[Docs] [txt|pdf] [Tracker] [Email] [Nits]

Versions: 00

Network Working Group                                           K. Tran
Internet Draft                                               D. Migault
Intended status: Standard Track                                Ericsson
Expires: September 18, 2016                                     H. Wang
                                                             V. Nagaraj
                                                                X. Chen
                                                    Huawei Technologies
                                                         March 18, 2016

                         Yang Data Model for IKEv2
                   draft-tran-ipsecme-ikev2-yang-00.txt


Abstract

   This document defines a YANG data model that can be used to
   configure and manage Internet Key Exchange version 2 (IKEv2).  The
   model covers the IKEv2 protocol configuration and operational state.



Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on November 18, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors. All rights reserved.





Tran, et al.          Expires September 18, 2016               [Page 1]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.



Table of Contents


   1. Introduction...................................................3
   2. Conventions used in this document..............................3
   3. IKEv2 protocol Overview........................................4
      3.1. IKEv2 Transport Attributes................................4
      3.2. IKEv2_INIT Exchange.......................................8
      IKEv2_INIT Exchange Configuration Attributes:..................9
      3.3. Creation of the IKE_SA...................................12
      3.4. IKE_AUTH Exchange........................................14
      3.5. IKEv2 Configuration Data Model...........................17
      3.6. IKEv2 Operation Data Model...............................24
   4. IKEv2 Crypto YANG Module......................................26
   5. IKEv2 YANG Module.............................................46
   6. Security Considerations.......................................75
   7. References....................................................75
      7.1. Normative References.....................................75
      7.2. Informative References...................................76


















Tran, et al.          Expires September 18, 2016               [Page 2]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


1. Introduction

   This document introduces a YANG data model for the Internet Exchange
   Key version 2 (IKEv2) protocol.  The model discussed in this
   document covers IKEv2 [RFC7296] and other generic enhancements that
   pertain to the base protocol operation.  The YANG data model is
   defined for the following constructs that are used for managing the
   IKEv2 protocol including configuration and operational state.



2. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [RFC2119].

   In this document, these words will appear with that interpretation
   only when in ALL CAPS. Lower case uses of these words are not to be
   interpreted as carrying RFC-2119 significance.

   In this document, the characters ">>" preceding an indented line(s)
   indicates a compliance requirement statement using the key words
   listed above. This convention aids reviewers in quickly identifying
   or finding the explicit compliance requirements of this RFC.
























Tran, et al.          Expires September 18, 2016               [Page 3]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


3. IKEv2 protocol Overview

   This section provides a high level overview of IKEv2 [RFC7296] to
   make the YANG model more comprehensive. The intent of this section
   is to fill the gap between the IKEv2 specifications and its
   associated YANG model. It is expected to clarify the YANG model, for
   those that are more familiar to the IKEv2 specifications, and
   provide some IKEv2 background for those that are more familiar to
   YANG models.

   Note that the purpose of IKEv2 standard is to provide
   interoperability whereas the YANG model provides an implementation
   independent way to configure IKEv2 daemons. With these different
   goals application-dependent parameters or parameters that
   interoperability-independent (like the life time of the IKE SA for
   example) are not mentioned in the IKEv2 standard but needs to be
   specified in the YANG model.

   IKEv2 can be designed as a single monolithic daemon that is
   configured in a single manner for all initiated and responding IKEv2
   negotiation. On the other hand, IKEv2 can also be view as a daemon
   that can enable some specific configuration for each peer. This
   would mean for example that the IKE_SA could be set differently
   according to the peer. In addition to these different levels of
   configuration granularities, the IKEv2 daemon is not always aware of
   the peer identity. When it acts as a responder, for example, the
   peer ID is only known during the IKE_AUTH exchange, which means that
   during the previous exchange (IKE_INIT) the IKEv2 daemon is likely
   not to apply a per peer policy.

   In order to address the multiple possible configurations the IKEv2
   configuration and variables are subdivided into different modules.
   An IKEv2 daemon needs to have all these modules to be specified,
   however, each module may be specified at different level in the
   tree. More specifically, module may be set for the global
   implementation or for each peer.

3.1. IKEv2 Transport Attributes

   This section provides the attributes used to enable the transport of
   the IKEv2 messages between the initiator and the peer. The transport
   often needs configuration attributes that define the behavior of the
   IKEv2 daemon according to operational attributes (or counters).

   IKEv2 Header defines the attributes that identifies the IKE session
   between the peers. Although the configuration attributes may be
   common for the whole implementation, it is expected that the


Tran, et al.          Expires September 18, 2016               [Page 4]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


   operational attributes are defines from each session, that is for
   each IKE_SA. These attributes are provided in the header and are
   described in [RFC7296] section 3.1. Although the IKE header contains
   also attributes such as Message IDs, and flags for example that
   indicate if corresponds to a query or a response, these headers
   attributes are not considers as operational attributes of the IKE
   header, instead, these are considered as operational attribute of
   the Anti-Replay Mechanism. The attributes associated to the IKEv2
   Header are thus:

     . MjVer: defines the major version. As defined in [RFC7296]
        section 3.1 implementations that of [RFC7296] MUST set this
        attribute to 2.
     . MnVer: defines the minor version. As defined in [RFC7296]
        section 3.1 implementations that of [RFC7296] MUST set this
        attribute to 0.
     . SPI-generation-policies: defines how the SPI are expected to be
        generated. Most likely SPIs will randomly generate. On the
        other hand, it may be needed for some deployment such as
        clusters to be able to reduce the spectrum of these SPIs.
     . Initiator SPI: defines the SPI assigned by the Initiator to
        index the inbound messages to the appropriated IKE_SA. The SPIs
        are agreed between the peers after the IKE_INIT exchange and
        are not part of the configuration parameters.
     . Responder SPI: defines the SPI assigned by the Responder to
        index the inbound messages to the appropriated IKE_SA.

   IKEv2 Header Configuration Attributes # [RFC7296] section 3.1
       - MjVer: The IKEv2 Major version (set to 2)
       - MnVer: The IKEv2 Minor version (set to 0)
       - SPI-generation-policies

   IKEv2 Header Operational Attributes (1 per IKE_SA)
       - Initiator SPI
       - Responder SPI


   Anti-Replay Mechanism describes when message should be rejected or
   considered by the IKEv2 daemon. The anti-replay mechanism is defined
   for each session. Although the configuration attributed may be
   shared for the whole IKEv2 daemon, the operational attributes are
   expected to be duplicated for each IKE_SA. The following attributes
   are thus considered.

     . Window Size defines how much parallel exchange can be performed
        between the peers. By default this value is set to 1. When
        greater than 1, as defined in [RFC7296] section 2.3, a


Tran, et al.          Expires September 18, 2016               [Page 5]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


        SET_WINDOW_SIZE Notify Payloads will be sent by the peer to
        agree with the other peer on the Window Size. After this
        exchange succeeds, the operational attribute that defines the
        Window Size used by the IKE_SA, will be updated with the value
        agreed by the peers.
     . Optional Enable INVALID_MESSAGE_ID defines whether an optional
        INVALID_MESSAGE_ID Notify Payload is sent when the IKEv2
        message received is outside the Operational Window Size.
     . Operational Window Size defines the Window size considered by
        the IKE_SA. When the IKE_SA is created, it is set to 1. This
        value is updated only once the peers have agreed on another
        Window Size value with the SET_WINDOW_SIZE informational
        exchange.
     . Peer Request MESSAGE ID stores the Message ID of the last
        request received by the peer.
     . Peer Request MESSAGE ID stores the Message ID of the last
        response received by the peer.
     . Local Request MESSAGE ID stores the Message ID of the last
        request received by the local host.
     . Local Request MESSAGE ID stores the Message ID of the last
        response received by the local host.

   Anti-Replay Mechanism Configuration Attributes
       - Window Size                        # [RFC7296] section 2.3
       - Optional Enable INVALID_MESSAGE_ID # [RFC7296] section 2.3

   Anti-Replay Mechanism Operational Attributes (1 per IKE_SA)
       - Operational Window Size = 1 # [RFC7296] section 2.3
       - Peer Request MESSAGE ID     # [RFC7296] section 2.2
       - Peer Response MESSAGE_ID    # [RFC7296] section 2.2
       - Local Request MESSAGE_ID    # [RFC7296] section 2.2
       - Local Response MESSAGE_ID   # [RFC7296] section 2.2

















Tran, et al.          Expires September 18, 2016               [Page 6]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


IKEv2 Retransmission defines the necessary attributes to manage the
retransmission of message by the IKEv2 daemon. Such attributes are not
necessary for interoperability and as such are not defined in
[RFC7296]. However, retransmission mechanism is described in [RFC7296]
section 2.1. Although the configuration mechanism may be common to the
IKEv2 daemon, the operational attributes are expected to be defined for
each IKE_SA exchange. The number of parallel IKEv2 exchange is defined
by Window Size.

     . Max Retries: [RFC7256] section 2.1 mentions that when
        retransmission fails, all states associated to the IKE SA MUST
        be removed.
     . Initial Retransmission Timeout: [RFC7256] section 2.1 mentions
        the retransmission timeout is not expected to be a fix value,
        but instead it should depend on the on number of retries. How
        the retransmission-timer value is set depends on the
        Retransmission Timer Policy.
     . Retransmission Timer Policy: defines of the Retransmission
        Timer should be computed.
     . Response Buffer Timeout: (section 2.1 of RFC7256). This timer
        set when the response buffer can be clean when the message ID
        is not being updated. It value is expected to be in the order
        of several minutes.
     . Retries: Defines the number of retries for a given exchange.
        The number of exchange is defined by the Window Size.
     . Retransmission Timeout: is an operational attribute that set
        how long the IKEv2 daemon should wait until a retransmission
        occurs. This attribute is derived from the Retransmission Timer
        Policy and the Initial Retransmission Timeout.
     . Retransmission Timer: is an operational attribute that defines
        the time the response is being waited for. When its value
        reaches, Retransmission Timeout, a retransmission occurs. This
        Timer is set for each exchange.
     . Response Buffer Timer: is an operational value that counts the
        time each Message ID is stored. There is a timer associated to
        each Message ID.


   IKEv2 Retransmission Configuration Attributes
       - Max Retries                    # [RFC7296] section 2.1
       - Initial Retransmission Timeout # [RFC7296] section 2.1
       - Retransmission Timeout Policy
       - Max Response Buffer Timeout    # [RFC7296] section 2.1
       - Keep-Alive Timeout
       - NAT Keep-Alive Timeout




Tran, et al.          Expires September 18, 2016               [Page 7]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


   IKEv2 Retransmission Operational Attributes (Window Size per IKE_SA)
       - Retries
       - Retransmission Timeout
       - Retransmission Timer
       - Response Buffer Timer
       - Keep-Alive Timer
       - NAT Keep-Alive Timer


   IKEv2 COOKIE MECHANISM Configuration Attributes
       - COOKIE Lifetime
       - Half Open IKE_SA Threshold

   IKEv2 COOKIE MECHANISM Operational Attributes (Window Size per
   IKE_SA)
       - Half Open IKE_SA Counter


   IKEv2 VENDOR ID Configuration Attributes

      - OPAQUE VALUES



3.2. IKEv2_INIT Exchange

   This section provides the necessary configuration attributes so the
   IKE_INIT exchange can be performed.

   Authorized DH is an ordered list that contains DH Transform. DH
   Transforms are ordered by preference. Such ordering avoids setting
   an additional preference field. The Initiator will choose the first
   and most preferred DH Transform to initiate the IKE_INIT. The DH
   public key will be generated and the chosen DH Transform will be
   included into the Transform Type 4 of the SAi1. If the DH Transform
   is not accepted by the Responder, the Initiator may check the
   acceptable DH Transform of the responder is acceptable by the
   initiator.

   IKE_SA Proposals defines the proposals similarly to the proposals
   structure of SA1i. Note that the IKEv2 daemon is expected to place
   the appropriated Transform of Type 4, that it the chosen DH
   Transform. In addition, the IKEv2 daemons associates each transform
   to an ID to build SA1i.





Tran, et al.          Expires September 18, 2016               [Page 8]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


   Optional IKE_INIT Responder CERTREQ indicates whether the
   Certification authority supported by the responder should be added
   into the response.

   Authorized Certification Authorities lists the CA considered by the
   responder.

   Supported IKEv2 Options defines the option supported by the IKEv2
   daemon. Some options should be considered in the IKE_INIT exchange,
   other should be considered in the IKE_AUTH exchange. To avoid
   duplication of the supported IKEv2 Options, they are all indicated
   here. Each Option may be associated some specific configuration and
   operational attributes detailed.



   IKEv2_INIT Exchange Configuration Attributes:

   ## Attributes Model is common to object so it is defined as
   ## a preambule
   Attributes [list]
       - Attribute
           - Attribute Type
           - Attribute Value

   ## Ordered list of the authorized DH
   Authorized DH [list]
       - DH Transform
           - Name
           - Attributes

   ## Ordered list of proposals, the preference is indicated by the Num
   IKE_SA Proposals [list]
       - IKE_SA Proposal
           - Proposal Num  # specify the order the proposals are sent.
                           # Need to check there are no two identical
                           # numbers
           - Protocol: IKE # It has a fix value
           - Transform Type 1: Encryption Algorithm [list]
               - ENCR Transform
                   - Name
                   - Attributes
           - Transform Type 2: PRF [list]
               - PRF Transform
                   - Name
           - Transform Type 3: Integrity check Algorithm [list]
               - INTEG Transform


Tran, et al.          Expires September 18, 2016               [Page 9]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


                   - Name
                   - Attributes
           ##- Transform Type 4: Diffie Hellman Group
           ## RFC7296 this MUST be the DH Transform used in the KEi


   ## lists the authorized Certification Authorities
   Authorized Certification_Authorities [list]
       - Certification Authority
           - Cert Encoding
           - Cert Value

   Optional IKE_INIT Responder CERTREQ

   ## IKEv2 options
   Supported IKEv2 Options
       ## sent during the IKE_INIT
       - NAT_DETECTION_SOURCE_IP
       - NAT_DETECTION_DESTINATION_IP
       - REDIRECT_SUPPORTED
       - IKEV2_FRAGMENTATION_SUPPORTED
       ## sent during the IKE_AUTH
       - MOBIKE_SUPPORTED
       - ROHC_SUPPORTED
       - CHILDLESS_IKEV2_SUPPORTED
       - IKEV2_MESSAGE_ID_SYNC_SUPPORTED
       - IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED
       - ERX_SUPPORTED
       - CLONE_IKE_SA_SUPPORTED




   Section 1 of [RFC7296] provides a description of the IKEv2
   exchanges. The purpose of the first exchange is that the initiator
   and the responder are able to set a IKE SA. The IKE SA can be seen
   as a control channel between the initiator and the responder that
   will be used for further negotiations. To reach an agreement on the
   IKE SA, the initiator and the responder must agree on the SKEYSEED
   (KEi, Ni KEr, Nr payloads) that is a Diffie Hellman value and nonces
   used to derived the cryptographic keys for the IKE SA and further
   IPsec SA or Child SA. In addition, the initiator and the respond
   must agree on how the IKE SA will use the cryptographic material
   (SAi1, SAr1).





