Network Working Group H. Wang Internet-Draft V. Nagaraj Intended status: Standards Track X. Chen Expires: November 23, 2015 Huawei Technologies May 22, 2015 Yang Data Model for IKE draft-wang-ipsecme-ike-yang-00 Abstract This document describes a YANG data model for the IKE (Internet Key Exchange) protocol. The model covers the IKE protocol configuration, operational state, remote procedural calls, and event notifications data. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on November 23, 2015. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of Wang, et al. Expires November 23, 2015 [Page 1] Internet-Draft Yang Data Model for IKE May 2015 publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. IKE YANG Model Organization . . . . . . . . . . . . . . . . . 3 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2. Configuration . . . . . . . . . . . . . . . . . . . . . . 5 2.2.1. IPsec Global Configuration . . . . . . . . . . . . . 5 2.2.2. IPsec Proposal Configuration . . . . . . . . . . . . 5 2.2.3. IKE Proposal Configuration . . . . . . . . . . . . . 6 2.2.4. IKE Peer Configuration . . . . . . . . . . . . . . . 6 2.2.5. IPsec Policy Configuration . . . . . . . . . . . . . 7 2.2.6. IPsec Interface Map Configuration . . . . . . . . . . 9 2.3. Operational State . . . . . . . . . . . . . . . . . . . . 9 2.3.1. IKE SA Container State . . . . . . . . . . . . . . . 9 2.3.2. IPsec SA State . . . . . . . . . . . . . . . . . . . 10 2.4. Actions . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.4.1. IKE SA reset action . . . . . . . . . . . . . . . . . 10 2.4.2. IPsec SA reset action . . . . . . . . . . . . . . . . 11 2.5. Notifications . . . . . . . . . . . . . . . . . . . . . . 11 2.5.1. DPD failure . . . . . . . . . . . . . . . . . . . . . 12 2.5.2. Peer Authentication failure . . . . . . . . . . . . . 12 2.5.3. IKE Reauth failure . . . . . . . . . . . . . . . . . 12 2.5.4. IKE Rekey failure . . . . . . . . . . . . . . . . . . 12 2.5.5. IPsec Rekey failure . . . . . . . . . . . . . . . . . 12 3. IKE Yang Module . . . . . . . . . . . . . . . . . . . . . . . 13 3.1. IKE Basic Yang Module . . . . . . . . . . . . . . . . . . 13 3.2. IKE Algorithm Yang Module . . . . . . . . . . . . . . . . 30 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 5. Security Considerations . . . . . . . . . . . . . . . . . . . 33 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 33 7. Normative References . . . . . . . . . . . . . . . . . . . . 34 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 34 1. Introduction The Network Configuration Protocol (NETCONF) [RFC6241] is a network management protocol that defines mechanisms to manage network devices. YANG [RFC6020] is a modular language that represents data structures in an XML tree format, and is used as a data modeling language for the NETCONF. Wang, et al. Expires November 23, 2015 [Page 2] Internet-Draft Yang Data Model for IKE May 2015 This document introduces a YANG data model for the IKE (Internet Key Exchange) protocol. There are two IKE protocols defined in IETF namely IKEv1(IKE version 1) and IKEv2(IKE version 2). IKEv1 protocol is obsolete now. The model discussed in this document covers IKEv2 [RFC7296] and other generic enhancements that pertain to the base protocol operation. The data model is defined for following constructs that are used for managing the IKE protocol: configuration, operational state, remote procedural calls, and event notifications data. 2. IKE YANG Model Organization 2.1. Overview The model discussd in this document covers IKEv2 [RFC7296] and other generic enhancements that pertain to the base protocol operation. The cryptographic algorithms are deliberately separated from ietf-ike model so that these algorithms can be updated or replaced without affecting the standardization progress of the rest of the IKE yang model. IPsec yang model, basic cryptographic algorithms for IPsec and basic IPsec type defines will be left out of this model to support IPsec basic information defined in [RFC4301]. IPsec yang model will be defined in separate document. IKE data model has the following relationship with IPsec module and other modules. ^: import IPsec Crypto Module IPsec Type Module +--------------------+ +-------------------+ | ietf-ipsec-crypto | | ietf-ipsec-type | +--------------------+ +-------------------+ | | | | | | | | | | | | INET Basic Type | v IPsec Module v | IKE Crypto Module +----------------+ | +-----------------+ | +---------------+ |ietf-inet-types | | | ietf-ipsec | | |ietf-ike-crypto| +----------------+ | +-----------------+ | +---------------+ | | | | | | | | | | | v v v | | +---------------------------+ | +-------->| ietf-ike | <------+ +---------------------------+ Figure 1: Relationship of IKE with IPsec module and other modules This model aims to address only the core IKE parameters as per RFC 7296 [RFC7296]. Wang, et al. Expires November 23, 2015 [Page 3] Internet-Draft Yang Data Model for IKE May 2015 This model does not cover any applications running on top of IKE nor does it cover any OAM procedures for IKE. Current revision only describes one address family of type "ipv4". The "ipv6" specific IKE configuration will be covered in later revision. The figure below describes the overall structure of the IKE Yang model : module: ietf-ike +--rw ike-global-configuration | ... +--rw ipsec-proposal | ... +--rw ike-proposal | ... +--rw ike-peer | ... +--rw ipsec-policy | +--rw policy-entries* [policy-name sequence-number] | | ... | +--rw policy-template-entries* [policy-name sequence-number] | ... +--rw ipsec-interface-map | ... +--ro ike-sa | ... +--ro ipsec-sa ... rpcs: +---x reset-ike-sa | ... +---x reset-ipsec-sa ... notifications: +---n dpd-failure | ... +---n peer-authentication-failure | ... +---n ike-reauth-failure | ... +---n ike-rekey-failure | ... +---n ipsec-rekey-failure ... Wang, et al. Expires November 23, 2015 [Page 4] Internet-Draft Yang Data Model for IKE May 2015 2.2. Configuration This specification defines the configuration parameters for IKE protocols version2 (IKEv2). This specification only supports ipv4 address type for IKE. 2.2.1. IPsec Global Configuration The IKE global configuration includes some configuration that is common and applicable for all the IKE peers. This includes IKE local name, NAT-Keep-Alive interval, DPD Idle timeout, DPD interval, DPD retry count etc. +--rw ike-global-configuration +--rw (df-flag)? | +--:(set) | | +--rw set? empty | +--:(clear) | | +--rw clear? empty | +--:(copy) | +--rw copy? empty +--rw stateful-frag-check? boolean +--rw life-time-kb? uint32 +--rw life-time-second? uint32 +--rw (anti-replay)? | +--:(enable) | | +--rw enable? empty | | +--rw (anti-replay-windows-size)? | | +--:(size-32) | | +--:(size-64) | | +--:(size-128) | | +--:(size-256) | | +--:(size-512) | | +--:(size-1024) | +--:(disable) | +--rw disable? empty +--rw inbound-dscp? uint16 +--rw outbound-dscp? uint16 +--rw local-name? string +--rw nat-keepalive-interval? uint16 +--rw dpd-interval? uint16 2.2.2. IPsec Proposal Configuration The IPsec proposal container will be used to include the configuration items related to the IPsec tunnel like tunnel protocol (sp, ah), tunnel encapsulation mode (tunnel/transport), Wang, et al. Expires November 23, 2015 [Page 5] Internet-Draft Yang Data Model for IKE May 2015 authentication algorithm for ah/esp and encryption algorithm for esp etc +--rw ipsec-proposal +--rw ipsec-proposal-entries* [proposal-name] +--rw proposal-name string +--rw (protocol)? +--:(ah) | +--rw ah empty | +--rw ah-authentication-algorithm? ipsec-crypto:ipsec-authentication-algorithm +--:(esp) +--rw esp empty +--rw esp-authentication-algorithm? ipsec-crypto:ipsec-authentication-algorithm +--rw esp-encryption-algorithm? ipsec-crypto:ipsec-encryption-algorithm 2.2.3. IKE Proposal Configuration The IKE proposal container is mainly use to hold information related to the IKE SA establishment parameters. These parameters are mainly negotiated between the IKE peers at the time of SA establishment. The various parameters in this container are proposal number, authentication method, integrity algorithm, encryption algorithm, Psuedo-Random function (prf), dh group, reauth , rekey lifetime etc +--rw ike-proposal +--rw ike-proposal-entries* [proposal-number] +--rw proposal-number uint32 +--rw auth-method? ike-auth-method +--rw integrity-algorithm? ike-crypto:ike-integrity-algorithm +--rw encrypt-algorithm? ike-crypto:ike-encryption-algorithm +--rw prf-algorithm? ike-crypto:ike-prf-algorithm +--rw dh-group? ike-crypto:ike-dh-group +--rw reauth-interval? uint32 +--rw life-time? uint32 2.2.4. IKE Peer Configuration The IKE peer container will hold information about peer. The IKE peer is an entity that is going to establish security association with the remote peer. The main configuration parameters related to the IKE peer are: Key information, Name, proposal number, ID type, remote address, local address, certificate information etc Wang, et al. Expires November 23, 2015 [Page 6] Internet-Draft Yang Data Model for IKE May 2015 +--rw ike-peer +--rw ike-peer-entries* [peer-name] +--rw peer-name string +--rw ike-proposal-number? ike-proposal-number-ref +--rw PresharedKey? string +--rw nat-traversal? boolean +--rw (local-id-type)? | +--:(ip) | | +--rw ip? empty | +--:(fqdn) | | +--rw fqdn? empty | +--:(dn) | | +--rw dn? empty | +--:(user_fqdn) | +--rw user_fqdn? empty +--rw local-id? string +--rw remote-id? string +--rw low-remote-address? inet:ip-address +--rw high-remote-address? inet:ip-address +--rw certificate? string +--rw auth-address-begin? inet:ip-address +--rw auth-address-end? inet:ip-address 2.2.5. IPsec Policy Configuration The IPsec policy container will hold values related to the IPsec policy that is bound to an interface (tunnel or physical interface). The information contained in the IPsec policy will determine the characteristics of the tunnel that is going to be establishment. The main attributes related to IPsec policy are: ACL, PFS (to do an additional DH exchange), peer name, IPsec proposal number, policy name, sequence number, policy-mode (ISAKMP, Template etc) +--rw ipsec-policy +--rw policy-entries* [policy-name