[Docs] [txt|pdf] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: (draft-wang-ipsecme-ipsec-yang) 00 01

Network Working Group                                           K. Tran
Internet Draft                                                 Ericsson
Intended status: Standard Track                                 H. Wang
Expires: September 18, 2016                                  V. Nagaraj
                                                               X. Chen
                                                    Huawei Technologies
                                                         March 18, 2016



          Yang Data Model for Internet Protocol Security (IPsec)
                      draft-tran-ipsecme-yang-01.txt


Abstract

   This document defines a YANG data model that can be used to
   configure and manage Internet Protocol Security (IPsec).  The model
   covers the IPsec protocol operational state, remote procedural
   calls, and event notifications data.



Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on November 18, 2016.







Tran, et al.          Expires September 18, 2016               [Page 1]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.



Table of Contents


   1. Introduction...................................................3
   2. Conventions used in this document..............................3
   3. IPsec Configuration and Operation Model Overview...............4
      3.1. IPsec Configuration Data Model............................5
      3.2. IKEv1 Configuration Data Model............................8
      3.3. IKEv2 Configuration Data Model...........................10
      3.4. IPsec Operation Data Model...............................13
      3.5. IKEv1 Operation Data Model...............................14
      3.6. IKEv2 Operation Data Model...............................15
      3.7. IPsec SAD Operational Data Model.........................16
      3.8. IPsec SPD Operational Data Model.........................17
      3.9. IPsec Global Statistics Operational Data Model...........19
      3.10. RPC Operation...........................................21
      3.11. Notifications...........................................22
   4. IPsec YANG Module.............................................23
   5. Security Considerations.......................................98
   6. References....................................................98
      6.1. Normative References.....................................98
      6.2. Informative References...................................98










Tran, et al.          Expires September 18, 2016               [Page 2]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


1. Introduction

   Internet Protocol Security (IPsec) is a suite of protocols that
   provides security to internet communications at the IP layer.  This
   document defines a YANG data model that can be used to configure and
   manage the IPsec protocol including Encapsulating Security Payload
   (ESP), Authentication Header (AH), Internet Key Exchange version 1
   (IKEv1), and Internet Key Exchange version 2 (IKEv2) components.



2. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [RFC2119].

   In this document, these words will appear with that interpretation
   only when in ALL CAPS. Lower case uses of these words are not to be
   interpreted as carrying RFC-2119 significance.

   In this document, the characters ">>" preceding an indented line(s)
   indicates a compliance requirement statement using the key words
   listed above. This convention aids reviewers in quickly identifying
   or finding the explicit compliance requirements of this RFC.
























Tran, et al.          Expires September 18, 2016               [Page 3]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


3. IPsec Configuration and Operation Model Overview

   This section will give the relationship of AH/ESP/SA with IPsec, and
   IKEv2 with IPsec.

   Figure 1 shows the protocols of (AH and ESP) associated with IPsec.

   +------------------------------------------------+
   |                                                |
   |      Internet Protocol Security (IPsec)        |
   |             +------------+                     |
   |             |   AH/ESP   |                     |
   |             +------------+                     |
   |                   |                            |
   |                   V                            |
   |             +------------+                     |
   |             |   SA       |                     |
   |             +------------+                     |
   |                   |                            |
   |                   V                            |
   |             +------------+                     |
   |             |   IPsec    |                     |
   |             | Data Model |                     |
   |             +------------+                     |
   |                                                |
   +------------------------------------------------+

            Figure 1. Relationship between AH/ESP/SA and IPsec





















Tran, et al.          Expires September 18, 2016               [Page 4]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


3.1. IPsec Configuration Data Model

   The IPsec data model provides the appropriate leaves for configuring
   the IPsec protocol.  The IPsec YANG data model shall contain AH,
   ESP, Security Policy (SP), Security Policy Database (SPD), Security
   Association (SA), Security Association Database (SAD), and Peer
   Authorization Database (PAD) components.

   module: ietf-ipsec


   +--rw ipsec {ipsec}?
      |  +--rw sad {ipsec-sad}?
      |  |  +--rw sad-entries* [spi direction]
      |  |     +--rw spi                              uint32
      |  |     +--rw anti-replay-window?              uint16
      |  |     +--rw ip-comp?                         empty
      |  |     +--rw local-peer
      |  |     |  +--rw (ip-address)?
      |  |     |     +--:(ipv4-address)
      |  |     |     |  +--rw ipv4-address?   inet:ipv4-address
      |  |     |     +--:(ipv6-address)
      |  |     |        +--rw ipv6-address?   inet:ipv6-address
      |  |     +--rw remote-peer
      |  |     |  +--rw (ip-address)?
      |  |     |     +--:(ipv4-address)
      |  |     |     |  +--rw ipv4-address?   inet:ipv4-address
      |  |     |     +--:(ipv6-address)
      |  |     |        +--rw ipv6-address?   inet:ipv6-address
      |  |     +--rw sa-mode?                         ipsec-mode
      |  |     +--rw security-protocol?               ipsec-protocol
      |  |     +--rw sequence-number?                 uint64
      |  |     +--rw sequence-number-overflow-flag?   boolean
      |  |     +--rw path-mtu?                        uint16
      |  |     +--rw life-time
      |  |     |  +--rw life-time-in-seconds?          uint32
      |  |     |  +--rw remain-life-time-in-seconds?   uint32
      |  |     |  +--rw life-time-in-byte?             uint32
      |  |     |  +--rw remain-life-time-in-byte?      uint32
      |  |     +--rw upper-protocol?                  string
      |  |     +--rw direction                        ipsec-traffic-direction
      |  |     +--rw source-address
      |  |     |  +--rw (ip-address)?
      |  |     |  |  +--:(ipv4-address)
      |  |     |  |  |  +--rw ipv4-address?   inet:ipv4-address
      |  |     |  |  +--:(ipv6-address)
      |  |     |  |     +--rw ipv6-address?   inet:ipv6-address
      |  |     |  +--rw port-number?    uint32
      |  |     +--rw destination-address


Tran, et al.          Expires September 18, 2016               [Page 5]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


      |  |     |  +--rw (ip-address)?
      |  |     |  |  +--:(ipv4-address)
      |  |     |  |  |  +--rw ipv4-address?   inet:ipv4-address
      |  |     |  |  +--:(ipv6-address)
      |  |     |  |     +--rw ipv6-address?   inet:ipv6-address
      |  |     |  +--rw port-number?    uint32
      |  |     +--rw nat-traversal-flag?              boolean
      |  |     +--rw ah
      |  |     |  +--rw (authentication-algorithm)?
      |  |     |     +--:(hmac-aes-xcbc)
      |  |     |     |  +--rw hmac-aes-xcbc
      |  |     |     |     +--rw key-str?   union
      |  |     |     +--:(hmac-md5-96)
      |  |     |     |  +--rw hmac-md5-96
      |  |     |     |     +--rw key-str?   union
      |  |     |     +--:(hmac-sha1-96)
      |  |     |     |  +--rw hmac-sha1-96
      |  |     |     |     +--rw key-str?   union
      |  |     |     +--:(key-string)
      |  |     |        +--rw key-string
      |  |     |           +--rw key-str?   union
      |  |     +--rw esp
      |  |        +--rw authentication
      |  |        |  +--rw (authentication-algorithm)?
      |  |        |     +--:(hmac-aes-xcbc)
      |  |        |     |  +--rw hmac-aes-xcbc
      |  |        |     |     +--rw key-str?   union
      |  |        |     +--:(hmac-md5-96)
      |  |        |     |  +--rw hmac-md5-96
      |  |        |     |     +--rw key-str?   union
      |  |        |     +--:(hmac-sha1-96)
      |  |        |     |  +--rw hmac-sha1-96
      |  |        |     |     +--rw key-str?   union
      |  |        |     +--:(key-string)
      |  |        |        +--rw key-string
      |  |        |           +--rw key-str?   union
      |  |        +--rw encryption
      |  |           +--rw (encryption-algorithm)?
      |  |              +--:(des3-cbc)
      |  |              |  +--rw des3-cbd
      |  |              |     +--rw key-str?   union
      |  |              +--:(aes-128-cbc)
      |  |              |  +--rw aes-128-cbc
      |  |              |     +--rw key-str?   union
      |  |              +--:(aes-192-cbc)
      |  |              |  +--rw aes-192-cbc
      |  |              |     +--rw key-str?   union
      |  |              +--:(aes-256-cbc)
      |  |              |  +--rw aes-256-cbc



Tran, et al.          Expires September 18, 2016               [Page 6]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


      |  |              |     +--rw key-str?   union
      |  |              +--:(des-cbc)
      |  |              |  +--rw des-cbc
      |  |              |     +--rw key-str?   union
      |  |              +--:(key-string)
      |  |                 +--rw key-string
      |  |                    +--rw key-str?   union
      |  +--rw proposal {ipsec-proposal}?
      |  |  +--rw ipsec-proposal* [name]
      |  |     +--rw name        string
      |  |     +--rw ah?         ike-integrity-algorithm-t
      |  |     +--rw esp
      |  |     |  +--rw authentication?   ike-integrity-algorithm-t
      |  |     |  +--rw encryption?       ike-encryption-algorithm-t
      |  |     +--rw ip-comp?    empty
      |  |     +--rw lifetime
      |  |        +--rw kbytes?    uint32
      |  |        +--rw seconds?   uint32
      |  +--rw spd {ipsec-spd}?
      |  |  +--rw spd-entries* [name]
      |  |     +--rw name                       string
      |  |     +--rw description?               string
      |  |     +--rw anti-replay-window?        uint32
      |  |     +--rw perfect-forward-secrecy
      |  |     |  +--rw dh-group?   diffie-hellman-group-t
      |  |     +--rw seq* [seq-id]
      |  |        +--rw seq-id         uint32
      |  |        +--rw description?   string
      |  |        +--rw proposal?      leafref
      |  +--rw pad
      |     +--rw pad-entries* [pad-type pad-id]
      |        +--rw (identity)?
      |        |  +--:(ipv4-address)
      |        |  |  +--rw ipv4-address?            inet:ipv4-address
      |        |  +--:(ipv6-address)
      |        |  |  +--rw ipv6-address?            inet:ipv6-address
      |        |  +--:(fqdn-string)
      |        |  |  +--rw fqdn-string?             inet:domain-name
      |        |  +--:(rfc822-address-string)
      |        |  |  +--rw rfc822-address-string?   string
      |        |  +--:(dnX509)
      |        |     +--rw dnX509?                  string
      |        +--rw pad-id                   uint32
      |        +--rw pad-type                 pad-type-t
      |        +--rw ike-peer-name?           string
      |        +--rw peer-authentication
      |           +--rw algorithm?       ike-integrity-algorithm-t
      |           +--rw preshared-key?   empty
      |           +--rw rsa-signature?   empty



Tran, et al.          Expires September 18, 2016               [Page 7]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


3.2. IKEv1 Configuration Data Model

   This section will present the YANG data model for IKEv1.

      +--rw ikev1 {ikev1}?
      |  +--rw proposal* [name]
      |  |  +--rw name              string
      |  |  +--rw description?      string
      |  |  +--rw dh-group          diffie-hellman-group-t
      |  |  +--rw encryption
      |  |  |  +--rw algorithm?   ike-encryption-algorithm-t
      |  |  +--rw lifetime          uint32
      |  |  +--rw authentication
      |  |     +--rw algorithm?       ike-integrity-algorithm-t
      |  |     +--rw preshared-key?   empty
      |  |     +--rw rsa-signature?   empty
      |  +--rw keepalive?   empty
      |  +--rw policy* [name]
      |     +--rw name                             string
      |     +--rw mode
      |     |  +--rw aggressive?   empty
      |     |  +--rw main?         empty
      |     +--rw connection-type                  connection-type-t
      |     +--rw pre-shared-key?                  union
      |     +--rw validate-certificate-identity?   empty
      |     +--rw seq* [seq-id]
      |     |  +--rw seq-id      uint32
      |     |  +--rw proposal?   leafref
      |     +--rw identity
      |        +--rw local
      |        |  +--rw (identity)?
      |        |     +--:(ipv4-address)
      |        |     |  +--rw ipv4-address?            inet:ipv4-address
      |        |     +--:(ipv6-address)
      |        |     |  +--rw ipv6-address?            inet:ipv6-address
      |        |     +--:(fqdn-string)
      |        |     |  +--rw fqdn-string?             inet:domain-name
      |        |     +--:(rfc822-address-string)
      |        |     |  +--rw rfc822-address-string?   string
      |        |     +--:(dnX509)
      |        |        +--rw dnX509?                  string
      |        +--rw remote
      |           +--rw (identity)?
      |              +--:(ipv4-address)
      |              |  +--rw ipv4-address?            inet:ipv4-address
      |              +--:(ipv6-address)
      |              |  +--rw ipv6-address?            inet:ipv6-address
      |              +--:(fqdn-string)
      |              |  +--rw fqdn-string?             inet:domain-name


Tran, et al.          Expires September 18, 2016               [Page 8]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


      |              +--:(rfc822-address-string)
      |              |  +--rw rfc822-address-string?   string
      |              +--:(dnX509)
      |                 +--rw dnX509?                  String









































Tran, et al.          Expires September 18, 2016               [Page 9]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


3.3. IKEv2 Configuration Data Model

   This section will present the YANG data model for IKEv2 as per RFC-
   7296 [RFC7296].