Tran, et al.          Expires September 18, 2016              [Page 10]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


   The IKE_INIT exchange is represented below:

   Initiator                         Responder
   -------------------------------------------------------------------
   HDR, SAi1, KEi, Ni  -->
                               <--  HDR, SAr1, KEr, Nr, [CERTREQ]

   All header of the IKEv2 payloads have a header which is built from
   the IKEv2 Header values as well as the IKE_SA for the SPI values.

   KEi is derived from Authorized DH that is an ordered list of DH
   parameters. The public key is not stored into the model and is
   computed by the initiator. The chosen transform MUST be inserted in
   Transform 4 of IKE_SA Proposal in SA1i.

   KEr is able to determine whether KEi is acceptable from the
   Authorized DH. In case the the KEi is not acceptable, the responder
   responds with an INVALID_KE_PAYLOAD.



   SAi1 is derived from IKE_SA Proposals and KEi

   SAr1: is derived by comparing the proposals from SA1i and the IKE_SA
   Proposals. The responder is able to chose the appropriated IKE
   proposal as well as to define whether none of the SAi1 is
   acceptable.

   Optional IKE_INIT Responder CERTREQ indicates whether the responder
   sends CERTREQ payloads, the following attribute should be defined.
   When set to true, one CERTREQ payload is provided per Certification
   Authority in the Authorized Certification Authority.

   When the NAT_DETECTION_SOURCE_IP, NAT_DETECTION_DESTINATION_IP,
   REDIRECT_SUPPORTED or IKEV2_FRAGMENTATION_SUPPORTED have been
   enabled, then additional notify payloads are added by the initiator.
   Unless not supported by the responder, the responder responds to
   them with an additional Notify payload.











Tran, et al.          Expires September 18, 2016              [Page 11]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


3.3. Creation of the IKE_SA

   In this model, it is assumed that the IKE_SA represents the relation
   between the initiator and the responder. It is expected that the
   IKE_SA model is created as soon as a peer initiates a IKE_INIT
   exchange as well as a peer receives a new IKE_INIT request. Of
   course this is implementation dependent, but the model relies on
   this assumption.



   The IKE_SA information model is represented with the following
   attributes:

      - Role: defines if the local peer acts as an initiator or as a
        responder.
      - Local IP address: defines the IP address used by the local
        peer.
      - Remote IP address: defines the IP address of the remote peer.
      - Cryptographic material is derived after the IKE_INIT exchange.
        The IKE_SA may keep the original material SKEYSEED and Nonces
        Ni, Nr used to generate the necessary keys SK_d, SK_ai, SK_ar,
        SK_ei, SK_er, SK_pi, SK_pr. The following keys are used to
        protect the exchange.
      - IKE SA Proposal: the agreed IKE_SA proposal.
      - IKEv2 Header: the header with the agreed SPI values.
      - IKEv2 Anti Replay Mechanism which contains the agreed (or to be
        agreed Window Size) and current Message IDs. According to
        RFC7296 section 2.2 Message IDs of the INKE_INIT exchange are
        set to 0 during the IKE_INIT exchange.
      - IKEv2 Retransmission CTX that contains the element to enable
        retransmission for all ongoing exchange.
      - IDi/IDr, Credentials are defined during the IKE_AUTH exchange.
      - Vendor IDs.
      - Supported IKEv2 Option CTX contains all necessary context
        associated to the different IKEv2 Options.













Tran, et al.          Expires September 18, 2016              [Page 12]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


   IKE_SA Operational Attributes

   IKE_SA
       - Role
       - Local IP address
       - Remote IP address
       - Cryptographic material
           - SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi, SK_pr
           - SKEYSEED, Nonces
       - IKE_SA lifetime
       - IKE SA Proposal                 ## cf IKE_INIT section
       - IKEv2 Header                    ## cf Transport section
       - IKEv2 Anti Replay Mechanism     ## cf Transport section
       - IKEv2 Retransmission CTX [list Window Size] ## cf Transport
                                                        section
           - IKEv2 Retransmission
       - IDi                             ## cf IKE_AUTH section
       - IDr                             ## cf IKE_AUTH section
       - Credentials                     ## fc IKE_AUTH section
       - Vendor ID
       - Supported IKEv2 Option CTX [list]




























Tran, et al.          Expires September 18, 2016              [Page 13]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


3.4. IKE_AUTH Exchange



   This section provides the attributes associated to the IKE_AUTH
   exchange.



   The IKE_AUTH and CREATE_CHILD_SA exchange is represented below.
   The IKE_AUTH exchange goal is to authenticate the respective
   peers and the CREATE_CHILD_SA exchange intends to creates the
   PIsec SA.


   HDR, SK {IDi, [CERT,] [CERTREQ,]
     [IDr,] AUTH, SAi2,
     TSi, TSr}  -->
                              <--  HDR, SK {IDr, [CERT,] AUTH,
                                       SAr2, TSi, TSr}




   Authentication is performed by providing an identity as well as a
   proof of ownership associated to that identity. The Initiator and
   Responder may have multiple identities and choose one. The Initiator
   may choose a specific identity according to the expected responder,
   and vise versa, the responder may choose a specific identity
   according to the initiator identity (IDi) as well as the acceptable
   Certificate Authorities of the initiator (CERTREQ) or the
   Certificate Authority of the initiator, that is the one used in its
   Certificate (CERT).

   Available Signing Capabilities defines the signing capabilities of
   the IKEv2 daemon. A Signing capability is defined by a method and
   some Authentication Material such as a public key for example, or a
   certificate.

   Available Hash Capabilities and and Available Signature Verification
   defines which are the acceptable authentication method provided by
   the remote peer. In other words, outside these Signature
   Verification and Hash Capabilities the peer will not be able to be
   authenticated. The difference with Available Signing Capabilities is
   that in this case, no credentials are required. For example a RSA
   signature may be checked without the peer own a RSA private key. Has
   and Signature are placed in different attributes as a signature


Tran, et al.          Expires September 18, 2016              [Page 14]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


   verification often results in a combination of these two structures.
   The authentication life time indicates when re-authentication needs
   to be performed. The minimum of the two values should be considered.

   Local IDs lists the various IDs the Local IKEv2 daemon may use to
   identify itself. The Preference field indicates which one should be
   used preferably, but in most cases, it is expected that the Local Id
   to use will depend on teh remote peer.

   Peer is the database of the Peer attributes. A Peer is defined by a
   list of IDr and a role. Once the Peer has been identified, it may be
   associated to some specific attributes to proceed the IKE_AUTH
   exchange.  For example, suppose that the Local Peer want to set an
   IKE session with a Remote Peer, and both Peers have multiple IDs.
   When the Local Peer wants to reach the Remote Peer, it may use a
   specific IDi and request a specific IDr for that session. In
   addition, it can also redefine all configuration attributes
   previously defined for the IKE-Transport, IKE_INIT and IKE_AUTH.

   Note that The definition of the Preferred IDr is only mandatory when
   the Local Peer initiates the exchange, so when the Remote Peer is a
   responder. In that case, the IDi and IDr will be use to provide the
   appropriated parameters for the CREATE_CHILD_SA exchange. As
   detailed in Section 4.4.3 of RFC4301, the PAD use used to provide
   such binding.

   Optional attributes defines whether the optional payloads should be
   added or if an additional notification payload should be exchanged.



   IKEv2_AUTH Configuration Attributes

   Available Signing Capabilities [list]
       - Authentication Method
       - Authentication Method Name
       - Authentication Material
           - Authentication Material Type
           - Authentication Material Data

   ## CERT Authentication Material
       - Authentication Material Type = CERT
       - Authentication Material Data
           - Cert Encoding
           - Cert Value




Tran, et al.          Expires September 18, 2016              [Page 15]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


   Available Hash Capabilities [list]
        - Hash Method
        - Authentication Life Time

   Available Signature Verification [list]
       - Authentication Method Name
       - Authentication Life Time

   Local IDs [list]
      - Local ID
          - preference
            - ID type
            - ID value


   Peers [list]
       - Peer
           - PeerIDs [list] # use to identify the peer
               - IDr
           - Role initiator / responder / any # this is only to make
   sure we can have different policies depending on who initiates the
   communication.
           - Sessions [list]
               - Session
                   - Session Label
                   - IDi
                   ## When initiating an IKEv2 exchange with Peer
                   - IDr
                   ## Can set (redefine) all configuration attributes
                   - IKE_Tranport Attributes
                   - IKE_INIT Attributes
                   - IKE_AUTH Attributes
                   - ...
                   - Optional Configuration Request
                       - INTERNAL_ADDRESS
                       - ...
                   - Optional Configuration Reply
                       - INTERNAL_ADDRESS

   Optional Enable INITIAL_CONTACT #[RFC7296] section 2.4
   Optional IKE_AUTH Initiator CERTREQ
   Optional IKE_AUTH Initiator CERT
   Optional IKE_AUTH Initiator-IDr
   Optional IKE_AUTH Responder-CERT





Tran, et al.          Expires September 18, 2016              [Page 16]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


3.5. IKEv2 Configuration Data Model

      This section will present the YANG data model for IKEv2. The
   IKEv2 data model provides the appropriate leaves for configuring the
   IKEv2 protocol.  The IKEv2 YANG data model has the following
   structure:


   module: ietf-ikev2
      +--rw ikev2 {ikev2}?
      |  +--rw transport {ikev2-transport}?
      |  +--rw init {ikev2-init}?
      |  +--rw sa {ikev2-sa}?
      |  +--rw peer* [peer-address] {ikev2-peer}?



   The tree detail is:


      +--rw ikev2 {ikev2}?
      |  +--rw transport {ikev2-transport}?
      |  |  +--rw base-info
      |  |  |  +--rw major-version?           uint8
      |  |  |  +--rw minor-version?           uint8
      |  |  |  +--rw spi-generation-policy?   string
      |  |  +--rw anti-replay-mechanism
      |  |  |  +--rw window-size?                    uint32
      |  |  |  +--rw enable-notify-invalid-msg-id?   empty {ikev2-transport-enable-notify-
   invalid-msg-id}?
      |  |  +--rw retransmision {ikev2-transport-retransmission}?
      |  |  |  +--rw max-retries?                      uint32
      |  |  |  +--rw initial-retransmission-timeout?   uint32
      |  |  |  +--rw retransmission-timeout-policy?    string
      |  |  |  +--rw max-response-buffer-timeout?      uint32
      |  |  |  +--rw keepalive-timeout?                uint32
      |  |  |  +--rw nat-keepalive-timeout?            uint32
      |  |  +--rw cookie-mechanism {ikev2-transport-cookie-mechanism}?
      |  |  |  +--rw cookie-lifetime?              uint32
      |  |  |  +--rw half-open-ike-sa-threshold?   uint32
      |  |  +--rw vendor-id?               uint64
      |  +--rw init {ikev2-init}?
      |  |  +--rw authorized-dh* [dhg key-length] {ikev2-init-authorized-dh}?
      |  |  |  +--rw dhg           ikev2-crypto:ikev2-diffie-hellman-group-t
      |  |  |  +--rw key-length    uint32
      |  |  +--rw proposal* [number]
      |  |  |  +--rw name?                            string
      |  |  |  +--rw description?                     string
      |  |  |  +--rw transform-encr-algorithm* [encr-algorithm key-length]
      |  |  |  |  +--rw encr-algorithm    ikev2-crypto:ikev2-encryption-algorithm-t
      |  |  |  |  +--rw key-length        uint32
      |  |  |  +--rw transform-prf-algorithm* [prf-algorithm key-length]
      |  |  |  |  +--rw prf-algorithm    ikev2-crypto:ikev2-pseudo-random-function-t


Tran, et al.          Expires September 18, 2016              [Page 17]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016

      |  |  |  |  +--rw key-length       uint32
      |  |  |  +--rw transform-integrity-algorithm* [integrity-algorithm key-length]
      |  |  |  |  +--rw integrity-algorithm    ikev2-crypto:ikev2-integrity-algorithm-t
      |  |  |  |  +--rw key-length             uint32
      |  |  |  +--rw transform-dh* [dh key-length]
      |  |  |  |  +--rw dh            ikev2-crypto:ikev2-diffie-hellman-group-t
      |  |  |  |  +--rw key-length    uint32
      |  |  |  +--rw number                           uint32
      |  |  |  +--rw protocol?                        ikev2-crypto:ikev2-protocol-identifiers-
   t
      |  |  +--rw optional {ikev2-init-optional}?
      |  |  |  +--rw nat-detection-source-ip {ikev2-init-nat-detection-src-ip}?
      |  |  |  |  +--rw (ip-address)?
      |  |  |  |  |  +--:(ipv4-address)
      |  |  |  |  |  |  +--rw ipv4-address?             inet:ipv4-address
      |  |  |  |  |  +--:(ipv6-address)
      |  |  |  |  |     +--rw ipv6-address?             inet:ipv6-address
      |  |  |  |  +--rw nat-keepalive-interval?   uint16
      |  |  |  +--rw nat-detection-destination-ip {ikev2-init-nat-detection-destination-ip}?
      |  |  |  |  +--rw (ip-address)?
      |  |  |  |  |  +--:(ipv4-address)
      |  |  |  |  |  |  +--rw ipv4-address?             inet:ipv4-address
      |  |  |  |  |  +--:(ipv6-address)
      |  |  |  |  |     +--rw ipv6-address?             inet:ipv6-address
      |  |  |  |  +--rw nat-keepalive-interval?   uint16
      |  |  |  +--rw redirect-supported?                    boolean {ikev2-init-redirect-
   supported}?
      |  |  |  +--rw fragmentation-supported?               boolean {ikev2-init-fragmentation-
   supported}?
      |  |  |  +--rw mobike-supported?                      boolean {ikev2-auth-mobike-
   supported}?
      |  |  |  +--rw rohc-supported?                        boolean {ikev2-auth-rohc-
   supported}?
      |  |  |  +--rw childless-ikev2-supported?             boolean {ikev2-auth-childless-
   supported}?
      |  |  |  +--rw message-id-sync-supported?             boolean {ikev2-auth-message-id-
   supported}?
      |  |  |  +--rw ipsec-replay-counter-sync-supported?   boolean {ikev2-auth-ipsec-replay-
   counter-sync-supported}?
      |  |  |  +--rw erx-supported?                         boolean {ikev2-auth-erx-
   supported}?
      |  |  |  +--rw clone-ike-sa-supported?                boolean {ikev2-auth-clone-ike-sa-
   supported}?
      |  |  +--rw auth-method?            ikev2-crypto:ikev2-authentication-method-t
      |  |  +--rw responder-certreq {ikev2-init-responder-certreq}?
      |  |  |  +--rw cert-encoding?   ikev2-crypto:ikev2-cert-encoding-t
      |  |  |  +--rw cert-value?      uint32
      |  |  +--rw config-request
      |  |  |  +--rw (ip-address)?
      |  |  |     +--:(ipv4-address)
      |  |  |     |  +--rw ipv4-address?   inet:ipv4-address
      |  |  |     +--:(ipv6-address)
      |  |  |        +--rw ipv6-address?   inet:ipv6-address
      |  |  +--rw config-responder
      |  |  |  +--rw (ip-address)?


