idnits 2.17.00 (12 Aug 2021) /tmp/idnits18023/draft-ietf-ipsecme-yang-iptfs-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 4 instances of too long lines in the document, the longest one being 3 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119 boilerplate text. -- The document date (4 October 2021) is 228 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: draft-ietf-i2nsf-sdn-ipsec-flow-protection has been published as RFC 9061 == Outdated reference: A later version (-12) exists of draft-ietf-ipsecme-iptfs-10 Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group D. Fedyk 3 Internet-Draft C. Hopps 4 Intended status: Standards Track LabN Consulting, L.L.C. 5 Expires: 7 April 2022 4 October 2021 7 IP Traffic Flow Security YANG Module 8 draft-ietf-ipsecme-yang-iptfs-01 10 Abstract 12 This document describes a yang module for the management of IP 13 Traffic Flow Security additions to IKEv2 and IPsec. 15 Status of This Memo 17 This Internet-Draft is submitted in full conformance with the 18 provisions of BCP 78 and BCP 79. 20 Internet-Drafts are working documents of the Internet Engineering 21 Task Force (IETF). Note that other groups may also distribute 22 working documents as Internet-Drafts. The list of current Internet- 23 Drafts is at https://datatracker.ietf.org/drafts/current/. 25 Internet-Drafts are draft documents valid for a maximum of six months 26 and may be updated, replaced, or obsoleted by other documents at any 27 time. It is inappropriate to use Internet-Drafts as reference 28 material or to cite them other than as "work in progress." 30 This Internet-Draft will expire on 7 April 2022. 32 Copyright Notice 34 Copyright (c) 2021 IETF Trust and the persons identified as the 35 document authors. All rights reserved. 37 This document is subject to BCP 78 and the IETF Trust's Legal 38 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 39 license-info) in effect on the date of publication of this document. 40 Please review these documents carefully, as they describe your rights 41 and restrictions with respect to this document. Code Components 42 extracted from this document must include Simplified BSD License text 43 as described in Section 4.e of the Trust Legal Provisions and are 44 provided without warranty as described in the Simplified BSD License. 46 Table of Contents 48 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 49 1.1. Terminology & Concepts . . . . . . . . . . . . . . . . . 3 50 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 51 3. YANG Management . . . . . . . . . . . . . . . . . . . . . . . 5 52 3.1. YANG Tree . . . . . . . . . . . . . . . . . . . . . . . . 5 53 3.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 7 54 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 55 4.1. Updates to the IETF XML Registry . . . . . . . . . . . . 18 56 4.2. Updates to the YANG Module Names Registry . . . . . . . . 18 57 5. Security Considerations . . . . . . . . . . . . . . . . . . . 19 58 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 59 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 60 7.1. Normative References . . . . . . . . . . . . . . . . . . 19 61 7.2. Informative References . . . . . . . . . . . . . . . . . 20 62 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 21 63 A.1. Example XML Configuration . . . . . . . . . . . . . . . . 21 64 A.2. Example XML Operational Data . . . . . . . . . . . . . . 22 65 A.3. Example JSON Configuration . . . . . . . . . . . . . . . 23 66 A.4. Example JSON Operational Data . . . . . . . . . . . . . . 24 67 A.5. Example JSON Operational Statistics . . . . . . . . . . . 25 68 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27 70 1. Introduction 72 This document defines a YANG module [RFC7950] for the management of 73 the IP Traffic Flow Security (IP-TFS) extensions as defined in 74 [I-D.ietf-ipsecme-iptfs]. IP-TFS provides enhancements to an IPsec 75 tunnel Security Association to provide improved traffic 76 confidentiality. Traffic confidentiality reduces the ability of 77 traffic analysis to determine identity and correlate observable 78 traffic patterns. IP-TFS offers efficiency when aggregating traffic 79 in fixed size IPsec tunnel packets. 81 The YANG data model in this document conforms to the Network 82 Management Datastore Architecture defined in [RFC8342]. 84 The only actively published YANG modules for IPsec are found in 85 [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]. This document uses these 86 models as a general IPsec model that can be augmented. The models in 87 [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] provide for an ike and an 88 ikeless model. 90 1.1. Terminology & Concepts 92 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 93 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 94 "OPTIONAL" in this document are to be interpreted as described in 95 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, 96 as shown here. 98 2. Overview 100 This document defines configuration and operational parameters of IP 101 traffic flow security (IP-TFS). IP-TFS, defined in 102 [I-D.ietf-ipsecme-iptfs], defines a security association for tunnel 103 mode IPsec with characteristics that improve traffic confidentiality 104 and reduce bandwidth efficiency loss. These documents assume 105 familiarity with IP security concepts described in [RFC4301]. 107 IP-TFS uses tunnel mode to improve confidentiality by hiding inner 108 packet identifiable information, packet size and packet timing. IP- 109 TFS provides a general capability allowing aggregation of multiple 110 packets in uniform size outer tunnel ipsec packets. It maintains the 111 outer packet size by utilizing combinations of aggregating, padding 112 and fragmentating inner packets to fll out the IPsec outer tunnel 113 packet. Zero byte padding is used to fill the packet when no data is 114 available to send. 116 This document specifies an extensible configuration model for IP-TFS. 117 This version utilizes the capabilities of IP-TFS to configure fixed 118 size IP-TFS Packets that are transmitted at a constant rate. This 119 model is structured to allow for different types of operation through 120 future augmentation. 122 IP-TFS YANG augments IPsec YANG model from 123 [I-D.ietf-i2nsf-sdn-ipsec-flow-protection]. IP-TFS makes use of 124 IPsec tunnel mode and adds a small number configuration items to 125 tunnel mode IPsec. As defined in [I-D.ietf-ipsecme-iptfs], any SA 126 configured to use IP-TFS supports only IP-TFS packets i.e. no mixed 127 IPsec modes. 129 The behavior for IP-TFS is controlled by the source. The self- 130 describing format of an IP-TFS packets allows a sending side to 131 adjust the packet-size and timing independently from any receiver. 132 Both directions are also independent, e.g. IP-TFS may be run only in 133 one direction. This means that counters, which are created here for 134 both directions may be 0 or not updated in the case of an SA that 135 uses IP-TFS only in on direction. 137 Cases where IP-TFS statistics are active for one direction: 139 * SA one direction - IP-TFS enabled 141 * SA both directions - IP-TFS only enabled in one direction 143 Case where IP-TFS statistics are for both directions: 145 * SA both directions - IP-TFS enable for both directions 147 The data model uses following constructs for configuration and 148 management: 150 o Configuration 152 o Operational State 154 This YANG module supports configuration of fixed size and fixed rate 155 packets, and elements that may be augmented to support future 156 configuration. The protocol specification [I-D.ietf-ipsecme-iptfs], 157 goes beyond this simple fixed mode of operation by defining a general 158 format for any type of scheme. In this document the outer IPsec 159 packets can be sent with fixed or variable size (without padding). 160 The configuration allows the fixed packet size to be determined by 161 the path MTU. The fixed packet size can also be configured if a 162 value lower than the path MTU is desired. 164 Other configuration items include: 166 * Congestion Control. A congestion control setting to allow IP-TFS 167 to reduce the packet rate when congestion is detected. 169 * Fixed Rate configuration. The IP-TFS tunnel rate can be 170 configured taking into account either layer 2 overhead or layer 3 171 overhead. Layer 3 overhead is the IP data rate and layer 2 172 overhead is the rate of bits on the link. The combination of 173 packet size and rate determines the nominal maximum bandwidth and 174 the transmission interval when fixed size packets are used. 176 * User packet Fragmentation Control. While fragmentation is 177 recommended for improved efficiency, a configuration is provided 178 if users wish to observe the effect no-fragmentation on their data 179 flows. 