sequence-number] | +--rw policy-name string | +--rw sequence-number uint32 | +--rw (policy-mode)? | +--:(isakmp) | | +--rw isakmp? empty | | +--rw local-address? inet:ip-address | | +--rw binding-interface-name? string | | +--rw (acl)? | | | +--:(acl-number) | | | | +--rw acl-number? uint32 | | | +--:(advance-acl) | | | +--rw advance-acl? string | | +--rw pfs? ike-crypto:ike-dh-group Wang, et al. Expires November 23, 2015 [Page 7] Internet-Draft Yang Data Model for IKE May 2015 | | +--rw peer-name? ike-peer-name-ref | | +--rw (df-flag)? | | | +--:(set) | | | | +--rw set? empty | | | +--:(clear) | | | | +--rw clear? empty | | | +--:(copy) | | | +--rw copy? empty | | +--rw stateful-frag-check? boolean | | +--rw life-time-kb? uint32 | | +--rw life-time-second? uint32 | | +--rw (anti-replay)? | | | +--:(enable) | | | | +--rw enable? empty | | | | +--rw (anti-replay-windows-size)? | | | | +--:(size-32) | | | | +--:(size-64) | | | | +--:(size-128) | | | | +--:(size-256) | | | | +--:(size-512) | | | | +--:(size-1024) | | | +--:(disable) | | | +--rw disable? empty | | +--rw inbound-dscp? uint16 | | +--rw outbound-dscp? uint16 | | +--rw ipsec-proposal* [proposal-name] | | +--rw proposal-name ipsec-proposal-name-ref | +--:(template) | +--rw template? empty | +--rw template-name ipsec-policy-template-name-ref +--rw policy-template-entries* [policy-name sequence-number] +--rw policy-name string +--rw sequence-number uint32 +--rw local-address? inet:ip-address +--rw binding-interface-name? string +--rw (acl)? | +--:(acl-number) | | +--rw acl-number? uint32 | +--:(advance-acl) | +--rw advance-acl? string +--rw pfs? ike-crypto:ike-dh-group +--rw peer-name? ike-peer-name-ref +--rw (df-flag)? | +--:(set) | | +--rw set? empty | +--:(clear) | | +--rw clear? empty | +--:(copy) Wang, et al. Expires November 23, 2015 [Page 8] Internet-Draft Yang Data Model for IKE May 2015 | +--rw copy? empty +--rw stateful-frag-check? boolean +--rw life-time-kb? uint32 +--rw life-time-second? uint32 +--rw (anti-replay)? | +--:(enable) | | +--rw enable? empty | | +--rw (anti-replay-windows-size)? | | +--:(size-32) | | +--:(size-64) | | +--:(size-128) | | +--:(size-256) | | +--:(size-512) | | +--:(size-1024) | +--:(disable) | +--rw disable? empty +--rw inbound-dscp? uint16 +--rw outbound-dscp? uint16 +--rw ipsec-proposal* [proposal-name] +--rw proposal-name ipsec-proposal-name-ref 2.2.6. IPsec Interface Map Configuration The IPsec interface map container will have information related to the interface on which IPsec policy will be applied. It will have information like IPsec policy name, tunnel protocol, tunnel name , enable-disable UNR route generation etc +--rw ipsec-interface-map +--rw policy-interface* [interface-name] +--rw interface-name string +--rw policy-name ipsec-policy-name-ref +--rw generate-unr-route? boolean 2.3. Operational State The Operational state of the IKE SA or IPsec SA can be queried and obtained from the respective container. All the attributes/items in this container are read-only attributes and they reflect the run-time information of any established IKE SA. 2.3.1. IKE SA Container State The IKE SA container is used to maintain information related to the IKE SA established. This SA is a run-time data structure that is created and has information about established SA like SPI, local and remote address, established time, remaining life time, dh group, auth method, prf, encryption algorithm , integrity algorithm etc Wang, et al. Expires November 23, 2015 [Page 9] Internet-Draft Yang Data Model for IKE May 2015 +--ro ike-sa +--ro ike-sa-entries* [initiator-spi responder-spi] +--ro remote-address? inet:ip-address +--ro local-address? inet:ip-address +--ro initiator-spi uint64 +--ro responder-spi uint64 +--ro remote-id? string +--ro local-id? string +--ro auth-method? ike-auth-method +--ro integrity-algorithm? ike-crypto:ike-integrity-algorithm +--ro encryption-algorithm? ike-crypto:ike-encryption-algorithm +--ro prf-algorithm? ike-crypto:ike-prf-algorithm +--ro dh-group? ike-crypto:ike-dh-group +--ro sa-established-time? string +--ro remaining-time? uint32 2.3.2. IPsec SA State The IPsec SA container is used to maintain information related to the IPsec SA established. This is a run-time data structure that is created and has information about established SA like SPI, local and remote address, remaining life time, protocol etc +--ro ipsec-sa +--ro ipsec-sa-entries* +--ro remote-address? inet:ip-address +--ro local-address? inet:ip-address +--ro responder-spi? uint32 +--ro remaining-time? uint32 2.4. Actions This model defines a list of RPCs that allow performing an action or executing a command on the protocol. For example, it allows clearing (reset) IKE SAs, IPsec SAs, statistics etc. The model makes an effort to provide different level of control so that a user is able to either clear all, or clear all of a given type, or clear a specific entity. 