   The IKEv2 data model provides the appropriate leaves for configuring
   the IKEv2 protocol.  The IKEv2 YANG data model has the following
   structure:


      +--rw ikev2 {ikev2}?
      |  +--rw ike-global-configuration {ikev2-global}?
      |  |  +--rw (df-flag)?
      |  |  |  +--:(set)
      |  |  |  |  +--rw set?                      empty
      |  |  |  +--:(clear)
      |  |  |  |  +--rw clear?                    empty
      |  |  |  +--:(copy)
      |  |  |     +--rw copy?                     empty
      |  |  +--rw stateful-frag-check?      boolean
      |  |  +--rw life-time-kb?             uint32
      |  |  +--rw life-time-second?         uint32
      |  |  +--rw (anti-replay)?
      |  |  |  +--:(enable)
      |  |  |  |  +--rw enable?                   empty
      |  |  |  |  +--rw (anti-replay-windows-size)?
      |  |  |  |     +--:(size-32)
      |  |  |  |     +--:(size-64)
      |  |  |  |     +--:(size-128)
      |  |  |  |     +--:(size-256)
      |  |  |  |     +--:(size-512)
      |  |  |  |     +--:(size-1024)
      |  |  |  +--:(disable)
      |  |  |     +--rw disable?                  empty
      |  |  +--rw inbound-dscp?             uint16
      |  |  +--rw outbound-dscp?            uint16
      |  |  +--rw local-name?               string
      |  |  +--rw nat-keepalive-interval?   uint16
      |  |  +--rw dpd-interval?             uint16
      |  +--rw ike-peer {ikev2-peer}?
      |  |  +--rw ike-peer-entries* [peer-name]
      |  |     +--rw peer-name              string
      |  |     +--rw ike-proposal-number?   ike-proposal-number-ref
      |  |     +--rw PresharedKey?          string
      |  |     +--rw nat-traversal?         boolean
      |  |     +--rw (local-id-type)?
      |  |     |  +--:(ip)
      |  |     |  |  +--rw ip?                    empty


Tran, et al.          Expires September 18, 2016              [Page 10]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


      |  |     |  +--:(fqdn)
      |  |     |  |  +--rw fqdn?                  empty
      |  |     |  +--:(dn)
      |  |     |  |  +--rw dn?                    empty
      |  |     |  +--:(user_fqdn)
      |  |     |     +--rw user_fqdn?             empty
      |  |     +--rw local-id?              string
      |  |     +--rw remote-id?             string
      |  |     +--rw low-remote-address?    inet:ip-address
      |  |     +--rw high-remote-address?   inet:ip-address
      |  |     +--rw certificate?           string
      |  |     +--rw auth-address-begin?    inet:ip-address
      |  |     +--rw auth-address-end?      inet:ip-address
      |  +--rw proposal* [name] {ikev2-proposal}?
      |  |  +--rw name                      string
      |  |  +--rw description?              string
      |  |  +--rw dh-group                  diffie-hellman-group-t
      |  |  +--rw encryption
      |  |  |  +--rw algorithm?   ike-encryption-algorithm-t
      |  |  +--rw pseudo-random-function    pseudo-random-function-t
      |  |  +--rw authentication
      |  |     +--rw algorithm?   ike-integrity-algorithm-t
      |  +--rw policy* [name] {ikev2-policy}?
      |     +--rw name                             string
      |     +--rw authentication
      |     |  +--rw preshared-key?   empty
      |     |  +--rw rsa-signature?   empty
      |     +--rw lifetime                         uint32
      |     +--rw address-allocation
      |     |  +--rw aaa?   empty
      |     +--rw connection-type                  connection-type-t
      |     +--rw pre-shared-key?                  union
      |     +--rw validate-certificate-identity?   empty
      |     +--rw seq* [seq-id]
      |     |  +--rw seq-id      uint32
      |     |  +--rw proposal?   leafref
      |     +--rw identity
      |     |  +--rw local
      |     |  |  +--rw (identity)?
      |     |  |     +--:(ipv4-address)
      |     |  |     |  +--rw ipv4-address?            inet:ipv4-address
      |     |  |     +--:(ipv6-address)
      |     |  |     |  +--rw ipv6-address?            inet:ipv6-address
      |     |  |     +--:(fqdn-string)
      |     |  |     |  +--rw fqdn-string?             inet:domain-name
      |     |  |     +--:(rfc822-address-string)
      |     |  |     |  +--rw rfc822-address-string?   string
      |     |  |     +--:(dnX509)
      |     |  |        +--rw dnX509?                  string



Tran, et al.          Expires September 18, 2016              [Page 11]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


      |     |  +--rw remote
      |     |     +--rw (identity)?
      |     |        +--:(ipv4-address)
      |     |        |  +--rw ipv4-address?            inet:ipv4-address
      |     |        +--:(ipv6-address)
      |     |        |  +--rw ipv6-address?            inet:ipv6-address
      |     |        +--:(fqdn-string)
      |     |        |  +--rw fqdn-string?             inet:domain-name
      |     |        +--:(rfc822-address-string)
      |     |        |  +--rw rfc822-address-string?   string
      |     |        +--:(dnX509)
      |     |           +--rw dnX509?                  string
      |     +--rw description?                     String

































Tran, et al.          Expires September 18, 2016              [Page 12]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


3.4. IPsec Operation Data Model

   The IPsec data model provides the appropriate leaves for operational
   states of the IPsec protocol.  The IPsec YANG data model has the
   following structure:


   +--ro ipsec-state {ipsec-state}?
   |  +--ro policy* {ipsec-policy-state}?
   |  |  +--ro name?                      string
   |  |  +--ro anti-replay-window?        uint32
   |  |  +--ro perfect-forward-secrecy?   diffie-hellman-group-t
   |  |  +--ro seq*
   |  |     +--ro seq-id?          uint32
   |  |     +--ro proposal-name?   string
   |  +--ro proposal* {ipsec-proposal-state}?
   |  |  +--ro name?       string
   |  |  +--ro ah?         ike-integrity-algorithm-t
   |  |  +--ro esp
   |  |  |  +--ro authentication?   ike-integrity-algorithm-t
   |  |  |  +--ro encryption?       ike-encryption-algorithm-t
   |  |  +--ro ip-comp?    empty
   |  |  +--ro lifetime
   |  |     +--ro kbytes?    uint32
   |  |     +--ro seconds?   uint32
   |  +--ro hold-down?    uint32 {ipsec-alarms-state}?
   |  +--ro sa* {ipsec-sa-state}?
   |  |  +--ro name?                       string
   |  |  +--ro anti-replay-window?         uint16
   |  |  +--ro ip-comp?                    empty
   |  |  +--ro spi?                        uint32 {ipsec-sa-ah-state}?
   |  |  +--ro description?                string {ipsec-sa-ah-state}?
   |  |  +--ro authentication-algorithm?   ike-integrity-algorithm-t {ipsec-sa-ah-
state}?
   |  |  +--ro encryption-algorithm?       ike-encryption-algorithm-t {ipsec-sa-ah-
state}?
   |  +--ro redundancy {ipsec-redundancy}?
      |     +--ro inter-chassis?   Empty













Tran, et al.          Expires September 18, 2016              [Page 13]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


3.5. IKEv1 Operation Data Model

   The IKEv1 data model provides the appropriate leaves for operational
   states of the IKEv1 protocol.  The IKEv1 YANG data model has the
   following structure:

   +--ro ike-state {ikev1-state}?
   |  +--ro proposal* {ike-proposal-state}?
   |  |  +--ro name?             string
   |  |  +--ro lifetime?         uint32
   |  |  +--ro encryption?       ike-encryption-algorithm-t
   |  |  +--ro dh-group?         diffie-hellman-group-t
   |  |  +--ro authentication?   ike-integrity-algorithm-t
   |  +--ro policy* {ike-policy-state}?
   |     +--ro name?              string
   |     +--ro description?       string
   |     +--ro mode?              enumeration
   |     +--ro connection-type?   connection-type-t
   |     +--ro local-identity?    inet:ipv4-address-no-zone
   |     +--ro remote-identity?   inet:ipv4-address-no-zone
   |     +--ro pre-shared-key?    string
   |     +--ro seq?               uint32
   |     +--ro proposal?          String



























Tran, et al.          Expires September 18, 2016              [Page 14]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


3.6. IKEv2 Operation Data Model

   The IKEv2 data model provides the appropriate leaves for operational
   sattes of the IKEv2 protocol.  The IKEv2 YANG data model has the
   following structure:


   +--ro ikev2-state {ikev2-state}?
   |  +--ro proposal* {ikev2-proposal-state}?
   |  |  +--ro name?                     string
   |  |  +--ro pseudo-random-function?   pseudo-random-function-t
   |  |  +--ro authentication?           ike-integrity-algorithm-t
   |  |  +--ro encryption?               ike-encryption-algorithm-t
   |  |  +--ro dh-group                  diffie-hellman-group-t
   |  +--ro policy* {ike-policy-state}?
   |     +--ro name?              string
   |     +--ro description?       string
   |     +--ro mode?              enumeration
   |     +--ro connection-type?   connection-type-t
   |     +--ro local-identity?    inet:ipv4-address-no-zone
   |     +--ro remote-identity?   inet:ipv4-address-no-zone
   |     +--ro pre-shared-key?    string
   |     +--ro seq?               uint32
   |     +--ro proposal?          String


























Tran, et al.          Expires September 18, 2016              [Page 15]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


3.7. IPsec SAD Operational Data Model

   The IPsec SAD(Security Association Database) container maintains
   information related to the IPSEC SAs established in a system.  This
   is a run-time data structure that is created upon the first SA being
   established.  The key for fetching SA in this database is the
   triplet: SPI, Protocol and Destination address of the SA to be
   fetched form the SA database.

   The SAD entries also contain information about the IPSEC tunnel like
   direction, SA-type (manual or VPN SA), sequence number, anti-replay
   window size, protocol mode, ipsec algorithm info, life time in
   Seconds/Bytes etc, NAT traversal info, path-mtu, dscp etc.

   +--ro sad {sad}?
   |  +--ro sad-entries* [spi security-protocol direction]
   |     +--ro spi                              ipsec-spi
   |     +--ro security-protocol                ipsec-protocol
   |     +--ro direction                        ipsec-traffic-direction
   |     +--ro sa-type?                         enumeration
   |     +--ro sequence-number?                 uint64
   |     +--ro sequence-number-overflow-flag?   boolean
   |     +--ro anti-replay-enable-flag?         boolean
   |     +--ro anti-replay-window-size?         uint64
   |     +--ro ah-auth-algorithm?               ipsec-authentication-algorithm {ipsec-
ah-authentication}?
   |     +--ro esp-integrity-algorithm?         ipsec-authentication-algorithm {ipsec-
esp-integrity}?
   |     +--ro esp-encrypt-algorithm?           ipsec-encryption-algorithm {ipsec-esp-
encrypt}?
   |     +--ro life-time
   |     |  +--ro life-time-in-seconds?          uint32
   |     |  +--ro remain-life-time-in-seconds?   uint32
   |     |  +--ro life-time-in-byte?             uint32
   |     |  +--ro remain-life-time-in-byte?      uint32
   |     +--ro protocol-mode?                   ipsec-mode
   |     +--ro tunnel-mode-process-info
   |     |  +--ro local-address?              string {ipsec-tunnel}?
   |     |  +--ro remote-address?             string {ipsec-tunnel}?
   |     |  +--ro bypass-df?                  enumeration {ipsec-tunnel}?
   |     |  +--ro dscp-flag?                  boolean {ipsec-tunnel}?
   |     |  +--ro stateful-frag-check-flag?   boolean {ipsec-tunnel}?
   |     +--ro dscp*                            uint8
   |     +--ro path-mtu?                        uint16
   |     +--ro nat-traversal-flag?              boolean





Tran, et al.          Expires September 18, 2016              [Page 16]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


3.8. IPsec SPD Operational Data Model

   The IPSEC SPD(Security Policy Database) container maintains policy
   information related to the IPSEC SAs established in a system.  This
   is a run-time data structure that is created when the first IPSEC
   policy is created.

   The SPD entries also contain information about the traffic
   selectors, protect action (permit, deny), protocol information etc
   as shown below.  Based on these information the IPSEC module
   processes the outbound and inbound traffic.

   +--ro spd {spd}?
   |  +--ro spd-entries*
   |     +--ro name*
   |     |  +--ro name-type?     ipsec-spd-name
   |     |  +--ro name-string?   string
   |     |  +--ro name-binary?   binary
   |     +--ro pfp-flag?            boolean
   |     +--ro traffic-selector*
   |     |  +--ro local-address-low?     inet:ip-address {ipsec-local-address-range}?
   |     |  +--ro local-address-high?    inet:ip-address {ipsec-local-address-range}?
   |     |  +--ro remote-address-low?    inet:ip-address {ipsec-remote-address-range}?
   |     |  +--ro remote-address-high?   inet:ip-address {ipsec-remote-address-range}?
   |     |  +--ro next-protocol-low?     uint16 {ipsec-next-protocol-range}?
   |     |  +--ro next-protocol-high?    uint16 {ipsec-next-protocol-range}?
   |     |  +--ro local-port-low?        inet:port-number {ipsec-local-port-range}?
   |     |  +--ro local-port-high?       inet:port-number {ipsec-local-port-range}?
   |     |  +--ro remote-port-high?      inet:port-number {ipsec-remote-port-range}?
   |     |  +--ro remote-port-low?       inet:port-number {ipsec-remote-port-range}?
   |     +--ro operation?           ipsec-spd-operation
   |     +--ro protect-operation
   |        +--ro spd-ipsec-mode?           ipsec-mode
   |        +--ro esn-flag?                 boolean
   |        +--ro spd-ipsec-protocol?       ipsec-protocol
   |        +--ro tunnel-mode-additional
   |        |  +--ro local-address?              string {ipsec-tunnel}?
   |        |  +--ro remote-address?             string {ipsec-tunnel}?
   |        |  +--ro bypass-df?                  enumeration {ipsec-tunnel}?
   |        |  +--ro dscp-flag?                  boolean {ipsec-tunnel}?
   |        |  +--ro stateful-frag-check-flag?   boolean {ipsec-tunnel}?
   |        +--ro spd-algorithm*
   |           +--ro ah-auth-algorithm?         ipsec-authentication-algorithm {ipsec-
ah-authentication}?
   |           +--ro esp-integrity-algorithm?   ipsec-authentication-algorithm {ipsec-
esp-integrity}?



Tran, et al.          Expires September 18, 2016              [Page 17]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


   |           +--ro esp-encrypt-algorithm?     ipsec-encryption-algorithm {ipsec-esp-
encrypt}?










































Tran, et al.          Expires September 18, 2016              [Page 18]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


3.9. IPsec Global Statistics Operational Data Model

   The IPSEC Global Statistics container is used to maintain
   information related to all the IPSEC tunnels established in the
   system.  These could be related to IPv4 IPSEC tunnels or IPv6 IPSEC
   tunnels.

   The information maintained includes: traffic sent/received on an
   IPSEC tunnel like number of outbound/inbound packets, number of
   outbound/inbound bytes, number of packets dropped, number of
   replayed packets, number of packet authentication failures, number
   of packets dropped due to queue full, number of packets dropped due
   to deny policy, number of packet dropped due to being malformed,
   number of packets dropped due to being too large.


