module ietf-ipsec-ikeless {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-ikeless";
prefix "ikeless";
import ietf-yang-types { prefix yang; }
import ietf-ipsec-common {
prefix ic;
reference
"Common Data model for SDN-based IPSec
configuration.";
}
import ietf-netconf-acm {
prefix nacm;
reference
"RFC 8341: Network Configuration Access Control
Model.";
}
organization "IETF I2NSF Working Group";
contact
"WG Web:
WG List:
Author: Rafael Marin-Lopez
Author: Gabriel Lopez-Millan
Author: Fernando Pereniguez-Garcia
";
description
"Data model for IKE-less case in the SDN-base IPsec flow
protection service.
Copyright (c) 2019 IETF Trust and the persons
identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the
Simplified BSD License set forth in Section 4.c of the
IETF Trust's Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX;;
see the RFC itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this
document are to be interpreted as described in BCP 14
(RFC 2119) (RFC 8174) when, and only when, they appear
in all capitals, as shown here.";
revision "2019-07-07" {
description "Revision 05";
reference "RFC XXXX: YANG model for IKE case.";
}
container ipsec-ikeless {
description
"Container for configuration of the IKE-less
case. The container contains two additional
containers: 'spd' and 'sad'. The first allows the
Security Controller to configure IPsec policies in
the Security Policy Database SPD, and the second
allows to configure IPsec Security Associations
(IPsec SAs) in the Security Association Database
(SAD).";
reference "RFC 4301.";
container spd {
description
"Configuration of the Security Policy Database
(SPD.)";
reference "Section 4.4.1.2 in RFC 4301.";
list spd-entry {
key "name";
ordered-by user;
leaf name {
type string;
mandatory true;
description
"SPD entry unique name to identify this
entry.";
}
leaf direction {
type ic:ipsec-traffic-direction;
description
"Inbound traffic or outbound
traffic. In the IKE-less case the
Security Controller needs to
specify the policy direction to be
applied in the NSF. In the IKE case
this direction does not need to be
specified since IKE
will determine the direction that
IPsec policy will require.";
}
leaf reqid {
type uint64;
default 0;
description
"This value allows to link this
IPsec policy with IPsec SAs with the
same reqid. It is only required in
the IKE-less model since, in the IKE
case this link is handled internally
by IKE.";
}
container ipsec-policy-config {
description
"This container carries the
configuration of a IPsec policy.";
uses ic:ipsec-policy-grouping;
}
description
"The SPD is represented as a list of SPD
entries, where each SPD entry represents an
IPsec policy.";
} /*list spd-entry*/
} /*container spd*/
container sad {
description
"Configuration of the IPSec Security Association
Database (SAD)";
reference "Section 4.4.2.1 in RFC 4301.";
list sad-entry {
key "name";
ordered-by user;
leaf name {
type string;
description
"SAD entry unique name to identify this
entry.";
}
leaf reqid {
type uint64;
default 0;
description
"This value allows to link this
IPsec SA with an IPsec policy with
the same reqid.";
}
container ipsec-sa-config {
description
"This container allows configuring
details of an IPsec SA.";
leaf spi {
type uint32 { range "0..max"; }
mandatory true;
description
"Security Parameter Index (SPI)'s
IPsec SA.";
}
leaf ext-seq-num {
type boolean;
default true;
description
"True if this IPsec SA is using
extended sequence numbers. True 64
bit counter, FALSE 32 bit.";
}
leaf seq-number-counter {
type uint64;
default 0;
description
"A 64-bit counter when this IPsec
SA is using Extended Sequence
Number or 32-bit counter when it
is not. It used to generate the
initial Sequence Number field
in ESP headers.";
}
leaf seq-overflow {
type boolean;
default false;
description
"The flag indicating whether
overflow of the sequence number
counter should prevent transmission
of additional packets on the IPsec
SA (false) and, therefore needs to
be rekeyed, or whether rollover is
permitted (true). If Authenticated
Encryption with Associated Data
(AEAD) is used this flag MUST BE
false.";
}
leaf anti-replay-window {
type uint32;
default 32;
description
"A 32-bit counter and a bit-map (or
equivalent) used to determine
whether an inbound ESP packet is a
replay. If set to 0 no anti-replay
mechanism is performed.";
}
container traffic-selector {
uses ic:selector-grouping;
description
"The IPsec SA traffic selector.";
}
leaf protocol-parameters {
type ic:ipsec-protocol-parameters;
default esp;
description
"Security protocol of IPsec SA: Only
ESP so far.";
}
leaf mode {
type ic:ipsec-mode;
description
"Tunnel or transport mode.";
}
container esp-sa {
when "../protocol-parameters =
'esp'";
description
"In case the IPsec SA is
Encapsulation Security Payload
(ESP), it is required to specify
encryption and integrity
algorithms, and key material.";
container encryption {
description
"Configuration of encryption or
AEAD algorithm for IPSec
Encapsulation Security Payload
(ESP).";
leaf encryption-algorithm {
type ic:encryption-algorithm-type;
description
"Configuration of ESP
encryption. With AEAD
algorithms, the integrity
node is not used.";
}
leaf key {
