module hc2vpp-ietf-ipsec { namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec"; prefix "eipsec"; import ietf-inet-types { prefix inet; } import ietf-yang-types { prefix yang; } organization "Ericsson AB. Huawei Technologies India Pvt Ltd."; contact "Web: "; description "This YANG module defines the configuration and operational state data for Internet Protocol Security (IPSec) on IETF draft. Copyright (c) 2016 Ericsson AB. All rights reserved."; revision 2018-12-14 { description "HC2VPP modifications for use case with VPP. See https://jira.fd.io/browse/HC2VPP-399"; } revision 2016-03-09 { description "Third revision. Fix YANG compiling error because it used internal data model econtext and should be removed in the draft. Fix warnings. Run validation on http://www.netconfcentral.org/yangdumpresults"; reference "Update since second revision."; } revision 2015-09-13 { description "Second revision."; reference "updates since initial revision. combining: draft-tran-ipecme-yang-ipsec-00. draft-wang-ipsecme-ike-yang-00. draft-wang-ipsecme-ipsec-yang-00."; } revision 2015-05-14 { description "Initial revision."; reference "May 14, 2015 draft-tran-ipecme-yang-ipsec-00. May 22, 2015 draft-wang-ipsecme-ike-yang-00. June 15, 2015 draft-wang-ipsecme-ipsec-yang-00."; } /*--------------------*/ /* Feature */ /*--------------------*/ feature ikev1 { description "Feature IKEv1"; } feature ike-proposal-state { description "IKEv2 Proposal Operational State"; } feature ike-policy-state { description "IKEv1 Policy Operational State"; } feature ikev1-state { description "IKEv1 Operational State"; } feature ike-reauth-failure { description "IKEv1 Reauthorization Failure"; } feature ike-rekey-failure { description "IKEv1 Rekey Failure"; } feature ikev2 { description "Feature IKEv2"; } feature ikev2-global { description "Feature IKEv2 Global Parameters"; } feature ikev2-peer { description "Feature IKEv2 Peer"; } feature ikev2-proposal { description "Feature IKEv2 Proposal"; } feature ikev2-policy { description "Feature IKEv2 Policy"; } feature ikev2-proposal-state { description "IKEv2 Proposal Operational State"; } feature ikev2-state { description "IKEv2 Operational State"; } feature ipsec { description "Feature IPsec"; } feature ipsec-acl { description "Feature IPsec ACL"; } feature ipsec-sad { description "Feature IPsec SAD"; } feature ipsec-proposal { description "Feature IPsec Proposal"; } feature ipsec-spd { description "Feature IPsec SPD"; } feature ipsec-policy-state { description "IPsec Policy Operational State"; } feature ipsec-proposal-state { description "IPsec Proposal Operational State"; } feature ipsec-alarms-state { description "IPsec Alarm State Operational State"; } feature ipsec-sa-ah-state { description "IPsec SA AH Operational State"; } feature ipsec-sa-state { description "IPsec SA Operational State"; } feature ipsec-tunnel { description "IPsec Tunnel"; } feature ipsec-local-address-range { description "IPsec Local Address Range"; } feature ipsec-remote-address-range { description "IPsec Remote Address Range"; } feature ipsec-next-protocol-range { description "IPsec Next Protocol Range"; } feature ipsec-local-port-range { description "IPsec Local Port Range"; } feature ipsec-remote-port-range { description "IPsec Remote Port Range"; } feature ipsec-ah-authentication { description "IPsec AH Authentication"; } feature ipsec-esp-integrity { description "IPsec ESP Integrity"; } feature ipsec-esp-encrypt { description "IPsec ESP encryption"; } feature ipsec-stat { description "IPsec Stats"; } feature ipsec-state { description "IPsec Operational State"; } feature ipsec-rekey-failure { description "IPsec Rekey Failure"; } feature ipsec-redundancy { description "IPsec Redundancy State"; } feature sad { description "Security Association (SA) Database"; } feature spd { description "Security Policy Database"; } feature ipsec-global-stats { description "IPsec Global Stats"; } feature clear-ipsec-group { description "Clear IPsec group"; } feature clear-ike-group { description "Clear IKE group"; } feature clear-ikev2-group { description "Clear IKEv2 group"; } feature reset-ipv4 { description "Reset IPv4"; } feature reset-ipv6 { description "Reset IPv6"; } feature reset-global { description "Reset Global"; } feature peer-authentication-failure { description "Peer Authentication Failure"; } /*--------------------*/ /* Typedefs */ /*--------------------*/ typedef authentication-method-t { type enumeration { enum psk { value 0; description "Pre-Sharing Keys."; } enum certificate { value 1; description "Certificate."; } } description "Available authentication methods."; } /* IKEv2 Exchange Types (ET) */ typedef ikev2-exchange-type-t { type enumeration { enum ikev2-et-ike-sa-init { value 34; description "ikev2-et-ike-sa-init - RFC 7296."; } enum ikev2-et-ike-auth { value 35; description "ikev2-et-ike-auth - RFC 7296."; } enum ikev2-et-create-child-sa { value 36; description "ikev2-et-create-child-sa - RFC 7296."; } enum ikev2-et-informational { value 37; description "ikev2-et-informational - RFC 7296."; } enum ikev2-et-ike-session-resume { value 38; description "ikev2-et-ike-session-resume - RFC 7296."; } enum ikev2-et-gsa-auth { value 39; description "ikev2-et-gsa-auth - RFC 7296."; } enum ikev2-et-gsa-registration { value 40; description "ikev2-et-gsa-registration - RFC 7296."; } enum ikev2-et-gsa-rekey { value 41; description "ikev2-et-gsa-rekey - RFC 7296."; } } description "IKEv2 Exchange Types (ET)."; } /* Transform Type Values (TTV), RFC 7296 */ typedef transform-type-value-t { type enumeration { enum ttv-reserved-0 { value 0; description "ttv-reserved-0 - Transform Type Value Reserved "+ "(RFC 7296)."; } enum ttv-encr { value 1; description "ttv-encr - Transform Type Value 1, Encryption Algorithm "+ "(ENCR) used in IKE and ESP."; } enum ttv-prf { value 2; description "ttv-prf - Transform Type Value 2, "+ "Pseudo-Random Function(PRF) used in IKE."; } enum ttv-integ { value 3; description "ttv-integ - Transform Type Value 3, Integrity Algorithm"+ " (INTEG) used in IKE, AH, optional ESP."; } enum ttv-dh { value 4; description "ttv-dh - Transform Type Value 4, Diffie-Hellman (DH) "+ "used in IKE, optional AH and ESP."; } enum ttv-esn { value 5; description "ttv-esn - Transform Type Value 5, Extended Sequence "+ "Numbers (ESN) used in AH and ESP."; } } description "Transform Type Values (RFC 7296)."; } /* IKEv2 Transform Attribute Types (TAT) */ typedef ikev2-transform-attribute-type-t { type enumeration { enum ikev2-tat-reserved-0 { value 0; description "ikev2-tat-reserved-0 - IKEv2 Transform Attribute "+ "Type Reserved-0 (RFC 7296)."; } enum ikev2-tat-reserved-1 { value 1; description "ikev2-tat-reserved-1 - IKEv2 Transform Attribute "+ "Type Reserved-1 (RFC 7296)."; } enum ikev2-tat-reserved-13 { value 13; description "ikev2-tat-reserved-13 - IKEv2 Transform Attribute "+ "Type Reserved-13 (RFC 7296)."; } enum ikev2-tat-key-length { value 41; description "ikev2-tat-key-length - IKEv2 Transform Attribute "+ "Type KEY LENGTH (in bits) (RFC 7296)."; } } description "IKEv2 Transform Attribute Types (TAT) (RFC 7296)."; } /* Transform Type 1 (Encryption Algorithm Transform IDs) */ typedef ike-encryption-algorithm-t { type enumeration { enum encr-reserved-0 { value 0; description "encr-reserved-0 --> RFC_5996."; } enum encr-des-iv4 { value 1; description "encr-des-iv4 --> RFC_5996."; } enum encr-des { value 2; description "encr-des --> RFC_5996."; } enum encr-3des { value 3; description "encr-3des --> RFC_5996."; } enum encr-rc5 { value 4; description "encr-rc5 --> RFC_5996."; } enum encr-idea { value 5; description "encr-idea --> RFC_5996."; } enum encr-cast { value 6; description "encr-cast --> RFC_5996."; } enum encr-blowfish { value 7; description "encr-blowfish --> RFC_5996."; } enum encr-3idea { value 8; description "encr-3idea --> RFC_5996."; } enum encr-des-iv32 { value 9; description "encr-des-iv32 --> RFC_5996."; } enum encr-reserved-10 { value 10; description "encr-reserved-10 --> RFC_5996."; } enum encr-null { value 11; description "encr-null --> RFC_5996."; } enum encr-aes-cbc { value 12; description "encr-aes-cbc --> RFC_5996."; } enum encr-aes-ctr { value 