   +--ro ipsec-global-statistics {ipsec-global-stats}?
      +--ro ipv4
      |  +--ro inbound-packets?         uint64 {ipsec-stat}?
      |  +--ro outbound-packets?        uint64 {ipsec-stat}?
      |  +--ro inbound-bytes?           uint64 {ipsec-stat}?
      |  +--ro outbound-bytes?          uint64 {ipsec-stat}?
      |  +--ro inbound-drop-packets?    uint64 {ipsec-stat}?
      |  +--ro outbound-drop-packets?   uint64 {ipsec-stat}?
      |  +--ro dropped-packet-detail {ipsec-stat}?
      |     +--ro sa-non-exist?   uint64
      |     +--ro queue-full?     uint64
      |     +--ro auth-failure?   uint64
      |     +--ro malform?        uint64
      |     +--ro replay?         uint64
      |     +--ro large-packet?   uint64
      |     +--ro invalid-sa?     uint64
      |     +--ro policy-deny?    uint64
      |     +--ro other-reason?   uint64
      +--ro ipv6
      |  +--ro inbound-packets?         uint64 {ipsec-stat}?
      |  +--ro outbound-packets?        uint64 {ipsec-stat}?
      |  +--ro inbound-bytes?           uint64 {ipsec-stat}?
      |  +--ro outbound-bytes?          uint64 {ipsec-stat}?
      |  +--ro inbound-drop-packets?    uint64 {ipsec-stat}?
      |  +--ro outbound-drop-packets?   uint64 {ipsec-stat}?
      |  +--ro dropped-packet-detail {ipsec-stat}?
      |     +--ro sa-non-exist?   uint64
      |     +--ro queue-full?     uint64
      |     +--ro auth-failure?   uint64
      |     +--ro malform?        uint64
      |     +--ro replay?         uint64


Tran, et al.          Expires September 18, 2016              [Page 19]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


      |     +--ro large-packet?   uint64
      |     +--ro invalid-sa?     uint64
      |     +--ro policy-deny?    uint64
      |     +--ro other-reason?   uint64
      +--ro global
         +--ro inbound-packets?         uint64 {ipsec-stat}?
         +--ro outbound-packets?        uint64 {ipsec-stat}?
         +--ro inbound-bytes?           uint64 {ipsec-stat}?
         +--ro outbound-bytes?          uint64 {ipsec-stat}?
         +--ro inbound-drop-packets?    uint64 {ipsec-stat}?
         +--ro outbound-drop-packets?   uint64 {ipsec-stat}?
         +--ro dropped-packet-detail {ipsec-stat}?
            +--ro sa-non-exist?   uint64
            +--ro queue-full?     uint64
            +--ro auth-failure?   uint64
            +--ro malform?        uint64
            +--ro replay?         uint64
            +--ro large-packet?   uint64
            +--ro invalid-sa?     uint64
            +--ro policy-deny?    uint64
            +--ro other-reason?   uint64





























Tran, et al.          Expires September 18, 2016              [Page 20]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


3.10. RPC Operation

   This section defines a list of RPC support for IPsec protocol.

   rpcs:
      +---x clear-ipsec-group     {clear-ipsec-group}?
      |  +--ro input
      |     +--ro alarm-hold-down?     uint8
      |     +--ro ipsec-policy-name?   leafref
      +---x clear-ike-group       {clear-ike-group}?
      |  +--ro input
      |     +--ro proposal?   leafref
      +---x clear-ikev2-group     {clear-ikev2-group}?
      |  +--ro input
      |     +--ro proposal?   leafref
      +---x reset-ipv4            {reset-ipv4}?
      |  +--ro input
      |  |  +--ro ipv4?   empty
      |  +--ro output
      |     +--ro status?   string
      +---x reset-ipv6            {reset-ipv6}?
      |  +--ro input
      |  |  +--ro ipv6?   empty
      |  +--ro output
      |     +--ro status?   string
      +---x reset-global          {reset-global}?
         +--ro input
         |  +--ro ipv6?   empty
         +--ro output
            +--ro status?   string


















Tran, et al.          Expires September 18, 2016              [Page 21]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


3.11. Notifications

   This model defines a list of notifications to inform client of
   important events detected during the protocol operation.  These
   events include events related to changes in the operational state of
   an IKE SA, IPsec SA, Statistics etc.

notifications:
   +---n dpd-failure
   |  +--ro peer-id?   string
   +---n peer-authentication-failure     {peer-authentication-failure}?
   |  +--ro peer-id?   string
   +---n ike-reauth-failure              {ike-reauth-failure}?
   |  +--ro peer-id?   string
   +---n ike-rekey-failure               {ike-rekey-failure}?
   |  +--ro peer-id?     string
   |  +--ro old-i-spi?   uint64
   |  +--ro old-r-spi?   uint64
   +---n ipsec-rekey-failure             {ipsec-rekey-failure}?
      +--ro peer-id?            string
      +--ro old-inbound-spi?    ipsec-spi
      +--ro old-outbound-spi?   ipsec-spi
























Tran, et al.          Expires September 18, 2016              [Page 22]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


4. IPsec YANG Module

   This section will present the YANG data model for IPsec, IKEv1, and
   IKEv2.

   <CODE BEGINS> file "ietf-ipsec@2016-03-09.yang"


   module ietf-ipsec {
     namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec";
     prefix "eipsec";

     import ietf-inet-types {
       prefix inet;
     }

     import ietf-yang-types {
       prefix yang;
     }

     organization "Ericsson AB.
                   Huawei Technologies India Pvt Ltd.";

     contact "Web:   <http://www.ericsson.com>";

     description
       "This YANG module defines the configuration and operational
        state data for Internet Protocol Security (IPSec) on
        IETF draft.
        Copyright (c) 2016 Ericsson AB.
        All rights reserved.";

     revision 2016-03-09 {
       description
         "Third revision.
          Fix YANG compiling error because it used internal
          data model econtext and should be removed in the
          draft.
          Fix warnings.
          Run validation on
          http://www.netconfcentral.org/yangdumpresults";
       reference
         "Update since second revision.";
     }
     revision 2015-09-13 {
       description
         "Second revision.";
       reference
         "updates since initial revision.


Tran, et al.          Expires September 18, 2016              [Page 23]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         combining:
          draft-tran-ipecme-yang-ipsec-00.
          draft-wang-ipsecme-ike-yang-00.
          draft-wang-ipsecme-ipsec-yang-00.";
     }
     revision 2015-05-14 {
       description
         "Initial revision.";
       reference
         "May 14, 2015  draft-tran-ipecme-yang-ipsec-00.
          May 22, 2015  draft-wang-ipsecme-ike-yang-00.
          June 15, 2015 draft-wang-ipsecme-ipsec-yang-00.";
     }
     /*--------------------*/
     /* Feature            */
     /*--------------------*/

     feature ikev1 {
       description
         "Feature IKEv1";
     }

     feature ike-proposal-state {
       description
         "IKEv2 Proposal Operational State";
     }

     feature ike-policy-state {
       description
         "IKEv1 Policy Operational State";
     }

     feature ikev1-state {
       description
         "IKEv1 Operational State";
     }

     feature ike-reauth-failure {
       description
         "IKEv1 Reauthorization Failure";
     }

     feature ike-rekey-failure {
       description
         "IKEv1 Rekey Failure";
     }


     feature ikev2 {



Tran, et al.          Expires September 18, 2016              [Page 24]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


       description
         "Feature IKEv2";

     }

     feature ikev2-global {
       description
         "Feature IKEv2 Global Parameters";

     }

     feature ikev2-peer {
       description
         "Feature IKEv2 Peer";

     }

     feature ikev2-proposal {
       description
         "Feature IKEv2 Proposal";

     }

     feature ikev2-policy {
       description
         "Feature IKEv2 Policy";

     }

     feature ikev2-proposal-state {
       description
         "IKEv2 Proposal Operational State";
     }

     feature ikev2-state {
       description
         "IKEv2 Operational State";
     }

     feature ipsec {
       description
         "Feature IPsec";

     }

     feature ipsec-acl {
       description
         "Feature IPsec ACL";




Tran, et al.          Expires September 18, 2016              [Page 25]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


     }
     feature ipsec-sad {
       description
         "Feature IPsec SAD";

     }

     feature ipsec-proposal {
       description
         "Feature IPsec Proposal";

     }

     feature ipsec-spd {
       description
         "Feature IPsec SPD";

     }

     feature ipsec-policy-state {
       description
         "IPsec Policy Operational State";
     }

     feature ipsec-proposal-state {
       description
         "IPsec Proposal Operational State";
     }

     feature ipsec-alarms-state {
       description
         "IPsec Alarm State Operational State";
     }

     feature ipsec-sa-ah-state {
       description
         "IPsec SA AH Operational State";
     }

     feature ipsec-sa-state {
       description
         "IPsec SA Operational State";
     }

     feature ipsec-tunnel {
       description
         "IPsec Tunnel";
     }




Tran, et al.          Expires September 18, 2016              [Page 26]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


     feature ipsec-local-address-range {
       description
         "IPsec Local Address Range";
     }

     feature ipsec-remote-address-range {
       description
         "IPsec Remote Address Range";
     }

     feature ipsec-next-protocol-range {
       description
         "IPsec Next Protocol Range";
     }

     feature ipsec-local-port-range {
       description
         "IPsec Local Port Range";
     }

     feature ipsec-remote-port-range {
       description
         "IPsec Remote Port Range";
     }

     feature ipsec-ah-authentication {
       description
         "IPsec AH Authentication";
     }

     feature ipsec-esp-integrity {
       description
         "IPsec ESP Integrity";
     }

     feature ipsec-esp-encrypt {
       description
         "IPsec ESP encryption";
     }

     feature ipsec-stat {
       description
         "IPsec Stats";
     }

     feature ipsec-state {
       description
         "IPsec Operational State";
     }



Tran, et al.          Expires September 18, 2016              [Page 27]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016



     feature ipsec-rekey-failure {
       description
         "IPsec Rekey Failure";
     }

     feature ipsec-redundancy {
       description
         "IPsec Redundancy State";
     }

     feature sad {
       description
         "Security Association (SA) Database";
     }

     feature spd {
       description
         "Security Policy Database";
     }

     feature ipsec-global-stats {
       description
         "IPsec Global Stats";
     }

     feature clear-ipsec-group {
       description
         "Clear IPsec group";
     }

     feature clear-ike-group {
       description
         "Clear IKE group";
     }

     feature clear-ikev2-group {
       description
         "Clear IKEv2 group";
     }

     feature reset-ipv4 {
       description
         "Reset IPv4";
     }

     feature reset-ipv6 {
       description
         "Reset IPv6";



Tran, et al.          Expires September 18, 2016              [Page 28]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


     }

     feature reset-global {
       description
         "Reset Global";
     }

     feature peer-authentication-failure {
       description
         "Peer Authentication Failure";
     }
     /*--------------------*/
     /* Typedefs           */
     /*--------------------*/

     typedef authentication-method-t {
       type enumeration {
         enum psk {
           value 0;
           description
             "Pre-Sharing Keys.";
         }
         enum certificate {
           value 1;
           description
             "Certificate.";
         }
       }
       description
         "Available authentication methods.";
     }

     /* IKEv2 Exchange Types (ET) */
     typedef ikev2-exchange-type-t {
       type enumeration {
         enum ikev2-et-ike-sa-init {
           value 34;
           description
             "ikev2-et-ike-sa-init - RFC 7296.";
         }
         enum ikev2-et-ike-auth {
           value 35;
           description
             "ikev2-et-ike-auth - RFC 7296.";
         }
         enum ikev2-et-create-child-sa {
           value 36;
           description
             "ikev2-et-create-child-sa - RFC 7296.";



Tran, et al.          Expires September 18, 2016              [Page 29]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         }
         enum ikev2-et-informational {
           value 37;
           description
             "ikev2-et-informational - RFC 7296.";
         }
         enum ikev2-et-ike-session-resume {
           value 38;
           description
             "ikev2-et-ike-session-resume - RFC 7296.";
         }
         enum ikev2-et-gsa-auth {
           value 39;
           description
             "ikev2-et-gsa-auth - RFC 7296.";
         }
         enum ikev2-et-gsa-registration {
           value 40;
           description
             "ikev2-et-gsa-registration - RFC 7296.";
         }
         enum ikev2-et-gsa-rekey {
           value 41;
           description
             "ikev2-et-gsa-rekey - RFC 7296.";
         }
       }
       description
         "IKEv2 Exchange Types (ET).";
     }

      /* Transform Type Values (TTV), RFC 7296 */
      typedef transform-type-value-t {
       type enumeration {
         enum ttv-reserved-0 {
           value 0;
           description
             "ttv-reserved-0 - Transform Type Value Reserved "+
             "(RFC 7296).";
         }
         enum ttv-encr {
           value 1;
           description
             "ttv-encr - Transform Type Value 1,
              Encryption Algorithm "+
             "(ENCR) used in IKE and ESP.";
         }
         enum ttv-prf {
           value 2;



Tran, et al.          Expires September 18, 2016              [Page 30]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           description
             "ttv-prf - Transform Type Value 2, "+
             "Pseudo-Random Function(PRF) used in IKE.";
         }
         enum ttv-integ {
           value 3;
           description
             "ttv-integ - Transform Type Value 3, Integrity Algorithm"+
             " (INTEG) used in IKE, AH, optional ESP.";
         }
         enum ttv-dh {
           value 4;
           description
             "ttv-dh - Transform Type Value 4, Diffie-Hellman (DH) "+
             "used in IKE, optional AH and ESP.";
         }
         enum ttv-esn {
           value 5;
           description
             "ttv-esn - Transform Type Value 5, Extended Sequence "+
             "Numbers (ESN) used in AH and ESP.";
         }
       }
       description
         "Transform Type Values (RFC 7296).";
     }

      /* IKEv2 Transform Attribute Types (TAT) */
      typedef ikev2-transform-attribute-type-t {
       type enumeration {
         enum ikev2-tat-reserved-0 {
           value 0;
           description
             "ikev2-tat-reserved-0 - IKEv2 Transform Attribute "+
             "Type Reserved-0 (RFC 7296).";
         }
         enum ikev2-tat-reserved-1 {
           value 1;
           description
             "ikev2-tat-reserved-1 - IKEv2 Transform Attribute "+
             "Type Reserved-1 (RFC 7296).";
         }
         enum ikev2-tat-reserved-13 {
           value 13;
           description
             "ikev2-tat-reserved-13 - IKEv2 Transform Attribute "+
             "Type Reserved-13 (RFC 7296).";
         }
         enum ikev2-tat-key-length {



Tran, et al.          Expires September 18, 2016              [Page 31]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           value 41;
           description
             "ikev2-tat-key-length - IKEv2 Transform Attribute "+
             "Type KEY LENGTH (in bits) (RFC 7296).";
         }
       }
       description
         "IKEv2 Transform Attribute Types (TAT) (RFC 7296).";
     }

      /* Transform Type 1 (Encryption Algorithm Transform IDs) */
     typedef ike-encryption-algorithm-t {
       type enumeration {
         enum encr-reserved-0 {
           value 0;
           description
             "encr-reserved-0 --> RFC_5996.";
         }
         enum encr-des-iv4 {
           value 1;
           description
             "encr-des-iv4 --> RFC_5996.";
         }
         enum encr-des {
           value 2;
           description
             "encr-des --> RFC_5996.";
         }
         enum encr-3des {
           value 3;
           description
             "encr-3des --> RFC_5996.";
         }
         enum encr-rc5 {
           value 4;
           description
             "encr-rc5 --> RFC_5996.";
         }
         enum encr-idea {
           value 5;
           description
             "encr-idea --> RFC_5996.";
         }
         enum encr-cast {
           value 6;
           description
             "encr-cast --> RFC_5996.";
         }
         enum encr-blowfish {



Tran, et al.          Expires September 18, 2016              [Page 32]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           value 7;
           description
             "encr-blowfish --> RFC_5996.";
         }
         enum encr-3idea {
           value 8;
           description
             "encr-3idea --> RFC_5996.";
         }
         enum encr-des-iv32 {
           value 9;
           description
             "encr-des-iv32 --> RFC_5996.";
         }
         enum encr-reserved-10 {
           value 10;
           description
             "encr-reserved-10 --> RFC_5996.";
         }
         enum encr-null {
           value 11;
           description
             "encr-null --> RFC_5996.";
         }
         enum encr-aes-cbc {
           value 12;
           description
             "encr-aes-cbc --> RFC_5996.";
         }
         enum encr-aes-ctr {
           value 13;
           description
             "encr-aes-ctr --> RFC_5996.";
         }
         enum encr-aes-ccm-8 {
           value 14;
           description
             "encr-aes-ccm-8 --> RFC_5996.";
         }
         enum encr-aes-ccm-12 {
           value 15;
           description
             "encr-aes-ccm-12 --> RFC_5996.";
         }
         enum encr-aes-ccm-16 {
           value 16;
           description
             "encr-aes-ccm-16 --> RFC_5996.";
         }



