module ietf-i2nsf-ikec {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikec";
prefix nsfikec;
import ietf-inet-types {
prefix inet;
reference
"RFC 6991: Common YANG Data Types.";
}
organization
"IETF I2NSF Working Group";
contact
"WG Web:
WG List:
Author: Rafael Marin-Lopez
Author: Gabriel Lopez-Millan
Author: Fernando Pereniguez-Garcia
";
description
"Common data model for the IKE and IKE-less cases
defined by the SDN-based IPsec flow protection service.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this
document are to be interpreted as described in BCP 14
(RFC 2119) (RFC 8174) when, and only when, they appear
in all capitals, as shown here.
Copyright (c) 2021 IETF Trust and the persons
identified as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 9061; see
the RFC itself for full legal notices.";
revision 2021-07-14 {
description
"Initial version.";
reference
"RFC 9061: A YANG Data Model for IPsec Flow Protection
Based on Software-Defined Networking (SDN).";
}
typedef encr-alg-t {
type uint16;
description
"The encryption algorithm is specified with a 16-bit
number extracted from the IANA registry. The acceptable
values MUST follow the requirement levels for
encryption algorithms for ESP and IKEv2.";
reference
"IANA: Internet Key Exchange Version 2 (IKEv2) Parameters,
IKEv2 Transform Attribute Types, Transform Type 1 -
Encryption Algorithm Transform IDs
RFC 8221: Cryptographic Algorithm Implementation
Requirements and Usage Guidance for Encapsulating
Security Payload (ESP) and Authentication Header
(AH)
RFC 8247: Algorithm Implementation Requirements and Usage
Guidance for the Internet Key Exchange Protocol
Version 2 (IKEv2).";
}
typedef intr-alg-t {
type uint16;
description
"The integrity algorithm is specified with a 16-bit
number extracted from the IANA registry.
The acceptable values MUST follow the requirement
levels for integrity algorithms for ESP and IKEv2.";
reference
"IANA: Internet Key Exchange Version 2 (IKEv2) Parameters,
IKEv2 Transform Attribute Types, Transform Type 3 -
Integrity Algorithm Transform IDs
RFC 8221: Cryptographic Algorithm Implementation
Requirements and Usage Guidance for Encapsulating
Security Payload (ESP) and Authentication Header
(AH)
RFC 8247: Algorithm Implementation Requirements and Usage
Guidance for the Internet Key Exchange Protocol
Version 2 (IKEv2).";
}
typedef ipsec-mode {
type enumeration {
enum transport {
description
"IPsec transport mode. No Network Address
Translation (NAT) support.";
}
enum tunnel {
description
"IPsec tunnel mode.";
}
}
description
"Type definition of IPsec mode: transport or
tunnel.";
reference
"RFC 4301: Security Architecture for the Internet Protocol,
Section 3.2.";
}
typedef esp-encap {
type enumeration {
enum espintcp {
description
"ESP in TCP encapsulation.";
reference
"RFC 8229: TCP Encapsulation of IKE and
IPsec Packets.";
}
enum espinudp {
description
"ESP in UDP encapsulation.";
reference
"RFC 3948: UDP Encapsulation of IPsec ESP
Packets.";
}
enum none {
description
"No ESP encapsulation.";
}
}
description
"Types of ESP encapsulation when Network Address
Translation (NAT) may be present between two NSFs.";
reference
"RFC 8229: TCP Encapsulation of IKE and IPsec Packets
RFC 3948: UDP Encapsulation of IPsec ESP Packets.";
}
typedef ipsec-protocol-params {
type enumeration {
enum esp {
description
"IPsec ESP protocol.";
}
}
description
"Only the Encapsulation Security Protocol (ESP) is
supported, but it could be extended in the future.";
reference
"RFC 4303: IP Encapsulating Security Payload (ESP).";
}
typedef lifetime-action {
type enumeration {
enum terminate-clear {
description
"Terminates the IPsec SA and allows the
packets through.";
}
enum terminate-hold {
description
"Terminates the IPsec SA and drops the
packets.";
}
enum replace {
description
"Replaces the IPsec SA with a new one:
rekey.";
}
}
description
"When the lifetime of an IPsec SA expires, an action
needs to be performed for the IPsec SA that
reached the lifetime. There are three possible
options: terminate-clear, terminate-hold, and
replace.";
reference
"RFC 4301: Security Architecture for the Internet Protocol,
Section 4.5.";
}
typedef ipsec-traffic-direction {
type enumeration {
enum inbound {
description
"Inbound traffic.";
}
enum outbound {
description
"Outbound traffic.";
}
}
description
"IPsec traffic direction is defined in
two directions: inbound and outbound.