2.4.1. IKE SA reset action This operation type is executed when the user wants to delete IKE SAs. The command gives a flexibility to delete all SAs or a particular SA only based on remote address, connection-id etc. Wang, et al. Expires November 23, 2015 [Page 10] Internet-Draft Yang Data Model for IKE May 2015 +---x reset-ike-sa +---w input | +---w (peer-info)? | +--:(peer-id) | | +---w peer-id? string | +--:(peer-address) | +---w peer-address? inet:ip-address +--ro output +--ro status? string 2.4.2. IPsec SA reset action This operation type is executed when the user wants to delete IPsec SAs. The command gives a flexibility to delete all SAs or a particular SA only based on remote address, policy sequence number, remote peer address etc. +---x reset-ipsec-sa +---w input | +---w (sa-info)? | +--:(parameters) | | +---w (peer-info) | | | +--:(peer-id) | | | | +---w peer-id? string | | | +--:(peer-address) | | | +---w peer-address? inet:ip-address | | +---w protocol ipsec-type:ipsec-protocol | | +---w spi ipsec-type:ipsec-spi | +--:(remote-peer) | | +---w remote-peer | | +---w (peer-info)? | | +--:(peer-id) | | | +---w peer-id? string | | +--:(peer-address) | | +---w peer-address? inet:ip-address | +--:(policy) | +---w policy? ipsec-policy-name-ref +--ro output +--ro status? string 2.5. Notifications This model defines a list of notifications to inform client of important events detected during the protocol operation. These events include events related to changes in the operational state of an IKE SA, IPsec SA, Statistics etc. Wang, et al. Expires November 23, 2015 [Page 11] Internet-Draft Yang Data Model for IKE May 2015 2.5.1. DPD failure This notification type is reported to the NETCONF client when there is a peer that is not responding to the DPD Keep Alive messages. +---n dpd-failure +--ro peer-id? string 2.5.2. Peer Authentication failure This notification type is reported to the NETCONF client when the peer authentication has failed due to either invalid key, certificate, invalid id etc +---n peer-authentication-failure +--ro peer-id? string 2.5.3. IKE Reauth failure This notification type is reported to the NETCONF client when the re- authentication of the peer has failed. Reauth can fail due to many reasons like proposal mismatch during re-auth procedure, packet drop, dead peer etc +---n ike-reauth-failure +--ro peer-id? string 2.5.4. IKE Rekey failure This notification type is reported to the NETCONF client when the IKE SA rekey has failed. The rekey is an operation used to refresh the IKE SA keys. It can fail due to proposal mismatch during rekey procedure, packet drop, dead peer etc +---n ike-rekey-failure +--ro peer-id? string +--ro old-i-spi? uint64 +--ro old-r-spi? uint64 2.5.5. IPsec Rekey failure This notification type is reported to the NETCONF client when the IKE SA rekey has failed. The rekey is an operation used to refresh the IPsec SA keys. It can fail due to proposal mismatch during rekey procedure, packet drop, dead peer etc Wang, et al. Expires November 23, 2015 [Page 12] Internet-Draft Yang Data Model for IKE May 2015 +---n ipsec-rekey-failure +--ro peer-id? string +--ro old-inbound-spi? ipsec-type:ipsec-spi +--ro old-outbound-spi? ipsec-type:ipsec-spi 3. IKE Yang Module To support separately upgrade the algorithm part, the base data model and the algorithm part are defined as two separately parts. 3.1. IKE Basic Yang Module module ietf-ike { namespace "urn:ietf:params:xml:ns:yang:ietf-ike"; // replace with IANA namespace when assigned prefix "ike"; import "ietf-ipsec-crypto" { prefix "ipsec-crypto"; } import "ietf-ike-crypto" { prefix "ike-crypto"; } import "ietf-inet-types" { prefix "inet"; } import "ietf-ipsec-type" { prefix "ipsec-type"; } import "ietf-ipsec" { prefix "ipsec"; } organization "Huawei Technologies India Pvt Ltd"; contact "stonewater.wang@huawei.com"; description "IKE Yang module define"; revision 2015-04-18 { description "Initial revision."; reference "RFC XXXX: IKE Yang Modules"; } Wang, et al. Expires November 23, 2015 [Page 13] Internet-Draft Yang Data Model for IKE May 2015 grouping ipsec-common-configuration { choice df-flag { default copy; case set { leaf set { type empty; description "Set the df bit when encapsulate IPsec tunnel."; } } case clear { leaf clear { type empty; description "Clear the df bit when encapsulate IPsec tunnel."; } } case copy { leaf copy { type empty; description "Copy the inner IP header df bit."; } } description "It indicates how to process the df bit when encapsulate IPsec tunnel."; } leaf stateful-frag-check { type boolean; default false; description "Whether stateful fragment checking applies."; } leaf life-time-kb { type uint32; units "KB"; default 2000000; description "IPsec SA Life time in KB."; } leaf life-time-second { type uint32; units "Second"; default 18400; description "IPsec SA Life time in Seconds"; } choice anti-replay { default enable; Wang, et al. Expires November 23, 2015 [Page 14] Internet-Draft Yang Data Model for IKE May 2015 case enable { leaf enable { type empty; description "Enable Anti-replay"; } choice anti-replay-windows-size { case size-32; case size-64; case size-128; case size-256; case size-512; case size-1024; default size-1024; description "It indicate the size of anti-replay window"; } } case disable { leaf