181 The YANG operational data allows the readout of the configured 182 parameters as well as the per SA statistics and error counters for 183 IP-TFS. Per SA IPsec packet statistics are provided as a feature and 184 per SA IP-TFS specific statistics as another feature. Both sets of 185 statistics augment the IPsec YANG models with counters that allow 186 observation of IP-TFS packet efficiency. 188 Draft [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] has a mature set of 189 IPsec YANG management objects. 191 IP-TFS YANG augments: 193 * Yang catalog entry for ietf-i2nsf-ike@2021-07-14.yang 195 * Yang catalog entry for ietf-i2nsf-ikeless@20202-07-14.yang 197 The Security Policy database entry and Security Association entry for 198 an IPsec Tunnel can be augmented with IP-TFS. 200 3. YANG Management 202 3.1. YANG Tree 204 The following is the YANG tree diagram ([RFC8340]) for the IP-TFS 205 extensions. 207 module: ietf-ipsecme-iptfs 208 augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd 209 /nsfike:spd-entry/nsfike:ipsec-policy-config 210 /nsfike:processing-info/nsfike:ipsec-sa-cfg: 211 +--rw traffic-flow-security 212 +--rw congestion-control? boolean 213 +--rw packet-size 214 | +--rw use-path-mtu-discovery? boolean 215 | +--rw outer-packet-size? uint16 216 +--rw (tunnel-rate)? 217 | +--:(l2-fixed-rate) 218 | | +--rw l2-fixed-rate? uint64 219 | +--:(l3-fixed-rate) 220 | +--rw l3-fixed-rate? uint64 221 +--rw dont-fragment? boolean 222 +--rw max-aggregation-time? decimal64 223 augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info: 224 +--ro traffic-flow-security 225 +--ro congestion-control? boolean 226 +--ro packet-size 227 | +--ro use-path-mtu-discovery? boolean 228 | +--ro outer-packet-size? uint16 229 +--ro (tunnel-rate)? 230 | +--:(l2-fixed-rate) 231 | | +--ro l2-fixed-rate? uint64 232 | +--:(l3-fixed-rate) 233 | +--ro l3-fixed-rate? uint64 234 +--ro dont-fragment? boolean 235 +--ro max-aggregation-time? decimal64 237 augment /nsfikels:ipsec-ikeless/nsfikels:spd/nsfikels:spd-entry 238 /nsfikels:ipsec-policy-config/nsfikels:processing-info 239 /nsfikels:ipsec-sa-cfg: 240 +--rw traffic-flow-security 241 +--rw congestion-control? boolean 242 +--rw packet-size 243 | +--rw use-path-mtu-discovery? boolean 244 | +--rw outer-packet-size? uint16 245 +--rw (tunnel-rate)? 246 | +--:(l2-fixed-rate) 247 | | +--rw l2-fixed-rate? uint64 248 | +--:(l3-fixed-rate) 249 | +--rw l3-fixed-rate? uint64 250 +--rw dont-fragment? boolean 251 +--rw max-aggregation-time? decimal64 252 augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry: 253 +--ro traffic-flow-security 254 +--ro congestion-control? boolean 255 +--ro packet-size 256 | +--ro use-path-mtu-discovery? boolean 257 | +--ro outer-packet-size? uint16 258 +--ro (tunnel-rate)? 259 | +--:(l2-fixed-rate) 260 | | +--ro l2-fixed-rate? uint64 261 | +--:(l3-fixed-rate) 262 | +--ro l3-fixed-rate? uint64 263 +--ro dont-fragment? boolean 264 +--ro max-aggregation-time? decimal64 265 augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info: 266 +--ro ipsec-stats {ipsec-stats}? 267 | +--ro tx-pkts? uint64 268 | +--ro tx-octets? uint64 269 | +--ro tx-drop-pkts? uint64 270 | +--ro rx-pkts? uint64 271 | +--ro rx-octets? uint64 272 | +--ro rx-drop-pkts? uint64 273 +--ro iptfs-inner-pkt-stats {iptfs-stats}? 274 | +--ro tx-pkts? uint64 275 | +--ro tx-octets? uint64 276 | +--ro rx-pkts? uint64 277 | +--ro rx-octets? uint64 278 | +--ro rx-incomplete-pkts? uint64 279 +--ro iptfs-outer-pkt-stats {iptfs-stats}? 280 +--ro tx-all-pad-pkts? uint64 281 +--ro tx-all-pad-octets? uint64 282 +--ro tx-extra-pad-pkts? uint64 283 +--ro tx-extra-pad-octets? uint64 284 +--ro rx-all-pad-pkts? uint64 285 +--ro rx-all-pad-octets? uint64 286 +--ro rx-extra-pad-pkts? uint64 287 +--ro rx-extra-pad-octets? uint64 288 +--ro rx-errored-pkts? uint64 289 +--ro rx-missed-pkts? uint64 290 augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry: 291 +--rw ipsec-stats {ipsec-stats}? 292 | +--ro tx-pkts? uint64 293 | +--ro tx-octets? uint64 294 | +--ro tx-drop-pkts? uint64 295 | +--ro rx-pkts? uint64 296 | +--ro rx-octets? uint64 297 | +--ro rx-drop-pkts? uint64 298 +--ro iptfs-inner-pkt-stats {iptfs-stats}? 299 | +--ro tx-pkts? uint64 300 | +--ro tx-octets? uint64 301 | +--ro rx-pkts? uint64 302 | +--ro rx-octets? uint64 303 | +--ro rx-incomplete-pkts? uint64 304 +--ro iptfs-outer-pkt-stats {iptfs-stats}? 