From an NSF perspective, inbound and
outbound are defined as mentioned
in Section 3.1 in RFC 4301.";
reference
"RFC 4301: Security Architecture for the Internet Protocol,
Section 3.1.";
}
typedef ipsec-spd-action {
type enumeration {
enum protect {
description
"PROTECT the traffic with IPsec.";
}
enum bypass {
description
"BYPASS the traffic. The packet is forwarded
without IPsec protection.";
}
enum discard {
description
"DISCARD the traffic. The IP packet is
discarded.";
}
}
description
"The action when traffic matches an IPsec security
policy. According to RFC 4301, there are three
possible values: BYPASS, PROTECT, and DISCARD.";
reference
"RFC 4301: Security Architecture for the Internet Protocol,
Section 4.4.1.";
}
typedef ipsec-inner-protocol {
type union {
type uint8;
type enumeration {
enum any {
value 256;
description
"Any IP protocol number value.";
}
}
}
default "any";
description
"IPsec protection can be applied to specific IP
traffic and Layer 4 traffic (TCP, UDP, SCTP, etc.)
or ANY protocol in the IP packet payload.
The IP protocol number is specified with a uint8
or ANY defining an enumerate with value 256 to
indicate the protocol number. Note that in case
of IPv6, the protocol in the IP packet payload
is indicated in the Next Header field of the IPv6
packet.";
reference
"RFC 4301: Security Architecture for the Internet Protocol,
Section 4.4.1.1
IANA: Protocol Numbers.";
}
grouping encap {
description
"This group of nodes allows defining of the type of
encapsulation in case NAT traversal is
required and includes port information.";
leaf espencap {
type esp-encap;
default "none";
description
"ESP in TCP, ESP in UDP, or ESP in TLS.";
}
leaf sport {
type inet:port-number;
default "4500";
description
"Encapsulation source port.";
}
leaf dport {
type inet:port-number;
default "4500";
description
"Encapsulation destination port.";
}
leaf-list oaddr {
type inet:ip-address;
description
"If required, this is the original address that
was used before NAT was applied over the packet.";
}
reference
"RFC 3947: Negotiation of NAT-Traversal in the IKE
RFC 8229: TCP Encapsulation of IKE and IPsec Packets.";
}
grouping lifetime {
description
"Different lifetime values limited to an IPsec SA.";
leaf time {
type uint32;
units "seconds";
default "0";
description
"Time in seconds since the IPsec SA was added.
For example, if this value is 180 seconds, it
means the IPsec SA expires in 180 seconds since
it was added. The value 0 implies infinite.";
}
leaf bytes {
type uint64;
default "0";
description
"If the IPsec SA processes the number of bytes
expressed in this leaf, the IPsec SA expires and
SHOULD be rekeyed. The value 0 implies
infinite.";
}
leaf packets {
type uint32;
default "0";
description
"If the IPsec SA processes the number of packets
expressed in this leaf, the IPsec SA expires and
SHOULD be rekeyed. The value 0 implies
infinite.";
}
leaf idle {
type uint32;
units "seconds";
default "0";
description
"When an NSF stores an IPsec SA, it
consumes system resources. For an idle IPsec SA, this
is a waste of resources. If the IPsec SA is idle
during this number of seconds, the IPsec SA
SHOULD be removed. The value 0 implies
infinite.";
}
reference
"RFC 4301: Security Architecture for the Internet Protocol,
Section 4.4.2.1.";
}
grouping port-range {
description
"This grouping defines a port range, such as that
expressed in RFC 4301, for example, 1500 (Start
Port Number)-1600 (End Port Number).