Tran, et al.          Expires September 18, 2016              [Page 18]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016

      |  |  |     +--:(ipv4-address)
      |  |  |     |  +--rw ipv4-address?   inet:ipv4-address
      |  |  |     +--:(ipv6-address)
      |  |  |        +--rw ipv6-address?   inet:ipv6-address
      |  |  +--rw authorized-cert-auth* [cert-encoding] {ikev2-init-authorized-certification-
   auth}?
      |  |     +--rw cert-encoding    ikev2-crypto:ikev2-cert-encoding-t
      |  |     +--rw cert-value?      uint32
      |  +--rw sa {ikev2-sa}?
      |  |  +--rw role?                       role-t
      |  |  +--rw local-ip-address
      |  |  |  +--rw (ip-address)?
      |  |  |     +--:(ipv4-address)
      |  |  |     |  +--rw ipv4-address?   inet:ipv4-address
      |  |  |     +--:(ipv6-address)
      |  |  |        +--rw ipv6-address?   inet:ipv6-address
      |  |  +--rw remote-ip-address
      |  |  |  +--rw (ip-address)?
      |  |  |     +--:(ipv4-address)
      |  |  |     |  +--rw ipv4-address?   inet:ipv4-address
      |  |  |     +--:(ipv6-address)
      |  |  |        +--rw ipv6-address?   inet:ipv6-address
      |  |  +--rw cryptgraphic?               cryptographic-material-t
      |  |  +--rw lifetime?                   uint32
      |  |  +--rw proposal?                   ikev2-proposal-number-ref
      |  |  +--rw base-info
      |  |  |  +--rw major-version?           uint8
      |  |  |  +--rw minor-version?           uint8
      |  |  |  +--rw spi-generation-policy?   string
      |  |  +--rw anti-replay-mechanism
      |  |  |  +--rw window-size?                    uint32
      |  |  |  +--rw enable-notify-invalid-msg-id?   empty {ikev2-transport-enable-notify-
   invalid-msg-id}?
      |  |  +--rw retransmistion-ctx* [window-id]
      |  |  |  +--rw window-id        uint32
      |  |  |  +--rw retransmision {ikev2-transport-retransmission}?
      |  |  |     +--rw max-retries?                      uint32
      |  |  |     +--rw initial-retransmission-timeout?   uint32
      |  |  |     +--rw retransmission-timeout-policy?    string
      |  |  |     +--rw max-response-buffer-timeout?      uint32
      |  |  |     +--rw keepalive-timeout?                uint32
      |  |  |     +--rw nat-keepalive-timeout?            uint32
      |  |  +--rw initiator-id
      |  |  |  +--rw initiator-id-type?   ikev2-crypto:pad-type-t
      |  |  |  +--rw initiator-id?        string
      |  |  +--rw responder-id
      |  |  |  +--rw responder-id-type?   ikev2-crypto:pad-type-t
      |  |  |  +--rw responder-id?        string
      |  |  +--rw cert-authentication-type?   string
      |  |  +--rw cert-auth
      |  |  |  +--rw cert-auth-encoding?   ikev2-crypto:ikev2-cert-encoding-t
      |  |  |  +--rw cert-auth-value?      uint32
      |  |  +--rw vendor-id?                  uint64
      |  |  +--rw optional-ctx* [window-id]
      |  |     +--rw window-id    uint32


Tran, et al.          Expires September 18, 2016              [Page 19]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016

      |  |     +--rw optional {ikev2-init-optional}?
      |  |        +--rw nat-detection-source-ip {ikev2-init-nat-detection-src-ip}?
      |  |        |  +--rw (ip-address)?
      |  |        |  |  +--:(ipv4-address)
      |  |        |  |  |  +--rw ipv4-address?             inet:ipv4-address
      |  |        |  |  +--:(ipv6-address)
      |  |        |  |     +--rw ipv6-address?             inet:ipv6-address
      |  |        |  +--rw nat-keepalive-interval?   uint16
      |  |        +--rw nat-detection-destination-ip {ikev2-init-nat-detection-destination-
   ip}?
      |  |        |  +--rw (ip-address)?
      |  |        |  |  +--:(ipv4-address)
      |  |        |  |  |  +--rw ipv4-address?             inet:ipv4-address
      |  |        |  |  +--:(ipv6-address)
      |  |        |  |     +--rw ipv6-address?             inet:ipv6-address
      |  |        |  +--rw nat-keepalive-interval?   uint16
      |  |        +--rw redirect-supported?                    boolean {ikev2-init-redirect-
   supported}?
      |  |        +--rw fragmentation-supported?               boolean {ikev2-init-
   fragmentation-supported}?
      |  |        +--rw mobike-supported?                      boolean {ikev2-auth-mobike-
   supported}?
      |  |        +--rw rohc-supported?                        boolean {ikev2-auth-rohc-
   supported}?
      |  |        +--rw childless-ikev2-supported?             boolean {ikev2-auth-childless-
   supported}?
      |  |        +--rw message-id-sync-supported?             boolean {ikev2-auth-message-id-
   supported}?
      |  |        +--rw ipsec-replay-counter-sync-supported?   boolean {ikev2-auth-ipsec-
   replay-counter-sync-supported}?
      |  |        +--rw erx-supported?                         boolean {ikev2-auth-erx-
   supported}?
      |  |        +--rw clone-ike-sa-supported?                boolean {ikev2-auth-clone-ike-
   sa-supported}?
      |  +--rw peer* [peer-address] {ikev2-peer}?
      |     +--rw peer-address       string
      |     +--rw role?              role-t
      |     +--rw peer-id-entries* [peer-id peer-id-type]
      |     |  +--rw peer-id-type    ikev2-crypto:pad-type-t
      |     |  +--rw peer-id         string
      |     +--rw session* [session-label]
      |     |  +--rw session-label       string
      |     |  +--rw initiator-id
      |     |  |  +--rw initiator-id-type?   ikev2-crypto:pad-type-t
      |     |  |  +--rw initiator-id?        string
      |     |  +--rw responder-id
      |     |  |  +--rw responder-id-type?   ikev2-crypto:pad-type-t
      |     |  |  +--rw responder-id?        string
      |     |  +--rw transport {ikev2-transport}?
      |     |  |  +--rw base-info
      |     |  |  |  +--rw major-version?           uint8
      |     |  |  |  +--rw minor-version?           uint8
      |     |  |  |  +--rw spi-generation-policy?   string
      |     |  |  +--rw anti-replay-mechanism
      |     |  |  |  +--rw window-size?                    uint32


Tran, et al.          Expires September 18, 2016              [Page 20]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016

      |     |  |  |  +--rw enable-notify-invalid-msg-id?   empty {ikev2-transport-enable-
   notify-invalid-msg-id}?
      |     |  |  +--rw retransmision {ikev2-transport-retransmission}?
      |     |  |  |  +--rw max-retries?                      uint32
      |     |  |  |  +--rw initial-retransmission-timeout?   uint32
      |     |  |  |  +--rw retransmission-timeout-policy?    string
      |     |  |  |  +--rw max-response-buffer-timeout?      uint32
      |     |  |  |  +--rw keepalive-timeout?                uint32
      |     |  |  |  +--rw nat-keepalive-timeout?            uint32
      |     |  |  +--rw cookie-mechanism {ikev2-transport-cookie-mechanism}?
      |     |  |  |  +--rw cookie-lifetime?              uint32
      |     |  |  |  +--rw half-open-ike-sa-threshold?   uint32
      |     |  |  +--rw vendor-id?               uint64
      |     |  +--rw init {ikev2-init}?
      |     |  |  +--rw authorized-dh* [dhg key-length] {ikev2-init-authorized-dh}?
      |     |  |  |  +--rw dhg           ikev2-crypto:ikev2-diffie-hellman-group-t
      |     |  |  |  +--rw key-length    uint32
      |     |  |  +--rw proposal* [number]
      |     |  |  |  +--rw name?                            string
      |     |  |  |  +--rw description?                     string
      |     |  |  |  +--rw transform-encr-algorithm* [encr-algorithm key-length]
      |     |  |  |  |  +--rw encr-algorithm    ikev2-crypto:ikev2-encryption-algorithm-t
      |     |  |  |  |  +--rw key-length        uint32
      |     |  |  |  +--rw transform-prf-algorithm* [prf-algorithm key-length]
      |     |  |  |  |  +--rw prf-algorithm    ikev2-crypto:ikev2-pseudo-random-function-t
      |     |  |  |  |  +--rw key-length       uint32
      |     |  |  |  +--rw transform-integrity-algorithm* [integrity-algorithm key-length]
      |     |  |  |  |  +--rw integrity-algorithm    ikev2-crypto:ikev2-integrity-algorithm-t
      |     |  |  |  |  +--rw key-length             uint32
      |     |  |  |  +--rw transform-dh* [dh key-length]
      |     |  |  |  |  +--rw dh            ikev2-crypto:ikev2-diffie-hellman-group-t
      |     |  |  |  |  +--rw key-length    uint32
      |     |  |  |  +--rw number                           uint32
      |     |  |  |  +--rw protocol?                        ikev2-crypto:ikev2-protocol-
   identifiers-t
      |     |  |  +--rw optional {ikev2-init-optional}?
      |     |  |  |  +--rw nat-detection-source-ip {ikev2-init-nat-detection-src-ip}?
      |     |  |  |  |  +--rw (ip-address)?
      |     |  |  |  |  |  +--:(ipv4-address)
      |     |  |  |  |  |  |  +--rw ipv4-address?             inet:ipv4-address
      |     |  |  |  |  |  +--:(ipv6-address)
      |     |  |  |  |  |     +--rw ipv6-address?             inet:ipv6-address
      |     |  |  |  |  +--rw nat-keepalive-interval?   uint16
      |     |  |  |  +--rw nat-detection-destination-ip {ikev2-init-nat-detection-destination-
   ip}?
      |     |  |  |  |  +--rw (ip-address)?
      |     |  |  |  |  |  +--:(ipv4-address)
      |     |  |  |  |  |  |  +--rw ipv4-address?             inet:ipv4-address
      |     |  |  |  |  |  +--:(ipv6-address)
      |     |  |  |  |  |     +--rw ipv6-address?             inet:ipv6-address
      |     |  |  |  |  +--rw nat-keepalive-interval?   uint16
      |     |  |  |  +--rw redirect-supported?                    boolean {ikev2-init-
   redirect-supported}?
      |     |  |  |  +--rw fragmentation-supported?               boolean {ikev2-init-
   fragmentation-supported}?


Tran, et al.          Expires September 18, 2016              [Page 21]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016

      |     |  |  |  +--rw mobike-supported?                      boolean {ikev2-auth-mobike-
   supported}?
      |     |  |  |  +--rw rohc-supported?                        boolean {ikev2-auth-rohc-
   supported}?
      |     |  |  |  +--rw childless-ikev2-supported?             boolean {ikev2-auth-
   childless-supported}?
      |     |  |  |  +--rw message-id-sync-supported?             boolean {ikev2-auth-message-
   id-supported}?
      |     |  |  |  +--rw ipsec-replay-counter-sync-supported?   boolean {ikev2-auth-ipsec-
   replay-counter-sync-supported}?
      |     |  |  |  +--rw erx-supported?                         boolean {ikev2-auth-erx-
   supported}?
      |     |  |  |  +--rw clone-ike-sa-supported?                boolean {ikev2-auth-clone-
   ike-sa-supported}?
      |     |  |  +--rw auth-method?            ikev2-crypto:ikev2-authentication-method-t
      |     |  |  +--rw responder-certreq {ikev2-init-responder-certreq}?
      |     |  |  |  +--rw cert-encoding?   ikev2-crypto:ikev2-cert-encoding-t
      |     |  |  |  +--rw cert-value?      uint32
      |     |  |  +--rw config-request
      |     |  |  |  +--rw (ip-address)?
      |     |  |  |     +--:(ipv4-address)
      |     |  |  |     |  +--rw ipv4-address?   inet:ipv4-address
      |     |  |  |     +--:(ipv6-address)
      |     |  |  |        +--rw ipv6-address?   inet:ipv6-address
      |     |  |  +--rw config-responder
      |     |  |  |  +--rw (ip-address)?
      |     |  |  |     +--:(ipv4-address)
      |     |  |  |     |  +--rw ipv4-address?   inet:ipv4-address
      |     |  |  |     +--:(ipv6-address)
      |     |  |  |        +--rw ipv6-address?   inet:ipv6-address
      |     |  |  +--rw authorized-cert-auth* [cert-encoding] {ikev2-init-authorized-
   certification-auth}?
      |     |  |     +--rw cert-encoding    ikev2-crypto:ikev2-cert-encoding-t
      |     |  |     +--rw cert-value?      uint32
      |     |  +--rw auth {ikev2-auth}?
      |     |  |  +--rw avail-signing-capabilities* [auth-method-name]
      |     |  |  |  +--rw auth-method-name      string
      |     |  |  |  +--rw auth-method?          ikev2-crypto:ikev2-authentication-method-t
      |     |  |  |  +--rw auth-material-data?   string
      |     |  |  +--rw cert-auth
      |     |  |  |  +--rw cert-auth-encoding?   ikev2-crypto:ikev2-cert-encoding-t
      |     |  |  |  +--rw cert-auth-value?      uint32
      |     |  |  +--rw avail-hash* [hash-method]
      |     |  |  |  +--rw hash-method           string
      |     |  |  |  +--rw auth-hash-lifetime?   uint32
      |     |  |  +--rw avail-signature-verify* [signature-id]
      |     |  |  |  +--rw signature-id          string
      |     |  |  |  +--rw signature-lifetime?   uint32
      |     |  |  +--rw local-id* [host-id]
      |     |  |  |  +--rw host-id       string
      |     |  |  |  +--rw preference?   string
      |     |  |  |  +--rw id-type?      string
      |     |  |  |  +--rw id-value?     string
      |     |  |  +--rw authorized-certificate-authority
      |     |  |     +--rw cert-encoding?   ikev2-crypto:ikev2-cert-encoding-t


