {
       description "Peer authentication failed during negotiation";
       leaf peer-id {
         type string;
         description "The ID of the remote peer";
       }
     }

     notification ike-reauth-failure {
       description "IKE peer reauthentication failure";
       leaf peer-id {
         type string;
         description "The ID of the remote peer";
       }
     }

     notification ike-rekey-failure {
       description "IKE SA rekey failure";
       leaf peer-id {
         type string;
         description "The ID of the remote peer";
       }
       leaf old-i-spi {
         type uint64;
         description "Initiator SPI of the old IKE SA";
       }
       leaf old-r-spi {
         type uint64;
         description "Responder SPI of the old IKE SA";
       }
     }

     notification ipsec-rekey-failure {
       description "IPsec SA rekey failure";
       leaf peer-id {
         type string;
         description "The ID of the remote peer";
       }
       leaf old-inbound-spi {
         type ipsec-type:ipsec-spi;
         description "Old inbound SPI";
       }
       leaf old-outbound-spi {
         type ipsec-type:ipsec-spi;
         description "Old outbound SPI";
       }
     }
   }
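   As an added example that is not part of this draft, the following
   Python checks a constructed instance document against the constraints
   the ietf-ike module above states: the dh-group and ESP must
   statements, the 60..604800 timer ranges, the 3000..3999 ACL range,
   and the referential leaves (ike-proposal-number-ref and
   ike-peer-name-ref are assumed here to be leafrefs into the lists they
   name).  It also flags algorithm values from the ietf-ike-crypto
   enumerations of Section 3.2 that this example's own policy treats as
   weak.  The namespace and element names come from the module and the
   IANA registration in Section 4; the sample payload, the weak-algorithm
   set and the finding texts are this example's, not the draft's.

```python
# Added example (not from the draft): validate an ietf-ike instance document
# against the must/range/default statements of the module above.
import xml.etree.ElementTree as ET

IKE_NS = "urn:ietf:params:xml:ns:yang:ietf-ike"  # namespace from Section 4
q = lambda tag: "{%s}%s" % (IKE_NS, tag)  # qualify a local name


def leaf(elem, tag, default=None):
    """Text of a direct child leaf, or the module default when it is absent."""
    child = elem.find(q(tag))
    return default if child is None or child.text is None else child.text.strip()


# Constructed edit-config content, not a real configuration.  Proposal 20,
# peer "orphan", proposal "esp-null" and policy site/2 each break a constraint.
SAMPLE = """<config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<ike-proposal xmlns="urn:ietf:params:xml:ns:yang:ietf-ike">
 <ike-proposal-entries><proposal-number>10</proposal-number><dh-group>dh-group-14</dh-group>
  <encrypt-algorithm>aes-cbc-256</encrypt-algorithm><life-time>28800</life-time></ike-proposal-entries>
 <ike-proposal-entries><proposal-number>20</proposal-number><dh-group>dh-group-none</dh-group>
  <encrypt-algorithm>des-cbc</encrypt-algorithm><reauth-interval>30</reauth-interval></ike-proposal-entries>
</ike-proposal>
<ike-peer xmlns="urn:ietf:params:xml:ns:yang:ietf-ike">
 <ike-peer-entries><peer-name>branch</peer-name><ike-proposal-number>10</ike-proposal-number>
  <PresharedKey>example-only</PresharedKey></ike-peer-entries>
 <ike-peer-entries><peer-name>orphan</peer-name><ike-proposal-number>30</ike-proposal-number></ike-peer-entries>
</ike-peer>
<ipsec-proposal xmlns="urn:ietf:params:xml:ns:yang:ietf-ike">
 <ipsec-proposal-entries><proposal-name>esp-aes</proposal-name><esp/>
  <esp-encryption-algorithm>aes-256</esp-encryption-algorithm></ipsec-proposal-entries>
 <ipsec-proposal-entries><proposal-name>esp-null</proposal-name><esp/>
  <esp-authentication-algorithm>null</esp-authentication-algorithm>
  <esp-encryption-algorithm>null</esp-encryption-algorithm></ipsec-proposal-entries>
</ipsec-proposal>
<ipsec-policy xmlns="urn:ietf:params:xml:ns:yang:ietf-ike">
 <policy-entries><policy-name>site</policy-name><sequence-number>1</sequence-number><isakmp/>
  <acl-number>3001</acl-number><peer-name>branch</peer-name>
  <ipsec-proposal><proposal-name>esp-aes</proposal-name></ipsec-proposal></policy-entries>
 <policy-entries><policy-name>site</policy-name><sequence-number>2</sequence-number><isakmp/>
  <acl-number>2000</acl-number><peer-name>nobody</peer-name></policy-entries>
</ipsec-policy>
</config>"""

# Constraints copied from the module (must, range, defaults).
TIMER_RANGE = (60, 604800)
ACL_RANGE = (3000, 3999)
IKE_DEFAULTS = {"encrypt-algorithm": "aes-cbc-256", "dh-group": "dh-group-2",
                "integrity-algorithm": "hmac-sha2-256", "prf-algorithm": "hmac-sha2-256"}
# This example's own deployment policy, not the draft's: enumeration values
# from ietf-ike-crypto that should no longer be negotiated.
WEAK = {"des-cbc", "hmac-md5-96", "hmac-sha1-96", "dh-group-1", "dh-group-2"}


def validate(xml_text):
    """Return a list of 'error: ...', 'warning: ...' and 'info: ...' findings."""
    root = ET.fromstring(xml_text)
    out, proposals, peers, ipsec_props = [], set(), set(), set()
    for e in root.iter(q("ike-proposal-entries")):
        num = leaf(e, "proposal-number")
        proposals.add(num)
        if leaf(e, "dh-group", IKE_DEFAULTS["dh-group"]) == "dh-group-none":
            out.append(f"error: ike-proposal {num}: DH Group MUST be configured")
        for name, dflt in IKE_DEFAULTS.items():
            if leaf(e, name, dflt) in WEAK:
                out.append(f"warning: ike-proposal {num}: {name} {leaf(e, name, dflt)} is weak")
        for name in ("reauth-interval", "life-time"):
            val = leaf(e, name)
            if val is not None and not TIMER_RANGE[0] <= int(val) <= TIMER_RANGE[1]:
                out.append(f"error: ike-proposal {num}: {name} {val} outside 60..604800")
    for e in root.iter(q("ike-peer-entries")):
        name = leaf(e, "peer-name")
        peers.add(name)
        ref = leaf(e, "ike-proposal-number")  # ike-proposal-number-ref assumed a leafref
        if ref is not None and ref not in proposals:
            out.append(f"error: ike-peer {name}: ike-proposal-number {ref} does not exist")
        if leaf(e, "PresharedKey") is not None:
            out.append(f"info: ike-peer {name}: PresharedKey is readable config data; restrict it with NACM")
    for e in root.iter(q("ipsec-proposal-entries")):
        name = leaf(e, "proposal-name")
        ipsec_props.add(name)
        # esp is the default case of 'choice protocol'; ah is signalled by leaf ah
        if (e.find(q("ah")) is None
                and leaf(e, "esp-authentication-algorithm", "sha2-256") == "null"
                and leaf(e, "esp-encryption-algorithm", "aes-256") == "null"):
            out.append(f"error: ipsec-proposal {name}: ESP authentication and encryption algorithms cannot both be null")
    for e in root.iter(q("policy-entries")):
        key = leaf(e, "policy-name") + "/" + leaf(e, "sequence-number")
        acl = leaf(e, "acl-number")
        if acl is not None and not ACL_RANGE[0] <= int(acl) <= ACL_RANGE[1]:
            out.append(f"error: ipsec-policy {key}: acl-number {acl} outside 3000..3999")
        peer = leaf(e, "peer-name")
        if peer is not None and peer not in peers:
            out.append(f"error: ipsec-policy {key}: peer-name {peer} does not exist")
        for p in e.findall(q("ipsec-proposal")):
            if leaf(p, "proposal-name") not in ipsec_props:
                out.append(f"error: ipsec-policy {key}: ipsec-proposal {leaf(p, 'proposal-name')} does not exist")
    return out
```

   Running validate(SAMPLE) yields six errors, one warning and one
   informational finding; a server implementing the module would reject
   the same payload at edit-config time for the must and range
   violations, while the weak-algorithm warnings and the pre-shared-key
   note are the kind of check an operator runs before committing.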
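   A second added example, again not the draft's code: it consumes the
   dpd-failure, peer-authentication-failure and ike-rekey-failure
   notifications defined above as they would arrive inside RFC 5277
   notification wrappers, raises an alert once one peer-id has failed
   authentication repeatedly, and builds the reset-ipsec-sa RPC using
   its policy case.  The event stream, the peer identifiers and the
   threshold of three failures are constructed for the example.

```python
# Added example (not from the draft): consume the notifications the module
# defines and build its reset-ipsec-sa RPC.  The wrappers follow RFC 5277 and
# RFC 6241; the event payloads below are constructed, not captured.
import xml.etree.ElementTree as ET
from collections import Counter
from xml.sax.saxutils import escape

IKE_NS = "urn:ietf:params:xml:ns:yang:ietf-ike"
NOTIF_NS = "urn:ietf:params:xml:ns:netconf:notification:1.0"
BASE_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"


def wrap(when, body):
    """RFC 5277 <notification> element carrying one ietf-ike event."""
    return f'<notification xmlns="{NOTIF_NS}"><eventTime>{when}</eventTime>{body}</notification>'


def auth_failure(when, peer_id):
    return wrap(when, f'<peer-authentication-failure xmlns="{IKE_NS}">'
                      f'<peer-id>{peer_id}</peer-id></peer-authentication-failure>')


# Constructed stream: one address failing authentication three times, then a
# DPD loss and an IKE rekey failure for the peer named "branch".
STREAM = [
    auth_failure("2015-05-22T10:00:01Z", "203.0.113.7"),
    auth_failure("2015-05-22T10:00:09Z", "203.0.113.7"),
    auth_failure("2015-05-22T10:00:20Z", "203.0.113.7"),
    wrap("2015-05-22T10:02:00Z",
         f'<dpd-failure xmlns="{IKE_NS}"><peer-id>branch</peer-id></dpd-failure>'),
    wrap("2015-05-22T10:05:00Z",
         f'<ike-rekey-failure xmlns="{IKE_NS}"><peer-id>branch</peer-id>'
         '<old-i-spi>1311768467463790320</old-i-spi>'
         '<old-r-spi>81985529216486895</old-r-spi></ike-rekey-failure>'),
]

AUTH_FAIL_THRESHOLD = 3  # this example's alerting threshold, not the draft's


def parse(xml_text):
    """Return (eventTime, notification name, {leaf: value}) for one message."""
    root = ET.fromstring(xml_text)
    when = root.findtext("{%s}eventTime" % NOTIF_NS)
    body = next(c for c in root if c.tag.startswith("{%s}" % IKE_NS))
    fields = {c.tag.split("}", 1)[1]: (c.text or "").strip() for c in body}
    return when, body.tag.split("}", 1)[1], fields


def triage(stream, threshold=AUTH_FAIL_THRESHOLD):
    """Turn the module's notifications into operator alerts."""
    failures, alerts = Counter(), []
    for msg in stream:
        when, kind, f = parse(msg)
        peer = f.get("peer-id", "?")
        if kind == "peer-authentication-failure":
            failures[peer] += 1
            if failures[peer] == threshold:  # repeated failures: bad PSK/cert or probing
                alerts.append(f"{when} {peer}: {threshold} authentication failures")
        elif kind == "dpd-failure":
            alerts.append(f"{when} {peer}: DPD failure, tunnel down")
        elif kind == "ike-rekey-failure":  # the SA is lost when its lifetime ends
            alerts.append(f"{when} {peer}: IKE SA rekey failed, old SPIs "
                          f"{int(f['old-i-spi']):016x}/{int(f['old-r-spi']):016x}")
        elif kind in ("ike-reauth-failure", "ipsec-rekey-failure"):
            alerts.append(f"{when} {peer}: {kind}")
    return alerts


def reset_ipsec_sa_rpc(message_id, policy_name):
    """<rpc> for the module's reset-ipsec-sa operation using its 'policy' case."""
    return (f'<rpc message-id="{int(message_id)}" xmlns="{BASE_NS}">'
            f'<reset-ipsec-sa xmlns="{IKE_NS}"><policy>{escape(policy_name)}</policy>'
            '</reset-ipsec-sa></rpc>')
```

   The uint64 SPIs of ike-rekey-failure are printed as 16 hex digits so
   they can be matched against the initiator-spi and responder-spi keys
   of ike-sa-entries; the policy name placed in the RPC is XML-escaped,
   since it is operator input that ends up inside a NETCONF message.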
3.2.  IKE Algorithm Yang Module

   module ietf-ike-crypto {
     namespace "urn:ietf:params:xml:ns:yang:ietf-ike-crypto";
     prefix ike-crypto;

     organization "Huawei Technologies India Pvt Ltd";
     contact
       "stonewater.wang@huawei.com";
     description
       "IKE Crypto Yang";
     reference "RFC 7296: Internet Key Exchange Protocol Version 2";

     revision 2015-04-18 {
       description
         "Initial revision.";
       reference "RFC 7296: Internet Key Exchange Protocol Version 2";
     }

     typedef ike-integrity-algorithm {
       type enumeration {
         enum "hmac-md5-96" {
           description
             "HMAC-MD5-96 integrity algorithm";
         }
         enum "hmac-sha1-96" {
           description
             "HMAC-SHA1-96 integrity algorithm";
         }
         enum "hmac-sha2-256" {
           description
             "HMAC-SHA2-256 integrity algorithm";
         }
         enum "hmac-sha2-384" {
           description
             "HMAC-SHA2-384 integrity algorithm";
         }
         enum "hmac-sha2-512" {
           description
             "HMAC-SHA2-512 integrity algorithm";
         }
       }
       description
         "typedef for IKE integrity algorithm.";
     }

     typedef ike-encryption-algorithm {
       type enumeration {
         enum "des-cbc" {
           description
             "DES-CBC encryption algorithm";
         }
         enum "3des-cbc" {
           description
             "3DES-CBC encryption algorithm";
         }
         enum "aes-cbc-128" {
           description
             "AES-CBC-128 encryption algorithm";
         }
         enum "aes-cbc-192" {
           description
             "AES-CBC-192 encryption algorithm";
         }
         enum "aes-cbc-256" {
           description
             "AES-CBC-256 encryption algorithm";
         }
       }
       description
         "typedef for IKE encryption algorithm.";
     }

     typedef ike-prf-algorithm {
       type enumeration {
         enum "hmac-md5-96" {
           description
             "HMAC-MD5-96 PRF algorithm";
         }
         enum "hmac-sha1-96" {
           description
             "HMAC-SHA1-96 PRF algorithm";
         }
         enum "hmac-sha2-256" {
           description
             "HMAC-SHA2-256 PRF algorithm";
         }
         enum "hmac-sha2-384" {
           description
             "HMAC-SHA2-384 PRF algorithm";
         }
         enum "hmac-sha2-512" {
           description
             "HMAC-SHA2-512 PRF algorithm";
         }
       }
       description
         "typedef for IKE PRF algorithm.";
     }

     typedef ike-dh-group {
       type enumeration {
         enum "dh-group-none" {
           description
             "No Diffie-Hellman group";
         }
         enum "dh-group-1" {
           description
             "768-bit MODP Diffie-Hellman group (group 1)";
         }
         enum "dh-group-2" {
           description
             "1024-bit MODP Diffie-Hellman group (group 2)";
         }
         enum "dh-group-5" {
           description
             "1536-bit MODP Diffie-Hellman group (group 5)";
         }
         enum "dh-group-14" {
           description
             "2048-bit MODP Diffie-Hellman group (group 14)";
         }
       }
       description
         "typedef for IKE DH group";
     }
   }

4.  IANA Considerations

   This document registers the following URIs in the IETF XML registry
   [RFC3688].  Following the format in [RFC3688], the following
   registrations are requested.

   URI: urn:ietf:params:xml:ns:yang:ietf-ike
   XML: N/A, the requested URI is an XML namespace.

   URI: urn:ietf:params:xml:ns:yang:ietf-ike-crypto
   XML: N/A, the requested URI is an XML namespace.

   This document registers the following YANG modules in the YANG Module
   Names registry [RFC6020].

   name:      ietf-ike
   namespace: urn:ietf:params:xml:ns:yang:ietf-ike
   prefix:    ike
   reference: [RFC7296]

   name:      ietf-ike-crypto
   namespace: urn:ietf:params:xml:ns:yang:ietf-ike-crypto
   prefix:    ike-crypto
   reference: [RFC7296]

5.  Security Considerations

   The YANG modules defined in this memo are designed to be accessed via
   the NETCONF protocol [RFC6241].  The lowest NETCONF layer is the
   secure transport layer and the mandatory-to-implement secure
   transport is SSH [RFC6242].
   The NETCONF access control model [RFC6536] provides the means to
   restrict access for particular NETCONF users to a pre-configured
   subset of all available NETCONF protocol operations and content.

   There are a number of data nodes defined in the YANG modules which
   are writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.

   Some nodes in these modules need particular care.  The PresharedKey
   leaf of ike-peer-entries carries the IKE pre-shared key as an ordinary
   config-true string, so any NETCONF user with read access to the
   module can retrieve it with get-config; NACM read rules should cover
   this node, and the value should be treated as a secret in
   configuration backups and logs.  The reset-ike-sa and reset-ipsec-sa
   RPCs tear down live security associations, and unrestricted exec
   access to them lets an operator or a compromised management account
   drop tunnel traffic at will, so NACM should limit who may invoke
   them.  The ike-sa and ipsec-sa state containers expose peer
   addresses, identities and SPIs, which are useful to an attacker
   targeting a tunnel, so read access to them may also warrant
   restriction.

   The ietf-ike-crypto enumerations include des-cbc, hmac-md5-96,
   hmac-sha1-96 and the 768-bit and 1024-bit MODP groups, and
   ike-proposal-entries defaults dh-group to dh-group-2 (1024-bit MODP).
   Deployments should select dh-group-14 and the SHA-2 based integrity
   and PRF algorithms explicitly rather than rely on the defaults or on
   the legacy values.

6.  Acknowledgements

7.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, December 2005.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6241]  Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
              Bierman, "Network Configuration Protocol (NETCONF)",
              RFC 6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              March 2012.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, October 2014.

Authors' Addresses

   Honglei Wang
   Huawei Technologies
   Huawei Bld., No.156 Beiqing Rd.
   Beijing 100095
   China

   Email: stonewater.wang@huawei.com


   Vijay Kumar Nagaraj
   Huawei Technologies
   Huawei Technologies India Pvt Ltd
   Bangalore 560008
   India

   Email: vijay.kn@huawei.com


   Xia Chen
   Huawei Technologies
   Huawei Bld., No.156 Beiqing Rd.
   Beijing 100095
   China

   Email: xiachen@huawei.com