Tran, et al.          Expires September 18, 2016              [Page 33]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         enum encr-reserved-17 {
           value 17;
           description
             "encr-reserved-17 --> RFC_5996.";
         }
         enum encr-aes-gcm-8-icv {
           value 18;
           description
             "encr-aes-gcm-8-icv --> RFC_5996.";
         }
         enum encr-aes-gcm-12-icv {
           value 19;
           description
             "encr-aes-gcm-12-icv --> RFC_5996.";
         }
         enum encr-aes-gcm-16-icv {
           value 20;
           description
             "encr-aes-gcm-16-icv--> RFC_5996.";
         }
         enum encr-null-auth-aes-gmac {
           value 21;
           description
             "encr-null-auth-aes-gmac --> RFC_5996.";
         }
         enum encr-ieee-p1619-xts-aes {
           value 22;
           description
             "encr-ieee-p1619-xts-aes --> Reserved for "+
             "IEEE P1619 XTS-AES.";
         }
         enum encr-camellia-cbc {
           value 23;
           description
             "encr-camellia-cbc --> RFC_5996.";
         }
         enum encr-camellia-ctr {
           value 24;
           description
             "encr-camellia-ctr --> RFC_5996.";
         }
         enum encr-camellia-ccm-8-icv {
           value 25;
           description
             "encr-camellia-ccm-8-icv --> RFC_5996.";
         }
         enum encr-camellia-ccm-12-icv {
           value 26;
           description



Tran, et al.          Expires September 18, 2016              [Page 34]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


             "encr-camellia-ccm-12-icv --> RFC_5996.";
         }
         enum encr-camellia-ccm-16-icv {
           value 27;
           description
             "encr-camellia-ccm-16-icv --> RFC_5996.";
         }
         enum encr-aes-cbc-128 {
           value 1024;
           description
             "encr-aes-cbc-128 --> RFC_5996.";
         }
         enum encr-aes-cbc-192 {
           value 1025;
           description
             "encr-aes-cbc-192 --> RFC_5996.";
         }
         enum encr-aes-cbc-256 {
           value 1026;
           description
             "encr-aes-cbc-256 --> RFC_5996.";
         }
         enum encr-blowfish-128 {
           value 1027;
           description
             "encr-blowfish-128 --> RFC_5996.";
         }
         enum encr-blowfish-192 {
           value 1028;
           description
             "encr-blowfish-192 --> RFC_5996.";
         }
         enum encr-blowfish-256 {
           value 1029;
           description
             "encr-blowfish-256 --> RFC_5996.";
         }
         enum encr-blowfish-448 {
           value 1030;
           description
             "encr-blowfish-448 --> RFC_5996.";
         }
         enum encr-camellia-128 {
           value 1031;
           description
             "encr-camellia-128 --> RFC_5996.";
         }
         enum encr-camellia-192 {
           value 1032;



Tran, et al.          Expires September 18, 2016              [Page 35]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           description
             "encr-camellia-192 --> RFC_5996.";
         }
         enum encr-camellia-256 {
           value 1033;
           description
             "encr-camellia-256 --> RFC_5996.";
         }
       }
       description
         "Transform Type 1 - Internet Key Exchange (IKE) "+
         "encryption algorithms.";
     }

     /* Transform Type 2 (Pseudo-Random Function PRF) */
     typedef pseudo-random-function-t {
       type enumeration {
         enum prf-reserved-0 {
           value 0;
           description
             "prf-reserved-0 --> RFC_2104.";
         }
         enum prf-hmac-md5 {
           value 1;
           description
             "prf-hmac-md5 --> RFC_2104.";
         }
         enum prf-hmac-sha1 {
           value 2;
           description
             "prf-hmac-sha1 --> RFC2104.";
         }
         enum prf-hmac-tiger {
           value 3;
           description
             "prf-hmac-tiger --> RFC2104.";
         }
         enum prf-aes128-xcbc {
           value 4;
           description
             "prf-aes128-xcbc --> RFC_4434.";
         }
         enum prf-hmac-sha2-256 {
           value 5;
           description
             "prf-hmac-sha2-256 --> RFC_4434.";
         }
         enum prf-hmac-sha2-384 {
           value 6;



Tran, et al.          Expires September 18, 2016              [Page 36]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           description
             "prf-hmac-sha2-384 --> RFC_4434.";
         }
         enum prf-hmac-sha2-512 {
           value 7;
           description
             "prf-hmac-sha2-512 --> RFC_4434.";
         }
         enum prf-aes128-cmac {
           value 8;
           description
             "prf-aes128-cmac --> RFC_4615.";
         }
       }
       description
         "Available Pseudo-Random Functions (PRF).";
     }

      /* Transform Type 3 (Integrity Algorithm) */
     typedef ike-integrity-algorithm-t {
       type enumeration {
         enum auth-none {
           value 0;
           description
             "auth-none --> RFC_5996.";
         }
         enum auth-hmac-md5-96 {
           value 1;
           description
             "auth-hmac-md5-96 --> RFC_5996.";
         }
         enum auth-hmac-sha1-96 {
           value 2;
           description
             "auth-hmac-sha1-96 --> RFC_5996.";
         }
         enum auth-des-mac {
           value 3;
           description
             "auth-des-mac --> RFC_5996.";
         }
         enum auth-kpdk-md5 {
           value 4;
           description
             "auth-kpdk-md5 --> RFC_5996.";
         }
         enum auth-aes-xcbc-96 {
           value 5;
           description



Tran, et al.          Expires September 18, 2016              [Page 37]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


             "auth-aes-xcbc-96 --> RFC_5996.";
         }
         enum auth-hmac-md5-128 {
           value 6;
           description
             "auth-hmac-md5-128 --> RFC_5996.";
         }
         enum auth-hmac-sha1-160 {
           value 7;
           description
             "auth-hmac-sha1-160 --> RFC_5996.";
         }
         enum auth-aes-cmac-96 {
           value 8;
           description
             "auth-aes-cmac-96 --> RFC_5996.";
         }
         enum auth-aes-128-gmac {
           value 9;
           description
             "auth-aes-128-gmac --> RFC_5996.";
         }
         enum auth-aes-192-gmac {
           value 10;
           description
             "auth-aes-192-gmac --> RFC_5996.";
         }
         enum auth-aes-256-gmac {
           value 11;
           description
             "auth-aes-256-gmac --> RFC_5996.";
         }
         enum auth-hmac-sha2-256-128 {
           value 12;
           description
             "auth-hmac-sha2-256-128 --> RFC_5996.";
         }
         enum auth-hmac-sha2-384-192 {
           value 13;
           description
             "auth-hmac-sha2-384-192 --> RFC_5996.";
         }
         enum auth-hmac-sha2-512-256 {
           value 14;
           description
             "auth-hmac-sha2-512-256 --> RFC_5996.";
         }
         enum auth-hmac-sha2-256-96 {
           value 1024;



Tran, et al.          Expires September 18, 2016              [Page 38]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           description
             "auth-hmac-sha2-256-96.";
         }
       }
       description
         "Transform Type 3 - Internet Key Exchange (IKE) "+
         "Integrity Algorithms.";
     }

     /* Transform Type 4 (Diffie-Hellman Group) */
     typedef diffie-hellman-group-t {
       type enumeration {
         enum group-none {
           value 0;
           description
             "group-none --> RFC_5996.";
         }
         enum modp-768-group-1 {
           value 1;
           description
             "modp-768-group-1 --> RFC_5996.";
         }
         enum modp-1024-group-2 {
           value 2;
           description
             "modp-1024-group-2 --> RFC_5996.";
         }
         enum modp-1536-group-5 {
           value 5;
           description
             "modp-1536-group-5 --> RFC_3526.";
         }
         enum modp-2048-group-14 {
           value 14;
           description
             "modp-2048-group-14 --> RFC_3526.";
         }
         enum modp-3072-group-15 {
           value 15;
           description
             "modp-3072-group-15 --> RFC_3526.";
         }
         enum modp-4096-group-16 {
           value 16;
           description
             "modp-4096-group-16 --> RFC_3526.";
         }
         enum modp-6144-group-17 {
           value 17;



Tran, et al.          Expires September 18, 2016              [Page 39]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           description
             "modp-6144-group-17 --> RFC_3526.";
         }
         enum modp-8192-group-18 {
           value 18;
           description
             "modp-8192-group-18 --> RFC_3526.";
         }
         enum recp-256-group-19 {
           value 19;
           description
             "recp-256-group-19 --> RFC_6989. 256-bit"+
             " Random ECP Group.";
         }
         enum recp-384-group-20 {
           value 20;
           description
             "recp-384-group-20 --> RFC_6989. 384-bit"+
             " Random ECP Group.";
         }
         enum recp-521-group-21 {
           value 21;
           description
             "recp-521-group-21 --> RFC_6989. 521-bit"+
             " Random ECP Group.";
         }
         enum modp-1024-160-pos-group-22 {
           value 22;
           description
             "modp-1024-160-pos-group-22 --> RFC_6989."+
             " 1024-bit MODP Group with"+
             " 160-bit Prime Order Subgroup (POS).";
         }
         enum modp-2048-224-pos-group-23 {
           value 23;
           description
             "modp-2048-224-pos-group-23 --> RFC_6989."+
             " 2048-bit MODP Group with"+
             " 224-bit Prime Order Subgroup (POS).";
         }
         enum modp-2048-256-pos-group-24 {
           value 24;
           description
             "modp-2048-256-pos-group-24 --> RFC_6989."+
             " 2048-bit MODP Group with"+
             " 256-bit Prime Order Subgroup (POS).";
         }
         enum recp-192-group-25 {
           value 25;



Tran, et al.          Expires September 18, 2016              [Page 40]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           description
             "recp-192-group-25 --> RFC_6989."+
             " 192-bit Random ECP Group.";
         }
         enum recp-224-group-26 {
           value 26;
           description
             "recp-224-group-26 --> RFC_6989."+
             " 224-bit Random ECP Group.";
         }
       }
       description
         "Diffie-Hellman Groups (RFC 5996).";
     }


     /* Transform Type 5 (Extended Sequence Numbers
        Transform ESN IDs) */
     typedef extended-sequence-number-t {
       type enumeration {
         enum esn-none {
           value 0;
           description
             "esn-none - Extended Sequence Number None --> RFC_7296.";
         }
         enum esn-1 {
           value 1;
           description
             "esn-1 - Extended Sequence Number --> RFC_7296.";
         }
       }
       description
         "Extended Sequence Number (RFC 7296).";
     }


     typedef connection-type-t {
       type enumeration {
         enum initiator-only {
           value 0;
           description
             "initiator-only: ME will act as initiator for"+
             " bringing up IKEv2"+
             " session with its IKE peer.";
         }
         enum responder-only {
           value 1;
           description
             "responder-only: ME will act as responder for"+



Tran, et al.          Expires September 18, 2016              [Page 41]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


             " bringing up IKEv2"+
             " session with its IKE peer.";
         }
         enum both {
           value 2;
           description
             "both: ME can act as initiator or responder.";
         }
       }
       description
         "Connection type for IKE session.";
     }

     typedef transport-protocol-name-t {
       type enumeration {
         enum tcp {
           value 1;
           description
             "Transmission Control Protocol (TCP) Transport Protocol.";
         }
         enum udp {
           value 2;
           description
             "User Datagram Protocol (UDP) Transport Protocol";
         }
         enum sctp {
           value 3;
           description
             "Stream Control Transmission Protocol (SCTP) Transport "+
             "Protocol";
         }
         enum icmp {
           value 4;
           description
             "Internet Control Message Protocol (ICMP) Transport "+
             "Protocol";
         }
       }
       description
         "Enumeration of well known transport protocols.";
     }

     typedef preshared-key-t {
       type string;
       description
         "Derived string used as Pre-Shared Key.";
     }

     typedef pad-type-t {



Tran, et al.          Expires September 18, 2016              [Page 42]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


       type enumeration {
         enum dns-name {
           value 1;
           description
             "DNS name (specific or partial)";
         }
         enum distinguished-name {
           value 2;
           description
             "Distinguished Name (complete or sub-tree constrained)";
         }
         enum rfc-822 {
           value 3;
           description
             "RFC 822 email address (complete or partially qualified)";
         }
         enum ipv4-range {
           value 4;
           description
             "IPv4 Address Range";
         }
         enum ipv6-range {
           value 5;
           description
             "IPv6 Address Range";
         }
         enum key-id {
           value 6;
           description
             "Key ID (exact match only)";
         }
       }
       description
         "PAD Type";
     }


     /*-------------------------------------------------- */
     /* draft-wang-ipsecme-ipsec-yang-00: ietf-ipsec-type */
     /*-------------------------------------------------- */
     typedef ipsec-mode {
       type enumeration {
         enum "transport" {
           description
             "Transport mode";
         }
         enum "tunnel" {
           description
             "Tunnel mode";



Tran, et al.          Expires September 18, 2016              [Page 43]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         }
       }
       description
         "type define of ipsec mode";
     }

     typedef ipsec-protocol {
       type enumeration {
         enum "ah" {
           description
             "AH Protocol";
         }
         enum "esp" {
           description
             "ESP Protocol";
         }
       }
       description
         "type define of ipsec security protocol";
     }

     typedef ipsec-spi {
       type uint32 {
         range "1..max";
       }
       description
         "SPI";
     }

     typedef ipsec-spd-name {
      type enumeration {
       enum id_rfc_822_addr {
           description
             "Fully qualified user name string.";
         }
         enum id_fqdn {
           description
             "Fully qualified DNS name.";
         }
         enum id_der_asn1_dn {
           description
             "X.500 distinguished name.";
         }
         enum id_key {
           description
             "IKEv2 Key ID.";
         }
       }
       description



Tran, et al.          Expires September 18, 2016              [Page 44]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         "IPsec SPD name type";
     }

     typedef ipsec-traffic-direction {
       type enumeration {
         enum inbound {
           description
             "Inbound traffic";
         }
         enum outbound {
           description
             "Outbound traffic";
         }
       }
       description
         "IPsec traffic direction";
     }

     typedef ipsec-spd-operation {
       type enumeration {
         enum protect {
           description
             "PROTECT the traffic with IPsec";
         }
         enum bypass {
           description
             "BYPASS the traffic";
         }
         enum discard {
           description
             "DISCARD the traffic";
         }
       }
       description
         "The operation when traffic matches IPsec security policy";
     }


     /*---------------------------------------------------- */
     /* draft-wang-ipsecme-ipsec-yang-00: ietf-ipsec-crypto */
     /*---------------------------------------------------- */
     typedef ipsec-authentication-algorithm {
       type enumeration {
         enum "null" {
           value 0;
           description
             "null";
         }
         enum "md5" {