A port range is used in the Traffic Selector.";
leaf start {
type inet:port-number;
description
"Start port number.";
}
leaf end {
type inet:port-number;
must '. >= ../start' {
error-message
"The end port number MUST be equal or greater
than the start port number.";
}
description
"End port number. To express a single port, set
the same value as start and end.";
}
reference
"RFC 4301: Security Architecture for the Internet Protocol,
Section 4.4.1.2.";
}
grouping tunnel-grouping {
description
"The parameters required to define the IP tunnel
endpoints when IPsec SA requires tunnel mode. The
tunnel is defined by two endpoints: the local IP
address and the remote IP address.";
leaf local {
type inet:ip-address;
mandatory true;
description
"Local IP address' tunnel endpoint.";
}
leaf remote {
type inet:ip-address;
mandatory true;
description
"Remote IP address' tunnel endpoint.";
}
leaf df-bit {
type enumeration {
enum clear {
description
"Disable the Don't Fragment (DF) bit
in the outer header. This is the
default value.";
}
enum set {
description
"Enable the DF bit in the outer header.";
}
enum copy {
description
"Copy the DF bit to the outer header.";
}
}
default "clear";
description
"Allow configuring the DF bit when encapsulating
tunnel mode IPsec traffic. RFC 4301 describes
three options to handle the DF bit during
tunnel encapsulation: clear, set, and copy from
the inner IP header. This MUST be ignored or
has no meaning when the local/remote
IP addresses are IPv6 addresses.";
reference
"RFC 4301: Security Architecture for the Internet Protocol,
Section 8.1.";
}
leaf bypass-dscp {
type boolean;
default "true";
description
"If true, to copy the Differentiated Services Code
Point (DSCP) value from inner header to outer header.
If false, to map DSCP values
from an inner header to values in an outer header
following ../dscp-mapping.";
reference
"RFC 4301: Security Architecture for the Internet Protocol,
Section 4.4.1.2.";
}
list dscp-mapping {
must '../bypass-dscp = "false"';
key "id";
ordered-by user;
leaf id {
type uint8;
description
"The index of list with the
different mappings.";
}
leaf inner-dscp {
type inet:dscp;
description
"The DSCP value of the inner IP packet. If this
leaf is not defined, it means ANY inner DSCP value.";
}
leaf outer-dscp {
type inet:dscp;
default "0";
description
"The DSCP value of the outer IP packet.";
}
description
"A list that represents an array with the mapping from the
inner DSCP value to outer DSCP value when bypass-dscp is
false. To express a default mapping in the list where any
other inner dscp value is not matching a node in the list,
a new node has to be included at the end of the list where
the leaf inner-dscp is not defined (ANY) and the leaf
outer-dscp includes the value of the mapping. If there is
no value set in the leaf outer-dscp, the default value for
this leaf is 0.";
reference
"RFC 4301: Security Architecture for the Internet Protocol,
Section 4.4.1.2 and Appendix C.";
}
}
grouping selector-grouping {
description
"This grouping contains the definition of a Traffic
Selector, which is used in the IPsec policies and
IPsec SAs.";
leaf local-prefix {
type inet:ip-prefix;
mandatory true;
description
"Local IP address prefix.";
}
leaf remote-prefix {
type inet:ip-prefix;
mandatory true;
description
"Remote IP address prefix.";
}
leaf inner-protocol {
type ipsec-inner-protocol;
default "any";
description
"Inner protocol that is going to be
protected with IPsec.";
}
list local-ports {
key "start end";
uses port-range;
description
"List of local ports. When the inner
protocol is ICMP, this 16-bit value
represents code and type.
If this list is not defined,
it is assumed that start and
end are 0 by default (any port).";
}
list remote-ports {
key "start end";
uses port-range;
description
"List of remote ports. When the upper layer
protocol is ICMP, this 16-bit value represents
code and type. If this list is not defined,
it is assumed that start and end are 0 by
default (any port).";
}
reference
"RFC 4301: Security Architecture for the Internet Protocol,
Section 4.4.1.2.";
}
grouping ipsec-policy-grouping {
description
"Holds configuration information for an IPsec SPD
entry.";
leaf anti-replay-window-size {
type uint32;
default "64";
description
"To set the anti-replay window size.