13; description "encr-aes-ctr --> RFC_5996."; } enum encr-aes-ccm-8 { value 14; description "encr-aes-ccm-8 --> RFC_5996."; } enum encr-aes-ccm-12 { value 15; description "encr-aes-ccm-12 --> RFC_5996."; } enum encr-aes-ccm-16 { value 16; description "encr-aes-ccm-16 --> RFC_5996."; } enum encr-reserved-17 { value 17; description "encr-reserved-17 --> RFC_5996."; } enum encr-aes-gcm-8-icv { value 18; description "encr-aes-gcm-8-icv --> RFC_5996."; } enum encr-aes-gcm-12-icv { value 19; description "encr-aes-gcm-12-icv --> RFC_5996."; } enum encr-aes-gcm-16-icv { value 20; description "encr-aes-gcm-16-icv--> RFC_5996."; } enum encr-null-auth-aes-gmac { value 21; description "encr-null-auth-aes-gmac --> RFC_5996."; } enum encr-ieee-p1619-xts-aes { value 22; description "encr-ieee-p1619-xts-aes --> Reserved for "+ "IEEE P1619 XTS-AES."; } enum encr-camellia-cbc { value 23; description "encr-camellia-cbc --> RFC_5996."; } enum encr-camellia-ctr { value 24; description "encr-camellia-ctr --> RFC_5996."; } enum encr-camellia-ccm-8-icv { value 25; description "encr-camellia-ccm-8-icv --> RFC_5996."; } enum encr-camellia-ccm-12-icv { value 26; description "encr-camellia-ccm-12-icv --> RFC_5996."; } enum encr-camellia-ccm-16-icv { value 27; description "encr-camellia-ccm-16-icv --> RFC_5996."; } enum encr-aes-cbc-128 { value 1024; description "encr-aes-cbc-128 --> RFC_5996."; } enum encr-aes-cbc-192 { value 1025; description "encr-aes-cbc-192 --> RFC_5996."; } enum encr-aes-cbc-256 { value 1026; description "encr-aes-cbc-256 --> RFC_5996."; } enum encr-blowfish-128 { value 1027; description "encr-blowfish-128 --> RFC_5996."; } enum encr-blowfish-192 { value 1028; description "encr-blowfish-192 --> RFC_5996."; } enum encr-blowfish-256 { value 1029; description "encr-blowfish-256 --> RFC_5996."; } enum encr-blowfish-448 { value 1030; description "encr-blowfish-448 --> RFC_5996."; } enum encr-camellia-128 { value 1031; description "encr-camellia-128 --> RFC_5996."; } enum encr-camellia-192 { value 1032; description "encr-camellia-192 --> RFC_5996."; } enum encr-camellia-256 { value 1033; description "encr-camellia-256 --> RFC_5996."; } } description "Transform Type 1 - Internet Key Exchange (IKE) "+ "encryption algorithms."; } /* Transform Type 2 (Pseudo-Random Function PRF) */ typedef pseudo-random-function-t { type enumeration { enum prf-reserved-0 { value 0; description "prf-reserved-0 --> RFC_2104."; } enum prf-hmac-md5 { value 1; description "prf-hmac-md5 --> RFC_2104."; } enum prf-hmac-sha1 { value 2; description "prf-hmac-sha1 --> RFC2104."; } enum prf-hmac-tiger { value 3; description "prf-hmac-tiger --> RFC2104."; } enum prf-aes128-xcbc { value 4; description "prf-aes128-xcbc --> RFC_4434."; } enum prf-hmac-sha2-256 { value 5; description "prf-hmac-sha2-256 --> RFC_4434."; } enum prf-hmac-sha2-384 { value 6; description "prf-hmac-sha2-384 --> RFC_4434."; } enum prf-hmac-sha2-512 { value 7; description "prf-hmac-sha2-512 --> RFC_4434."; } enum prf-aes128-cmac { value 8; description "prf-aes128-cmac --> RFC_4615."; } } description "Available Pseudo-Random Functions (PRF)."; } /* Transform Type 3 (Integrity Algorithm) */ typedef ike-integrity-algorithm-t { type enumeration { enum auth-none { value 0; description "auth-none --> RFC_5996."; } enum auth-hmac-md5-96 { value 1; description "auth-hmac-md5-96 --> RFC_5996."; } enum auth-hmac-sha1-96 { value 2; description "auth-hmac-sha1-96 --> RFC_5996."; } enum auth-des-mac { value 3; description "auth-des-mac --> RFC_5996."; } enum auth-kpdk-md5 { value 4; description "auth-kpdk-md5 --> RFC_5996."; } enum auth-aes-xcbc-96 { value 5; description "auth-aes-xcbc-96 --> RFC_5996."; } enum auth-hmac-md5-128 { value 6; description "auth-hmac-md5-128 --> RFC_5996."; } enum auth-hmac-sha1-160 { value 7; description "auth-hmac-sha1-160 --> RFC_5996."; } enum auth-aes-cmac-96 { value 8; description "auth-aes-cmac-96 --> RFC_5996."; } enum auth-aes-128-gmac { value 9; description "auth-aes-128-gmac --> RFC_5996."; } enum auth-aes-192-gmac { value 10; description "auth-aes-192-gmac --> RFC_5996."; } enum auth-aes-256-gmac { value 11; description "auth-aes-256-gmac --> RFC_5996."; } enum auth-hmac-sha2-256-128 { value 12; description "auth-hmac-sha2-256-128 --> RFC_5996."; } enum auth-hmac-sha2-384-192 { value 13; description "auth-hmac-sha2-384-192 --> RFC_5996."; } enum auth-hmac-sha2-512-256 { value 14; description "auth-hmac-sha2-512-256 --> RFC_5996."; } enum auth-hmac-sha2-256-96 { value 1024; description "auth-hmac-sha2-256-96."; } } description "Transform Type 3 - Internet Key Exchange (IKE) "+ "Integrity Algorithms."; } /* Transform Type 4 (Diffie-Hellman Group) */ typedef diffie-hellman-group-t { type enumeration { enum group-none { value 0; description "group-none --> RFC_5996."; } enum modp-768-group-1 { value 1; description "modp-768-group-1 --> RFC_5996."; } enum modp-1024-group-2 { value 2; description "modp-1024-group-2 --> RFC_5996."; } enum modp-1536-group-5 { value 5; description "modp-1536-group-5 --> RFC_3526."; } enum modp-2048-group-14 { value 14; description "modp-2048-group-14 --> RFC_3526."; } enum modp-3072-group-15 { value 15; description "modp-3072-group-15 --> RFC_3526."; } enum modp-4096-group-16 { value 16; description "modp-4096-group-16 --> RFC_3526."; } enum modp-6144-group-17 { value 17; description "modp-6144-group-17 --> RFC_3526."; } enum modp-8192-group-18 { value 18; description "modp-8192-group-18 --> RFC_3526."; } enum recp-256-group-19 { value 19; description "recp-256-group-19 --> RFC_6989. 256-bit"+ " Random ECP Group."; } enum recp-384-group-20 { value 20; description "recp-384-group-20 --> RFC_6989. 384-bit"+ " Random ECP Group."; } enum recp-521-group-21 { value 21; description "recp-521-group-21 --> RFC_6989. 521-bit"+ " Random ECP Group."; } enum modp-1024-160-pos-group-22 { value 22; description "modp-1024-160-pos-group-22 --> RFC_6989."+ " 1024-bit MODP Group with"+ " 160-bit Prime Order Subgroup (POS)."; } enum modp-2048-224-pos-group-23 { value 23; description "modp-2048-224-pos-group-23 --> RFC_6989."+ " 2048-bit MODP Group with"+ " 224-bit Prime Order Subgroup (POS)."; } enum modp-2048-256-pos-group-24 { value 24; description "modp-2048-256-pos-group-24 --> RFC_6989."+ " 2048-bit MODP Group with"+ " 256-bit Prime Order Subgroup (POS)."; } enum recp-192-group-25 { value 25; description "recp-192-group-25 --> RFC_6989."+ " 192-bit Random ECP Group."; } enum recp-224-group-26 { value 26; description "recp-224-group-26 --> RFC_6989."+ " 224-bit Random ECP Group."; } } description "Diffie-Hellman Groups (RFC 5996)."; } /* Transform Type 5 (Extended Sequence Numbers Transform ESN IDs) */ typedef extended-sequence-number-t { type enumeration { enum esn-none { value 0; description "esn-none - Extended Sequence Number None --> RFC_7296."; } enum esn-1 { value 1; description "esn-1 - Extended Sequence Number --> RFC_7296."; } } description "Extended Sequence Number (RFC 7296)."; } typedef connection-type-t { type enumeration { enum initiator-only { value 0; description "initiator-only: ME will act as initiator for"+ " bringing up IKEv2"+ " session with its IKE peer."; } enum responder-only { value 1; description "responder-only: ME will act as responder for"+ " bringing up IKEv2"+ " session with its IKE peer."; } enum both { value 2; description "both: ME can act as initiator or responder."; } } description "Connection type for IKE session."; } typedef transport-protocol-name-t { type enumeration { enum tcp { value 1; description "Transmission Control Protocol (TCP) Transport Protocol."; } enum udp { value 2; description "User Datagram Protocol (UDP) Transport Protocol"; } enum sctp { value 3; description "Stream Control Transmission Protocol (SCTP) Transport "+ "Protocol"; } enum icmp { value 4; description "Internet Control Message Protocol (ICMP) Transport "+ "Protocol"; } } description "Enumeration of well known transport protocols."; } typedef preshared-key-t { type string; description "Derived string used as Pre-Shared Key."; } typedef pad-type-t { type enumeration { enum dns-name { value 1; description "DNS name (specific or partial)"; } enum distinguished-name { value 2; description "Distinguished Name (complete or sub-tree constrained)"; } enum rfc-822 { value 3; description "RFC 822 email address (complete or partially qualified)"; } enum ipv4-range { value 4; description "IPv4 Address Range"; } enum ipv6-range { value 5; description "IPv6 Address Range"; } enum key-id { value 6; description "Key ID (exact match only)"; } } description "PAD Type"; } /*-------------------------------------------------- */ /* draft-wang-ipsecme-ipsec-yang-00: ietf-ipsec-type */ /*-------------------------------------------------- */ typedef ipsec-mode { type enumeration { enum "transport" { description "Transport mode"; } enum "tunnel" { description "Tunnel mode"; } } description "type define of ipsec mode"; } typedef ipsec-protocol { type enumeration { enum "ah" { description "AH Protocol"; } enum "esp" { description "ESP Protocol"; } } description "type define of ipsec security protocol"; } typedef ipsec-spi { type uint32 { range "1..max"; } description "SPI"; } typedef ipsec-spd-name { type enumeration { enum id_rfc_822_addr { description "Fully qualified user name string."; } enum id_fqdn { description "Fully qualified DNS name."; } enum id_der_asn1_dn { description "X.500 distinguished name."; } enum id_key { description "IKEv2 Key ID."; } } description "IPsec SPD name type"; } typedef ipsec-traffic-direction { type enumeration { enum inbound { description "Inbound traffic"; } enum outbound { description "Outbound traffic"; } } description "IPsec traffic direction"; } typedef ipsec-spd-operation { type enumeration { enum protect { description "PROTECT the traffic with IPsec"; } enum bypass { description "BYPASS the traffic"; } enum discard { description "DISCARD the traffic"; } } description "The operation when traffic matches IPsec security policy"; } /*---------------------------------------------------- */ /* draft-wang-ipsecme-ipsec-yang-00: ietf-ipsec-crypto */ /*---------------------------------------------------- */ typedef ipsec-authentication-algorithm { type enumeration { enum "null" { value 0; description "null"; } enum "md5" { value 1; description "MD5 authentication algorithm"; } enum "sha1" { value 2; description "SHA1 authentication algorithm"; } enum "sha2-256" { value 3; description "SHA2-256 authentication algorithm"; } enum "sha2-384" { value 4; description "SHA2-384 authentication algorithm"; } enum "sha2-512" { value 5; description "SHA2-512 authentication algorithm"; } } description "typedef for ipsec authentication algorithm"; } typedef ipsec-encryption-algorithm { type enumeration { enum "null" { description "null"; } enum "des" { description "DES encryption algorithm"; } enum "3des" { description "3DES encryption algorithm"; } enum "aes-128" { description "AES-128 encryption algorithm"; } enum "aes-192" { description "AES-192 encryption algorithm"; } enum "aes-256" { description "AES-256 encryption algorithm"; } } description "typedef for ipsec encryption algorithm"; } /*-------------------------------------------------- */ /* draft-wang-ipsecme-ike-yang-00: ietf-ipsec-type */ /*-------------------------------------------------- */ typedef ike-integrity-algorithm { type enumeration { enum "hmac-md5-96" { description "HMAC-MD5-96 Integrity Algorithm"; } enum "hmac-sha1-96" { description "HMAC-SHA1-96 Integrity Algorithm"; } enum "hmac-sha2-256" { description "HMAC-SHA2-256 Integrity Algorithm"; } enum "hmac-sha2-384" { description "HMAC-SHA2-384 Integrity Algorithm"; } enum "hmac-sha2-512" { description "HMAC-SHA2-512 Integrity Algorithm"; } } description "typedef for ike integrity algorithm."; } typedef ike-encryption-algorithm { type enumeration { enum "des-cbc" { description "DES-CBC Encryption algorithm"; } enum "3des-cbc" { description "3DES-CBC Encryption algorithm"; } enum "aes-cbc-128" { description "AES-CBC-128 Encryption algorithm"; } enum "aes-cbc-192" { description "AES-CBC-192 Encryption algorithm"; } enum "aes-cbc-256" { description "AES-CBC-256 Encryption algorithm"; } } description "typedef for ike encryption algorithm."; } typedef ike-prf-algorithm { type enumeration { enum "hmac-md5-96" { description "HMAC-MD5-96 PRF Algorithm"; } enum "hmac-sha1-96" { description "HMAC-SHA1-96 PRF Algorithm"; } enum "hmac-sha2-256" { description "HMAC-SHA2-256 PRF Algorithm"; } enum "hmac-sha2-384" { description "HMAC-SHA2-384 PRF Algorithm"; } enum "hmac-sha2-512" { description "HMAC-SHA2-512 PRF Algorithm"; } } description "typedef for ike prf algorithm."; } typedef ike-dh-group { type enumeration { enum "dh-group-none" { description "None Diffie-Hellman group"; } enum "dh-group-1" { description "768 bits Diffie-Hellman group"; } enum "dh-group-2" { description "1024 bits Diffie-Hellman group"; } enum "dh-group-5" { description "1536 bits Diffie-Hellman group"; } enum "dh-group-14" { description "2048 bits Diffie-Hellman group"; } } description "typedef for ike dh group"; } typedef ike-peer-name-ref { type leafref { path "/ikev2/ike-peer/ike-peer-entries/peer-name"; } description "reference to ike peer name"; } typedef ike-proposal-number-ref { type leafref { path "/ikev2/proposal/name"; } description "reference to ike proposal name"; } typedef ipsec-proposal-name-ref{ type leafref { path "/ipsec/proposal/ipsec-proposal/name"; } description "reference to ike proposal name"; } typedef ike-auth-method { type enumeration { enum pre-share { description "Select pre-shared key message as the authentication method"; } enum rsa-digital-signature { description "Select rsa digital signature as the authentication method"; } enum dss-digital-signature { description "Select dss digital signature as the authentication method"; } } description "IKE authentication methods"; } /*--------------------*/ /* grouping */ /*--------------------*/ /* The following groupings are used in both configuration data and operational state data */ grouping name-grouping { description "This grouping provides a leaf identifying the name."; leaf name { type string; description "Name of a identifying."; } leaf description { type string; description "Specify the description."; } } grouping sequence-number-grouping { description "This grouping provides a leaf identifying a sequence number."; leaf sequence-number { type uint32 { range "1..4294967295"; } description "Specify the sequence number."; } } grouping description-grouping { description "description for free use."; leaf description { type string; description "description for free use."; } } grouping traffic-selector-grouping { description "Traffic selector to be used for SA negotiation."; leaf traffic-selector-id { type string; mandatory true; description "Traffic selector identifier."; } leaf protocol-name { type transport-protocol-name-t; description "Specifies the protocol selector."; } leaf address-range { type string; mandatory true; description "Specifies the IPv4 or IPv6 address range."; } } grouping ike-general-proposal-grouping { description "IKE proposal."; leaf name { type string; mandatory true; description "IKE Proposal identify."; } leaf description { type string; description "Specify the description."; } leaf dh-group { type diffie-hellman-group-t; mandatory true; description "Specifies a Diffie-Hellman group."; } container encryption { description "Specify IKE Proposal encryption configuration"; leaf algorithm { type ike-encryption-algorithm-t; description "Specifies an Encryption Algorithm."; } } } grouping ike-proposal-grouping { description "Configure the IKE Proposal"; uses ike-general-proposal-grouping; leaf lifetime { type uint32; mandatory true; description "Configure lifetime for IKE SAs 0: for no timeout. 300 .. 