305 +--ro tx-all-pad-pkts? uint64 306 +--ro tx-all-pad-octets? uint64 307 +--ro tx-extra-pad-pkts? uint64 308 +--ro tx-extra-pad-octets? uint64 309 +--ro rx-all-pad-pkts? uint64 310 +--ro rx-all-pad-octets? uint64 311 +--ro rx-extra-pad-pkts? uint64 312 +--ro rx-extra-pad-octets? uint64 313 +--ro rx-errored-pkts? uint64 314 +--ro rx-missed-pkts? uint64 316 3.2. YANG Module 318 The following is the YANG module for managing the IP-TFS extensions. 320 file "ietf-ipsecme-iptfs@2021-10-04.yang" 321 module ietf-ipsecme-iptfs { 322 yang-version 1.1; 323 namespace "urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs"; 324 prefix iptfs; 326 import ietf-i2nsf-ike { 327 prefix nsfike; 328 } 329 import ietf-i2nsf-ikeless { 330 prefix nsfikels; 331 } 332 organization 333 "IETF IPSECME Working Group (IPSECME)"; 334 contact 335 "WG Web: 336 WG List: 338 Author: Don Fedyk 339 341 Author: Christian Hopps 342 "; 344 // RFC Ed.: replace XXXX with actual RFC number and 345 // remove this note. 347 description 348 "This module defines the configuration and operational state for 349 managing the IP Traffic Flow Security functionality [RFC XXXX]. 351 Copyright (c) 2020 IETF Trust and the persons identified as 352 authors of the code. All rights reserved. 354 Redistribution and use in source and binary forms, with or 355 without modification, is permitted pursuant to, and subject to 356 the license terms contained in, the Simplified BSD License set 357 forth in Section 4.c of the IETF Trust's Legal Provisions 358 Relating to IETF Documents 359 (https://trustee.ietf.org/license-info). 361 This version of this YANG module is part of RFC XXXX 362 (https://tools.ietf.org/html/rfcXXXX); see the RFC itself for 363 full legal notices."; 365 revision 2021-10-04 { 366 description 367 "Initial Revision"; 368 reference 369 "RFC XXXX: IP Traffic Flow Security YANG Module"; 370 } 372 feature ipsec-stats { 373 description 374 "This feature indicates the device supports 375 per SA IPsec statistics"; 376 } 378 feature iptfs-stats { 379 description 380 "This feature indicates the device supports 381 per SA IP Traffic Flow Security statistics"; 382 } 384 /*--------------------*/ 385 /* groupings */ 386 /*--------------------*/ 388 grouping ipsec-tx-stat-grouping { 389 description 390 "IPsec outbound statistics"; 391 leaf tx-pkts { 392 type uint64; 393 config false; 394 description 395 "Outbound Packet count"; 396 } 397 leaf tx-octets { 398 type uint64; 399 config false; 400 description 401 "Outbound Packet bytes"; 402 } 403 leaf tx-drop-pkts { 404 type uint64; 405 config false; 406 description 407 "Outbound dropped packets count"; 408 } 409 } 411 grouping ipsec-rx-stat-grouping { 412 description 413 "IPsec inbound statistics"; 414 leaf rx-pkts { 415 type uint64; 416 config false; 417 description 418 "Inbound Packet count"; 419 } 420 leaf rx-octets { 421 type uint64; 422 config false; 423 description 424 "Inbound Packet bytes"; 425 } 426 leaf rx-drop-pkts { 427 type uint64; 428 config false; 429 description 430 "Inbound dropped packets count"; 431 } 432 } 434 grouping iptfs-inner-tx-stat-grouping { 435 description 436 "IP-TFS outbound inner packet statistics"; 437 leaf tx-pkts { 438 type uint64; 439 config false; 440 description 441 "Total number of IP-TFS inner packets sent. This 442 count is whole packets only. A fragmented packet 443 counts as one packet"; 444 reference 445 "draft-ietf-ipsecme-iptfs"; 446 } 447 leaf tx-octets { 448 type uint64; 449 config false; 450 description 451 "Total number of IP-TFS inner octets sent. This is 452 inner packet octets only. Does not count padding."; 453 reference 454 "draft-ietf-ipsecme-iptfs"; 455 } 456 } 458 grouping iptfs-outer-tx-stat-grouping { 459 description 460 "IP-TFS outbound inner packet statistics"; 461 leaf tx-all-pad-pkts { 462 type uint64; 463 config false; 464 description 465 "Total number of transmitted IP-TFS packets that 466 were all padding with no inner packet data."; 467 reference 468 "draft-ietf-ipsecme-iptfs section 2.2.3"; 469 } 470 leaf tx-all-pad-octets { 471 type uint64; 472 config false; 473 description 474 "Total number transmitted octets of padding added to 475 IP-TFS packets with no inner packet data."; 477 reference 478 "draft-ietf-ipsecme-iptfs section 2.2.3"; 479 } 480 leaf tx-extra-pad-pkts { 481 type uint64; 482 config false; 483 description 484 "Total number of transmitted outer IP-TFS packets 485 that included some padding."; 486 reference 487 "draft-ietf-ipsecme-iptfs section 2.2.3.1"; 488 } 489 leaf tx-extra-pad-octets { 490 type uint64; 491 config false; 492 description 493 "Total number of transmitted octets