disable { type empty; description "Disable Anti-replay"; } } description "Whether enable or disable anti-replay"; } leaf inbound-dscp { type uint16 { range "0..63"; } default 0; description "Inbound DSCP value"; } leaf outbound-dscp { type uint16 { range "0..63"; } default 0; description "Outbound DSCP value"; } description "Common IPsec configurations"; } grouping choose-ipsec-peer { choice peer-info { case peer-id { leaf peer-id { type string; Wang, et al. Expires November 23, 2015 [Page 15] Internet-Draft Yang Data Model for IKE May 2015 description "Peer ID"; } } case peer-address { leaf peer-address { type inet:ip-address; description "Peer IP Address"; } } description "Reset according to peer information"; } description "IKE peer information when do reset operation"; } typedef ike-peer-name-ref { type leafref { path "/ike-peer/ike-peer-entries/peer-name"; } description "reference to ike peer name"; } typedef ike-proposal-number-ref { type leafref { path "/ike-proposal/ike-proposal-entries/proposal-number"; } description "reference to ike proposal number"; } typedef ipsec-proposal-name-ref{ type leafref { path "/ipsec-proposal/ipsec-proposal-entries/proposal-name"; } description "reference to ike proposal name"; } typedef ipsec-policy-template-name-ref { type leafref { path "/ipsec-policy/policy-template-entries/policy-name"; } description "reference to ipsec policy template name"; } typedef ike-auth-method { type enumeration { enum pre-share { description "Select pre-shared key message as the authentication method"; } enum rsa-digital-signature { Wang, et al. Expires November 23, 2015 [Page 16] Internet-Draft Yang Data Model for IKE May 2015 description "Select rsa digital signature as the authentication method"; } enum dss-digital-signature { description "Select dss digital signature as the authentication method"; } } description "IKE authentication methods"; } typedef ipsec-policy-name-ref { type leafref { path "/ipsec-policy/policy-entries/policy-name"; } description "reference to ipsec policy name"; } container ike-global-configuration { description "Global IKE configurations"; uses ipsec-common-configuration; leaf local-name { type string; description "Global local name configuration, if it is not configed, ip address will be used as default. If configing special local name for special peer, it will overwrite the global name configuration when negotion with that peer."; } leaf nat-keepalive-interval { type uint16 { range "5..300"; } units "Seconds"; default 20; description "Global nat keepalive interval"; } leaf dpd-interval { type uint16 { range "10..3600"; } units "Seconds"; default 30; description "Global DPD interval"; } } Wang, et al. Expires November 23, 2015 [Page 17] Internet-Draft Yang Data Model for IKE May 2015 container ipsec-proposal { description "IPsec proposal information"; list ipsec-proposal-entries { key "proposal-name"; description "IPsec proposal information"; leaf proposal-name { type string; mandatory true; description "Name of IPsec proposal."; } choice protocol { default esp; case ah { leaf ah { type empty; mandatory true; description "Choose AH as IPsec protocol"; } leaf ah-authentication-algorithm { type ipsec-crypto:ipsec-authentication-algorithm; must "ah-authentication-algorithm != 'null'" { error-message "AH authentication algorithm MUST not be null"; description "AH authentication algorithm MUST not be null"; } default sha2-256; description "IPsec authentication algorithm for AH"; } description "Choose AH as IPsec protocol"; } case esp { leaf esp { type empty; description "Choose ESP as IPsec protocol"; } leaf esp-authentication-algorithm { type ipsec-crypto:ipsec-authentication-algorithm; default sha2-256; description "IPsec authentication algorithm for ESP"; } leaf esp-encryption-algorithm { type ipsec-crypto:ipsec-encryption-algorithm; default aes-256; description "IPsec encryption algorithm for ESP"; Wang, et al. Expires November 23, 2015 [Page 18] Internet-Draft Yang Data Model for IKE May 2015 } must "esp-authentication-algorithm != 'null' or esp-encryption-algorithm != 'null'" { error-message "ESP authentication algorithm and encryption algorithm can not be both null"; description "ESP authentication algorithm and encryption algorithm can not be both null"; } description "Choose ESP as IPsec protocol"; } description "Choose IPsec protocol"; } } //End of IPsecProposalEntries }//End of IPsec Proposal container ike-proposal { description "IKE proposal information"; list ike-proposal-entries { key "proposal-number"; description "IKE proposal information"; leaf proposal-number { type uint32; mandatory true; description "Proposal seq-number of ike proposal"; } leaf auth-method { type ike-auth-method; default pre-share; description "authentication method of ike peer"; } leaf integrity-algorithm { type ike-crypto:ike-integrity-algorithm; default hmac-sha2-256; description "integrity algorithm of ike protocol"; } leaf encrypt-algorithm { type ike-crypto:ike-encryption-algorithm; default aes-cbc-256; description "Encryption algorithm of ike protocol"; } leaf prf-algorithm { type