99999999: IKE SA lifetime in seconds."; } container authentication { description "Specify IKE Proposal authentication configuration"; leaf algorithm { type ike-integrity-algorithm-t; description "Specify the authentication algorithm"; } leaf preshared-key { type empty; description "Use pre-shared key based authentication"; } leaf rsa-signature { type empty; description "Use signature based authentication by using PKI certificates"; } } } grouping ikev2-proposal-grouping { description "Holds an IKEv2 transform proposal used during "+ "IKEv2 SA negotiation. Multiple IKEv2 Transforms "+ " can be proposed during an IKEv2 session initiation "+ "in an ordered list."; uses ike-general-proposal-grouping; leaf pseudo-random-function { type pseudo-random-function-t; mandatory true; description "Specifies Pseudo Random Function for IKEv2 key exchange"; } container authentication { description "Specify IKEv2 Proposal authentication configuration"; leaf algorithm { type ike-integrity-algorithm-t; description "Specify the authentication algorithm"; } } } grouping ipsec-proposal-grouping { description "Configure IPSec Proposal"; leaf name { type string; mandatory true; description "IPSec proposal identifier."; } leaf ah { type ike-integrity-algorithm-t; description "Configure Authentication Header (AH)."; } container esp { description "Configure Encapsulating Security Payload (ESP)."; leaf authentication { type ike-integrity-algorithm-t; description "Configure ESP authentication"; } leaf encryption { type ike-encryption-algorithm-t; description "Configure ESP encryption"; } } leaf ip-comp{ type empty; description "Enable IPSec proposal IP-COMP which uses the IP Payload "+ "compression protocol to compress IP Security (IPSec) "+ "packets before encryption"; } container lifetime { description "Configure lifetime for IPSEC SAs"; leaf kbytes { type uint32 { range "128..2147483647"; } description "Enter lifetime kbytes for IPSEC SAs"; } leaf seconds { type uint32 { range "300..99999999"; } description "Enter lifetime seconds for IPSEC SAs 0: lifetime of 0 for no timeout 300..99999999: IPSec SA lifetime in seconds"; } } } grouping identity-grouping { description "Identification type. It is an union identity, "+ "possible type as follows: "+ "a) ID_FQDN: A fully-qualified domain name string. "+ " An example of a ID_FQDN is, example.com. "+ " The string MUST not contain any terminators "+ "(e.g., NULL, CR, etc.). "+ "b) ID_RFC822_ADDR: A fully-qualified RFC822 email "+ " address string, An example of a ID_RFC822_ADDR is, "+ " jsmith@example.com. The string MUST not contain "+ " any terminators. "+ "c) ID_IPV4_ADDR: A single four (4) octet IPv4 address. "+ "d) ID_IPV6_ADDR: A single sixteen (16) octet IPv6 address. "+ "e) DN_X509: Distinguished name in the X.509 tradition."; choice identity { description "Choice of identity."; leaf ipv4-address { type inet:ipv4-address; description "Specifies the identity as a single four (4) octet IPv4 address. An example is, 10.10.10.10. "; } leaf ipv6-address { type inet:ipv6-address; description "Specifies the identity as a single sixteen (16) "+ "octet IPv6 address. "+ "An example is, "+ "FF01::101, 2001:DB8:0:0:8:800:200C:417A ."; } leaf fqdn-string { type inet:domain-name; description "Specifies the identity as a Fully-Qualified Domain Name (FQDN) string. An example is: example.com. The string MUST not contain any terminators (e.g., NULL, CR, etc.)."; } leaf rfc822-address-string { type string; description "Specifies the identity as a fully-qualified RFC822 email address string. An example is, jsmith@example.com. The string MUST not contain any terminators (e.g., NULL, CR, etc.)."; } leaf dnX509 { type string; description "Specifies the identity as a distinguished name in the X.509 tradition."; } } } /* grouping identity-grouping */ grouping ike-general-policy-profile-grouping { description "IKE policy."; leaf connection-type { type connection-type-t; mandatory true; description "Specify the IKE connection type"; } leaf pre-shared-key { type union { type string { length "16"; } /* TODO HC2VPP-399: Removed length from hex-string which caused failures when building using ODL yangtools */ type yang:hex-string; } description "Specify IKE pre-shared-key value"; } leaf validate-certificate-identity { type empty; description "Validate Remote-ID payload against the ID's available in the certificate"; } list seq { key seq-id; description "list of sequence of policy."; leaf seq-id { type uint32 { range "1..429496729"; } description "Sequence Number"; } leaf proposal { type leafref { path "/eipsec:ikev1/eipsec:proposal"+ "/eipsec:name"; } description "IKE Proposal reference."; } } container identity { description "Specify IKE identity value"; container local { description "Specify the identity of the local IP Security (IPSec) tunnel endpoint in an Internet Key Exchange (IKE) policy to use when negotiating IKE request with a remote peer."; uses identity-grouping; } container remote { description "Specify the identity of the remote IP Security (IPSec) tunnel endpoint in an Internet Key Exchange (IKE) policy to use when negotiating IKE request with a remote peer."; uses identity-grouping; } } } grouping ike-policy-mode-grouping { description "IKE Policy Mode"; container mode { description "Specify IKE mode configuration"; leaf aggressive { type empty; description "Set IKE Aggressive mode"; } leaf main { type empty; description "Set IKE Main mode"; } } } grouping ike-policy-profile-grouping { description "Configure IKE policy"; leaf name { type string; mandatory true; description "Specify an IKE policy name"; } uses ike-policy-mode-grouping; uses ike-general-policy-profile-grouping; } grouping ikev2-policy-profile-grouping { description "Common information for multiple IKE sessions to be instantiated on a managed element.; One or more Ikev2Session instances might refer to this instance."; leaf name { type string; mandatory true; description "Value component of the RDN."; } container authentication { description "Specify IKE Proposal authentication configuration"; leaf preshared-key { type empty; description "Use pre-shared key based authentication"; } leaf rsa-signature { type empty; description "Use signature based authentication by using PKI certificates"; } } leaf lifetime { type uint32; mandatory true; description "Configure lifetime for IKE SAs 0: for no timeout. 300 .. 99999999: IKE SA lifetime in seconds."; } container address-allocation { must "../connection-type = 'responder-only'" { description "address-allocation can be configured only with responder-only in ike2 policy"; } leaf aaa { type empty; description "IRAC address allocation by AAA"; } description "Specify IKE IRAS address allocation option"; } uses ike-general-policy-profile-grouping; leaf description { type string; description "Specify the description."; } } grouping ipsec-policy-grouping { description "Holds configuration information for IPSec policies."; leaf name { type string; mandatory true; description "IPSec Policy Identification"; } leaf description { type string; description "Specify the description."; } leaf anti-replay-window { type uint32 { range "0 | 32..1024"; } description "Configure replay window size 0: to disable anti-replay-window 32..1024: IPSec anti-replay-window size in multiple of 32"; } container perfect-forward-secrecy { description "Configure Perfect Forward Secrecy (PFS) for IPSec Policy"; leaf dh-group { type diffie-hellman-group-t; description "Configure Diffie-Hellman group for perfect-forward-secrecy"; } } list seq { key seq-id; description "Specify IPSEC proposal sequence number"; leaf seq-id { type uint32; description "Sequence ID"; } leaf description { type string; description "Specify the description."; } leaf proposal { type leafref { path "/eipsec:ipsec/"+ "eipsec:proposal/eipsec:ipsec-proposal/eipsec:name"; } description "IKE proposal reference."; } } } grouping key-string-grouping { description "Configure key for authentication algorithm"; leaf key-str { type union { type string { length "16"; } /* TODO HC2VPP-399: Removed length from hex-string which caused failures when building using ODL yangtools */ type yang:hex-string; } description "Key string input is either string value (length of 16) or hexadecimal (length of 40)"; } } grouping ipsec-sa-ah-grouping { description "Configure Authentication Header (AH) for Security Association (SA)"; container ah { description "Configure Authentication Header (AH) for SA"; choice authentication-algorithm { description "choice for authentication algorithm to set for AH"; case hmac-aes-xcbc { container hmac-aes-xcbc { description "Set the authentication algorithm to hmac-aes-xcbc"; uses key-string-grouping; } } case hmac-md5-96 { container hmac-md5-96 { description "Set the authentication algorithm to hmac-md5-96"; uses key-string-grouping; } } case hmac-sha1-96 { container hmac-sha1-96 { description "Set the authentication algorithm to hmac-sha1-96"; uses key-string-grouping; } } case key-string { container key-string { description "Configure key for authentication algorithm"; uses key-string-grouping; } } } } } grouping ipsec-sa-esp-grouping { description "Configure IPSec Encapsulation Security Payload (ESP)"; container esp { description "Set IPSec Encapsulation Security Payloer (ESP)"; container authentication { description "Configure authentication for IPSec Encapsulation Secutiry Payload (ESP)"; choice authentication-algorithm { description "choice for authentication algorithm to set"; case hmac-aes-xcbc { container hmac-aes-xcbc { description "Set the authentication algorithm to hmac-aes-xcbc"; uses key-string-grouping; } } case hmac-md5-96 { container hmac-md5-96 { description "Set the authentication algorithm to hmac-md5-96"; uses key-string-grouping; } } case hmac-sha1-96 { container hmac-sha1-96 { description "Set the authentication algorithm to hmac-sha1-96"; uses key-string-grouping; } } case key-string { container key-string { description "Configure key for authentication algorithm"; uses key-string-grouping; } } } } container encryption { description "Configure encryption for IPSec Encapsulation Secutiry Payload (ESP)"; choice encryption-algorithm { description "type of encryption"; case des3-cbc { container des3-cbd { description "Set the encryption algorithm to des3-cbc"; uses key-string-grouping; } } case aes-128-cbc { container aes-128-cbc { description "Set the encryption algorithm to aes-128-cbc"; uses key-string-grouping; } } case aes-192-cbc { container aes-192-cbc { description "Set the encryption algorithm to aes-192-cbc"; uses key-string-grouping; } } case aes-256-cbc { container aes-256-cbc { description "Set the encryption algorithm to aes-256-cbc"; uses key-string-grouping; } } case des-cbc { container des-cbc { description "Set the encryption algorithm to des-cbc"; uses key-string-grouping; } } case key-string { container key-string { description "Configure key for encryption algorithm"; uses key-string-grouping; } } } } } } grouping ipsec-acl-dest-grouping { description "IPSEC ACL destination."; /* For destination */ choice dest-address { description "destination address."; case dest-ipv4-address { leaf destination-ipv4-address { type inet:ipv4-address; description "Destination IPv4 Address A.B.C.D/0..32."; } } case dest-any { leaf dest-any { type empty; description "Match Any Destination IPv4 Address."; } } } } grouping ipsec-acl-seq-protocol-number-grouping { description "IPSec ACL Sequence protocol number."; leaf number { type uint16 { range "0..255"; } description "Specify protocol number."; } choice argument { description "Source IPv4 address."; case source-ipv4-address { leaf source-ipv4-address { type inet:ipv4-address; description "Source IPv4 Address A.B.C.D/0..32."; } } case any { /* For source */ leaf source-any { type empty; description "Match Any Source IPv4 Address."; } } } } grouping ipsec-acl-seq-ip-address-grouping { description "IPSec ACL Sequence IP Address."; leaf source-ipv4-address { type inet:ipv4-address; description "Source is IPv4 Address A.B.C.D/0..32."; } } grouping ipsec-acl-seq-any-grouping { description "IPSec ACL Sequence Any."; leaf any { type empty; description "Source is Any."; } } grouping ipsec-acl-seq-tcp-grouping { description "IPSec ACL Sequence TCP."; leaf tcp { type empty; description "Source is TCP protocol."; } } grouping ipsec-acl-seq-udp-grouping { description "IPSec ACL Sequence for UDP."; leaf udp { type empty; description "Source is UDP protocol."; } } grouping ipsec-acl-grouping { description "IPSec ACL"; list access-list { if-feature ipsec-acl; key "name sequence-number"; uses name-grouping; uses sequence-number-grouping; description "Configure the IPSec access-list."; choice protocol { description "IPSec ACL protocol."; case number { uses ipsec-acl-seq-protocol-number-grouping; } case source-ipv4-address { uses ipsec-acl-seq-ip-address-grouping; } case any { uses ipsec-acl-seq-any-grouping; } case tcp { uses ipsec-acl-seq-tcp-grouping; } case udp { uses ipsec-acl-seq-udp-grouping; } } uses ipsec-acl-dest-grouping; } } grouping ipsec-df-bit-grouping { description "IPSec Dont Fragment (DF) bit for IP header."; container df-bit { description "Configure Don't Fragment (DF) bit for IP Header."; leaf clear { type empty; description "Clear DF bit for outer IP header."; } leaf propagate { type empty; description "Propagate DF bit for outer IP header."; } leaf set { type empty; description "Set DF bit for outer IP header."; } } } grouping ipsec-profile-grouping { description "IPSec profile."; list profile { key "name"; uses name-grouping; uses ipsec-df-bit-grouping; description "Configure the IPSec Profile."; leaf mtu { type uint32 { range "256..1600"; } description "Set the MTU."; } list seq { key "sequence-number"; uses sequence-number-grouping; description "IPSec Access List sequence number."; leaf policy { type leafref { //TODO: fixed path (HC2VPP-399) path "/eipsec:ipsec/eipsec:spd/"+ "eipsec:spd-entries/eipsec:name"; } description "Specify IPSec policy name."; } } } } grouping ip-address-grouping { description "IP Address grouping"; choice ip-address { description "Choice of IPv4 or IPv6."; leaf ipv4-address { type inet:ipv4-address; description "Specifies the identity as a single four (4) octet IPv4 address. An example is, 10.10.10.10. "; } leaf ipv6-address { type inet:ipv6-address; description "Specifies the identity as a single sixteen (16) "+ "octet IPv6 address. "+ "An example is, "+ "FF01::101, 2001:DB8:0:0:8:800:200C:417A ."; } } } grouping ipsec-sa-grouping { description "Configure Security Association (SA)"; leaf spi { type uint32; description "Specify Security Parameter Index"; } leaf anti-replay-window { type uint16 { range "0 | 32..1024"; } description "Specify replay window size"; } leaf ip-comp { type empty; description "Enables IPCOMP, which uses the IP payload compression protocol to compress IP security (IPsec) packets before encryption"; } container local-peer { description "Specify the local peer IP address"; uses ip-address-grouping; } container remote-peer { description "Specify the remote peer IP address"; uses ip-address-grouping; } leaf sa-mode { type ipsec-mode; description "SA Mode: tunnel or transport mode"; } leaf security-protocol { type ipsec-protocol; description "Security protocol of IPsec SA: Either AH or ESP."; } leaf sequence-number { type uint64; description "Current sequence number of IPsec packet."; } leaf sequence-number-overflow-flag { type boolean; description "The flag indicating whether overflow of the sequence number counter should prevent transmission of additional packets on the SA, or whether rollover is permitted."; } leaf path-mtu { type uint16; description "maximum size of an IPsec packet that can be transmitted without fragmentation"; } container life-time { leaf life-time-in-seconds { type uint32; description "SA life time in seconds"; } leaf remain-life-time-in-seconds { type uint32; description "Remain SA life time in seconds"; } leaf life-time-in-byte { type uint32; description "SA life time in bytes"; } leaf remain-life-time-in-byte { type uint32; description "Remain SA life time in bytes"; } description "SA life time information"; } leaf upper-protocol { type string; description "Upper-layer protocol to be used"; } leaf direction { type ipsec-traffic-direction; description "It indicates whether the SA is inbound SA or out bound SA."; } container source-address { description "Specify the source IP address and port of protected traffic"; uses ip-address-grouping; leaf port-number { type uint32; description "port of protected traffic"; } } container destination-address { description "Specify the destination IP address and port of protected traffic"; uses ip-address-grouping; leaf port-number { type uint32; description "port of protected traffic"; } } leaf nat-traversal-flag { type boolean; description "Whether the SA is used to protect traffic that needs nat traversal"; } uses