of padding added 494 to outer IP-TFS packets with data."; 495 reference 496 "draft-ietf-ipsecme-iptfs section 2.2.3.1"; 497 } 498 } 500 grouping iptfs-inner-rx-stat-grouping { 501 description 502 "IP-TFS inner packet inbound statistics"; 503 leaf rx-pkts { 504 type uint64; 505 config false; 506 description 507 "Total number of IP-TFS inner packets received."; 508 reference 509 "draft-ietf-ipsecme-iptfs section 2.2"; 510 } 511 leaf rx-octets { 512 type uint64; 513 config false; 514 description 515 "Total number of IP-TFS inner octets received. Does 516 not include padding or overhead"; 517 reference 518 "draft-ietf-ipsecme-iptfs section 2.2"; 519 } 520 leaf rx-incomplete-pkts { 521 type uint64; 522 config false; 523 description 524 "Total number of IP-TFS inner packets that were 525 incomplete. Usually this is due to fragments not 526 received. Also, this may be due to misordering or 527 errors in received outer packets."; 528 reference 529 "draft-ietf-ipsecme-iptfs"; 530 } 531 } 533 grouping iptfs-outer-rx-stat-grouping { 534 description 535 "IP-TFS outer packet inbound statistics"; 536 leaf rx-all-pad-pkts { 537 type uint64; 538 config false; 539 description 540 "Total number of received IP-TFS packets that were 541 all padding with no inner packet data."; 542 reference 543 "draft-ietf-ipsecme-iptfs section 2.2.3"; 544 } 545 leaf rx-all-pad-octets { 546 type uint64; 547 config false; 548 description 549 "Total number received octets of padding added to 550 IP-TFS packets with no inner packet data."; 551 reference 552 "draft-ietf-ipsecme-iptfs section 2.2.3"; 553 } 554 leaf rx-extra-pad-pkts { 555 type uint64; 556 config false; 557 description 558 "Total number of received outer IP-TFS packets that 559 included some padding."; 560 reference 561 "draft-ietf-ipsecme-iptfs section 2.2.3.1"; 562 } 563 leaf rx-extra-pad-octets { 564 type uint64; 565 config false; 566 description 567 "Total number of received octets of padding added to 568 outer IP-TFS packets with data."; 569 reference 570 "draft-ietf-ipsecme-iptfs section 2.2.3.1"; 571 } 572 leaf rx-errored-pkts { 573 type uint64; 574 config false; 575 description 576 "Total number of IP-TFS outer packets dropped due to 577 errors."; 578 reference 579 "draft-ietf-ipsecme-iptfs"; 580 } 581 leaf rx-missed-pkts { 582 type uint64; 583 config false; 584 description 585 "Total number of IP-TFS outer packets missing 586 indicated by missing sequence number."; 587 reference 588 "draft-ietf-ipsecme-iptfs"; 589 } 590 } 592 grouping iptfs-config { 593 description 594 "This is the grouping for iptfs configuration"; 595 container traffic-flow-security { 596 // config true; want this so we can refine? 597 description 598 "Configure the IPSec TFS in Security 599 Association Database (SAD)"; 600 leaf congestion-control { 601 type boolean; 602 default "true"; 603 description 604 "Congestion Control With the congestion controlled 605 mode, IP-TFS adapts to network congestion by 606 lowering the packet send rate to accommodate the 607 congestion, as well as raising the rate when 608 congestion subsides."; 609 reference 610 "draft-ietf-ipsecme-iptfs section 2.5.2"; 611 } 612 container packet-size { 613 description 614 "Packet size is either auto-discovered or manually 615 configured."; 616 leaf use-path-mtu-discovery { 617 type boolean; 618 default "true"; 619 description 620 "Utilize path mtu discovery to determine maximum IP-TFS 621 packet size. If the packet size is explicitly 622 configured, then it will only be adjusted downward 623 if use-path-mtu-discovery is set."; 624 reference 625 "draft-ietf-ipsecme-iptfs section 4.2"; 626 } 627 leaf outer-packet-size { 628 type uint16; 629 description 630 "The size of the outer encapsulating tunnel packet (i.e., 631 the IP packet containing the ESP payload)."; 632 reference 633 "draft-ietf-ipsecme-iptfs section 4.2"; 634 } 635 } 636 choice tunnel-rate { 637 description 638 "TFS bit rate may be specified at layer 2 wire 639 rate or layer 3 packet rate"; 640 leaf l2-fixed-rate { 641 type uint64; 642 description 643 "Target bandwidth/bit rate in bps for iptfs tunnel. This 644 fixed rate is the nominal timing for the fixed size packet. 645 If congestion control is enabled the rate may be adjusted 646 down (or up if unset)."; 647 reference 648 "draft-ietf-ipsecme-iptfs section 4.1"; 649 } 650 leaf l3-fixed-rate { 651 type uint64; 652 description 653 "Target bandwidth/bit rate in bps for iptfs tunnel. This 654 fixed rate is the nominal timing for the fixed size packet. 