Tran, et al.          Expires September 18, 2016              [Page 22]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016

      |     |  |     +--rw cert-value?      uint32
      |     |  +--rw config-request
      |     |  |  +--rw (ip-address)?
      |     |  |     +--:(ipv4-address)
      |     |  |     |  +--rw ipv4-address?   inet:ipv4-address
      |     |  |     +--:(ipv6-address)
      |     |  |        +--rw ipv6-address?   inet:ipv6-address
      |     |  +--rw config-responder
      |     |     +--rw (ip-address)?
      |     |        +--:(ipv4-address)
      |     |        |  +--rw ipv4-address?   inet:ipv4-address
      |     |        +--:(ipv6-address)
      |     |           +--rw ipv6-address?   inet:ipv6-address
      |     +--rw preshared-key?     string
      |     +--rw nat-traversal?     boolean








































Tran, et al.          Expires September 18, 2016              [Page 23]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


3.6. IKEv2 Operation Data Model

   The IKEv2 data model provides the appropriate leaves for operational
   sattes of the IKEv2 protocol.  The IKEv2 YANG data model has the
   following structure:


   +--ro ikev2-state {ikev2-state}?
      +--ro transport-state {ikev2-transport-state}?
      +--ro ike-sa-state* [initiator-spi responder-spi]

   The tree detail is:

      +--ro ikev2-state {ikev2-state}?
      +--ro ikev2-state {ikev2-state}?
         +--ro transport-state {ikev2-transport-state}?
         |  +--ro major-version?           uint8
         |  +--ro minor-version?           uint8
         |  +--ro spi-generation-policy?   string
         |  +--ro exchange-type?           ikev2-crypto:ikev2-exchange-type-t
         |  +--ro flags?                   uint8
         +--ro sa-state* [initiator-spi responder-spi]
            +--ro initiator-spi               ipsec-spi
            +--ro responder-spi               ipsec-spi
            +--ro retransmistion-ctx* [window-id]
            |  +--ro window-id        uint32
            |  +--ro retransmision {ikev2-transport-retransmission}?
            |     +--ro max-retries?                      uint32
            |     +--ro initial-retransmission-timeout?   uint32
            |     +--ro retransmission-timeout-policy?    string
            |     +--ro max-response-buffer-timeout?      uint32
            |     +--ro keepalive-timeout?                uint32
            |     +--ro nat-keepalive-timeout?            uint32
            +--ro anti-replay-mechanism
            |  +--ro window-size?             uint32
            |  +--ro peer-request-msg-id?     uint32
            |  +--ro peer-response-msg-id?    uint32
            |  +--ro local-request-msg-id?    uint32
            |  +--ro local-response-msg-id?   uint32
            +--ro vendor-id?                  uint64
            +--ro initiator-id
            |  +--ro initiator-id-type?   ikev2-crypto:pad-type-t
            |  +--ro initiator-id?        string
            +--ro responder-id
            |  +--ro responder-id-type?   ikev2-crypto:pad-type-t
            |  +--ro responder-id?        string
            +--ro auth {ikev2-auth}?
            |  +--ro avail-signing-capabilities* [auth-method-name]
            |  |  +--ro auth-method-name      string
            |  |  +--ro auth-method?          ikev2-crypto:ikev2-authentication-method-t
            |  |  +--ro auth-material-data?   string
            |  +--ro cert-auth


Tran, et al.          Expires September 18, 2016              [Page 24]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016

            |  |  +--ro cert-auth-encoding?   ikev2-crypto:ikev2-cert-encoding-t
            |  |  +--ro cert-auth-value?      uint32
            |  +--ro avail-hash* [hash-method]
            |  |  +--ro hash-method           string
            |  |  +--ro auth-hash-lifetime?   uint32
            |  +--ro avail-signature-verify* [signature-id]
            |  |  +--ro signature-id          string
            |  |  +--ro signature-lifetime?   uint32
            |  +--ro local-id* [host-id]
            |  |  +--ro host-id       string
            |  |  +--ro preference?   string
            |  |  +--ro id-type?      string
            |  |  +--ro id-value?     string
            |  +--ro authorized-certificate-authority
            |     +--ro cert-encoding?   ikev2-crypto:ikev2-cert-encoding-t
            |     +--ro cert-value?      uint32
            +--ro half-open-ike-sa-counter?   uint32
            +--ro optional-ctx* [window-id]
               +--ro window-id    uint32
               +--ro optional {ikev2-init-optional}?
                  +--ro nat-detection-source-ip {ikev2-init-nat-detection-src-ip}?
                  |  +--ro (ip-address)?
                  |  |  +--:(ipv4-address)
                  |  |  |  +--ro ipv4-address?             inet:ipv4-address
                  |  |  +--:(ipv6-address)
                  |  |     +--ro ipv6-address?             inet:ipv6-address
                  |  +--ro nat-keepalive-interval?   uint16
                  +--ro nat-detection-destination-ip {ikev2-init-nat-detection-destination-
   ip}?
                  |  +--ro (ip-address)?
                  |  |  +--:(ipv4-address)
                  |  |  |  +--ro ipv4-address?             inet:ipv4-address
                  |  |  +--:(ipv6-address)
                  |  |     +--ro ipv6-address?             inet:ipv6-address
                  |  +--ro nat-keepalive-interval?   uint16
                  +--ro redirect-supported?                    boolean {ikev2-init-redirect-
   supported}?
                  +--ro fragmentation-supported?               boolean {ikev2-init-
   fragmentation-supported}?
                  +--ro mobike-supported?                      boolean {ikev2-auth-mobike-
   supported}?
                  +--ro rohc-supported?                        boolean {ikev2-auth-rohc-
   supported}?
                  +--ro childless-ikev2-supported?             boolean {ikev2-auth-childless-
   supported}?
                  +--ro message-id-sync-supported?             boolean {ikev2-auth-message-id-
   supported}?
                  +--ro ipsec-replay-counter-sync-supported?   boolean {ikev2-auth-ipsec-
   replay-counter-sync-supported}?
                  +--ro erx-supported?                         boolean {ikev2-auth-erx-
   supported}?
                  +--ro clone-ike-sa-supported?                boolean {ikev2-auth-clone-ike-
   sa-supported}?




Tran, et al.          Expires September 18, 2016              [Page 25]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


4. IKEv2 Crypto YANG Module

   This section will present the YANG data model for IKEv2 Crypto.

   <CODE BEGINS> file "ietf-ikev2-crypto@2016-02-26.yang"

   module ietf-ikev2-crypto {
     namespace "urn:ietf:params:xml:ns:yang:ietf-ikev2-crypto";
     prefix ikev2-crypto;

     organization "Ericsson AB.
                   Huawei Technologies India Pvt Ltd.";

     contact "Web:   <http://www.ericsson.com>";

     description
       "This YANG module defines the parameters"+
       " for IANA, Internet Key Exchange Version 2 (IKEv2)"+
       " Parameters."+
       " <http://www.rfc-editor.org/info/rfc4301>"+
       " Copyright (c) 2016 Ericsson AB."+
       " All rights reserved.";

     revision 2016-02-26 {
       description
         "First revision.";
       reference
         "RFC 7296: Internet Key Exchange Protocol Version 2.";
     }

     /*--------------------*/
     /* Typedefs           */
     /*--------------------*/

     /* IKEv2 Exchange Types (ET) */
     typedef ikev2-exchange-type-t {
       type enumeration {
         enum et-ike-sa-init {
           value 34;
           description
             "et-ike-sa-init - IKEv2 Exchange Types (ET)";
         }
         enum et-ike-auth {
           value 35;
           description
             "et-ike-auth - IKEv2 Exchange Types (ET)";
         }
         enum et-create-child-sa {
           value 36;


Tran, et al.          Expires September 18, 2016              [Page 26]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


           description
             "et-create-child-sa - IKEv2 Exchange Types (ET)";
         }
         enum et-informational {
           value 37;
           description
             "et-informational - IKEv2 Exchange Types (ET)";
         }
         enum et-ike-session-resume {
           value 38;
           description
             "et-ike-session-resume - IKEv2 Exchange Types (ET)";
         }
         enum et-gsa-auth {
           value 39;
           description
             "et-gsa-auth - IKEv2 Exchange Types (ET)";
         }
         enum et-gsa-registration {
           value 40;
           description
             "et-gsa-registration - IKEv2 Exchange Types (ET)";
         }
         enum et-gsa-rekey {
           value 41;
           description
             "et-gsa-rekey - IKEv2 Exchange Types (ET)";
         }
       }
       description
         "IKEv2 Exchange Types (ET).";
     }

      /* Transform Type Values (TTV), RFC 7296 */
      typedef ikev2-transform-type-value-t {
       type enumeration {
         enum ttv-reserved-0 {
           value 0;
           description
             "ttv-reserved-0 - Transform Type Value (TTV)"+
             " Reserved ";
         }
         enum ttv-encr {
           value 1;
           description
             "ttv-encr - Transform Type Value 1 (TTV),"+
             " Encryption Algorithm "+
             "(ENCR) used in IKE and ESP.";
         }



Tran, et al.          Expires September 18, 2016              [Page 27]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


         enum ttv-prf {
           value 2;
           description
             "ttv-prf - Transform Type Value 2 (TTV),"+
             " Pseudo-Random Function(PRF) used in IKE.";
         }
         enum ttv-integ {
           value 3;
           description
             "ttv-integ - Transform Type Value 3 (TTV),"+
             " Integrity Algorithm"+
             " (INTEG) used in IKE, AH, optional ESP.";
         }
         enum ttv-dh {
           value 4;
           description
             "ttv-dh - Transform Type Value 4 (TTV),"+
             " Diffie-Hellman (DH)"+
             " used in IKE, optional AH and ESP.";
         }
         enum ttv-esn {
           value 5;
           description
             "ttv-esn - Transform Type Value 5 (TTV),"+
             " Extended Sequence"+
             " Numbers (ESN) used in AH and ESP.";
         }
       }
       description
         "IKEv2 Transform Type Values ((TTV).";
     }

      /* IKEv2 Transform Attribute Types (TAT) */
      typedef ikev2-transform-attribute-type-t {
       type enumeration {
         enum tat-reserved-0 {
           value 0;
           description
             "tat-reserved-0 - IKEv2 Transform Attribute "+
             "Type (TAT) Reserved-0";
         }
         enum tat-reserved-1 {
           value 1;
           description
             "tat-reserved-1 - IKEv2 Transform Attribute "+
             "Type (TAT) Reserved-1";
         }
         enum tat-reserved-13 {
           value 13;



Tran, et al.          Expires September 18, 2016              [Page 28]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


           description
             "ikev2-tat-reserved-13 - IKEv2 Transform Attribute "+
             "Type (TAT) Reserved-13";
         }
         enum tat-key-length {
           value 41;
           description
             "ikev2-tat-key-length - IKEv2 Transform Attribute "+
             "Type (TAT) KEY LENGTH (in bits)";
         }
       }
       description
         "IKEv2 Transform Attribute Types (TAT)";
     }

      /* Transform Type 1 (Encryption Algorithm) Transform IDs */
     typedef ikev2-encryption-algorithm-t {
       type enumeration {
         enum encr-reserved-0 {
           value 0;
           description
             "encr-reserved-0 - IKEv2 Encryption Algorithm Transform";
         }
         enum encr-des-iv4 {
           value 1;
           description
             "encr-des-iv4 - IKEv2 Encryption Algorithm Transform";
         }
         enum encr-des {
           value 2;
           description
             "encr-des - IKEv2 Encryption Algorithm Transform";
         }
         enum encr-3des {
           value 3;
           description
             "encr-3des - IKEv2 Encryption Algorithm Transform";
         }
         enum encr-rc5 {
           value 4;
           description
             "encr-rc5 - IKEv2 Encryption Algorithm Transform";
         }
         enum encr-idea {
           value 5;
           description
             "encr-idea - IKEv2 Encryption Algorithm Transform";
         }
         enum encr-cast {



Tran, et al.          Expires September 18, 2016              [Page 29]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


           value 6;
           description
             "encr-cast - IKEv2 Encryption Algorithm Transform";
         }
         enum encr-blowfish {
           value 7;
           description
             "encr-blowfish - IKEv2 Encryption Algorithm Transform";
         }
         enum encr-3idea {
           value 8;
           description
             "encr-3idea - IKEv2 Encryption Algorithm Transform";
         }
         enum encr-des-iv32 {
           value 9;
           description
             "encr-des-iv32 - IKEv2 Encryption Algorithm Transform";
         }
         enum encr-reserved-10 {
           value 10;
           description
             "encr-reserved-10 - IKEv2 Encryption Algorithm"+
             " Transform";
         }
         enum encr-null {
           value 11;
           description
             "encr-null - IKEv2 Encryption Algorithm Transform";
         }
         enum encr-aes-cbc {
           value 12;
           description
             "encr-aes-cbc - IKEv2 Encryption Algorithm Transform";
         }
         enum encr-aes-ctr {
           value 13;
           description
             "encr-aes-ctr - IKEv2 Encryption Algorithm Transform";
         }
         enum encr-aes-ccm-8 {
           value 14;
           description
             "encr-aes-ccm-8 - IKEv2 Encryption Algorithm Transform";
         }
         enum encr-aes-ccm-12 {
           value 15;
           description
             "encr-aes-ccm-12 - IKEv2 Encryption Algorithm"+



Tran, et al.          Expires September 18, 2016              [Page 30]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