nacm:default-deny-all;
type yang:hex-string;
description
"ESP encryption key value.";
}
leaf iv {
nacm:default-deny-all;
type yang:hex-string;
description
"ESP encryption IV value.";
}
}
container integrity {
description
"Configuration of integrity for
IPSec Encapsulation Security
Payload (ESP). This container
allows to configure integrity
algorithm when no AEAD
algorithms are used, and
integrity is required.";
leaf integrity-algorithm {
type ic:integrity-algorithm-type;
description
"Message Authentication Code
(MAC) algorithm to provide
integrity in ESP.";
}
leaf key {
nacm:default-deny-all;
type yang:hex-string;
description
"ESP integrity key value.";
}
}
} /*container esp-sa*/
container sa-lifetime-hard {
description
"IPsec SA hard lifetime. The action
associated is terminate and
hold.";
uses ic:lifetime;
}
container sa-lifetime-soft {
description
"IPSec SA soft lifetime.";
uses ic:lifetime;
leaf action {
type ic:lifetime-action;
description
"Action lifetime:
terminate-clear,
terminate-hold or replace.";
}
}
container tunnel {
when "../mode = 'tunnel'";
uses ic:tunnel-grouping;
description
"Endpoints of the IPsec tunnel.";
}
container encapsulation-type
{
uses ic:encap;
description
"This container carries
configuration information about
the source and destination ports
which will be used for ESP
encapsulation that ESP packets the
type of encapsulation when NAT
traversal is in place.";
}
} /*ipsec-sa-config*/
container ipsec-sa-state {
config false;
description
"Container describing IPsec SA state
data.";
container sa-lifetime-current {
uses ic:lifetime;
description
"SAD lifetime current.";
}
container replay-stats {
description
"State data about the anti-replay
window.";
leaf replay-window {
type uint64;
description
"Current state of the replay
window.";
}
leaf packet-dropped {
type uint64;
description
"Packets detected out of the
replay window and dropped
because they are replay
packets.";
}
leaf failed {
type uint32;
description
"Number of packets detected out
of the replay window.";
}
leaf seq-number-counter {
type uint64;
description
"A 64-bit counter when this
IPsec SA is using Extended
Sequence Number or 32-bit
counter when it is not.
Current value of sequence
number.";
}
} /* container replay-stats*/
} /*ipsec-sa-state*/
description
"List of SAD entries that conforms the SAD.";
} /*list sad-entry*/
} /*container sad*/
}/*container ipsec-ikeless*/
/* Notifications */
notification sadb-acquire {
description
"An IPsec SA is required. The traffic-selector
container contains information about the IP packet
that triggers the acquire notification.";
leaf ipsec-policy-name {
type string;
mandatory true;
description
"It contains the SPD entry name (unique) of
the IPsec policy that hits the IP packet
required IPsec SA. It is assumed the
Security Controller will have a copy of the
information of this policy so it can
extract all the information with this
unique identifier. The type of IPsec SA is
defined in the policy so the Security
Controller can also know the type of IPsec
SA that must be generated.";
}
container traffic-selector {
description
"The IP packet that triggered the acquire
and requires an IPsec SA. Specifically it
will contain the IP source/mask and IP
destination/mask; protocol (udp, tcp,
etc...); and source and destination
ports.";
uses ic:selector-grouping;
}
}
notification sadb-expire {
description "An IPsec SA expiration (soft or hard).";
leaf ipsec-sa-name {
type string;
mandatory true;
description
"It contains the SAD entry name (unique) of
the IPsec SA that has expired. It is assumed
the Security Controller will have a copy of the
IPsec SA information (except the cryptographic
material and state data) indexed by this name
(unique identifier) so it can know all the
information (crypto algorithms, etc.) about
the IPsec SA that has expired in order to
perform a rekey (soft lifetime) or delete it
(hard lifetime) with this unique identifier.";
}
leaf soft-lifetime-expire {
type boolean;
default true;
description
"If this value is true the lifetime expired is
soft. If it is false is hard.";
}
container lifetime-current {
description
"IPsec SA current lifetime. If
soft-lifetime-expired is true this container is
set with the lifetime information about current
soft lifetime.";
uses ic:lifetime;
}
}
notification sadb-seq-overflow {
description "Sequence overflow notification.";
leaf ipsec-sa-name {
type string;
mandatory true;
description
"It contains the SAD entry name (unique) of
the IPsec SA that is about to have sequence
number overflow and rollover is not permitted.
It is assumed the Security Controller will have
a copy of the IPsec SA information (except the
cryptographic material and state data) indexed
by this name (unique identifier) so the it can
know all the information (crypto algorithms,
etc.) about the IPsec SA that has expired in
order to perform a rekey of the IPsec SA.";
}
}
notification sadb-bad-spi {
description
"Notify when the NSF receives a packet with an
incorrect SPI (i.e. not present in the SAD).";
leaf spi {
type uint32 { range "0..max"; }
mandatory true;
description
"SPI number contained in the erroneous IPsec
packet.";
}
}
}/*module ietf-ipsec*/