655 If congestion control is enabled the rate may be adjusted 656 down (or up if unset)."; 657 reference 658 "draft-ietf-ipsecme-iptfs section 4.1"; 659 } 660 } 661 leaf dont-fragment { 662 type boolean; 663 default "false"; 664 description 665 "Disable packet fragmentation across consecutive iptfs 666 tunnel packets"; 667 reference 668 "draft-ietf-ipsecme-iptfs section 2.2.4 and 6.4.1"; 670 } 671 leaf max-aggregation-time { 672 type decimal64 { 673 fraction-digits 6; 674 } 675 units "milliseconds"; 676 description 677 "Maximum Aggregation Time in Milliseconds 678 or fractional milliseconds down to 1 nanosecond"; 679 } 680 } 681 } 683 /* 684 * IP-TFS ike configuration 685 */ 687 augment "/nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd/" 688 + "nsfike:spd-entry/" 689 + "nsfike:ipsec-policy-config/" 690 + "nsfike:processing-info/" 691 + "nsfike:ipsec-sa-cfg" { 692 description 693 "IP-TFS configuration for this policy."; 694 uses iptfs-config; 695 } 697 augment "/nsfike:ipsec-ike/nsfike:conn-entry/" 698 + "nsfike:child-sa-info" { 699 description 700 "IP-TFS configured on this SA."; 701 uses iptfs-config { 702 refine "traffic-flow-security" { 703 config false; 704 } 705 } 706 } 708 /* 709 * IP-TFS ikeless configuration 710 */ 712 augment "/nsfikels:ipsec-ikeless/nsfikels:spd/" 713 + "nsfikels:spd-entry/" 714 + "nsfikels:ipsec-policy-config/" 715 + "nsfikels:processing-info/" 716 + "nsfikels:ipsec-sa-cfg" { 717 description 718 "IP-TFS configuration for this policy."; 719 uses iptfs-config; 720 } 722 augment "/nsfikels:ipsec-ikeless/nsfikels:sad/" 723 + "nsfikels:sad-entry" { 724 description 725 "IP-TFS configured on this SA."; 726 uses iptfs-config { 727 refine "traffic-flow-security" { 728 config false; 729 } 730 } 731 } 733 /* 734 * packet counters 735 */ 737 augment "/nsfike:ipsec-ike/nsfike:conn-entry/" 738 + "nsfike:child-sa-info" { 739 description 740 "Per SA Counters"; 741 container ipsec-stats { 742 if-feature "ipsec-stats"; 743 config false; 744 description 745 "IPsec per SA packet counters."; 746 uses ipsec-tx-stat-grouping { 747 //when "direction = 'outbound'"; 748 } 749 uses ipsec-rx-stat-grouping { 750 //when "direction = 'inbound'"; 751 } 752 } 753 container iptfs-inner-pkt-stats { 754 if-feature "iptfs-stats"; 755 config false; 756 description 757 "IPTFS per SA inner packet counters."; 758 uses iptfs-inner-tx-stat-grouping { 759 //when "direction = 'outbound'"; 760 } 761 uses iptfs-inner-rx-stat-grouping { 762 //when "direction = 'inbound'"; 763 } 764 } 765 container iptfs-outer-pkt-stats { 766 if-feature "iptfs-stats"; 767 config false; 768 description 769 "IPTFS per SA outer packets counters."; 770 uses iptfs-outer-tx-stat-grouping { 771 //when "direction = 'outbound'"; 772 } 773 uses iptfs-outer-rx-stat-grouping { 774 //when "direction = 'inbound'"; 775 } 776 } 777 } 779 /* 780 * packet counters 781 */ 783 augment "/nsfikels:ipsec-ikeless/nsfikels:sad/" 784 + "nsfikels:sad-entry" { 785 description 786 "Per SA Counters"; 787 container ipsec-stats { 788 if-feature "ipsec-stats"; 789 description 790 "IPsec per SA packet counters."; 791 uses ipsec-tx-stat-grouping { 792 //when "direction = 'outbound'"; 793 } 794 uses ipsec-rx-stat-grouping { 795 //when "direction = 'inbound'"; 796 } 797 } 798 container iptfs-inner-pkt-stats { 799 if-feature "iptfs-stats"; 800 config false; 801 description 802 "IPTFS per SA inner packet counters."; 803 uses iptfs-inner-tx-stat-grouping { 804 //when "direction = 'outbound'"; 805 } 806 uses iptfs-inner-rx-stat-grouping { 807 //when "direction = 'inbound'"; 808 } 809 } 810 container iptfs-outer-pkt-stats { 811 if-feature "iptfs-stats"; 812 config false; 813 description 814 "IPTFS per SA outer packets counters."; 815 uses iptfs-outer-tx-stat-grouping { 816 //when "direction = 'outbound'"; 817 } 818 uses iptfs-outer-rx-stat-grouping { 819 //when "direction = 'inbound'"; 820 } 821 } 823 } 824 } 825 827 4. IANA Considerations 829 4.1. Updates to the IETF XML Registry 831 This document registers a URI in the "IETF XML Registry" [RFC3688]. 832 Following the format in [RFC3688], the following registration has 833 been made: 835 URI: 836 urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs 838 Registrant Contact: 839 The IESG. 841 XML: 842 N/A; the requested URI is an XML namespace. 