             " Transform";
         }
         enum encr-aes-ccm-16 {
           value 16;
           description
             "encr-aes-ccm-16 - IKEv2 Encryption Algorithm"+
             " Transform";
         }
         enum encr-reserved-17 {
           value 17;
           description
             "encr-reserved-17 - IKEv2 Encryption Algorithm"+
             " Transform";
         }
         enum encr-aes-gcm-8-icv {
           value 18;
           description
             "encr-aes-gcm-8-icv - IKEv2 Encryption Algorithm"+
             " Transform";
         }
         enum encr-aes-gcm-12-icv {
           value 19;
           description
             "encr-aes-gcm-12-icv - IKEv2 Encryption Algorithm"+
             " Transform";
         }
         enum encr-aes-gcm-16-icv {
           value 20;
           description
             "encr-aes-gcm-16-icv - IKEv2 Encryption Algorithm"+
             " Transform";
         }
         enum encr-null-auth-aes-gmac {
           value 21;
           description
             "encr-null-auth-aes-gmac - IKEv2 Encryption Algorithm"+
             " Transform";
         }
         enum encr-ieee-p1619-xts-aes {
           value 22;
           description
             "encr-ieee-p1619-xts-aes - IKEv2 Encryption Algorithm"+
             " Transform IEEE P1619 XTS-AES.";
         }
         enum encr-camellia-cbc {
           value 23;
           description
             "encr-camellia-cbc - IKEv2 Encryption Algorithm"+
             " Transform";



Tran, et al.          Expires September 18, 2016              [Page 31]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


         }
         enum encr-camellia-ctr {
           value 24;
           description
             "encr-camellia-ctr - IKEv2 Encryption Algorithm"+
             " Transform";
         }
         enum encr-camellia-ccm-8-icv {
           value 25;
           description
             "encr-camellia-ccm-8-icv - IKEv2 Encryption Algorithm"+
             " Transform";
         }
         enum encr-camellia-ccm-12-icv {
           value 26;
           description
             "encr-camellia-ccm-12-icv - IKEv2 Encryption Algorithm"+
             " Transform";
         }
         enum encr-camellia-ccm-16-icv {
           value 27;
           description
             "encr-camellia-ccm-16-icv - IKEv2 Encryption Algorithm"+
             " Transform";
         }
         enum encr-chacha20-poly1305 {
           value 28;
           description
             "encr-chacha20-poly1305 - IKEv2 Encryption Algorithm"+
             " Transform";
         }
         enum encr-aes-cbc-128 {
           value 1024;
           description
             "encr-aes-cbc-128 - IKEv2 Encryption Algorithm Transform";
         }
         enum encr-aes-cbc-192 {
           value 1025;
           description
             "encr-aes-cbc-192 - IKEv2 Encryption Algorithm Transform";
         }
         enum encr-aes-cbc-256 {
           value 1026;
           description
             "encr-aes-cbc-256 - IKEv2 Encryption Algorithm Transform";
         }
         enum encr-blowfish-128 {
           value 1027;
           description



Tran, et al.          Expires September 18, 2016              [Page 32]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


             "encr-blowfish-128 - IKEv2 Encryption Algorithm"+
             " Transform";
         }
         enum encr-blowfish-192 {
           value 1028;
           description
             "encr-blowfish-192 - IKEv2 Encryption Algorithm"+
             " Transform";
         }
         enum encr-blowfish-256 {
           value 1029;
           description
             "encr-blowfish-256 - IKEv2 Encryption Algorithm"+
             " Transform";
         }
         enum encr-blowfish-448 {
           value 1030;
           description
             "encr-blowfish-448 - IKEv2 Encryption Algorithm"+
             " Transform";
         }
         enum encr-camellia-128 {
           value 1031;
           description
             "encr-camellia-128 - IKEv2 Encryption Algorithm"+
             " Transform";
         }
         enum encr-camellia-192 {
           value 1032;
           description
             "encr-camellia-192 - IKEv2 Encryption Algorithm"+
             " Transform";
         }
         enum encr-camellia-256 {
           value 1033;
           description
             "encr-camellia-256 - IKEv2 Encryption Algorithm"+
             " Transform";
         }
       }
       description
         "Transform Type 1 - IKEv2 Encryption Algorithm Transformm"+
         " IDs";
     }

     /* Transform Type 2 (Pseudo-Random Function PRF) Transform IDs */
     typedef ikev2-pseudo-random-function-t {
       type enumeration {
         enum prf-reserved-0 {



Tran, et al.          Expires September 18, 2016              [Page 33]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


           value 0;
           description
             "prf-reserved-0 - IKEv2 Pseudo-Random Function (PRF)";
         }
         enum prf-hmac-md5 {
           value 1;
           description
             "prf-hmac-md5 - IKEv2 Pseudo-Random Function (PRF)";
         }
         enum prf-hmac-sha1 {
           value 2;
           description
             "prf-hmac-sha1 - IKEv2 Pseudo-Random Function (PRF)";
         }
         enum prf-hmac-tiger {
           value 3;
           description
             "prf-hmac-tiger - IKEv2 Pseudo-Random Function (PRF)";
         }
         enum prf-aes128-xcbc {
           value 4;
           description
             "prf-aes128-xcbc - IKEv2 Pseudo-Random Function (PRF)";
         }
         enum prf-hmac-sha2-256 {
           value 5;
           description
             "prf-hmac-sha2-256 - IKEv2 Pseudo-Random Function (PRF)";
         }
         enum prf-hmac-sha2-384 {
           value 6;
           description
             "prf-hmac-sha2-384 - IKEv2 Pseudo-Random Function (PRF)";
         }
         enum prf-hmac-sha2-512 {
           value 7;
           description
             "prf-hmac-sha2-512 - IKEv2 Pseudo-Random Function (PRF)";
         }
         enum prf-aes128-cmac {
           value 8;
           description
             "prf-aes128-cmac - IKEv2 Pseudo-Random Function (PRF)";
         }
       }
       description
         "Transform Type 2 - IKEv2 Pseudo-Random Function (PRF)"+
         " Transform IDs";
     }



Tran, et al.          Expires September 18, 2016              [Page 34]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016



      /* Transform Type 3 (Integrity Algorithm) Transform IDs */
     typedef ikev2-integrity-algorithm-t {
       type enumeration {
         enum auth-none {
           value 0;
           description
             "auth-none - IKEv2 Integrity Algorithm";
         }
         enum auth-hmac-md5-96 {
           value 1;
           description
             "auth-hmac-md5-96 - IKEv2 Integrity Algorithm";
         }
         enum auth-hmac-sha1-96 {
           value 2;
           description
             "auth-hmac-sha1-96 - IKEv2 Integrity Algorithm";
         }
         enum auth-des-mac {
           value 3;
           description
             "auth-des-mac - IKEv2 Integrity Algorithm";
         }
         enum auth-kpdk-md5 {
           value 4;
           description
             "auth-kpdk-md5 - IKEv2 Integrity Algorithm";
         }
         enum auth-aes-xcbc-96 {
           value 5;
           description
             "auth-aes-xcbc-96 - IKEv2 Integrity Algorithm";
         }
         enum auth-hmac-md5-128 {
           value 6;
           description
             "auth-hmac-md5-128 - IKEv2 Integrity Algorithm";
         }
         enum auth-hmac-sha1-160 {
           value 7;
           description
             "auth-hmac-sha1-160 - IKEv2 Integrity Algorithm";
         }
         enum auth-aes-cmac-96 {
           value 8;
           description
             "auth-aes-cmac-96 - IKEv2 Integrity Algorithm";
         }



Tran, et al.          Expires September 18, 2016              [Page 35]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


         enum auth-aes-128-gmac {
           value 9;
           description
             "auth-aes-128-gmac - IKEv2 Integrity Algorithm";
         }
         enum auth-aes-192-gmac {
           value 10;
           description
             "auth-aes-192-gmac - IKEv2 Integrity Algorithm";
         }
         enum auth-aes-256-gmac {
           value 11;
           description
             "auth-aes-256-gmac - IKEv2 Integrity Algorithm";
         }
         enum auth-hmac-sha2-256-128 {
           value 12;
           description
             "auth-hmac-sha2-256-128 - IKEv2 Integrity Algorithm";
         }
         enum auth-hmac-sha2-384-192 {
           value 13;
           description
             "auth-hmac-sha2-384-192 - IKEv2 Integrity Algorithm";
         }
         enum auth-hmac-sha2-512-256 {
           value 14;
           description
             "auth-hmac-sha2-512-256 - IKEv2 Integrity Algorithm";
         }
         enum auth-hmac-sha2-256-96 {
           value 1024;
           description
             "auth-hmac-sha2-256-96 - IKEv2 Integrity Algorithm";
         }
       }
       description
         "Transform Type 3 - IKEv2"+
         " Integrity Algorithms Transform IDs";
     }

     /* Transform Type 4 (Diffie-Hellman Group) Transform IDs */
     typedef ikev2-diffie-hellman-group-t {
       type enumeration {
         enum dh-group-none {
           value 0;
           description
             "dh-group-none - IKEv2 Diffie-Hellman Group (DH)";
         }



Tran, et al.          Expires September 18, 2016              [Page 36]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


         enum dh-modp-768-group-1 {
           value 1;
           description
             "dh-modp-768-group-1 - IKEv2 Diffie-Hellman Group (DH)";
         }
         enum dh-modp-1024-group-2 {
           value 2;
           description
             "dh-modp-1024-group-2 - IKEv2 Diffie-Hellman Group (DH)";
         }
         enum dh-modp-1536-group-5 {
           value 5;
           description
             "dh-modp-1536-group-5 - IKEv2 Diffie-Hellman Group (DH)";
         }
         enum dh-modp-2048-group-14 {
           value 14;
           description
             "dh-modp-2048-group-14 - IKEv2 Diffie-Hellman Group (DH)";
         }
         enum dh-modp-3072-group-15 {
           value 15;
           description
             "dh-modp-3072-group-15 - IKEv2 Diffie-Hellman Group (DH)";
         }
         enum dh-modp-4096-group-16 {
           value 16;
           description
             "dh-modp-4096-group-16 - IKEv2 Diffie-Hellman Group (DH)";
         }
         enum dh-modp-6144-group-17 {
           value 17;
           description
             "dh-modp-6144-group-17 - IKEv2 Diffie-Hellman Group (DH)";
         }
         enum dh-modp-8192-group-18 {
           value 18;
           description
             "dh-modp-8192-group-18 - IKEv2 Diffie-Hellman Group (DH)";
         }
         enum dh-recp-256-group-19 {
           value 19;
           description
             "dh-recp-256-group-19 - IKEv2 Diffie-Hellman Group (DH)";
         }
         enum dh-recp-384-group-20 {
           value 20;
           description
             "dh-recp-384-group-20 - IKEv2 Diffie-Hellman Group (DH)";



Tran, et al.          Expires September 18, 2016              [Page 37]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


         }
         enum dh-recp-521-group-21 {
           value 21;
           description
             "dh-recp-521-group-21 - IKEv2 Diffie-Hellman Group (DH)";
         }
         enum dh-modp-1024-160-pos-group-22 {
           value 22;
           description
             "dh-modp-1024-160-pos-group-22 - IKEv2 Diffie-Hellman"+
             " Group (DH)";
         }
         enum dh-modp-2048-224-pos-group-23 {
           value 23;
           description
             "dh-modp-2048-224-pos-group-23 - IKEv2 Diffie-Hellman"+
             " Group (DH)";
         }
         enum dh-modp-2048-256-pos-group-24 {
           value 24;
           description
             "dh-modp-2048-256-pos-group-24 - IKEv2 Diffie-Hellman"+
             " Group (DH)";
         }
         enum dh-recp-192-group-25 {
           value 25;
           description
             "dh-recp-192-group-25 - IKEv2 Diffie-Hellman Group (DH)";
         }
         enum dh-recp-224-group-26 {
           value 26;
           description
             "dh-recp-224-group-26 - IKEv2 Diffie-Hellman Group (DH)";
         }
         enum dh-brainpool-ip-224-r1 {
           value 27;
           description
             "dh-brainpool-ip-224-r1 - IKEv2 Diffie-Hellman Group"+
             " (DH)";
         }
         enum dh-brainpool-ip-256-r1 {
           value 28;
           description
             "dh-brainpool-ip-256-r1 - IKEv2 Diffie-Hellman Group"+
             " (DH)";
         }
         enum dh-brainpool-ip-384-r1 {
           value 29;
           description



Tran, et al.          Expires September 18, 2016              [Page 38]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


             "dh-brainpool-ip-384-r1 - IKEv2 Diffie-Hellman Group"+
             " (DH)";
         }
         enum dh-brainpool-ip-512-r1 {
           value 30;
           description
             "dh-brainpool-ip-512-r1 - IKEv2 Diffie-Hellman Group"+
             " (DH)";
         }
       }
       description
         "Transform Type 4 - IKEv2"+
         " Diffie-Hellman Groups (DH) Transform IDs";
     }
     /* Transform Type 5 (Extended Sequence Numbers ESN
        Transform IDs) */
     typedef ikev2-extended-sequence-number-t {
       type enumeration {
         enum esn-none {
           value 0;
           description
             "esn-none - IKEv2 Extended Sequence Number";
         }
         enum esn-1 {
           value 1;
           description
             "esn-1 - IKEv2 Extended Sequence Number";
         }
       }
       description
         "Transform Type 5 - IKEv2 Extended Sequence Number (ESN)";
     }
     typedef ikev2-connection-type-t {
       type enumeration {
         enum initiator-only {
           value 0;
           description
             "initiator-only: ME will act as initiator for"+
             " bringing up IKEv2"+
             " session with its IKE peer.";
         }
         enum responder-only {
           value 1;
           description
             "responder-only: ME will act as responder for"+
             " bringing up IKEv2"+
             " session with its IKE peer.";
         }
         enum both {



Tran, et al.          Expires September 18, 2016              [Page 39]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


           value 2;
           description
             "both: ME can act as initiator or responder.";
         }
       }
       description
         "IKEv2 Connection type for IKE session.";
     }
     typedef ikev2-transport-protocol-name-t {
       type enumeration {
         enum tcp {
           value 1;
           description
             "Transmission Control Protocol (TCP) Transport Protocol.";
         }
         enum udp {
           value 2;
           description
             "User Datagram Protocol (UDP) Transport Protocol";
         }
         enum sctp {
           value 3;
           description
             "Stream Control Transmission Protocol (SCTP) Transport "+
             "Protocol";
         }
         enum icmp {
           value 4;
           description
             "Internet Control Message Protocol (ICMP) Transport "+
             "Protocol";
         }
       }
       description
         "Enumeration of well known transport protocols.";
     }

     typedef preshared-key-t {
       type string;
       description
         "Derived string used as Pre-Shared Key.";
     }

     typedef pad-type-t {
       type enumeration {
         enum id-ipv4-addr {
           value 1;
           description
             "A single four (4) octet IPv4 address";