ipsec-sa-ah-grouping; uses ipsec-sa-esp-grouping; } /* draft-wang-ipsecme-ike-yang-00 */ grouping ipsec-common-configuration { choice df-flag { default copy; case set { leaf set { type empty; description "Set the df bit when encapsulate IPsec tunnel."; } } case clear { leaf clear { type empty; description "Clear the df bit when encapsulate IPsec tunnel."; } } case copy { leaf copy { type empty; description "Copy the inner IP header df bit."; } } description "It indicates how to process the df bit when encapsulate IPsec tunnel."; } leaf stateful-frag-check { type boolean; default false; description "Whether stateful fragment checking applies."; } leaf life-time-kb { type uint32; units "KB"; default 2000000; description "IPsec SA Life time in KB."; } leaf life-time-second { type uint32; units "Second"; default 18400; description "IPsec SA Life time in Seconds"; } choice anti-replay { default enable; case enable { leaf enable { type empty; description "Enable Anti-replay"; } choice anti-replay-windows-size { case size-32; case size-64; case size-128; case size-256; case size-512; case size-1024; default size-1024; description "It indicate the size of anti-replay window"; } } case disable { leaf disable { type empty; description "Disable Anti-replay"; } } description "Whether enable or disable anti-replay"; } leaf inbound-dscp { type uint16 { range "0..63"; } default 0; description "Inbound DSCP value"; } leaf outbound-dscp { type uint16 { range "0..63"; } default 0; description "Outbound DSCP value"; } description "Common IPsec configurations"; } /*--------------------*/ /* Configuration Data */ /*--------------------*/ container ikev1 { if-feature ikev1; description "Configuration IPSec IKEv1"; /* The following is for */ list proposal { key "name"; uses ike-proposal-grouping; description "Configure IKE proposal"; } leaf keepalive { type empty; description "Enables sending Dead Peer Detection (DPD) messages "+ "to Internet Key Exchange (IKE) peers."; } list policy { key "name"; uses ike-policy-profile-grouping; description "Configure IKE Policy Profile."; } } container ikev2 { if-feature ikev2; description "Configuration IPSec IKEv2"; /* The following is for */ /* draft-wang-ipsecme-ike-yang-00 */ container ike-global-configuration { if-feature ikev2-global; description "Global IKE configurations"; uses ipsec-common-configuration; leaf local-name { type string; description "Global local name configuration, if it is not configed, ip address will be used as default. If configing special local name for special peer, it will overwrite the global name configuration when negotion with that peer."; } leaf nat-keepalive-interval { type uint16 { range "5..300"; } units "Seconds"; default 20; description "Global nat keepalive interval"; } leaf dpd-interval { type uint16 { range "10..3600"; } units "Seconds"; default 30; description "Global DPD interval"; } } container ike-peer { if-feature ikev2-peer; description "IKE peer information"; list ike-peer-entries { key "peer-name"; description "IKE peer information"; leaf peer-name { type string; mandatory true; description "Name of IKE peer"; } leaf ike-proposal-number { type ike-proposal-number-ref; description "IKE proposal number referenced by IKE peer"; } leaf PresharedKey { type string; description "Preshare key"; } leaf nat-traversal { type boolean; default false; description "Enable/Disable nat traversal"; } choice local-id-type { default ip; case ip { leaf ip { type empty; description "IP address"; } } case fqdn { leaf fqdn { type empty; description "Fully Qualifed Domain name "; } } case dn { leaf dn { type empty; description "Domain name"; } } case user_fqdn { leaf user_fqdn { type empty; description "User FQDN"; } } description "Local ID type"; } leaf local-id { type string; description "Local ID Name. When IP is used as local ID type, it is ignored. If it is not configurated, global local name will be used."; } leaf remote-id { type "string"; description "ID of IKE peer"; } leaf low-remote-address { type inet:ip-address; description "Low range of remote address"; } leaf high-remote-address { type inet:ip-address; description "High range of remote address"; } leaf certificate { type string; description "Certificate file name"; } leaf auth-address-begin { type inet:ip-address; description "The begin range of authenticated peer address"; } leaf auth-address-end { type inet:ip-address; description "The end range of authenticated peer address"; } } }//End of IKEPeerEntries list proposal { if-feature ikev2-proposal; key "name"; uses ikev2-proposal-grouping; description "Configure IKEv2 proposal"; } list policy { if-feature ikev2-policy; key "name"; uses ikev2-policy-profile-grouping; description "IKEv2 Policy Profile"; } } container ipsec { if-feature ipsec; description "Configuration IPsec"; container sad { if-feature ipsec-sad; description "Configure the IPSec Security Association Database (SAD)"; list sad-entries { key "spi direction"; description "Configure IPsec Security Association Database(SAD)"; uses ipsec-sa-grouping; } } container proposal { if-feature ipsec-proposal; description "IPSec Proposal Profile"; list ipsec-proposal { key "name"; uses ipsec-proposal-grouping; description "Configure the IP Security (IPSec) proposal"; } } /* TODO HC2VPP-399: modified spd container to list to support multiple spds for VPP */ list spd { key "spd-id"; if-feature ipsec-spd; description "List of Security Policy Databases (SPD)"; leaf spd-id { type int32; } list spd-entries { key "name"; ordered-by user; uses ipsec-policy-grouping; description "Specify an IPSec policy name"; } } container pad { description "Configure Peer Authorization Database (PAD)"; list pad-entries { key "pad-type pad-id"; ordered-by user; uses identity-grouping; description "Peer Authorization Database (PAD)"; leaf pad-id { type uint32; description "PAD identity"; } leaf pad-type { type pad-type-t; description " PAD type"; } leaf ike-peer-name { type string; description "IKE Peer Name"; } container peer-authentication { description "Specify IKE peer authentication configuration"; leaf algorithm { type ike-integrity-algorithm-t; description "Specify the authentication algorithm"; } leaf preshared-key { type empty; description "Use pre-shared key based authentication"; } leaf rsa-signature { type empty; description "Use signature based authentication by using PKI certificates"; } } } } } /*--------------------------*/ /* Operational State Data */ /*--------------------------*/ grouping ike-proposal-state-components { description "IKE Proposal operational state"; list proposal { if-feature ike-proposal-state; description "Operational data for IKE Proposal"; leaf name { type string { length "1..50"; } description "Name of the IKE proposal."; } leaf lifetime { type uint32; units "seconds"; description "lifetime"; } leaf encryption { type ike-encryption-algorithm-t; description "Encryption algorithm"; } leaf dh-group { type diffie-hellman-group-t; description "Diffie-Hellman group."; } leaf authentication { type ike-integrity-algorithm-t; description "authentication"; } } } grouping ike-policy-state-grouping { description "IKE Policy State."; list policy { if-feature ike-policy-state; description "Operational data for IKE policy"; leaf name { type string { length "1..50"; } description "Name of the IKE Policy."; } leaf description { type string; description "Description for IKE Policy."; } leaf mode { type enumeration { enum aggressive { description "Aggressive mode."; } enum main { description "Main mode."; } } description "IKE policy mode."; } leaf connection-type { type connection-type-t; description "IKE policy connection type."; } leaf local-identity { type inet:ipv4-address-no-zone; description "IP address of the local identity."; } leaf remote-identity { type inet:ipv4-address-no-zone; description "IP address of the remote identity."; } leaf pre-shared-key { type string; description "Pre-shared key"; } leaf seq { type uint32; description "sequence number"; } leaf proposal { type string; description "proposal name"; } } } grouping ikev2-proposal-state-components { description "IKEv2 Operational state"; list proposal { if-feature ikev2-proposal-state; description "IKEv2 proposal operational data"; leaf name { type string; description "Name of IKEv2 Proposal."; } leaf pseudo-random-function { type pseudo-random-function-t; description "Pseudo Random Function for IKEv2."; } leaf authentication { type ike-integrity-algorithm-t; description "authentication"; } leaf encryption { type ike-encryption-algorithm-t; description "Encryption algorithm"; } leaf dh-group { type diffie-hellman-group-t; mandatory true; description "Diffie-Hellman group."; } } } grouping ipsec-policy-state-grouping { description "IPSec operational state"; list policy { if-feature ipsec-policy-state; description "IPSec policy operational data"; leaf name { type string; description "IPSec Policy name."; } leaf anti-replay-window { type uint32; description "replay window size"; } leaf perfect-forward-secrecy { type diffie-hellman-group-t; description "Diffie-Hellman group for perfect-forward-secrecy"; } list seq { description "Sequence number"; leaf seq-id { type uint32; description "Sequence number"; } leaf proposal-name { type string; description "IPSec proposal name"; } } } } grouping ipsec-proposal-state-grouping { description "IPSec proposal operational data"; list proposal { if-feature ipsec-proposal-state; description "IPSec proposal operational data"; leaf name { type string; description "IPSec Proposal name"; } leaf ah { type ike-integrity-algorithm-t; description "Authentication Header (AH)."; } container esp { description "Encapsulating Security Payload (ESP)."; leaf authentication { type ike-integrity-algorithm-t; description "ESP authentication"; } leaf encryption { type ike-encryption-algorithm-t; description "ESP encryption"; } } leaf ip-comp{ type empty; description "IPSec proposal IP-COMP which uses the IP Payload "+ "compression protocol to compress IP Security (IPSec) "+ "packets before encryption"; } container lifetime { description "lifetime for IPSEC SAs"; leaf kbytes { type uint32; description "lifetime kbytes for IPSEC SAs"; } leaf seconds { type uint32; description "lifetime seconds for IPSEC SAs"; } } } } grouping ipsec-alarms-state-grouping { description "IPSec alarms operational data"; leaf hold-down { if-feature ipsec-alarms-state; type uint32; description "Hold-down value"; } } grouping ipsec-sa-ah-state-grouping { description "IPSec SA's AH operational data"; leaf spi { if-feature ipsec-sa-ah-state; type uint32; description "Security Parameter Index (SPI) value"; } leaf description { if-feature ipsec-sa-ah-state; type string; description "the description."; } leaf authentication-algorithm { if-feature ipsec-sa-ah-state; type ike-integrity-algorithm-t; description "Authentication algorithm"; } leaf encryption-algorithm { if-feature ipsec-sa-ah-state; type ike-encryption-algorithm-t; description "Encryption algorithm"; } } grouping ipsec-sa-state-grouping { description "IPSec Security Association Operational data"; list sa { if-feature ipsec-sa-state; description "IPSec SA operational data"; leaf name { type string; description "Specify IPSec Security Association (SA) name"; } leaf anti-replay-window { type uint16; description "replay window size"; } leaf ip-comp { type empty; description "Enables IPCOMP, which uses the IP payload compression protocol to compress IP security (IPsec) packets before encryption"; } uses ipsec-sa-ah-state-grouping; } } /* draft-wang-ipsecme-ipsec-yang-00 */ grouping ipsec-tunnel-mode-info { description "common infomations when using IPsec tunnel mode"; leaf local-address { if-feature ipsec-tunnel; type string; description "Local address of IPsec tunnel mode"; } leaf remote-address { if-feature ipsec-tunnel; type string; description "Remote address of IPsec tunnel mode"; } leaf bypass-df { if-feature ipsec-tunnel; type enumeration { enum "set" { description "Set the df bit"; } enum "clear" { description "Clear the df bit"; } enum "copy" { description "Copy the df bit from inner header"; } } description "This flag indicates how to process tunnel mode df flag"; } leaf dscp-flag { if-feature ipsec-tunnel; type boolean; description "This flag indicate whether bypass DSCP or map to unprotected DSCP values (array) if needed to restrict bypass of DSCP values."; } leaf stateful-frag-check-flag { if-feature ipsec-tunnel; type boolean; description "This flag indicates whether stateful fragment checking will be used."; } } grouping traffic-selector { description "IPsec traffic selector information"; leaf local-address-low { if-feature ipsec-local-address-range; type inet:ip-address; description "Low range of local address"; } leaf local-address-high { if-feature ipsec-local-address-range; type inet:ip-address; description "High range of local address"; } leaf remote-address-low { if-feature ipsec-remote-address-range; type inet:ip-address; description "Low range of remote address"; } leaf remote-address-high { if-feature ipsec-remote-address-range; type inet:ip-address; description "High range of remote address"; } leaf next-protocol-low { if-feature ipsec-next-protocol-range; type uint16; description "Low range of next protocol"; } leaf next-protocol-high { if-feature ipsec-next-protocol-range; type uint16; description "High range of next protocol"; } leaf local-port-low { if-feature ipsec-local-port-range; type inet:port-number; description "Low range of local port"; } leaf local-port-high { if-feature ipsec-local-port-range; type inet:port-number; description "High range of local port"; } leaf remote-port-high { if-feature ipsec-remote-port-range; type inet:port-number; description "Low range of remote port"; } leaf remote-port-low { if-feature ipsec-remote-port-range; type inet:port-number; description "High range of remote port"; } } grouping ipsec-algorithm-info { description "IPsec algorithm information used by SPD and SAD"; leaf ah-auth-algorithm { if-feature ipsec-ah-authentication; type ipsec-authentication-algorithm; description "Authentication algorithm used by AH"; } leaf esp-integrity-algorithm { if-feature ipsec-esp-integrity; type ipsec-authentication-algorithm; description "Integrity algorithm used by ESP"; } leaf esp-encrypt-algorithm { if-feature ipsec-esp-encrypt; type ipsec-encryption-algorithm; description "Encryption algorithm used by ESP"; } } grouping ipsec-stat { leaf inbound-packets { if-feature ipsec-stat; type uint64; config false; description "Inbound Packet count"; } leaf outbound-packets { if-feature ipsec-stat; type uint64; config false; description "Outbound Packet count"; } leaf inbound-bytes { if-feature ipsec-stat; type uint64; config false; description "Inbound Packet bytes"; } leaf outbound-bytes { if-feature ipsec-stat; type uint64; config false; description "Outbound Packet bytes"; } leaf inbound-drop-packets { if-feature ipsec-stat; type uint64; config false; description "Inbound dropped packets count"; } leaf outbound-drop-packets { if-feature ipsec-stat; type uint64; config false; description "Outbound dropped packets count"; } container dropped-packet-detail { if-feature ipsec-stat; description "The detail information of dropped packets"; leaf sa-non-exist { type uint64; config false; description "The dropped packets counts caused by SA non-exist."; } leaf queue-full { type uint64; config false; description "The dropped packets counts caused by full processing queue"; } leaf auth-failure { type uint64; config false; description "The dropped packets counts caused by authentication failure"; } leaf malform { type uint64; config false; description "The dropped packets counts of malform"; } leaf replay { type uint64; config false; description "The dropped packets counts of replay"; } leaf large-packet { type uint64; config false; description "The dropped packets counts of too large"; } leaf invalid-sa { type uint64; config false; description "The dropped packets counts of invalid SA"; } leaf policy-deny { type uint64; config false; description "The dropped packets counts of denyed by policy"; } leaf other-reason { type uint64; config false; description "The dropped packets counts of other reason"; } } description "IPsec statistics information"; } container ike-state { if-feature ikev1-state; config "false"; uses ike-proposal-state-components; uses