844 4.2. Updates to the YANG Module Names Registry 846 This document registers one YANG module in the "YANG Module Names" 847 registry [RFC6020]. Following the format in [RFC6020], the following 848 registration has been made: 850 name: 851 ietf-ipsecme-iptfs 853 namespace: 854 urn:ietf:params:xml:ns:yang:ietf-ipsecme-iptfs 856 prefix: 857 iptfs 859 reference: 860 RFC XXXX (RFC Ed.: replace XXXX with actual RFC number and remove 861 this note.) 863 5. Security Considerations 865 The YANG module specified in this document defines a schema for data 866 that is designed to be accessed via network management protocols such 867 as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer 868 is the secure transport layer, and the mandatory-to-implement secure 869 transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer 870 is HTTPS, and the mandatory-to-implement secure transport is TLS 871 [RFC8446]. 873 The Network Configuration Access Control Model (NACM) [RFC8341] 874 provides the means to restrict access for particular NETCONF or 875 RESTCONF users to a preconfigured subset of all available NETCONF or 876 RESTCONF protocol operations and content. 878 The YANG module defined in this document can enable, disable and 879 modify the behavior of IP traffic flow security, for the implications 880 regarding these types of changes consult the [I-D.ietf-ipsecme-iptfs] 881 which defines the functionality. 883 6. Acknowledgements 885 The authors would like to thank Eric Kinzie for his feedback on the 886 YANG model. 888 7. References 890 7.1. Normative References 892 [I-D.ietf-i2nsf-sdn-ipsec-flow-protection] 893 Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez- 894 Garcia, "A YANG Data Model for IPsec Flow Protection Based 895 on Software-Defined Networking (SDN)", Work in Progress, 896 Internet-Draft, draft-ietf-i2nsf-sdn-ipsec-flow- 897 protection-14, 25 March 2021, 898 . 901 [I-D.ietf-ipsecme-iptfs] 902 Hopps, C., "IP-TFS: Aggregation and Fragmentation Mode for 903 ESP and its Use for IP Traffic Flow Security", Work in 904 Progress, Internet-Draft, draft-ietf-ipsecme-iptfs-10, 3 905 September 2021, . 908 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 909 Requirement Levels", BCP 14, RFC 2119, 910 DOI 10.17487/RFC2119, March 1997, 911 . 913 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 914 Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, 915 December 2005, . 917 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for 918 the Network Configuration Protocol (NETCONF)", RFC 6020, 919 DOI 10.17487/RFC6020, October 2010, 920 . 922 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", 923 RFC 7950, DOI 10.17487/RFC7950, August 2016, 924 . 926 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 927 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 928 May 2017, . 930 [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., 931 and R. Wilton, "Network Management Datastore Architecture 932 (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, 933 . 935 7.2. Informative References 937 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 938 DOI 10.17487/RFC3688, January 2004, 939 . 941 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 942 and A. Bierman, Ed., "Network Configuration Protocol 943 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, 944 . 946 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure 947 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, 948 . 950 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF 951 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, 952 . 954 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", 955 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, 956 . 958 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration 959 Access Control Model", STD 91, RFC 8341, 960 DOI 10.17487/RFC8341, March 2018, 961 . 963 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 964 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 965 . 967 Appendix A. Examples 969 The following examples show configuration and operational data for 970 the ikeless case in xml and ike case in json. Also, the operational 971 statistics for the ikeless case are shown using xml. 973 A.1. Example XML Configuration 975 This example illustrates configuration for IP-TFS in the ikeless 976 case. Note that since this augments the ipsec ikeless schema only 977 minimal ikeless configuration to satisfy the schema has been 978 populated. 