Tran, et al.          Expires September 18, 2016              [Page 40]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


         }
         enum id-fdqn {
           value 2;
           description
             "A fully-qualified domain name string.";
         }
         enum id-rfc822-addr {
           value 3;
           description
             "A fully-qualified RFC 822 email address string";
         }
         enum id-ipv6-addr {
           value 5;
           description
             "A single sixteen (16) octet IPv6 address";
         }
         enum id-der-asn1-dn {
           value 9;
           description
             "The binary Distinguished Encoding Rules (DER) encoding"+
             " of an ASN.1 X.500 Distinguished Name";
         }
         enum id-der-asn1-gn {
           value 10;
           description
             "The binary Distinguished Encoding Rules (DER) encoding"+
             " of an ASN.1 X.509 General Name";
         }
         enum id-key {
           value 11;
           description
             "Key ID (exact match only). An opaque octet stream that"+
             " may be used to pass vendor-specific information"+
             " necessary to do certain proprietary types of"+
             " identification";
         }
         enum id-any {
           value 100;
           description
             "Optional: openIKEv2.conf";
         }
       }
       description
         "Peer Authorization  Database (PAD) Type";
     }

     typedef ikev2-protocol-identifiers-t {
       type enumeration {
         enum "reserved-0" {



Tran, et al.          Expires September 18, 2016              [Page 41]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


           value 0;
           description
             "Reserved IKEv2 Security Protocol Identifier";
         }
         enum "ike" {
           value 1;
           description
             "Internet Key Exchange (IKE) Protocol Identifier";
         }
         enum "ah" {
           value 2;
           description
             "Authentication Header (AH) Protocol Identifier";
         }
         enum "esp" {
           value 3;
           description
             "Encapsulating Security Payload (ESP) Protocol"+
             " Identifier";
         }
         enum "fc_esp_header" {
           value 4;
           description
             "Fibre Channel Encapsulating Security Payload Header";
         }
         enum "fc_ct_authentication" {
           value 5;
           description
             "Fibre Channel Common Transport Authentication";
         }
       }
       description
         "IKEv2 Security Protocol Identifiers";
     }

     typedef ikev2-authentication-method-t {
       type enumeration {
         enum auth-preshared {
           value 0;
           description
             "authorization preshared - IKEv2 Authentication Method";
         }
         enum rsa-digital-signature {
           value 1;
           description
             "rsa-digital-signature - IKEv2 Authentication Method";
         }
         enum shared-key-msg-integrity-code {
           value 2;



Tran, et al.          Expires September 18, 2016              [Page 42]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


           description
             "shared-key-msg-integrity-code - IKEv2 Authentication"+
             " Method";
         }
         enum dss-digital-signature {
           value 3;
           description
             "dss-digital-signature - IKEv2 Authentication Method";
         }
         enum ecdsa-sha-256-p256-curve {
           value 9;
           description
             "ecdsa-sha-256-p256-curve - IKEv2 Authentication Method";
         }
         enum ecdsa-sha-384-p384-curve {
           value 10;
           description
             "ecdsa-sha-384-p384-curve - IKEv2 Authentication Method";
         }
         enum ecdsa-sha-512-p512-curve {
           value 11;
           description
             "ecdsa-sha-512-p512-curve - IKEv2 Authentication Method";
         }
         enum generic-secure-passwd-auth-method {
           value 12;
           description
             "generic-secure-passwd-auth-method - IKEv2"+
             " Authentication Method";
         }
         enum null-auth-method {
           value 13;
           description
             "null-auth-method - IKEv2 Authentication Method";
         }
         enum digital-signature {
           value 14;
           description
             "digital-signature - IKEv2 Authentication Method";
         }
       }
       description "IKEv2 Authentication Methods";
     }

     typedef ikev2-traffic-selector-types-t {
       type enumeration {
         enum "ts-ipv4-addr-range" {
           value 7;
           description



Tran, et al.          Expires September 18, 2016              [Page 43]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


             "ts-ipv4-addr-range - IKEv2 Traffic Selector Type (TS)";
         }
         enum "ts-ipv6-addr-range" {
           value 8;
           description
             "ts-ipv6-addr-range - IKEv2 Traffic Selector Type (TS)";
         }
         enum "ts-fc-addr-range" {
           value 9;
           description
             "ts-fc-addr-range - IKEv2 Traffic Selector Type (TS)";
         }
       }
       description
         "IKEv2 Traffic Selector Types";
     }

     typedef ikev2-cert-encoding-t {
       type enumeration {
         enum cert-pkcs-7-wrapped-x509 {
           value 1;
           description
             "PKCS #7 wrapped X.509 certificate";
         }
         enum cert-pgp {
           value 2;
           description
             "PGP Certificate";
         }
         enum cert-dns-signed-key {
           value 3;
           description
             "DNS Signed Key";
         }
         enum cert-x509-signature {
           value 4;
           description
             "X.509 Certificate - Signature";
         }
         enum cert-kerberos-token {
           value 6;
           description
             "Kerberos Token";
         }
         enum cert-revocation-list {
           value 7;
           description
             "Certificate Revocation List (CRL)";
         }



Tran, et al.          Expires September 18, 2016              [Page 44]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


         enum cert-authority-revocation-list {
           value 8;
           description
             "Authority Revocation List (ARL)";
         }
         enum cert-spki {
           value 9;
           description
             "SPKI Certificate";
         }
         enum cert-x509-attribute {
           value 10;
           description
             "X.509 Certificate - Attribute";
         }
         enum cert-raw-rsa-key {
           value 11;
           description
             "Raw RSA Key";
         }
         enum cert-hash-url-x509 {
           value 12;
           description
             "Hash and URL of X.509 certificate";
         }
         enum cert-hash-url-x509-bundle {
           value 13;
           description
             "Hash and URL of X.509 bundle";
         }
         enum cert-ocsp-content {
           value 14;
           description
             "OCSP Content";
         }
         enum cert-raw-public-key {
           value 15;
           description
             "Raw Public Key";
         }
       }
       description
         "Type of Certificate Encoding";
     }
   }


   <CODE ENDS>



Tran, et al.          Expires September 18, 2016              [Page 45]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


5. IKEv2 YANG Module

   This section will present the YANG data model for IKEv2.

   <CODE BEGINS> file "ietf-ikev2@2016-03-10.yang"


   module ietf-ikev2 {
     namespace "urn:ietf:params:xml:ns:yang:ietf-ikev2";
     prefix "ikev2";

     import "ietf-ikev2-crypto" {
       prefix "ikev2-crypto";
     }

     import ietf-inet-types {
       prefix inet;
     }

     organization "Ericsson AB.
                   Huawei Technologies India Pvt Ltd.";

     contact "Web:   <http://www.ericsson.com>";

     description
       "This YANG module defines the configuration and operational
        state data for Internet Key Exchange version 2 (IKEv2) on
        IETF draft.
        Copyright (c) 2016 Ericsson AB.
        All rights reserved.";

     revision 2016-03-10 {
       description
         "First revision.";
       reference
         "YANG Data model for Internet Protocol Security - IPSec.
          draft-tran-ipecme-yang-ipsec-00.
          draft-wang-ipsecme-ike-yang-00.
          draft-wang-ipsecme-ipsec-yang-00.";
     }

     /*--------------------*/
     /* Feature            */
     /*--------------------*/

     feature ikev2 {
       description
         "Feature IKEv2";



Tran, et al.          Expires September 18, 2016              [Page 46]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


     }
     feature ikev2-transport {
       description
         "Common IKEv2 Transport attributes";
     }
     feature ikev2-transport-anti-replay-mechanism {
       description
         "Optional: Enable INVALID_MESSAGE_ID defines whether an"+
         " optional INVALID_MESSAGE_ID  Notify Payload is sent when"+
         " the IKEv2 message received is outside the Operational"+
         " Window Size";
     }
     feature ikev2-transport-enable-notify-invalid-msg-id {
       description
         "Feature IKEv2 Transport enable notify of invalid message id";

     }
     feature ikev2-transport-retransmission {
       description
         "Feature IKEv2 Transport retransmission";

     }
     feature ikev2-transport-cookie-mechanism {
       description
         "Feature IKEv2 Transport Cookie mechanism";

     }
     feature ikev2-init {
       description
         "Feature IKEv2 INIT";

     }
     feature ikev2-init-authorized-dh {
       description
         "Feature IKEv2 INIT authorized Diffie-Hellman (DH)";

     }
     feature ikev2-init-authorized-certification-auth {
       description
         "Feature IKEv2 INIT authorized certification author";

     }
     feature ikev2-init-nat-detection-src-ip {
       description
         "Feature IKEv2 INIT NAT Detection Source IP Address";

     }
     feature ikev2-init-nat-detection-destination-ip {
       description



Tran, et al.          Expires September 18, 2016              [Page 47]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


         "Feature IKEv2 INIT Detection Destination IP Address";

     }
     feature ikev2-init-redirect-supported {
       description
         "Feature IKEv2 INIT Redirect Supported";

     }
     feature ikev2-init-fragmentation-supported {
       description
         "Feature IKEv2 INIT Fragmentation Supported";

     }
     feature ikev2-init-responder-certreq {
       description
         "Feature IKEv2 INIT Responder CERTREQ";
     }
     feature ikev2-init-optional {
       description
         "Feature IKEv2 INIT Optional Attributes";
     }
     feature ikev2-auth-mobike-supported {
       description
         "Feature IKEv2 AUTH Mobike Supported";

     }
     feature ikev2-auth-rohc-supported {
       description
         "Feature IKEv2 AUTH RObust Header Compression ROHC Supported";

     }
     feature ikev2-auth-childless-supported {
       description
         "Feature IKEv2 AUTH Childless Supported";

     }
     feature ikev2-auth-message-id-supported {
       description
         "Feature IKEv2 AUTH Message ID supported";

     }
     feature ikev2-auth-ipsec-replay-counter-sync-supported {
       description
         "Feature IKEv2 AUTH IPSec Replay Counter Sync Supported";

     }
     feature ikev2-auth-erx-supported {
       description
         "Feature IKEv2 AUTH ERX Supported";



Tran, et al.          Expires September 18, 2016              [Page 48]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016



     }
     feature ikev2-auth-clone-ike-sa-supported {
       description
         "Feature IKEv2 AUTH Clone IKE-SA Supported";

     }

     feature ikev2-sa {
       description
         "Feature IKEv2 Security Association (SA)";
     }

     feature ikev2-auth {
       description
         "Feature IKEv2 AUTH";
     }

     feature ikev2-peer {
       description
         "Feature IKEv2 Peer";
     }

     feature ikev2-state {
       description
         "IKEv2 Operational State";
     }

     feature ikev2-proposal-state {
       description
         "IKEv2 Proposal Operational State";
     }

     feature ikev2-transport-state {
       description
         "IKEv2 Transport State";
     }


     /*--------------------*/
     /* Typedefs           */
     /*--------------------*/
     typedef ipsec-spi {
       type uint64 {
         range "1..max";
       }
       description
         "Security Parameter Index SPI";
     }



Tran, et al.          Expires September 18, 2016              [Page 49]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016



     typedef transport-protocol-name-t {
       type enumeration {
         enum tcp {
           value 1;
           description
             "Transmission Control Protocol (TCP) Transport Protocol.";
         }
         enum udp {
           value 2;
           description
             "User Datagram Protocol (UDP) Transport Protocol";
         }
         enum sctp {
           value 3;
           description
             "Stream Control Transmission Protocol (SCTP) Transport "+
             "Protocol";
         }
         enum icmp {
           value 4;
           description
             "Internet Control Message Protocol (ICMP) Transport "+
             "Protocol";
         }
       }
       description
         "Enumeration of well known transport protocols.";
     }

     typedef role-t {
       type enumeration {
         enum any {
           value 0;
           description
             "Role: Any";
         }
         enum initiator {
           value 1;
           description
             "Role: Initiator";
         }
         enum responder {
           value 2;
           description
             "Role: Responder";
         }
       }
       description



Tran, et al.          Expires September 18, 2016              [Page 50]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


         "Role Type";
     }

     typedef cryptographic-material-t {
       type enumeration {
         enum sk-d {
           value 0;
           description
             "SK_d";
         }
         enum sk-ai {
           value 1;
           description
             "SK_ai";
         }
         enum sk-ar {
           value 2;
           description
             "SK_ar";
         }
         enum sk-ei {
           value 3;
           description
             "SK_ei";
         }
         enum sk-er {
           value 4;
           description
             "SK_er";
         }
         enum sk-pi {
           value 5;
           description
             "SK_pi";
         }
         enum sk-pr {
           value 6;
           description
             "SK_pr";
         }
         enum skeyseed {
           value 7;
           description
             "SKEYSEED";
         }
         enum nonces {
           value 8;
           description
             "Nonces";



Tran, et al.          Expires September 18, 2016              [Page 51]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


         }
       }
       description
         "Cryptographic Material Type";
     }

     typedef ikev2-proposal-number-ref {
       type leafref {
         path "/ikev2/init/proposal/number";
       }
       description
         "reference to IKEv2 proposal number";
     }

     typedef ikev2-transport-base-mjver-ref {
       type leafref {
         path "/ikev2/transport/base-info/major-version";
       }
       description
         "reference to IKEv2 Transport Base Information
         Major Version";
     }

     typedef ikev2-transport-base-mnver-ref {
       type leafref {
         path "/ikev2/transport/base-info/minor-version";
       }
       description
         "reference to IKEv2 Transport Base Information
         Minor Version";
     }

     typedef ikev2-transport-base-spi-gen-policy-ref {
       type leafref {
         path "/ikev2/transport/base-info/spi-generation-policy";
       }
       description
         "reference to IKEv2 Transport Base Information
         SPI Generation Policy";
     }

     typedef ikev2-transport-anti-replay-mechanism-window-size-ref {
       type leafref {
         path "/ikev2/transport/anti-replay-mechanism/window-size";
       }
       description
         "reference to IKEv2 Transport Anti Replay Mechanism
         Window Size";
     }



Tran, et al.          Expires September 18, 2016              [Page 52]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016



     typedef ikev2-transport-anti-replay-mechanism-enable-notify-ref {
       type leafref {
         path "/ikev2/transport/anti-replay-mechanism/"+
               "enable-notify-invalid-msg-id";
       }
       description
         "reference to IKEv2 Transport Anti Replay Mechanism
         Enable Notify Invalid Message ID";
     }

     /*--------------------*/
     /*   grouping         */
     /*--------------------*/

      /* The following groupings are used in both configuration data
        and operational state data */
     grouping name-grouping {
       description
         "This grouping provides a leaf identifying the name.";
       leaf name {
         type string;
         description
           "Name of a identifying.";
       }
       leaf description {
         type string;
         description
           "Specify the description.";
       }
     }

     grouping ip-address-grouping {
       description
         "IP Address grouping";

       choice ip-address {
         description
           "Choice of IPv4 or IPv6.";
         leaf ipv4-address {
           type inet:ipv4-address;
           description
             "Specifies the identity as a single four (4)
              octet IPv4 address.
              An example is, 10.10.10.10. ";
         }
         leaf ipv6-address {
           type inet:ipv6-address;
           description



Tran, et al.          Expires September 18, 2016              [Page 53]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


             "Specifies the identity as a single sixteen (16) "+
             "octet IPv6 address. "+
             "An example is, "+
             "FF01::101, 2001:DB8:0:0:8:800:200C:417A .";
         }
       }
     }

     grouping certificate-auth-grouping {
       description
         "Certificate Authority";
       leaf cert-encoding {
         type ikev2-crypto:ikev2-cert-encoding-t;
         description
           "Certificate Authority Encoding";
       }
       leaf cert-value {
         type uint32;
         description
           "Certificate Authority value";
       }
     }

     grouping sequence-number-grouping {
       description
         "This grouping provides a leaf identifying
          a sequence number.";
       leaf sequence-number {
         type uint32 {
           range "1..4294967295";
         }
         description
           "Specify the sequence number.";
       }
     }

     grouping description-grouping {
       description
         "description for free use.";
       leaf description {
         type string;
         description
           "description for free use.";
       }
     }

     grouping transform-encr-algorithm-grouping {
       description
         "Transform Type 1, Encryption Algorithm";



Tran, et al.          Expires September 18, 2016              [Page 54]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016



       list transform-encr-algorithm {
         key "encr-algorithm key-length";
         leaf encr-algorithm {
           type ikev2-crypto:ikev2-encryption-algorithm-t;
           description
             "IKEv2 Transform Type 1, Encryption Algorithm";
         }
         leaf key-length {
           type uint32;
           description
             "IKEv2 Transform Type 1, key length for Encryption"+
             " Algorithm";
         }
         description
           "IKEv2 Transform Type 1, Encryption Algorithm";
       }
     }

     grouping transform-prf-algorithm-grouping {
       description
         "IKEv2 Transform Type 2, Pseudo-Random Function PRF";
       list transform-prf-algorithm {
         key "prf-algorithm key-length";
         leaf prf-algorithm {
           type ikev2-crypto:ikev2-pseudo-random-function-t;
           description
             "IKEv2 Transform Type 2, Pseudo-Random Function"+
             " (PRF) Algorithm";
         }
         leaf key-length {
           type uint32;
           description
             "IKEv2 Transform Type 2, key length for PRF";
         }
         description
           "IKEv2 Transform Type 2, Pseudo-Random Function PRF";
       }
     }

     grouping transform-integrity-algorithm-grouping {
       description
         "IKEv2 Transform Type 3, Integrity Algorithm";
       list transform-integrity-algorithm {
         key "integrity-algorithm key-length";
         leaf integrity-algorithm {
           type ikev2-crypto:ikev2-integrity-algorithm-t;
           description
             "IKEv2 Transform Type 3, Integrity Algorithm";



Tran, et al.          Expires September 18, 2016              [Page 55]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


         }
         leaf key-length {
           type uint32;
           description
             "IKEv2 Transform Type 3, key length for Integrity"+
             " Algorithm";
         }
         description
           "IKEv2 Transform Type 3, Integrity Algorithm";
       }
     }

     grouping transform-dh-grouping {
       description
         "IKEv2 Transform Type 4, Diffie-Hellman Group (DH)";
       list transform-dh {
         key "dh key-length";
         leaf dh {
           type ikev2-crypto:ikev2-diffie-hellman-group-t;
           description
             "IKEv2 Transform Type 4, Diffie-Hellman Group (DH)";
         }
         leaf key-length {
           type uint32;
           description
             "IKEv2 Transform Type 4, key length for Diffie-Hellman"+
             " Group (DH)";
         }
         description
           "IKEv2 Transform Type 4, Diffie-Hellman Group (DH)";
       }
     }

     grouping ikev2-proposal-grouping {
       description
         "IKEv2 Proposal";
       list proposal {
         key "number";
         description
           "Configure IKEv2 proposal";
         uses name-grouping;
         uses transform-encr-algorithm-grouping;
         uses transform-prf-algorithm-grouping;
         uses transform-integrity-algorithm-grouping;
         uses transform-dh-grouping;
         leaf number {
           type uint32;
           description
             "specify the order the proposals are sent";



Tran, et al.          Expires September 18, 2016              [Page 56]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


         }
         leaf protocol {
           type ikev2-crypto:ikev2-protocol-identifiers-t;
           description
             "IKEv2 Proposal Protocol Identifier";
         }
       }
     }

     grouping ikev2-retransmission-grouping {
       description
         "IKEv2 retransmission policy configuration";
       container retransmision {
         if-feature ikev2-transport-retransmission;
         leaf max-retries {
           type uint32;
           description
             "maximum retry when retransmission failed";
         }
         leaf initial-retransmission-timeout {
           type uint32;
           description
             "initial retransmission timeout value";
         }
         leaf retransmission-timeout-policy {
           type string;
           description
             "defines of the Retransmission Timeout should be"+
             " computed";
         }
         leaf max-response-buffer-timeout {
           type uint32;
           description
             "This timer set when the response buffer can be clean"+
             " when the message ID is not being updated. It value"+
             " is expected to be in the order of several minutes";
         }
         leaf keepalive-timeout {
           type uint32;
           description
             "Keep-alive timeout";
         }
         leaf nat-keepalive-timeout {
           type uint32;
           description
             "Network Address Translation (NAT) Keep-alive timeout";
         }
         description
           "IKEv2 retransmission policy configuration";



Tran, et al.          Expires September 18, 2016              [Page 57]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


       }
     }

     grouping ikev2-cookie-mechanism-grouping {
       description
         "IKEv2 Cookie Mechanism";
       container cookie-mechanism {
         if-feature ikev2-transport-cookie-mechanism;
         leaf cookie-lifetime {
           type uint32;
           description
             "Cookie Lifetime";
         }
         leaf half-open-ike-sa-threshold {
           type uint32;
           description
             "Half-open IKE-SA Threshold";
         }
         description
           "IKEv2 Cookie Mechanism";
       }
     }

     grouping ikev2-auth-avail-signing-capabilities-grouping {
       description
         "IKEv2 AUTH Available Signing Capabilities";
       list avail-signing-capabilities {
         key "auth-method-name";
         description
           "availiable signing capabilities";
         leaf auth-method-name {
           type string;
           description
             "Authentication method name";
         }
         leaf auth-method {
           type ikev2-crypto:ikev2-authentication-method-t;
           description
             "type of authentication method";
         }
         leaf auth-material-data {
           type string;
           description
             "authentication material data";
         }
       }
     }

     grouping ikev2-cert-auth-grouping {



Tran, et al.          Expires September 18, 2016              [Page 58]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


       description
         "IKEv2 AUTH Certificate Authentication";
       container cert-auth {
         description
           "Certificate authentication";
         leaf cert-auth-encoding {
           type ikev2-crypto:ikev2-cert-encoding-t;
           description
             "certificate authentication encoding";
         }
         leaf cert-auth-value {
           type uint32;
           description
             "certificate authentication value";
         }
       }
     }

     grouping ikev2-cert-authentication-material-grouping {
       description
         "IKEv2 CERT Authentication Material";
       leaf cert-authentication-type {
         type string;
         default "cert";
         description
           "CERT Authentication Type";
       }
       uses ikev2-cert-auth-grouping;
     }

     grouping ikev2-auth-avail-hash-capabilities-grouping {
       description
         "IKEv2 AUTH Available Hash Capabilities";
       list avail-hash {
         key "hash-method";
         description
           "available hash";
         leaf hash-method {
           type string;
           description
             "hash method";
         }
         leaf auth-hash-lifetime {
           type uint32;
           description
             "Authentication Hash lifetime";
         }
       }
     }



Tran, et al.          Expires September 18, 2016              [Page 59]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016



     grouping ikev2-auth-avail-signature-verification-grouping {
       description
         "IKEv2 AUTH Available Signature Verification";
       list avail-signature-verify {
         key "signature-id";
         description
           "available signature verification";
         leaf signature-id {
           type string;
           description
             "signature ID";
         }
         leaf signature-lifetime {
           type uint32;
           description
             "signature lifetime";
         }
       }
     }

     grouping local-id-grouping {
       description
         "IKEv2 AUTH Local ID";
       list local-id {
         key "host-id";
         description
           "list of Local ID";
         leaf host-id {
           type string;
           description
             "Local Host ID";
         }
         leaf preference {
           type string;
           description
             "Local Preference";
         }
         leaf id-type {
           type string;
           description
             "Local ID type";
         }
         leaf id-value {
           type string;
           description
             "ID value";
         }
       }



Tran, et al.          Expires September 18, 2016              [Page 60]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


     }

     grouping ikev2-vendor-id-grouping {
       description
         "IKEv2 Vendor ID";
       leaf vendor-id {
         type uint64;
         description
           "IKEv2 Vendor ID";
       }
     }

     grouping ikev2-base-info-grouping {
       description
         "IKEv2 Base Information";
       container base-info {
         description
           "IKEv2 basic information";
         leaf major-version {
           type uint8;
           default 2;
           description
             "IKEv2 Major Version";
         }
         leaf minor-version {
           type uint8;
           default 0;
           description
             "IKEv2 Minor Version";
         }
         leaf spi-generation-policy {
           type string;
           description
             "SPI genration policy";
         }
       }
     }

     grouping ikev2-anti-replay-mechanism-grouping {
       description
         "IKEv2 Anti Replay Mechanism";
       container anti-replay-mechanism {
         leaf window-size {
           type uint32;
           default 1;
           description
             "Window Size defines how much parallel exchange can"+
             " be performed between the peers. By default this"+
             " value is set to 1. When greater than 1, as defined"+



Tran, et al.          Expires September 18, 2016              [Page 61]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


             " in [RFC7296] section 2.3, a SET_WINDOW_SIZE Notify"+
             " Payloads will be sent by the peer to agree withe the"+
             " other peer on the Window Size. After this exchange"+
             " succeeds, the operational attribute that defines"+
             " the Window Size used by the IKE_SA, will be updated"+
             " with the value agreed by the peers.";
         }
         leaf enable-notify-invalid-msg-id {
           if-feature ikev2-transport-enable-notify-invalid-msg-id;
           type empty;
           description
             "Optional Enable INVALID_MESSAGE_ID defines whether an"+
             " optional INVALID_MESSAGE_ID  Notify Payload is sent"+
             " when the IKEv2 message received is outside the"+
             " Operational Window Size.";
         }
         description
           "Anti Replay Mechanism describes when message should be"+
           " rejected or considered by the IKEv2 daemon. The anti"+
           " reply mechanism is defined for each session.";
       }
     }


     grouping ikev2-init-optional-grouping {
       description
         "IKEv2 INIT Optional";
       container optional {
         if-feature ikev2-init-optional;
         container nat-detection-source-ip {
           if-feature ikev2-init-nat-detection-src-ip;
           description
             "Optional support: for Network Address Translation (NAT)"+
             " Destination Source IP Address, sent during the"+
             " IKE_INIT";
           uses ip-address-grouping;
           leaf nat-keepalive-interval {
             type uint16 {
               range "5..300";
             }
             units "Seconds";
             default 20;
             description "NAT detected and keepalive interval";
           }
         }

         container nat-detection-destination-ip {
           if-feature ikev2-init-nat-detection-destination-ip;
           description



Tran, et al.          Expires September 18, 2016              [Page 62]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


             "Optional support: for Network Address Translation (NAT)"+
             " Detecttion Destination IP Address, sent during the"+
             " IKE_INIT";
           uses ip-address-grouping;
           leaf nat-keepalive-interval {
             type uint16 {
               range "5..300";
             }
             units "Seconds";
             default 20;
             description "NAT detected and keepalive interval";
           }
         }

         leaf redirect-supported {
           if-feature ikev2-init-redirect-supported;
           type boolean;
           default true;
           description
             "Optional support: for redirect supported, sent"+
             " during the IKE_INIT";
         }
         leaf fragmentation-supported {
           if-feature ikev2-init-fragmentation-supported;
           type boolean;
           default true;
           description
             "Optional support: for fragmentation supported"+
             " sent during the IKE_INIT";
         }
         leaf mobike-supported {
           if-feature ikev2-auth-mobike-supported;
           type boolean;
           default true;
           description
             "Optional support: for mobike supported, sent during"+
             " IKE-AUTH";
         }
         leaf rohc-supported {
           if-feature ikev2-auth-rohc-supported;
           type boolean;
           default true;
           description
             "Optional support: for RObust Header Compression (ROHC)"+
             " supported, sent during IKE-AUTH";
         }
         leaf childless-ikev2-supported {
           if-feature ikev2-auth-childless-supported;
           type boolean;



Tran, et al.          Expires September 18, 2016              [Page 63]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


           default true;
           description
             "Optional support: for CHILDLESS_IKEV2_SUPPORTED,"+
             " sent during IKE-AUTH";
         }
         leaf message-id-sync-supported {
           if-feature ikev2-auth-message-id-supported;
           type boolean;
           default true;
           description
             "Optional support: for IKEV2_MESSAGE_ID_SYNC_SUPPORTED,"+
             " sent during IKE-AUTH";
         }
         leaf ipsec-replay-counter-sync-supported {
           if-feature ikev2-auth-ipsec-replay-counter-sync-supported;
           type boolean;
           default true;
           description
             "Optional support: for"+
             " IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED,"+
             " sent during IKE-AUTH";
         }
         leaf erx-supported {
           if-feature ikev2-auth-erx-supported;
           type boolean;
           default true;
           description
             "Optional support: for ERX_SUPPORTED,"+
             " sent during IKE-AUTH";
         }
         leaf clone-ike-sa-supported {
           if-feature ikev2-auth-clone-ike-sa-supported;
           type boolean;
           default true;
           description
             "Optional support: for CLONE_IKE_SA_SUPPORTED,"+
             " sent during IKE-AUTH";
         }
         description
           "IKEv2 INIT Optional Attributes";
       }
     }

     grouping ikev2-initiator-id-grouping {
       container initiator-id {
         leaf initiator-id-type {
           type ikev2-crypto:pad-type-t;
           description
             "Initiator ID Type";