ike-policy-state-grouping; description "Contain the operational data for IKE."; } container ikev2-state { if-feature ikev2-state; config "false"; uses ikev2-proposal-state-components; uses ike-policy-state-grouping; description "Contain the operational data for IKEv2."; } container ipsec-state { if-feature ipsec-state; config "false"; uses ipsec-policy-state-grouping; uses ipsec-proposal-state-grouping; uses ipsec-alarms-state-grouping; uses ipsec-sa-state-grouping; container redundancy { if-feature ipsec-redundancy; description "Configure redundancy for IPSec"; leaf inter-chassis { type empty; description "Set redundancy at chassis level"; } } description "Contain the operational data for IPSec."; } /* draft-wang-ipsecme-ipsec-yang-00 */ container sad { if-feature sad; config false; description "The IPsec SA database"; list sad-entries { key "spi security-protocol direction"; description "The SA entries information"; leaf spi { type ipsec-spi; description "Security parameter index of SA entry."; } leaf security-protocol { type ipsec-protocol; description "Security protocol of IPsec SA."; } leaf direction { type ipsec-traffic-direction; description "It indicates whether the SA is inbound SA or out bound SA."; } leaf sa-type { type enumeration { enum "manual" { description "Manual IPsec SA"; } enum "isakmp" { description "ISAKMP IPsec SA"; } } description "It indicates whether the SA is created by manual or by dynamic protocol."; } leaf sequence-number { type uint64; description "Current sequence number of IPsec packet."; } leaf sequence-number-overflow-flag { type boolean; description "The flag indicating whether overflow of the sequence number counter should prevent transmission of additional packets on the SA, or whether rollover is permitted."; } leaf anti-replay-enable-flag { type boolean; description "It indicates whether anti-replay is enable or disable."; } leaf anti-replay-window-size { type uint64; description "The size of anti-replay window."; } uses ipsec-algorithm-info; container life-time { leaf life-time-in-seconds { type uint32; description "SA life time in seconds"; } leaf remain-life-time-in-seconds { type uint32; description "Remain SA life time in seconds"; } leaf life-time-in-byte { type uint32; description "SA life time in bytes"; } leaf remain-life-time-in-byte { type uint32; description "Remain SA life time in bytes"; } description "SA life time information"; } leaf protocol-mode { type ipsec-mode; description "It indicates whether tunnel mode or transport mode will be used."; } container tunnel-mode-process-info { when "../protocol-mode = 'tunnel'" { description "External information of SA when SA works in tunnel mode."; } uses ipsec-tunnel-mode-info; description "External information of SA when SA works in tunnel mode."; } leaf-list dscp { type uint8 { range "0..63"; } description "When traffic matchs SPD, the DSCP values used to filter traffic"; } leaf path-mtu { type uint16; description "Path MTU valie"; } leaf nat-traversal-flag { type boolean; description "Whether the SA is used to protect traffic that needs nat traversal"; } } } container spd { if-feature spd; config false; description "IPsec security policy database information"; list spd-entries { description "IPsec SPD entry information"; list name { description "SPD name information."; leaf name-type { type ipsec-spd-name; description "SPD name type."; } leaf name-string { when "../name-type = 'id_rfc_822_addr' or ../name-type = 'id_fqdn'" { description "when name type is id_rfc_822_addr or id_fqdn, the name are saved in string"; } type string; description "SPD name content"; } leaf name-binary { when "../name-type = 'id_der_asn1_dn' or ../name-type = 'id_key'" { description "when name type is id_der_asn1_dn or id_key, the name are saved in binary"; } type binary; description "SPD name content"; } } leaf pfp-flag { type boolean; description "populate from packet flag"; } list traffic-selector { min-elements 1; uses traffic-selector; description "Traffic selectors of SAD entry"; } leaf operation { type ipsec-spd-operation; description "It indicates how to process the traffic when it matches the security policy."; } container protect-operation { when "../operation = 'protect'" { description "How to protect the traffic when the SPD operation is protect"; } leaf spd-ipsec-mode { type ipsec-mode; description "It indicates which mode is chosen when the traffic need be protected by IPsec."; } leaf esn-flag { type boolean; description "It indicates whether ESN is used."; } leaf spd-ipsec-protocol { type ipsec-protocol; description "It indicates which protocol (AH or ESP) is chosen."; } container tunnel-mode-additional { when "../spd-ipsec-mode = 'tunnel'" { description "Additional informations when choose tunnel mode"; } uses ipsec-tunnel-mode-info; description "When use tunnel mode, the additional information of SPD."; } list spd-algorithm { min-elements 1; uses ipsec-algorithm-info; description "Algorithms defined in SPD, ordered by decreasing priority."; } description "How to protect the traffic when the SPD operation is protect"; } } } container ipsec-global-statistics { if-feature ipsec-global-stats; config false; description "IPsec global statistics"; container ipv4 { description "IPsec statistics of IPv4"; uses ipsec-stat; } container ipv6 { description "IPsec statistics of IPv6"; uses ipsec-stat; } container global { description "IPsec statistics of global"; uses ipsec-stat; } } /*--------------------*/ /* RPC */ /*--------------------*/ rpc clear-ipsec-group { if-feature clear-ipsec-group; description "RPC for clear ipsec states"; input { leaf alarm-hold-down { type uint8; description "IPSec alarm hold-down"; } leaf ipsec-policy-name { type leafref { path "/eipsec:ipsec/eipsec:spd/"+ "eipsec:spd-entries/eipsec:name"; } description "IPSec Policy name."; } } } rpc clear-ike-group { if-feature clear-ike-group; description "RPC for clear IKE states"; input { leaf proposal { type leafref { path "/eipsec:ikev1/eipsec:proposal/"+ "eipsec:name"; } description "IPSec IKE Proposal name."; } } } rpc clear-ikev2-group { if-feature clear-ikev2-group; description "RPC for clear IKEv2 states"; input { leaf proposal { type leafref { path "/eipsec:ikev2/eipsec:proposal/"+ "eipsec:name"; } description "IPSec IKEv2 Proposal name."; } } } /* draft-wang-ipsecme-ipsec-yang-00 */ rpc reset-ipv4 { if-feature reset-ipv4; description "Reset IPsec IPv4 statistics"; input { leaf ipv4 { type empty; description "Reset IPsec IPv4 statistics"; } } output { leaf status { type string; description "Operation status"; } } } rpc reset-ipv6 { if-feature reset-ipv6; description "Reset IPsec IPv6 statistics"; input { leaf ipv6 { type empty; description "Reset IPsec IPv6 statistics"; } } output { leaf status { type string; description "Operation status"; } } } rpc reset-global { if-feature reset-global; description "Reset IPsec global statistics"; input { leaf ipv6 { type empty; description "Reset IPsec global statistics"; } } output { leaf status { type string; description "Operation status"; } } } notification dpd-failure{ description "IKE peer DPD detect failure"; leaf peer-id { type string; description "Peer ID"; } } notification peer-authentication-failure { if-feature peer-authentication-failure; description "Peer authentication fail when negotication"; leaf peer-id { type string; description "The ID of remote peer"; } } notification ike-reauth-failure { if-feature ike-reauth-failure; description "IKE peer reauthentication fail"; leaf peer-id { type string; description "The ID of remote peer"; } } notification ike-rekey-failure { if-feature ike-rekey-failure; description "IKE SA rekey failure"; leaf peer-id { type string; description "The ID of remote peer"; } leaf old-i-spi { type uint64; description "old SPI"; } leaf old-r-spi { type uint64; description "old SPI"; } } notification ipsec-rekey-failure { if-feature ipsec-rekey-failure; description "IPsec SA rekey failure"; leaf peer-id { type string; description "The ID of remote peer"; } leaf old-inbound-spi { type ipsec-spi; description "old inbound SPI"; } leaf old-outbound-spi { type ipsec-spi; description "old outbound SPI"; } } } /* module ericsson-ipsec */