draft-ietf-i2nsf-sdn-ipsec-flow-protection-09.txt   draft-ietf-i2nsf-sdn-ipsec-flow-protection-10.txt 
I2NSF R. Marin-Lopez I2NSF R. Marin-Lopez
Internet-Draft G. Lopez-Millan Internet-Draft G. Lopez-Millan
Intended status: Standards Track University of Murcia Intended status: Standards Track University of Murcia
Expires: April 15, 2021 F. Pereniguez-Garcia Expires: April 24, 2021 F. Pereniguez-Garcia
University Defense Center University Defense Center
October 12, 2020 October 21, 2020
Software-Defined Networking (SDN)-based IPsec Flow Protection Software-Defined Networking (SDN)-based IPsec Flow Protection
draft-ietf-i2nsf-sdn-ipsec-flow-protection-09 draft-ietf-i2nsf-sdn-ipsec-flow-protection-10
Abstract Abstract
This document describes how to provide IPsec-based flow protection This document describes how to provide IPsec-based flow protection
(integrity and confidentiality) by means of an Interface to Network (integrity and confidentiality) by means of an Interface to Network
Security Function (I2NSF) controller. It considers two main well- Security Function (I2NSF) controller. It considers two main well-
known scenarios in IPsec: (i) gateway-to-gateway and (ii) host-to- known scenarios in IPsec: (i) gateway-to-gateway and (ii) host-to-
host. The service described in this document allows the host. The service described in this document allows the
configuration and monitoring of IPsec Security Associations (SAs) configuration and monitoring of IPsec Security Associations (SAs)
from a I2NSF Controller to one or several flow-based Network Security from a I2NSF Controller to one or several flow-based Network Security
skipping to change at page 1, line 45 skipping to change at page 1, line 45
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 15, 2021. This Internet-Draft will expire on April 24, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 51 skipping to change at page 2, line 51
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 26 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 26
10.1. Normative References . . . . . . . . . . . . . . . . . . 26 10.1. Normative References . . . . . . . . . . . . . . . . . . 26
10.2. Informative References . . . . . . . . . . . . . . . . . 29 10.2. Informative References . . . . . . . . . . . . . . . . . 29
Appendix A. Common YANG model for IKE and IKE-less cases . . . . 31 Appendix A. Common YANG model for IKE and IKE-less cases . . . . 31
Appendix B. YANG model for IKE case . . . . . . . . . . . . . . 46 Appendix B. YANG model for IKE case . . . . . . . . . . . . . . 46
Appendix C. YANG model for IKE-less case . . . . . . . . . . . . 65 Appendix C. YANG model for IKE-less case . . . . . . . . . . . . 65
Appendix D. XML configuration example for IKE case (gateway-to- Appendix D. XML configuration example for IKE case (gateway-to-
gateway) . . . . . . . . . . . . . . . . . . . . . . 76 gateway) . . . . . . . . . . . . . . . . . . . . . . 76
Appendix E. XML configuration example for IKE-less case (host- Appendix E. XML configuration example for IKE-less case (host-
to-host) . . . . . . . . . . . . . . . . . . . . . . 79 to-host) . . . . . . . . . . . . . . . . . . . . . . 80
Appendix F. XML notification examples . . . . . . . . . . . . . 84 Appendix F. XML notification examples . . . . . . . . . . . . . 84
Appendix G. Operational use cases examples . . . . . . . . . . . 85 Appendix G. Operational use cases examples . . . . . . . . . . . 86
G.1. Example of IPsec SA establishment . . . . . . . . . . . . 85 G.1. Example of IPsec SA establishment . . . . . . . . . . . . 86
G.1.1. IKE case . . . . . . . . . . . . . . . . . . . . . . 86 G.1.1. IKE case . . . . . . . . . . . . . . . . . . . . . . 86
G.1.2. IKE-less case . . . . . . . . . . . . . . . . . . . . 88 G.1.2. IKE-less case . . . . . . . . . . . . . . . . . . . . 88
G.2. Example of the rekeying process in IKE-less case . . . . 90 G.2. Example of the rekeying process in IKE-less case . . . . 90
G.3. Example of managing NSF state loss in IKE-less case . . . 91 G.3. Example of managing NSF state loss in IKE-less case . . . 91
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 91 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 91
1. Introduction 1. Introduction
Software-Defined Networking (SDN) is an architecture that enables Software-Defined Networking (SDN) is an architecture that enables
users to directly program, orchestrate, control and manage network users to directly program, orchestrate, control and manage network
skipping to change at page 13, line 27 skipping to change at page 13, line 27
The definition of the PAD model has been extracted from the The definition of the PAD model has been extracted from the
specification in section 4.4.3 in [RFC4301] (NOTE: We have observed specification in section 4.4.3 in [RFC4301] (NOTE: We have observed
that many implementations integrate PAD configuration as part of the that many implementations integrate PAD configuration as part of the
IKEv2 configuration). IKEv2 configuration).
The data model for the IKE case is defined by YANG model "ietf-i2nsf- The data model for the IKE case is defined by YANG model "ietf-i2nsf-
ike". Its structure is depicted in the following diagram, using the ike". Its structure is depicted in the following diagram, using the
notation syntax for YANG tree diagrams ([RFC8340]). notation syntax for YANG tree diagrams ([RFC8340]).
module: ietf-i2nsf-ike module: ietf-i2nsf-ike
+--rw ipsec-ike +--rw ipsec-ike
+--rw pad +--rw pad
| +--rw pad-entry* [name] | +--rw pad-entry* [name]
| +--rw name string | +--rw name string
| +--rw (identity) | +--rw (identity)
| | +--:(ipv4-address) | | +--:(ipv4-address)
| | | +--rw ipv4-address? inet:ipv4-address | | | +--rw ipv4-address? inet:ipv4-address
| | +--:(ipv6-address) | | +--:(ipv6-address)
| | | +--rw ipv6-address? inet:ipv6-address | | | +--rw ipv6-address? inet:ipv6-address
| | +--:(fqdn-string) | | +--:(fqdn-string)
| | | +--rw fqdn-string? inet:domain-name | | | +--rw fqdn-string? inet:domain-name
| | +--:(rfc822-address-string) | | +--:(rfc822-address-string)
| | | +--rw rfc822-address-string? string | | | +--rw rfc822-address-string? string
| | +--:(dnx509) | | +--:(dnx509)
| | | +--rw dnx509? string | | | +--rw dnx509? string
| | +--:(gnx509) | | +--:(gnx509)
| | | +--rw gnx509? string | | | +--rw gnx509? string
| | +--:(id-key) | | +--:(id-key)
| | | +--rw id-key? string | | | +--rw id-key? string
| | +--:(id-null) | | +--:(id-null)
| | +--rw id-null? empty | | +--rw id-null? empty
| +--rw auth-protocol? auth-protocol-type | +--rw auth-protocol? auth-protocol-type
| +--rw peer-authentication | +--rw peer-authentication
| +--rw auth-method? auth-method-type | +--rw auth-method? auth-method-type
| +--rw eap-method | +--rw eap-method
| | +--rw eap-type uint8 | | +--rw eap-type uint8
| +--rw pre-shared | +--rw pre-shared
| | +--rw secret yang:hex-string | | +--rw secret yang:hex-string
| +--rw digital-signature | +--rw digital-signature
| +--rw ds-algorithm? uint8 | +--rw ds-algorithm? uint8
| +--rw (public-key) | +--rw (public-key)
| | +--:(raw-public-key) | | +--:(raw-public-key)
| | | +--rw raw-public-key? binary | | | +--rw raw-public-key? binary
| | +--:(cert-data) | | +--:(cert-data)
| | +--rw cert-data? ct:x509 | | +--rw cert-data? ct:x509
| +--rw private-key? binary | +--rw private-key? binary
| +--rw ca-data* ct:x509 | +--rw ca-data* ct:x509
| +--rw crl-data? ct:crl | +--rw crl-data? ct:crl
| +--rw crl-uri? inet:uri | +--rw crl-uri? inet:uri
| +--rw oscp-uri? inet:uri | +--rw oscp-uri? inet:uri
+--rw conn-entry* [name] +--rw conn-entry* [name]
| +--rw name string | +--rw name string
| +--rw autostartup? autostartup-type | +--rw autostartup? autostartup-type
| +--rw initial-contact? boolean | +--rw initial-contact? boolean
| +--rw version? auth-protocol-type | +--rw version? auth-protocol-type
| +--rw fragmentation? boolean | +--rw fragmentation? boolean
| +--rw ike-sa-lifetime-soft | +--rw ike-sa-lifetime-soft
| | +--rw rekey-time? uint32 | | +--rw rekey-time? uint32
| | +--rw reauth-time? uint32 | | +--rw reauth-time? uint32
| +--rw ike-sa-lifetime-hard | +--rw ike-sa-lifetime-hard
| | +--rw over-time? uint32 | | +--rw over-time? uint32
| +--rw authalg* ic:integrity-algorithm-type | +--rw authalg* nsfikec:integrity-algorithm-type
| +--rw encalg* [id] | +--rw encalg* [id]
| | +--rw id uint8 | | +--rw id uint8
| | +--rw algorithm-type? ic:encryption-algorithm-type | | +--rw algorithm-type? nsfikec:encryption-algorithm-type
| | +--rw key-length? uint16 | | +--rw key-length? uint16
| +--rw dh-group? pfs-group | +--rw dh-group? pfs-group
| +--rw half-open-ike-sa-timer? uint32 | +--rw half-open-ike-sa-timer? uint32
| +--rw half-open-ike-sa-cookie-threshold? uint32 | +--rw half-open-ike-sa-cookie-threshold? uint32
| +--rw local | +--rw local
| | +--rw local-pad-entry-name string | | +--rw local-pad-entry-name string
| +--rw remote | +--rw remote
| | +--rw remote-pad-entry-name string | | +--rw remote-pad-entry-name string
| +--rw encapsulation-type | +--rw encapsulation-type
| | +--rw espencap? esp-encap | | +--rw espencap? esp-encap
| | +--rw sport? inet:port-number | | +--rw sport? inet:port-number
| | +--rw dport? inet:port-number | | +--rw dport? inet:port-number
| | +--rw oaddr* inet:ip-address | | +--rw oaddr* inet:ip-address
| +--rw spd | +--rw spd
| | +--rw spd-entry* [name] | | +--rw spd-entry* [name]
| | +--rw name string | | +--rw name string
| | +--rw ipsec-policy-config | | +--rw ipsec-policy-config
| | +--rw anti-replay-window? uint64 | | +--rw anti-replay-window? uint64
| | +--rw traffic-selector | | +--rw traffic-selector
| | | +--rw local-subnet inet:ip-prefix | | | +--rw local-subnet inet:ip-prefix
| | | +--rw remote-subnet inet:ip-prefix | | | +--rw remote-subnet inet:ip-prefix
| | | +--rw inner-protocol? ipsec-inner-protocol | | | +--rw inner-protocol? ipsec-inner-protocol
| | | +--rw local-ports* [start end] | | | +--rw local-ports* [start end]
| | | | +--rw start inet:port-number | | | | +--rw start inet:port-number
| | | | +--rw end inet:port-number | | | | +--rw end inet:port-number
| | | +--rw remote-ports* [start end] | | | +--rw remote-ports* [start end]
| | | +--rw start inet:port-number | | | +--rw start inet:port-number
| | | +--rw end inet:port-number | | | +--rw end inet:port-number
| | +--rw processing-info | | +--rw processing-info
| | | +--rw action? ipsec-spd-action | | |+--rw action? ipsec-spd-action
| | | +--rw ipsec-sa-cfg | | |+--rw ipsec-sa-cfg
| | | +--rw pfp-flag? boolean | | | +--rw pfp-flag? boolean
| | | +--rw ext-seq-num? boolean | | | +--rw ext-seq-num? boolean
| | | +--rw seq-overflow? boolean | | | +--rw seq-overflow? boolean
| | | +--rw stateful-frag-check? boolean | | | +--rw stateful-frag-check? boolean
| | | +--rw mode? ipsec-mode | | | +--rw mode? ipsec-mode
| | | +--rw protocol-parameters? ipsec-protocol-parameters | | | +--rw protocol-parameters? ipsec-protocol-parameters
| | | +--rw esp-algorithms | | | +--rw esp-algorithms
| | | | +--rw integrity* integrity-algorithm-type | | | | +--rw integrity* integrity-algorithm-type
| | | | +--rw encryption* [id] | | | | +--rw encryption* [id]
| | | | | +--rw id uint8 | | | | | +--rw id uint8
| | | | | +--rw algorithm-type? ic:encryption-algorithm-type | | | | | +--rw algorithm-type? nsfikec:encryption-algorithm-type
| | | | | +--rw key-length? uint16 | | | | | +--rw key-length? uint16
| | | | +--rw tfc-pad? boolean | | | | +--rw tfc-pad? boolean
| | | +--rw tunnel | | | +--rw tunnel
| | | +--rw local inet:ip-address | | | +--rw local inet:ip-address
| | | +--rw remote inet:ip-address | | | +--rw remote inet:ip-address
| | | +--rw df-bit? enumeration | | | +--rw df-bit? enumeration
| | | +--rw bypass-dscp? boolean | | | +--rw bypass-dscp? boolean
| | | +--rw dscp-mapping? yang:hex-string | | | +--rw dscp-mapping? yang:hex-string
| | | +--rw ecn? boolean | | | +--rw ecn? boolean
| | +--rw spd-mark | | +--rw spd-mark
| | +--rw mark? uint32 | | +--rw mark? uint32
| | +--rw mask? yang:hex-string | | +--rw mask? yang:hex-string
| +--rw child-sa-info | +--rw child-sa-info
| | +--rw pfs-groups* pfs-group | | +--rw pfs-groups* pfs-group
| | +--rw child-sa-lifetime-soft | | +--rw child-sa-lifetime-soft
| | | +--rw time? uint32 | | | +--rw time? uint32
| | | +--rw bytes? uint32 | | | +--rw bytes? uint32
| | | +--rw packets? uint32 | | | +--rw packets? uint32
| | | +--rw idle? uint32 | | | +--rw idle? uint32
| | | +--rw action? ic:lifetime-action | | | +--rw action? nsfikec:lifetime-action
| | +--rw child-sa-lifetime-hard | | +--rw child-sa-lifetime-hard
| | +--rw time? uint32 | | +--rw time? uint32
| | +--rw bytes? uint32 | | +--rw bytes? uint32
| | +--rw packets? uint32 | | +--rw packets? uint32
| | +--rw idle? uint32 | | +--rw idle? uint32
| +--ro state | +--ro state
| +--ro initiator? boolean | +--ro initiator? boolean
| +--ro initiator-ikesa-spi? ike-spi | +--ro initiator-ikesa-spi? ike-spi
| +--ro responder-ikesa-spi? ike-spi | +--ro responder-ikesa-spi? ike-spi
| +--ro nat-local? boolean | +--ro nat-local? boolean
| +--ro nat-remote? boolean | +--ro nat-remote? boolean
| +--ro encapsulation-type | +--ro encapsulation-type
| | +--ro espencap? esp-encap | | +--ro espencap? esp-encap
| | +--ro sport? inet:port-number | | +--ro sport? inet:port-number
| | +--ro dport? inet:port-number | | +--ro dport? inet:port-number
| | +--ro oaddr* inet:ip-address | | +--ro oaddr* inet:ip-address
| +--ro established? uint64 | +--ro established? uint64
| +--ro current-rekey-time? uint64 | +--ro current-rekey-time? uint64
| +--ro current-reauth-time? uint64 | +--ro current-reauth-time? uint64
+--ro number-ike-sas +--ro number-ike-sas
+--ro total? uint64 +--ro total? uint64
+--ro half-open? uint64 +--ro half-open? uint64
+--ro half-open-cookies? uint64 +--ro half-open-cookies? uint64
The data model consists of a unique "ipsec-ike" container defined as The data model consists of a unique "ipsec-ike" container defined as
follows. Firstly, it contains a "pad" container that serves to follows. Firstly, it contains a "pad" container that serves to
configure the Peer Authentication Database with authentication configure the Peer Authentication Database with authentication
information about local and remote peers. More precisely, it information about local and remote peers. More precisely, it
consists of a list of entries, each one indicating the identity, consists of a list of entries, each one indicating the identity,
authentication method and credentials that will use a particular authentication method and credentials that will use a particular
peer. peer.
Next, we find a list "conn-entry" with information about the Next, we find a list "conn-entry" with information about the
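Review bot: the leaf `oscp-uri` under pad-entry/peer-authentication/digital-signature transposes the letters of OCSP; if it is meant to carry an Online Certificate Status Protocol responder URI it should be `ocsp-uri`, and since renaming a leaf after publication is a breaking change this revision is the place to correct it. Two smaller points in the same tree: the prefix rename to `nsfikec:` now appears on `authalg*`, `encalg/algorithm-type`, `esp-algorithms/encryption/algorithm-type` and `child-sa-lifetime-soft/action`, while `esp-algorithms/integrity*` still shows a bare `integrity-algorithm-type` next to `authalg* nsfikec:integrity-algorithm-type`; check that the regenerated pyang tree matches the module text in both places. In the description paragraph, "the identity, authentication method and credentials that will use a particular peer" reads inverted; suggest "that a particular peer will use".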
skipping to change at page 17, line 42 skipping to change at page 17, line 42
The definition of the SAD model has been mainly extracted from the The definition of the SAD model has been mainly extracted from the
specification in section 4.4.2 in [RFC4301] though with some changes, specification in section 4.4.2 in [RFC4301] though with some changes,
namely: namely:
o Each IPsec SA (sad-entry) contains one traffic selector, instead o Each IPsec SA (sad-entry) contains one traffic selector, instead
of a list of them. The reason is that we have observed actual of a list of them. The reason is that we have observed actual
kernel implementations only admit a single traffic selector per kernel implementations only admit a single traffic selector per
IPsec SA. IPsec SA.
o Each IPsec SA contains a identifier (reqid) to relate the policy o Each IPsec SA contains a identifier (reqid) to relate the IPsec SA
with the IPsec Policy. The reason is that we have observed real with the IPsec Policy. The reason is that we have observed real
kernel implementations allow to include this value. kernel implementations allow to include this value.
o Each IPsec SA has also a name in the same way as IPsec policies. o Each IPsec SA has also a name in the same way as IPsec policies.
o Combined algorithm has been removed because encryption algorithm o Combined algorithm has been removed because encryption algorithm
MAY include authenticated encryption with associated data (AEAD). MAY include authenticated encryption with associated data (AEAD).
o Tunnel information has been extended with information about o Tunnel information has been extended with information about
Differentiated Services Code Point (DSCP) mapping and Explicit Differentiated Services Code Point (DSCP) mapping and Explicit
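Review bot: the reworded reqid bullet now correctly says the identifier relates the IPsec SA with the IPsec policy, but the same bullet still has "a identifier" (should be "an identifier") and "allow to include this value" (suggest "allow this value to be included"). Both the single-traffic-selector change and the reqid change are justified only by "we have observed ... kernel implementations"; pointing at the kernel interface that imposes these constraints (the notifications section already cites PF_KEYv2 [RFC2367]) would make the design decision verifiable rather than anecdotal.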
skipping to change at page 18, line 26 skipping to change at page 18, line 26
The notifications model has been defined using as reference the The notifications model has been defined using as reference the
PF_KEYv2 standard in [RFC2367]. PF_KEYv2 standard in [RFC2367].
The data model for the IKE-less case is defined by YANG model "ietf- The data model for the IKE-less case is defined by YANG model "ietf-
i2nsf-ikeless". Its structure is depicted in the following diagram, i2nsf-ikeless". Its structure is depicted in the following diagram,
using the notation syntax for YANG tree diagrams ([RFC8340]). using the notation syntax for YANG tree diagrams ([RFC8340]).
module: ietf-i2nsf-ikeless module: ietf-i2nsf-ikeless
+--rw ipsec-ikeless +--rw ipsec-ikeless
+--rw spd +--rw spd
| +--rw spd-entry* [name] | +--rw spd-entry* [name]
| +--rw name string | +--rw name string
| +--rw direction ic:ipsec-traffic-direction | +--rw direction nsfikec:ipsec-traffic-direction
| +--rw reqid? uint64 | +--rw reqid? uint64
| +--rw ipsec-policy-config | +--rw ipsec-policy-config
| +--rw anti-replay-window? uint64 | +--rw anti-replay-window? uint64
| +--rw traffic-selector | +--rw traffic-selector
| | +--rw local-subnet inet:ip-prefix | | +--rw local-subnet inet:ip-prefix
| | +--rw remote-subnet inet:ip-prefix | | +--rw remote-subnet inet:ip-prefix
| | +--rw inner-protocol? ipsec-inner-protocol | | +--rw inner-protocol? ipsec-inner-protocol
| | +--rw local-ports* [start end] | | +--rw local-ports* [start end]
| | | +--rw start inet:port-number | | | +--rw start inet:port-number
| | | +--rw end inet:port-number | | | +--rw end inet:port-number
| | +--rw remote-ports* [start end] | | +--rw remote-ports* [start end]
| | +--rw start inet:port-number | | +--rw start inet:port-number
| | +--rw end inet:port-number | | +--rw end inet:port-number
| +--rw processing-info | +--rw processing-info
| | +--rw action? ipsec-spd-action | | +--rw action? ipsec-spd-action
| | +--rw ipsec-sa-cfg | | +--rw ipsec-sa-cfg
| | +--rw pfp-flag? boolean | | +--rw pfp-flag? boolean
| | +--rw ext-seq-num? boolean | | +--rw ext-seq-num? boolean
| | +--rw seq-overflow? boolean | | +--rw seq-overflow? boolean
| | +--rw stateful-frag-check? boolean | | +--rw stateful-frag-check? boolean
| | +--rw mode? ipsec-mode | | +--rw mode? ipsec-mode
| | +--rw protocol-parameters? ipsec-protocol-parameters | | +--rw protocol-parameters? ipsec-protocol-parameters
| | +--rw esp-algorithms | | +--rw esp-algorithms
| | | +--rw integrity* integrity-algorithm-type | | | +--rw integrity* integrity-algorithm-type
| | | +--rw encryption* [id] | | | +--rw encryption* [id]
| | | | +--rw id uint8 | | | |+--rw id uint8
| | | | +--rw algorithm-type?ic:encryption-algorithm-type | | | |+--rw algorithm-type? nsfikec:encryption-algorithm-type
| | | | +--rw key-length? uint16 | | | |+--rw key-length? uint16
| | | +--rw tfc-pad? boolean | | | +--rw tfc-pad? boolean
| | +--rw tunnel | | +--rw tunnel
| | +--rw local inet:ip-address | | +--rw local inet:ip-address
| | +--rw remote inet:ip-address | | +--rw remote inet:ip-address
| | +--rw df-bit? enumeration | | +--rw df-bit? enumeration
| | +--rw bypass-dscp? boolean | | +--rw bypass-dscp? boolean
| | +--rw dscp-mapping? yang:hex-string | | +--rw dscp-mapping? yang:hex-string
| | +--rw ecn? boolean | | +--rw ecn? boolean
| +--rw spd-mark | +--rw spd-mark
| +--rw mark? uint32 | +--rw mark? uint32
| +--rw mask? yang:hex-string | +--rw mask? yang:hex-string
+--rw sad +--rw sad
+--rw sad-entry* [name] +--rw sad-entry* [name]
+--rw name string +--rw name string
+--rw reqid? uint64 +--rw reqid? uint64
+--rw ipsec-sa-config +--rw ipsec-sa-config
| +--rw spi uint32 | +--rw spi uint32
| +--rw ext-seq-num? boolean | +--rw ext-seq-num? boolean
| +--rw seq-number-counter? uint64 | +--rw seq-number-counter? uint64
| +--rw seq-overflow? boolean | +--rw seq-overflow? boolean
| +--rw anti-replay-window? uint32 | +--rw anti-replay-window? uint32
| +--rw traffic-selector | +--rw traffic-selector
| | +--rw local-subnet inet:ip-prefix | | +--rw local-subnet inet:ip-prefix
| | +--rw remote-subnet inet:ip-prefix | | +--rw remote-subnet inet:ip-prefix
| | +--rw inner-protocol? ipsec-inner-protocol | | +--rw inner-protocol? ipsec-inner-protocol
| | +--rw local-ports* [start end] | | +--rw local-ports* [start end]
| | | +--rw start inet:port-number | | | +--rw start inet:port-number
| | | +--rw end inet:port-number | | | +--rw end inet:port-number
| | +--rw remote-ports* [start end] | | +--rw remote-ports* [start end]
| | +--rw start inet:port-number | | +--rw start inet:port-number
| | +--rw end inet:port-number | | +--rw end inet:port-number
| +--rw protocol-parameters? ic:ipsec-protocol-parameters | +--rw protocol-parameters? nsfikec:ipsec-protocol-parameters
| +--rw mode? ic:ipsec-mode | +--rw mode? nsfikec:ipsec-mode
| +--rw esp-sa | +--rw esp-sa
| | +--rw encryption | | +--rw encryption
| | | +--rw encryption-algorithm? ic:encryption-algorithm-type | | |+--rw encryption-algorithm? nsfikec:encryption-algorithm-type
| | | +--rw key? yang:hex-string | | |+--rw key? yang:hex-string
| | | +--rw iv? yang:hex-string | | |+--rw iv? yang:hex-string
| | +--rw integrity | | +--rw integrity
| | +--rw integrity-algorithm? ic:integrity-algorithm-type | | +--rw integrity-algorithm? nsfikec:integrity-algorithm-type
| | +--rw key? yang:hex-string | | +--rw key? yang:hex-string
| +--rw sa-lifetime-hard | +--rw sa-lifetime-hard
| | +--rw time? uint32 | | +--rw time? uint32
| | +--rw bytes? uint32 | | +--rw bytes? uint32
| | +--rw packets? uint32 | | +--rw packets? uint32
| | +--rw idle? uint32 | | +--rw idle? uint32
| +--rw sa-lifetime-soft | +--rw sa-lifetime-soft
| | +--rw time? uint32 | | +--rw time? uint32
| | +--rw bytes? uint32 | | +--rw bytes? uint32
| | +--rw packets? uint32 | | +--rw packets? uint32
| | +--rw idle? uint32 | | +--rw idle? uint32
| | +--rw action? ic:lifetime-action | | +--rw action? nsfikec:lifetime-action
| +--rw tunnel | +--rw tunnel
| | +--rw local inet:ip-address | | +--rw local inet:ip-address
| | +--rw remote inet:ip-address | | +--rw remote inet:ip-address
| | +--rw df-bit? enumeration | | +--rw df-bit? enumeration
| | +--rw bypass-dscp? boolean | | +--rw bypass-dscp? boolean
| | +--rw dscp-mapping? yang:hex-string | | +--rw dscp-mapping? yang:hex-string
| | +--rw ecn? boolean | | +--rw ecn? boolean
| +--rw encapsulation-type | +--rw encapsulation-type
| +--rw espencap? esp-encap | +--rw espencap? esp-encap
| +--rw sport? inet:port-number | +--rw sport? inet:port-number
| +--rw dport? inet:port-number | +--rw dport? inet:port-number
| +--rw oaddr* inet:ip-address | +--rw oaddr* inet:ip-address
+--ro ipsec-sa-state +--ro ipsec-sa-state
+--ro sa-lifetime-current +--ro sa-lifetime-current
| +--ro time? uint32 | +--ro time? uint32
| +--ro bytes? uint32 | +--ro bytes? uint32
| +--ro packets? uint32 | +--ro packets? uint32
| +--ro idle? uint32 | +--ro idle? uint32
+--ro replay-stats +--ro replay-stats
+--ro replay-window? uint64 +--ro replay-window? uint64
+--ro packet-dropped? uint64 +--ro packet-dropped? uint64
+--ro failed? uint32 +--ro failed? uint32
+--ro seq-number-counter? uint64 +--ro seq-number-counter? uint64
notifications: notifications:
+---n sadb-acquire +---n sadb-acquire {ikeless-notification}?
| +--ro ipsec-policy-name string | +--ro ipsec-policy-name string
| +--ro traffic-selector | +--ro traffic-selector
| +--ro local-subnet inet:ip-prefix | +--ro local-subnet inet:ip-prefix
| +--ro remote-subnet inet:ip-prefix | +--ro remote-subnet inet:ip-prefix
| +--ro inner-protocol? ipsec-inner-protocol | +--ro inner-protocol? ipsec-inner-protocol
| +--ro local-ports* [start end] | +--ro local-ports* [start end]
| | +--ro start inet:port-number | | +--ro start inet:port-number
| | +--ro end inet:port-number | | +--ro end inet:port-number
| +--ro remote-ports* [start end] | +--ro remote-ports* [start end]
| +--ro start inet:port-number | +--ro start inet:port-number
| +--ro end inet:port-number | +--ro end inet:port-number
+---n sadb-expire +---n sadb-expire {ikeless-notification}?
| +--ro ipsec-sa-name string | +--ro ipsec-sa-name string
| +--ro soft-lifetime-expire? boolean | +--ro soft-lifetime-expire? boolean
| +--ro lifetime-current | +--ro lifetime-current
| +--ro time? uint32 | +--ro time? uint32
| +--ro bytes? uint32 | +--ro bytes? uint32
| +--ro packets? uint32 | +--ro packets? uint32
| +--ro idle? uint32 | +--ro idle? uint32
+---n sadb-seq-overflow +---n sadb-seq-overflow {ikeless-notification}?
| +--ro ipsec-sa-name string | +--ro ipsec-sa-name string
+---n sadb-bad-spi +---n sadb-bad-spi {ikeless-notification}?
+--ro spi uint32 +--ro spi uint32
The data model consists of a unique "ipsec-ikeless" container which, The data model consists of a unique "ipsec-ikeless" container which,
in turn, is integrated by two additional containers: "spd" and "sad". in turn, is integrated by two additional containers: "spd" and "sad".
The "spd" container consists of a list of entries that conform the The "spd" container consists of a list of entries that conform the
Security Policy Database. Compared to the IKE case data model, this Security Policy Database. Compared to the IKE case data model, this
part specifies a few additional parameters necessary due to the part specifies a few additional parameters necessary due to the
absence of an IKE software in the NSF: traffic direction to apply the absence of an IKE software in the NSF: traffic direction to apply the
IPsec policy, and a value to link an IPsec policy with its associated IPsec policy, and a value to link an IPsec policy with its associated
IPsec SAs. The "sad" container is a list of entries that conform the IPsec SAs. The "sad" container is a list of entries that conform the
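Review bot: adding `{ikeless-notification}?` to all four notifications means an NSF that does not advertise the feature will never send sadb-acquire or sadb-expire, yet the IKE-less description text does not say what the I2NSF Controller does in that case; it should state that without the feature the Controller cannot rely on sadb-acquire to trigger IPsec SA installation (so SAs must be provisioned together with the policies) nor on sadb-expire to drive rekeying, otherwise the feature is an interoperability gap with no specified fallback. Separately, the replay window width is inconsistent within this one tree: spd-entry/ipsec-policy-config/anti-replay-window is uint64, sad-entry/ipsec-sa-config/anti-replay-window is uint32, and ipsec-sa-state/replay-stats/replay-window is uint64 again; pick one width. The `bytes?` leaves in sa-lifetime-hard, sa-lifetime-soft and sa-lifetime-current are uint32, which caps a byte-based lifetime at about 4 GiB; on a 10 Gbit/s link that is a few seconds of traffic, so a byte lifetime on an IKE-less SA would force near-continuous rekeying through the Controller, and uint64 (as already used for seq-number-counter and the replay counters) avoids that. Minor wording: "entries that conform the Security Policy Database" should be "entries that make up".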
skipping to change at page 22, line 23 skipping to change at page 22, line 23
URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A, the requested URI is an XML namespace. XML: N/A, the requested URI is an XML namespace.
This document registers three YANG modules in the "YANG Module Names" This document registers three YANG modules in the "YANG Module Names"
registry [RFC6020]. Following the format in [RFC6020], the following registry [RFC6020]. Following the format in [RFC6020], the following
registrations are requested: registrations are requested:
Name: ietf-i2nsf-ikec Name: ietf-i2nsf-ikec
Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikec Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikec
Prefix: ic Prefix: nsfikec
Reference: RFC XXXX Reference: RFC XXXX
Name: ietf-i2nsf-ike Name: ietf-i2nsf-ike
Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ike Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ike
Prefix: ike Prefix: nsfike
Reference: RFC XXXX Reference: RFC XXXX
Name: ietf-i2nsf-ikeless Name: ietf-i2nsf-ikeless
Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless
Prefix: ikeless Prefix: nsfikels
Reference: RFC XXXX Reference: RFC XXXX
8. Security Considerations 8. Security Considerations
First of all, this document shares all the security issues of SDN First of all, this document shares all the security issues of SDN
that are specified in the "Security Considerations" section of that are specified in the "Security Considerations" section of
[ITU-T.Y.3300] and [RFC7426]. [ITU-T.Y.3300] and [RFC7426].
On the one hand, it is important to note that there MUST exist a On the one hand, it is important to note that there MUST exist a
security association between the I2NSF Controller and the NSFs to security association between the I2NSF Controller and the NSFs to
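Review bot: the prefix rename to `nsfikec`, `nsfike` and `nsfikels` must land in the same revision as the `prefix` statements of the three modules, the `import ... { prefix ... }` statements of ietf-i2nsf-ike and ietf-i2nsf-ikeless, and the XML examples in Appendices D, E and F; the tree diagrams above already show `nsfikec:`, but a registration that differs from the module text is exactly the mismatch YANG doctors review checks for. Also, `nsfikels` truncates the module suffix while the other two keep it in full (`nsfikec`, `nsfike`); `nsfikeless` would be the consistent choice unless brevity was the reason.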
skipping to change at page 24, line 30 skipping to change at page 24, line 30
any other entity (including the I2NSF Controller itself) once they any other entity (including the I2NSF Controller itself) once they
have been applied (i.e. write only operations) into the NSFs. have been applied (i.e. write only operations) into the NSFs.
Nevertheless, if the attacker has access to the I2NSF Controller Nevertheless, if the attacker has access to the I2NSF Controller
during the period of time that key material is generated, it may during the period of time that key material is generated, it may
obtain these values. In other words, the attacker might be able to obtain these values. In other words, the attacker might be able to
observe the IPsec traffic and decrypt, or even modify and re-encrypt, observe the IPsec traffic and decrypt, or even modify and re-encrypt,
the traffic between peers. the traffic between peers.
8.3. YANG modules 8.3. YANG modules
The YANG modules specified in this document defines a schema for data The YANG modules specified in this document define a schema for data
that is designed to be accessed via network management protocols such that is designed to be accessed via network management protocols such
as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer
is the secure transport layer, and the mandatory-to-implement secure is the secure transport layer, and the mandatory-to-implement secure
transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer
is HTTPS, and the mandatory-to-implement secure transport is TLS is HTTPS, and the mandatory-to-implement secure transport is TLS
[RFC8446]. [RFC8446].
The Network Configuration Access Control Model (NACM) [RFC8341] The Network Configuration Access Control Model (NACM) [RFC8341]
provides the means to restrict access for particular NETCONF or provides the means to restrict access for particular NETCONF or
RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or
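Review bot: the clause "once they have been applied (i.e. write only operations) into the NSFs" leaves open whether the I2NSF Controller itself keeps the key material after pushing it, which is exactly the exposure the next sentence describes ("if the attacker has access to the I2NSF Controller during the period of time that key material is generated, it may obtain these values"); consider adding a sentence requiring the Controller to discard the keys once the SAs are installed, so that the exposure window is bounded to the generation period. The "defines" to "define" correction is right, since the subject is "The YANG modules".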
skipping to change at page 25, line 42 skipping to change at page 25, line 42
/ipsec-ike/pad: This container includes sensitive information /ipsec-ike/pad: This container includes sensitive information
to read operations. This information should never be returned to read operations. This information should never be returned
to a client. For example, cryptographic material configured in to a client. For example, cryptographic material configured in
the NSFs: peer-authentication/pre-shared/secret and peer- the NSFs: peer-authentication/pre-shared/secret and peer-
authentication/digital-signature/private-key are already authentication/digital-signature/private-key are already
protected by the NACM extension "default-deny-all" in this protected by the NACM extension "default-deny-all" in this
document. document.
For the IKE-less case (ietf-i2nsf-ikeless): For the IKE-less case (ietf-i2nsf-ikeless):
/ipsec-ikeless/sad/ipsec-sa-config/esp-sa: This container /ipsec-ikeless/sad/sad-entry/ipsec-sa-config/esp-sa: This
includes symmetric keys for the IPsec SAs. For example, container includes symmetric keys for the IPsec SAs. For
encryption/key contains a ESP encryption key value and example, encryption/key contains a ESP encryption key value and
encryption/iv contains a initialization vector value. encryption/iv contains a initialization vector value.
Similarly, integrity/key has ESP integrity key value. Those Similarly, integrity/key has ESP integrity key value. Those
values must not be read by anyone and are protected by the NACM values must not be read by anyone and are protected by the NACM
extension "default-deny-all" in this document. extension "default-deny-all" in this document.
9. Acknowledgements 9. Acknowledgements
Authors want to thank Paul Wouters, Valery Smyslov, Sowmini Varadhan, Authors want to thank Paul Wouters, Valery Smyslov, Sowmini Varadhan,
David Carrel, Yoav Nir, Tero Kivinen, Martin Bjorklund, Graham David Carrel, Yoav Nir, Tero Kivinen, Martin Bjorklund, Graham
Bartlett, Sandeep Kampati, Linda Dunbar, Mohit Sethi, Martin Bartlett, Sandeep Kampati, Linda Dunbar, Mohit Sethi, Martin
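Review bot: the corrected path "/ipsec-ikeless/sad/sad-entry/ipsec-sa-config/esp-sa" now matches the list name used in the module ("} /*list sad-entry*/"), which the old text skipped. Two article errors in the same paragraph are carried over unchanged: "a ESP encryption key value" and "a initialization vector value" should read "an ESP encryption key value" and "an initialization vector value".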
skipping to change at page 31, line 15 skipping to change at page 31, line 15
Appendix A. Common YANG model for IKE and IKE-less cases Appendix A. Common YANG model for IKE and IKE-less cases
This Appendix is Normative. This Appendix is Normative.
This YANG module has normative references to [RFC3947], [RFC4301], This YANG module has normative references to [RFC3947], [RFC4301],
[RFC4303], [RFC8174], [RFC8221] and [IKEv2-Parameters]. [RFC4303], [RFC8174], [RFC8221] and [IKEv2-Parameters].
This YANG module has informative references to [RFC3948] and This YANG module has informative references to [RFC3948] and
[RFC8229]. [RFC8229].
<CODE BEGINS> file "ietf-i2nsf-ikec@2020-10-12.yang" <CODE BEGINS> file "ietf-i2nsf-ikec@2020-10-21.yang"
module ietf-i2nsf-ikec { module ietf-i2nsf-ikec {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikec"; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikec";
prefix "ic"; prefix "nsfikec";
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
reference "RFC 6991: Common YANG Data Types"; reference "RFC 6991: Common YANG Data Types";
} }
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
reference "RFC 6991: Common YANG Data Types"; reference "RFC 6991: Common YANG Data Types";
} }
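Review bot: renaming the prefix from "ic" to "nsfikec" is an interface change for every importing module, so the "import ietf-i2nsf-ikec { prefix ..." statements in ietf-i2nsf-ike and ietf-i2nsf-ikeless and every "ic:" type reference must change in the same revision; the later hunks do this consistently, which is good. The file name "ietf-i2nsf-ikec@2020-10-21.yang" has to agree with the date in the module's "revision" statement, and it does in the next hunk.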
skipping to change at page 32, line 24 skipping to change at page 32, line 24
This version of this YANG module is part of RFC XXXX;; This version of this YANG module is part of RFC XXXX;;
see the RFC itself for full legal notices. see the RFC itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this
document are to be interpreted as described in BCP 14 document are to be interpreted as described in BCP 14
(RFC 2119) (RFC 8174) when, and only when, they appear (RFC 2119) (RFC 8174) when, and only when, they appear
in all capitals, as shown here."; in all capitals, as shown here.";
revision "2020-10-12" { revision "2020-10-21" {
description "Initial version."; description "Initial version.";
reference "RFC XXXX: Software-Defined Networking reference "RFC XXXX: Software-Defined Networking
(SDN)-based IPsec Flow Protection."; (SDN)-based IPsec Flow Protection.";
} }
typedef encryption-algorithm-type { typedef encryption-algorithm-type {
type uint16; type uint16;
description description
"The encryption algorithm is specified with a 16-bit "The encryption algorithm is specified with a 16-bit
number extracted from IANA Registry. The acceptable number extracted from IANA Registry. The acceptable
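Review bot: the doubled semicolon in "This version of this YANG module is part of RFC XXXX;;" is left unchanged in this hunk, while the ietf-i2nsf-ike module uses a single semicolon for the same sentence; fix it to "RFC XXXX;". With the revision date bumped to "2020-10-21" the description "Initial version." is still acceptable for a draft, as long as the date is updated once more when the document is published.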
skipping to change at page 44, line 17 skipping to change at page 44, line 17
key id; key id;
ordered-by user; ordered-by user;
leaf id { leaf id {
type uint8; type uint8;
description description
"The index of list with the "The index of list with the
different encryption algorithms and different encryption algorithms and
its key-length (if required)."; its key-length (if required).";
} }
leaf algorithm-type { leaf algorithm-type {
type ic:encryption-algorithm-type; type nsfikec:encryption-algorithm-type;
default 20; default 20;
description description
"Default value 20 "Default value 20 (ENCR_AES_GCM_16)";
(ENCR_AES_GCM_16)";
} }
leaf key-length { leaf key-length {
type uint16; type uint16;
default 128; default 128;
description description
"By default key length is 128 "By default key length is 128
bits"; bits";
} }
description description
"Encryption or AEAD algorithm for the "Encryption or AEAD algorithm for the
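Review bot: the description "The index of list with the different encryption algorithms" is missing an article; the equivalent leaf in the IKE module reads "The index of the list with the different encryption algorithms", so align the wording. Collapsing "Default value 20 (ENCR_AES_GCM_16)" onto one line is fine; note that this module defaults the IPsec SA cipher to an AEAD algorithm while the IKE SA "algorithm-type" later in the document defaults to 12 (ENCR_AES_CBC), so if the two defaults are deliberately different a sentence in the prose saying why would help readers.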
skipping to change at page 46, line 16 skipping to change at page 46, line 16
This Appendix is Normative. This Appendix is Normative.
This YANG module has normative references to [RFC2247], [RFC5280], This YANG module has normative references to [RFC2247], [RFC5280],
[RFC4301], [RFC5280], [RFC5915], [RFC6991], [RFC7296], [RFC7383], [RFC4301], [RFC5280], [RFC5915], [RFC6991], [RFC7296], [RFC7383],
[RFC7427], [RFC7619], [RFC8017], [RFC8174], [RFC8341], [ITU-T.X.690], [RFC7427], [RFC7619], [RFC8017], [RFC8174], [RFC8341], [ITU-T.X.690],
[I-D.draft-ietf-netconf-crypto-types] and [IKEv2-Parameters]. [I-D.draft-ietf-netconf-crypto-types] and [IKEv2-Parameters].
This YANG module has informative references to [RFC8229]. This YANG module has informative references to [RFC8229].
<CODE BEGINS> file "ietf-i2nsf-ike@2020-10-12.yang" <CODE BEGINS> file "ietf-i2nsf-ike@2020-10-21.yang"
module ietf-i2nsf-ike { module ietf-i2nsf-ike {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ike"; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ike";
prefix "nsfike"; prefix "nsfike";
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
reference "RFC 6991: Common YANG Data Types"; reference "RFC 6991: Common YANG Data Types";
} }
skipping to change at page 46, line 40 skipping to change at page 46, line 40
reference "RFC 6991: Common YANG Data Types"; reference "RFC 6991: Common YANG Data Types";
} }
import ietf-crypto-types { import ietf-crypto-types {
prefix ct; prefix ct;
reference "RFC XXXX: YANG Data Types and Groupings reference "RFC XXXX: YANG Data Types and Groupings
for Cryptography."; for Cryptography.";
} }
import ietf-i2nsf-ikec { import ietf-i2nsf-ikec {
prefix ic; prefix nsfikec;
reference reference
"Common Data model for SDN-based IPsec "Common Data model for SDN-based IPsec
configuration."; configuration.";
} }
import ietf-netconf-acm { import ietf-netconf-acm {
prefix nacm; prefix nacm;
reference reference
"RFC 8341: Network Configuration Access Control "RFC 8341: Network Configuration Access Control
Model."; Model.";
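Review bot: the normative reference list for this module cites [RFC5280] twice ("[RFC2247], [RFC5280], [RFC4301], [RFC5280], ..."); drop one occurrence. The "import ietf-crypto-types" statement references "RFC XXXX: YANG Data Types and Groupings for Cryptography" while the prose above cites the same work as [I-D.draft-ietf-netconf-crypto-types]; both placeholders need to resolve to the same document before publication.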
skipping to change at page 47, line 49 skipping to change at page 47, line 49
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices. the RFC itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this
document are to be interpreted as described in BCP 14 document are to be interpreted as described in BCP 14
(RFC 2119) (RFC 8174) when, and only when, they appear (RFC 2119) (RFC 8174) when, and only when, they appear
in all capitals, as shown here."; in all capitals, as shown here.";
revision "2020-10-12" { revision "2020-10-21" {
description "Initial version."; description "Initial version.";
reference "RFC XXXX: Software-Defined Networking reference "RFC XXXX: Software-Defined Networking
(SDN)-based IPsec Flow Protection."; (SDN)-based IPsec Flow Protection.";
} }
typedef ike-spi { typedef ike-spi {
type uint64 { range "0..max"; } type uint64 { range "0..max"; }
description description
"Security Parameter Index (SPI)'s IKE SA."; "Security Parameter Index (SPI)'s IKE SA.";
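Review bot: the typedef description "Security Parameter Index (SPI)'s IKE SA." reads backwards; suggest "Security Parameter Index (SPI) of an IKE SA." Otherwise the hunk only bumps the revision date, matching the file name in the previous hunk.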
skipping to change at page 59, line 17 skipping to change at page 59, line 17
type uint32; type uint32;
default 0; default 0;
description description
"Time in seconds before the IKE SA is "Time in seconds before the IKE SA is
removed. The value 0 means infinite."; removed. The value 0 means infinite.";
} }
reference reference
"RFC 7296."; "RFC 7296.";
} }
leaf-list authalg { leaf-list authalg {
type ic:integrity-algorithm-type; type nsfikec:integrity-algorithm-type;
default 12; default 12;
ordered-by user; ordered-by user;
description description
"Authentication algorithm for establishing "Authentication algorithm for establishing
the IKE SA. This list is ordered following the IKE SA. This list is ordered following
from the higher priority to lower priority. from the higher priority to lower priority.
First node of the list will be the algorithm First node of the list will be the algorithm
with higher priority."; with higher priority.";
} }
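Review bot: the lifetime leaf with "default 0;" and "The value 0 means infinite." means that, unless the I2NSF Controller sets a value, an IKE SA is never removed on a time basis; if that is intentional, say so explicitly in the description, because a reader comparing it with the child-sa lifetime containers below may expect a finite default. For "leaf-list authalg" the text "This list is ordered following from the higher priority to lower priority" should read "from higher priority to lower priority", and "default 12;" on a leaf-list that is "ordered-by user" yields a one-element default list, which is fine but worth stating.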
skipping to change at page 59, line 41 skipping to change at page 59, line 41
ordered-by user; ordered-by user;
leaf id { leaf id {
type uint8; type uint8;
description description
"The index of the list with the "The index of the list with the
different encryption algorithms and its different encryption algorithms and its
key-length (if required). E.g. AES-CBC, key-length (if required). E.g. AES-CBC,
128 bits"; 128 bits";
} }
leaf algorithm-type { leaf algorithm-type {
type ic:encryption-algorithm-type; type nsfikec:encryption-algorithm-type;
default 12; default 12;
description description
"Default value 12 (ENCR_AES_CBC)"; "Default value 12 (ENCR_AES_CBC)";
} }
leaf key-length { leaf key-length {
type uint16; type uint16;
default 128; default 128;
description description
"By default key length is 128 bits"; "By default key length is 128 bits";
} }
skipping to change at page 61, line 23 skipping to change at page 61, line 23
the PAD where the authorization the PAD where the authorization
information about this particular information about this particular
remote peer is stored. It MUST match a remote peer is stored. It MUST match a
pad-entry-name."; pad-entry-name.";
} }
description description
"Remote peer authentication information."; "Remote peer authentication information.";
} }
container encapsulation-type container encapsulation-type
{ {
uses ic:encap; uses nsfikec:encap;
description description
"This container carries configuration "This container carries configuration
information about the source and destination information about the source and destination
ports of encapsulation that IKE should use ports of encapsulation that IKE should use
and the type of encapsulation that and the type of encapsulation that
should use when NAT traversal is required. should use when NAT traversal is required.
However, this is just a best effort since However, this is just a best effort since
the IKE implementation may need to use a the IKE implementation may need to use a
different encapsulation as different encapsulation as
described in RFC 8229."; described in RFC 8229.";
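Review bot: the description of "container encapsulation-type" drops its subject in "and the type of encapsulation that should use when NAT traversal is required"; it should read "that IKE should use". The "uses nsfikec:encap;" line follows the prefix rename.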
skipping to change at page 62, line 7 skipping to change at page 62, line 7
leaf name { leaf name {
type string; type string;
description description
"SPD entry unique name to identify "SPD entry unique name to identify
the IPsec policy."; the IPsec policy.";
} }
container ipsec-policy-config { container ipsec-policy-config {
description description
"This container carries the "This container carries the
configuration of a IPsec policy."; configuration of a IPsec policy.";
uses ic:ipsec-policy-grouping; uses nsfikec:ipsec-policy-grouping;
} }
description description
"List of entries which will constitute "List of entries which will constitute
the representation of the SPD. Since we the representation of the SPD. Since we
have IKE in this case, it is only have IKE in this case, it is only
required to send a IPsec policy from required to send a IPsec policy from
this NSF where 'local' is this NSF and this NSF where 'local' is this NSF and
'remote' the other NSF. The IKE 'remote' the other NSF. The IKE
implementation will install IPsec implementation will install IPsec
policies in the NSF's kernel in both policies in the NSF's kernel in both
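Review bot: the article is wrong in "configuration of a IPsec policy" and "required to send a IPsec policy"; both should be "an IPsec policy". The "uses nsfikec:ipsec-policy-grouping;" line follows the prefix rename.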
skipping to change at page 62, line 46 skipping to change at page 62, line 46
priority to lower priority. First node priority to lower priority. First node
of the list will be the algorithm of the list will be the algorithm
with higher priority."; with higher priority.";
} }
container child-sa-lifetime-soft { container child-sa-lifetime-soft {
description description
"Soft IPsec SA lifetime soft. "Soft IPsec SA lifetime soft.
After the lifetime the action is After the lifetime the action is
defined in this container defined in this container
in the leaf action."; in the leaf action.";
uses ic:lifetime; uses nsfikec:lifetime;
leaf action { leaf action {
type ic:lifetime-action; type nsfikec:lifetime-action;
default replace; default replace;
description description
"When the lifetime of an IPsec SA "When the lifetime of an IPsec SA
expires an action needs to be expires an action needs to be
performed over the IPsec SA that performed over the IPsec SA that
reached the lifetime. There are reached the lifetime. There are
three possible options: three possible options:
terminate-clear, terminate-hold and terminate-clear, terminate-hold and
replace."; replace.";
reference reference
"Section 4.5 in RFC 4301 and Section 2.8 "Section 4.5 in RFC 4301 and Section 2.8
in RFC 7296."; in RFC 7296.";
} }
} }
container child-sa-lifetime-hard { container child-sa-lifetime-hard {
description description
"IPsec SA lifetime hard. The action will "IPsec SA lifetime hard. The action will
be to terminate the IPsec SA."; be to terminate the IPsec SA.";
uses ic:lifetime; uses nsfikec:lifetime;
reference reference
"Section 2.8 in RFC 7296."; "Section 2.8 in RFC 7296.";
} }
description description
"Specific information for IPsec SAs "Specific information for IPsec SAs
SAs. It includes PFS group and IPsec SAs SAs. It includes PFS group and IPsec SAs
rekey lifetimes."; rekey lifetimes.";
} }
container state { container state {
config false; config false;
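Review bot: the description "Soft IPsec SA lifetime soft." repeats "soft", and "Specific information for IPsec SAs SAs." repeats "SAs"; both read as copy-edit leftovers. The soft-lifetime "leaf action" has "default replace;" here, whereas the equivalent "leaf action" in the IKE-less module's "sa-lifetime-soft" has no default, so either add the default there too or explain why the Controller must set it explicitly in the IKE-less case.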
skipping to change at page 64, line 15 skipping to change at page 64, line 15
} }
leaf nat-remote { leaf nat-remote {
type boolean; type boolean;
description description
"True, if remote endpoint is behind "True, if remote endpoint is behind
a NAT."; a NAT.";
} }
container encapsulation-type container encapsulation-type
{ {
uses ic:encap; uses nsfikec:encap;
description description
"This container provides information "This container provides information
about the source and destination about the source and destination
ports of encapsulation that IKE is ports of encapsulation that IKE is
using, and the type of encapsulation using, and the type of encapsulation
when NAT traversal is required."; when NAT traversal is required.";
reference reference
"RFC 8229."; "RFC 8229.";
} }
leaf established { leaf established {
skipping to change at page 65, line 34 skipping to change at page 65, line 34
<CODE ENDS> <CODE ENDS>
Appendix C. YANG model for IKE-less case Appendix C. YANG model for IKE-less case
This Appendix is Normative. This Appendix is Normative.
This YANG module has normative references to [RFC4301], [RFC6991], This YANG module has normative references to [RFC4301], [RFC6991],
[RFC8174] and [RFC8341]. [RFC8174] and [RFC8341].
<CODE BEGINS> file "ietf-i2nsf-ikeless@2020-10-12.yang" <CODE BEGINS> file "ietf-i2nsf-ikeless@2020-10-21.yang"
module ietf-i2nsf-ikeless { module ietf-i2nsf-ikeless {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless"; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless";
prefix "nsfikels"; prefix "nsfikels";
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
reference "RFC 6991: Common YANG Data Types"; reference "RFC 6991: Common YANG Data Types";
} }
import ietf-i2nsf-ikec { import ietf-i2nsf-ikec {
prefix ic; prefix nsfikec;
reference reference
"Common Data model for SDN-based IPsec "Common Data model for SDN-based IPsec
configuration."; configuration.";
} }
import ietf-netconf-acm { import ietf-netconf-acm {
prefix nacm; prefix nacm;
reference reference
"RFC 8341: Network Configuration Access Control "RFC 8341: Network Configuration Access Control
Model."; Model.";
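Review bot: the normative reference list for this module ("[RFC4301], [RFC6991], [RFC8174] and [RFC8341]") does not include RFC 4303, although the module configures Encapsulation Security Payload SAs ("container esp-sa") and Appendix A does cite [RFC4303]; add it for consistency. The "import ietf-i2nsf-ikec { prefix nsfikec;" change follows the prefix rename.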
skipping to change at page 67, line 9 skipping to change at page 67, line 9
This version of this YANG module is part of RFC XXXX;; This version of this YANG module is part of RFC XXXX;;
see the RFC itself for full legal notices. see the RFC itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this
document are to be interpreted as described in BCP 14 document are to be interpreted as described in BCP 14
(RFC 2119) (RFC 8174) when, and only when, they appear (RFC 2119) (RFC 8174) when, and only when, they appear
in all capitals, as shown here."; in all capitals, as shown here.";
revision "2020-10-12" { revision "2020-10-21" {
description "Initial version."; description "Initial version.";
reference "RFC XXXX: Software-Defined Networking reference "RFC XXXX: Software-Defined Networking
(SDN)-based IPsec Flow Protection."; (SDN)-based IPsec Flow Protection.";
} }
feature ikeless-notification {
description
"To ensure broader applicability of this module,
the notifications are marked as a feature.
For the implementation of ikeless case,
the NSF is expected to implement this
feature.";
}
container ipsec-ikeless { container ipsec-ikeless {
description description
"Container for configuration of the IKE-less "Container for configuration of the IKE-less
case. The container contains two additional case. The container contains two additional
containers: 'spd' and 'sad'. The first allows the containers: 'spd' and 'sad'. The first allows the
I2NSF Controller to configure IPsec policies in I2NSF Controller to configure IPsec policies in
the Security Policy Database SPD, and the second the Security Policy Database SPD, and the second
allows to configure IPsec Security Associations allows to configure IPsec Security Associations
(IPsec SAs) in the Security Association Database (IPsec SAs) in the Security Association Database
(SAD)."; (SAD).";
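Review bot: the new "feature ikeless-notification" description says the NSF "is expected to implement this feature", which is not BCP 14 language even though the module preamble says the key words apply "when, and only when, they appear in all capitals"; state the requirement as "SHOULD" or "MUST", or say plainly in the document's prose that the notifications are optional. The doubled semicolon in "part of RFC XXXX;;" is also still present in this module.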
skipping to change at page 67, line 42 skipping to change at page 67, line 51
list spd-entry { list spd-entry {
key "name"; key "name";
ordered-by user; ordered-by user;
leaf name { leaf name {
type string; type string;
description description
"SPD entry unique name to identify this "SPD entry unique name to identify this
entry."; entry.";
} }
leaf direction { leaf direction {
type ic:ipsec-traffic-direction; type nsfikec:ipsec-traffic-direction;
mandatory true; mandatory true;
description description
"Inbound traffic or outbound "Inbound traffic or outbound
traffic. In the IKE-less case the traffic. In the IKE-less case the
I2NSF Controller needs to I2NSF Controller needs to
specify the policy direction to be specify the policy direction to be
applied in the NSF. In the IKE case applied in the NSF. In the IKE case
this direction does not need to be this direction does not need to be
specified since IKE specified since IKE
will determine the direction that will determine the direction that
skipping to change at page 68, line 23 skipping to change at page 68, line 32
same reqid. It is only required in same reqid. It is only required in
the IKE-less model since, in the IKE the IKE-less model since, in the IKE
case this link is handled internally case this link is handled internally
by IKE."; by IKE.";
} }
container ipsec-policy-config { container ipsec-policy-config {
description description
"This container carries the "This container carries the
configuration of a IPsec policy."; configuration of a IPsec policy.";
uses ic:ipsec-policy-grouping; uses nsfikec:ipsec-policy-grouping;
} }
description description
"The SPD is represented as a list of SPD "The SPD is represented as a list of SPD
entries, where each SPD entry represents an entries, where each SPD entry represents an
IPsec policy."; IPsec policy.";
} /*list spd-entry*/ } /*list spd-entry*/
} /*container spd*/ } /*container spd*/
container sad { container sad {
description description
skipping to change at page 70, line 15 skipping to change at page 70, line 24
type uint32; type uint32;
default 32; default 32;
description description
"A 32-bit counter and a bit-map (or "A 32-bit counter and a bit-map (or
equivalent) used to determine equivalent) used to determine
whether an inbound ESP packet is a whether an inbound ESP packet is a
replay. If set to 0 no anti-replay replay. If set to 0 no anti-replay
mechanism is performed."; mechanism is performed.";
} }
container traffic-selector { container traffic-selector {
uses ic:selector-grouping; uses nsfikec:selector-grouping;
description description
"The IPsec SA traffic selector."; "The IPsec SA traffic selector.";
} }
leaf protocol-parameters { leaf protocol-parameters {
type ic:ipsec-protocol-parameters; type nsfikec:ipsec-protocol-parameters;
default esp; default esp;
description description
"Security protocol of IPsec SA: Only "Security protocol of IPsec SA: Only
ESP so far."; ESP so far.";
} }
leaf mode { leaf mode {
type ic:ipsec-mode; type nsfikec:ipsec-mode;
default transport; default transport;
description description
"Tunnel or transport mode."; "Tunnel or transport mode.";
} }
container esp-sa { container esp-sa {
when "../protocol-parameters = when "../protocol-parameters =
'esp'"; 'esp'";
description description
"In case the IPsec SA is "In case the IPsec SA is
Encapsulation Security Payload Encapsulation Security Payload
(ESP), it is required to specify (ESP), it is required to specify
encryption and integrity encryption and integrity
algorithms, and key material."; algorithms, and key material.";
container encryption { container encryption {
description description
"Configuration of encryption or "Configuration of encryption or
AEAD algorithm for IPsec AEAD algorithm for IPsec
Encapsulation Security Payload Encapsulation Security Payload
(ESP)."; (ESP).";
leaf encryption-algorithm { leaf encryption-algorithm {
type ic:encryption-algorithm-type; type nsfikec:encryption-algorithm-type;
default 12; default 12;
description description
"Configuration of ESP "Configuration of ESP
encryption. With AEAD encryption. With AEAD
algorithms, the integrity algorithms, the integrity
leaf is not used."; leaf is not used.";
} }
leaf key { leaf key {
nacm:default-deny-all; nacm:default-deny-all;
type yang:hex-string; type yang:hex-string;
description description
"ESP encryption key value. "ESP encryption key value.
If this leaf is not defined If this leaf is not defined
the key is not defined the key is not defined
(e.g. encryption is NULL). (e.g. encryption is NULL).
The key length is The key length is
determined by the determined by the
length of the key set in length of the key set in
this leaf. By default is this leaf. By default is
128 bits."; 128 bits.";
} }
leaf iv { leaf iv {
nacm:default-deny-all; nacm:default-deny-all;
type yang:hex-string; type yang:hex-string;
description description
"ESP encryption IV value. If "ESP encryption IV value. If
this leaf is not defined the this leaf is not defined the
IV is not defined (e.g. IV is not defined (e.g.
encryption is NULL)"; encryption is NULL)";
}
} }
container integrity { }
description
container integrity {
description
"Configuration of integrity for "Configuration of integrity for
IPsec Encapsulation Security IPsec Encapsulation Security
Payload (ESP). This container Payload (ESP). This container
allows to configure integrity allows to configure integrity
algorithm when no AEAD algorithm when no AEAD
algorithms are used, and algorithms are used, and
integrity is required."; integrity is required.";
leaf integrity-algorithm { leaf integrity-algorithm {
type ic:integrity-algorithm-type; type nsfikec:integrity-algorithm-type;
default 12; default 12;
description description
"Message Authentication Code "Message Authentication Code
(MAC) algorithm to provide (MAC) algorithm to provide
integrity in ESP integrity in ESP
(default (default
AUTH_HMAC_SHA2_256_128). AUTH_HMAC_SHA2_256_128).
With AEAD algorithms, With AEAD algorithms,
the integrity leaf is not the integrity leaf is not
used."; used.";
} }
leaf key { leaf key {
nacm:default-deny-all; nacm:default-deny-all;
type yang:hex-string; type yang:hex-string;
description description
"ESP integrity key value. "ESP integrity key value.
If this leaf is not defined If this leaf is not defined
the key is not defined (e.g. the key is not defined (e.g.
AEAD algorithm is chosen and AEAD algorithm is chosen and
integrity algorithm is not integrity algorithm is not
required). The key length is required). The key length is
determined by the length of determined by the length of
the key configured."; the key configured.";
}
} }
}
} /*container esp-sa*/ } /*container esp-sa*/
container sa-lifetime-hard { container sa-lifetime-hard {
description description
"IPsec SA hard lifetime. The action "IPsec SA hard lifetime. The action
associated is terminate and associated is terminate and
hold."; hold.";
uses ic:lifetime; uses nsfikec:lifetime;
} }
container sa-lifetime-soft { container sa-lifetime-soft {
description description
"IPsec SA soft lifetime."; "IPsec SA soft lifetime.";
uses ic:lifetime; uses nsfikec:lifetime;
leaf action { leaf action {
type ic:lifetime-action; type nsfikec:lifetime-action;
description description
"Action lifetime: "Action lifetime:
terminate-clear, terminate-clear,
terminate-hold or replace."; terminate-hold or replace.";
} }
} }
container tunnel { container tunnel {
when "../mode = 'tunnel'"; when "../mode = 'tunnel'";
uses ic:tunnel-grouping; uses nsfikec:tunnel-grouping;
description description
"Endpoints of the IPsec tunnel."; "Endpoints of the IPsec tunnel.";
} }
container encapsulation-type container encapsulation-type
{ {
uses ic:encap; uses nsfikec:encap;
description description
"This container carries "This container carries
configuration information about configuration information about
the source and destination ports the source and destination ports
which will be used for ESP which will be used for ESP
encapsulation that ESP packets the encapsulation that ESP packets the
type of encapsulation when NAT type of encapsulation when NAT
traversal is in place."; traversal is in place.";
} }
} /*ipsec-sa-config*/ } /*ipsec-sa-config*/
container ipsec-sa-state { container ipsec-sa-state {
config false; config false;
description description
"Container describing IPsec SA state "Container describing IPsec SA state
data."; data.";
container sa-lifetime-current { container sa-lifetime-current {
uses ic:lifetime; uses nsfikec:lifetime;
description description
"SAD lifetime current."; "SAD lifetime current.";
} }
container replay-stats { container replay-stats {
description description
"State data about the anti-replay "State data about the anti-replay
window."; window.";
leaf replay-window { leaf replay-window {
type uint64; type uint64;
description description
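Review bot: the "leaf iv" under "container encryption" is configuration data holding a static per-SA value ("ESP encryption IV value."), but the ESP IV is a per-packet quantity, and for the AEAD default chosen in Appendix A (ENCR_AES_GCM_16) reusing the nonce across packets defeats the construction; the description should say precisely what this value is (for example the per-SA salt or nonce prefix) and how per-packet uniqueness is guaranteed. Smaller points in the same hunk: the encryption "leaf key" is a "yang:hex-string" with no default, so "By default is 128 bits." contradicts "The key length is determined by the length of the key set in this leaf" and should be removed; the anti-replay leaf whose description begins "A 32-bit counter and a bit-map" is "type uint32; default 32;" while the "leaf replay-window" under "replay-stats" is "type uint64;", so the two should share a type; and the encapsulation-type description "encapsulation that ESP packets the type of encapsulation when NAT traversal is in place" is garbled and needs rewording.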
skipping to change at page 74, line 23 skipping to change at page 74, line 33
} /*ipsec-sa-state*/ } /*ipsec-sa-state*/
description description
"List of SAD entries that conforms the SAD."; "List of SAD entries that conforms the SAD.";
} /*list sad-entry*/ } /*list sad-entry*/
} /*container sad*/ } /*container sad*/
}/*container ipsec-ikeless*/ }/*container ipsec-ikeless*/
/* Notifications */ /* Notifications */
notification sadb-acquire { notification sadb-acquire {
if-feature ikeless-notification;
description description
"An IPsec SA is required. The traffic-selector "An IPsec SA is required. The traffic-selector
container contains information about the IP packet container contains information about the IP packet
that triggers the acquire notification."; that triggers the acquire notification.";
leaf ipsec-policy-name { leaf ipsec-policy-name {
type string; type string;
mandatory true; mandatory true;
description description
"It contains the SPD entry name (unique) of "It contains the SPD entry name (unique) of
the IPsec policy that hits the IP packet the IPsec policy that hits the IP packet
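Review bot: adding "if-feature ikeless-notification;" to "notification sadb-acquire" makes the notification optional at the YANG level, which is a behavioural change for the IKE-less case where the I2NSF Controller relies on it to learn that "An IPsec SA is required"; make sure the main text says what a Controller does with an NSF that does not advertise the feature. The leaf description "the IPsec policy that hits the IP packet" would be clearer as "the IPsec policy matched by the IP packet".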
skipping to change at page 74, line 41 skipping to change at page 75, line 4
"It contains the SPD entry name (unique) of "It contains the SPD entry name (unique) of
the IPsec policy that hits the IP packet the IPsec policy that hits the IP packet
required IPsec SA. It is assumed the required IPsec SA. It is assumed the
I2NSF Controller will have a copy of the I2NSF Controller will have a copy of the
information of this policy so it can information of this policy so it can
extract all the information with this extract all the information with this
unique identifier. The type of IPsec SA is unique identifier. The type of IPsec SA is
defined in the policy so the Security defined in the policy so the Security
Controller can also know the type of IPsec Controller can also know the type of IPsec
SA that must be generated."; SA that must be generated.";
} }
container traffic-selector { container traffic-selector {
description description
"The IP packet that triggered the acquire "The IP packet that triggered the acquire
and requires an IPsec SA. Specifically it and requires an IPsec SA. Specifically it
will contain the IP source/mask and IP will contain the IP source/mask and IP
destination/mask; protocol (udp, tcp, destination/mask; protocol (udp, tcp,
etc...); and source and destination etc...); and source and destination
ports."; ports.";
uses ic:selector-grouping; uses nsfikec:selector-grouping;
} }
} }
notification sadb-expire { notification sadb-expire {
if-feature ikeless-notification;
description "An IPsec SA expiration (soft or hard)."; description "An IPsec SA expiration (soft or hard).";
leaf ipsec-sa-name { leaf ipsec-sa-name {
type string; type string;
mandatory true; mandatory true;
description description
"It contains the SAD entry name (unique) of "It contains the SAD entry name (unique) of
the IPsec SA that has expired. It is assumed the IPsec SA that has expired. It is assumed
the I2NSF Controller will have a copy of the the I2NSF Controller will have a copy of the
IPsec SA information (except the cryptographic IPsec SA information (except the cryptographic
material and state data) indexed by this name material and state data) indexed by this name
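Review bot: the prefix change from `uses ic:selector-grouping;` to `uses nsfikec:selector-grouping;` in the traffic-selector container only validates if the module's import of the IKE-common module declares `prefix nsfikec` and every remaining `ic:` reference in the module is renamed in the same revision; one stray `ic:` anywhere makes the whole module fail compilation, so the import statement and the other `uses` lines outside this hunk deserve a check. The `if-feature ikeless-notification;` added to `notification sadb-expire` likewise needs a matching `feature ikeless-notification` statement in the module, and it changes the contract with the I2NSF Controller: an NSF that does not advertise the feature will never emit sadb-expire, so the controller cannot rely on this notification alone to trigger rekeying and must keep its own lifetime tracking for such NSFs (the description's assumption that the controller holds a copy of the SA information is what makes that fallback possible, and it is worth saying so). Finally, the ipsec-policy-name description reads "the IPsec policy that hits the IP packet required IPsec SA", which is missing a connective; suggest "the IPsec policy that matches the IP packet that requires an IPsec SA".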
skipping to change at page 75, line 37 skipping to change at page 75, line 49
description description
"If this value is true the lifetime expired is "If this value is true the lifetime expired is
soft. If it is false is hard."; soft. If it is false is hard.";
} }
container lifetime-current { container lifetime-current {
description description
"IPsec SA current lifetime. If "IPsec SA current lifetime. If
soft-lifetime-expired is true this container is soft-lifetime-expired is true this container is
set with the lifetime information about current set with the lifetime information about current
soft lifetime."; soft lifetime.";
uses ic:lifetime; uses nsfikec:lifetime;
} }
} }
notification sadb-seq-overflow { notification sadb-seq-overflow {
if-feature ikeless-notification;
description "Sequence overflow notification."; description "Sequence overflow notification.";
leaf ipsec-sa-name { leaf ipsec-sa-name {
type string; type string;
mandatory true; mandatory true;
description description
"It contains the SAD entry name (unique) of "It contains the SAD entry name (unique) of
the IPsec SA that is about to have sequence the IPsec SA that is about to have sequence
number overflow and rollover is not permitted. number overflow and rollover is not permitted.
It is assumed the I2NSF Controller will have It is assumed the I2NSF Controller will have
a copy of the IPsec SA information (except the a copy of the IPsec SA information (except the
cryptographic material and state data) indexed cryptographic material and state data) indexed
by this name (unique identifier) so the it can by this name (unique identifier) so the it can
know all the information (crypto algorithms, know all the information (crypto algorithms,
etc.) about the IPsec SA that has expired in etc.) about the IPsec SA that has expired in
order to perform a rekey of the IPsec SA."; order to perform a rekey of the IPsec SA.";
} }
} }
notification sadb-bad-spi { notification sadb-bad-spi {
if-feature ikeless-notification;
description description
"Notify when the NSF receives a packet with an "Notify when the NSF receives a packet with an
incorrect SPI (i.e. not present in the SAD)."; incorrect SPI (i.e. not present in the SAD).";
leaf spi { leaf spi {
type uint32 { range "0..max"; } type uint32 { range "0..max"; }
mandatory true; mandatory true;
description description
"SPI number contained in the erroneous IPsec "SPI number contained in the erroneous IPsec
packet."; packet.";
} }
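Review bot: the ipsec-sa-name description under `notification sadb-seq-overflow` still says "about the IPsec SA that has expired", copied from sadb-expire, although this notification fires when the sequence number is about to overflow and rollover is not permitted; suggest "about the IPsec SA that is about to overflow in order to perform a rekey of the IPsec SA", and fix the typo "so the it can" in the same sentence. On `notification sadb-bad-spi`, the trigger "when the NSF receives a packet with an incorrect SPI (i.e. not present in the SAD)" is satisfied by any packet from any source, since a packet whose SPI has no SAD entry has no key to authenticate it against, so a remote party can cause one notification per spoofed packet; the description should require, or at least recommend, that the NSF rate-limit or aggregate these notifications so the channel to the I2NSF Controller is not flooded. Also, `range "0..max"` on `type uint32` restates the type's full range and can simply be dropped.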
skipping to change at page 90, line 50 skipping to change at page 90, line 50
removing any new inbound SA that had been successfully installed removing any new inbound SA that had been successfully installed
during step 1. during step 1.
If step 1 is successful but some of the operations in step 2 fails If step 1 is successful but some of the operations in step 2 fails
(e.g. the NSF A reports an error when the I2NSF Controller is trying (e.g. the NSF A reports an error when the I2NSF Controller is trying
to install the new outbound IPsec SA), the I2NSF Controller must to install the new outbound IPsec SA), the I2NSF Controller must
perform a rollback operation by deleting any new outbound SA that had perform a rollback operation by deleting any new outbound SA that had
been successfully installed during step 2 and by deleting the inbound been successfully installed during step 2 and by deleting the inbound
SAs created in step 1. SAs created in step 1.
If the steps 1 an 2 are successful and the step 3 fails, the I2NSF If the steps 1 and 2 are successful but the step 3 fails, the I2NSF
Controller will avoid any rollback of the operations carried out in Controller will avoid any rollback of the operations carried out in
step 1 and step 2 since new and valid IPsec SAs were created and are step 1 and step 2 since new and valid IPsec SAs were created and are
functional. The I2NSF Controller may reattempt to remove the old functional. The I2NSF Controller may reattempt to remove the old
inbound and outbound SAs in NSF A and NSF B several times until it inbound and outbound SAs in NSF A and NSF B several times until it
receives a success or it gives up. In the last case, the old IPsec receives a success or it gives up. In the last case, the old IPsec
SAs will be removed when their corresponding hard lifetime is SAs will be removed when their corresponding hard lifetime is
reached. reached.
G.3. Example of managing NSF state loss in IKE-less case G.3. Example of managing NSF state loss in IKE-less case
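Review bot: the step-2 failure path says the controller rolls back "by deleting any new outbound SA that had been successfully installed during step 2 and by deleting the inbound SAs created in step 1" but does not fix the order; deleting the outbound SAs first and the inbound SAs second (the reverse of the install order) means no NSF is ever left sending traffic on an SA its peer has already removed, which would otherwise surface as sadb-bad-spi notifications during the rollback, so suggest stating that order explicitly. In the step-3 failure path, "reattempt ... several times until it receives a success or it gives up" leaves the retry policy unbounded; a bounded retry count or backoff should be stated, since the only safety net named is the hard lifetime of the old SAs. Two wording points: "the I2NSF Controller must perform a rollback" and "The I2NSF Controller may reattempt" read as normative, so if that is intended they should use the RFC 2119 keywords MUST and MAY, and the -10 text "but the step 3 fails" should drop the article to match "step 1 and step 2" later in the sentence.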
 End of changes. 71 change blocks. 
325 lines changed or deleted; 339 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/