Tran, et al.          Expires September 18, 2016              [Page 64]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


         }
         leaf initiator-id {
           type string;
           description
             "Initiator ID";
         }
         description
           "Initiator ID";
       }
       description
         "Initiator ID";
     }

     grouping ikev2-responder-id-grouping {
       container responder-id {
         leaf responder-id-type {
           type ikev2-crypto:pad-type-t;
           description
             "Responder ID Type";
         }
         leaf responder-id {
           type string;
           description
             "Responder ID";
         }
         description
           "Responder ID";
       }
       description
         "Responder ID";
     }

     grouping ikev2-transport-grouping {
       description
         "IKEv2 Transport Attributes";
       container transport {
         if-feature ikev2-transport;
         description
           "Common IKEv2 transport attributes";

         uses ikev2-base-info-grouping;
         uses ikev2-anti-replay-mechanism-grouping;
         uses ikev2-retransmission-grouping;
         uses ikev2-cookie-mechanism-grouping;
         uses ikev2-vendor-id-grouping;
       } //  End of container transport
     }

     grouping ikev2-config-request-grouping {



Tran, et al.          Expires September 18, 2016              [Page 65]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


       description
         "Optional Configuration Request";
       container config-request {
         uses ip-address-grouping;
         description
           "Optional Configuration Requester";
       }
     }

     grouping ikev2-config-responder-grouping {
       description
         "Optional Configuration Responder";
       container config-responder {
         uses ip-address-grouping;
         description
           "Optional Configuration Responder";
       }
     }

     grouping ikev2-init-grouping {
       description
         "IKEv2 INIT Attributes";
       container init {
         if-feature ikev2-init;
         description
           "configuration attributes for the IKE_INIT exchange";

         list authorized-dh {
           if-feature ikev2-init-authorized-dh;
           key "dhg key-length";
           leaf dhg {
             type ikev2-crypto:ikev2-diffie-hellman-group-t;
             description
               "IKEv2 Transform Type 4, Diffie-Hellman Group (DH)";
           }
           leaf key-length {
             type uint32;
             description
               "IKEv2 Transform Type 4, key length for Diffie-Hellman"+
               " Group (DH)";
           }
           description
             "IKEv2 INIT Authorized Diffie-Hellman";
         }

         uses ikev2-proposal-grouping;
         uses ikev2-init-optional-grouping;

         leaf auth-method {



Tran, et al.          Expires September 18, 2016              [Page 66]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


           type ikev2-crypto:ikev2-authentication-method-t;
           default auth-preshared;
           description
             "The authentication method of IKEv2 peer";
         }

         container responder-certreq {
           if-feature ikev2-init-responder-certreq;
           uses certificate-auth-grouping;
           description
             "IKEv2 INIT Responder CERTREQ";
         }

         uses ikev2-config-request-grouping;
         uses ikev2-config-responder-grouping;

         list authorized-cert-auth {
           if-feature ikev2-init-authorized-certification-auth;
           key "cert-encoding";
           uses certificate-auth-grouping;
           description
             "IKev2 Initiator authorized certification authorities";
         }
       } // end of container init
     }

     grouping ikev2-auth-grouping {
       description
         "IKEv2 AUTH Attributes";
       container auth {
         if-feature ikev2-auth;
         description
           "IKEv2 AUTH Exchange";
         uses ikev2-auth-avail-signing-capabilities-grouping;
         uses ikev2-cert-auth-grouping;
         uses ikev2-auth-avail-hash-capabilities-grouping;
         uses ikev2-auth-avail-signature-verification-grouping;
         uses local-id-grouping;
         container authorized-certificate-authority {
           uses certificate-auth-grouping;
           description
             "IKEv2 AUTH Authorized Certificate Authority";
         }
       } // End of container auth
     }
     grouping ikev2-proposal-state-components {
       description
         "IKEv2 Operational state";
       list proposal {



Tran, et al.          Expires September 18, 2016              [Page 67]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


         if-feature ikev2-proposal-state;
         key "name";
         description
           "IKEv2 proposal operational data";
         uses name-grouping;

         leaf encryption-algorithm {
           type ikev2-crypto:ikev2-encryption-algorithm-t;
           description
             "Transform Type 1 - IKEv2 Encryption Algorithm";
         }
         leaf prf-algorithm {
           type ikev2-crypto:ikev2-pseudo-random-function-t;
           description
             "Transform Type 2 - IKEv2 Pseudo-Random Function (PRF)";
         }
         leaf integrity-algorithm {
           type ikev2-crypto:ikev2-integrity-algorithm-t;
           description
             "Transform Type 3 - IKEv2 Integrity Algorithms";
         }
         leaf dh-group {
           type ikev2-crypto:ikev2-diffie-hellman-group-t;
           mandatory true;
           description
             "Transform Type 4 - IKEv2 Diffie-Hellman group.";
         }
         leaf esn {
           type ikev2-crypto:ikev2-extended-sequence-number-t;
           description
             "Transform Type 5 - IKEv2 Extended Sequence Number (ESN)";
         }
       }
       leaf connection-type {
         type ikev2-crypto:ikev2-connection-type-t;
         description
           "define whether the corresponding IKEv2 SA is being used"+
           " as an initiator or as a responder or both";
       }
     }


     /*---------------------------------------------------------*/
     /*************       Configuration Data        *************/
     /*---------------------------------------------------------*/

     /* ------------------- */
     /* IKEv2 configuration */
     /* ------------------- */



Tran, et al.          Expires September 18, 2016              [Page 68]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


     container ikev2 {
       if-feature ikev2;
       description
         "Configuration IPSec IKEv2";

       uses ikev2-transport-grouping;
       uses ikev2-init-grouping;

       container sa {
         if-feature ikev2-sa;
         description
           "IKEv2 Security Association";
         leaf role {
           type role-t;
           description
             "IKEv2 SA Role [any | initiator | responder]";
         }
         container local-ip-address {
           description
             "IKEv2 SA Local IP Address";
           uses ip-address-grouping;
         }
         container remote-ip-address {
           description
             "IKEv2 SA Remote IP Address";
           uses ip-address-grouping;
         }
         leaf cryptgraphic {
           type cryptographic-material-t;
           description
             "Cryptographic Material Type";
         }
         leaf lifetime {
           type uint32;
           description
             "lifetime for IKEv2 SAs
              0: for no timeout.
              300 .. 99999999:  IKEv2 SA lifetime in seconds.";
         }
         leaf proposal {
           type ikev2-proposal-number-ref;
           description
             "IKE proposal number referenced by IKE peer";
         }
         uses ikev2-base-info-grouping;
         uses ikev2-anti-replay-mechanism-grouping;

         list retransmistion-ctx {
           key "window-id";



Tran, et al.          Expires September 18, 2016              [Page 69]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


           leaf window-id {
             type uint32;
             description
               "Window ID";
           }
           uses ikev2-retransmission-grouping;
           description
             "IKEv2 Security Association Retransmission CTX
             that contains the element to enable retransmission
             for all ongoing exchange";
         }
         uses ikev2-initiator-id-grouping;
         uses ikev2-responder-id-grouping;
         uses ikev2-cert-authentication-material-grouping;
         uses ikev2-vendor-id-grouping;
         list optional-ctx {
           key "window-id";
           description
             "Optional Security Association CTX";
           leaf window-id {
             type uint32;
             description
               "Window ID";
           }
           uses ikev2-init-optional-grouping;
         }
       } // end of container sa

       list peer {
         if-feature ikev2-peer;
         key "peer-address";
         description "IKEv2 peer information";
         leaf peer-address {
           type string;
           description
             "Peer address";
         }
         leaf role {
           type role-t;
           default any;
           description
             "Peer Role [any | initiator | responder]";
         }

         list peer-id-entries {
           key "peer-id peer-id-type";
           description "IKE peer information";
           leaf peer-id-type {
             type ikev2-crypto:pad-type-t;



Tran, et al.          Expires September 18, 2016              [Page 70]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


             description
               "Peer ID Type";
           }
           leaf peer-id {
             type string;
             description
               "Peer ID";
           }
         } // End of peer-entries

         list session {
           key "session-label";
           description
             "List of session";
           leaf session-label {
             type string;
             description
               "Session Label";
           }
           uses ikev2-initiator-id-grouping;
           uses ikev2-responder-id-grouping;
           uses ikev2-transport-grouping;
           uses ikev2-init-grouping;
           uses ikev2-auth-grouping;
           uses ikev2-config-request-grouping;
           uses ikev2-config-responder-grouping;
         }

         leaf preshared-key {
           type string;
           description "Preshare key";
         }
         leaf nat-traversal {
           type boolean;
           default false;
           description
             "Enable/Disable Network Address Translation"+
             " (NAT) traversal";
         }
       } //End of peer


     } // End of ikev2



     /*---------------------------------------------------------*/
     /*************         Operational State       *************/
     /*---------------------------------------------------------*/



Tran, et al.          Expires September 18, 2016              [Page 71]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016



     /*--------------------------*/
     /* IKEv2 Operational State  */
     /*--------------------------*/
     container ikev2-state {
       if-feature ikev2-state;
       config "false";

       container transport-state {
         if-feature ikev2-transport-state;
         description
           "Common IKEv2 operational transport state";
         leaf major-version {
           type uint8;
           default 2;
           description
             "IKEv2 Major Version";
         }
         leaf minor-version {
           type uint8;
           default 0;
           description
             "IKEv2 Minor Version";
         }
         leaf spi-generation-policy {
           type string;
           description
             "SPI genration policy";
         }
         leaf exchange-type {
           type ikev2-crypto:ikev2-exchange-type-t;
           description
             "IKEv2 Exchange Type";
         }
         leaf flags {
           type uint8;
           description
             "indicate specific options that are set for message";
         }
       }

       list sa-state {
         key "initiator-spi responder-spi";
         description
           "IKEv2 Security Association (SA) Operational State";

         leaf initiator-spi {
           type ipsec-spi;
           description



Tran, et al.          Expires September 18, 2016              [Page 72]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


             "initiator Security Parameter Index (SPI)";
         }
         leaf responder-spi {
           type ipsec-spi;
           description
             "initiator Security Parameter Index (SPI)";
         }
         list retransmistion-ctx {
           key "window-id";
           leaf window-id {
             type uint32;
             description
               "Window ID";
           }
           uses ikev2-retransmission-grouping;
           description
             "IKEv2 Security Association Retransmission CTX
             that contains the element to enable retransmission
             for all ongoing exchange";
         }
         container anti-replay-mechanism {
           leaf window-size {
             type uint32;
             description
               "window size";
           }
           leaf peer-request-msg-id {
             type uint32;
             description
               "Peer Request Message ID";
           }
           leaf peer-response-msg-id {
             type uint32;
             description
               "Peer Response Message ID";
           }
           leaf local-request-msg-id {
             type uint32;
             description
               "Local Request Message ID";
           }
           leaf local-response-msg-id {
             type uint32;
             description
               "Local Response Message ID";
           }
           description
             "IKEv2 Anti Replay Mechanism Operational State";
         }



Tran, et al.          Expires September 18, 2016              [Page 73]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


         uses ikev2-vendor-id-grouping;
         uses ikev2-initiator-id-grouping;
         uses ikev2-responder-id-grouping;
         uses ikev2-auth-grouping;
         leaf half-open-ike-sa-counter {
           type uint32;
           description
             "IKEv2 Cookie Mechanism Half-Open IKE-SA counter";
         }
         list optional-ctx {
           key "window-id";
           description
             "Optional Security Association CTX";
           leaf window-id {
             type uint32;
             description
               "Window ID";
           }
           uses ikev2-init-optional-grouping;
         }
       }
       description
         "Contain the operational data for IKEv2";
     }
   } /* module ietf-ikev2 */


   <CODE ENDS>






















Tran, et al.          Expires September 18, 2016              [Page 74]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


6. Security Considerations

   The configuration, state, and action data defined in this document
   are designed to be accessed via the NETCONF protocol [RFC6241].  The
   data model by itself does not create any security implications.  The
   security considerations for the NETCONF protocol are applicable.
   The NETCONF protocol used for sending the data supports
   authentication and encryption.



7. References



7.1. Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2234] Crocker, D. and Overell, P.(Editors), "Augmented BNF for
             Syntax Specifications: ABNF", RFC 2234, Internet Mail
             Consortium and Demon Internet Ltd., November 1997.

   [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the
             Network Configuration Protocol (NETCONF)", RFC 6020,
             October 2010.

   [RFC6021] Schoenwaelder, J., "Common YANG Data Types", RFC 6021,
             October 2010.

   [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
             Bierman, "Network Configuration Protocol (NETCONF)", RFC
             6241, June 2011.

   [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., Kivinen,
             T., "Internet Key Exchange Protocol Version 2 (IKEv2)",
             RFC 5996, October 2014.

   [RFC6071] Frankel, S., Krishnan, S., "IP Security (IPsec) and
             Internet Key Exchange (IKE) Document Roadmap", February
             2011.






Tran, et al.          Expires September 18, 2016              [Page 75]


Internet-Draft   draft-tran-ipsecme-ikev2-yang-00.txt        March 2016


7.2. Informative References

   [RFC6087] Bierman, A., "Guidelines for Authors and Reviewers of YANG
             Data Model Documents", RFC 6087, January 2011.



Authors' Addresses

   Khanh Tran
   Ericsson
   300 Holger Way
   San Jose, CA 95134
   USA
   Email: khanh.x.tran@ericsson.com

   Daniel Migault
   Ericsson
   8500 Decarie Blvd
   Montreal, Quebec H4P 2N2
   CANADA
   Email: daniel.migault@ericsson.com

   Honglei Wang
   Huawei Technologies
   Huawei Bld., No.156 Beiqing Rd.
   Beijing  100095
   China
   Email: stonewater.wang@huawei.com


   Vijay Kumar Nagaraj
   Huawei Technologies
   Huawei Technologies India Pvt Ltd
   Bangalore  560008
   India
   Email: vijay.kn@huawei.com


   Xia Chen
   Huawei Technologies
   Huawei Bld., No.156 Beiqing Rd.
   Beijing  100095
   China
   Email: xiachen@huawei.com




Tran, et al.          Expires September 18, 2016              [Page 76]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/