Tran, et al.          Expires September 18, 2016              [Page 45]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           value 1;
           description
             "MD5 authentication algorithm";
         }
         enum "sha1" {
           value 2;
           description
             "SHA1 authentication algorithm";
         }
         enum "sha2-256" {
           value 3;
           description
             "SHA2-256 authentication algorithm";
         }
         enum "sha2-384" {
           value 4;
           description
             "SHA2-384 authentication algorithm";
         }
         enum "sha2-512" {
           value 5;
           description
             "SHA2-512 authentication algorithm";
         }
       }
       description
         "typedef for ipsec authentication algorithm";
     }

     typedef ipsec-encryption-algorithm {
       type enumeration {
         enum "null" {
           description
             "null";
         }
         enum "des" {
           description
             "DES encryption algorithm";
         }
         enum "3des" {
           description
             "3DES encryption algorithm";
         }
         enum "aes-128" {
           description
             "AES-128 encryption algorithm";
         }
         enum "aes-192" {
           description



Tran, et al.          Expires September 18, 2016              [Page 46]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


             "AES-192 encryption algorithm";
         }
         enum "aes-256" {
           description
             "AES-256 encryption algorithm";
         }
       }
       description
        "typedef for ipsec encryption algorithm";
     }

     /*-------------------------------------------------- */
     /* draft-wang-ipsecme-ike-yang-00: ietf-ipsec-type */
     /*-------------------------------------------------- */
     typedef ike-integrity-algorithm {
       type enumeration {
         enum "hmac-md5-96" {
           description
             "HMAC-MD5-96 Integrity Algorithm";
         }
         enum "hmac-sha1-96" {
           description
             "HMAC-SHA1-96 Integrity Algorithm";
         }
         enum "hmac-sha2-256" {
           description
             "HMAC-SHA2-256 Integrity Algorithm";
         }
         enum "hmac-sha2-384" {
           description
             "HMAC-SHA2-384 Integrity Algorithm";
         }
         enum "hmac-sha2-512" {
           description
             "HMAC-SHA2-512 Integrity Algorithm";
         }
       }
       description
         "typedef for ike integrity algorithm.";
     }

     typedef ike-encryption-algorithm {
       type enumeration {
         enum "des-cbc" {
           description
             "DES-CBC Encryption algorithm";
         }
         enum "3des-cbc" {
           description



Tran, et al.          Expires September 18, 2016              [Page 47]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


             "3DES-CBC Encryption algorithm";
         }
         enum "aes-cbc-128" {
           description
             "AES-CBC-128 Encryption algorithm";
         }
         enum "aes-cbc-192" {
           description
             "AES-CBC-192 Encryption algorithm";
         }
         enum "aes-cbc-256" {
           description
             "AES-CBC-256 Encryption algorithm";
         }
       }
       description
         "typedef for ike encryption algorithm.";
     }

     typedef ike-prf-algorithm {
       type enumeration {
         enum "hmac-md5-96" {
           description
             "HMAC-MD5-96 PRF Algorithm";
         }
         enum "hmac-sha1-96" {
           description
             "HMAC-SHA1-96 PRF Algorithm";
         }
         enum "hmac-sha2-256" {
           description
             "HMAC-SHA2-256 PRF Algorithm";
         }
         enum "hmac-sha2-384" {
           description
             "HMAC-SHA2-384 PRF Algorithm";
         }
         enum "hmac-sha2-512" {
           description
             "HMAC-SHA2-512 PRF Algorithm";
         }
       }
       description
         "typedef for ike prf algorithm.";
     }

     typedef ike-dh-group {
       type enumeration {
         enum "dh-group-none" {



Tran, et al.          Expires September 18, 2016              [Page 48]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           description
             "None Diffie-Hellman group";
         }
         enum "dh-group-1" {
           description
             "768 bits Diffie-Hellman group";
         }
         enum "dh-group-2" {
           description
             "1024 bits Diffie-Hellman group";
         }
         enum "dh-group-5" {
           description
             "1536 bits Diffie-Hellman group";
         }
         enum "dh-group-14" {
           description
             "2048 bits Diffie-Hellman group";
         }
       }
       description
         "typedef for ike dh group";
     }


     typedef ike-peer-name-ref {
       type leafref {
         path "/ikev2/ike-peer/ike-peer-entries/peer-name";
       }
       description "reference to ike peer name";
     }

     typedef ike-proposal-number-ref {
       type leafref {
         path "/ikev2/proposal/name";
       }
       description "reference to ike proposal name";
     }

     typedef ipsec-proposal-name-ref{
       type leafref {
         path "/ipsec/proposal/ipsec-proposal/name";
       }
       description "reference to ike proposal name";
     }

     typedef ike-auth-method {
       type enumeration {
         enum pre-share {



Tran, et al.          Expires September 18, 2016              [Page 49]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           description
             "Select pre-shared key message as the
              authentication method";
         }
         enum rsa-digital-signature {
           description
             "Select rsa digital signature as the
              authentication method";
         }
         enum dss-digital-signature {
           description
             "Select dss digital signature as the
              authentication method";
         }
       }
       description "IKE authentication methods";
     }

     /*--------------------*/
     /*   grouping         */
     /*--------------------*/

      /* The following groupings are used in both configuration data
        and operational state data */
     grouping name-grouping {
       description
         "This grouping provides a leaf identifying the name.";
       leaf name {
         type string;
         description
           "Name of a identifying.";
       }
       leaf description {
         type string;
         description
           "Specify the description.";
       }
     }

     grouping sequence-number-grouping {
       description
         "This grouping provides a leaf identifying
          a sequence number.";
       leaf sequence-number {
         type uint32 {
           range "1..4294967295";
         }
         description
           "Specify the sequence number.";



Tran, et al.          Expires September 18, 2016              [Page 50]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


       }
     }

     grouping description-grouping {
       description
         "description for free use.";
       leaf description {
         type string;
         description
           "description for free use.";
       }
     }

     grouping traffic-selector-grouping {
       description
         "Traffic selector to be used for SA negotiation.";
       leaf traffic-selector-id {
         type string;
         mandatory true;
         description
           "Traffic selector identifier.";
       }
       leaf protocol-name {
         type transport-protocol-name-t;
         description
           "Specifies the protocol selector.";
       }
       leaf address-range {
         type string;
         mandatory true;
         description
           "Specifies the IPv4 or IPv6 address range.";
       }
     }



     grouping ike-general-proposal-grouping {
       description
         "IKE proposal.";
       leaf name {
          type string;
          mandatory true;
          description
            "IKE Proposal identify.";
       }
       leaf description {
         type string;
         description



Tran, et al.          Expires September 18, 2016              [Page 51]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           "Specify the description.";
       }

       leaf dh-group {
         type diffie-hellman-group-t;
         mandatory true;
         description
           "Specifies a Diffie-Hellman group.";
       }
       container encryption {
         description
           "Specify IKE Proposal encryption configuration";
         leaf algorithm {
            type ike-encryption-algorithm-t;
            description
              "Specifies an Encryption Algorithm.";
         }
       }
     }

     grouping ike-proposal-grouping {
       description
         "Configure the IKE Proposal";
       uses ike-general-proposal-grouping;

       leaf lifetime {
         type uint32;
          mandatory true;
         description
           "Configure lifetime for IKE SAs
            0: for no timeout.
            300 .. 99999999:  IKE SA lifetime in seconds.";
       }
       container authentication {
         description
           "Specify IKE Proposal authentication configuration";
         leaf algorithm {
           type ike-integrity-algorithm-t;
           description
             "Specify the authentication algorithm";
         }
         leaf preshared-key {
           type empty;
           description
             "Use pre-shared key based authentication";
         }
         leaf rsa-signature {
           type empty;
           description



Tran, et al.          Expires September 18, 2016              [Page 52]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


             "Use signature based authentication by using
              PKI certificates";
         }
       }
     }

     grouping ikev2-proposal-grouping {
       description
         "Holds an IKEv2 transform proposal used during "+
         "IKEv2 SA negotiation.  Multiple IKEv2 Transforms "+
         " can be proposed during an IKEv2 session initiation "+
         "in an ordered list.";
       uses ike-general-proposal-grouping;

       leaf pseudo-random-function {
         type pseudo-random-function-t;
         mandatory true;
         description
           "Specifies Pseudo Random Function for IKEv2 key exchange";
       }
       container authentication {
         description
           "Specify IKEv2 Proposal authentication configuration";
         leaf algorithm {
           type ike-integrity-algorithm-t;
           description
             "Specify the authentication algorithm";
         }
       }
     }

     grouping ipsec-proposal-grouping {
       description
         "Configure IPSec Proposal";
       leaf name {
          type string;
          mandatory true;
          description
            "IPSec proposal identifier.";
       }
       leaf ah {
         type ike-integrity-algorithm-t;
         description
           "Configure Authentication Header (AH).";
       }
       container esp {
         description
           "Configure Encapsulating Security Payload (ESP).";
         leaf authentication {



Tran, et al.          Expires September 18, 2016              [Page 53]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           type ike-integrity-algorithm-t;
           description
             "Configure ESP authentication";
         }
         leaf encryption {
           type ike-encryption-algorithm-t;
           description
             "Configure ESP encryption";
         }
       }
       leaf ip-comp{
         type empty;
         description
           "Enable IPSec proposal IP-COMP which uses the IP Payload "+
           "compression protocol to compress IP Security (IPSec) "+
           "packets before encryption";
       }
       container lifetime {
         description
           "Configure lifetime for IPSEC SAs";
         leaf kbytes {
           type uint32 {
             range "128..2147483647";
           }
           description
             "Enter lifetime kbytes for IPSEC SAs";
         }
         leaf seconds {
           type uint32 {
             range "300..99999999";
           }
           description
             "Enter lifetime seconds for IPSEC SAs
             0: lifetime of 0 for no timeout
             300..99999999: IPSec SA lifetime in seconds";
         }
       }
     }

     grouping identity-grouping {
       description
         "Identification type. It is an union identity, "+
         "possible type as follows: "+
         "a) ID_FQDN: A fully-qualified domain name string. "+
         "  An example of a ID_FQDN is, example.com. "+
         "  The string MUST not contain any terminators "+
         "(e.g., NULL, CR, etc.). "+
         "b) ID_RFC822_ADDR: A fully-qualified RFC822 email "+
         "   address string, An example of a ID_RFC822_ADDR is, "+



Tran, et al.          Expires September 18, 2016              [Page 54]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         "   jsmith@example.com. The string MUST not contain "+
         "   any terminators. "+
         "c) ID_IPV4_ADDR: A single four (4) octet IPv4 address. "+
         "d) ID_IPV6_ADDR: A single sixteen (16) octet IPv6 address. "+
         "e) DN_X509: Distinguished name in the X.509 tradition.";
       choice identity {
         description
           "Choice of identity.";
         leaf ipv4-address {
           type inet:ipv4-address;
           description
             "Specifies the identity as a single four (4)
              octet IPv4 address.
              An example is, 10.10.10.10. ";
         }
         leaf ipv6-address {
           type inet:ipv6-address;
           description
             "Specifies the identity as a single sixteen (16) "+
             "octet IPv6 address. "+
             "An example is, "+
             "FF01::101, 2001:DB8:0:0:8:800:200C:417A .";
         }
         leaf fqdn-string {
           type inet:domain-name;
           description
             "Specifies the identity as a Fully-Qualified
              Domain Name (FQDN) string.
              An example is: example.com.
              The string MUST not contain any terminators
              (e.g., NULL, CR, etc.).";
         }
         leaf rfc822-address-string {
           type string;
           description
             "Specifies the identity as a fully-qualified RFC822
              email address string.
              An example is, jsmith@example.com.
              The string MUST not contain any terminators
              (e.g., NULL, CR, etc.).";
         }
         leaf dnX509 {
           type string;
           description
             "Specifies the identity as a distinguished name
              in the X.509 tradition.";
         }
       }
     } /* grouping identity-grouping */



Tran, et al.          Expires September 18, 2016              [Page 55]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016



     grouping ike-general-policy-profile-grouping {
       description
         "IKE policy.";
       leaf connection-type {
         type connection-type-t;
         mandatory true;
         description
           "Specify the IKE connection type";
       }
       leaf pre-shared-key {
         type union {
           type string {
             length "16";
           }
           type yang:hex-string {
             length "40";
           }
         }
         description
           "Specify IKE pre-shared-key value";
       }
       leaf validate-certificate-identity {
         type empty;
         description
           "Validate Remote-ID payload against the
           ID's available in the certificate";
       }
       list seq {
         key seq-id;
         description
           "list of sequence of policy.";
         leaf seq-id {
           type uint32 {
             range "1..429496729";
           }
           description
             "Sequence Number";
         }
         leaf proposal {
           type leafref {
             path "/eipsec:ikev1/eipsec:proposal"+
                  "/eipsec:name";
           }
           description
             "IKE Proposal reference.";
         }
       }
       container identity {



Tran, et al.          Expires September 18, 2016              [Page 56]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         description
           "Specify IKE identity value";
         container local {
           description
             "Specify the identity of the local IP Security (IPSec)
             tunnel endpoint in an Internet Key Exchange (IKE)
             policy to use when negotiating IKE request with a
             remote peer.";
           uses identity-grouping;
         }
         container remote {
           description
             "Specify the identity of the remote IP Security (IPSec)
             tunnel endpoint in an
              Internet Key Exchange (IKE) policy to use when
              negotiating IKE request with a remote peer.";
           uses identity-grouping;
         }
       }
     }

     grouping ike-policy-mode-grouping {
       description
         "IKE Policy Mode";
       container mode {
         description
           "Specify IKE mode configuration";
         leaf aggressive {
           type empty;
           description
             "Set IKE Aggressive mode";
         }
         leaf main {
           type empty;
           description
             "Set IKE Main mode";
         }
       }
     }

     grouping ike-policy-profile-grouping {
       description
         "Configure IKE policy";
       leaf name {
         type string;
         mandatory true;
         description
           "Specify an IKE policy name";
       }



Tran, et al.          Expires September 18, 2016              [Page 57]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


       uses ike-policy-mode-grouping;
       uses ike-general-policy-profile-grouping;
     }

     grouping ikev2-policy-profile-grouping {
       description
         "Common information for multiple IKE sessions
         to be instantiated on a managed element.;
          One or more Ikev2Session instances might refer
          to this instance.";
       leaf name {
         type string;
         mandatory true;
         description
           "Value component of the RDN.";
       }
       container authentication {
         description
           "Specify IKE Proposal authentication configuration";
         leaf preshared-key {
           type empty;
           description
             "Use pre-shared key based authentication";
         }
         leaf rsa-signature {
           type empty;
           description
             "Use signature based authentication by using
             PKI certificates";
         }
       }
       leaf lifetime {
         type uint32;
         mandatory true;
         description
           "Configure lifetime for IKE SAs
            0: for no timeout.
            300 .. 99999999:  IKE SA lifetime in seconds.";
       }

       container address-allocation {
         must "../connection-type = 'responder-only'" {
           description
             "address-allocation can be configured only with
             responder-only in ike2 policy";
         }
         leaf aaa {
           type empty;
           description



Tran, et al.          Expires September 18, 2016              [Page 58]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