980 983 984 985 protect-policy-1 986 outbound 987 988 989 1.1.1.1/32 990 2.2.2.2/32 991 992 993 protect 994 995 996 true 997 998 true 1000 1001 1000000000 1002 0.1 1004 1005 1006 1007 1008 1009 1010 1012 Figure 1: Example IP-TFS XML configuration 1014 A.2. Example XML Operational Data 1016 This example illustrates operational data for IP-TFS in the ikeless 1017 case. Note that since this augments the ipsec ikeless schema only 1018 minimal ikeless configuration to satisfy the schema has been 1019 populated. 1021 1024 1025 1026 sad-1 1027 1028 1 1029 1030 1.1.1.1/32 1031 2.2.2.2/32 1032 1033 1034 1035 true 1036 1037 true 1038 1039 1000000000 1040 0.100 1041 1042 1043 1044 1046 Figure 2: Example IP-TFS XML Operational data 1048 A.3. Example JSON Configuration 1050 This example illustrates config data for IP-TFS in the ike case. 1051 Note that since this augments the ipsec ike schema only minimal ike 1052 configuration to satisfy the schema has been populated. 1054 { 1055 "ietf-i2nsf-ike:ipsec-ike": { 1056 "ietf-i2nsf-ike:conn-entry": [ 1057 { 1058 "name": "my-peer-connection", 1059 "ike-sa-encr-alg": [ 1060 { 1061 "id": 1, 1062 "algorithm-type": 12, 1063 "key-length": 128 1064 } 1065 ], 1066 "local": { 1067 "local-pad-entry-name": "local-1" 1068 }, 1069 "remote": { 1070 "remote-pad-entry-name": "remote-1" 1071 }, 1072 "ietf-i2nsf-ike:spd": { 1073 "spd-entry": [ 1074 { 1075 "name": "protect-policy-1", 1076 "ipsec-policy-config": { 1077 "traffic-selector": { 1078 "local-prefix": "1.1.1.1/32", 1079 "remote-prefix": "2.2.2.2/32" 1080 }, 1081 "processing-info": { 1082 "action": "protect", 1083 "ipsec-sa-cfg": { 1084 "ietf-ipsecme-iptfs:traffic-flow-security": { 1085 "congestion-control": "true", 1086 "l2-fixed-rate": 1000000000, 1087 "packet-size": { 1088 "use-path-mtu-discovery": "true" 1089 }, 1090 "max-aggregation-time": "0.1" 1091 } 1092 } 1093 } 1094 } 1095 } 1096 ] 1097 } 1098 } 1099 ] 1100 } 1101 } 1103 Figure 3: Example IP-TFS JSON configuration 1105 A.4. Example JSON Operational Data 1107 This example illustrates operational data for IP-TFS in the ike case. 1108 Note that since this augments the ipsec ike tree only minimal ike 1109 configuration to satisfy the schema has been populated. 1111 { 1112 "ietf-i2nsf-ike:ipsec-ike": { 1113 "ietf-i2nsf-ike:conn-entry": [ 1114 { 1115 "name": "my-peer-connection", 1116 "ike-sa-encr-alg": [ 1117 { 1118 "id": 1, 1119 "algorithm-type": 12, 1120 "key-length": 128 1121 } 1122 ], 1123 "local": { 1124 "local-pad-entry-name": "local-1" 1125 }, 1126 "remote": { 1127 "remote-pad-entry-name": "remote-1" 1128 }, 1129 "ietf-i2nsf-ike:child-sa-info": { 1130 "ietf-ipsecme-iptfs:traffic-flow-security": { 1131 "congestion-control": "true", 1132 "l2-fixed-rate": 1000000000, 1133 "packet-size": { 1134 "use-path-mtu-discovery": "true" 1135 }, 1136 "max-aggregation-time": "0.1" 1137 } 1138 } 1139 } 1140 ] 1141 } 1142 } 1144 Figure 4: Example IP-TFS JSON Operational data 1146 A.5. Example JSON Operational Statistics 1148 This example shows the json formated statistics for IP-TFS. Note a 1149 unidirectional IP-TFS transmit side is illustrated, with arbitray 1150 numbers for transmit. 1152 { 1153 "ietf-i2nsf-ikeless:ipsec-ikeless": { 1154 "sad": { 1155 "sad-entry": [ 1156 { 1157 "name": "sad-1", 1158 "ipsec-sa-config": { 1159 "spi": 1, 1160 "traffic-selector": { 1161 "local-prefix": "1.1.1.1/32", 1162 "remote-prefix": "2.2.2.2/32" 1163 } 1164 }, 1165 "ietf-ipsecme-iptfs:ipsec-stats": { 1166 "tx-pkts": "300", 1167 "tx-octets": "80000", 1168 "tx-drop-pkts": "2", 1169 "rx-pkts": "0", 1170 "rx-octets": "0", 1171 "rx-drop-pkts": "0" 1172 }, 1173 "ietf-ipsecme-iptfs:iptfs-inner-pkt-stats": { 1174 "tx-pkts": "250", 1175 "tx-octets": "75000", 1176 "rx-pkts": "0", 1177 "rx-octets": "0", 1178 "rx-incomplete-pkts": "0" 1179 }, 1180 "ietf-ipsecme-iptfs:iptfs-outer-pkt-stats": { 1181 "tx-all-pad-pkts": "40", 1182 "tx-all-pad-octets": "40000", 1183 "tx-extra-pad-pkts": "200", 1184 "tx-extra-pad-octets": "30000", 1185 "rx-all-pad-pkts": "0", 1186 "rx-all-pad-octets": "0", 1187 "rx-extra-pad-pkts": "0", 1188 "rx-extra-pad-octets": "0", 1189 "rx-errored-pkts": "0", 1190 "rx-missed-pkts": "0" 1191 }, 1192 "ipsec-sa-state": { 1193 "sa-lifetime-current": { 1194 "time": 80000, 1195 "bytes": 4000606, 1196 "packets": 1000, 1197 "idle": 5 1198 } 1199 } 1200 } 1201 ] 1202 } 1203 } 1204 } 1206 Figure 5: Example IP-TFS JSON Statistics 1208 Authors' Addresses 1210 Don Fedyk 1211 LabN Consulting, L.L.C. 1213 Email: dfedyk@labn.net 1215 Christian Hopps 1216 LabN Consulting, L.L.C. 1218 Email: chopps@chopps.org