ike-crypto:ike-prf-algorithm; default hmac-sha2-256; Wang, et al. Expires November 23, 2015 [Page 19] Internet-Draft Yang Data Model for IKE May 2015 description "Prf algorithm of ike protocol"; } leaf dh-group { type ike-crypto:ike-dh-group; must "dh-group != 'dh-group-none'" { error-message "DH Group MUST be configurated"; description "DH Group MUST be configurated"; } default dh-group-2; description "DH group of ike protocol"; } leaf reauth-interval { type uint32 { range "60..604800"; } units "Seconds"; default 86400; description "Reauth interval time of IKE protocol"; } leaf life-time { type uint32 { range "60..604800"; } units "Seconds"; default 86400; description "IKE SA life time"; } } //End of IKEProposal } container ike-peer { description "IKE peer information"; list ike-peer-entries { key "peer-name"; description "IKE peer information"; leaf peer-name { type string; mandatory true; description "Name of IKE peer"; } leaf ike-proposal-number { Wang, et al. Expires November 23, 2015 [Page 20] Internet-Draft Yang Data Model for IKE May 2015 type ike-proposal-number-ref; description "IKE proposal number referenced by IKE peer"; } leaf PresharedKey { type string; description "Preshare key"; } leaf nat-traversal { type boolean; default false; description "Enable/Disable nat traversal"; } choice local-id-type { default ip; case ip { leaf ip { type empty; description "IP address"; } } case fqdn { leaf fqdn { type empty; description "Fully Qualifed Domain name "; } } case dn { leaf dn { type empty; description "Domain name"; } } case user_fqdn { leaf user_fqdn { type empty; description "User FQDN"; } } description "Local ID type"; } leaf local-id { type string; description "Local ID Name. When IP is used as local ID type, it is ignored. If it is not configurated, global local name will be used."; Wang, et al. Expires November 23, 2015 [Page 21] Internet-Draft Yang Data Model for IKE May 2015 } leaf remote-id { type "string"; description "ID of IKE peer"; } leaf low-remote-address { type inet:ip-address; description "Low range of remote address"; } leaf high-remote-address { type inet:ip-address; description "High range of remote address"; } leaf certificate { type string; description "Certificate file name"; } leaf auth-address-begin { type inet:ip-address; description "The begin range of authenticated peer address"; } leaf auth-address-end { type inet:ip-address; description "The end range of authenticated peer address"; } } }//End of IKEPeerEntries container ipsec-policy { description "IPsec policy information"; grouping policy-content { leaf local-address { type inet:ip-address; description "Local address used by IKE when negotiate with peer, if it is not configed, the interface address with bind this ipsec policy will be used."; } leaf binding-interface-name { type string; description "The interface that the policy is already bind with"; } choice acl { case acl-number { leaf acl-number { type uint32 { range "3000..3999"; Wang, et al. Expires November 23, 2015 [Page 22] Internet-Draft Yang Data Model for IKE May 2015 } description "Config common acl as IPsec traffic selector"; } } case advance-acl { leaf advance-acl { type string { length "1..32"; } description "Config advance acl as IPsec traffic selector"; } } description "Config acl as IPsec traffic selector"; } leaf pfs { type ike-crypto:ike-dh-group; default dh-group-none; description "Whether choose different DH group with IKE SA when create ipsec SA to increase perfect forwarding security"; } leaf peer-name { type ike-peer-name-ref; description "The ike peer binding with this policy"; } uses ipsec-common-configuration { description "The common configuration of IPsec SA"; } list ipsec-proposal { key "proposal-name"; max-elements "6"; description "The ipsec-proposals binding with the policy"; leaf proposal-name { type ipsec-proposal-name-ref; description "The ipsec-proposals binding with the policy"; } } description "IPsec policy content"; } list policy-entries { Wang, et al. Expires November 23, 2015 [Page 23] Internet-Draft Yang Data Model for IKE May 2015 key "policy-name sequence-number"; description "IPsec policy information"; leaf policy-name { type string; mandatory true; description "IPsec policy group name"; } leaf sequence-number { type uint32; mandatory true; description "IPsec policy sequence number"; } choice policy-mode { case isakmp { leaf isakmp { type empty; description "Common ISAKMP IPsec policy"; } uses policy-content { description "common ipsec policy content"; } } case template { leaf template { type empty; description "ISAKMP IPsec policy created using template"; } leaf template-name { type ipsec-policy-template-name-ref; mandatory true; description "The IPsec policy template name which is used to create this policy"; } } default isakmp; description "IPsec policy mode"; } } list policy-template-entries { key "policy-name sequence-number"; description "IPsec policy template define"; Wang, et al. Expires November 23, 2015 [Page 24] Internet-Draft Yang Data Model for IKE May 2015 leaf policy-name { type string { length "1..15"; } mandatory