             "IRAC address allocation by AAA";
         }
         description
           "Specify IKE IRAS address allocation option";
       }
       uses ike-general-policy-profile-grouping;

       leaf description {
         type string;
         description
           "Specify the description.";
       }
     }

     grouping ipsec-policy-grouping {
       description
         "Holds configuration information for IPSec policies.";
       leaf name {
         type string;
         mandatory true;
         description
           "IPSec Policy Identification";
       }
       leaf description {
         type string;
         description
           "Specify the description.";
       }

       leaf anti-replay-window {
         type uint32 {
           range "0 | 32..1024";
         }
         description
           "Configure replay window size
           0: to disable anti-replay-window
           32..1024: IPSec anti-replay-window size in multiple of 32";
       }
       container perfect-forward-secrecy {
         description
           "Configure Perfect Forward Secrecy (PFS) for IPSec Policy";
         leaf dh-group {
           type diffie-hellman-group-t;
           description
             "Configure Diffie-Hellman group for
              perfect-forward-secrecy";
         }
       }
       list seq {



Tran, et al.          Expires September 18, 2016              [Page 59]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         key seq-id;
         description
           "Specify IPSEC proposal sequence number";
         leaf seq-id {
           type uint32;
           description
             "Sequence ID";
         }
         leaf description {
           type string;
           description
             "Specify the description.";
         }

         leaf proposal {
           type leafref {
             path "/eipsec:ipsec/"+
                  "eipsec:proposal/eipsec:ipsec-proposal/eipsec:name";
           }
           description
             "IKE proposal reference.";
         }
       }
     }

     grouping key-string-grouping {
       description
         "Configure key for authentication algorithm";
       leaf key-str {
         type union {
           type string {
             length "16";
           }
           type yang:hex-string {
             length "40";
           }
         }
         description
           "Key string input is either string value (length of 16)
           or hexadecimal (length of 40)";
       }
     }

     grouping ipsec-sa-ah-grouping {
       description
         "Configure Authentication Header (AH) for
          Security Association (SA)";
       container ah {
         description



Tran, et al.          Expires September 18, 2016              [Page 60]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           "Configure Authentication Header (AH) for SA";
         choice authentication-algorithm {
           description
             "choice for authentication algorithm to set for AH";
           case hmac-aes-xcbc {
             container hmac-aes-xcbc {
               description
                 "Set the authentication algorithm to hmac-aes-xcbc";
               uses key-string-grouping;
             }
           }
           case hmac-md5-96 {
             container hmac-md5-96 {
               description
                 "Set the authentication algorithm to hmac-md5-96";
               uses key-string-grouping;
             }
           }
           case hmac-sha1-96 {
             container hmac-sha1-96 {
               description
                 "Set the authentication algorithm to hmac-sha1-96";
               uses key-string-grouping;
             }
           }
           case key-string {
             container key-string {
               description
                 "Configure key for authentication algorithm";
               uses key-string-grouping;
             }
           }
         }
       }
     }

     grouping ipsec-sa-esp-grouping {
       description
         "Configure IPSec Encapsulation Security Payload (ESP)";
       container esp {
         description
           "Set IPSec Encapsulation Security Payloer (ESP)";
         container authentication {
           description
             "Configure authentication for IPSec
              Encapsulation Secutiry Payload (ESP)";
           choice authentication-algorithm {
             description
               "choice for authentication algorithm to set";



Tran, et al.          Expires September 18, 2016              [Page 61]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


             case hmac-aes-xcbc {
               container hmac-aes-xcbc {
                 description
                   "Set the authentication algorithm to hmac-aes-xcbc";
                 uses key-string-grouping;
               }
             }
             case hmac-md5-96 {
               container hmac-md5-96 {
                 description
                   "Set the authentication algorithm to hmac-md5-96";
                 uses key-string-grouping;
               }
             }
             case hmac-sha1-96 {
               container hmac-sha1-96 {
                 description
                   "Set the authentication algorithm to hmac-sha1-96";
                 uses key-string-grouping;
               }
             }
             case key-string {
               container key-string {
                 description
                   "Configure key for authentication algorithm";
                 uses key-string-grouping;
               }
             }
           }
         }
         container encryption {
           description
             "Configure encryption for IPSec
              Encapsulation Secutiry Payload (ESP)";
           choice encryption-algorithm {
             description
               "type of encryption";
             case des3-cbc {
               container des3-cbd {
                 description
                   "Set the encryption algorithm to des3-cbc";
                 uses key-string-grouping;
               }
             }
             case aes-128-cbc {
               container aes-128-cbc {
                 description
                   "Set the encryption algorithm to aes-128-cbc";
                 uses key-string-grouping;



Tran, et al.          Expires September 18, 2016              [Page 62]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


               }
             }
             case aes-192-cbc {
               container aes-192-cbc {
                 description
                   "Set the encryption algorithm to aes-192-cbc";
                 uses key-string-grouping;
               }
             }
             case aes-256-cbc {
               container aes-256-cbc {
                 description
                   "Set the encryption algorithm to aes-256-cbc";
                 uses key-string-grouping;
               }
             }
             case des-cbc {
               container des-cbc {
                 description
                   "Set the encryption algorithm to des-cbc";
                 uses key-string-grouping;
               }
             }
             case key-string {
               container key-string {
                 description
                   "Configure key for encryption algorithm";
                 uses key-string-grouping;
               }
             }
           }
         }
       }
     }

     grouping ipsec-acl-dest-grouping {
       description
         "IPSEC ACL destination.";
       /* For destination */
       choice dest-address {
         description
           "destination address.";
         case dest-ipv4-address {
           leaf destination-ipv4-address {
             type inet:ipv4-address;
             description
               "Destination IPv4 Address A.B.C.D/0..32.";
           }
         }



Tran, et al.          Expires September 18, 2016              [Page 63]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         case dest-any {
           leaf dest-any {
             type empty;
             description
               "Match Any Destination IPv4 Address.";
           }
         }
       }
     }

     grouping ipsec-acl-seq-protocol-number-grouping {
       description
         "IPSec ACL Sequence protocol number.";
       leaf number {
         type uint16 {
           range "0..255";
         }
         description
           "Specify protocol number.";
       }
       choice argument {
         description
           "Source IPv4 address.";
         case source-ipv4-address {
           leaf source-ipv4-address {
             type inet:ipv4-address;
             description
               "Source IPv4 Address A.B.C.D/0..32.";
           }
         }
         case any {
           /* For source */
           leaf source-any {
             type empty;
             description
               "Match Any Source IPv4 Address.";
           }
         }
       }
     }

     grouping ipsec-acl-seq-ip-address-grouping {
       description
         "IPSec ACL Sequence IP Address.";
       leaf source-ipv4-address {
         type inet:ipv4-address;
         description
           "Source is IPv4 Address A.B.C.D/0..32.";
       }



Tran, et al.          Expires September 18, 2016              [Page 64]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


     }

     grouping ipsec-acl-seq-any-grouping {
       description
         "IPSec ACL Sequence Any.";
       leaf any {
         type empty;
         description
           "Source is Any.";
       }
     }

     grouping ipsec-acl-seq-tcp-grouping {
       description
         "IPSec ACL Sequence TCP.";
       leaf tcp {
         type empty;
         description
           "Source is TCP protocol.";
       }
     }

     grouping ipsec-acl-seq-udp-grouping {
       description
         "IPSec ACL Sequence for UDP.";
       leaf udp {
         type empty;
         description
           "Source is UDP protocol.";
       }
     }

     grouping ipsec-acl-grouping {
       description
         "IPSec ACL";
       list access-list {
         if-feature ipsec-acl;
         key "name sequence-number";
         uses name-grouping;
         uses sequence-number-grouping;
         description
           "Configure the IPSec access-list.";
         choice protocol {
           description
             "IPSec ACL protocol.";
           case number {
             uses ipsec-acl-seq-protocol-number-grouping;
           }
           case source-ipv4-address {



Tran, et al.          Expires September 18, 2016              [Page 65]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


             uses ipsec-acl-seq-ip-address-grouping;
           }
           case any {
             uses ipsec-acl-seq-any-grouping;
           }
           case tcp {
             uses ipsec-acl-seq-tcp-grouping;
           }
           case udp {
             uses ipsec-acl-seq-udp-grouping;
           }
         }
         uses ipsec-acl-dest-grouping;
       }
     }

     grouping ipsec-df-bit-grouping {
       description
         "IPSec Dont Fragment (DF) bit for IP header.";
       container df-bit {
         description
           "Configure Don't Fragment (DF) bit for IP Header.";
         leaf clear {
           type empty;
           description
             "Clear DF bit for outer IP header.";
         }
         leaf propagate {
           type empty;
           description
             "Propagate DF bit for outer IP header.";
         }
         leaf set {
           type empty;
           description
             "Set DF bit for outer IP header.";
         }
       }
     }

     grouping ipsec-profile-grouping {
       description
         "IPSec profile.";
       list profile {
         key "name";
         uses name-grouping;
         uses ipsec-df-bit-grouping;
         description
           "Configure the IPSec Profile.";



Tran, et al.          Expires September 18, 2016              [Page 66]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         leaf mtu {
           type uint32 {
             range "256..1600";
           }
           description
             "Set the MTU.";
         }
         list seq {
           key "sequence-number";
           uses sequence-number-grouping;
           description
             "IPSec Access List sequence number.";
           leaf policy {
             type leafref {
               path "/eipsec:ipsec/eipsec:policy"+
                    "/eipsec:ipsec-policy/eipsec:name";
             }
             description
               "Specify IPSec policy name.";
           }
         }
       }
     }


     grouping ip-address-grouping {
       description
         "IP Address grouping";

       choice ip-address {
         description
           "Choice of IPv4 or IPv6.";
         leaf ipv4-address {
           type inet:ipv4-address;
           description
             "Specifies the identity as a single four (4)
              octet IPv4 address.
              An example is, 10.10.10.10. ";
         }
         leaf ipv6-address {
           type inet:ipv6-address;
           description
             "Specifies the identity as a single sixteen (16) "+
             "octet IPv6 address. "+
             "An example is, "+
             "FF01::101, 2001:DB8:0:0:8:800:200C:417A .";
         }
       }
     }



Tran, et al.          Expires September 18, 2016              [Page 67]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016



     grouping ipsec-sa-grouping {
       description
         "Configure Security Association (SA)";
       leaf spi {
         type uint32;
         description
           "Specify Security Parameter Index";
       }
       leaf anti-replay-window {
         type uint16 {
           range "0 | 32..1024";
         }
         description
           "Specify replay window size";
       }
       leaf ip-comp {
         type empty;
         description
           "Enables IPCOMP, which uses the IP payload compression
            protocol to compress IP security (IPsec) packets
            before encryption";
       }

       container local-peer {
         description
           "Specify the local peer IP address";
         uses ip-address-grouping;
       }
       container remote-peer {
         description
           "Specify the remote peer IP address";
         uses ip-address-grouping;
       }
       leaf sa-mode {
         type ipsec-mode;
         description
           "SA Mode: tunnel or transport mode";
       }
       leaf security-protocol {
         type ipsec-protocol;
         description
           "Security protocol of IPsec SA: Either AH or ESP.";
       }
       leaf sequence-number {
         type uint64;
         description
           "Current sequence number of IPsec packet.";
       }



Tran, et al.          Expires September 18, 2016              [Page 68]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


       leaf sequence-number-overflow-flag {
         type boolean;
         description
           "The flag indicating whether overflow of the sequence
            number counter should prevent transmission of additional
            packets on the SA, or whether rollover is permitted.";
       }
       leaf path-mtu {
         type uint16;
         description
           "maximum size of an IPsec packet that can be transmitted
            without fragmentation";
       }
       container life-time {
         leaf life-time-in-seconds {
           type uint32;
           description
             "SA life time in seconds";
         }
         leaf remain-life-time-in-seconds {
           type uint32;
           description
             "Remain SA life time in seconds";
         }
         leaf life-time-in-byte {
           type uint32;
           description
             "SA life time in bytes";
         }
         leaf remain-life-time-in-byte {
           type uint32;
           description
             "Remain SA life time in bytes";
         }
         description
           "SA life time information";
       }
       leaf upper-protocol {
         type string;
         description
           "Upper-layer protocol to be used";
       }
       leaf direction {
         type ipsec-traffic-direction;
         description
           "It indicates whether the SA is inbound SA or
            out bound SA.";
       }
       container source-address {



Tran, et al.          Expires September 18, 2016              [Page 69]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         description
           "Specify the source IP address and
            port of protected traffic";
         uses ip-address-grouping;
         leaf port-number {
           type uint32;
           description
             "port of protected traffic";
         }
       }
       container destination-address {
         description
           "Specify the destination IP address and
            port of protected traffic";
         uses ip-address-grouping;
         leaf port-number {
           type uint32;
           description
             "port of protected traffic";
         }
       }
       leaf nat-traversal-flag {
         type boolean;
         description
           "Whether the SA is used to protect traffic that needs
            nat traversal";
       }
       uses ipsec-sa-ah-grouping;
       uses ipsec-sa-esp-grouping;
     }


     /* draft-wang-ipsecme-ike-yang-00 */
     grouping ipsec-common-configuration {
       choice df-flag {
         default copy;
         case set {
           leaf set {
             type empty;
             description
               "Set the df bit when encapsulate IPsec tunnel.";
           }
         }
         case clear {
           leaf clear {
             type empty;
             description
               "Clear the df bit when encapsulate IPsec tunnel.";
           }



Tran, et al.          Expires September 18, 2016              [Page 70]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         }
         case copy {
           leaf copy {
             type empty;
             description
               "Copy the inner IP header df bit.";
           }
         }
         description
           "It indicates how to process the df bit when encapsulate
            IPsec tunnel.";
       }
       leaf stateful-frag-check {
         type boolean;
         default false;
         description "Whether stateful fragment checking applies.";
       }
       leaf life-time-kb {
         type uint32;
         units "KB";
         default 2000000;
         description "IPsec SA Life time in KB.";
       }
       leaf life-time-second {
         type uint32;
         units "Second";
         default 18400;
         description "IPsec SA Life time in Seconds";
       }
       choice anti-replay {
         default enable;
         case enable {
           leaf enable {
             type empty;
             description "Enable Anti-replay";
           }
           choice anti-replay-windows-size {
             case size-32;
             case size-64;
             case size-128;
             case size-256;
             case size-512;
             case size-1024;
             default size-1024;
             description "It indicate the size of anti-replay window";
           }
         }
         case disable {
           leaf disable {



Tran, et al.          Expires September 18, 2016              [Page 71]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


             type empty;
             description "Disable Anti-replay";
           }
         }
         description "Whether enable or disable anti-replay";
       }
       leaf inbound-dscp {
         type uint16 {
           range "0..63";
         }
         default 0;
         description "Inbound DSCP value";
       }
       leaf outbound-dscp {
         type uint16 {
           range "0..63";
         }
         default 0;
         description "Outbound DSCP value";
       }
       description "Common IPsec configurations";
     }

     /*--------------------*/
     /* Configuration Data */
     /*--------------------*/
     container ikev1 {
       if-feature ikev1;
       description
         "Configuration IPSec IKEv1";
       /* The following is for <configure> */
       list proposal {
          key "name";
          uses ike-proposal-grouping;
          description
            "Configure IKE proposal";
       }
       leaf keepalive {
         type empty;
         description
           "Enables sending Dead Peer Detection (DPD) messages "+
           "to Internet Key Exchange (IKE) peers.";
       }
       list policy {
         key "name";
         uses ike-policy-profile-grouping;
         description
           "Configure IKE Policy Profile.";
       }



Tran, et al.          Expires September 18, 2016              [Page 72]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


     }

     container ikev2 {
       if-feature ikev2;
       description
         "Configuration IPSec IKEv2";
       /* The following is for <configure> */
       /* draft-wang-ipsecme-ike-yang-00 */
       container ike-global-configuration {
         if-feature ikev2-global;
         description "Global IKE configurations";
         uses ipsec-common-configuration;
         leaf local-name {
           type string;
           description
             "Global local name configuration, if it is not configed,
              ip address will be used as default. If configing special
              local name for special peer, it will overwrite the global
              name configuration when negotion with that peer.";
         }
         leaf nat-keepalive-interval {
           type uint16 {
             range "5..300";
           }
           units "Seconds";
           default 20;
           description "Global nat keepalive interval";
         }
         leaf dpd-interval {
           type uint16 {
             range "10..3600";
           }
           units "Seconds";
           default 30;
           description "Global DPD interval";
         }
       }
       container ike-peer {
         if-feature ikev2-peer;
         description "IKE peer information";
         list ike-peer-entries {
           key "peer-name";
           description "IKE peer information";
           leaf peer-name {
             type string;
             mandatory true;
             description "Name of IKE peer";
           }
           leaf ike-proposal-number {



Tran, et al.          Expires September 18, 2016              [Page 73]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


             type ike-proposal-number-ref;
             description "IKE proposal number referenced by IKE peer";
           }
           leaf PresharedKey {
             type string;
             description "Preshare key";
           }
           leaf nat-traversal {
             type boolean;
             default false;
             description "Enable/Disable nat traversal";
           }
           choice local-id-type {
             default ip;
             case ip {
               leaf ip {
                 type empty;
                 description "IP address";
               }
             }
             case fqdn {
               leaf fqdn {
                 type empty;
                 description "Fully Qualifed Domain name ";
               }
             }
             case dn {
               leaf dn {
                 type empty;
                 description "Domain name";
               }
             }
             case user_fqdn {
               leaf user_fqdn {
                 type empty;
                 description "User FQDN";
               }
             }
             description "Local ID type";
           }
           leaf local-id {
             type string;
             description
               "Local ID Name. When IP is used as local ID type,
                it is ignored. If it is not configurated,
                global local name will be used.";
           }
           leaf remote-id {
             type "string";



Tran, et al.          Expires September 18, 2016              [Page 74]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


             description "ID of IKE peer";
           }
           leaf low-remote-address {
             type inet:ip-address;
             description "Low range of remote address";
           }
           leaf high-remote-address {
             type inet:ip-address;
             description "High range of remote address";
           }
           leaf certificate {
             type string;
             description "Certificate file name";
           }
           leaf auth-address-begin {
             type inet:ip-address;
             description
               "The begin range of authenticated peer address";
           }
           leaf auth-address-end {
             type inet:ip-address;
             description
               "The end range of authenticated peer address";
           }
         }
       }//End of IKEPeerEntries


       list proposal {
          if-feature ikev2-proposal;
          key "name";
          uses ikev2-proposal-grouping;
          description
            "Configure IKEv2 proposal";
       }
       list policy {
         if-feature ikev2-policy;
         key "name";
         uses ikev2-policy-profile-grouping;
         description
           "IKEv2 Policy Profile";
       }
     }

     container ipsec {
       if-feature ipsec;
       description
         "Configuration IPsec";
       container sad {



Tran, et al.          Expires September 18, 2016              [Page 75]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         if-feature ipsec-sad;
         description
           "Configure the IPSec Security Association Database (SAD)";
         list sad-entries {
           key "spi direction";
           description
             "Configure IPsec Security Association Database(SAD)";
           uses ipsec-sa-grouping;
         }
       }
       container proposal {
         if-feature ipsec-proposal;
         description
           "IPSec Proposal Profile";
         list ipsec-proposal {
           key "name";
           uses ipsec-proposal-grouping;
           description
             "Configure the IP Security (IPSec) proposal";
         }
       }
       container spd {
         if-feature ipsec-spd;
         description
           "Configure the Security Policy Database (SPD)";
         list spd-entries {
           key "name";
           ordered-by user;
           uses ipsec-policy-grouping;
           description
             "Specify an IPSec policy name";
         }
       }
       container pad {
         description
           "Configure Peer Authorization Database (PAD)";
         list pad-entries {
           key "pad-type pad-id";
           ordered-by user;
           uses identity-grouping;
           description
             "Peer Authorization Database (PAD)";
           leaf pad-id {
             type uint32;
              description
                "PAD identity";
           }
           leaf pad-type {
             type pad-type-t;



Tran, et al.          Expires September 18, 2016              [Page 76]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


             description
               " PAD type";
           }
           leaf ike-peer-name {
             type string;
             description
               "IKE Peer Name";
           }
           container peer-authentication {
             description
               "Specify IKE peer authentication configuration";
             leaf algorithm {
               type ike-integrity-algorithm-t;
               description
                 "Specify the authentication algorithm";
             }
             leaf preshared-key {
               type empty;
               description
                 "Use pre-shared key based authentication";
             }
             leaf rsa-signature {
               type empty;
               description
                 "Use signature based authentication by using
                  PKI certificates";
             }
           }
         }
       }
     }



     /*--------------------------*/
     /* Operational State Data   */
     /*--------------------------*/
     grouping ike-proposal-state-components {
       description
         "IKE Proposal operational state";
       list proposal {
         if-feature ike-proposal-state;
         description
           "Operational data for IKE Proposal";
         leaf name {
           type string {
             length "1..50";
           }
           description



Tran, et al.          Expires September 18, 2016              [Page 77]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


             "Name of the IKE proposal.";
         }
         leaf lifetime {
           type uint32;
           units "seconds";
           description
             "lifetime";
         }
         leaf encryption {
           type ike-encryption-algorithm-t;
           description
             "Encryption algorithm";
         }
         leaf dh-group {
           type diffie-hellman-group-t;
           description
             "Diffie-Hellman group.";
         }
         leaf authentication {
           type ike-integrity-algorithm-t;
           description
             "authentication";
         }
       }
     }

     grouping ike-policy-state-grouping {
       description
         "IKE Policy State.";
       list policy {
         if-feature ike-policy-state;
         description
           "Operational data for IKE policy";
         leaf name {
           type string {
             length "1..50";
           }
           description
             "Name of the IKE Policy.";
         }
         leaf description {
           type string;
           description
             "Description for IKE Policy.";
         }
         leaf mode {
           type enumeration {
             enum aggressive {
               description



Tran, et al.          Expires September 18, 2016              [Page 78]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


                 "Aggressive mode.";
             }
             enum main {
               description
                 "Main mode.";
             }
           }
           description
             "IKE policy mode.";
         }
         leaf connection-type {
           type connection-type-t;
           description
             "IKE policy connection type.";
         }
         leaf local-identity {
           type inet:ipv4-address-no-zone;
           description
             "IP address of the local identity.";
         }
         leaf remote-identity {
           type inet:ipv4-address-no-zone;
           description
             "IP address of the remote identity.";
         }
         leaf pre-shared-key {
           type string;
           description
             "Pre-shared key";
         }
         leaf seq {
           type uint32;
           description
             "sequence number";
         }
         leaf proposal {
           type string;
           description
             "proposal name";
         }
       }
     }

     grouping ikev2-proposal-state-components {
       description
         "IKEv2 Operational state";
       list proposal {
         if-feature ikev2-proposal-state;
         description



Tran, et al.          Expires September 18, 2016              [Page 79]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           "IKEv2 proposal operational data";
         leaf name {
           type string;
           description
             "Name of IKEv2 Proposal.";
         }
         leaf pseudo-random-function {
           type pseudo-random-function-t;
           description
             "Pseudo Random Function for IKEv2.";
         }
         leaf authentication {
           type ike-integrity-algorithm-t;
           description
             "authentication";
         }
         leaf encryption {
           type ike-encryption-algorithm-t;
           description
             "Encryption algorithm";
         }
         leaf dh-group {
           type diffie-hellman-group-t;
           mandatory true;
           description
             "Diffie-Hellman group.";
         }
       }
     }

     grouping ipsec-policy-state-grouping {
       description
         "IPSec operational state";
       list policy {
         if-feature ipsec-policy-state;
         description
           "IPSec policy operational data";
         leaf name {
           type string;
           description
             "IPSec Policy name.";
         }
         leaf anti-replay-window {
           type uint32;
           description
             "replay window size";
         }
         leaf perfect-forward-secrecy {
           type diffie-hellman-group-t;



Tran, et al.          Expires September 18, 2016              [Page 80]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           description
             "Diffie-Hellman group for perfect-forward-secrecy";
         }
         list seq {
           description
             "Sequence number";
           leaf seq-id {
             type uint32;
             description
               "Sequence number";
           }
           leaf proposal-name {
             type string;
             description
               "IPSec proposal name";
           }
         }
       }
     }
     grouping ipsec-proposal-state-grouping {
       description
         "IPSec proposal operational data";
       list proposal {
         if-feature ipsec-proposal-state;
         description
           "IPSec proposal operational data";
         leaf name {
           type string;
           description
             "IPSec Proposal name";
         }
         leaf ah {
           type ike-integrity-algorithm-t;
           description
             "Authentication Header (AH).";
         }
         container esp {
           description
             "Encapsulating Security Payload (ESP).";
           leaf authentication {
             type ike-integrity-algorithm-t;
             description
               "ESP authentication";
           }
           leaf encryption {
             type ike-encryption-algorithm-t;
             description
               "ESP encryption";
           }



Tran, et al.          Expires September 18, 2016              [Page 81]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         }
         leaf ip-comp{
           type empty;
           description
             "IPSec proposal IP-COMP which uses the IP Payload "+
             "compression protocol to compress IP Security (IPSec) "+
             "packets before encryption";
         }
         container lifetime {
           description
             "lifetime for IPSEC SAs";
           leaf kbytes {
             type uint32;
             description
               "lifetime kbytes for IPSEC SAs";

           }
           leaf seconds {
             type uint32;
             description
               "lifetime seconds for IPSEC SAs";
           }
         }
       }
     }

     grouping ipsec-alarms-state-grouping {
       description
         "IPSec alarms operational data";
       leaf hold-down {
         if-feature ipsec-alarms-state;
         type uint32;
         description
           "Hold-down value";
       }
     }

     grouping ipsec-sa-ah-state-grouping {
       description
         "IPSec SA's AH operational data";

       leaf spi {
         if-feature ipsec-sa-ah-state;
         type uint32;
         description
           "Security Parameter Index (SPI) value";
       }
       leaf description {
         if-feature ipsec-sa-ah-state;



Tran, et al.          Expires September 18, 2016              [Page 82]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         type string;
         description
           "the description.";
       }
       leaf authentication-algorithm {
         if-feature ipsec-sa-ah-state;
         type ike-integrity-algorithm-t;
         description
           "Authentication algorithm";
       }
       leaf encryption-algorithm {
         if-feature ipsec-sa-ah-state;
         type ike-encryption-algorithm-t;
         description
           "Encryption algorithm";
       }
     }

     grouping ipsec-sa-state-grouping {
       description
         "IPSec Security Association Operational data";
       list sa {
         if-feature ipsec-sa-state;
         description
           "IPSec SA operational data";
         leaf name {
           type string;
           description
             "Specify IPSec Security Association (SA) name";
         }
         leaf anti-replay-window {
           type uint16;
           description
             "replay window size";
         }
         leaf ip-comp {
           type empty;
           description
             "Enables IPCOMP, which uses the IP payload compression
              protocol to compress IP security (IPsec) packets before
              encryption";
         }
         uses ipsec-sa-ah-state-grouping;
       }
     }

     /* draft-wang-ipsecme-ipsec-yang-00 */
     grouping ipsec-tunnel-mode-info {
       description



Tran, et al.          Expires September 18, 2016              [Page 83]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         "common infomations when using IPsec tunnel mode";
       leaf local-address {
         if-feature ipsec-tunnel;
         type string;
         description
           "Local address of IPsec tunnel mode";
       }
       leaf remote-address {
         if-feature ipsec-tunnel;
         type string;
         description
           "Remote address of IPsec tunnel mode";
       }
       leaf bypass-df {
         if-feature ipsec-tunnel;
         type enumeration {
           enum "set" {
             description
               "Set the df bit";
           }
           enum "clear" {
             description
               "Clear the df bit";
           }
           enum "copy" {
             description
               "Copy the df bit from inner header";
           }
         }
         description
           "This flag indicates how to process tunnel mode df flag";
       }
       leaf dscp-flag {
         if-feature ipsec-tunnel;
         type boolean;
         description
           "This flag indicate whether bypass DSCP or map to
            unprotected DSCP values (array) if needed to
            restrict bypass of DSCP values.";
       }
       leaf stateful-frag-check-flag {
         if-feature ipsec-tunnel;
         type boolean;
         description
           "This flag indicates whether stateful fragment checking
            will be used.";
       }
     }
     grouping traffic-selector {



Tran, et al.          Expires September 18, 2016              [Page 84]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


       description
         "IPsec traffic selector information";
       leaf local-address-low {
         if-feature ipsec-local-address-range;
         type inet:ip-address;
         description
           "Low range of local address";
       }
       leaf local-address-high {
         if-feature ipsec-local-address-range;
         type inet:ip-address;
         description
           "High range of local address";
       }
       leaf remote-address-low {
         if-feature ipsec-remote-address-range;
         type inet:ip-address;
         description
           "Low range of remote address";
       }
       leaf remote-address-high {
         if-feature ipsec-remote-address-range;
         type inet:ip-address;
         description
           "High range of remote address";
       }
       leaf next-protocol-low {
         if-feature ipsec-next-protocol-range;
         type uint16;
         description
           "Low range of next protocol";
       }
       leaf next-protocol-high {
         if-feature ipsec-next-protocol-range;
         type uint16;
         description
           "High range of next protocol";
       }
       leaf local-port-low {
         if-feature ipsec-local-port-range;
         type inet:port-number;
         description
           "Low range of local port";
       }
       leaf local-port-high {
         if-feature ipsec-local-port-range;
         type inet:port-number;
         description
           "High range of local port";



Tran, et al.          Expires September 18, 2016              [Page 85]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


       }
       leaf remote-port-high {
         if-feature ipsec-remote-port-range;
         type inet:port-number;
         description
           "Low range of remote port";
       }
       leaf remote-port-low {
         if-feature ipsec-remote-port-range;
         type inet:port-number;
         description
           "High range of remote port";
       }
     }
     grouping ipsec-algorithm-info {
       description
         "IPsec algorithm information used by SPD and SAD";
       leaf ah-auth-algorithm {
         if-feature ipsec-ah-authentication;
         type ipsec-authentication-algorithm;
         description
           "Authentication algorithm used by AH";
       }
       leaf esp-integrity-algorithm {
         if-feature ipsec-esp-integrity;
         type ipsec-authentication-algorithm;
         description
           "Integrity algorithm used by ESP";
       }
       leaf esp-encrypt-algorithm {
         if-feature ipsec-esp-encrypt;
         type ipsec-encryption-algorithm;
         description
           "Encryption algorithm used by ESP";
       }
     }
     grouping ipsec-stat {
       leaf inbound-packets {
         if-feature ipsec-stat;
         type uint64;
         config false;
         description "Inbound Packet count";
       }
       leaf outbound-packets {
         if-feature ipsec-stat;
         type uint64;
         config false;
         description "Outbound Packet count";
       }



Tran, et al.          Expires September 18, 2016              [Page 86]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


       leaf inbound-bytes {
         if-feature ipsec-stat;
         type uint64;
         config false;
         description "Inbound Packet bytes";
       }
       leaf outbound-bytes {
         if-feature ipsec-stat;
         type uint64;
         config false;
         description "Outbound Packet bytes";
       }
       leaf inbound-drop-packets {
         if-feature ipsec-stat;
         type uint64;
         config false;
         description "Inbound dropped packets count";
       }
       leaf outbound-drop-packets {
         if-feature ipsec-stat;
         type uint64;
         config false;
         description "Outbound dropped packets count";
       }
       container dropped-packet-detail {
         if-feature ipsec-stat;
         description "The detail information of dropped packets";
         leaf sa-non-exist {
           type uint64;
           config false;
           description
             "The dropped packets counts caused by SA non-exist.";
         }
         leaf queue-full {
           type uint64;
           config false;
           description
             "The dropped packets counts caused by full processing
              queue";
         }
         leaf auth-failure {
           type uint64;
           config false;
           description
             "The dropped packets counts caused by authentication
              failure";
         }
         leaf malform {
           type uint64;



Tran, et al.          Expires September 18, 2016              [Page 87]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           config false;
           description "The dropped packets counts of malform";
         }
         leaf replay {
           type uint64;
           config false;
           description "The dropped packets counts of replay";
         }
         leaf large-packet {
           type uint64;
           config false;
           description "The dropped packets counts of too large";
         }
         leaf invalid-sa {
           type uint64;
           config false;
           description "The dropped packets counts of invalid SA";
         }
         leaf policy-deny {
           type uint64;
           config false;
           description
             "The dropped packets counts of denyed by policy";
         }
         leaf other-reason {
           type uint64;
           config false;
           description
             "The dropped packets counts of other reason";
         }
       }
       description "IPsec statistics information";
     }


     container ike-state {
       if-feature ikev1-state;
       config "false";
       uses ike-proposal-state-components;
       uses ike-policy-state-grouping;
       description
         "Contain the operational data for IKE.";
     }
     container ikev2-state {
       if-feature ikev2-state;
       config "false";
       uses ikev2-proposal-state-components;
       uses ike-policy-state-grouping;
       description



Tran, et al.          Expires September 18, 2016              [Page 88]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         "Contain the operational data for IKEv2.";
     }
     container ipsec-state {
       if-feature ipsec-state;
       config "false";
       uses ipsec-policy-state-grouping;
       uses ipsec-proposal-state-grouping;
       uses ipsec-alarms-state-grouping;
       uses ipsec-sa-state-grouping;
       container redundancy {
         if-feature ipsec-redundancy;
         description
           "Configure redundancy for IPSec";
         leaf inter-chassis {
           type empty;
           description
             "Set redundancy at chassis level";
         }
       }

       description
         "Contain the operational data for IPSec.";
     }

     /* draft-wang-ipsecme-ipsec-yang-00 */
     container sad {
       if-feature sad;
       config false;
       description
         "The IPsec SA database";
       list sad-entries {
         key "spi security-protocol direction";
         description
           "The SA entries information";
         leaf spi {
           type ipsec-spi;
           description
             "Security parameter index of SA entry.";
         }
         leaf security-protocol {
           type ipsec-protocol;
           description
             "Security protocol of IPsec SA.";
         }
         leaf direction {
           type ipsec-traffic-direction;
           description
             "It indicates whether the SA is inbound SA or
              out bound SA.";



Tran, et al.          Expires September 18, 2016              [Page 89]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         }
         leaf sa-type {
           type enumeration {
             enum "manual" {
               description
                 "Manual IPsec SA";
             }
             enum "isakmp" {
               description
                 "ISAKMP IPsec SA";
             }
           }
           description
             "It indicates whether the SA is created by manual
              or by dynamic protocol.";
         }
         leaf sequence-number {
           type uint64;
           description
             "Current sequence number of IPsec packet.";
         }
         leaf sequence-number-overflow-flag {
           type boolean;
           description
             "The flag indicating whether overflow of the sequence
              number counter should prevent transmission of additional
              packets on the SA, or whether rollover is permitted.";
         }
         leaf anti-replay-enable-flag {
           type boolean;
           description
             "It indicates whether anti-replay is enable or disable.";
         }
         leaf anti-replay-window-size {
           type uint64;
           description
             "The size of anti-replay window.";
         }
         uses ipsec-algorithm-info;
         container life-time {
           leaf life-time-in-seconds {
             type uint32;
             description
               "SA life time in seconds";
           }
           leaf remain-life-time-in-seconds {
             type uint32;
             description
               "Remain SA life time in seconds";



Tran, et al.          Expires September 18, 2016              [Page 90]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           }
           leaf life-time-in-byte {
             type uint32;
             description
               "SA life time in bytes";
           }
           leaf remain-life-time-in-byte {
             type uint32;
             description
               "Remain SA life time in bytes";
           }
           description
             "SA life time information";
         }
         leaf protocol-mode {
           type ipsec-mode;
           description
             "It indicates whether tunnel mode or transport mode
              will be used.";
         }
         container tunnel-mode-process-info {
           when "../protocol-mode = 'tunnel'" {
             description
               "External information of SA when SA works in
                tunnel mode.";
           }
           uses ipsec-tunnel-mode-info;
           description
             "External information of SA when SA works in
              tunnel mode.";
         }
         leaf-list dscp {
           type uint8 {
             range "0..63";
           }
           description
             "When traffic matchs SPD, the DSCP values used to
              filter traffic";
         }
         leaf path-mtu {
           type uint16;
           description
             "Path MTU valie";
         }
         leaf nat-traversal-flag {
           type boolean;
           description
             "Whether the SA is used to protect traffic that needs
              nat traversal";



Tran, et al.          Expires September 18, 2016              [Page 91]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


         }
       }
     }
     container spd {
       if-feature spd;
       config false;
       description
         "IPsec security policy database information";
       list spd-entries {
         description
           "IPsec SPD entry information";
         list name {
           description
             "SPD name information.";
           leaf name-type {
             type ipsec-spd-name;
             description
               "SPD name type.";
           }
           leaf name-string {
             when "../name-type = 'id_rfc_822_addr' or ../name-type =
                   'id_fqdn'" {
               description
                 "when name type is id_rfc_822_addr or id_fqdn, the
                  name are saved in string";
             }
             type string;
             description
               "SPD name content";
           }
           leaf name-binary {
             when "../name-type = 'id_der_asn1_dn' or ../name-type =
                   'id_key'" {
               description
                 "when name type is id_der_asn1_dn or id_key, the name
                  are saved in binary";
             }
             type binary;
             description
               "SPD name content";
           }
         }
         leaf pfp-flag {
           type boolean;
           description
             "populate from packet flag";
         }
         list traffic-selector {
           min-elements 1;



Tran, et al.          Expires September 18, 2016              [Page 92]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           uses traffic-selector;
           description
             "Traffic selectors of SAD entry";
         }
         leaf operation {
           type ipsec-spd-operation;
           description
             "It indicates how to process the traffic when it matches
              the security policy.";
         }
         container protect-operation {
           when "../operation = 'protect'" {
             description
               "How to protect the traffic when the SPD operation
                is protect";
           }
           leaf spd-ipsec-mode {
             type ipsec-mode;
             description
               "It indicates which mode is chosen when the traffic need
               be protected by IPsec.";
           }
           leaf esn-flag {
             type boolean;
             description
               "It indicates whether ESN is used.";
           }
           leaf spd-ipsec-protocol {
             type ipsec-protocol;
             description
               "It indicates which protocol (AH or ESP) is chosen.";
           }
           container tunnel-mode-additional {
             when "../spd-ipsec-mode = 'tunnel'" {
               description
                 "Additional informations when choose tunnel mode";
             }
             uses ipsec-tunnel-mode-info;
             description
               "When use tunnel mode, the additional information of
                SPD.";
           }
           list spd-algorithm {
             min-elements 1;
             uses ipsec-algorithm-info;
             description
               "Algorithms defined in SPD, ordered by decreasing
                priority.";
           }



Tran, et al.          Expires September 18, 2016              [Page 93]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


           description
             "How to protect the traffic when the SPD operation is
              protect";
         }
       }
     }

     container ipsec-global-statistics {
       if-feature ipsec-global-stats;
       config false;
       description "IPsec global statistics";
       container ipv4 {
         description "IPsec statistics of IPv4";
         uses ipsec-stat;
       }
       container ipv6 {
         description "IPsec statistics of IPv6";
         uses ipsec-stat;
       }
       container global {
         description "IPsec statistics of global";
         uses ipsec-stat;
       }
     }


     /*--------------------*/
     /* RPC                */
     /*--------------------*/
     rpc clear-ipsec-group {
       if-feature clear-ipsec-group;
       description
         "RPC for clear ipsec states";
       input {
         leaf alarm-hold-down {
           type uint8;
           description
             "IPSec alarm hold-down";
         }
         leaf ipsec-policy-name {
           type leafref {
             path "/eipsec:ipsec/eipsec:spd/"+
                  "eipsec:spd-entries/eipsec:name";
           }
           description
             "IPSec Policy name.";
         }
       }
     }



Tran, et al.          Expires September 18, 2016              [Page 94]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016



     rpc clear-ike-group {
       if-feature clear-ike-group;
       description
         "RPC for clear IKE states";
       input {
         leaf proposal {
           type leafref {
             path "/eipsec:ikev1/eipsec:proposal/"+
                  "eipsec:name";
           }
           description
             "IPSec IKE Proposal name.";
         }
       }
     }

     rpc clear-ikev2-group {
       if-feature clear-ikev2-group;
       description
         "RPC for clear IKEv2 states";
       input {
         leaf proposal {
           type leafref {
             path "/eipsec:ikev2/eipsec:proposal/"+
                  "eipsec:name";
           }
           description
             "IPSec IKEv2 Proposal name.";
         }
       }
     }

     /* draft-wang-ipsecme-ipsec-yang-00 */
     rpc reset-ipv4 {
       if-feature reset-ipv4;
       description "Reset IPsec IPv4 statistics";
       input {
         leaf ipv4 {
           type empty;
           description "Reset IPsec IPv4 statistics";
         }
       }
       output {
         leaf status {
           type string;
           description "Operation status";
         }
       }



Tran, et al.          Expires September 18, 2016              [Page 95]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


     }
     rpc reset-ipv6 {
       if-feature reset-ipv6;
       description "Reset IPsec IPv6 statistics";
       input {
         leaf ipv6 {
           type empty;
           description "Reset IPsec IPv6 statistics";
         }
       }
       output {
         leaf status {
           type string;
           description "Operation status";
         }
       }
     }
     rpc reset-global {
       if-feature reset-global;
       description "Reset IPsec global statistics";
       input {
         leaf ipv6 {
           type empty;
           description "Reset IPsec global statistics";
         }
       }
       output {
         leaf status {
           type string;
           description "Operation status";
         }
       }
     }

     notification dpd-failure{
       description "IKE peer DPD detect failure";
       leaf peer-id {
         type string;
         description "Peer ID";
       }
     }

     notification peer-authentication-failure {
       if-feature peer-authentication-failure;
       description "Peer authentication fail when negotication";
       leaf peer-id {
         type string;
         description "The ID of remote peer";
       }



Tran, et al.          Expires September 18, 2016              [Page 96]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


     }

     notification ike-reauth-failure {
       if-feature ike-reauth-failure;
       description "IKE peer reauthentication fail";
       leaf peer-id {
         type string;
         description "The ID of remote peer";
       }
     }

     notification ike-rekey-failure {
       if-feature ike-rekey-failure;
       description "IKE SA rekey failure";
       leaf peer-id {
         type string;
         description "The ID of remote peer";
       }
       leaf old-i-spi {
         type uint64;
         description "old SPI";
       }
       leaf old-r-spi {
         type uint64;
         description "old SPI";
       }
     }

     notification ipsec-rekey-failure {
       if-feature ipsec-rekey-failure;
       description "IPsec SA rekey failure";
       leaf peer-id {
         type string;
         description "The ID of remote peer";
       }
       leaf old-inbound-spi {
         type ipsec-spi;
         description "old inbound SPI";
       }
       leaf old-outbound-spi {
         type ipsec-spi;
         description "old outbound SPI";
       }
     }
   } /* module ericsson-ipsec */
   <CODE ENDS>





Tran, et al.          Expires September 18, 2016              [Page 97]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


5. Security Considerations

   The configuration, state, and action data defined in this document
   are designed to be accessed via the NETCONF protocol [RFC6241].  The
   data model by itself does not create any security implications.  The
   security considerations for the NETCONF protocol are applicable.
   The NETCONF protocol used for sending the data supports
   authentication and encryption.


6. References

6.1. Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2234] Crocker, D. and Overell, P.(Editors), "Augmented BNF for
             Syntax Specifications: ABNF", RFC 2234, Internet Mail
             Consortium and Demon Internet Ltd., November 1997.

   [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the
             Network Configuration Protocol (NETCONF)", RFC 6020,
             October 2010.

   [RFC6021] Schoenwaelder, J., "Common YANG Data Types", RFC 6021,
             October 2010.

   [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
             Bierman, "Network Configuration Protocol (NETCONF)", RFC
             6241, June 2011.

   [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., Kivinen,
             T., "Internet Key Exchange Protocol Version 2 (IKEv2)",
             RFC 5996, October 2014.

   [RFC6071] Frankel, S., Krishnan, S., "IP Security (IPsec) and
             Internet Key Exchange (IKE) Document Roadmap", February
             2011.



6.2. Informative References

   [RFC6087] Bierman, A., "Guidelines for Authors and Reviewers of YANG
             Data Model Documents", RFC 6087, January 2011.


Tran, et al.          Expires September 18, 2016              [Page 98]


Internet-Draft      draft-tran-ipsecme-yang-01.txt           March 2016


Authors' Addresses

   Khanh Tran
   Ericsson
   300 Holger Way
   San Jose, CA 95134
   USA
   Email: khanh.x.tran@ericsson.com


   Honglei Wang
   Huawei Technologies
   Huawei Bld., No.156 Beiqing Rd.
   Beijing  100095
   China
   Email: stonewater.wang@huawei.com


   Vijay Kumar Nagaraj
   Huawei Technologies
   Huawei Technologies India Pvt Ltd
   Bangalore  560008
   India
   Email: vijay.kn@huawei.com


   Xia Chen
   Huawei Technologies
   Huawei Bld., No.156 Beiqing Rd.
   Beijing  100095
   China
   Email: xiachen@huawei.com

















Tran, et al.          Expires September 18, 2016              [Page 99]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/