Network Working Group                                            H. Wang
Internet-Draft                                                V. Nagaraj
Intended status: Standards Track                                 X. Chen
Expires: December 17, 2015                           Huawei Technologies
                                                           June 15, 2015


                       Yang Data Model for IPsec
                    draft-wang-ipsecme-ipsec-yang-00

Abstract

   This document describes a YANG data model for the IPsec (Internet
   Protocol Security) protocol.  The model covers the IPsec protocol
   operational state and remote procedure calls.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 17, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  IPsec YANG Model Organization
     2.1.  Overview
     2.2.  Operational State
       2.2.1.  IPsec SAD State
       2.2.2.  IPsec SPD State
       2.2.3.  IPsec Global Statistics
     2.3.  Actions
       2.3.1.  IPsec statistics reset action
   3.  IPsec Yang Module
     3.1.  IPsec Yang Module
     3.2.  IPsec Algorithm Yang Module
     3.3.  IPsec Type Yang Module
   4.  IANA Considerations
   5.  Security Considerations
   6.  Acknowledgements
   7.  Normative References
   Authors' Addresses

1.  Introduction

   The Network Configuration Protocol (NETCONF) [RFC6241] is a network
   management protocol that defines mechanisms to manage network
   devices.  YANG [RFC6020] is a modular language that represents data
   structures in an XML tree format, and is used as the data modeling
   language for NETCONF.

   This document introduces a YANG data model for the IPsec (Internet
   Protocol Security) protocol [RFC4301].  The data model covers the
   following constructs used for managing the IPsec protocol:
   operational state and remote procedure calls.

2.  IPsec YANG Model Organization

2.1.  Overview

   The model discussed in this document covers IPsec [RFC4301] and other
   generic enhancements that pertain to the base protocol operation.
   The cryptographic algorithms are deliberately separated from the
   ietf-ipsec model so that these algorithms can be updated or replaced
   without affecting the standardization progress of the rest of the
   IPsec YANG model.
                  ^: import

     IPsec Crypto Module              IPsec Type Module
   +--------------------+          +-------------------+
   |  ietf-ipsec-crypto |          |  ietf-ipsec-type  |
   +--------------------+          +-------------------+
              |                              |
              |                              |
              |                              |
              v         IPsec Module         v
                   +-----------------+
                   |   ietf-ipsec    |
                   +-----------------+

       Figure 1: Relationship of IPsec module and other modules

   This model aims to address only the core IPsec parameters as per
   [RFC4301].  This model does not cover any applications running on top
   of IPsec, nor does it cover any OAM procedures for IPsec.  The
   current revision only describes the SAD and SPD; the PAD will be
   covered in a later revision.

   Different IPsec implementations may have different behaviors, e.g. a
   host may directly bind an IPsec SA to a socket, in which case the SPD
   is not necessary, while a gateway may supply interfaces for IKE
   [RFC7296] to modify IPsec SPD entries.  So we define only the basic
   prototype of the data model, and all the databases are defined as
   read-only.  Any other extension and augmentation of the data model
   are left to implementations.

   The figure below describes the overall structure of the IPsec Yang
   model:

   module: ietf-ipsec
      +--ro sad
      |  ...
      +--ro spd
      |  ...
      +--ro ipsec-global-statistics
         +--ro ipv4
         |  ...
         +--ro ipv6
         |  ...
         +--ro global
            ...
   rpcs:
      +---x reset-ipv4
      |  ...
      +---x reset-ipv6
      |  ...
      +---x reset-global
         ...

2.2.  Operational State

   The operational state of IPsec can be queried and obtained from the
   respective container.  All the attributes/items in this container
   are read-only and reflect the run-time information of the IPsec
   databases.

2.2.1.  IPsec SAD State

   The IPsec SAD (Security Association Database) container maintains
   information related to the IPsec SAs established in a system.  This
   is a run-time data structure that is created upon the first SA being
   established.  The key for fetching an SA in this database is the
   triplet: SPI, protocol and destination address of the SA to be
   fetched from the SA database.

   The SAD entries also contain information about the IPsec tunnel such
   as direction, SA type (manual or VPN SA), sequence number, anti-
   replay window size, protocol mode, IPsec algorithm info, lifetime in
   seconds/bytes, NAT traversal info, path MTU, DSCP, etc.

   +--ro sad
      +--ro sad-entries* [spi security-protocol direction]
         +--ro spi                              ipsec-type:ipsec-spi
         +--ro security-protocol                ipsec-type:ipsec-protocol
         +--ro direction                        ipsec-type:ipsec-traffic-direction
         +--ro sa-type?                         enumeration
         +--ro sequence-number?                 uint64
         +--ro sequence-number-overflow-flag?   boolean
         +--ro anti-replay-enable-flag?         boolean
         +--ro anti-replay-window-size?         uint64
         +--ro ah-auth-algorithm?               ipsec-crypto:ipsec-authentication-algorithm
         +--ro esp-integrity-algorithm?         ipsec-crypto:ipsec-authentication-algorithm
         +--ro esp-encrypt-algorithm?           ipsec-crypto:ipsec-encryption-algorithm
         +--ro life-time
         |  +--ro life-time-in-seconds?         uint32
         |  +--ro remain-life-time-in-seconds?  uint32
         |  +--ro life-time-in-byte?            uint32
         |  +--ro remain-life-time-in-byte?     uint32
         +--ro protocol-mode?                   ipsec-type:ipsec-mode
         +--ro tunnel-mode-process-info
         |  +--ro local-address?                string
         |  +--ro remote-address?               string
         |  +--ro bypass-df?                    enumeration
         |  +--ro dscp-flag?                    boolean
         |  +--ro stateful-frag-check-flag?     boolean
         +--ro dscp*                            uint8
         +--ro path-mtu?                        uint16
         +--ro nat-traversal-flag?              boolean

2.2.2.  IPsec SPD State

   The IPsec SPD (Security Policy Database) container maintains policy
   information related to the IPsec SAs established in a system.  This
   is a run-time data structure that is created when the first IPsec
   policy is created.
   The SPD entries also contain information about the traffic selectors,
   the protect action (permit, deny), protocol information, etc., as
   shown below.  Based on this information the IPsec module processes
   the outbound and inbound traffic.

   +--ro spd
      +--ro spd-entries*
         +--ro name*
         |  +--ro name-type?                  ipsec-type:ipsec-spd-name
         |  +--ro name-string?                string
         |  +--ro name-binary?                binary
         +--ro pfp-flag?                      boolean
         +--ro traffic-selector*
         |  +--ro local-address-low?          inet:ip-address
         |  +--ro local-address-high?         inet:ip-address
         |  +--ro remote-address-low?         inet:ip-address
         |  +--ro remote-address-high?        inet:ip-address
         |  +--ro next-protocol-low?          uint16
         |  +--ro next-protocol-high?         uint16
         |  +--ro local-port-low?             inet:port-number
         |  +--ro local-port-high?            inet:port-number
         |  +--ro remote-port-high?           inet:port-number
         |  +--ro remote-port-low?            inet:port-number
         +--ro operation?                     ipsec-type:ipsec-spd-operation
         +--ro protect-operation
            +--ro spd-ipsec-mode?             ipsec-type:ipsec-mode
            +--ro esn-flag?                   boolean
            +--ro spd-ipsec-protocol?         ipsec-type:ipsec-protocol
            +--ro tunnel-mode-additional
            |  +--ro local-address?           string
            |  +--ro remote-address?          string
            |  +--ro bypass-df?               enumeration
            |  +--ro dscp-flag?               boolean
            |  +--ro stateful-frag-check-flag? boolean
            +--ro spd-algorithm*
               +--ro ah-auth-algorithm?       ipsec-crypto:ipsec-authentication-algorithm
               +--ro esp-integrity-algorithm? ipsec-crypto:ipsec-authentication-algorithm
               +--ro esp-encrypt-algorithm?   ipsec-crypto:ipsec-encryption-algorithm

2.2.3.  IPsec Global Statistics

   The IPsec Global Statistics container is used to maintain information
   related to all the IPsec tunnels established in the system.  These
   could be related to IPv4 IPsec tunnels or IPv6 IPsec tunnels.
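   As an added example (not part of the draft), the following audits the
   SAD and SPD state of Sections 2.2.1 and 2.2.2 once it has been read
   over NETCONF: it parses a constructed <rpc-reply> in the ietf-ipsec
   namespace and reports SAs using deprecated algorithm enums from ietf-
   ipsec-crypto, SAs with anti-replay disabled or little lifetime left,
   and protect policies whose spd-algorithm list still offers weak
   algorithms.  The weak-algorithm sets and the 10% lifetime threshold
   are the reviewer's assumed policy, not statements of the model.

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
IPSEC = "urn:ietf:params:xml:ns:yang:ietf-ipsec"

# Enum names from ietf-ipsec-crypto a reviewer would flag (assumed policy).
WEAK_AUTH = {"null", "md5", "sha1"}
WEAK_ENC = {"null", "des", "3des"}
# Assumed local policy: warn when less than 10% of an SA's lifetime remains.
LIFETIME_WARN_RATIO = 0.10

# Constructed <rpc-reply> shaped after the sad/spd trees (not a real capture).
SAMPLE_REPLY = f"""<rpc-reply message-id="1" xmlns="{NC}">
 <data>
  <sad xmlns="{IPSEC}">
   <sad-entries>
    <spi>4660</spi><security-protocol>esp</security-protocol>
    <direction>inbound</direction><sa-type>isakmp</sa-type>
    <anti-replay-enable-flag>true</anti-replay-enable-flag>
    <esp-integrity-algorithm>sha2-256</esp-integrity-algorithm>
    <esp-encrypt-algorithm>aes-256</esp-encrypt-algorithm>
    <life-time><life-time-in-seconds>3600</life-time-in-seconds>
     <remain-life-time-in-seconds>1800</remain-life-time-in-seconds></life-time>
   </sad-entries>
   <sad-entries>
    <spi>4661</spi><security-protocol>esp</security-protocol>
    <direction>outbound</direction><sa-type>manual</sa-type>
    <anti-replay-enable-flag>false</anti-replay-enable-flag>
    <esp-integrity-algorithm>md5</esp-integrity-algorithm>
    <esp-encrypt-algorithm>3des</esp-encrypt-algorithm>
    <life-time><life-time-in-seconds>3600</life-time-in-seconds>
     <remain-life-time-in-seconds>120</remain-life-time-in-seconds></life-time>
   </sad-entries>
  </sad>
  <spd xmlns="{IPSEC}">
   <spd-entries>
    <operation>protect</operation>
    <protect-operation>
     <spd-algorithm><esp-integrity-algorithm>sha2-256</esp-integrity-algorithm>
      <esp-encrypt-algorithm>aes-128</esp-encrypt-algorithm></spd-algorithm>
     <spd-algorithm><esp-integrity-algorithm>sha1</esp-integrity-algorithm>
      <esp-encrypt-algorithm>des</esp-encrypt-algorithm></spd-algorithm>
    </protect-operation>
   </spd-entries>
  </spd>
 </data>
</rpc-reply>"""


def _leaf(node, name, default=None):
    """Text of a direct child leaf in the ietf-ipsec namespace."""
    child = node.find(f"{{{IPSEC}}}{name}")
    return child.text.strip() if child is not None and child.text else default


def _algo_findings(node, where):
    """Findings for the ipsec-algorithm-info leaves directly under node."""
    out = []
    for leaf, weak in (("ah-auth-algorithm", WEAK_AUTH),
                       ("esp-integrity-algorithm", WEAK_AUTH),
                       ("esp-encrypt-algorithm", WEAK_ENC)):
        value = _leaf(node, leaf)
        if value in weak:
            out.append(f"{where}: weak {leaf} '{value}'")
    return out


def audit_reply(xml_text):
    """Return human-readable findings for one <rpc-reply> carrying sad/spd."""
    root = ET.fromstring(xml_text)
    findings = []
    # SAD: the list key is (spi, security-protocol, direction).
    for sa in root.iter(f"{{{IPSEC}}}sad-entries"):
        key = (f"SA spi={_leaf(sa, 'spi')}/{_leaf(sa, 'security-protocol')}"
               f"/{_leaf(sa, 'direction')}")
        findings += _algo_findings(sa, key)
        if _leaf(sa, "anti-replay-enable-flag") == "false":
            findings.append(f"{key}: anti-replay disabled")
        lt = sa.find(f"{{{IPSEC}}}life-time")
        if lt is not None:
            total = int(_leaf(lt, "life-time-in-seconds", "0"))
            remain = int(_leaf(lt, "remain-life-time-in-seconds", "0"))
            if total and remain < total * LIFETIME_WARN_RATIO:
                findings.append(f"{key}: only {remain}s of {total}s lifetime left")
    # SPD: a protect policy is only as strong as the weakest algorithm set it
    # offers; spd-algorithm is ordered by decreasing priority.
    for idx, policy in enumerate(root.iter(f"{{{IPSEC}}}spd-entries")):
        prot = policy.find(f"{{{IPSEC}}}protect-operation")
        if _leaf(policy, "operation") != "protect" or prot is None:
            continue
        for rank, algo in enumerate(prot.iter(f"{{{IPSEC}}}spd-algorithm"), 1):
            findings += _algo_findings(algo, f"SPD entry {idx} algorithm set {rank}")
    return findings


if __name__ == "__main__":
    for line in audit_reply(SAMPLE_REPLY):
        print(line)
```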
   The information maintained includes traffic sent/received on an
   IPsec tunnel, such as the number of outbound/inbound packets, the
   number of outbound/inbound bytes, the number of packets dropped, the
   number of replayed packets, the number of packet authentication
   failures, the number of packets dropped due to a full queue, the
   number of packets dropped due to a deny policy, the number of packets
   dropped due to being malformed, and the number of packets dropped due
   to being too large.

   +--ro ipsec-global-statistics
      +--ro ipv4
      |  +--ro inbound-packets?         uint64
      |  +--ro outbound-packets?        uint64
      |  +--ro inbound-bytes?           uint64
      |  +--ro outbound-bytes?          uint64
      |  +--ro inbound-drop-packets?    uint64
      |  +--ro outbound-drop-packets?   uint64
      |  +--ro dropped-packet-detail
      |     +--ro sa-non-exist?         uint64
      |     +--ro queue-full?           uint64
      |     +--ro auth-failure?         uint64
      |     +--ro malform?              uint64
      |     +--ro replay?               uint64
      |     +--ro large-packet?         uint64
      |     +--ro invalid-sa?           uint64
      |     +--ro policy-deny?          uint64
      |     +--ro other-reason?         uint64
      +--ro ipv6
      |  +--ro inbound-packets?         uint64
      |  +--ro outbound-packets?        uint64
      |  +--ro inbound-bytes?           uint64
      |  +--ro outbound-bytes?          uint64
      |  +--ro inbound-drop-packets?    uint64
      |  +--ro outbound-drop-packets?   uint64
      |  +--ro dropped-packet-detail
      |     +--ro sa-non-exist?         uint64
      |     +--ro queue-full?           uint64
      |     +--ro auth-failure?         uint64
      |     +--ro malform?              uint64
      |     +--ro replay?               uint64
      |     +--ro large-packet?         uint64
      |     +--ro invalid-sa?           uint64
      |     +--ro policy-deny?          uint64
      |     +--ro other-reason?         uint64
      +--ro global
         +--ro inbound-packets?         uint64
         +--ro outbound-packets?        uint64
         +--ro inbound-bytes?           uint64
         +--ro outbound-bytes?          uint64
         +--ro inbound-drop-packets?    uint64
         +--ro outbound-drop-packets?   uint64
         +--ro dropped-packet-detail
            +--ro sa-non-exist?         uint64
            +--ro queue-full?           uint64
            +--ro auth-failure?         uint64
            +--ro malform?              uint64
            +--ro replay?               uint64
            +--ro large-packet?         uint64
            +--ro invalid-sa?           uint64
            +--ro policy-deny?          uint64
            +--ro other-reason?         uint64

2.3.  Actions

   This model defines a list of RPCs that allow performing an action or
   executing a command on the protocol.  In the current version of this
   document, we only define how to reset IPsec statistics; other
   actions are left for later versions of this document.

2.3.1.  IPsec statistics reset action

   This operation type is executed when the user wants to reset IPsec SA
   statistics.  The operation will reset the global IPsec statistics in
   the system.

   rpcs:
      +---x reset-ipv4
      |  +---w input
      |  |  +---w ipv4?     empty
      |  +--ro output
      |     +--ro status?   string
      +---x reset-ipv6
      |  +---w input
      |  |  +---w ipv6?     empty
      |  +--ro output
      |     +--ro status?   string
      +---x reset-global
         +---w input
         |  +---w ipv6?     empty
         +--ro output
            +--ro status?   string

3.  IPsec Yang Module

   To allow the algorithm part to be upgraded separately, it is defined
   as a separate module.
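   Before turning to the modules themselves, here is an added example
   (not part of the draft) of how a monitoring job would consume the
   ipsec-global-statistics counters of Section 2.2.3: it takes two polls
   of the ipv4, ipv6 and global containers, converts the dropped-packet-
   detail increments into per-second rates, and raises alerts above
   assumed thresholds.  Because the reset-ipv4/reset-ipv6/reset-global
   RPCs of Section 2.3 make the counters go backwards, a poll whose
   counters decreased is treated as a new baseline rather than a burst.
   The snapshots, thresholds and 5% drop ratio are constructed for the
   example.

```python
# Names of the leaves in the ipsec-stat grouping and its
# dropped-packet-detail container (from the ietf-ipsec tree).
COUNTERS = ("inbound-packets", "outbound-packets", "inbound-bytes",
            "outbound-bytes", "inbound-drop-packets", "outbound-drop-packets")
DROP_REASONS = ("sa-non-exist", "queue-full", "auth-failure", "malform",
                "replay", "large-packet", "invalid-sa", "policy-deny",
                "other-reason")

# Assumed local thresholds in events per second; not part of the model.
THRESHOLDS = {"auth-failure": 1.0, "replay": 5.0, "sa-non-exist": 20.0}
DROP_RATIO_LIMIT = 0.05  # assumed: alert above 5% inbound drops


def flatten(stats):
    """Map one ipv4/ipv6/global container to {leaf-name: int}."""
    flat = {c: int(stats.get(c, 0)) for c in COUNTERS}
    detail = stats.get("dropped-packet-detail", {})
    flat.update({r: int(detail.get(r, 0)) for r in DROP_REASONS})
    return flat


def deltas(prev, curr):
    """Counter increments between two polls as (deltas, reset_seen).

    A counter that went backwards means one of the reset RPCs ran (or an
    implementation wrapped the uint64) between the polls.  The current
    values are then returned as a fresh baseline instead of increments.
    """
    p, c = flatten(prev), flatten(curr)
    reset_seen = any(c[k] < p[k] for k in c)
    if reset_seen:
        return dict(c), True
    return {k: c[k] - p[k] for k in c}, False


def evaluate(prev, curr, interval_s, family):
    """Alerts for one address family container (ipv4, ipv6 or global)."""
    d, reset_seen = deltas(prev, curr)
    alerts = []
    if reset_seen:
        alerts.append(f"{family}: counters reset between polls, re-baselined")
        return alerts
    for reason, limit in THRESHOLDS.items():
        rate = d[reason] / interval_s
        if rate > limit:
            alerts.append(f"{family}: {reason} {rate:.1f}/s exceeds {limit}/s")
    inbound = d["inbound-packets"]
    if inbound and d["inbound-drop-packets"] / inbound > DROP_RATIO_LIMIT:
        alerts.append(f"{family}: {d['inbound-drop-packets']} of {inbound} "
                      "inbound packets dropped")
    return alerts


def evaluate_all(prev_snapshot, curr_snapshot, interval_s):
    """Run evaluate() over the ipv4, ipv6 and global containers."""
    alerts = []
    for family in ("ipv4", "ipv6", "global"):
        alerts += evaluate(prev_snapshot.get(family, {}),
                           curr_snapshot.get(family, {}), interval_s, family)
    return alerts


# Constructed snapshots taken 60 s apart (not captured from a real device):
# ipv4 sees an authentication-failure burst, ipv6 was reset in between.
POLL_1 = {
    "ipv4": {"inbound-packets": 100000, "inbound-drop-packets": 50,
             "dropped-packet-detail": {"auth-failure": 10, "replay": 40}},
    "ipv6": {"inbound-packets": 5000, "inbound-drop-packets": 3,
             "dropped-packet-detail": {"replay": 3}},
    "global": {"inbound-packets": 105000, "inbound-drop-packets": 53,
               "dropped-packet-detail": {"auth-failure": 10, "replay": 43}},
}
POLL_2 = {
    "ipv4": {"inbound-packets": 112000, "inbound-drop-packets": 950,
             "dropped-packet-detail": {"auth-failure": 910, "replay": 40}},
    "ipv6": {"inbound-packets": 100, "inbound-drop-packets": 0,
             "dropped-packet-detail": {"replay": 0}},
    "global": {"inbound-packets": 112100, "inbound-drop-packets": 950,
               "dropped-packet-detail": {"auth-failure": 910, "replay": 43}},
}

if __name__ == "__main__":
    for alert in evaluate_all(POLL_1, POLL_2, 60):
        print(alert)
```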
3.1.  IPsec Yang Module

   module ietf-ipsec {
     namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec";
     prefix ipsec;

     import ietf-ipsec-crypto {
       prefix ipsec-crypto;
     }
     import ietf-inet-types {
       prefix inet;
     }
     import ietf-ipsec-type {
       prefix ipsec-type;
     }

     organization "Huawei Technologies India Pvt Ltd";
     contact
       "stonewater.wang@huawei.com";
     description
       "IPsec Yang";

     revision 2015-04-18 {
       description
         "Initial revision.";
       reference "RFC XXX: IPsec Yang Modules";
     }

     grouping ipsec-tunnel-mode-info {
       description
         "Common information when using IPsec tunnel mode";
       leaf local-address {
         type string;
         description
           "Local address of IPsec tunnel mode";
       }
       leaf remote-address {
         type string;
         description
           "Remote address of IPsec tunnel mode";
       }
       leaf bypass-df {
         type enumeration {
           enum "set" {
             description
               "Set the DF bit";
           }
           enum "clear" {
             description
               "Clear the DF bit";
           }
           enum "copy" {
             description
               "Copy the DF bit from the inner header";
           }
         }
         description
           "This flag indicates how to process the DF flag in tunnel
            mode";
       }
       leaf dscp-flag {
         type boolean;
         description
           "This flag indicates whether to bypass DSCP or to map to
            unprotected DSCP values (array) if bypass of DSCP values
            needs to be restricted.";
       }
       leaf stateful-frag-check-flag {
         type boolean;
         description
           "This flag indicates whether stateful fragment checking
            will be used.";
       }
     }

     grouping traffic-selector {
       description
         "IPsec traffic selector information";
       leaf local-address-low {
         type inet:ip-address;
         description
           "Low range of local address";
       }
       leaf local-address-high {
         type inet:ip-address;
         description
           "High range of local address";
       }
       leaf remote-address-low {
         type inet:ip-address;
         description
           "Low range of remote address";
       }
       leaf remote-address-high {
         type inet:ip-address;
         description
           "High range of remote address";
       }
       leaf next-protocol-low {
         type uint16;
         description
           "Low range of next protocol";
       }
       leaf next-protocol-high {
         type uint16;
         description
           "High range of next protocol";
       }
       leaf local-port-low {
         type inet:port-number;
         description
           "Low range of local port";
       }
       leaf local-port-high {
         type inet:port-number;
         description
           "High range of local port";
       }
       leaf remote-port-high {
         type inet:port-number;
         description
           "High range of remote port";
       }
       leaf remote-port-low {
         type inet:port-number;
         description
           "Low range of remote port";
       }
     }

     grouping ipsec-algorithm-info {
       description
         "IPsec algorithm information used by SPD and SAD";
       leaf ah-auth-algorithm {
         type ipsec-crypto:ipsec-authentication-algorithm;
         description
           "Authentication algorithm used by AH";
       }
       leaf esp-integrity-algorithm {
         type ipsec-crypto:ipsec-authentication-algorithm;
         description
           "Integrity algorithm used by ESP";
       }
       leaf esp-encrypt-algorithm {
         type ipsec-crypto:ipsec-encryption-algorithm;
         description
           "Encryption algorithm used by ESP";
       }
     }

     grouping ipsec-stat {
       leaf inbound-packets {
         type uint64;
         config false;
         description "Inbound packet count";
       }
       leaf outbound-packets {
         type uint64;
         config false;
         description "Outbound packet count";
       }
       leaf inbound-bytes {
         type uint64;
         config false;
         description "Inbound packet bytes";
       }
       leaf outbound-bytes {
         type uint64;
         config false;
         description "Outbound packet bytes";
       }

       leaf inbound-drop-packets {
         type uint64;
         config false;
         description "Inbound dropped packet count";
       }
       leaf outbound-drop-packets {
         type uint64;
         config false;
         description "Outbound dropped packet count";
       }
       container dropped-packet-detail {
         description "The detailed information of dropped packets";
         leaf sa-non-exist {
           type uint64;
           config false;
           description "The count of packets dropped because no SA exists.";
         }
         leaf queue-full {
           type uint64;
           config false;
           description "The count of packets dropped because the processing
                        queue was full";
         }

         leaf auth-failure {
           type uint64;
           config false;
           description "The count of packets dropped because of
                        authentication failure";
         }

         leaf malform {
           type uint64;
           config false;
           description "The count of packets dropped as malformed";
         }
         leaf replay {
           type uint64;
           config false;
           description "The count of packets dropped as replayed";
         }
         leaf large-packet {
           type uint64;
           config false;
           description "The count of packets dropped as too large";
         }
         leaf invalid-sa {
           type uint64;
           config false;
           description "The count of packets dropped because of an invalid SA";
         }
         leaf policy-deny {
           type uint64;
           config false;
           description "The count of packets dropped because they were denied
                        by policy";
         }
         leaf other-reason {
           type uint64;
           config false;
           description "The count of packets dropped for other reasons";
         }
       }
       description "IPsec statistics information";

     }

     container sad {

       config false;

       description
         "The IPsec SA database";

       list sad-entries {
         key "spi security-protocol direction";
         description
           "The SA entries information";
         leaf spi {
           type ipsec-type:ipsec-spi;
           description
             "Security parameter index of SA entry.";
         }
         leaf security-protocol {
           type ipsec-type:ipsec-protocol;
           description
             "Security protocol of IPsec SA.";
         }
         leaf direction {
           type ipsec-type:ipsec-traffic-direction;
           description
             "It indicates whether the SA is an inbound SA or an outbound
              SA.";
         }
         leaf sa-type {
           type enumeration {
             enum "manual" {
               description
                 "Manual IPsec SA";
             }
             enum "isakmp" {
               description
                 "ISAKMP IPsec SA";
             }
           }
           description
             "It indicates whether the SA was created manually or by a
              dynamic protocol.";
         }
         leaf sequence-number {
           type uint64;
           description
             "Current sequence number of IPsec packet.";
         }
         leaf sequence-number-overflow-flag {
           type boolean;
           description
             "The flag indicating whether overflow of the sequence number
              counter should prevent transmission of additional packets
              on the SA, or whether rollover is permitted.";
         }
         leaf anti-replay-enable-flag {
           type boolean;
           description
             "It indicates whether anti-replay is enabled or disabled.";
         }
         leaf anti-replay-window-size {
           type uint64;
           description
             "The size of the anti-replay window.";
         }
         uses ipsec-algorithm-info;
         container life-time {
           leaf life-time-in-seconds {
             type uint32;
             description
               "SA life time in seconds";
           }
           leaf remain-life-time-in-seconds {
             type uint32;
             description
               "Remaining SA life time in seconds";
           }
           leaf life-time-in-byte {
             type uint32;
             description
               "SA life time in bytes";
           }
           leaf remain-life-time-in-byte {
             type uint32;
             description
               "Remaining SA life time in bytes";
           }
           description
             "SA life time information";
         }
         leaf protocol-mode {
           type ipsec-type:ipsec-mode;
           description
             "It indicates whether tunnel mode or transport mode will be
              used.";
         }
         container tunnel-mode-process-info {
           when "protocol-mode = 'tunnel'" {
             description
               "External information of SA when SA works in tunnel mode.";
           }
           uses ipsec-tunnel-mode-info;
           description
             "External information of SA when SA works in tunnel mode.";
         }
         leaf-list dscp {
           type uint8 {
             range "0..63";
           }
           description
             "When traffic matches the SPD, the DSCP values used to filter
              traffic";
         }
         leaf path-mtu {
           type uint16;
           description
             "Path MTU value";
         }
         leaf nat-traversal-flag {
           type boolean;
           description
             "Whether the SA is used to protect traffic that needs NAT
              traversal";
         }
       }
     }
     container spd {
       config false;
       description
         "IPsec security policy database information";

       list spd-entries {
         description
           "IPsec SPD entry information";
         list name {
           description
             "SPD name information.";
           leaf name-type {
             type ipsec-type:ipsec-spd-name;
             description
               "SPD name type.";
           }
           leaf name-string {
             when "name-type = 'id_rfc_822_addr' or name-type = 'id_fqdn'" {
               description
                 "When the name type is id_rfc_822_addr or id_fqdn, the
                  name is saved as a string";
             }
             type string;
             description
               "SPD name content";
           }
           leaf name-binary {
             when "name-type = 'id_der_asn1_dn' or name-type = 'id_key'" {
               description
                 "When the name type is id_der_asn1_dn or id_key, the name
                  is saved as binary";
             }
             type binary;
             description
               "SPD name content";
           }
         }
         leaf pfp-flag {
           type boolean;
           description
             "Populate from packet flag";
         }
         list traffic-selector {
           min-elements 1;
           uses traffic-selector;
           description
             "Traffic selectors of SPD entry";
         }
         leaf operation {
           type ipsec-type:ipsec-spd-operation;
           description
             "It indicates how to process the traffic when it matches the
              security policy.";
         }
         container protect-operation {
           when "operation = 'protect'" {
             description
               "How to protect the traffic when the SPD operation is
                protect";
           }
           leaf spd-ipsec-mode {
             type ipsec-type:ipsec-mode;
             description
               "It indicates which mode is chosen when the traffic needs
                to be protected by IPsec.";
           }
           leaf esn-flag {
             type boolean;
             description
               "It indicates whether ESN is used.";
           }
           leaf spd-ipsec-protocol {
             type ipsec-type:ipsec-protocol;
             description
               "It indicates which protocol (AH or ESP) is chosen.";
           }
           container tunnel-mode-additional {
             when "spd-ipsec-mode = 'tunnel'" {
               description
                 "Additional information when tunnel mode is chosen";
             }
             uses ipsec-tunnel-mode-info;
             description
               "Additional SPD information when tunnel mode is used.";
           }
           list spd-algorithm {
             min-elements 1;
             uses ipsec-algorithm-info;
             description
               "Algorithms defined in SPD, ordered by decreasing
                priority.";
           }
           description
             "How to protect the traffic when the SPD operation is
              protect";
         }

       }
     }

     container ipsec-global-statistics {
       config false;
       description "IPsec global statistics";

       container ipv4 {
         description "IPsec statistics of IPv4";
         uses ipsec-stat;
       }

       container ipv6 {
         description "IPsec statistics of IPv6";
         uses ipsec-stat;
       }

       container global {
         description "IPsec global statistics";
         uses ipsec-stat;
       }
     }

     rpc reset-ipv4 {
       description "Reset IPsec IPv4 statistics";
       input {
         leaf ipv4 {
           type empty;
           description "Reset IPsec IPv4 statistics";
         }
       }
       output {
         leaf status {
           type string;
           description "Operation status";
         }
       }

     }
     rpc reset-ipv6 {
       description "Reset IPsec IPv6 statistics";
       input {
         leaf ipv6 {
           type empty;
           description "Reset IPsec IPv6 statistics";
         }
       }
       output {
         leaf status {
           type string;
           description "Operation status";
         }
       }

     }
     rpc reset-global {
       description "Reset IPsec global statistics";
       input {
         leaf ipv6 {
           type empty;
           description "Reset IPsec global statistics";
         }
       }
       output {
         leaf status {
           type string;
           description "Operation status";
         }
       }

     }

   }

3.2.  IPsec Algorithm Yang Module

   module ietf-ipsec-crypto {
     namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-crypto";
     prefix ipsec-crypto;

     organization "Huawei Technologies India Pvt Ltd";
     contact
       "stonewater.wang@huawei.com";
     description
       "IPsec Crypto Yang";
     reference
       "RFC 4301: Security Architecture for the Internet Protocol";

     revision 2015-04-18 {
       description
         "Initial revision.";
       reference
         "RFC 4301: Security Architecture for the Internet Protocol";
     }
     typedef ipsec-authentication-algorithm {
       type enumeration {
         enum "null" {
           value 0;
           description
             "null";
         }
         enum "md5" {
           value 1;
           description
             "MD5 authentication algorithm";
         }
         enum "sha1" {
           value 2;
           description
             "SHA1 authentication algorithm";
         }
         enum "sha2-256" {
           value 3;
           description
             "SHA2-256 authentication algorithm";
         }
         enum "sha2-384" {
           value 4;
           description
             "SHA2-384 authentication algorithm";
         }
         enum "sha2-512" {
           value 5;
           description
             "SHA2-512 authentication algorithm";
         }
       }
       description
         "typedef for ipsec authentication algorithm";
     }

     typedef ipsec-encryption-algorithm {
       type enumeration {
         enum "null" {
           description
             "null";
         }
         enum "des" {
           description
             "DES encryption algorithm";
         }
         enum "3des" {
           description
             "3DES encryption algorithm";
         }
         enum "aes-128" {
           description
             "AES-128 encryption algorithm";
         }
         enum "aes-192" {
           description
             "AES-192 encryption algorithm";
         }
         enum "aes-256" {
           description
             "AES-256 encryption algorithm";
         }
       }
       description
         "typedef for ipsec encryption algorithm";
     }
   }

3.3.  IPsec Type Yang Module

   module ietf-ipsec-type {
     namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-type";
     prefix ipsec-type;

     organization "Huawei Technologies India Pvt Ltd";
     contact
       "stonewater.wang@huawei.com";
     description
       "Common type definitions for the IPsec protocol Yang";
     reference "RFC 4301: Security Architecture for the Internet Protocol";

     revision 2015-04-18 {
       description
         "Initial revision.";
       reference "RFC 4301: Security Architecture for the Internet Protocol";
     }

     typedef ipsec-mode {
       type enumeration {
         enum "transport" {
           description
             "Transport mode";
         }
         enum "tunnel" {
           description
             "Tunnel mode";
         }
       }
       description
         "Type definition of IPsec mode";
     }

     typedef ipsec-protocol {
       type enumeration {
         enum "ah" {
           description
             "AH Protocol";
         }
         enum "esp" {
           description
             "ESP Protocol";
         }
       }
       description
         "Type definition of IPsec security protocol";
     }

     typedef ipsec-spi {
       type uint32 {
         range "1..max";
       }
       description
         "SPI";
     }

     typedef ipsec-spd-name {
       type enumeration {
         enum id_rfc_822_addr {
           description
             "Fully qualified user name string.";
         }
         enum id_fqdn {
           description
             "Fully qualified DNS name.";
         }
         enum id_der_asn1_dn {
           description
             "X.500 distinguished name.";
         }
         enum id_key {
           description
             "IKEv2 Key ID.";
         }

       }
       description
         "IPsec SPD name type";
     }

     typedef ipsec-traffic-direction {
       type enumeration {
         enum inbound {
           description
             "Inbound traffic";
         }
         enum outbound {
           description
             "Outbound traffic";
         }
       }
       description
         "IPsec traffic direction";
     }

     typedef ipsec-spd-operation {
       type enumeration {
         enum protect {
           description
             "PROTECT the traffic with IPsec";
         }
         enum bypass {
           description
             "BYPASS the traffic";
         }
         enum discard {
           description
             "DISCARD the traffic";
         }
       }
       description
         "The operation when traffic matches an IPsec security policy";
     }

   }

4.  IANA Considerations

   This document registers the following URIs in the IETF XML registry
   [RFC3688].  Following the format in [RFC3688], the following
   registrations are requested.

   URI: urn:ietf:params:xml:ns:yang:ietf-ipsec
   XML: N/A, the requested URI is an XML namespace.

   URI: urn:ietf:params:xml:ns:yang:ietf-ipsec-crypto
   XML: N/A, the requested URI is an XML namespace.

   URI: urn:ietf:params:xml:ns:yang:ietf-ipsec-type
   XML: N/A, the requested URI is an XML namespace.

   This document registers a YANG module in the YANG Module Names
   registry [RFC6020].

   name: ietf-ipsec
   namespace: urn:ietf:params:xml:ns:yang:ietf-ipsec
   prefix: ipsec
   reference: [RFC4301]

5.  Security Considerations

   The YANG module defined in this memo is designed to be accessed via
   the NETCONF protocol [RFC6241].  The lowest NETCONF layer is the
   secure transport layer and the mandatory-to-implement secure
   transport is SSH [RFC6242].  The NETCONF access control model
   [RFC6536] provides means to restrict access for particular NETCONF
   users to a pre-configured subset of all available NETCONF protocol
   operations and content.  There are a number of data nodes defined in
   the YANG module which are writable/creatable/deletable (i.e., config
   true, which is the default).  These data nodes may be considered
   sensitive or vulnerable in some network environments.  Write
   operations (e.g., edit-config) to these data nodes without proper
   protection can have a negative effect on network operations.

6.  Acknowledgements

7.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.
   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, December 2005.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6241]  Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
              Bierman, "Network Configuration Protocol (NETCONF)", RFC
              6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536, March
              2012.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, October 2014.

Authors' Addresses

   Honglei Wang
   Huawei Technologies
   Huawei Bld., No.156 Beiqing Rd.
   Beijing  100095
   China

   Email: stonewater.wang@huawei.com


   Vijay Kumar Nagaraj
   Huawei Technologies
   Huawei Technologies India Pvt Ltd
   Bangalore  560008
   India

   Email: vijay.kn@huawei.com


   Xia Chen
   Huawei Technologies
   Huawei Bld., No.156 Beiqing Rd.
   Beijing  100095
   China

   Email: xiachen@huawei.com