true; description "IPsec policy template name"; } leaf sequence-number { type uint32; mandatory true; description "Sequence number of policy template"; } uses policy-content { description "common ipsec policy content"; } } } container ipsec-interface-map { description "The map information between IPsec policy and interface"; list policy-interface { key "interface-name"; description "The map information between IPsec policy and interface"; leaf interface-name { type string; mandatory true; description "Interface name which will bind IPsec policy"; } leaf policy-name { type ipsec-policy-name-ref; mandatory true; description "IPsec policy name"; } leaf generate-unr-route { type boolean; default false; description "Whether generate UNR route"; } } } container ike-sa { config false; description "IKE SA informations"; Wang, et al. Expires November 23, 2015 [Page 25] Internet-Draft Yang Data Model for IKE May 2015 list ike-sa-entries { key "initiator-spi responder-spi"; description "IKE SA informations"; leaf remote-address { type inet:ip-address; description "The IP address of the remote peer"; } leaf local-address { type inet:ip-address; description "The IP address of local"; } leaf initiator-spi { type uint64; description "The SPI of initiator"; } leaf responder-spi { type uint64; description "The SPI of responder"; } leaf remote-id { type string; description "The ID of the remote peer"; } leaf local-id { type string; description "The ID of local"; } leaf auth-method { type ike-auth-method; description "The authentication method of IKE peer"; } leaf integrity-algorithm { type ike-crypto:ike-integrity-algorithm; description "The integrity algorithm chosen by IKE negotiation"; } leaf encryption-algorithm { type ike-crypto:ike-encryption-algorithm; description "The encryption algorithm chosen by IKE negotiation"; } leaf prf-algorithm { type ike-crypto:ike-prf-algorithm; description "The PRF algorithm chosen by IKE negotiation"; } leaf dh-group { type ike-crypto:ike-dh-group; Wang, et al. Expires November 23, 2015 [Page 26] Internet-Draft Yang Data Model for IKE May 2015 description "The DH group chosen by IKE negotiation"; } leaf sa-established-time { type string; description "The establish time of the IKE SA"; } leaf remaining-time { type uint32; description "The remain life time of IKE SA"; } } } container ipsec-sa { config false; description "IPsec SA information"; list ipsec-sa-entries { description "IPsec SA information"; leaf remote-address { type inet:ip-address; description "The IP address of the remote tunnel end-point"; } leaf local-address { type inet:ip-address; description "The IP address of local tunnel end-point"; } leaf responder-spi { type uint32; description "The SPI of responder"; } leaf remaining-time { type uint32; description "The remain life time of IPsec SA"; } } } rpc reset-ike-sa { description "Reset IKE SA"; input { Wang, et al. Expires November 23, 2015 [Page 27] Internet-Draft Yang Data Model for IKE May 2015 uses choose-ipsec-peer; description "Reset IKE SA"; } output { leaf status { type string; description "Operation status"; } } } rpc reset-ipsec-sa { description "Reset IPsec SA"; input { choice sa-info { case parameters { uses choose-ipsec-peer { refine "peer-info" { mandatory true; } } leaf protocol { type ipsec-type:ipsec-protocol; mandatory true; description "SA protocol"; } leaf spi { type ipsec-type:ipsec-spi; mandatory true; description "SA SPI"; } description "Reset according to special parameters"; } case remote-peer { container remote-peer { uses choose-ipsec-peer; description "Reset according to remote peer"; } } case policy { leaf policy { type ipsec-policy-name-ref; description "Reset according to IPsec policy name"; } } description "Reset according to special information"; Wang, et al. Expires November 23, 2015 [Page 28] Internet-Draft Yang Data Model for IKE May 2015 } } output { leaf status { type string; description "Operation status"; } } } notification dpd-failure{ description "IKE peer DPD detect failure"; leaf peer-id { type string; description "Peer ID"; } } notification peer-authentication-failure { description "Peer authentication fail when negotication"; leaf peer-id { type string; description "The ID of remote peer"; } } notification ike-reauth-failure { description "IKE peer reauthentication fail"; leaf peer-id { type string; description "The ID of remote peer"; } } notification ike-rekey-failure { description "IKE SA rekey failure"; leaf peer-id { type string; description "The ID of remote peer"; } leaf old-i-spi { type uint64; description "old SPI"; } leaf old-r-spi { type uint64; description "old SPI"; Wang, et al. Expires November 23, 2015 [Page 29] Internet-Draft Yang Data Model for IKE May 2015 } } notification ipsec-rekey-failure { description "IPsec SA rekey failure"; leaf peer-id { type string; description "The ID of remote peer"; } leaf old-inbound-spi { type ipsec-type:ipsec-spi; description "old inbound SPI"; } leaf old-outbound-spi { type ipsec-type:ipsec-spi; description "old outbound SPI"; } } } 3.2. IKE Algorithm Yang Module module ietf-ike-crypto { namespace "urn:ietf:params:xml:ns:yang:ietf-ike-crypto"; prefix ike-crypto; organization "Huawei Technologies India Pvt Ltd"; contact "stonewater.wang@huawei.com"; description "IKE Crypto Yang"; reference "RFC 7296: Internet Key Exchange Protocol Version 2"; revision 2015-04-18 { description "Initial revision."; reference "RFC 7296: Internet Key Exchange Protocol Version 2"; } typedef ike-integrity-algorithm { type enumeration { enum "hmac-md5-96" { description "HMAC-MD5-96 Integrity Algorithm"; } enum "hmac-sha1-96" { Wang, et al. Expires November 23, 2015 [Page 30] Internet-Draft Yang Data Model for IKE May 2015 description "HMAC-SHA1-96 Integrity Algorithm"; } enum "hmac-sha2-256" { description "HMAC-SHA2-256 Integrity Algorithm"; } enum "hmac-sha2-384" { description "HMAC-SHA2-384 Integrity Algorithm"; } enum "hmac-sha2-512" { description "HMAC-SHA2-512 Integrity Algorithm"; } } description "typedef for ike integrity algorithm."; } typedef ike-encryption-algorithm { type enumeration { enum "des-cbc" { description "DES-CBC Encryption algorithm"; } enum "3des-cbc" { description "3DES-CBC Encryption algorithm"; } enum "aes-cbc-128" { description "AES-CBC-128 Encryption algorithm"; } enum "aes-cbc-192" { description "AES-CBC-192 Encryption algorithm"; } enum "aes-cbc-256" { description "AES-CBC-256 Encryption algorithm"; } } description "typedef for ike encryption algorithm."; } typedef ike-prf-algorithm { Wang, et al. Expires November 23, 2015 [Page 31] Internet-Draft Yang Data Model for IKE May 2015 type enumeration { enum "hmac-md5-96" { description "HMAC-MD5-96 PRF Algorithm"; } enum "hmac-sha1-96" { description "HMAC-SHA1-96 PRF Algorithm"; } enum "hmac-sha2-256" { description "HMAC-SHA2-256 PRF Algorithm"; } enum "hmac-sha2-384" { description "HMAC-SHA2-384 PRF Algorithm"; } enum "hmac-sha2-512" { description "HMAC-SHA2-512 PRF Algorithm"; } } description "typedef for ike prf algorithm."; } typedef ike-dh-group { type enumeration { enum "dh-group-none" { description "None Diffie-Hellman group"; } enum "dh-group-1" { description "768 bits Diffie-Hellman group"; } enum "dh-group-2" { description "1024 bits Diffie-Hellman group"; } enum "dh-group-5" { description "1536 bits Diffie-Hellman group"; } enum "dh-group-14" { description "2048 bits Diffie-Hellman group"; } Wang, et al. Expires November 23, 2015 [Page 32] Internet-Draft Yang Data Model for IKE May 2015 } description "typedef for ike dh group"; } } 4. IANA Considerations This document registers the following URIs in the IETF XML registry [RFC3688]. Following the format in [RFC3688], the following registration is requested to be made. URI: urn:ietf:params:xml:ns:yang:ietf-ike XML: N/A, the requested URI is an XML namespace. URI: urn:ietf:params:xml:ns:yang:ietf-ike-crypto XML: N/A, the requested URI is an XML namespace. This document registers a YANG module in the YANG Module Names registry [RFC6020]. name: ietf-ike namespace: urn:ietf:params:xml:ns:yang:ietf-ike prefix: ike reference: [RFC7296] name: ietf-ike-crypto namespace: urn:ietf:params:xml:ns:yang:ietf- ike-crypto prefix: ike-crypto reference: [RFC7296] 5. Security Considerations The YANG module defined in this memo is designed to be accessed via the NETCONF protocol[RFC6241]. The lowest NETCONF layer is the secure transport layer and the mandatory-to-implement secure transport is SSH [RFC6242]. The NETCONF access control model [RFC6536] provides means to restrict access for particular NETCONF users to a pre-configured subset of all available NETCONF protocol operations and content. There are a number of data nodes defined in the YANG module which are writable/creatable/deletable (i.e., config true, which is the default). These data nodes may be considered sensitive or vulnerable in some network environments. Write operations (e.g., ) to these data nodes without proper protection can have a negative effect on network operations. 6. Acknowledgements Wang, et al. Expires November 23, 2015 [Page 33] Internet-Draft Yang Data Model for IKE May 2015 7. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, January 2004. [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005. [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010. [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. Bierman, "Network Configuration Protocol (NETCONF)", RFC 6241, June 2011. [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, June 2011. [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration Protocol (NETCONF) Access Control Model", RFC 6536, March 2012. [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, October 2014. Authors' Addresses Honglei Wang Huawei Technologies Huawei Bld., No.156 Beiqing Rd. Beijing 100095 China Email: stonewater.wang@huawei.com Vijay Kumar Nagaraj Huawei Technologies Huawei Technologies India Pvt Ltd Bangalore 560008 India Email: vijay.kn@huawei.com Wang, et al. Expires November 23, 2015 [Page 34] Internet-Draft Yang Data Model for IKE May 2015 Xia Chen Huawei Technologies Huawei Bld., No.156 Beiqing Rd. Beijing 100095 China Email: xiachen@huawei.com Wang, et al. Expires November 23, 2015 [Page 35]