The default value is set
to 64, following the recommendation in RFC 4303.";
reference
"RFC 4303: IP Encapsulating Security Payload (ESP),
Section 3.4.3.";
}
container traffic-selector {
description
"Packets are selected for
processing actions based on Traffic Selector
values, which refer to IP and inner protocol
header information.";
uses selector-grouping;
reference
"RFC 4301: Security Architecture for the Internet Protocol,
Section 4.4.4.1.";
}
container processing-info {
description
"SPD processing. If the required processing
action is protect, it contains the required
information to process the packet.";
leaf action {
type ipsec-spd-action;
default "discard";
description
"If bypass or discard, container
ipsec-sa-cfg is empty.";
}
container ipsec-sa-cfg {
when "../action = 'protect'";
description
"IPsec SA configuration included in the SPD
entry.";
leaf pfp-flag {
type boolean;
default "false";
description
"Each selector has a Populate From
Packet (PFP) flag. If asserted for a
given selector X, the flag indicates
that the IPsec SA to be created should
take its value (local IP address,
remote IP address, Next Layer
Protocol, etc.) for X from the value
in the packet. Otherwise, the IPsec SA
should take its value(s) for X from
the value(s) in the SPD entry.";
}
leaf ext-seq-num {
type boolean;
default "false";
description
"True if this IPsec SA is using extended
sequence numbers. If true, the 64-bit
extended sequence number counter is used;
if false, the normal 32-bit sequence
number counter is used.";
}
leaf seq-overflow {
type boolean;
default "false";
description
"The flag indicating whether
overflow of the sequence number
counter should prevent transmission
of additional packets on the IPsec
SA (false) and, therefore, needs to
be rekeyed or whether rollover is
permitted (true). If Authenticated
Encryption with Associated Data
(AEAD) is used (leaf
esp-algorithms/encryption/algorithm-type),
this flag MUST be false. Setting this
flag to true is strongly discouraged.";
}
leaf stateful-frag-check {
type boolean;
default "false";
description
"Indicates whether (true) or not (false)
stateful fragment checking applies to
the IPsec SA to be created.";
}
leaf mode {
type ipsec-mode;
default "transport";
description
"IPsec SA has to be processed in
transport or tunnel mode.";
}
leaf protocol-parameters {
type ipsec-protocol-params;
default "esp";
description
"Security protocol of the IPsec SA.
Only ESP is supported, but it could be
extended in the future.";
}
container esp-algorithms {
when "../protocol-parameters = 'esp'";
description
"Configuration of Encapsulating
Security Payload (ESP) parameters and
algorithms.";
leaf-list integrity {
type intr-alg-t;
default "0";
ordered-by user;
description
"Configuration of ESP authentication
based on the specified integrity
algorithm. With AEAD encryption
algorithms, the integrity node is
not used.";
reference
"RFC 4303: IP Encapsulating Security Payload (ESP),
Section 3.2.";
}
list encryption {
key "id";
ordered-by user;
leaf id {
type uint16;
description
"An identifier that unequivocally identifies each
entry of the list, i.e., an encryption algorithm
and its key length (if required).";
}
leaf algorithm-type {
type encr-alg-t;
default "20";
description
"Default value 20 (ENCR_AES_GCM_16).";
}
leaf key-length {
type uint16;
default "128";
description
"By default, key length is 128
bits.";
}
description
"Encryption or AEAD algorithm for the
IPsec SAs. This list is ordered
following from the higher priority to
lower priority. First node of the
list will be the algorithm with
higher priority. In case the list
is empty, then no encryption algorithm
is applied (NULL).";
reference
"RFC 4303: IP Encapsulating Security Payload (ESP),
Section 3.2.";
}
leaf tfc-pad {
type boolean;
default "false";
description
"If Traffic Flow Confidentiality
(TFC) padding for ESP encryption
can be used (true) or not (false).";
reference
"RFC 4303: IP Encapsulating Security Payload (ESP),
Section 2.7.";
}
reference
"RFC 4303: IP Encapsulating Security Payload (ESP).";
}
container tunnel {
when "../mode = 'tunnel'";
uses tunnel-grouping;
description
"IPsec tunnel endpoints definition.";
}
}
reference
"RFC 4301: Security Architecture for the Internet Protocol,
Section 4.4.1.2.";
}
}
}