Babel Working Group                                     M. Jethanandani
Internet-Draft                                           Kloud Services
Intended status: Standards Track                               B. Stark
Expires: 26 March 2022                                             AT&T
                                                      22 September 2021

                       YANG Data Model for Babel
                    draft-ietf-babel-yang-model-13

Abstract

This document defines a data model for the Babel routing protocol.
The data model is defined using the YANG data modeling language.

Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119][RFC8174] when, and only when, they appear in all
capitals, as shown here.

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on 26 March 2022.

Copyright Notice

Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Code Components extracted from this document must include Simplified
BSD License text as described in Section 4.e of the Trust Legal
Provisions and are provided without warranty as described in the
Simplified BSD License.

Table of Contents

1.  Introduction
  1.1.  Note to RFC Editor
  1.2.  Tree Diagram Annotations
2.  Babel Module
  2.1.  Information Model
  2.2.  Tree Diagram
  2.3.  YANG Module
3.  IANA Considerations
  3.1.  URI Registrations
  3.2.  YANG Module Name Registration
4.  Security Considerations
5.  Acknowledgements
6.  References
  6.1.  Normative References
  6.2.  Informative References
Appendix A.  Tree Diagram and Example Configurations
  A.1.  Complete Tree Diagram
  A.2.  Statistics Gathering Enabled
  A.3.  Automatic Detection of Properties
  A.4.  Override Default Properties
  A.5.  Configuring other Properties
Authors' Addresses

1.  Introduction

This document defines a data model for The Babel Routing Protocol
[RFC8966].
The data model is defined using YANG 1.1 [RFC7950] and is Network
Management Datastore Architecture (NMDA) [RFC8342] compatible. It is
based on the Babel Information Model [RFC9046]. The data model only
includes data nodes that are useful for managing Babel over IPv6.

1.1.  Note to RFC Editor

Artwork in this document contains shorthand references to drafts in
progress. Please apply the following replacements and remove this
note before publication.

*  "XXXX" --> the assigned RFC value for this draft, both in this
   draft and in the YANG models under the revision statement.

*  The revision date in the model, in the format 2021-09-20, needs to
   be updated with the date the draft gets approved. The date also
   needs to be reflected on the line with .

1.2.  Tree Diagram Annotations

For a reference to the annotations used in the tree diagrams included
in this draft, please see YANG Tree Diagrams [RFC8340].

2.  Babel Module

This document defines a YANG 1.1 [RFC7950] data model for the
configuration and management of Babel. The YANG module is based on
the Babel Information Model [RFC9046].

2.1.  Information Model

A few differences between the Babel Information Model and this data
module should be noted. The information model mandates the definition
of some of the attributes, e.g., 'babel-implementation-version' or
'babel-self-router-id'. These attributes are marked as read-only
objects in the information model as well as in this data module.
However, there is no way in the data module to mandate that a
read-only attribute be present. It is up to the implementation of
this data module to make sure that the attributes that are marked
read-only and are mandatory are indeed present.

2.2.  Tree Diagram

The following diagram illustrates the top-level hierarchy of the
model.
In addition to the version implemented by this device, the model
contains subtrees on 'constants', 'interfaces', 'mac-key-set',
'dtls', and 'routes'.

module: ietf-babel

  augment /rt:routing/rt:control-plane-protocols
            /rt:control-plane-protocol:
    +--rw babel!
       +--ro version?              string
       +--rw enable                boolean
       +--ro router-id?            binary
       +--ro seqno?                uint16
       +--rw statistics-enabled?   boolean
       +--rw constants
       |  ...
       +--rw interfaces* [reference]
       |  ...
       +--rw mac-key-set* [name]
       |  ...
       +--rw dtls* [name]
       |  ...
       +--ro routes* [prefix]
          ...

The 'interfaces' subtree describes attributes such as the 'interface'
object that is being referenced, the type of link (e.g., wired,
wireless or tunnel) as enumerated by 'metric-algorithm' and
'split-horizon', and whether the interface is enabled or not.

The 'constants' subtree describes the UDP port used for sending and
receiving Babel messages, and the multicast group used to send and
receive announcements on IPv6.

The 'routes' subtree describes objects such as the prefix for which
the route is advertised, a reference to the neighboring route, and
the 'next-hop' address.

Finally, for security, two subtrees are defined to contain MAC keys
and DTLS certificates. The 'mac-key-set' subtree contains keys used
with the MAC security mechanism. The boolean flag 'default-apply'
indicates whether the set of MAC keys is automatically applied to new
interfaces. The 'dtls' subtree contains certificates used with the
DTLS security mechanism. Similar to the MAC mechanism, the boolean
flag 'default-apply' indicates whether the set of DTLS certificates
is automatically applied to new interfaces.

2.3.  YANG Module

This YANG module augments the YANG Routing Management [RFC8349]
module to provide a common framework for all routing subsystems.
By augmenting the module it provides a common building block for
routes and Routing Information Bases (RIBs). It also has a reference
to an interface defined by A YANG Data Model for Interface Management
[RFC8343].

A router running the Babel routing protocol can sometimes determine
the parameters it needs to use for an interface based on the
interface name. For example, it can detect that eth0 is a wired
interface, and that wlan0 is a wireless interface. This is not true
for a tunnel interface, where the link parameters need to be
configured explicitly.

For a wired interface, it will assume 'two-out-of-three' for
'metric-algorithm', and 'split-horizon' set to true. On the other
hand, for a wireless interface it will assume 'etx' for
'metric-algorithm', and 'split-horizon' set to false. However, if the
wired link is connected to a wireless radio, the values can be
overridden by setting 'metric-algorithm' to 'etx', and
'split-horizon' to false. Similarly, an interface that is a metered
3G link used for fallback connectivity needs much higher default time
constants, e.g., 'mcast-hello-interval' and 'update-interval', in
order to avoid carrying control traffic as much as possible.

In addition to the modules used above, this module imports
definitions from Common YANG Data Types [RFC6991], and references
HMAC: Keyed-Hashing for Message Authentication [RFC2104], Using
HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec [RFC4868],
The Datagram Transport Layer Security (DTLS) Version 1.3
[I-D.ietf-tls-dtls13], The Blake2 Cryptographic Hash and Message
Authentication Code (MAC) [RFC7693], Babel Information Model
[RFC9046], The Babel Routing Protocol [RFC8966], YANG Data Types and
Groupings for Cryptography [I-D.ietf-netconf-crypto-types], Network
Configuration Access Control Model [RFC8341] and MAC Authentication
for Babel [RFC8967].
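The two behaviours described above, the name-derived interface defaults (with explicit overrides, and the tunnel case that has no safe default) and 'default-apply' populating a new interface's 'mac-key-sets' and 'dtls-certs' leaf-lists, are modelled in the following Python, together with a decoder for the hex-encoded 'hello-mcast-history' / 'hello-ucast-history' strings defined later in the module. This is an added example, not code from the draft or from any Babel implementation; the prefix-based classification of interface names, the Python data layout and the `ConfigError` type are assumptions made here for illustration, while the leaf names follow the tree diagram.

```python
"""Added example: interface defaults, default-apply and hello-history
decoding as described in draft-ietf-babel-yang-model (not the draft's
own code; data layout and name classification are assumptions)."""
from __future__ import annotations


def link_type(ifname: str) -> str | None:
    """Assumed classification by name, mirroring the draft's eth0/wlan0
    example. A real router asks the OS; a tunnel yields None."""
    if ifname.startswith("eth"):
        return "wired"
    if ifname.startswith("wlan"):
        return "wireless"
    return None


# Defaults stated in Section 2.3 of the draft.
LINK_DEFAULTS = {
    "wired": {"metric-algorithm": "two-out-of-three", "split-horizon": True},
    "wireless": {"metric-algorithm": "etx", "split-horizon": False},
}


class ConfigError(ValueError):
    """Raised when a mandatory leaf cannot be derived (assumed type)."""


def new_interface(ifname, mac_key_sets, dtls_entries, overrides=None):
    """Build one entry of the 'interfaces' list.

    mac_key_sets / dtls_entries: lists of dicts carrying 'name' and
    'default-apply', like the 'mac-key-set' and 'dtls' lists.
    overrides: explicit leaf values that win over the derived defaults.
    """
    entry = {"reference": ifname, "enable": True}
    lt = link_type(ifname)
    if lt is not None:
        entry.update(LINK_DEFAULTS[lt])
    entry.update(overrides or {})
    # 'metric-algorithm' is mandatory in the module, so a tunnel that
    # carries no explicit value cannot be created.
    if "metric-algorithm" not in entry:
        raise ConfigError(f"{ifname}: metric-algorithm must be set explicitly")
    # default-apply: entries flagged true are attached to new interfaces.
    entry["mac-key-sets"] = [k["name"] for k in mac_key_sets if k.get("default-apply")]
    entry["dtls-certs"] = [d["name"] for d in dtls_entries if d.get("default-apply")]
    return entry


def check_leafrefs(interfaces, mac_key_sets, dtls_entries):
    """Return dangling 'mac-key-sets' / 'dtls-certs' references (leafrefs
    that name a non-existent list entry); empty when consistent."""
    mac_names = {k["name"] for k in mac_key_sets}
    dtls_names = {d["name"] for d in dtls_entries}
    problems = []
    for itf in interfaces:
        for name in itf.get("mac-key-sets", []):
            if name not in mac_names:
                problems.append(f"{itf['reference']}: mac-key-sets -> {name!r} missing")
        for name in itf.get("dtls-certs", []):
            if name not in dtls_names:
                problems.append(f"{itf['reference']}: dtls-certs -> {name!r} missing")
    return problems


def hello_history_bits(hex_history: str, count: int) -> list[bool]:
    """Decode a hello history string: hex digits whose most significant
    bit is the most recent expected Hello, 1 = received, 0 = missed.
    Returns up to 'count' outcomes, most recent first."""
    width = 4 * len(hex_history)
    value = int(hex_history, 16)
    return [bool((value >> (width - 1 - i)) & 1) for i in range(min(count, width))]


if __name__ == "__main__":
    # Constructed sample data.
    keys = [{"name": "k-default", "default-apply": True},
            {"name": "k-manual", "default-apply": False}]
    eth = new_interface("eth0", keys, [])
    radio = new_interface("eth1", keys, [],
                          {"metric-algorithm": "etx", "split-horizon": False})
    print(eth, radio, check_leafrefs([eth, radio], keys, []), sep="\n")
    print(hello_history_bits("E0", 4))
```

The override call in the usage block reproduces the draft's "wired link connected to a wireless radio" case; `check_leafrefs` is the consistency check a manager would run before pushing a configuration that references key sets by name.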
file "ietf-babel@2021-09-20.yang"
module ietf-babel {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-babel";
  prefix babel;

  import ietf-yang-types {
    prefix yang;
    reference
      "RFC 6991: Common YANG Data Types.";
  }
  import ietf-inet-types {
    prefix inet;
    reference
      "RFC 6991: Common YANG Data Types.";
  }
  import ietf-interfaces {
    prefix if;
    reference
      "RFC 8343: A YANG Data Model for Interface Management";
  }
  import ietf-routing {
    prefix rt;
    reference
      "RFC 8349: YANG Routing Management";
  }
  import ietf-crypto-types {
    prefix ct;
    reference
      "I-D.ietf-netconf-crypto-types: YANG Data Types and Groupings
       for Cryptography.";
  }
  import ietf-netconf-acm {
    prefix nacm;
    reference
      "RFC 8341: Network Configuration Access Control Model";
  }

  organization
    "IETF Babel routing protocol Working Group";

  contact
    "WG Web:   http://tools.ietf.org/wg/babel/
     WG List:  babel@ietf.org

     Editor:   Mahesh Jethanandani
               mjethanandani@gmail.com
     Editor:   Barbara Stark
               bs7652@att.com";

  description
    "This YANG module defines a model for the Babel routing
     protocol.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
     NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
     'MAY', and 'OPTIONAL' in this document are to be interpreted as
     described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
     they appear in all capitals, as shown here.

     Copyright (c) 2021 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject to
     the license terms contained in, the Simplified BSD License set
     forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX
     (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
     for full legal notices.";

  revision 2021-09-20 {
    description
      "Initial version.";
    reference
      "RFC XXXX: Babel YANG Data Model.";
  }

  /*
   * Features
   */

  feature two-out-of-three-supported {
    description
      "This implementation supports the '2-out-of-3'
       computation algorithm.";
  }

  feature etx-supported {
    description
      "This implementation supports the Expected Transmission Count
       (ETX) metric computation algorithm.";
  }

  feature mac-supported {
    description
      "This implementation supports MAC-based security.";
    reference
      "RFC 8967: MAC authentication for Babel Routing
       Protocol.";
  }

  feature dtls-supported {
    description
      "This implementation supports DTLS based security.";
    reference
      "RFC 8968: Babel Routing Protocol over Datagram
       Transport Layer Security.";
  }

  feature hmac-sha256-supported {
    description
      "This implementation supports the HMAC-SHA256 MAC algorithm.";
    reference
      "RFC 8967: MAC authentication for Babel Routing
       Protocol.";
  }

  feature blake2s-supported {
    description
      "This implementation supports BLAKE2s MAC algorithms.";
    reference
      "RFC 8967: MAC authentication for Babel Routing
       Protocol.";
  }

  feature x-509-supported {
    description
      "This implementation supports the X.509 certificate type.";
    reference
      "RFC 8968: Babel Routing Protocol over Datagram
       Transport Layer Security.";
  }

  feature raw-public-key-supported {
    description
      "This implementation supports the Raw Public Key certificate
       type.";
    reference
      "RFC 8968: Babel Routing Protocol over Datagram
       Transport Layer Security.";
  }

  /*
   * Identities
   */

  identity metric-comp-algorithms {
    description
      "Base identity from which all Babel metric computation
       algorithms MUST be derived.";
  }

  identity two-out-of-three {
    if-feature "two-out-of-three-supported";
    base metric-comp-algorithms;
    description
      "2-out-of-3 algorithm.";
    reference
      "RFC 8966: The Babel Routing Protocol, Section A.2.1.";
  }

  identity etx {
    if-feature "etx-supported";
    base metric-comp-algorithms;
    description
      "Expected Transmission Count (ETX) metric computation
       algorithm.";
    reference
      "RFC 8966: The Babel Routing Protocol, Section A.2.2.";
  }

  /*
   * Babel MAC algorithms identities.
   */

  identity mac-algorithms {
    description
      "Base identity for all Babel MAC algorithms.";
  }

  identity hmac-sha256 {
    if-feature "mac-supported";
    if-feature "hmac-sha256-supported";
    base mac-algorithms;
    description
      "HMAC-SHA256 algorithm supported.";
    reference
      "RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
       with IPsec.";
  }

  identity blake2s {
    if-feature "mac-supported";
    if-feature "blake2s-supported";
    base mac-algorithms;
    description
      "BLAKE2s algorithms supported. Specifically, BLAKE2-128 is
       supported.";
    reference
      "RFC 7693: The BLAKE2 Cryptographic Hash and Message
       Authentication Code (MAC).";
  }

  /*
   * Babel Cert Types
   */

  identity dtls-cert-types {
    description
      "Base identity for Babel DTLS certificate types.";
  }

  identity x-509 {
    if-feature "dtls-supported";
    if-feature "x-509-supported";
    base dtls-cert-types;
    description
      "X.509 certificate type.";
  }

  identity raw-public-key {
    if-feature "dtls-supported";
    if-feature "raw-public-key-supported";
    base dtls-cert-types;
    description
      "Raw Public Key certificate type.";
  }

  /*
   * Babel routing protocol identity.
   */

  identity babel {
    base rt:routing-protocol;
    description
      "Babel routing protocol";
  }

  /*
   * Groupings
   */

  grouping routes {
    list routes {
      key "prefix";
      config false;

      leaf prefix {
        type inet:ip-prefix;
        description
          "Prefix (expressed in ip-address/prefix-length format) for
           which this route is advertised.";
        reference
          "RFC 9046: Babel Information Model, Section 3.6.";
      }

      leaf router-id {
        type binary {
          length 8;
        }
        description
          "router-id of the source router for which this route is
           advertised.";
        reference
          "RFC 9046: Babel Information Model, Section 3.6.";
      }

      leaf neighbor {
        type leafref {
          path "/rt:routing/rt:control-plane-protocols/"
             + "rt:control-plane-protocol/babel/interfaces/"
             + "neighbor-objects/neighbor-address";
        }
        description
          "Reference to the neighbor-objects entry for the neighbor
           that advertised this route.";
        reference
          "RFC 9046: Babel Information Model, Section 3.6.";
      }

      leaf received-metric {
        type union {
          type enumeration {
            enum null {
              description
                "Route was not received from a neighbor.";
            }
          }
          type uint16;
        }
        description
          "The metric with which this route was advertised by the
           neighbor, or maximum value (infinity) to indicate the
           route was recently retracted and is temporarily
           unreachable. This metric will be NULL if the
           route was not received from a neighbor but instead was
           injected through means external to the Babel routing
           protocol. At least one of calculated-metric or
           received-metric MUST be non-NULL.";
        reference
          "RFC 9046: Babel Information Model, Section 3.6,
           RFC 8966: The Babel Routing Protocol, Section 2.1.";
      }

      leaf calculated-metric {
        type union {
          type enumeration {
            enum null {
              description
                "Route has not been calculated.";
            }
          }
          type uint16;
        }
        description
          "A calculated metric for this route. How the metric is
           calculated is implementation-specific. Maximum value
           (infinity) indicates the route was recently retracted
           and is temporarily unreachable. At least one of
           calculated-metric or received-metric MUST be non-NULL.";
        reference
          "RFC 9046: Babel Information Model, Section 3.6,
           RFC 8966: The Babel Routing Protocol, Section 2.1.";
      }

      leaf seqno {
        type uint16;
        description
          "The sequence number with which this route was
           advertised.";
        reference
          "RFC 9046: Babel Information Model, Section 3.6.";
      }

      leaf next-hop {
        type union {
          type enumeration {
            enum null {
              description
                "Route has no next-hop address.";
            }
          }
          type inet:ip-address;
        }
        description
          "The next-hop address of this route. This will be NULL
           if this route has no next-hop address.";
        reference
          "RFC 9046: Babel Information Model, Section 3.6.";
      }

      leaf feasible {
        type boolean;
        description
          "A boolean flag indicating whether this route is
           feasible.";
        reference
          "RFC 9046: Babel Information Model, Section 3.6,
           RFC 8966, The Babel Routing Protocol, Section 3.5.1.";
      }

      leaf selected {
        type boolean;
        description
          "A boolean flag indicating whether this route is selected,
           i.e., whether it is currently being used for forwarding
           and is being advertised.";
        reference
          "RFC 9046: Babel Information Model, Section 3.6.";
      }
      description
        "A set of babel-route-obj objects. Contains routes known to
         this node.";
      reference
        "RFC 9046: Babel Information Model, Section 3.1.";
    }
    description
      "Common grouping for routing used in RIB.";
  }

  /*
   * Data model
   */

  augment "/rt:routing/rt:control-plane-protocols/"
        + "rt:control-plane-protocol" {
    when "derived-from-or-self(rt:type, 'babel')" {
      description
        "Augmentation is valid only when the instance of routing type
         is of type 'babel'.";
    }
    description
      "Augment the routing module to support a common structure
       between routing protocols.";
    reference
      "YANG Routing Management, RFC 8349, Lhotka & Lindem, March
       2018.";

    container babel {
      presence "A Babel container.";
      description
        "Babel Information Objects.";
      reference
        "RFC 9046: Babel Information Model, Section 3.";

      leaf version {
        type string;
        config false;
        description
          "The name and version of this implementation of the Babel
           protocol.";
        reference
          "RFC 9046: Babel Information Model, Section 3.1.";
      }

      leaf enable {
        type boolean;
        mandatory true;
        description
          "When written, it configures whether the protocol should be
           enabled. A read from the or datastore
           therefore indicates the configured administrative value of
           whether the protocol is enabled or not.

           A read from the datastore indicates whether
           the protocol is actually running or not, i.e. it indicates
           the operational state of the protocol.";
        reference
          "RFC 9046: Babel Information Model, Section 3.1.";
      }

      leaf router-id {
        type binary;
        must '../enable = "true"';
        config false;
        description
          "Every Babel speaker is assigned a router-id, which is an
           arbitrary string of 8 octets that is assumed to be unique
           across the routing domain.

           The router-id is valid only if the protocol is enabled,
           at which time a non-zero value is assigned.";
        reference
          "RFC 9046: Babel Information Model, Section 3.1,
           RFC 8966: The Babel Routing Protocol,
           Section 3.";
      }

      leaf seqno {
        type uint16;
        config false;
        description
          "Sequence number included in route updates for routes
           originated by this node.";
        reference
          "RFC 9046: Babel Information Model, Section 3.1.";
      }

      leaf statistics-enabled {
        type boolean;
        description
          "Indicates whether statistics collection is enabled (true)
           or disabled (false) on all interfaces. On transition to
           enabled, existing statistics values are not cleared and
           will be incremented as new packets are counted.";
      }

      container constants {
        description
          "Babel Constants object.";
        reference
          "RFC 9046: Babel Information Model, Section 3.1.";

        leaf udp-port {
          type inet:port-number;
          default "6696";
          description
            "UDP port for sending and receiving Babel messages. The
             default port is 6696.";
          reference
            "RFC 9046: Babel Information Model, Section 3.2.";
        }

        leaf mcast-group {
          type inet:ip-address;
          default "ff02::1:6";
          description
            "Multicast group for sending and receiving multicast
             announcements on IPv6.";
          reference
            "RFC 9046: Babel Information Model, Section 3.2.";
        }
      }

      list interfaces {
        key "reference";

        description
          "A set of Babel Interface objects.";
        reference
          "RFC 9046: Babel Information Model, Section 3.3.";

        leaf reference {
          type if:interface-ref;
          description
            "References the name of the interface over which Babel
             packets are sent and received.";
          reference
            "RFC 9046: Babel Information Model, Section 3.3.";
        }

        leaf enable {
          type boolean;
          default "true";
          description
            "If true, babel sends and receives messages on this
             interface. If false, babel messages received on this
             interface are ignored and none are sent.";
          reference
            "RFC 9046: Babel Information Model, Section 3.3.";
        }

        leaf metric-algorithm {
          type identityref {
            base metric-comp-algorithms;
          }
          mandatory true;
          description
            "Indicates the metric computation algorithm used on this
             interface. The value MUST be one of those identities
             based on 'metric-comp-algorithms'.";
          reference
            "RFC 9046: Babel Information Model, Section 3.3.";
        }

        leaf split-horizon {
          type boolean;
          description
            "Indicates whether or not the split horizon optimization
             is used when calculating metrics on this interface.
             A value of true indicates the split horizon optimization
             is used.";
          reference
            "RFC 9046: Babel Information Model, Section 3.3.";
        }

        leaf mcast-hello-seqno {
          type uint16;
          config false;
          description
            "The current sequence number in use for multicast hellos
             sent on this interface.";
          reference
            "RFC 9046: Babel Information Model, Section 3.3.";
        }

        leaf mcast-hello-interval {
          type uint16;
          units "centiseconds";
          description
            "The current multicast hello interval in use for hellos
             sent on this interface.";
          reference
            "RFC 9046: Babel Information Model, Section 3.3.";
        }

        leaf update-interval {
          type uint16;
          units "centiseconds";
          description
            "The current update interval in use for this interface.
             Units are centiseconds.";
          reference
            "RFC 9046: Babel Information Model, Section 3.3.";
        }

        leaf mac-enable {
          type boolean;
          description
            "Indicates whether the MAC security mechanism is enabled
             (true) or disabled (false).";
          reference
            "RFC 9046: Babel Information Model, Section 3.3.";
        }

        leaf-list mac-key-sets {
          type leafref {
            path "../../mac-key-set/name";
          }
          description
            "List of references to the MAC entries that apply
             to this interface. When an interface instance is
             created, all MAC instances with default-apply 'true'
             will be included in this list.";
          reference
            "RFC 9046: Babel Information Model, Section 3.3.";
        }

        leaf mac-verify {
          type boolean;
          description
            "A Boolean flag indicating whether MACs in
             incoming Babel packets are required to be present and
             are verified. If this parameter is 'true', incoming
             packets are required to have a valid MAC.";
          reference
            "RFC 9046: Babel Information Model, Section 3.3.";
        }

        leaf dtls-enable {
          type boolean;
          description
            "Indicates whether the DTLS security mechanism is enabled
             (true) or disabled (false).";
          reference
            "RFC 9046: Babel Information Model, Section 3.3.";
        }

        leaf-list dtls-certs {
          type leafref {
            path "../../dtls/name";
          }
          description
            "List of references to the dtls entries that apply to
             this interface. When an interface instance
             is created, all dtls instances with default-apply
             'true' will be included in this list.";
          reference
            "RFC 9046: Babel Information Model, Section 3.3.";
        }

        leaf dtls-cached-info {
          type boolean;
          description
            "Indicates whether the cached_info extension is enabled.
             The extension is enabled for inclusion in ClientHello
             and ServerHello messages if the value is 'true'.";
          reference
            "RFC 9046: Babel Information Model, Section 3.3.
             RFC 8968: Babel Routing Protocol over
             Datagram Transport Layer Security, Appendix A.";
        }

        leaf-list dtls-cert-prefer {
          type leafref {
            path "../../dtls/certs/type";
          }
          ordered-by user;
          description
            "List of supported certificate types, in order of
             preference. The values MUST be the 'type' attribute
             in the list 'certs' of the list 'dtls'
             (../../dtls/certs/type). This list is used to populate
             the server_certificate_type extension in a ClientHello.
             Values that are present in at least one instance in the
             certs object under dtls of a referenced dtls instance
             and that have a non-empty private-key will be used to
             populate the client_certificate_type extension in a
             ClientHello.";
          reference
            "RFC 9046: Babel Information Model, Section 3.3
             RFC 8968: Babel Routing Protocol over
             Datagram Transport Layer Security, Appendix A.";
        }

        leaf packet-log-enable {
          type boolean;
          description
            "If true, logging of babel packets received on this
             interface is enabled; if false, babel packets are not
             logged.";
          reference
            "RFC 9046: Babel Information Model, Section 3.3.";
        }

        leaf packet-log {
          type inet:uri;
          config false;
          description
            "A reference or url link to a file that contains a
             timestamped log of packets received and sent on
             udp-port on this interface. The [libpcap] file
             format with .pcap file extension SHOULD be supported for
             packet log files. Logging is enabled / disabled by
             packet-log-enable.";
          reference
            "RFC 9046: Babel Information Model, Section 3.3.";
        }

        container statistics {
          config false;
          description
            "Statistics collection object for this interface.";
          reference
            "RFC 9046: Babel Information Model, Section 3.3.";

          leaf discontinuity-time {
            type yang:date-and-time;
            mandatory true;
            description
              "The time on the most recent occasion at which any one
               or more of counters suffered a discontinuity. If no
               such discontinuities have occurred since the last
               re-initialization of the local management subsystem,
               then this node contains the time the local management
               subsystem re-initialized itself.";
          }

          leaf sent-mcast-hello {
            type yang:counter32;
            description
              "A count of the number of multicast Hello packets sent
               on this interface.";
            reference
              "RFC 9046: Babel Information Model, Section 3.4.";
          }

          leaf sent-mcast-update {
            type yang:counter32;
            description
              "A count of the number of multicast update packets sent
               on this interface.";
            reference
              "RFC 9046: Babel Information Model, Section 3.4.";
          }

          leaf sent-ucast-hello {
            type yang:counter32;
            description
              "A count of the number of unicast Hello packets sent
               on this interface.";
            reference
              "RFC 9046: Babel Information Model, Section 3.6.";
          }

          leaf sent-ucast-update {
            type yang:counter32;
            description
              "A count of the number of unicast update packets sent
               on this interface.";
            reference
              "RFC 9046: Babel Information Model, Section 3.6.";
          }

          leaf sent-ihu {
            type yang:counter32;
            description
              "A count of the number of IHU packets sent on this
               interface.";
            reference
              "RFC 9046: Babel Information Model, Section 3.6.";
          }

          leaf received-packets {
            type yang:counter32;
            description
              "A count of the number of Babel packets received on
               this interface.";
            reference
              "RFC 9046: Babel Information Model, Section 3.4.";
          }

          action reset {
            description
              "The information model [RFC 9046] defines reset
               action as a system-wide reset of Babel statistics.
               In YANG the reset action is associated with the
               container where the action is defined. In this case
               the action is associated with the statistics container
               inside an interface. The action will therefore
               reset statistics at an interface level.

               Implementations that want to support a system-wide
               reset of Babel statistics need to call this action
               for every instance of the interface.";

            input {
              leaf reset-at {
                type yang:date-and-time;
                description
                  "The time when the reset was issued.";
              }
            }

            output {
              leaf reset-finished-at {
                type yang:date-and-time;
                description
                  "The time when the reset finished.";
              }
            }
          }
        }

        list neighbor-objects {
          key "neighbor-address";
          config false;
          description
            "A set of Babel Neighbor Objects.";
          reference
            "RFC 9046: Babel Information Model, Section 3.5.";

          leaf neighbor-address {
            type inet:ip-address;
            description
              "IPv4 or v6 address the neighbor sends packets from.";
            reference
              "RFC 9046: Babel Information Model, Section 3.5.";
          }

          leaf hello-mcast-history {
            type string;
            description
              "The multicast Hello history of whether or not the
               multicast Hello packets prior to exp-mcast-
               hello-seqno were received, with a '1' for the most
               recent Hello placed in the most significant bit and
               prior Hellos shifted right (with '0' bits placed
               between prior Hellos and most recent Hello for any
               not-received Hellos); represented as a string of
               utf-8 encoded hex digits. A bit that is set indicates
               that the corresponding Hello was received, and a bit
               that is cleared indicates that the corresponding Hello
               was not received.";
            reference
              "RFC 9046: Babel Information Model, Section 3.5.";
          }

          leaf hello-ucast-history {
            type string;
            description
              "The unicast Hello history of whether or not the
               unicast Hello packets prior to exp-ucast-hello-seqno
               were received, with a '1' for the most
               recent Hello placed in the most significant bit and
               prior Hellos shifted right (with '0' bits placed
               between prior Hellos and most recent Hello for any
               not-received Hellos); represented as a string using
               utf-8 encoded hex digits where a '1' bit = Hello
               received and a '0' bit = Hello not received.";
            reference
              "RFC 9046: Babel Information Model, Section 3.5.";
          }

          leaf txcost {
            type int32;
            default "0";
            description
              "Transmission cost value from the last IHU packet
               received from this neighbor, or maximum value
               (infinity) to indicate the IHU hold timer for this
               neighbor has expired.";
            reference
              "RFC 9046: Babel Information Model, Section 3.5.";
          }

          leaf exp-mcast-hello-seqno {
            type union {
              type enumeration {
                enum null {
                  description
                    "Multicast Hello packets are not expected, or
                     processing of multicast packets is not
                     enabled.";
                }
              }
              type uint16;
            }
            description
              "Expected multicast Hello sequence number of next Hello
               to be received from this neighbor; if multicast Hello
               packets are not expected, or processing of multicast
               packets is not enabled, this MUST be NULL.";
            reference
              "RFC 9046: Babel Information Model, Section 3.5.";
          }

          leaf exp-ucast-hello-seqno {
            type union {
              type enumeration {
                enum null {
                  description
                    "Unicast Hello packets are not expected, or
                     processing of unicast packets is not enabled.";
                }
              }
              type uint16;
            }
            default null;
            description
              "Expected unicast Hello sequence number of next Hello
               to be received from this neighbor; if unicast Hello
               packets are not expected, or processing of unicast
               packets is not enabled, this MUST be NULL.";
            reference
              "RFC 9046: Babel Information Model, Section 3.5.";
          }

          leaf ucast-hello-seqno {
            type union {
              type enumeration {
                enum null {
                  description
                    "Unicast Hello packets are not being sent.";
                }
              }
              type uint16;
            }
            default null;
            description
              "The current sequence number in use for unicast Hellos
               sent to this neighbor. If unicast Hellos are not being
               sent, this MUST be NULL.";
            reference
              "RFC 9046: Babel Information Model, Section 3.5.";
          }

          leaf ucast-hello-interval {
            type uint16;
            units "centiseconds";
            description
              "The current interval in use for unicast hellos sent to
               this neighbor. Units are centiseconds.";
            reference
              "RFC 9046: Babel Information Model, Section 3.5.";
          }

          leaf rxcost {
            type uint16;
            description
              "Reception cost calculated for this neighbor. This
               value is usually derived from the Hello history, which
               may be combined with other data, such as statistics
               maintained by the link layer. The rxcost is sent to a
               neighbor in each IHU.";
            reference
              "RFC 9046: Babel Information Model, Section 3.5.";
          }

          leaf cost {
            type int32;
            description
              "Link cost is computed from the values maintained in
               the neighbor table: the statistics kept in the
               neighbor table about the reception of Hellos, and the
               txcost computed from received IHU packets.";
            reference
              "RFC 9046: Babel Information Model, Section 3.5.";
          }
        }
      }

      list mac-key-set {
        key "name";

        description
          "A MAC key set object.
If this object is implemented, it 1178 provides access to parameters related to the MAC security 1179 mechanism."; 1180 reference 1181 "RFC 9046: Babel Information Model, Section 3.7."; 1183 leaf name { 1184 type string; 1185 description 1186 "A string that uniquely identifies the MAC object."; 1188 } 1190 leaf default-apply { 1191 type boolean; 1192 description 1193 "A Boolean flag indicating whether this object 1194 instance is applied to all new interfaces, by default. 1195 If 'true', this instance is applied to new babel- 1196 interfaces instances at the time they are created, 1197 by including it in the mac-key-sets list under 1198 the interface. If 'false', this instance is not applied 1199 to new interface instances when they are created."; 1200 reference 1201 "RFC 9046: Babel Information Model, Section 3.7."; 1202 } 1204 list keys { 1205 key "name"; 1206 min-elements 1; 1207 description 1208 "A set of keys objects."; 1209 reference 1210 "RFC 9046: Babel Information Model, Section 3.8."; 1212 leaf name { 1213 type string; 1214 description 1215 "A unique name for this MAC key that can be used to 1216 identify the key in this object instance, since the 1217 key value is not allowed to be read. This value can 1218 only be provided when this instance is created, and is 1219 not subsequently writable."; 1220 reference 1221 "RFC 9046: Babel Information Model, Section 3.8."; 1222 } 1224 leaf use-send { 1225 type boolean; 1226 mandatory true; 1227 description 1228 "Indicates whether this key value is used to compute a 1229 MAC and include that MAC in the sent Babel packet. A 1230 MAC for sent packets is computed using this key if the 1231 value is 'true'. 
If the value is 'false', this key is 1232 not used to compute a MAC to include in sent Babel 1233 packets."; 1234 reference 1235 "RFC 9046: Babel Information Model, Section 3.8."; 1237 } 1239 leaf use-verify { 1240 type boolean; 1241 mandatory true; 1242 description 1243 "Indicates whether this key value is used to verify 1244 incoming Babel packets. This key is used to verify 1245 incoming packets if the value is 'true'. If the value 1246 is 'false', no MAC is computed from this key for 1247 comparing an incoming packet."; 1248 reference 1249 "RFC 9046: Babel Information Model, Section 3.8."; 1250 } 1252 leaf value { 1253 nacm:default-deny-all; 1254 type binary; 1255 mandatory true; 1256 description 1257 "The value of the MAC key. 1259 This value is of a length suitable for the associated 1260 babel-mac-key-algorithm. If the algorithm is based on 1261 the HMAC construction [RFC2104], the length MUST be 1262 between 0 and an upper limit that is at least the size 1263 of the output length (where 'HMAC-SHA256' output 1264 length is 32 octets as described in [RFC4868]). Longer 1265 lengths MAY be supported but are not necessary if the 1266 management system has the ability to generate a 1267 suitably random value (e.g., by randomly generating a 1268 value or by using a key derivation technique as 1269 recommended in [RFC8967] Security Considerations). If 1270 the algorithm is 'BLAKE2s-128', the length MUST be 1271 between 0 and 32 bytes inclusive as specified by 1272 [RFC7693]."; 1273 reference 1274 "RFC 9046: Babel Information Model, Section 3.8, 1275 RFC 2104: HMAC: Keyed-Hashing for Message 1276 Authentication 1277 RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384, and 1278 HMAC-SHA-512 with IPsec, 1279 RFC 7693: The BLAKE2 Cryptographic Hash and Message 1280 Authentication Code (MAC). 
1281 RFC 8967: MAC Authentication for Babel."; 1282 } 1284 leaf algorithm { 1285 type identityref { 1286 base mac-algorithms; 1287 } 1288 mandatory true; 1289 description 1290 "The MAC algorithm used with this key. The 1291 value MUST be one of the identities 1292 listed with the base of 'mac-algorithms'."; 1293 reference 1294 "RFC 9046: Babel Information Model, Section 3.8."; 1295 } 1297 action test { 1298 description 1299 "An operation that allows the MAC key and MAC 1300 algorithm to be tested to see if they produce an 1301 expected outcome. Input to this operation are a 1302 binary string and a calculated MAC (also in the 1303 format of a binary string) for the binary string. 1304 The implementation is expected to create a MAC over 1305 the binary string using the value and algorithm. 1306 The output of this operation is a binary indication 1307 that the calculated MAC matched the input MAC (true) 1308 or the MACs did not match (false)."; 1309 reference 1310 "RFC 9046: Babel Information Model, Section 3.8."; 1312 input { 1313 leaf test-string { 1314 type binary; 1315 mandatory true; 1316 description 1317 "Input to this operation is a binary string. 1318 The implementation is expected to create 1319 a MAC over this string using the value and 1320 the algorithm defined as part of the 1321 mac-key-set."; 1322 reference 1323 "RFC 9046: Babel Information Model, Section 3.8."; 1324 } 1326 leaf mac { 1327 type binary; 1328 mandatory true; 1329 description 1330 "Input to this operation includes a MAC. 
1331 The implementation is expected to calculate a MAC 1332 over the string using the value and algorithm of 1333 this key object and compare its calculated MAC to 1334 this input MAC."; 1335 reference 1336 "RFC 9046: Babel Information Model, Section 3.8."; 1337 } 1338 } 1340 output { 1341 leaf indication { 1342 type boolean; 1343 mandatory true; 1344 description 1345 "The output of this operation is a binary 1346 indication that the calculated MAC matched the 1347 input MAC (true) or the MACs did not match 1348 (false)."; 1349 reference 1350 "RFC 9046: Babel Information Model, Section 3.8."; 1351 } 1352 } 1353 } 1354 } 1355 } 1357 list dtls { 1358 key "name"; 1360 description 1361 "A dtls object. If this object is implemented, 1362 it provides access to parameters related to the DTLS 1363 security mechanism."; 1364 reference 1365 "RFC 9046: Babel Information Model, Section 3.9"; 1367 leaf name { 1368 type string; 1369 description 1370 "A string that uniquely identifies a dtls object."; 1371 } 1373 leaf default-apply { 1374 type boolean; 1375 mandatory true; 1376 description 1377 "A Boolean flag indicating whether this object 1378 instance is applied to all new interfaces, by default. 1379 If 'true', this instance is applied to new interfaces 1380 instances at the time they are created, by including it 1381 in the dtls-certs list under the interface. If 'false', 1382 this instance is not applied to new interface 1383 instances when they are created."; 1384 reference 1385 "RFC 9046: Babel Information Model, Section 3.9."; 1386 } 1388 list certs { 1389 key "name"; 1391 min-elements 1; 1392 description 1393 "A set of cert objects. This contains 1394 both certificates for this implementation to present 1395 for authentication, and to accept from others. 
1396 Certificates with a non-empty private-key 1397 can be presented by this implementation for 1398 authentication."; 1399 reference 1400 "RFC 9046: Babel Information Model, Section 3.10."; 1402 leaf name { 1403 type string; 1404 description 1405 "A unique name for this certificate that can be 1406 used to identify the certificate in this object 1407 instance, since the value is too long to be useful 1408 for identification. This value MUST NOT be empty 1409 and can only be provided when this instance is created 1410 (i.e., it is not subsequently writable)."; 1411 reference 1412 "RFC 9046: Babel Information Model, Section 3.10."; 1413 } 1415 leaf value { 1416 nacm:default-deny-write; 1417 type string; 1418 mandatory true; 1419 description 1420 "The certificate in PEM format [RFC7468]. This 1421 value can only be provided when this instance is 1422 created, and is not subsequently writable."; 1423 reference 1424 "RFC 9046: Babel Information Model, Section 3.10."; 1425 } 1427 leaf type { 1428 nacm:default-deny-write; 1429 type identityref { 1430 base dtls-cert-types; 1431 } 1432 mandatory true; 1433 description 1434 "The certificate type of this object instance. 1435 The value MUST be the same as one of the 1436 identities listed with the base 'dtls-cert-types'. 1437 This value can only be provided when this 1438 instance is created, and is not subsequently 1439 writable."; 1440 reference 1441 "RFC 9046: Babel Information Model, Section 3.10."; 1442 } 1444 leaf private-key { 1445 nacm:default-deny-all; 1446 type binary; 1447 mandatory true; 1448 description 1449 "The value of the private key. 
If this is non-empty, 1450 this certificate can be used by this implementation to 1451 provide a certificate during DTLS handshaking."; 1452 reference 1453 "RFC 9046: Babel Information Model, Section 3.10."; 1454 } 1456 leaf algorithm { 1457 nacm:default-deny-write; 1458 type identityref { 1459 base ct:private-key-format; 1460 } 1461 mandatory true; 1462 description 1463 "Identifies the algorithm identity with which the 1464 private-key has been encoded. This value can only be 1465 provided when this instance is created, and is not 1466 subsequently writable."; 1467 } 1468 } 1469 } 1470 uses routes; 1471 } 1472 } 1473 } 1474 1476 3. IANA Considerations 1478 This document registers a URI and a YANG module. 1480 3.1. URI Registrations 1482 URI: urn:ietf:params:xml:ns:yang:ietf-babel 1484 3.2. YANG Module Name Registration 1486 This document registers a YANG module in the YANG Module Names 1487 registry YANG [RFC6020]. 1489 Name:ietf-babel 1490 Namespace: urn:ietf:params:xml:ns:yang:ietf-babel 1491 prefix: babel 1492 reference: RFC XXXX 1494 4. Security Considerations 1496 The YANG module specified in this document defines a schema for data 1497 that is designed to be accessed via network management protocol such 1498 as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer 1499 is the secure transport layer and the mandatory-to-implement secure 1500 transport is SSH [RFC6242]. The lowest RESTCONF layer is HTTPS, and 1501 the mandatory-to-implement secure transport is TLS [RFC8446]. 1503 The NETCONF Access Control Model (NACM [RFC8341]) provides the means 1504 to restrict access for particular NETCONF users to a pre-configured 1505 subset of all available NETCONF protocol operations and content. 
   The security considerations outlined here are specific to the YANG
   data model, and do not cover security considerations of the Babel
   protocol or its security mechanisms in The Babel Routing Protocol
   [RFC8966], MAC Authentication for the Babel Routing Protocol
   [RFC8967], and Babel Routing Protocol over Datagram Transport Layer
   Security [RFC8968].  Each of these has its own Security
   Considerations section for considerations that are specific to it.

   There are a number of data nodes defined in the YANG module which are
   writable/created/deleted (i.e., config true, which is the default).
   These data nodes may be considered sensitive or vulnerable in some
   network environments.  Write operations (e.g., ) to these data nodes
   without proper protection can have a negative effect on network
   operations.  These are the subtrees and data nodes and their
   sensitivity/vulnerability from a config true perspective:

   'babel':  This container includes an 'enable' parameter that can be
      used to enable or disable use of Babel on a router.

   'babel/constants':  This container includes configuration parameters
      that can prevent reachability if misconfigured.

   'babel/interfaces':  This leaf-list has configuration parameters that
      can enable/disable security mechanisms and change performance
      characteristics of the Babel protocol.  For example, enabling
      logging of packets and giving unintended access to the log files
      gives an attacker detailed knowledge of the network, and allows it
      to launch an attack on the traffic traversing the network device.

   'babel/hmac' and 'babel/dtls':  These contain security credentials
      that influence whether incoming packets are trusted, and whether
      outgoing packets are produced in a way such that the receiver will
      treat them as trusted.

   Some of the readable data or config false nodes in this YANG module
   may be considered sensitive or vulnerable in some network
   environments.  It is thus important to control read access (e.g., via
   get, get-config, or notification) to these data nodes.  These are the
   subtrees and data nodes and their sensitivity/vulnerability from a
   config false perspective:

   'babel':  Access to the information in the various nodes can disclose
      the network topology.  Additionally, the routes used by a network
      device may be used to mount a subsequent attack on traffic
      traversing the network device.

   'babel/hmac' and 'babel/dtls':  These contain security credentials,
      including private credentials of the router; however, it is
      required that these values not be readable.

   Some of the RPC operations in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control access to these operations.  These are the
   operations and their sensitivity/vulnerability from an RPC operation
   perspective:

   This model defines two actions.  Resetting the statistics within an
   interface container would be visible to any monitoring processes,
   which should be designed to account for the possibility of such a
   reset.  The "test" action allows for validation that a MAC key and
   MAC algorithm have been properly configured.  The MAC key is a
   sensitive piece of information, and it is important to prevent an
   attacker that does not know the MAC key from being able to determine
   the MAC value by trying different input parameters.  The "test"
   action has been designed to not reveal such information directly.
   Such information might also be revealed indirectly, due to side
   channels such as the time it takes to produce a response to the
   action.  Implementations SHOULD use a constant-time comparison
   between the input mac and the locally generated MAC value, in order
   to avoid such side channel leakage.

5.  Acknowledgements

   Juliusz Chroboczek provided most of the example configurations for
   babel that are shown in the Appendix.

6.  References

6.1.  Normative References

   [I-D.ietf-netconf-crypto-types]
              Watsen, K., "YANG Data Types and Groupings for
              Cryptography", Work in Progress, Internet-Draft,
              draft-ietf-netconf-crypto-types-21, 14 September 2021.

   [I-D.ietf-tls-dtls13]
              Rescorla, E., Tschofenig, H., and N. Modadugu, "The
              Datagram Transport Layer Security (DTLS) Protocol Version
              1.3", Work in Progress, Internet-Draft,
              draft-ietf-tls-dtls13-43, 30 April 2021.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4868]  Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-
              384, and HMAC-SHA-512 with IPsec", RFC 4868,
              DOI 10.17487/RFC4868, May 2007.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7693]  Saarinen, M-J., Ed. and J-P. Aumasson, "The BLAKE2
              Cryptographic Hash and Message Authentication Code (MAC)",
              RFC 7693, DOI 10.17487/RFC7693, November 2015.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.
   [RFC8343]  Bjorklund, M., "A YANG Data Model for Interface
              Management", RFC 8343, DOI 10.17487/RFC8343, March 2018.

   [RFC8349]  Lhotka, L., Lindem, A., and Y. Qu, "A YANG Data Model for
              Routing Management (NMDA Version)", RFC 8349,
              DOI 10.17487/RFC8349, March 2018.

   [RFC8966]  Chroboczek, J. and D. Schinazi, "The Babel Routing
              Protocol", RFC 8966, DOI 10.17487/RFC8966, January 2021.

   [RFC8967]  Do, C., Kolodziejak, W., and J. Chroboczek, "MAC
              Authentication for the Babel Routing Protocol", RFC 8967,
              DOI 10.17487/RFC8967, January 2021.

   [RFC8968]  Decimo, A., Schinazi, D., and J. Chroboczek, "Babel
              Routing Protocol over Datagram Transport Layer Security",
              RFC 8968, DOI 10.17487/RFC8968, January 2021.

   [RFC9046]  Stark, B. and M. Jethanandani, "Babel Information Model",
              RFC 9046, DOI 10.17487/RFC9046, June 2021.

6.2.  Informative References

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              DOI 10.17487/RFC2104, February 1997.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

Appendix A.  Tree Diagram and Example Configurations

   This section is devoted to including a complete tree diagram and
   examples that demonstrate how Babel can be configured.

A.1.  Complete Tree Diagram

   This section includes the complete tree diagram for the Babel YANG
   module.

   module: ietf-babel

     augment /rt:routing/rt:control-plane-protocols
               /rt:control-plane-protocol:
       +--rw babel!
          +--ro version?                 string
          +--rw enable                   boolean
          +--ro router-id?               binary
          +--ro seqno?                   uint16
          +--rw statistics-enabled?      boolean
          +--rw constants
          |  +--rw udp-port?      inet:port-number
          |  +--rw mcast-group?   inet:ip-address
          +--rw interfaces* [reference]
          |  +--rw reference               if:interface-ref
          |  +--rw enable?                 boolean
          |  +--rw metric-algorithm        identityref
          |  +--rw split-horizon?          boolean
          |  +--ro mcast-hello-seqno?      uint16
          |  +--rw mcast-hello-interval?   uint16
          |  +--rw update-interval?        uint16
          |  +--rw mac-enable?             boolean
          |  +--rw mac-key-sets*           -> ../../mac-key-set/name
          |  +--rw mac-verify?             boolean
          |  +--rw dtls-enable?            boolean
          |  +--rw dtls-certs*             -> ../../dtls/name
          |  +--rw dtls-cached-info?       boolean
          |  +--rw dtls-cert-prefer*       -> ../../dtls/certs/type
          |  +--rw packet-log-enable?      boolean
          |  +--ro packet-log?             inet:uri
          |  +--ro statistics
          |  |  +--ro discontinuity-time    yang:date-and-time
          |  |  +--ro sent-mcast-hello?     yang:counter32
          |  |  +--ro sent-mcast-update?    yang:counter32
          |  |  +--ro sent-ucast-hello?     yang:counter32
          |  |  +--ro sent-ucast-update?    yang:counter32
          |  |  +--ro sent-ihu?             yang:counter32
          |  |  +--ro received-packets?     yang:counter32
          |  |  +---x reset
          |  |     +---w input
          |  |     |  +---w reset-at?   yang:date-and-time
          |  |     +--ro output
          |  |        +--ro reset-finished-at?   yang:date-and-time
          |  +--ro neighbor-objects* [neighbor-address]
          |     +--ro neighbor-address         inet:ip-address
          |     +--ro hello-mcast-history?     string
          |     +--ro hello-ucast-history?     string
          |     +--ro txcost?                  int32
          |     +--ro exp-mcast-hello-seqno?   union
          |     +--ro exp-ucast-hello-seqno?   union
          |     +--ro ucast-hello-seqno?       union
          |     +--ro ucast-hello-interval?    uint16
          |     +--ro rxcost?                  uint16
          |     +--ro cost?                    int32
          +--rw mac-key-set* [name]
          |  +--rw name             string
          |  +--rw default-apply?   boolean
          |  +--rw keys* [name]
          |     +--rw name          string
          |     +--rw use-send      boolean
          |     +--rw use-verify    boolean
          |     +--rw value         binary
          |     +--rw algorithm     identityref
          |     +---x test
          |        +---w input
          |        |  +---w test-string   binary
          |        |  +---w mac           binary
          |        +--ro output
          |           +--ro indication    boolean
          +--rw dtls* [name]
          |  +--rw name             string
          |  +--rw default-apply    boolean
          |  +--rw certs* [name]
          |     +--rw name           string
          |     +--rw value          string
          |     +--rw type           identityref
          |     +--rw private-key    binary
          |     +--rw algorithm      identityref
          +--ro routes* [prefix]
             +--ro prefix               inet:ip-prefix
             +--ro router-id?           binary
             +--ro neighbor?            leafref
             +--ro received-metric?     union
             +--ro calculated-metric?   union
             +--ro seqno?               uint16
             +--ro next-hop?            union
             +--ro feasible?            boolean
             +--ro selected?            boolean

A.2.  Statistics Gathering Enabled

   In this example, interface eth0 is being configured for routing
   protocol Babel, and statistics gathering is enabled.  For security,
   HMAC-SHA256 is supported.  Every sent Babel packet is signed with
   the key value provided, and every received Babel packet is verified
   with the same key value.
   eth0
   ianaift:ethernetCsmacd
   true
   babel:babel
   name:babel
   true
   true
   eth0
   two-out-of-three
   true
   hmac-sha256
   hmac-sha256-keys
   true
   true
   base64encodedvalue==
   hmac-sha256

A.3.  Automatic Detection of Properties

   eth0
   ianaift:ethernetCsmacd
   true
   wlan0
   ianaift:ieee80211
   true
   babel:babel
   name:babel
   true
   eth0
   true
   two-out-of-three
   true
   wlan0
   true
   etx
   false

A.4.  Override Default Properties

   eth0
   ianaift:ethernetCsmacd
   true
   eth1
   ianaift:ethernetCsmacd
   true
   tun0
   ianaift:tunnel
   true
   babel:babel
   name:babel
   true
   eth0
   true
   two-out-of-three
   true
   eth1
   true
   etx
   false
   tun0
   true
   two-out-of-three
   true

A.5.  Configuring other Properties

   eth0
   ianaift:ethernetCsmacd
   true
   ppp0
   ianaift:ppp
   true
   babel:babel
   name:babel
   true
   eth0
   true
   two-out-of-three
   true
   ppp0
   true
   30
   120
   two-out-of-three

Authors' Addresses

   Mahesh Jethanandani
   Kloud Services
   California
   United States of America

   Email: mjethanandani@gmail.com

   Barbara Stark
   AT&T
   Atlanta, GA
   United States of America

   Email: barbara.stark@att.com