draft-ietf-i2nsf-sdn-ipsec-flow-protection-09.txt | draft-ietf-i2nsf-sdn-ipsec-flow-protection-10.txt | |||
---|---|---|---|---|
I2NSF R. Marin-Lopez | I2NSF R. Marin-Lopez | |||
Internet-Draft G. Lopez-Millan | Internet-Draft G. Lopez-Millan | |||
Intended status: Standards Track University of Murcia | Intended status: Standards Track University of Murcia | |||
Expires: April 15, 2021 F. Pereniguez-Garcia | Expires: April 24, 2021 F. Pereniguez-Garcia | |||
University Defense Center | University Defense Center | |||
October 12, 2020 | October 21, 2020 | |||
Software-Defined Networking (SDN)-based IPsec Flow Protection | Software-Defined Networking (SDN)-based IPsec Flow Protection | |||
draft-ietf-i2nsf-sdn-ipsec-flow-protection-09 | draft-ietf-i2nsf-sdn-ipsec-flow-protection-10 | |||
Abstract | Abstract | |||
This document describes how to provide IPsec-based flow protection | This document describes how to provide IPsec-based flow protection | |||
(integrity and confidentiality) by means of an Interface to Network | (integrity and confidentiality) by means of an Interface to Network | |||
Security Function (I2NSF) controller. It considers two main well- | Security Function (I2NSF) controller. It considers two main well- | |||
known scenarios in IPsec: (i) gateway-to-gateway and (ii) host-to- | known scenarios in IPsec: (i) gateway-to-gateway and (ii) host-to- | |||
host. The service described in this document allows the | host. The service described in this document allows the | |||
configuration and monitoring of IPsec Security Associations (SAs) | configuration and monitoring of IPsec Security Associations (SAs) | |||
from an I2NSF Controller to one or several flow-based Network Security | from an I2NSF Controller to one or several flow-based Network Security | |||
skipping to change at page 1, line 45 ¶ | skipping to change at page 1, line 45 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on April 15, 2021. | This Internet-Draft will expire on April 24, 2021. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 51 ¶ | skipping to change at page 2, line 51 ¶ | |||
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26 | 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26 | |||
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 26 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 26 | |||
10.1. Normative References . . . . . . . . . . . . . . . . . . 26 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 26 | |||
10.2. Informative References . . . . . . . . . . . . . . . . . 29 | 10.2. Informative References . . . . . . . . . . . . . . . . . 29 | |||
Appendix A. Common YANG model for IKE and IKE-less cases . . . . 31 | Appendix A. Common YANG model for IKE and IKE-less cases . . . . 31 | |||
Appendix B. YANG model for IKE case . . . . . . . . . . . . . . 46 | Appendix B. YANG model for IKE case . . . . . . . . . . . . . . 46 | |||
Appendix C. YANG model for IKE-less case . . . . . . . . . . . . 65 | Appendix C. YANG model for IKE-less case . . . . . . . . . . . . 65 | |||
Appendix D. XML configuration example for IKE case (gateway-to- | Appendix D. XML configuration example for IKE case (gateway-to- | |||
gateway) . . . . . . . . . . . . . . . . . . . . . . 76 | gateway) . . . . . . . . . . . . . . . . . . . . . . 76 | |||
Appendix E. XML configuration example for IKE-less case (host- | Appendix E. XML configuration example for IKE-less case (host- | |||
to-host) . . . . . . . . . . . . . . . . . . . . . . 79 | to-host) . . . . . . . . . . . . . . . . . . . . . . 80 | |||
Appendix F. XML notification examples . . . . . . . . . . . . . 84 | Appendix F. XML notification examples . . . . . . . . . . . . . 84 | |||
Appendix G. Operational use cases examples . . . . . . . . . . . 85 | Appendix G. Operational use cases examples . . . . . . . . . . . 86 | |||
G.1. Example of IPsec SA establishment . . . . . . . . . . . . 85 | G.1. Example of IPsec SA establishment . . . . . . . . . . . . 86 | |||
G.1.1. IKE case . . . . . . . . . . . . . . . . . . . . . . 86 | G.1.1. IKE case . . . . . . . . . . . . . . . . . . . . . . 86 | |||
G.1.2. IKE-less case . . . . . . . . . . . . . . . . . . . . 88 | G.1.2. IKE-less case . . . . . . . . . . . . . . . . . . . . 88 | |||
G.2. Example of the rekeying process in IKE-less case . . . . 90 | G.2. Example of the rekeying process in IKE-less case . . . . 90 | |||
G.3. Example of managing NSF state loss in IKE-less case . . . 91 | G.3. Example of managing NSF state loss in IKE-less case . . . 91 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 91 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 91 | |||
1. Introduction | 1. Introduction | |||
Software-Defined Networking (SDN) is an architecture that enables | Software-Defined Networking (SDN) is an architecture that enables | |||
users to directly program, orchestrate, control and manage network | users to directly program, orchestrate, control and manage network | |||
skipping to change at page 13, line 27 ¶ | skipping to change at page 13, line 27 ¶ | |||
The definition of the PAD model has been extracted from the | The definition of the PAD model has been extracted from the | |||
specification in section 4.4.3 in [RFC4301] (NOTE: We have observed | specification in section 4.4.3 in [RFC4301] (NOTE: We have observed | |||
that many implementations integrate PAD configuration as part of the | that many implementations integrate PAD configuration as part of the | |||
IKEv2 configuration). | IKEv2 configuration). | |||
The data model for the IKE case is defined by YANG model "ietf-i2nsf- | The data model for the IKE case is defined by YANG model "ietf-i2nsf- | |||
ike". Its structure is depicted in the following diagram, using the | ike". Its structure is depicted in the following diagram, using the | |||
notation syntax for YANG tree diagrams ([RFC8340]). | notation syntax for YANG tree diagrams ([RFC8340]). | |||
module: ietf-i2nsf-ike | module: ietf-i2nsf-ike | |||
+--rw ipsec-ike | +--rw ipsec-ike | |||
+--rw pad | +--rw pad | |||
| +--rw pad-entry* [name] | | +--rw pad-entry* [name] | |||
| +--rw name string | | +--rw name string | |||
| +--rw (identity) | | +--rw (identity) | |||
| | +--:(ipv4-address) | | | +--:(ipv4-address) | |||
| | | +--rw ipv4-address? inet:ipv4-address | | | | +--rw ipv4-address? inet:ipv4-address | |||
| | +--:(ipv6-address) | | | +--:(ipv6-address) | |||
| | | +--rw ipv6-address? inet:ipv6-address | | | | +--rw ipv6-address? inet:ipv6-address | |||
| | +--:(fqdn-string) | | | +--:(fqdn-string) | |||
| | | +--rw fqdn-string? inet:domain-name | | | | +--rw fqdn-string? inet:domain-name | |||
| | +--:(rfc822-address-string) | | | +--:(rfc822-address-string) | |||
| | | +--rw rfc822-address-string? string | | | | +--rw rfc822-address-string? string | |||
| | +--:(dnx509) | | | +--:(dnx509) | |||
| | | +--rw dnx509? string | | | | +--rw dnx509? string | |||
| | +--:(gnx509) | | | +--:(gnx509) | |||
| | | +--rw gnx509? string | | | | +--rw gnx509? string | |||
| | +--:(id-key) | | | +--:(id-key) | |||
| | | +--rw id-key? string | | | | +--rw id-key? string | |||
| | +--:(id-null) | | | +--:(id-null) | |||
| | +--rw id-null? empty | | | +--rw id-null? empty | |||
| +--rw auth-protocol? auth-protocol-type | | +--rw auth-protocol? auth-protocol-type | |||
| +--rw peer-authentication | | +--rw peer-authentication | |||
| +--rw auth-method? auth-method-type | | +--rw auth-method? auth-method-type | |||
| +--rw eap-method | | +--rw eap-method | |||
| | +--rw eap-type uint8 | | | +--rw eap-type uint8 | |||
| +--rw pre-shared | | +--rw pre-shared | |||
| | +--rw secret yang:hex-string | | | +--rw secret yang:hex-string | |||
| +--rw digital-signature | | +--rw digital-signature | |||
| +--rw ds-algorithm? uint8 | | +--rw ds-algorithm? uint8 | |||
| +--rw (public-key) | | +--rw (public-key) | |||
| | +--:(raw-public-key) | | | +--:(raw-public-key) | |||
| | | +--rw raw-public-key? binary | | | | +--rw raw-public-key? binary | |||
| | +--:(cert-data) | | | +--:(cert-data) | |||
| | +--rw cert-data? ct:x509 | | | +--rw cert-data? ct:x509 | |||
| +--rw private-key? binary | | +--rw private-key? binary | |||
| +--rw ca-data* ct:x509 | | +--rw ca-data* ct:x509 | |||
| +--rw crl-data? ct:crl | | +--rw crl-data? ct:crl | |||
| +--rw crl-uri? inet:uri | | +--rw crl-uri? inet:uri | |||
| +--rw oscp-uri? inet:uri | | +--rw oscp-uri? inet:uri | |||
+--rw conn-entry* [name] | +--rw conn-entry* [name] | |||
| +--rw name string | | +--rw name string | |||
| +--rw autostartup? autostartup-type | | +--rw autostartup? autostartup-type | |||
| +--rw initial-contact? boolean | | +--rw initial-contact? boolean | |||
| +--rw version? auth-protocol-type | | +--rw version? auth-protocol-type | |||
| +--rw fragmentation? boolean | | +--rw fragmentation? boolean | |||
| +--rw ike-sa-lifetime-soft | | +--rw ike-sa-lifetime-soft | |||
| | +--rw rekey-time? uint32 | | | +--rw rekey-time? uint32 | |||
| | +--rw reauth-time? uint32 | | | +--rw reauth-time? uint32 | |||
| +--rw ike-sa-lifetime-hard | | +--rw ike-sa-lifetime-hard | |||
| | +--rw over-time? uint32 | | | +--rw over-time? uint32 | |||
| +--rw authalg* ic:integrity-algorithm-type | | +--rw authalg* nsfikec:integrity-algorithm-type | |||
| +--rw encalg* [id] | | +--rw encalg* [id] | |||
| | +--rw id uint8 | | | +--rw id uint8 | |||
| | +--rw algorithm-type? ic:encryption-algorithm-type | | | +--rw algorithm-type? nsfikec:encryption-algorithm-type | |||
| | +--rw key-length? uint16 | | | +--rw key-length? uint16 | |||
| +--rw dh-group? pfs-group | | +--rw dh-group? pfs-group | |||
| +--rw half-open-ike-sa-timer? uint32 | | +--rw half-open-ike-sa-timer? uint32 | |||
| +--rw half-open-ike-sa-cookie-threshold? uint32 | | +--rw half-open-ike-sa-cookie-threshold? uint32 | |||
| +--rw local | | +--rw local | |||
| | +--rw local-pad-entry-name string | | | +--rw local-pad-entry-name string | |||
| +--rw remote | | +--rw remote | |||
| | +--rw remote-pad-entry-name string | | | +--rw remote-pad-entry-name string | |||
| +--rw encapsulation-type | | +--rw encapsulation-type | |||
| | +--rw espencap? esp-encap | | | +--rw espencap? esp-encap | |||
| | +--rw sport? inet:port-number | | | +--rw sport? inet:port-number | |||
| | +--rw dport? inet:port-number | | | +--rw dport? inet:port-number | |||
| | +--rw oaddr* inet:ip-address | | | +--rw oaddr* inet:ip-address | |||
| +--rw spd | | +--rw spd | |||
| | +--rw spd-entry* [name] | | | +--rw spd-entry* [name] | |||
| | +--rw name string | | | +--rw name string | |||
| | +--rw ipsec-policy-config | | | +--rw ipsec-policy-config | |||
| | +--rw anti-replay-window? uint64 | | | +--rw anti-replay-window? uint64 | |||
| | +--rw traffic-selector | | | +--rw traffic-selector | |||
| | | +--rw local-subnet inet:ip-prefix | | | | +--rw local-subnet inet:ip-prefix | |||
| | | +--rw remote-subnet inet:ip-prefix | | | | +--rw remote-subnet inet:ip-prefix | |||
| | | +--rw inner-protocol? ipsec-inner-protocol | | | | +--rw inner-protocol? ipsec-inner-protocol | |||
| | | +--rw local-ports* [start end] | | | | +--rw local-ports* [start end] | |||
| | | | +--rw start inet:port-number | | | | | +--rw start inet:port-number | |||
| | | | +--rw end inet:port-number | | | | | +--rw end inet:port-number | |||
| | | +--rw remote-ports* [start end] | | | | +--rw remote-ports* [start end] | |||
| | | +--rw start inet:port-number | | | | +--rw start inet:port-number | |||
| | | +--rw end inet:port-number | | | | +--rw end inet:port-number | |||
| | +--rw processing-info | | | +--rw processing-info | |||
| | | +--rw action? ipsec-spd-action | | | |+--rw action? ipsec-spd-action | |||
| | | +--rw ipsec-sa-cfg | | | |+--rw ipsec-sa-cfg | |||
| | | +--rw pfp-flag? boolean | | | | +--rw pfp-flag? boolean | |||
| | | +--rw ext-seq-num? boolean | | | | +--rw ext-seq-num? boolean | |||
| | | +--rw seq-overflow? boolean | | | | +--rw seq-overflow? boolean | |||
| | | +--rw stateful-frag-check? boolean | | | | +--rw stateful-frag-check? boolean | |||
| | | +--rw mode? ipsec-mode | | | | +--rw mode? ipsec-mode | |||
| | | +--rw protocol-parameters? ipsec-protocol-parameters | | | | +--rw protocol-parameters? ipsec-protocol-parameters | |||
| | | +--rw esp-algorithms | | | | +--rw esp-algorithms | |||
| | | | +--rw integrity* integrity-algorithm-type | | | | | +--rw integrity* integrity-algorithm-type | |||
| | | | +--rw encryption* [id] | | | | | +--rw encryption* [id] | |||
| | | | | +--rw id uint8 | | | | | | +--rw id uint8 | |||
| | | | | +--rw algorithm-type? ic:encryption-algorithm-type | | | | | | +--rw algorithm-type? nsfikec:encryption-algorithm-type | |||
| | | | | +--rw key-length? uint16 | | | | | | +--rw key-length? uint16 | |||
| | | | +--rw tfc-pad? boolean | | | | | +--rw tfc-pad? boolean | |||
| | | +--rw tunnel | | | | +--rw tunnel | |||
| | | +--rw local inet:ip-address | | | | +--rw local inet:ip-address | |||
| | | +--rw remote inet:ip-address | | | | +--rw remote inet:ip-address | |||
| | | +--rw df-bit? enumeration | | | | +--rw df-bit? enumeration | |||
| | | +--rw bypass-dscp? boolean | | | | +--rw bypass-dscp? boolean | |||
| | | +--rw dscp-mapping? yang:hex-string | | | | +--rw dscp-mapping? yang:hex-string | |||
| | | +--rw ecn? boolean | | | | +--rw ecn? boolean | |||
| | +--rw spd-mark | | | +--rw spd-mark | |||
| | +--rw mark? uint32 | | | +--rw mark? uint32 | |||
| | +--rw mask? yang:hex-string | | | +--rw mask? yang:hex-string | |||
| +--rw child-sa-info | | +--rw child-sa-info | |||
| | +--rw pfs-groups* pfs-group | | | +--rw pfs-groups* pfs-group | |||
| | +--rw child-sa-lifetime-soft | | | +--rw child-sa-lifetime-soft | |||
| | | +--rw time? uint32 | | | | +--rw time? uint32 | |||
| | | +--rw bytes? uint32 | | | | +--rw bytes? uint32 | |||
| | | +--rw packets? uint32 | | | | +--rw packets? uint32 | |||
| | | +--rw idle? uint32 | | | | +--rw idle? uint32 | |||
| | | +--rw action? ic:lifetime-action | | | | +--rw action? nsfikec:lifetime-action | |||
| | +--rw child-sa-lifetime-hard | | | +--rw child-sa-lifetime-hard | |||
| | +--rw time? uint32 | | | +--rw time? uint32 | |||
| | +--rw bytes? uint32 | | | +--rw bytes? uint32 | |||
| | +--rw packets? uint32 | | | +--rw packets? uint32 | |||
| | +--rw idle? uint32 | | | +--rw idle? uint32 | |||
| +--ro state | | +--ro state | |||
| +--ro initiator? boolean | | +--ro initiator? boolean | |||
| +--ro initiator-ikesa-spi? ike-spi | | +--ro initiator-ikesa-spi? ike-spi | |||
| +--ro responder-ikesa-spi? ike-spi | | +--ro responder-ikesa-spi? ike-spi | |||
| +--ro nat-local? boolean | | +--ro nat-local? boolean | |||
| +--ro nat-remote? boolean | | +--ro nat-remote? boolean | |||
| +--ro encapsulation-type | | +--ro encapsulation-type | |||
| | +--ro espencap? esp-encap | | | +--ro espencap? esp-encap | |||
| | +--ro sport? inet:port-number | | | +--ro sport? inet:port-number | |||
| | +--ro dport? inet:port-number | | | +--ro dport? inet:port-number | |||
| | +--ro oaddr* inet:ip-address | | | +--ro oaddr* inet:ip-address | |||
| +--ro established? uint64 | | +--ro established? uint64 | |||
| +--ro current-rekey-time? uint64 | | +--ro current-rekey-time? uint64 | |||
| +--ro current-reauth-time? uint64 | | +--ro current-reauth-time? uint64 | |||
+--ro number-ike-sas | +--ro number-ike-sas | |||
+--ro total? uint64 | +--ro total? uint64 | |||
+--ro half-open? uint64 | +--ro half-open? uint64 | |||
+--ro half-open-cookies? uint64 | +--ro half-open-cookies? uint64 | |||
The data model consists of a unique "ipsec-ike" container defined as | The data model consists of a unique "ipsec-ike" container defined as | |||
follows. Firstly, it contains a "pad" container that serves to | follows. Firstly, it contains a "pad" container that serves to | |||
configure the Peer Authentication Database with authentication | configure the Peer Authentication Database with authentication | |||
information about local and remote peers. More precisely, it | information about local and remote peers. More precisely, it | |||
consists of a list of entries, each one indicating the identity, | consists of a list of entries, each one indicating the identity, | |||
authentication method and credentials that a particular peer will | authentication method and credentials that a particular peer will | |||
use. | use. | |||
Next, we find a list "conn-entry" with information about the | Next, we find a list "conn-entry" with information about the | |||
skipping to change at page 17, line 42 ¶ | skipping to change at page 17, line 42 ¶ | |||
The definition of the SAD model has been mainly extracted from the | The definition of the SAD model has been mainly extracted from the | |||
specification in section 4.4.2 in [RFC4301] though with some changes, | specification in section 4.4.2 in [RFC4301] though with some changes, | |||
namely: | namely: | |||
o Each IPsec SA (sad-entry) contains one traffic selector, instead | o Each IPsec SA (sad-entry) contains one traffic selector, instead | |||
of a list of them. The reason is that we have observed actual | of a list of them. The reason is that we have observed actual | |||
kernel implementations only admit a single traffic selector per | kernel implementations only admit a single traffic selector per | |||
IPsec SA. | IPsec SA. | |||
o Each IPsec SA contains an identifier (reqid) to relate the policy | o Each IPsec SA contains an identifier (reqid) to relate the IPsec SA | |||
with the IPsec Policy. The reason is that we have observed real | with the IPsec Policy. The reason is that we have observed real | |||
kernel implementations allow this value to be included. | kernel implementations allow this value to be included. | |||
o Each IPsec SA has also a name in the same way as IPsec policies. | o Each IPsec SA has also a name in the same way as IPsec policies. | |||
o The combined algorithm has been removed because the encryption | o The combined algorithm has been removed because the encryption | |||
algorithm MAY include authenticated encryption with associated data (AEAD). | algorithm MAY include authenticated encryption with associated data (AEAD). | |||
o Tunnel information has been extended with information about | o Tunnel information has been extended with information about | |||
Differentiated Services Code Point (DSCP) mapping and Explicit | Differentiated Services Code Point (DSCP) mapping and Explicit | |||
skipping to change at page 18, line 26 ¶ | skipping to change at page 18, line 26 ¶ | |||
The notifications model has been defined using the PF_KEYv2 standard | The notifications model has been defined using the PF_KEYv2 standard | |||
in [RFC2367] as a reference. | in [RFC2367] as a reference. | |||
The data model for the IKE-less case is defined by YANG model "ietf- | The data model for the IKE-less case is defined by YANG model "ietf- | |||
i2nsf-ikeless". Its structure is depicted in the following diagram, | i2nsf-ikeless". Its structure is depicted in the following diagram, | |||
using the notation syntax for YANG tree diagrams ([RFC8340]). | using the notation syntax for YANG tree diagrams ([RFC8340]). | |||
module: ietf-i2nsf-ikeless | module: ietf-i2nsf-ikeless | |||
+--rw ipsec-ikeless | +--rw ipsec-ikeless | |||
+--rw spd | +--rw spd | |||
| +--rw spd-entry* [name] | | +--rw spd-entry* [name] | |||
| +--rw name string | | +--rw name string | |||
| +--rw direction ic:ipsec-traffic-direction | | +--rw direction nsfikec:ipsec-traffic-direction | |||
| +--rw reqid? uint64 | | +--rw reqid? uint64 | |||
| +--rw ipsec-policy-config | | +--rw ipsec-policy-config | |||
| +--rw anti-replay-window? uint64 | | +--rw anti-replay-window? uint64 | |||
| +--rw traffic-selector | | +--rw traffic-selector | |||
| | +--rw local-subnet inet:ip-prefix | | | +--rw local-subnet inet:ip-prefix | |||
| | +--rw remote-subnet inet:ip-prefix | | | +--rw remote-subnet inet:ip-prefix | |||
| | +--rw inner-protocol? ipsec-inner-protocol | | | +--rw inner-protocol? ipsec-inner-protocol | |||
| | +--rw local-ports* [start end] | | | +--rw local-ports* [start end] | |||
| | | +--rw start inet:port-number | | | | +--rw start inet:port-number | |||
| | | +--rw end inet:port-number | | | | +--rw end inet:port-number | |||
| | +--rw remote-ports* [start end] | | | +--rw remote-ports* [start end] | |||
| | +--rw start inet:port-number | | | +--rw start inet:port-number | |||
| | +--rw end inet:port-number | | | +--rw end inet:port-number | |||
| +--rw processing-info | | +--rw processing-info | |||
| | +--rw action? ipsec-spd-action | | | +--rw action? ipsec-spd-action | |||
| | +--rw ipsec-sa-cfg | | | +--rw ipsec-sa-cfg | |||
| | +--rw pfp-flag? boolean | | | +--rw pfp-flag? boolean | |||
| | +--rw ext-seq-num? boolean | | | +--rw ext-seq-num? boolean | |||
| | +--rw seq-overflow? boolean | | | +--rw seq-overflow? boolean | |||
| | +--rw stateful-frag-check? boolean | | | +--rw stateful-frag-check? boolean | |||
| | +--rw mode? ipsec-mode | | | +--rw mode? ipsec-mode | |||
| | +--rw protocol-parameters? ipsec-protocol-parameters | | | +--rw protocol-parameters? ipsec-protocol-parameters | |||
| | +--rw esp-algorithms | | | +--rw esp-algorithms | |||
| | | +--rw integrity* integrity-algorithm-type | | | | +--rw integrity* integrity-algorithm-type | |||
| | | +--rw encryption* [id] | | | | +--rw encryption* [id] | |||
| | | | +--rw id uint8 | | | | |+--rw id uint8 | |||
| | | | +--rw algorithm-type?ic:encryption-algorithm-type | | | | |+--rw algorithm-type? nsfikec:encryption-algorithm-type | |||
| | | | +--rw key-length? uint16 | | | | |+--rw key-length? uint16 | |||
| | | +--rw tfc-pad? boolean | | | | +--rw tfc-pad? boolean | |||
| | +--rw tunnel | | | +--rw tunnel | |||
| | +--rw local inet:ip-address | | | +--rw local inet:ip-address | |||
| | +--rw remote inet:ip-address | | | +--rw remote inet:ip-address | |||
| | +--rw df-bit? enumeration | | | +--rw df-bit? enumeration | |||
| | +--rw bypass-dscp? boolean | | | +--rw bypass-dscp? boolean | |||
| | +--rw dscp-mapping? yang:hex-string | | | +--rw dscp-mapping? yang:hex-string | |||
| | +--rw ecn? boolean | | | +--rw ecn? boolean | |||
| +--rw spd-mark | | +--rw spd-mark | |||
| +--rw mark? uint32 | | +--rw mark? uint32 | |||
| +--rw mask? yang:hex-string | | +--rw mask? yang:hex-string | |||
+--rw sad | +--rw sad | |||
+--rw sad-entry* [name] | +--rw sad-entry* [name] | |||
+--rw name string | +--rw name string | |||
+--rw reqid? uint64 | +--rw reqid? uint64 | |||
+--rw ipsec-sa-config | +--rw ipsec-sa-config | |||
| +--rw spi uint32 | | +--rw spi uint32 | |||
| +--rw ext-seq-num? boolean | | +--rw ext-seq-num? boolean | |||
| +--rw seq-number-counter? uint64 | | +--rw seq-number-counter? uint64 | |||
| +--rw seq-overflow? boolean | | +--rw seq-overflow? boolean | |||
| +--rw anti-replay-window? uint32 | | +--rw anti-replay-window? uint32 | |||
| +--rw traffic-selector | | +--rw traffic-selector | |||
| | +--rw local-subnet inet:ip-prefix | | | +--rw local-subnet inet:ip-prefix | |||
| | +--rw remote-subnet inet:ip-prefix | | | +--rw remote-subnet inet:ip-prefix | |||
| | +--rw inner-protocol? ipsec-inner-protocol | | | +--rw inner-protocol? ipsec-inner-protocol | |||
| | +--rw local-ports* [start end] | | | +--rw local-ports* [start end] | |||
| | | +--rw start inet:port-number | | | | +--rw start inet:port-number | |||
| | | +--rw end inet:port-number | | | | +--rw end inet:port-number | |||
| | +--rw remote-ports* [start end] | | | +--rw remote-ports* [start end] | |||
| | +--rw start inet:port-number | | | +--rw start inet:port-number | |||
| | +--rw end inet:port-number | | | +--rw end inet:port-number | |||
| +--rw protocol-parameters? ic:ipsec-protocol-parameters | | +--rw protocol-parameters? nsfikec:ipsec-protocol-parameters | |||
| +--rw mode? ic:ipsec-mode | | +--rw mode? nsfikec:ipsec-mode | |||
| +--rw esp-sa | | +--rw esp-sa | |||
| | +--rw encryption | | | +--rw encryption | |||
| | | +--rw encryption-algorithm? ic:encryption-algorithm-type | | | |+--rw encryption-algorithm? nsfikec:encryption-algorithm-type | |||
| | | +--rw key? yang:hex-string | | | |+--rw key? yang:hex-string | |||
| | | +--rw iv? yang:hex-string | | | |+--rw iv? yang:hex-string | |||
| | +--rw integrity | | | +--rw integrity | |||
| | +--rw integrity-algorithm? ic:integrity-algorithm-type | | | +--rw integrity-algorithm? nsfikec:integrity-algorithm-type | |||
| | +--rw key? yang:hex-string | | | +--rw key? yang:hex-string | |||
| +--rw sa-lifetime-hard | | +--rw sa-lifetime-hard | |||
| | +--rw time? uint32 | | | +--rw time? uint32 | |||
| | +--rw bytes? uint32 | | | +--rw bytes? uint32 | |||
| | +--rw packets? uint32 | | | +--rw packets? uint32 | |||
| | +--rw idle? uint32 | | | +--rw idle? uint32 | |||
| +--rw sa-lifetime-soft | | +--rw sa-lifetime-soft | |||
| | +--rw time? uint32 | | | +--rw time? uint32 | |||
| | +--rw bytes? uint32 | | | +--rw bytes? uint32 | |||
| | +--rw packets? uint32 | | | +--rw packets? uint32 | |||
| | +--rw idle? uint32 | | | +--rw idle? uint32 | |||
| | +--rw action? ic:lifetime-action | | | +--rw action? nsfikec:lifetime-action | |||
| +--rw tunnel | | +--rw tunnel | |||
| | +--rw local inet:ip-address | | | +--rw local inet:ip-address | |||
| | +--rw remote inet:ip-address | | | +--rw remote inet:ip-address | |||
| | +--rw df-bit? enumeration | | | +--rw df-bit? enumeration | |||
| | +--rw bypass-dscp? boolean | | | +--rw bypass-dscp? boolean | |||
| | +--rw dscp-mapping? yang:hex-string | | | +--rw dscp-mapping? yang:hex-string | |||
| | +--rw ecn? boolean | | | +--rw ecn? boolean | |||
| +--rw encapsulation-type | | +--rw encapsulation-type | |||
| +--rw espencap? esp-encap | | +--rw espencap? esp-encap | |||
| +--rw sport? inet:port-number | | +--rw sport? inet:port-number | |||
| +--rw dport? inet:port-number | | +--rw dport? inet:port-number | |||
| +--rw oaddr* inet:ip-address | | +--rw oaddr* inet:ip-address | |||
+--ro ipsec-sa-state | +--ro ipsec-sa-state | |||
+--ro sa-lifetime-current | +--ro sa-lifetime-current | |||
| +--ro time? uint32 | | +--ro time? uint32 | |||
| +--ro bytes? uint32 | | +--ro bytes? uint32 | |||
| +--ro packets? uint32 | | +--ro packets? uint32 | |||
| +--ro idle? uint32 | | +--ro idle? uint32 | |||
+--ro replay-stats | +--ro replay-stats | |||
+--ro replay-window? uint64 | +--ro replay-window? uint64 | |||
+--ro packet-dropped? uint64 | +--ro packet-dropped? uint64 | |||
+--ro failed? uint32 | +--ro failed? uint32 | |||
+--ro seq-number-counter? uint64 | +--ro seq-number-counter? uint64 | |||
notifications: | notifications: | |||
+---n sadb-acquire | +---n sadb-acquire {ikeless-notification}? | |||
| +--ro ipsec-policy-name string | | +--ro ipsec-policy-name string | |||
| +--ro traffic-selector | | +--ro traffic-selector | |||
| +--ro local-subnet inet:ip-prefix | | +--ro local-subnet inet:ip-prefix | |||
| +--ro remote-subnet inet:ip-prefix | | +--ro remote-subnet inet:ip-prefix | |||
| +--ro inner-protocol? ipsec-inner-protocol | | +--ro inner-protocol? ipsec-inner-protocol | |||
| +--ro local-ports* [start end] | | +--ro local-ports* [start end] | |||
| | +--ro start inet:port-number | | | +--ro start inet:port-number | |||
| | +--ro end inet:port-number | | | +--ro end inet:port-number | |||
| +--ro remote-ports* [start end] | | +--ro remote-ports* [start end] | |||
| +--ro start inet:port-number | | +--ro start inet:port-number | |||
| +--ro end inet:port-number | | +--ro end inet:port-number | |||
+---n sadb-expire | +---n sadb-expire {ikeless-notification}? | |||
| +--ro ipsec-sa-name string | | +--ro ipsec-sa-name string | |||
| +--ro soft-lifetime-expire? boolean | | +--ro soft-lifetime-expire? boolean | |||
| +--ro lifetime-current | | +--ro lifetime-current | |||
| +--ro time? uint32 | | +--ro time? uint32 | |||
| +--ro bytes? uint32 | | +--ro bytes? uint32 | |||
| +--ro packets? uint32 | | +--ro packets? uint32 | |||
| +--ro idle? uint32 | | +--ro idle? uint32 | |||
+---n sadb-seq-overflow | +---n sadb-seq-overflow {ikeless-notification}? | |||
| +--ro ipsec-sa-name string | | +--ro ipsec-sa-name string | |||
+---n sadb-bad-spi | +---n sadb-bad-spi {ikeless-notification}? | |||
+--ro spi uint32 | +--ro spi uint32 | |||
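The IKE-less model above, worked through as an added example that is not part of the draft: the I2NSF Controller builds the ietf-i2nsf-ikeless configuration for each host of a host-to-host pair (SPD entries carrying the direction and reqid leaves that only the IKE-less case needs, SAD entries carrying the controller-generated SPI, keys and lifetimes) and cross-checks that the two configurations are consistent with each other. Enumeration literals, algorithm identifiers, addresses, SPIs and keys are assumptions or constructed sample values, not taken from the page.

```python
"""Controller-side ietf-i2nsf-ikeless configuration for the host-to-host
IKE-less case: build one configuration per host, then cross-check the pair.
Added example for this page, not code from the draft or its authors. Assumed,
not taken from the page: enumeration literals follow the ietf-i2nsf-ikec
typedefs; algorithm ids are IANA IKEv2 transform ids; all values are samples."""
import secrets
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless"  # namespace from the IANA section
NSMAP = {"i": NS}
ET.register_namespace("", NS)
ENCR_AES_CBC, AUTH_HMAC_SHA2_256_128 = 12, 12  # IKEv2 transform type 1 / type 3 ids

def _node(parent, tag):
    return ET.SubElement(parent, f"{{{NS}}}{tag}")

def _leaf(parent, tag, value):
    _node(parent, tag).text = str(value)

def _traffic_selector(parent, local, remote):
    ts = _node(parent, "traffic-selector")
    _leaf(ts, "local-subnet", local)
    _leaf(ts, "remote-subnet", remote)

def new_sa_material():
    """Fresh SPI and keys for one direction; SPIs 0-255 are reserved (RFC 4303)."""
    return {"spi": 256 + secrets.randbelow(2**32 - 256),
            "enc_key": secrets.token_hex(16),   # AES-128 key
            "int_key": secrets.token_hex(32)}   # HMAC-SHA2-256 key

def build_ikeless_config(local, remote, out_sa, in_sa, reqid=1,
                         soft_time=3000, hard_time=3600):
    """XML pushed to host `local`: per direction, one SPD entry plus the SAD
    entry it is linked to through the shared reqid. `out_sa` protects
    local->remote traffic, `in_sa` protects remote->local traffic."""
    root = ET.Element(f"{{{NS}}}ipsec-ikeless")
    spd, sad = _node(root, "spd"), _node(root, "sad")
    for direction, sa in (("outbound", out_sa), ("inbound", in_sa)):
        pol = _node(spd, "spd-entry")
        _leaf(pol, "name", f"{direction}-policy")
        _leaf(pol, "direction", direction)  # IKE-less only: no IKE to derive it
        _leaf(pol, "reqid", reqid)          # IKE-less only: ties policy to its SAs
        cfg = _node(pol, "ipsec-policy-config")
        _traffic_selector(cfg, f"{local}/32", f"{remote}/32")
        proc = _node(cfg, "processing-info")
        _leaf(proc, "action", "protect")
        _leaf(_node(proc, "ipsec-sa-cfg"), "mode", "transport")
        entry = _node(sad, "sad-entry")
        _leaf(entry, "name", f"{direction}-sa")
        _leaf(entry, "reqid", reqid)
        sac = _node(entry, "ipsec-sa-config")
        _leaf(sac, "spi", sa["spi"])
        _traffic_selector(sac, f"{local}/32", f"{remote}/32")
        esp = _node(sac, "esp-sa")
        enc = _node(esp, "encryption")
        _leaf(enc, "encryption-algorithm", ENCR_AES_CBC)
        _leaf(enc, "key", sa["enc_key"])  # controller-generated: the NSF never derives keys
        integ = _node(esp, "integrity")
        _leaf(integ, "integrity-algorithm", AUTH_HMAC_SHA2_256_128)
        _leaf(integ, "key", sa["int_key"])
        _leaf(_node(sac, "sa-lifetime-hard"), "time", hard_time)
        _leaf(_node(sac, "sa-lifetime-soft"), "time", soft_time)  # -> sadb-expire (soft)
    return ET.tostring(root, encoding="unicode")

def _sad_entries(root):
    out = {}
    for e in root.iterfind("i:sad/i:sad-entry", NSMAP):
        c = e.find("i:ipsec-sa-config", NSMAP)
        out[e.findtext("i:name", namespaces=NSMAP)] = {
            "reqid": e.findtext("i:reqid", namespaces=NSMAP),
            "spi": c.findtext("i:spi", namespaces=NSMAP),
            "enc_key": c.findtext("i:esp-sa/i:encryption/i:key", namespaces=NSMAP),
            "int_key": c.findtext("i:esp-sa/i:integrity/i:key", namespaces=NSMAP),
            "soft": int(c.findtext("i:sa-lifetime-soft/i:time", namespaces=NSMAP)),
            "hard": int(c.findtext("i:sa-lifetime-hard/i:time", namespaces=NSMAP))}
    return out

def cross_check(cfg_a, cfg_b):
    """Problems in a pair of host configurations (empty list = consistent):
    each SPD entry resolves to an SA via reqid, the two directions use distinct
    SPIs, soft lifetime precedes hard, and A's outbound SA is exactly B's inbound."""
    problems, sas = [], {}
    for label, cfg in (("A", cfg_a), ("B", cfg_b)):
        root = ET.fromstring(cfg)
        sas[label] = _sad_entries(root)
        reqids = {v["reqid"] for v in sas[label].values()}
        for pol in root.iterfind("i:spd/i:spd-entry", NSMAP):
            if pol.findtext("i:reqid", namespaces=NSMAP) not in reqids:
                problems.append(f"{label}: SPD entry whose reqid matches no SA")
        if sas[label]["outbound-sa"]["spi"] == sas[label]["inbound-sa"]["spi"]:
            problems.append(f"{label}: both directions use the same SPI")
        for name, sa in sas[label].items():
            if sa["soft"] >= sa["hard"]:
                problems.append(f"{label}: {name} soft lifetime not before hard")
    for x, y in (("outbound-sa", "inbound-sa"), ("inbound-sa", "outbound-sa")):
        for field in ("spi", "enc_key", "int_key"):
            if sas["A"][x][field] != sas["B"][y][field]:
                problems.append(f"A {x} and B {y} disagree on {field}")
    return problems
```

The mirrored check matters because in the IKE-less case no protocol between the NSFs can repair a mismatch: an SA whose SPI or keys differ from the peer's simply drops traffic until the controller reconfigures it.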
The data model consists of a unique "ipsec-ikeless" container which, | The data model consists of a unique "ipsec-ikeless" container which, | |||
in turn, comprises two additional containers: "spd" and "sad". | in turn, comprises two additional containers: "spd" and "sad". | |||
The "spd" container consists of a list of entries that make up the | The "spd" container consists of a list of entries that make up the | |||
Security Policy Database. Compared to the IKE case data model, this | Security Policy Database. Compared to the IKE case data model, this | |||
part specifies a few additional parameters necessary due to the | part specifies a few additional parameters necessary due to the | |||
absence of IKE software in the NSF: the traffic direction to which the | absence of IKE software in the NSF: the traffic direction to which the | |||
IPsec policy applies, and a value to link an IPsec policy with its associated | IPsec policy applies, and a value to link an IPsec policy with its associated | |||
IPsec SAs. The "sad" container is a list of entries that make up the | IPsec SAs. The "sad" container is a list of entries that make up the | |||
skipping to change at page 22, line 23 ¶ | skipping to change at page 22, line 23 ¶ | |||
URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless | URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless | |||
Registrant Contact: The IESG. | Registrant Contact: The IESG. | |||
XML: N/A, the requested URI is an XML namespace. | XML: N/A, the requested URI is an XML namespace. | |||
This document registers three YANG modules in the "YANG Module Names" | This document registers three YANG modules in the "YANG Module Names" | |||
registry [RFC6020]. Following the format in [RFC6020], the following | registry [RFC6020]. Following the format in [RFC6020], the following | |||
registrations are requested: | registrations are requested: | |||
Name: ietf-i2nsf-ikec | Name: ietf-i2nsf-ikec | |||
Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikec | Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikec | |||
Prefix: ic | Prefix: nsfikec | |||
Reference: RFC XXXX | Reference: RFC XXXX | |||
Name: ietf-i2nsf-ike | Name: ietf-i2nsf-ike | |||
Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ike | Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ike | |||
Prefix: ike | Prefix: nsfike | |||
Reference: RFC XXXX | Reference: RFC XXXX | |||
Name: ietf-i2nsf-ikeless | Name: ietf-i2nsf-ikeless | |||
Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless | Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless | |||
Prefix: ikeless | Prefix: nsfikels | |||
Reference: RFC XXXX | Reference: RFC XXXX | |||
8. Security Considerations | 8. Security Considerations | |||
First of all, this document shares all the security issues of SDN | First of all, this document shares all the security issues of SDN | |||
that are specified in the "Security Considerations" section of | that are specified in the "Security Considerations" section of | |||
[ITU-T.Y.3300] and [RFC7426]. | [ITU-T.Y.3300] and [RFC7426]. | |||
On the one hand, it is important to note that there MUST exist a | On the one hand, it is important to note that there MUST exist a | |||
security association between the I2NSF Controller and the NSFs to | security association between the I2NSF Controller and the NSFs to | |||
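Review bot: the prefixes registered here (`nsfikec`, `nsfike`, `nsfikels`) now match the `prefix` statements of the three modules in the appendices; the previous revision registered `ike` for ietf-i2nsf-ike while that module already declared `prefix "nsfike"`, so this removes an actual inconsistency between the IANA section and the code. Worth keeping the two in lockstep in any later rename, since tools resolve imports by module name but readers and examples use the registered prefix.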
skipping to change at page 24, line 30 ¶ | skipping to change at page 24, line 30 ¶ | |||
any other entity (including the I2NSF Controller itself) once they | any other entity (including the I2NSF Controller itself) once they | |||
have been applied (i.e. write only operations) into the NSFs. | have been applied (i.e. write only operations) into the NSFs. | |||
Nevertheless, if the attacker has access to the I2NSF Controller | Nevertheless, if the attacker has access to the I2NSF Controller | |||
during the period of time that key material is generated, it may | during the period of time that key material is generated, it may | |||
obtain these values. In other words, the attacker might be able to | obtain these values. In other words, the attacker might be able to | |||
observe the IPsec traffic and decrypt, or even modify and re-encrypt, | observe the IPsec traffic and decrypt, or even modify and re-encrypt, | |||
the traffic between peers. | the traffic between peers. | |||
8.3. YANG modules | 8.3. YANG modules | |||
The YANG modules specified in this document defines a schema for data | The YANG modules specified in this document define a schema for data | |||
that is designed to be accessed via network management protocols such | that is designed to be accessed via network management protocols such | |||
as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer | as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer | |||
is the secure transport layer, and the mandatory-to-implement secure | is the secure transport layer, and the mandatory-to-implement secure | |||
transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer | transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer | |||
is HTTPS, and the mandatory-to-implement secure transport is TLS | is HTTPS, and the mandatory-to-implement secure transport is TLS | |||
[RFC8446]. | [RFC8446]. | |||
The Network Configuration Access Control Model (NACM) [RFC8341] | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
provides the means to restrict access for particular NETCONF or | provides the means to restrict access for particular NETCONF or | |||
RESTCONF users to a preconfigured subset of all available NETCONF or | RESTCONF users to a preconfigured subset of all available NETCONF or | |||
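Review bot: the paragraph on key material names the exposure window (an attacker with access to the I2NSF Controller while IPsec SA keys are generated) but proposes no mitigation for it. Suggest stating that the Controller SHOULD NOT retain IPsec SA key material once it has been delivered to the NSFs, so that the window is limited to generation and delivery rather than the whole SA lifetime; the preceding sentence already makes the point that the NSFs never return keys ("write only operations", better hyphenated as "write-only operations"), and the same discipline on the Controller side closes the remaining gap. The "defines" to "define" correction in the YANG modules paragraph is right, the subject is plural.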
skipping to change at page 25, line 42 ¶ | skipping to change at page 25, line 42 ¶ | |||
/ipsec-ike/pad: This container includes sensitive information | /ipsec-ike/pad: This container includes sensitive information | |||
to read operations. This information should never be returned | to read operations. This information should never be returned | |||
to a client. For example, cryptographic material configured in | to a client. For example, cryptographic material configured in | |||
the NSFs: peer-authentication/pre-shared/secret and peer- | the NSFs: peer-authentication/pre-shared/secret and peer- | |||
authentication/digital-signature/private-key are already | authentication/digital-signature/private-key are already | |||
protected by the NACM extension "default-deny-all" in this | protected by the NACM extension "default-deny-all" in this | |||
document. | document. | |||
For the IKE-less case (ietf-i2nsf-ikeless): | For the IKE-less case (ietf-i2nsf-ikeless): | |||
/ipsec-ikeless/sad/ipsec-sa-config/esp-sa: This container | /ipsec-ikeless/sad/sad-entry/ipsec-sa-config/esp-sa: This | |||
includes symmetric keys for the IPsec SAs. For example, | container includes symmetric keys for the IPsec SAs. For | |||
encryption/key contains a ESP encryption key value and | example, encryption/key contains a ESP encryption key value and | |||
encryption/iv contains a initialization vector value. | encryption/iv contains a initialization vector value. | |||
Similarly, integrity/key has ESP integrity key value. Those | Similarly, integrity/key has ESP integrity key value. Those | |||
values must not be read by anyone and are protected by the NACM | values must not be read by anyone and are protected by the NACM | |||
extension "default-deny-all" in this document. | extension "default-deny-all" in this document. | |||
9. Acknowledgements | 9. Acknowledgements | |||
Authors want to thank Paul Wouters, Valery Smyslov, Sowmini Varadhan, | Authors want to thank Paul Wouters, Valery Smyslov, Sowmini Varadhan, | |||
David Carrel, Yoav Nir, Tero Kivinen, Martin Bjorklund, Graham | David Carrel, Yoav Nir, Tero Kivinen, Martin Bjorklund, Graham | |||
Bartlett, Sandeep Kampati, Linda Dunbar, Mohit Sethi, Martin | Bartlett, Sandeep Kampati, Linda Dunbar, Mohit Sethi, Martin | |||
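Review bot: the corrected path `/ipsec-ikeless/sad/sad-entry/ipsec-sa-config/esp-sa` now includes the `sad-entry` list node and therefore matches the module; the old path pointed at a node that does not exist. Two remaining points in this paragraph. First, "Those values must not be read by anyone" is stronger than what the `default-deny-all` extension provides: per RFC 8341 that extension denies access only when NACM is enabled, and an explicit NACM rule or the recovery session can still grant read access, so phrase it as "MUST NOT be returned to a client unless an explicit NACM rule grants access" or similar. Second, the articles should be "an ESP encryption key value" and "an initialization vector value".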
skipping to change at page 31, line 15 ¶ | skipping to change at page 31, line 15 ¶ | |||
Appendix A. Common YANG model for IKE and IKE-less cases | Appendix A. Common YANG model for IKE and IKE-less cases | |||
This Appendix is Normative. | This Appendix is Normative. | |||
This YANG module has normative references to [RFC3947], [RFC4301], | This YANG module has normative references to [RFC3947], [RFC4301], | |||
[RFC4303], [RFC8174], [RFC8221] and [IKEv2-Parameters]. | [RFC4303], [RFC8174], [RFC8221] and [IKEv2-Parameters]. | |||
This YANG module has informative references to [RFC3948] and | This YANG module has informative references to [RFC3948] and | |||
[RFC8229]. | [RFC8229]. | |||
<CODE BEGINS> file "ietf-i2nsf-ikec@2020-10-12.yang" | <CODE BEGINS> file "ietf-i2nsf-ikec@2020-10-21.yang" | |||
module ietf-i2nsf-ikec { | module ietf-i2nsf-ikec { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikec"; | namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikec"; | |||
prefix "ic"; | prefix "nsfikec"; | |||
import ietf-inet-types { | import ietf-inet-types { | |||
prefix inet; | prefix inet; | |||
reference "RFC 6991: Common YANG Data Types"; | reference "RFC 6991: Common YANG Data Types"; | |||
} | } | |||
import ietf-yang-types { | import ietf-yang-types { | |||
prefix yang; | prefix yang; | |||
reference "RFC 6991: Common YANG Data Types"; | reference "RFC 6991: Common YANG Data Types"; | |||
} | } | |||
skipping to change at page 32, line 24 ¶ | skipping to change at page 32, line 24 ¶ | |||
This version of this YANG module is part of RFC XXXX;; | This version of this YANG module is part of RFC XXXX;; | |||
see the RFC itself for full legal notices. | see the RFC itself for full legal notices. | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | |||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | |||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this | 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this | |||
document are to be interpreted as described in BCP 14 | document are to be interpreted as described in BCP 14 | |||
(RFC 2119) (RFC 8174) when, and only when, they appear | (RFC 2119) (RFC 8174) when, and only when, they appear | |||
in all capitals, as shown here."; | in all capitals, as shown here."; | |||
revision "2020-10-12" { | revision "2020-10-21" { | |||
description "Initial version."; | description "Initial version."; | |||
reference "RFC XXXX: Software-Defined Networking | reference "RFC XXXX: Software-Defined Networking | |||
(SDN)-based IPsec Flow Protection."; | (SDN)-based IPsec Flow Protection."; | |||
} | } | |||
typedef encryption-algorithm-type { | typedef encryption-algorithm-type { | |||
type uint16; | type uint16; | |||
description | description | |||
"The encryption algorithm is specified with a 16-bit | "The encryption algorithm is specified with a 16-bit | |||
number extracted from IANA Registry. The acceptable | number extracted from IANA Registry. The acceptable | |||
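Review bot: the module description text reads "part of RFC XXXX;;" with a doubled semicolon; the ietf-i2nsf-ike module in Appendix B uses a single one, so align this (and the identical line in Appendix C). In the `encryption-algorithm-type` description, "extracted from IANA Registry" should name the registry, which is the IKEv2 "Transform Type 1 - Encryption Algorithm Transform IDs" registry under [IKEv2-Parameters], so implementers map the uint16 to the right table.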
skipping to change at page 44, line 17 ¶ | skipping to change at page 44, line 17 ¶ | |||
key id; | key id; | |||
ordered-by user; | ordered-by user; | |||
leaf id { | leaf id { | |||
type uint8; | type uint8; | |||
description | description | |||
"The index of list with the | "The index of list with the | |||
different encryption algorithms and | different encryption algorithms and | |||
its key-length (if required)."; | its key-length (if required)."; | |||
} | } | |||
leaf algorithm-type { | leaf algorithm-type { | |||
type ic:encryption-algorithm-type; | type nsfikec:encryption-algorithm-type; | |||
default 20; | default 20; | |||
description | description | |||
"Default value 20 | "Default value 20 (ENCR_AES_GCM_16)"; | |||
(ENCR_AES_GCM_16)"; | ||||
} | } | |||
leaf key-length { | leaf key-length { | |||
type uint16; | type uint16; | |||
default 128; | default 128; | |||
description | description | |||
"By default key length is 128 | "By default key length is 128 | |||
bits"; | bits"; | |||
} | } | |||
description | description | |||
"Encryption or AEAD algorithm for the | "Encryption or AEAD algorithm for the | |||
skipping to change at page 46, line 16 ¶ | skipping to change at page 46, line 16 ¶ | |||
This Appendix is Normative. | This Appendix is Normative. | |||
This YANG module has normative references to [RFC2247], [RFC5280], | This YANG module has normative references to [RFC2247], [RFC5280], | |||
[RFC4301], [RFC5280], [RFC5915], [RFC6991], [RFC7296], [RFC7383], | [RFC4301], [RFC5280], [RFC5915], [RFC6991], [RFC7296], [RFC7383], | |||
[RFC7427], [RFC7619], [RFC8017], [RFC8174], [RFC8341], [ITU-T.X.690], | [RFC7427], [RFC7619], [RFC8017], [RFC8174], [RFC8341], [ITU-T.X.690], | |||
[I-D.draft-ietf-netconf-crypto-types] and [IKEv2-Parameters]. | [I-D.draft-ietf-netconf-crypto-types] and [IKEv2-Parameters]. | |||
This YANG module has informative references to [RFC8229]. | This YANG module has informative references to [RFC8229]. | |||
<CODE BEGINS> file "ietf-i2nsf-ike@2020-10-12.yang" | <CODE BEGINS> file "ietf-i2nsf-ike@2020-10-21.yang" | |||
module ietf-i2nsf-ike { | module ietf-i2nsf-ike { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ike"; | namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ike"; | |||
prefix "nsfike"; | prefix "nsfike"; | |||
import ietf-inet-types { | import ietf-inet-types { | |||
prefix inet; | prefix inet; | |||
reference "RFC 6991: Common YANG Data Types"; | reference "RFC 6991: Common YANG Data Types"; | |||
} | } | |||
skipping to change at page 46, line 40 ¶ | skipping to change at page 46, line 40 ¶ | |||
reference "RFC 6991: Common YANG Data Types"; | reference "RFC 6991: Common YANG Data Types"; | |||
} | } | |||
import ietf-crypto-types { | import ietf-crypto-types { | |||
prefix ct; | prefix ct; | |||
reference "RFC XXXX: YANG Data Types and Groupings | reference "RFC XXXX: YANG Data Types and Groupings | |||
for Cryptography."; | for Cryptography."; | |||
} | } | |||
import ietf-i2nsf-ikec { | import ietf-i2nsf-ikec { | |||
prefix ic; | prefix nsfikec; | |||
reference | reference | |||
"Common Data model for SDN-based IPsec | "Common Data model for SDN-based IPsec | |||
configuration."; | configuration."; | |||
} | } | |||
import ietf-netconf-acm { | import ietf-netconf-acm { | |||
prefix nacm; | prefix nacm; | |||
reference | reference | |||
"RFC 8341: Network Configuration Access Control | "RFC 8341: Network Configuration Access Control | |||
Model."; | Model."; | |||
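Review bot: the normative reference list for this module cites [RFC5280] twice ("[RFC2247], [RFC5280], [RFC4301], [RFC5280], ..."); drop one occurrence. The `prefix nsfikec` on the ietf-i2nsf-ikec import is consistent with the prefix the common module declares for itself and with the IANA section, which is the right convention for a module that is imported by two others.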
skipping to change at page 47, line 49 ¶ | skipping to change at page 47, line 49 ¶ | |||
This version of this YANG module is part of RFC XXXX; see | This version of this YANG module is part of RFC XXXX; see | |||
the RFC itself for full legal notices. | the RFC itself for full legal notices. | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | |||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | |||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this | 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this | |||
document are to be interpreted as described in BCP 14 | document are to be interpreted as described in BCP 14 | |||
(RFC 2119) (RFC 8174) when, and only when, they appear | (RFC 2119) (RFC 8174) when, and only when, they appear | |||
in all capitals, as shown here."; | in all capitals, as shown here."; | |||
revision "2020-10-12" { | revision "2020-10-21" { | |||
description "Initial version."; | description "Initial version."; | |||
reference "RFC XXXX: Software-Defined Networking | reference "RFC XXXX: Software-Defined Networking | |||
(SDN)-based IPsec Flow Protection."; | (SDN)-based IPsec Flow Protection."; | |||
} | } | |||
typedef ike-spi { | typedef ike-spi { | |||
type uint64 { range "0..max"; } | type uint64 { range "0..max"; } | |||
description | description | |||
"Security Parameter Index (SPI)'s IKE SA."; | "Security Parameter Index (SPI)'s IKE SA."; | |||
skipping to change at page 59, line 17 ¶ | skipping to change at page 59, line 17 ¶ | |||
type uint32; | type uint32; | |||
default 0; | default 0; | |||
description | description | |||
"Time in seconds before the IKE SA is | "Time in seconds before the IKE SA is | |||
removed. The value 0 means infinite."; | removed. The value 0 means infinite."; | |||
} | } | |||
reference | reference | |||
"RFC 7296."; | "RFC 7296."; | |||
} | } | |||
leaf-list authalg { | leaf-list authalg { | |||
type ic:integrity-algorithm-type; | type nsfikec:integrity-algorithm-type; | |||
default 12; | default 12; | |||
ordered-by user; | ordered-by user; | |||
description | description | |||
"Authentication algorithm for establishing | "Authentication algorithm for establishing | |||
the IKE SA. This list is ordered following | the IKE SA. This list is ordered following | |||
from the higher priority to lower priority. | from the higher priority to lower priority. | |||
First node of the list will be the algorithm | First node of the list will be the algorithm | |||
with higher priority."; | with higher priority."; | |||
} | } | |||
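Review bot: the `authalg` description reads awkwardly ("This list is ordered following from the higher priority to lower priority. First node of the list will be the algorithm with higher priority."); suggest "The list is ordered from highest to lowest priority; the first node is the preferred algorithm." The default of 12 is AUTH_HMAC_SHA2_256_128 in the IKEv2 Transform Type 3 registry, which is the integrity algorithm RFC 8247 marks as MUST for IKEv2, so the default is a sound choice; spelling that out in the description, as the IPsec SA integrity leaf in Appendix C already does, would help readers who do not have the registry at hand.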
skipping to change at page 59, line 41 ¶ | skipping to change at page 59, line 41 ¶ | |||
ordered-by user; | ordered-by user; | |||
leaf id { | leaf id { | |||
type uint8; | type uint8; | |||
description | description | |||
"The index of the list with the | "The index of the list with the | |||
different encryption algorithms and its | different encryption algorithms and its | |||
key-length (if required). E.g. AES-CBC, | key-length (if required). E.g. AES-CBC, | |||
128 bits"; | 128 bits"; | |||
} | } | |||
leaf algorithm-type { | leaf algorithm-type { | |||
type ic:encryption-algorithm-type; | type nsfikec:encryption-algorithm-type; | |||
default 12; | default 12; | |||
description | description | |||
"Default value 12 (ENCR_AES_CBC)"; | "Default value 12 (ENCR_AES_CBC)"; | |||
} | } | |||
leaf key-length { | leaf key-length { | |||
type uint16; | type uint16; | |||
default 128; | default 128; | |||
description | description | |||
"By default key length is 128 bits"; | "By default key length is 128 bits"; | |||
} | } | |||
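Review bot: the IKE SA encryption default of 12 (ENCR_AES_CBC) with a 128-bit key matches the MUST-level algorithm of RFC 8247 for IKEv2, so the difference from the IPsec SA default of 20 (ENCR_AES_GCM_16) in the common module is justified (RFC 8221 governs ESP and prefers AES-GCM there); a one-line note in the description saying the defaults follow RFC 8247 would prevent reviewers from reading the two different defaults as an oversight. Minor: "its key-length" should be "their key length" since it refers to the algorithms.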
skipping to change at page 61, line 23 ¶ | skipping to change at page 61, line 23 ¶ | |||
the PAD where the authorization | the PAD where the authorization | |||
information about this particular | information about this particular | |||
remote peer is stored. It MUST match a | remote peer is stored. It MUST match a | |||
pad-entry-name."; | pad-entry-name."; | |||
} | } | |||
description | description | |||
"Remote peer authentication information."; | "Remote peer authentication information."; | |||
} | } | |||
container encapsulation-type | container encapsulation-type | |||
{ | { | |||
uses ic:encap; | uses nsfikec:encap; | |||
description | description | |||
"This container carries configuration | "This container carries configuration | |||
information about the source and destination | information about the source and destination | |||
ports of encapsulation that IKE should use | ports of encapsulation that IKE should use | |||
and the type of encapsulation that | and the type of encapsulation that | |||
should use when NAT traversal is required. | should use when NAT traversal is required. | |||
However, this is just a best effort since | However, this is just a best effort since | |||
the IKE implementation may need to use a | the IKE implementation may need to use a | |||
different encapsulation as | different encapsulation as | |||
described in RFC 8229."; | described in RFC 8229."; | |||
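Review bot: the `encapsulation-type` description is missing its subject in "and the type of encapsulation that should use when NAT traversal is required"; it should read "that IKE should use". "this is just a best effort" would be clearer as "this is only a best-effort hint, since the IKE implementation may need to select a different encapsulation as described in RFC 8229", which also makes explicit that the configured value is advisory and the operational `state` container is where the encapsulation actually in use is reported.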
skipping to change at page 62, line 7 ¶ | skipping to change at page 62, line 7 ¶ | |||
leaf name { | leaf name { | |||
type string; | type string; | |||
description | description | |||
"SPD entry unique name to identify | "SPD entry unique name to identify | |||
the IPsec policy."; | the IPsec policy."; | |||
} | } | |||
container ipsec-policy-config { | container ipsec-policy-config { | |||
description | description | |||
"This container carries the | "This container carries the | |||
configuration of a IPsec policy."; | configuration of a IPsec policy."; | |||
uses ic:ipsec-policy-grouping; | uses nsfikec:ipsec-policy-grouping; | |||
} | } | |||
description | description | |||
"List of entries which will constitute | "List of entries which will constitute | |||
the representation of the SPD. Since we | the representation of the SPD. Since we | |||
have IKE in this case, it is only | have IKE in this case, it is only | |||
required to send a IPsec policy from | required to send a IPsec policy from | |||
this NSF where 'local' is this NSF and | this NSF where 'local' is this NSF and | |||
'remote' the other NSF. The IKE | 'remote' the other NSF. The IKE | |||
implementation will install IPsec | implementation will install IPsec | |||
policies in the NSF's kernel in both | policies in the NSF's kernel in both | |||
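Review bot: two article slips in this region: "configuration of a IPsec policy" and "required to send a IPsec policy" should both read "an IPsec policy". The `uses nsfikec:ipsec-policy-grouping` change is consistent with the import prefix rename.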
skipping to change at page 62, line 46 ¶ | skipping to change at page 62, line 46 ¶ | |||
priority to lower priority. First node | priority to lower priority. First node | |||
of the list will be the algorithm | of the list will be the algorithm | |||
with higher priority."; | with higher priority."; | |||
} | } | |||
container child-sa-lifetime-soft { | container child-sa-lifetime-soft { | |||
description | description | |||
"Soft IPsec SA lifetime soft. | "Soft IPsec SA lifetime soft. | |||
After the lifetime the action is | After the lifetime the action is | |||
defined in this container | defined in this container | |||
in the leaf action."; | in the leaf action."; | |||
uses ic:lifetime; | uses nsfikec:lifetime; | |||
leaf action { | leaf action { | |||
type ic:lifetime-action; | type nsfikec:lifetime-action; | |||
default replace; | default replace; | |||
description | description | |||
"When the lifetime of an IPsec SA | "When the lifetime of an IPsec SA | |||
expires an action needs to be | expires an action needs to be | |||
performed over the IPsec SA that | performed over the IPsec SA that | |||
reached the lifetime. There are | reached the lifetime. There are | |||
three possible options: | three possible options: | |||
terminate-clear, terminate-hold and | terminate-clear, terminate-hold and | |||
replace."; | replace."; | |||
reference | reference | |||
"Section 4.5 in RFC 4301 and Section 2.8 | "Section 4.5 in RFC 4301 and Section 2.8 | |||
in RFC 7296."; | in RFC 7296."; | |||
} | } | |||
} | } | |||
container child-sa-lifetime-hard { | container child-sa-lifetime-hard { | |||
description | description | |||
"IPsec SA lifetime hard. The action will | "IPsec SA lifetime hard. The action will | |||
be to terminate the IPsec SA."; | be to terminate the IPsec SA."; | |||
uses ic:lifetime; | uses nsfikec:lifetime; | |||
reference | reference | |||
"Section 2.8 in RFC 7296."; | "Section 2.8 in RFC 7296."; | |||
} | } | |||
description | description | |||
"Specific information for IPsec SAs | "Specific information for IPsec SAs | |||
SAs. It includes PFS group and IPsec SAs | SAs. It includes PFS group and IPsec SAs | |||
rekey lifetimes."; | rekey lifetimes."; | |||
} | } | |||
container state { | container state { | |||
config false; | config false; | |||
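Review bot: two duplicated words in the descriptions here: "Soft IPsec SA lifetime soft." should be "Soft IPsec SA lifetime." and "Specific information for IPsec SAs SAs." should be "Specific information for IPsec SAs." The `child-sa-lifetime-hard` description says the action is always to terminate, which is correct for a hard lifetime, but the soft container's `action` leaf lists terminate-clear, terminate-hold and replace without saying what they mean; a short gloss for each (or a pointer to the `lifetime-action` typedef in the common module, where they are presumably defined) would make the semantics self-contained.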
skipping to change at page 64, line 15 ¶ | skipping to change at page 64, line 15 ¶ | |||
} | } | |||
leaf nat-remote { | leaf nat-remote { | |||
type boolean; | type boolean; | |||
description | description | |||
"True, if remote endpoint is behind | "True, if remote endpoint is behind | |||
a NAT."; | a NAT."; | |||
} | } | |||
container encapsulation-type | container encapsulation-type | |||
{ | { | |||
uses ic:encap; | uses nsfikec:encap; | |||
description | description | |||
"This container provides information | "This container provides information | |||
about the source and destination | about the source and destination | |||
ports of encapsulation that IKE is | ports of encapsulation that IKE is | |||
using, and the type of encapsulation | using, and the type of encapsulation | |||
when NAT traversal is required."; | when NAT traversal is required."; | |||
reference | reference | |||
"RFC 8229."; | "RFC 8229."; | |||
} | } | |||
leaf established { | leaf established { | |||
skipping to change at page 65, line 34 ¶ | skipping to change at page 65, line 34 ¶ | |||
<CODE ENDS> | <CODE ENDS> | |||
Appendix C. YANG model for IKE-less case | Appendix C. YANG model for IKE-less case | |||
This Appendix is Normative. | This Appendix is Normative. | |||
This YANG module has normative references to [RFC4301], [RFC6991], | This YANG module has normative references to [RFC4301], [RFC6991], | |||
[RFC8174] and [RFC8341]. | [RFC8174] and [RFC8341]. | |||
<CODE BEGINS> file "ietf-i2nsf-ikeless@2020-10-12.yang" | <CODE BEGINS> file "ietf-i2nsf-ikeless@2020-10-21.yang" | |||
module ietf-i2nsf-ikeless { | module ietf-i2nsf-ikeless { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless"; | namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless"; | |||
prefix "nsfikels"; | prefix "nsfikels"; | |||
import ietf-yang-types { | import ietf-yang-types { | |||
prefix yang; | prefix yang; | |||
reference "RFC 6991: Common YANG Data Types"; | reference "RFC 6991: Common YANG Data Types"; | |||
} | } | |||
import ietf-i2nsf-ikec { | import ietf-i2nsf-ikec { | |||
prefix ic; | prefix nsfikec; | |||
reference | reference | |||
"Common Data model for SDN-based IPsec | "Common Data model for SDN-based IPsec | |||
configuration."; | configuration."; | |||
} | } | |||
import ietf-netconf-acm { | import ietf-netconf-acm { | |||
prefix nacm; | prefix nacm; | |||
reference | reference | |||
"RFC 8341: Network Configuration Access Control | "RFC 8341: Network Configuration Access Control | |||
Model."; | Model."; | |||
skipping to change at page 67, line 9 ¶ | skipping to change at page 67, line 9 ¶ | |||
This version of this YANG module is part of RFC XXXX;; | This version of this YANG module is part of RFC XXXX;; | |||
see the RFC itself for full legal notices. | see the RFC itself for full legal notices. | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | |||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | |||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this | 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this | |||
document are to be interpreted as described in BCP 14 | document are to be interpreted as described in BCP 14 | |||
(RFC 2119) (RFC 8174) when, and only when, they appear | (RFC 2119) (RFC 8174) when, and only when, they appear | |||
in all capitals, as shown here."; | in all capitals, as shown here."; | |||
revision "2020-10-12" { | revision "2020-10-21" { | |||
description "Initial version."; | description "Initial version."; | |||
reference "RFC XXXX: Software-Defined Networking | reference "RFC XXXX: Software-Defined Networking | |||
(SDN)-based IPsec Flow Protection."; | (SDN)-based IPsec Flow Protection."; | |||
} | } | |||
feature ikeless-notification { | ||||
description | ||||
"To ensure broader applicability of this module, | ||||
the notifications are marked as a feature. | ||||
For the implementation of ikeless case, | ||||
the NSF is expected to implement this | ||||
feature."; | ||||
} | ||||
container ipsec-ikeless { | container ipsec-ikeless { | |||
description | description | |||
"Container for configuration of the IKE-less | "Container for configuration of the IKE-less | |||
case. The container contains two additional | case. The container contains two additional | |||
containers: 'spd' and 'sad'. The first allows the | containers: 'spd' and 'sad'. The first allows the | |||
I2NSF Controller to configure IPsec policies in | I2NSF Controller to configure IPsec policies in | |||
the Security Policy Database SPD, and the second | the Security Policy Database SPD, and the second | |||
allows to configure IPsec Security Associations | allows to configure IPsec Security Associations | |||
(IPsec SAs) in the Security Association Database | (IPsec SAs) in the Security Association Database | |||
(SAD)."; | (SAD)."; | |||
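Review bot: the new `ikeless-notification` feature description says "the NSF is expected to implement this feature"; since this is a Standards Track document, use RFC 2119 language ("an NSF implementing the IKE-less case SHOULD implement this feature" or MUST, whichever is intended), and write "IKE-less case" rather than "ikeless case" for consistency with the rest of the document. The doubled semicolon in "part of RFC XXXX;;" appears here as well. In the `ipsec-ikeless` description, "allows to configure IPsec Security Associations" needs a subject: "allows the I2NSF Controller to configure".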
skipping to change at page 67, line 42 ¶ | skipping to change at page 67, line 51 ¶ | |||
list spd-entry { | list spd-entry { | |||
key "name"; | key "name"; | |||
ordered-by user; | ordered-by user; | |||
leaf name { | leaf name { | |||
type string; | type string; | |||
description | description | |||
"SPD entry unique name to identify this | "SPD entry unique name to identify this | |||
entry."; | entry."; | |||
} | } | |||
leaf direction { | leaf direction { | |||
type ic:ipsec-traffic-direction; | type nsfikec:ipsec-traffic-direction; | |||
mandatory true; | mandatory true; | |||
description | description | |||
"Inbound traffic or outbound | "Inbound traffic or outbound | |||
traffic. In the IKE-less case the | traffic. In the IKE-less case the | |||
I2NSF Controller needs to | I2NSF Controller needs to | |||
specify the policy direction to be | specify the policy direction to be | |||
applied in the NSF. In the IKE case | applied in the NSF. In the IKE case | |||
this direction does not need to be | this direction does not need to be | |||
specified since IKE | specified since IKE | |||
will determine the direction that | will determine the direction that | |||
skipping to change at page 68, line 23 ¶ | skipping to change at page 68, line 32 ¶ | |||
same reqid. It is only required in | same reqid. It is only required in | |||
the IKE-less model since, in the IKE | the IKE-less model since, in the IKE | |||
case this link is handled internally | case this link is handled internally | |||
by IKE."; | by IKE."; | |||
} | } | |||
container ipsec-policy-config { | container ipsec-policy-config { | |||
description | description | |||
"This container carries the | "This container carries the | |||
configuration of a IPsec policy."; | configuration of a IPsec policy."; | |||
uses ic:ipsec-policy-grouping; | uses nsfikec:ipsec-policy-grouping; | |||
} | } | |||
description | description | |||
"The SPD is represented as a list of SPD | "The SPD is represented as a list of SPD | |||
entries, where each SPD entry represents an | entries, where each SPD entry represents an | |||
IPsec policy."; | IPsec policy."; | |||
} /*list spd-entry*/ | } /*list spd-entry*/ | |||
} /*container spd*/ | } /*container spd*/ | |||
container sad { | container sad { | |||
description | description | |||
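Review bot: "configuration of a IPsec policy" should read "an IPsec policy" here too. The `reqid` description correctly explains that the SPD-to-SA link is only needed in the IKE-less model; it would help to add that the Controller is responsible for choosing a reqid that is unique per NSF, since the NSF has no IKE daemon to detect collisions.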
skipping to change at page 70, line 15 ¶ | skipping to change at page 70, line 24 ¶ | |||
type uint32; | type uint32; | |||
default 32; | default 32; | |||
description | description | |||
"A 32-bit counter and a bit-map (or | "A 32-bit counter and a bit-map (or | |||
equivalent) used to determine | equivalent) used to determine | |||
whether an inbound ESP packet is a | whether an inbound ESP packet is a | |||
replay. If set to 0 no anti-replay | replay. If set to 0 no anti-replay | |||
mechanism is performed."; | mechanism is performed."; | |||
} | } | |||
container traffic-selector { | container traffic-selector { | |||
uses ic:selector-grouping; | uses nsfikec:selector-grouping; | |||
description | description | |||
"The IPsec SA traffic selector."; | "The IPsec SA traffic selector."; | |||
} | } | |||
leaf protocol-parameters { | leaf protocol-parameters { | |||
type ic:ipsec-protocol-parameters; | type nsfikec:ipsec-protocol-parameters; | |||
default esp; | default esp; | |||
description | description | |||
"Security protocol of IPsec SA: Only | "Security protocol of IPsec SA: Only | |||
ESP so far."; | ESP so far."; | |||
} | } | |||
leaf mode { | leaf mode { | |||
type ic:ipsec-mode; | type nsfikec:ipsec-mode; | |||
default transport; | default transport; | |||
description | description | |||
"Tunnel or transport mode."; | "Tunnel or transport mode."; | |||
} | } | |||
container esp-sa { | container esp-sa { | |||
when "../protocol-parameters = | when "../protocol-parameters = | |||
'esp'"; | 'esp'"; | |||
description | description | |||
"In case the IPsec SA is | "In case the IPsec SA is | |||
Encapsulation Security Payload | Encapsulation Security Payload | |||
(ESP), it is required to specify | (ESP), it is required to specify | |||
encryption and integrity | encryption and integrity | |||
algorithms, and key material."; | algorithms, and key material."; | |||
container encryption { | container encryption { | |||
description | description | |||
"Configuration of encryption or | "Configuration of encryption or | |||
AEAD algorithm for IPsec | AEAD algorithm for IPsec | |||
Encapsulation Security Payload | Encapsulation Security Payload | |||
(ESP)."; | (ESP)."; | |||
leaf encryption-algorithm { | leaf encryption-algorithm { | |||
type ic:encryption-algorithm-type; | type nsfikec:encryption-algorithm-type; | |||
default 12; | default 12; | |||
description | description | |||
"Configuration of ESP | "Configuration of ESP | |||
encryption. With AEAD | encryption. With AEAD | |||
algorithms, the integrity | algorithms, the integrity | |||
leaf is not used."; | leaf is not used."; | |||
} | } | |||
leaf key { | leaf key { | |||
nacm:default-deny-all; | nacm:default-deny-all; | |||
type yang:hex-string; | type yang:hex-string; | |||
description | description | |||
"ESP encryption key value. | "ESP encryption key value. | |||
If this leaf is not defined | If this leaf is not defined | |||
the key is not defined | the key is not defined | |||
(e.g. encryption is NULL). | (e.g. encryption is NULL). | |||
The key length is | The key length is | |||
determined by the | determined by the | |||
length of the key set in | length of the key set in | |||
this leaf. By default is | this leaf. By default is | |||
128 bits."; | 128 bits."; | |||
} | } | |||
leaf iv { | leaf iv { | |||
nacm:default-deny-all; | nacm:default-deny-all; | |||
type yang:hex-string; | type yang:hex-string; | |||
description | description | |||
"ESP encryption IV value. If | "ESP encryption IV value. If | |||
this leaf is not defined the | this leaf is not defined the | |||
IV is not defined (e.g. | IV is not defined (e.g. | |||
encryption is NULL)"; | encryption is NULL)"; | |||
} | ||||
} | } | |||
container integrity { | } | |||
description | ||||
container integrity { | ||||
description | ||||
"Configuration of integrity for | "Configuration of integrity for | |||
IPsec Encapsulation Security | IPsec Encapsulation Security | |||
Payload (ESP). This container | Payload (ESP). This container | |||
allows to configure integrity | allows to configure integrity | |||
algorithm when no AEAD | algorithm when no AEAD | |||
algorithms are used, and | algorithms are used, and | |||
integrity is required."; | integrity is required."; | |||
leaf integrity-algorithm { | leaf integrity-algorithm { | |||
type ic:integrity-algorithm-type; | type nsfikec:integrity-algorithm-type; | |||
default 12; | default 12; | |||
description | description | |||
"Message Authentication Code | "Message Authentication Code | |||
(MAC) algorithm to provide | (MAC) algorithm to provide | |||
integrity in ESP | integrity in ESP | |||
(default | (default | |||
AUTH_HMAC_SHA2_256_128). | AUTH_HMAC_SHA2_256_128). | |||
With AEAD algorithms, | With AEAD algorithms, | |||
the integrity leaf is not | the integrity leaf is not | |||
used."; | used."; | |||
} | } | |||
leaf key { | leaf key { | |||
nacm:default-deny-all; | nacm:default-deny-all; | |||
type yang:hex-string; | type yang:hex-string; | |||
description | description | |||
"ESP integrity key value. | "ESP integrity key value. | |||
If this leaf is not defined | If this leaf is not defined | |||
the key is not defined (e.g. | the key is not defined (e.g. | |||
AEAD algorithm is chosen and | AEAD algorithm is chosen and | |||
integrity algorithm is not | integrity algorithm is not | |||
required). The key length is | required). The key length is | |||
determined by the length of | determined by the length of | |||
the key configured."; | the key configured."; | |||
} | ||||
} | } | |||
} | ||||
} /*container esp-sa*/ | } /*container esp-sa*/ | |||
container sa-lifetime-hard { | container sa-lifetime-hard { | |||
description | description | |||
"IPsec SA hard lifetime. The action | "IPsec SA hard lifetime. The action | |||
associated is terminate and | associated is terminate and | |||
hold."; | hold."; | |||
uses ic:lifetime; | uses nsfikec:lifetime; | |||
} | } | |||
container sa-lifetime-soft { | container sa-lifetime-soft { | |||
description | description | |||
"IPsec SA soft lifetime."; | "IPsec SA soft lifetime."; | |||
uses ic:lifetime; | uses nsfikec:lifetime; | |||
leaf action { | leaf action { | |||
type ic:lifetime-action; | type nsfikec:lifetime-action; | |||
description | description | |||
"Action lifetime: | "Action lifetime: | |||
terminate-clear, | terminate-clear, | |||
terminate-hold or replace."; | terminate-hold or replace."; | |||
} | } | |||
} | } | |||
container tunnel { | container tunnel { | |||
when "../mode = 'tunnel'"; | when "../mode = 'tunnel'"; | |||
uses ic:tunnel-grouping; | uses nsfikec:tunnel-grouping; | |||
description | description | |||
"Endpoints of the IPsec tunnel."; | "Endpoints of the IPsec tunnel."; | |||
} | } | |||
container encapsulation-type | container encapsulation-type | |||
{ | { | |||
uses ic:encap; | uses nsfikec:encap; | |||
description | description | |||
"This container carries | "This container carries | |||
configuration information about | configuration information about | |||
the source and destination ports | the source and destination ports | |||
which will be used for ESP | which will be used for ESP | |||
encapsulation that ESP packets the | encapsulation that ESP packets the | |||
type of encapsulation when NAT | type of encapsulation when NAT | |||
traversal is in place."; | traversal is in place."; | |||
} | } | |||
} /*ipsec-sa-config*/ | } /*ipsec-sa-config*/ | |||
container ipsec-sa-state { | container ipsec-sa-state { | |||
config false; | config false; | |||
description | description | |||
"Container describing IPsec SA state | "Container describing IPsec SA state | |||
data."; | data."; | |||
container sa-lifetime-current { | container sa-lifetime-current { | |||
uses ic:lifetime; | uses nsfikec:lifetime; | |||
description | description | |||
"SAD lifetime current."; | "SAD lifetime current."; | |||
} | } | |||
container replay-stats { | container replay-stats { | |||
description | description | |||
"State data about the anti-replay | "State data about the anti-replay | |||
window."; | window."; | |||
leaf replay-window { | leaf replay-window { | |||
type uint64; | type uint64; | |||
description | description | |||
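Review bot: the `key` leaf under `container encryption` (both columns) is left optional and its description says absence means "the key is not defined (e.g. encryption is NULL)", yet the sibling `encryption-algorithm` carries `default 12`, so the algorithm is never absent and the module admits an esp-sa with a defaulted non-NULL algorithm and no key; a `must` constraint tying the presence of `key` to the chosen algorithm would close that gap. The same description also says "The key length is determined by the length of the key set in this leaf. By default is 128 bits", which is contradictory for a leaf with no `default` statement; either state the accepted lengths per algorithm or drop the "By default" sentence. The `ic:` to `nsfikec:` prefix change is applied consistently in this hunk (`encryption-algorithm-type`, `integrity-algorithm-type`, `lifetime`, `lifetime-action`, `tunnel-grouping`, `encap`), and keeping `nacm:default-deny-all` on both `key` leaves and on `iv` is the right default for key material.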
skipping to change at page 74, line 23 ¶ | skipping to change at page 74, line 33 ¶ | |||
} /*ipsec-sa-state*/ | } /*ipsec-sa-state*/ | |||
description | description | |||
"List of SAD entries that conforms the SAD."; | "List of SAD entries that conforms the SAD."; | |||
} /*list sad-entry*/ | } /*list sad-entry*/ | |||
} /*container sad*/ | } /*container sad*/ | |||
}/*container ipsec-ikeless*/ | }/*container ipsec-ikeless*/ | |||
/* Notifications */ | /* Notifications */ | |||
notification sadb-acquire { | notification sadb-acquire { | |||
if-feature ikeless-notification; | ||||
description | description | |||
"An IPsec SA is required. The traffic-selector | "An IPsec SA is required. The traffic-selector | |||
container contains information about the IP packet | container contains information about the IP packet | |||
that triggers the acquire notification."; | that triggers the acquire notification."; | |||
leaf ipsec-policy-name { | leaf ipsec-policy-name { | |||
type string; | type string; | |||
mandatory true; | mandatory true; | |||
description | description | |||
"It contains the SPD entry name (unique) of | "It contains the SPD entry name (unique) of | |||
the IPsec policy that hits the IP packet | the IPsec policy that hits the IP packet | |||
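Review bot: dropping `if-feature ikeless-notification;` from `notification sadb-acquire` makes the notification unconditional, so an NSF can no longer advertise in its YANG library that it does not emit it; if the `ikeless-notification` feature statement is still declared elsewhere in the module it becomes orphaned and should be removed too, and the change should be recorded in the document's change log and reflected wherever the text lists which notifications are optional.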
skipping to change at page 74, line 41 ¶ | skipping to change at page 75, line 4 ¶ | |||
"It contains the SPD entry name (unique) of | "It contains the SPD entry name (unique) of | |||
the IPsec policy that hits the IP packet | the IPsec policy that hits the IP packet | |||
required IPsec SA. It is assumed the | required IPsec SA. It is assumed the | |||
I2NSF Controller will have a copy of the | I2NSF Controller will have a copy of the | |||
information of this policy so it can | information of this policy so it can | |||
extract all the information with this | extract all the information with this | |||
unique identifier. The type of IPsec SA is | unique identifier. The type of IPsec SA is | |||
defined in the policy so the Security | defined in the policy so the Security | |||
Controller can also know the type of IPsec | Controller can also know the type of IPsec | |||
SA that must be generated."; | SA that must be generated."; | |||
} | } | |||
container traffic-selector { | container traffic-selector { | |||
description | description | |||
"The IP packet that triggered the acquire | "The IP packet that triggered the acquire | |||
and requires an IPsec SA. Specifically it | and requires an IPsec SA. Specifically it | |||
will contain the IP source/mask and IP | will contain the IP source/mask and IP | |||
destination/mask; protocol (udp, tcp, | destination/mask; protocol (udp, tcp, | |||
etc...); and source and destination | etc...); and source and destination | |||
ports."; | ports."; | |||
uses ic:selector-grouping; | uses nsfikec:selector-grouping; | |||
} | } | |||
} | } | |||
notification sadb-expire { | notification sadb-expire { | |||
if-feature ikeless-notification; | ||||
description "An IPsec SA expiration (soft or hard)."; | description "An IPsec SA expiration (soft or hard)."; | |||
leaf ipsec-sa-name { | leaf ipsec-sa-name { | |||
type string; | type string; | |||
mandatory true; | mandatory true; | |||
description | description | |||
"It contains the SAD entry name (unique) of | "It contains the SAD entry name (unique) of | |||
the IPsec SA that has expired. It is assumed | the IPsec SA that has expired. It is assumed | |||
the I2NSF Controller will have a copy of the | the I2NSF Controller will have a copy of the | |||
IPsec SA information (except the cryptographic | IPsec SA information (except the cryptographic | |||
material and state data) indexed by this name | material and state data) indexed by this name | |||
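Review bot: the `ipsec-policy-name` description reads "the IPsec policy that hits the IP packet required IPsec SA", which does not parse; suggest "the IPsec policy matched by the IP packet that requires the IPsec SA". The `traffic-selector` description's "etc...)" should be "etc.)". The removal of `if-feature ikeless-notification;` from `sadb-expire` here mirrors the `sadb-acquire` change and needs the same follow-through on the feature declaration.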
skipping to change at page 75, line 37 ¶ | skipping to change at page 75, line 49 ¶ | |||
description | description | |||
"If this value is true the lifetime expired is | "If this value is true the lifetime expired is | |||
soft. If it is false is hard."; | soft. If it is false is hard."; | |||
} | } | |||
container lifetime-current { | container lifetime-current { | |||
description | description | |||
"IPsec SA current lifetime. If | "IPsec SA current lifetime. If | |||
soft-lifetime-expired is true this container is | soft-lifetime-expired is true this container is | |||
set with the lifetime information about current | set with the lifetime information about current | |||
soft lifetime."; | soft lifetime."; | |||
uses ic:lifetime; | uses nsfikec:lifetime; | |||
} | } | |||
} | } | |||
notification sadb-seq-overflow { | notification sadb-seq-overflow { | |||
if-feature ikeless-notification; | ||||
description "Sequence overflow notification."; | description "Sequence overflow notification."; | |||
leaf ipsec-sa-name { | leaf ipsec-sa-name { | |||
type string; | type string; | |||
mandatory true; | mandatory true; | |||
description | description | |||
"It contains the SAD entry name (unique) of | "It contains the SAD entry name (unique) of | |||
the IPsec SA that is about to have sequence | the IPsec SA that is about to have sequence | |||
number overflow and rollover is not permitted. | number overflow and rollover is not permitted. | |||
It is assumed the I2NSF Controller will have | It is assumed the I2NSF Controller will have | |||
a copy of the IPsec SA information (except the | a copy of the IPsec SA information (except the | |||
cryptographic material and state data) indexed | cryptographic material and state data) indexed | |||
by this name (unique identifier) so the it can | by this name (unique identifier) so the it can | |||
know all the information (crypto algorithms, | know all the information (crypto algorithms, | |||
etc.) about the IPsec SA that has expired in | etc.) about the IPsec SA that has expired in | |||
order to perform a rekey of the IPsec SA."; | order to perform a rekey of the IPsec SA."; | |||
} | } | |||
} | } | |||
notification sadb-bad-spi { | notification sadb-bad-spi { | |||
if-feature ikeless-notification; | ||||
description | description | |||
"Notify when the NSF receives a packet with an | "Notify when the NSF receives a packet with an | |||
incorrect SPI (i.e. not present in the SAD)."; | incorrect SPI (i.e. not present in the SAD)."; | |||
leaf spi { | leaf spi { | |||
type uint32 { range "0..max"; } | type uint32 { range "0..max"; } | |||
mandatory true; | mandatory true; | |||
description | description | |||
"SPI number contained in the erroneous IPsec | "SPI number contained in the erroneous IPsec | |||
packet."; | packet."; | |||
} | } | |||
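Review bot: the `ipsec-sa-name` description in `notification sadb-seq-overflow` says "the IPsec SA that has expired in order to perform a rekey", which is copied from `sadb-expire`; this notification is about an SA that "is about to have sequence number overflow", so the sentence should say so, and "so the it can know" should be "so it can know". For `sadb-bad-spi`, which fires on receipt of any packet whose SPI is not in the SAD, the description (or the Security Considerations) should state that the NSF rate-limits or aggregates these notifications, since the trigger is an inbound packet the NSF cannot authenticate and an unbounded stream of notifications toward the I2NSF Controller is a resource-exhaustion risk. The `if-feature ikeless-notification;` removals here match the earlier notifications.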
skipping to change at page 90, line 50 ¶ | skipping to change at page 90, line 50 ¶ | |||
removing any new inbound SA that had been successfully installed | removing any new inbound SA that had been successfully installed | |||
during step 1. | during step 1. | |||
If step 1 is successful but some of the operations in step 2 fails | If step 1 is successful but some of the operations in step 2 fails | |||
(e.g. the NSF A reports an error when the I2NSF Controller is trying | (e.g. the NSF A reports an error when the I2NSF Controller is trying | |||
to install the new outbound IPsec SA), the I2NSF Controller must | to install the new outbound IPsec SA), the I2NSF Controller must | |||
perform a rollback operation by deleting any new outbound SA that had | perform a rollback operation by deleting any new outbound SA that had | |||
been successfully installed during step 2 and by deleting the inbound | been successfully installed during step 2 and by deleting the inbound | |||
SAs created in step 1. | SAs created in step 1. | |||
If the steps 1 an 2 are successful and the step 3 fails, the I2NSF | If the steps 1 and 2 are successful but the step 3 fails, the I2NSF | |||
Controller will avoid any rollback of the operations carried out in | Controller will avoid any rollback of the operations carried out in | |||
step 1 and step 2 since new and valid IPsec SAs were created and are | step 1 and step 2 since new and valid IPsec SAs were created and are | |||
functional. The I2NSF Controller may reattempt to remove the old | functional. The I2NSF Controller may reattempt to remove the old | |||
inbound and outbound SAs in NSF A and NSF B several times until it | inbound and outbound SAs in NSF A and NSF B several times until it | |||
receives a success or it gives up. In the last case, the old IPsec | receives a success or it gives up. In the last case, the old IPsec | |||
SAs will be removed when their corresponding hard lifetime is | SAs will be removed when their corresponding hard lifetime is | |||
reached. | reached. | |||
G.3. Example of managing NSF state loss in IKE-less case | G.3. Example of managing NSF state loss in IKE-less case | |||
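Review bot: the new text fixes "an 2" and "and the step 3" but leaves two grammar slips: "some of the operations in step 2 fails" should be "fail", and "the step 3 fails" should be "step 3 fails". Since the paragraph says the I2NSF Controller "may reattempt to remove the old inbound and outbound SAs ... several times until it receives a success or it gives up", consider stating that the retry count or interval is bounded so that the fallback to hard-lifetime expiry is reached deterministically rather than after an indefinite retry loop.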
End of changes. 71 change blocks. | ||||
325 lines changed or deleted | 339 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |