[Docs] [txt|pdf] [Tracker] [Email] [Nits]

Versions: 00

Network Working Group                                            H. Wang
Internet-Draft                                                V. Nagaraj
Intended status: Standards Track                                 X. Chen
Expires: November 23, 2015                           Huawei Technologies
                                                            May 22, 2015


                        Yang Data Model for IKE
                     draft-wang-ipsecme-ike-yang-00

Abstract

   This document describes a YANG data model for the IKE (Internet Key
   Exchange) protocol.  The model covers the IKE protocol configuration,
   operational state, remote procedural calls, and event notifications
   data.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 23, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of



Wang, et al.            Expires November 23, 2015               [Page 1]


Internet-Draft           Yang Data Model for IKE                May 2015


   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  IKE YANG Model Organization . . . . . . . . . . . . . . . . .   3
     2.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .   3
     2.2.  Configuration . . . . . . . . . . . . . . . . . . . . . .   5
       2.2.1.  IPsec Global Configuration  . . . . . . . . . . . . .   5
       2.2.2.  IPsec Proposal Configuration  . . . . . . . . . . . .   5
       2.2.3.  IKE Proposal Configuration  . . . . . . . . . . . . .   6
       2.2.4.  IKE Peer Configuration  . . . . . . . . . . . . . . .   6
       2.2.5.  IPsec Policy Configuration  . . . . . . . . . . . . .   7
       2.2.6.  IPsec Interface Map Configuration . . . . . . . . . .   9
     2.3.  Operational State . . . . . . . . . . . . . . . . . . . .   9
       2.3.1.  IKE SA Container State  . . . . . . . . . . . . . . .   9
       2.3.2.  IPsec SA State  . . . . . . . . . . . . . . . . . . .  10
     2.4.  Actions . . . . . . . . . . . . . . . . . . . . . . . . .  10
       2.4.1.  IKE SA reset action . . . . . . . . . . . . . . . . .  10
       2.4.2.  IPsec SA reset action . . . . . . . . . . . . . . . .  11
     2.5.  Notifications . . . . . . . . . . . . . . . . . . . . . .  11
       2.5.1.  DPD failure . . . . . . . . . . . . . . . . . . . . .  12
       2.5.2.  Peer Authentication failure . . . . . . . . . . . . .  12
       2.5.3.  IKE Reauth failure  . . . . . . . . . . . . . . . . .  12
       2.5.4.  IKE Rekey failure . . . . . . . . . . . . . . . . . .  12
       2.5.5.  IPsec Rekey failure . . . . . . . . . . . . . . . . .  12
   3.  IKE Yang Module . . . . . . . . . . . . . . . . . . . . . . .  13
     3.1.  IKE Basic Yang Module . . . . . . . . . . . . . . . . . .  13
     3.2.  IKE Algorithm Yang Module . . . . . . . . . . . . . . . .  30
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  33
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  33
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  33
   7.  Normative References  . . . . . . . . . . . . . . . . . . . .  34
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  34

1.  Introduction

   The Network Configuration Protocol (NETCONF) [RFC6241] is a network
   management protocol that defines mechanisms to manage network
   devices.  YANG [RFC6020] is a modular language that represents data
   structures in an XML tree format, and is used as a data modeling
   language for the NETCONF.




Wang, et al.            Expires November 23, 2015               [Page 2]


Internet-Draft           Yang Data Model for IKE                May 2015


   This document introduces a YANG data model for the IKE (Internet Key
   Exchange) protocol.  There are two IKE protocols defined in IETF
   namely IKEv1(IKE version 1) and IKEv2(IKE version 2).  IKEv1 protocol
   is obsolete now.  The model discussed in this document covers IKEv2
   [RFC7296] and other generic enhancements that pertain to the base
   protocol operation.

   The data model is defined for following constructs that are used for
   managing the IKE protocol: configuration, operational state, remote
   procedural calls, and event notifications data.

2.  IKE YANG Model Organization

2.1.  Overview

   The model discussd in this document covers IKEv2 [RFC7296] and other
   generic enhancements that pertain to the base protocol operation.
   The cryptographic algorithms are deliberately separated from ietf-ike
   model so that these algorithms can be updated or replaced without
   affecting the standardization progress of the rest of the IKE yang
   model.  IPsec yang model, basic cryptographic algorithms for IPsec
   and basic IPsec type defines will be left out of this model to
   support IPsec basic information defined in [RFC4301].  IPsec yang
   model will be defined in separate document.  IKE data model has the
   following relationship with IPsec module and other modules.

   ^: import
             IPsec Crypto Module            IPsec Type Module
            +--------------------+        +-------------------+
            | ietf-ipsec-crypto  |        | ietf-ipsec-type   |
            +--------------------+        +-------------------+
                      |     |              |   |
                      |     |              |   |
                      |     |              |   |
   INET Basic Type    |     v IPsec Module v   |  IKE Crypto Module
   +----------------+ |   +-----------------+  |  +---------------+
   |ietf-inet-types | |   | ietf-ipsec      |  |  |ietf-ike-crypto|
   +----------------+ |   +-----------------+  |  +---------------+
           |          |          |             |          |
           |          |          |             |          |
           |          v          v             v          |
           |         +---------------------------+        |
           +-------->|          ietf-ike         | <------+
                     +---------------------------+
       Figure 1: Relationship of IKE with IPsec module and other modules

   This model aims to address only the core IKE parameters as per RFC
   7296 [RFC7296].



Wang, et al.            Expires November 23, 2015               [Page 3]


Internet-Draft           Yang Data Model for IKE                May 2015


   This model does not cover any applications running on top of IKE nor
   does it cover any OAM procedures for IKE.  Current revision only
   describes one address family of type "ipv4".  The "ipv6" specific IKE
   configuration will be covered in later revision.

   The figure below describes the overall structure of the IKE Yang
   model :

   module: ietf-ike
      +--rw ike-global-configuration
      |  ...
      +--rw ipsec-proposal
      |  ...
      +--rw ike-proposal
      |  ...
      +--rw ike-peer
      |  ...
      +--rw ipsec-policy
      |  +--rw policy-entries* [policy-name sequence-number]
      |  |  ...
      |  +--rw policy-template-entries* [policy-name sequence-number]
      |     ...
      +--rw ipsec-interface-map
      |  ...
      +--ro ike-sa
      |  ...
      +--ro ipsec-sa
         ...
   rpcs:
      +---x reset-ike-sa
      |  ...
      +---x reset-ipsec-sa
         ...
   notifications:
      +---n dpd-failure
      |  ...
      +---n peer-authentication-failure
      |  ...
      +---n ike-reauth-failure
      |  ...
      +---n ike-rekey-failure
      |  ...
      +---n ipsec-rekey-failure
         ...







Wang, et al.            Expires November 23, 2015               [Page 4]


Internet-Draft           Yang Data Model for IKE                May 2015


2.2.  Configuration

   This specification defines the configuration parameters for IKE
   protocols version2 (IKEv2).  This specification only supports ipv4
   address type for IKE.

2.2.1.  IPsec Global Configuration

   The IKE global configuration includes some configuration that is
   common and applicable for all the IKE peers.  This includes IKE local
   name, NAT-Keep-Alive interval, DPD Idle timeout, DPD interval, DPD
   retry count etc.

    +--rw ike-global-configuration
         +--rw (df-flag)?
         |  +--:(set)
         |  |  +--rw set?                      empty
         |  +--:(clear)
         |  |  +--rw clear?                    empty
         |  +--:(copy)
         |     +--rw copy?                     empty
         +--rw stateful-frag-check?      boolean
         +--rw life-time-kb?             uint32
         +--rw life-time-second?         uint32
         +--rw (anti-replay)?
         |  +--:(enable)
         |  |  +--rw enable?                   empty
         |  |  +--rw (anti-replay-windows-size)?
         |  |     +--:(size-32)
         |  |     +--:(size-64)
         |  |     +--:(size-128)
         |  |     +--:(size-256)
         |  |     +--:(size-512)
         |  |     +--:(size-1024)
         |  +--:(disable)
         |     +--rw disable?                  empty
         +--rw inbound-dscp?             uint16
         +--rw outbound-dscp?            uint16
         +--rw local-name?               string
         +--rw nat-keepalive-interval?   uint16
         +--rw dpd-interval?             uint16

2.2.2.  IPsec Proposal Configuration

   The IPsec proposal container will be used to include the
   configuration items related to the IPsec tunnel like tunnel protocol
   (sp, ah), tunnel encapsulation mode (tunnel/transport),




Wang, et al.            Expires November 23, 2015               [Page 5]


Internet-Draft           Yang Data Model for IKE                May 2015


   authentication algorithm for ah/esp and encryption algorithm for esp
   etc

   +--rw ipsec-proposal
      +--rw ipsec-proposal-entries* [proposal-name]
         +--rw proposal-name                   string
         +--rw (protocol)?
            +--:(ah)
            |  +--rw ah                              empty
            |  +--rw ah-authentication-algorithm?    ipsec-crypto:ipsec-authentication-algorithm
            +--:(esp)
               +--rw esp                             empty
               +--rw esp-authentication-algorithm?   ipsec-crypto:ipsec-authentication-algorithm
               +--rw esp-encryption-algorithm?       ipsec-crypto:ipsec-encryption-algorithm

2.2.3.  IKE Proposal Configuration

   The IKE proposal container is mainly use to hold information related
   to the IKE SA establishment parameters.  These parameters are mainly
   negotiated between the IKE peers at the time of SA establishment.
   The various parameters in this container are proposal number,
   authentication method, integrity algorithm, encryption algorithm,
   Psuedo-Random function (prf), dh group, reauth , rekey lifetime etc

    +--rw ike-proposal
      +--rw ike-proposal-entries* [proposal-number]
         +--rw proposal-number        uint32
         +--rw auth-method?           ike-auth-method
         +--rw integrity-algorithm?   ike-crypto:ike-integrity-algorithm
         +--rw encrypt-algorithm?     ike-crypto:ike-encryption-algorithm
         +--rw prf-algorithm?         ike-crypto:ike-prf-algorithm
         +--rw dh-group?              ike-crypto:ike-dh-group
         +--rw reauth-interval?       uint32
         +--rw life-time?             uint32

2.2.4.  IKE Peer Configuration

   The IKE peer container will hold information about peer.  The IKE
   peer is an entity that is going to establish security association
   with the remote peer.  The main configuration parameters related to
   the IKE peer are: Key information, Name, proposal number, ID type,
   remote address, local address, certificate information etc









Wang, et al.            Expires November 23, 2015               [Page 6]


Internet-Draft           Yang Data Model for IKE                May 2015


      +--rw ike-peer
         +--rw ike-peer-entries* [peer-name]
            +--rw peer-name              string
            +--rw ike-proposal-number?   ike-proposal-number-ref
            +--rw PresharedKey?          string
            +--rw nat-traversal?         boolean
            +--rw (local-id-type)?
            |  +--:(ip)
            |  |  +--rw ip?                    empty
            |  +--:(fqdn)
            |  |  +--rw fqdn?                  empty
            |  +--:(dn)
            |  |  +--rw dn?                    empty
            |  +--:(user_fqdn)
            |     +--rw user_fqdn?             empty
            +--rw local-id?              string
            +--rw remote-id?             string
            +--rw low-remote-address?    inet:ip-address
            +--rw high-remote-address?   inet:ip-address
            +--rw certificate?           string
            +--rw auth-address-begin?    inet:ip-address
            +--rw auth-address-end?      inet:ip-address

2.2.5.  IPsec Policy Configuration

   The IPsec policy container will hold values related to the IPsec
   policy that is bound to an interface (tunnel or physical interface).
   The information contained in the IPsec policy will determine the
   characteristics of the tunnel that is going to be establishment.  The
   main attributes related to IPsec policy are: ACL, PFS (to do an
   additional DH exchange), peer name, IPsec proposal number, policy
   name, sequence number, policy-mode (ISAKMP, Template etc)

    +--rw ipsec-policy
      +--rw policy-entries* [policy-name sequence-number]
      |  +--rw policy-name               string
      |  +--rw sequence-number           uint32
      |  +--rw (policy-mode)?
      |     +--:(isakmp)
      |     |  +--rw isakmp?                   empty
      |     |  +--rw local-address?            inet:ip-address
      |     |  +--rw binding-interface-name?   string
      |     |  +--rw (acl)?
      |     |  |  +--:(acl-number)
      |     |  |  |  +--rw acl-number?               uint32
      |     |  |  +--:(advance-acl)
      |     |  |     +--rw advance-acl?              string
      |     |  +--rw pfs?                      ike-crypto:ike-dh-group



Wang, et al.            Expires November 23, 2015               [Page 7]


Internet-Draft           Yang Data Model for IKE                May 2015


      |     |  +--rw peer-name?                ike-peer-name-ref
      |     |  +--rw (df-flag)?
      |     |  |  +--:(set)
      |     |  |  |  +--rw set?                      empty
      |     |  |  +--:(clear)
      |     |  |  |  +--rw clear?                    empty
      |     |  |  +--:(copy)
      |     |  |     +--rw copy?                     empty
      |     |  +--rw stateful-frag-check?      boolean
      |     |  +--rw life-time-kb?             uint32
      |     |  +--rw life-time-second?         uint32
      |     |  +--rw (anti-replay)?
      |     |  |  +--:(enable)
      |     |  |  |  +--rw enable?                   empty
      |     |  |  |  +--rw (anti-replay-windows-size)?
      |     |  |  |     +--:(size-32)
      |     |  |  |     +--:(size-64)
      |     |  |  |     +--:(size-128)
      |     |  |  |     +--:(size-256)
      |     |  |  |     +--:(size-512)
      |     |  |  |     +--:(size-1024)
      |     |  |  +--:(disable)
      |     |  |     +--rw disable?                  empty
      |     |  +--rw inbound-dscp?             uint16
      |     |  +--rw outbound-dscp?            uint16
      |     |  +--rw ipsec-proposal* [proposal-name]
      |     |     +--rw proposal-name    ipsec-proposal-name-ref
      |     +--:(template)
      |        +--rw template?                 empty
      |        +--rw template-name             ipsec-policy-template-name-ref
      +--rw policy-template-entries* [policy-name sequence-number]
         +--rw policy-name               string
         +--rw sequence-number           uint32
         +--rw local-address?            inet:ip-address
         +--rw binding-interface-name?   string
         +--rw (acl)?
         |  +--:(acl-number)
         |  |  +--rw acl-number?               uint32
         |  +--:(advance-acl)
         |     +--rw advance-acl?              string
         +--rw pfs?                      ike-crypto:ike-dh-group
         +--rw peer-name?                ike-peer-name-ref
         +--rw (df-flag)?
         |  +--:(set)
         |  |  +--rw set?                      empty
         |  +--:(clear)
         |  |  +--rw clear?                    empty
         |  +--:(copy)



Wang, et al.            Expires November 23, 2015               [Page 8]


Internet-Draft           Yang Data Model for IKE                May 2015


         |     +--rw copy?                     empty
         +--rw stateful-frag-check?      boolean
         +--rw life-time-kb?             uint32
         +--rw life-time-second?         uint32
         +--rw (anti-replay)?
         |  +--:(enable)
         |  |  +--rw enable?                   empty
         |  |  +--rw (anti-replay-windows-size)?
         |  |     +--:(size-32)
         |  |     +--:(size-64)
         |  |     +--:(size-128)
         |  |     +--:(size-256)
         |  |     +--:(size-512)
         |  |     +--:(size-1024)
         |  +--:(disable)
         |     +--rw disable?                  empty
         +--rw inbound-dscp?             uint16
         +--rw outbound-dscp?            uint16
         +--rw ipsec-proposal* [proposal-name]
            +--rw proposal-name    ipsec-proposal-name-ref

2.2.6.  IPsec Interface Map Configuration

   The IPsec interface map container will have information related to
   the interface on which IPsec policy will be applied.  It will have
   information like IPsec policy name, tunnel protocol, tunnel name ,
   enable-disable UNR route generation etc

       +--rw ipsec-interface-map
         +--rw policy-interface* [interface-name]
            +--rw interface-name        string
            +--rw policy-name           ipsec-policy-name-ref
            +--rw generate-unr-route?   boolean

2.3.  Operational State

   The Operational state of the IKE SA or IPsec SA can be queried and
   obtained from the respective container.  All the attributes/items in
   this container are read-only attributes and they reflect the run-time
   information of any established IKE SA.

2.3.1.  IKE SA Container State

   The IKE SA container is used to maintain information related to the
   IKE SA established.  This SA is a run-time data structure that is
   created and has information about established SA like SPI, local and
   remote address, established time, remaining life time, dh group, auth
   method, prf, encryption algorithm , integrity algorithm etc



Wang, et al.            Expires November 23, 2015               [Page 9]


Internet-Draft           Yang Data Model for IKE                May 2015


   +--ro ike-sa
      +--ro ike-sa-entries* [initiator-spi responder-spi]
         +--ro remote-address?         inet:ip-address
         +--ro local-address?          inet:ip-address
         +--ro initiator-spi           uint64
         +--ro responder-spi           uint64
         +--ro remote-id?              string
         +--ro local-id?               string
         +--ro auth-method?            ike-auth-method
         +--ro integrity-algorithm?    ike-crypto:ike-integrity-algorithm
         +--ro encryption-algorithm?   ike-crypto:ike-encryption-algorithm
         +--ro prf-algorithm?          ike-crypto:ike-prf-algorithm
         +--ro dh-group?               ike-crypto:ike-dh-group
         +--ro sa-established-time?    string
         +--ro remaining-time?         uint32

2.3.2.  IPsec SA State

   The IPsec SA container is used to maintain information related to the
   IPsec SA established.  This is a run-time data structure that is
   created and has information about established SA like SPI, local and
   remote address, remaining life time, protocol etc

   +--ro ipsec-sa
         +--ro ipsec-sa-entries*
            +--ro remote-address?   inet:ip-address
            +--ro local-address?    inet:ip-address
            +--ro responder-spi?    uint32
            +--ro remaining-time?   uint32

2.4.  Actions

   This model defines a list of RPCs that allow performing an action or
   executing a command on the protocol.  For example, it allows clearing
   (reset) IKE SAs, IPsec SAs, statistics etc.  The model makes an
   effort to provide different level of control so that a user is able
   to either clear all, or clear all of a given type, or clear a
   specific entity.

2.4.1.  IKE SA reset action

   This operation type is executed when the user wants to delete IKE
   SAs.  The command gives a flexibility to delete all SAs or a
   particular SA only based on remote address, connection-id etc.







Wang, et al.            Expires November 23, 2015              [Page 10]


Internet-Draft           Yang Data Model for IKE                May 2015


      +---x reset-ike-sa
         +---w input
         |  +---w (peer-info)?
         |     +--:(peer-id)
         |     |  +---w peer-id?        string
         |     +--:(peer-address)
         |        +---w peer-address?   inet:ip-address
         +--ro output
            +--ro status?   string

2.4.2.  IPsec SA reset action

   This operation type is executed when the user wants to delete IPsec
   SAs.  The command gives a flexibility to delete all SAs or a
   particular SA only based on remote address, policy sequence number,
   remote peer address etc.

   +---x reset-ipsec-sa
         +---w input
         |  +---w (sa-info)?
         |     +--:(parameters)
         |     |  +---w (peer-info)
         |     |  |  +--:(peer-id)
         |     |  |  |  +---w peer-id?        string
         |     |  |  +--:(peer-address)
         |     |  |     +---w peer-address?   inet:ip-address
         |     |  +---w protocol        ipsec-type:ipsec-protocol
         |     |  +---w spi             ipsec-type:ipsec-spi
         |     +--:(remote-peer)
         |     |  +---w remote-peer
         |     |     +---w (peer-info)?
         |     |        +--:(peer-id)
         |     |        |  +---w peer-id?        string
         |     |        +--:(peer-address)
         |     |           +---w peer-address?   inet:ip-address
         |     +--:(policy)
         |        +---w policy?         ipsec-policy-name-ref
         +--ro output
            +--ro status?   string

2.5.  Notifications

   This model defines a list of notifications to inform client of
   important events detected during the protocol operation.  These
   events include events related to changes in the operational state of
   an IKE SA, IPsec SA, Statistics etc.





Wang, et al.            Expires November 23, 2015              [Page 11]


Internet-Draft           Yang Data Model for IKE                May 2015


2.5.1.  DPD failure

   This notification type is reported to the NETCONF client when there
   is a peer that is not responding to the DPD Keep Alive messages.

       +---n dpd-failure
            +--ro peer-id?   string

2.5.2.  Peer Authentication failure

   This notification type is reported to the NETCONF client when the
   peer authentication has failed due to either invalid key,
   certificate, invalid id etc

   +---n peer-authentication-failure
       +--ro peer-id?   string

2.5.3.  IKE Reauth failure

   This notification type is reported to the NETCONF client when the re-
   authentication of the peer has failed.  Reauth can fail due to many
   reasons like proposal mismatch during re-auth procedure, packet drop,
   dead peer etc

   +---n ike-reauth-failure
     +--ro peer-id?   string

2.5.4.  IKE Rekey failure

   This notification type is reported to the NETCONF client when the IKE
   SA rekey has failed.  The rekey is an operation used to refresh the
   IKE SA keys.  It can fail due to proposal mismatch during rekey
   procedure, packet drop, dead peer etc

   +---n ike-rekey-failure
       +--ro peer-id?     string
       +--ro old-i-spi?   uint64
     +--ro old-r-spi?   uint64

2.5.5.  IPsec Rekey failure

   This notification type is reported to the NETCONF client when the IKE
   SA rekey has failed.  The rekey is an operation used to refresh the
   IPsec SA keys.  It can fail due to proposal mismatch during rekey
   procedure, packet drop, dead peer etc






Wang, et al.            Expires November 23, 2015              [Page 12]


Internet-Draft           Yang Data Model for IKE                May 2015


    +---n ipsec-rekey-failure
         +--ro peer-id?            string
         +--ro old-inbound-spi?    ipsec-type:ipsec-spi
         +--ro old-outbound-spi?   ipsec-type:ipsec-spi

3.  IKE Yang Module

   To support separately upgrade the algorithm part, the base data model
   and the algorithm part are defined as two separately parts.

3.1.  IKE Basic Yang Module

module ietf-ike {
    namespace "urn:ietf:params:xml:ns:yang:ietf-ike";
    // replace with IANA namespace when assigned
    prefix "ike";

    import "ietf-ipsec-crypto" {
        prefix "ipsec-crypto";
    }

    import "ietf-ike-crypto" {
        prefix "ike-crypto";
    }

    import "ietf-inet-types" {
        prefix "inet";
    }

    import "ietf-ipsec-type" {
        prefix "ipsec-type";
    }

    import "ietf-ipsec" {
        prefix "ipsec";
    }

    organization "Huawei Technologies India Pvt Ltd";
    contact "stonewater.wang@huawei.com";
    description "IKE Yang module define";

    revision 2015-04-18 {
        description "Initial revision.";
        reference "RFC XXXX: IKE Yang Modules";
    }






Wang, et al.            Expires November 23, 2015              [Page 13]


Internet-Draft           Yang Data Model for IKE                May 2015


    grouping ipsec-common-configuration {
        choice df-flag {
            default copy;
            case set {
                leaf set {
                    type empty;
                    description
                        "Set the df bit when encapsulate IPsec tunnel.";
                }
            }
            case clear {
                leaf clear {
                    type empty;
                    description
                        "Clear the df bit when encapsulate IPsec tunnel.";
                }
            }
            case copy {
                leaf copy {
                    type empty;
                    description
                        "Copy the inner IP header df bit.";
                }
            }

            description
                "It indicates how to process the df bit when encapsulate IPsec tunnel.";
        }
        leaf stateful-frag-check {
            type boolean;
            default false;
            description "Whether stateful fragment checking applies.";
        }
        leaf life-time-kb {
            type uint32;
            units "KB";
            default 2000000;

            description "IPsec SA Life time in KB.";
        }
        leaf life-time-second {
            type uint32;
            units "Second";
            default 18400;
            description "IPsec SA Life time in Seconds";
        }
        choice anti-replay {
            default enable;



Wang, et al.            Expires November 23, 2015              [Page 14]


Internet-Draft           Yang Data Model for IKE                May 2015


            case enable {
               leaf enable {
                    type empty;
                    description "Enable Anti-replay";
               }
               choice anti-replay-windows-size {

                    case size-32;
                    case size-64;
                    case size-128;
                    case size-256;
                    case size-512;
                    case size-1024;
                    default size-1024;
                    description "It indicate the size of anti-replay window";
               }
            }
            case disable {
                leaf disable {
                    type empty;
                    description "Disable Anti-replay";
                }
            }
            description "Whether enable or disable anti-replay";
        }

        leaf inbound-dscp {
            type uint16 {
                range "0..63";
            }
            default 0;
            description "Inbound DSCP value";
        }
        leaf outbound-dscp {
            type uint16 {
                range "0..63";
            }
            default 0;
            description "Outbound DSCP value";
        }
        description "Common IPsec configurations";
    }

    grouping choose-ipsec-peer {
        choice peer-info {
            case peer-id {
                leaf peer-id {
                    type string;



Wang, et al.            Expires November 23, 2015              [Page 15]


Internet-Draft           Yang Data Model for IKE                May 2015


                    description "Peer ID";
                }
            }
            case peer-address {
                leaf peer-address {
                    type inet:ip-address;
                    description "Peer IP Address";
                }
            }
            description "Reset according to peer information";
        }
        description "IKE peer information when do reset operation";
    }

    typedef ike-peer-name-ref {
        type leafref {
            path "/ike-peer/ike-peer-entries/peer-name";
        }
        description "reference to ike peer name";
    }

    typedef ike-proposal-number-ref {
        type leafref {
            path "/ike-proposal/ike-proposal-entries/proposal-number";
        }
        description "reference to ike proposal number";
    }

    typedef ipsec-proposal-name-ref{
        type leafref {
            path "/ipsec-proposal/ipsec-proposal-entries/proposal-name";
        }
        description "reference to ike proposal name";
    }

    typedef ipsec-policy-template-name-ref {
        type leafref {
            path "/ipsec-policy/policy-template-entries/policy-name";
        }
        description "reference to ipsec policy template name";
    }

    typedef ike-auth-method {
        type enumeration {
            enum pre-share {
                description "Select pre-shared key message as the authentication method";
            }
            enum rsa-digital-signature {



Wang, et al.            Expires November 23, 2015              [Page 16]


Internet-Draft           Yang Data Model for IKE                May 2015


                description "Select rsa digital signature as the authentication method";
            }
            enum dss-digital-signature {
                description "Select dss digital signature as the authentication method";
            }
        }
        description "IKE authentication methods";
    }

    typedef ipsec-policy-name-ref {
        type leafref {
            path "/ipsec-policy/policy-entries/policy-name";
        }
        description "reference to ipsec policy name";
    }

    container ike-global-configuration {
        description "Global IKE configurations";

        uses ipsec-common-configuration;

        leaf local-name {
            type string;
            description "Global local name configuration, if it is not configed,
                        ip address will be used as default. If configing special
                        local name for special peer, it will overwrite the global
                        name configuration when negotion with that peer.";
        }
        leaf nat-keepalive-interval {

            type uint16 {
                range "5..300";
            }
            units "Seconds";
            default 20;
            description "Global nat keepalive interval";
        }
        leaf dpd-interval {
            type uint16 {
                range "10..3600";
            }

            units "Seconds";
            default 30;
            description "Global DPD interval";
        }
    }




Wang, et al.            Expires November 23, 2015              [Page 17]


Internet-Draft           Yang Data Model for IKE                May 2015


    container ipsec-proposal {
        description "IPsec proposal information";

        list ipsec-proposal-entries {
            key "proposal-name";
            description "IPsec proposal information";

            leaf proposal-name {
                type string;
                mandatory true;
                description "Name of IPsec proposal.";
            }
            choice protocol {
                default esp;
                case ah {
                    leaf ah {
                        type empty;
                        mandatory true;
                        description "Choose AH as IPsec protocol";
                    }
                    leaf ah-authentication-algorithm {
                        type ipsec-crypto:ipsec-authentication-algorithm;
                        must "ah-authentication-algorithm != 'null'" {
                            error-message "AH authentication algorithm MUST not be null";
                            description "AH authentication algorithm MUST not be null";

                        }
                        default sha2-256;
                        description "IPsec authentication algorithm for AH";
                    }
                    description "Choose AH as IPsec protocol";
                }
                case esp {
                    leaf esp {
                        type empty;
                        description "Choose ESP as IPsec protocol";
                    }
                    leaf esp-authentication-algorithm {
                        type ipsec-crypto:ipsec-authentication-algorithm;
                        default sha2-256;
                        description "IPsec authentication algorithm for ESP";
                    }

                    leaf esp-encryption-algorithm {
                        type ipsec-crypto:ipsec-encryption-algorithm;
                        default aes-256;
                        description "IPsec encryption algorithm for ESP";




Wang, et al.            Expires November 23, 2015              [Page 18]


Internet-Draft           Yang Data Model for IKE                May 2015


                    }
                    must "esp-authentication-algorithm != 'null' or esp-encryption-algorithm != 'null'" {

                        error-message "ESP authentication algorithm and encryption algorithm can not be both null";
                        description "ESP authentication algorithm and encryption algorithm can not be both null";
                    }
                    description "Choose ESP as IPsec protocol";
                }
                description "Choose IPsec protocol";
            }

        } //End of IPsecProposalEntries
    }//End of IPsec Proposal

    container ike-proposal {
        description "IKE proposal information";

        list ike-proposal-entries {

            key "proposal-number";
            description "IKE proposal information";

            leaf proposal-number {
                type uint32;
                mandatory true;
                description "Proposal seq-number of ike proposal";
            }
            leaf auth-method {

                type ike-auth-method;
                default pre-share;
                description "authentication method of ike peer";
            }
            leaf integrity-algorithm {

                type ike-crypto:ike-integrity-algorithm;
                default hmac-sha2-256;
                description "integrity algorithm of ike protocol";
            }
            leaf encrypt-algorithm {

                type ike-crypto:ike-encryption-algorithm;
                default aes-cbc-256;
                description "Encryption algorithm of ike protocol";
            }
            leaf prf-algorithm {
                type ike-crypto:ike-prf-algorithm;
                default hmac-sha2-256;



Wang, et al.            Expires November 23, 2015              [Page 19]


Internet-Draft           Yang Data Model for IKE                May 2015


                description "Prf algorithm of ike protocol";
            }
            leaf dh-group {

                type ike-crypto:ike-dh-group;
                must "dh-group != 'dh-group-none'" {
                    error-message "DH Group MUST be configurated";
                    description "DH Group MUST be configurated";
                }
                default dh-group-2;

                description "DH group of ike protocol";
            }
            leaf reauth-interval {

                type uint32 {
                    range "60..604800";
                }
                units "Seconds";
                default 86400;
                description "Reauth interval time of IKE protocol";
            }
            leaf life-time {
                type uint32 {
                    range "60..604800";
                }
                units "Seconds";
                default 86400;
                description "IKE SA life time";
            }

        } //End of IKEProposal
    }
    container ike-peer {
        description "IKE peer information";

        list ike-peer-entries {

            key "peer-name";
            description "IKE peer information";

            leaf peer-name {
                type string;
                mandatory true;
                description "Name of IKE peer";
            }

            leaf ike-proposal-number {



Wang, et al.            Expires November 23, 2015              [Page 20]


Internet-Draft           Yang Data Model for IKE                May 2015


                type ike-proposal-number-ref;
                description "IKE proposal number referenced by IKE peer";
            }

            leaf PresharedKey {
                type string;
                description "Preshare key";
            }

            leaf nat-traversal {
                type boolean;
                default false;
                description "Enable/Disable nat traversal";
            }

            choice local-id-type {
                default ip;
                case ip {
                    leaf ip {
                        type empty;
                        description "IP address";
                    }
                }
                case fqdn {
                    leaf fqdn {
                        type empty;
                        description "Fully Qualifed Domain name ";
                    }
                }
                case dn {
                    leaf dn {
                        type empty;
                        description "Domain name";
                    }
                }
                case user_fqdn {
                    leaf user_fqdn {
                        type empty;
                        description "User FQDN";
                    }
                }
                description "Local ID type";
            }
            leaf local-id {
                type string;
                description "Local ID Name. When IP is used as local ID type,
                            it is ignored. If it is not configurated,
                            global local name will be used.";



Wang, et al.            Expires November 23, 2015              [Page 21]


Internet-Draft           Yang Data Model for IKE                May 2015


            }
            leaf remote-id {
                type "string";
                description "ID of IKE peer";
            }
            leaf low-remote-address {
                type inet:ip-address;
                description "Low range of remote address";
            }
            leaf high-remote-address {
                type inet:ip-address;
                description "High range of remote address";
            }
            leaf certificate {
                type string;
                description "Certificate file name";
            }
            leaf auth-address-begin {
                type inet:ip-address;
                description "The begin range of authenticated peer address";
            }
            leaf auth-address-end {
                type inet:ip-address;
                description "The end range of authenticated peer address";
            }
        }

    }//End of IKEPeerEntries
    container ipsec-policy {
        description "IPsec policy information";

        grouping policy-content {
            leaf local-address {
                type inet:ip-address;
                description
                    "Local address used by IKE when negotiate with peer,
                     if it is not configed, the interface address with bind
                     this ipsec policy will be used.";
            }
            leaf binding-interface-name {
                type string;
                description "The interface that the policy is already bind with";
            }
            choice acl {
                case acl-number {
                    leaf acl-number {
                        type uint32 {
                            range "3000..3999";



Wang, et al.            Expires November 23, 2015              [Page 22]


Internet-Draft           Yang Data Model for IKE                May 2015


                        }
                        description "Config common acl as IPsec traffic selector";
                    }

                }
                case advance-acl {
                    leaf advance-acl {
                        type string {
                            length "1..32";
                        }
                        description "Config advance acl as IPsec traffic selector";
                    }
                }
                description "Config acl as IPsec traffic selector";
            }


            leaf pfs {
                type ike-crypto:ike-dh-group;
                default dh-group-none;
                description
                    "Whether choose different DH group with IKE SA when create
                     ipsec SA to increase perfect forwarding security";
            }

            leaf peer-name {
                type ike-peer-name-ref;
                description "The ike peer binding with this policy";
            }

            uses ipsec-common-configuration {
                description "The common configuration of IPsec SA";
            }

            list ipsec-proposal {
                key "proposal-name";
                max-elements "6";
                description "The ipsec-proposals binding with the policy";

                leaf proposal-name {
                    type ipsec-proposal-name-ref;
                    description "The ipsec-proposals binding with the policy";
                }
            }
            description "IPsec policy content";
        }

        list policy-entries {



Wang, et al.            Expires November 23, 2015              [Page 23]


Internet-Draft           Yang Data Model for IKE                May 2015


            key "policy-name sequence-number";
            description "IPsec policy information";

            leaf policy-name {
                type string;
                mandatory true;
                description "IPsec policy group name";

            }
            leaf sequence-number {
                type uint32;
                mandatory true;
                description "IPsec policy sequence number";
            }
            choice policy-mode {

                case isakmp {
                    leaf isakmp {
                        type empty;
                        description "Common ISAKMP IPsec policy";
                    }
                    uses policy-content {
                        description "common ipsec policy content";
                    }
                }
                case template {
                    leaf template {
                        type empty;
                        description "ISAKMP IPsec policy created using template";
                    }
                    leaf template-name {
                        type ipsec-policy-template-name-ref;
                        mandatory true;
                        description
                            "The IPsec policy template name which is used to create this policy";
                    }
                }
                default isakmp;
                description "IPsec policy mode";

            }

        }

        list policy-template-entries {
            key "policy-name sequence-number";
            description "IPsec policy template define";




Wang, et al.            Expires November 23, 2015              [Page 24]


Internet-Draft           Yang Data Model for IKE                May 2015


            leaf policy-name {
                type string {
                    length "1..15";
                }
                mandatory true;
                description "IPsec policy template name";
            }
            leaf sequence-number {
                type uint32;
                mandatory true;
                description "Sequence number of policy template";

            }
            uses policy-content {
                description "common ipsec policy content";
            }
        }

    }
    container ipsec-interface-map {
        description "The map information between IPsec policy and interface";

        list policy-interface {
            key "interface-name";
            description "The map information between IPsec policy and interface";

            leaf interface-name {
                type string;
                mandatory true;
                description "Interface name which will bind IPsec policy";
            }
            leaf policy-name {
                type ipsec-policy-name-ref;
                mandatory true;
                description "IPsec policy name";
            }
            leaf generate-unr-route {
                type boolean;
                default false;
                description "Whether generate UNR route";
            }
        }
    }

    container ike-sa {
        config false;
        description "IKE SA informations";




Wang, et al.            Expires November 23, 2015              [Page 25]


Internet-Draft           Yang Data Model for IKE                May 2015


        list ike-sa-entries {

            key "initiator-spi responder-spi";

            description "IKE SA informations";

            leaf remote-address {
                type inet:ip-address;
                description "The IP address of the remote peer";
            }
            leaf local-address {
                type inet:ip-address;
                description "The IP address of local";
            }
            leaf initiator-spi {
                type uint64;
                description "The SPI of initiator";
            }
            leaf responder-spi {
                type uint64;
                description "The SPI of responder";
            }
            leaf remote-id {
                type string;
                description "The ID of the remote peer";
            }
            leaf local-id {
                type string;
                description "The ID of local";
            }
            leaf auth-method {
                type ike-auth-method;
                description "The authentication method of IKE peer";
            }
            leaf integrity-algorithm {
                type ike-crypto:ike-integrity-algorithm;
                description "The integrity algorithm chosen by IKE negotiation";
            }
            leaf encryption-algorithm {
                type ike-crypto:ike-encryption-algorithm;
                description "The encryption algorithm chosen by IKE negotiation";
            }
            leaf prf-algorithm {
                type ike-crypto:ike-prf-algorithm;
                description "The PRF algorithm chosen by IKE negotiation";
            }
            leaf dh-group {
                type ike-crypto:ike-dh-group;



Wang, et al.            Expires November 23, 2015              [Page 26]


Internet-Draft           Yang Data Model for IKE                May 2015


                description "The DH group chosen by IKE negotiation";
            }
            leaf sa-established-time {
                type string;
                description "The establish time of the IKE SA";
            }
            leaf remaining-time {
                type uint32;
                description "The remain life time of IKE SA";
            }

        }

    }
    container ipsec-sa {
        config false;
        description "IPsec SA information";

        list ipsec-sa-entries {

            description "IPsec SA information";

            leaf remote-address {
                type inet:ip-address;
                description "The IP address of the remote tunnel end-point";
            }
            leaf local-address {
                type inet:ip-address;
                description "The IP address of local tunnel end-point";
            }
            leaf responder-spi {
                type uint32;
                description "The SPI of responder";
            }

            leaf remaining-time {
                type uint32;
                description "The remain life time of IPsec SA";
            }

        }

    }

    rpc reset-ike-sa {
        description "Reset IKE SA";
        input {




Wang, et al.            Expires November 23, 2015              [Page 27]


Internet-Draft           Yang Data Model for IKE                May 2015


            uses choose-ipsec-peer;
            description "Reset IKE SA";
        }
        output {
            leaf status {
                type string;
                description "Operation status";
            }
        }
    }
    rpc reset-ipsec-sa {
        description "Reset IPsec SA";
        input {
            choice sa-info {
                case parameters {
                    uses choose-ipsec-peer {
                        refine "peer-info" {
                            mandatory true;
                        }
                    }
                    leaf protocol {
                        type ipsec-type:ipsec-protocol;
                        mandatory true;
                        description "SA protocol";
                    }
                    leaf spi {

                        type ipsec-type:ipsec-spi;
                        mandatory true;
                        description "SA SPI";
                    }
                    description "Reset according to special parameters";
                }

                case remote-peer {
                    container remote-peer {
                        uses choose-ipsec-peer;
                        description "Reset according to remote peer";
                    }
                }
                case policy {
                    leaf policy {
                        type ipsec-policy-name-ref;
                        description "Reset according to IPsec policy name";
                    }
                }
                description "Reset according to special information";




Wang, et al.            Expires November 23, 2015              [Page 28]


Internet-Draft           Yang Data Model for IKE                May 2015


            }

        }
        output {
            leaf status {
                type string;
                description "Operation status";
            }
        }
    }

    notification dpd-failure{
        description "IKE peer DPD detect failure";
        leaf peer-id {
            type string;
            description "Peer ID";
        }
    }

    notification peer-authentication-failure {
        description "Peer authentication fail when negotication";
        leaf peer-id {
            type string;
            description "The ID of remote peer";
        }
    }

    notification ike-reauth-failure {
        description "IKE peer reauthentication fail";
        leaf peer-id {
            type string;
            description "The ID of remote peer";
        }
    }

    notification ike-rekey-failure {
        description "IKE SA rekey failure";
        leaf peer-id {
            type string;
            description "The ID of remote peer";
        }
        leaf old-i-spi {
            type uint64;
            description "old SPI";
        }
        leaf old-r-spi {
            type uint64;
            description "old SPI";



Wang, et al.            Expires November 23, 2015              [Page 29]


Internet-Draft           Yang Data Model for IKE                May 2015


        }
    }

    notification ipsec-rekey-failure {
        description "IPsec SA rekey failure";
        leaf peer-id {
            type string;
            description "The ID of remote peer";
        }
        leaf old-inbound-spi {
            type ipsec-type:ipsec-spi;
            description "old inbound SPI";
        }
        leaf old-outbound-spi {
            type ipsec-type:ipsec-spi;
            description "old outbound SPI";
        }
    }


}

3.2.  IKE Algorithm Yang Module

   module ietf-ike-crypto {
     namespace "urn:ietf:params:xml:ns:yang:ietf-ike-crypto";
     prefix ike-crypto;

     organization "Huawei Technologies India Pvt Ltd";
     contact
       "stonewater.wang@huawei.com";
     description
       "IKE Crypto Yang";
     reference "RFC 7296: Internet Key Exchange Protocol Version 2";

     revision 2015-04-18 {
       description
         "Initial revision.";
       reference "RFC 7296: Internet Key Exchange Protocol Version 2";
     }

     typedef ike-integrity-algorithm {
       type enumeration {
         enum "hmac-md5-96" {
           description
             "HMAC-MD5-96 Integrity Algorithm";
         }
         enum "hmac-sha1-96" {



Wang, et al.            Expires November 23, 2015              [Page 30]


Internet-Draft           Yang Data Model for IKE                May 2015


           description
             "HMAC-SHA1-96 Integrity Algorithm";
         }
         enum "hmac-sha2-256" {
           description
             "HMAC-SHA2-256 Integrity Algorithm";
         }
         enum "hmac-sha2-384" {
           description
             "HMAC-SHA2-384 Integrity Algorithm";
         }
         enum "hmac-sha2-512" {
           description
             "HMAC-SHA2-512 Integrity Algorithm";
         }
       }
       description
         "typedef for ike integrity algorithm.";
     }

     typedef ike-encryption-algorithm {
       type enumeration {
         enum "des-cbc" {
           description
             "DES-CBC Encryption algorithm";
         }
         enum "3des-cbc" {
           description
             "3DES-CBC Encryption algorithm";
         }
         enum "aes-cbc-128" {
           description
             "AES-CBC-128 Encryption algorithm";
         }
         enum "aes-cbc-192" {
           description
             "AES-CBC-192 Encryption algorithm";
         }
         enum "aes-cbc-256" {
           description
             "AES-CBC-256 Encryption algorithm";
         }
       }
       description
         "typedef for ike encryption algorithm.";
     }

     typedef ike-prf-algorithm {



Wang, et al.            Expires November 23, 2015              [Page 31]


Internet-Draft           Yang Data Model for IKE                May 2015


       type enumeration {
         enum "hmac-md5-96" {
           description
             "HMAC-MD5-96 PRF Algorithm";
         }
         enum "hmac-sha1-96" {
           description
             "HMAC-SHA1-96 PRF Algorithm";
         }
         enum "hmac-sha2-256" {
           description
             "HMAC-SHA2-256 PRF Algorithm";
         }
         enum "hmac-sha2-384" {
           description
             "HMAC-SHA2-384 PRF Algorithm";
         }
         enum "hmac-sha2-512" {
           description
             "HMAC-SHA2-512 PRF Algorithm";
         }
       }
       description
         "typedef for ike prf algorithm.";
     }

     typedef ike-dh-group {
       type enumeration {
         enum "dh-group-none" {
           description
             "None Diffie-Hellman group";
         }
         enum "dh-group-1" {
           description
             "768 bits Diffie-Hellman group";
         }
         enum "dh-group-2" {
           description
             "1024 bits Diffie-Hellman group";
         }
         enum "dh-group-5" {
           description
             "1536 bits Diffie-Hellman group";
         }
         enum "dh-group-14" {
           description
             "2048 bits Diffie-Hellman group";
         }



Wang, et al.            Expires November 23, 2015              [Page 32]


Internet-Draft           Yang Data Model for IKE                May 2015


       }
       description
         "typedef for ike dh group";
     }
   }

4.  IANA Considerations

   This document registers the following URIs in the IETF XML registry
   [RFC3688].  Following the format in [RFC3688], the following
   registration is requested to be made.

   URI: urn:ietf:params:xml:ns:yang:ietf-ike XML: N/A, the requested URI
   is an XML namespace.

   URI: urn:ietf:params:xml:ns:yang:ietf-ike-crypto XML: N/A, the
   requested URI is an XML namespace.

   This document registers a YANG module in the YANG Module Names
   registry [RFC6020].

   name: ietf-ike namespace: urn:ietf:params:xml:ns:yang:ietf-ike
   prefix: ike reference: [RFC7296]

   name: ietf-ike-crypto namespace: urn:ietf:params:xml:ns:yang:ietf-
   ike-crypto prefix: ike-crypto reference: [RFC7296]

5.  Security Considerations

   The YANG module defined in this memo is designed to be accessed via
   the NETCONF protocol[RFC6241].  The lowest NETCONF layer is the
   secure transport layer and the mandatory-to-implement secure
   transport is SSH [RFC6242].  The NETCONF access control model
   [RFC6536] provides means to restrict access for particular NETCONF
   users to a pre-configured subset of all available NETCONF protocol
   operations and content.  There are a number of data nodes defined in
   the YANG module which are writable/creatable/deletable (i.e., config
   true, which is the default).  These data nodes may be considered
   sensitive or vulnerable in some network environments.  Write
   operations (e.g., <edit-config>) to these data nodes without proper
   protection can have a negative effect on network operations.

6.  Acknowledgements








Wang, et al.            Expires November 23, 2015              [Page 33]


Internet-Draft           Yang Data Model for IKE                May 2015


7.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, December 2005.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6241]  Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
              Bierman, "Network Configuration Protocol (NETCONF)", RFC
              6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536, March
              2012.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, October 2014.

Authors' Addresses

   Honglei Wang
   Huawei Technologies
   Huawei Bld., No.156 Beiqing Rd.
   Beijing  100095
   China

   Email: stonewater.wang@huawei.com


   Vijay Kumar Nagaraj
   Huawei Technologies
   Huawei Technologies India Pvt Ltd
   Bangalore  560008
   India

   Email: vijay.kn@huawei.com



Wang, et al.            Expires November 23, 2015              [Page 34]


Internet-Draft           Yang Data Model for IKE                May 2015


   Xia Chen
   Huawei Technologies
   Huawei Bld., No.156 Beiqing Rd.
   Beijing  100095
   China

   Email: xiachen@huawei.com












































Wang, et al.            Expires November 23, 2015              [Page 35]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/