Network Working Group                                           D. Fedyk
Internet-Draft                                                  C. Hopps
Intended status: Standards Track                  LabN Consulting, L.L.C.
Expires: 28 April 2022                                   25 October 2021


             A YANG Data Model for IP Traffic Flow Security
                    draft-ietf-ipsecme-yang-iptfs-02

Abstract

   This document describes a YANG module for the management of IP
   Traffic Flow Security additions to IKEv2 and IPsec.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 28 April 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology & Concepts
   2.  Overview
   3.  YANG Management
     3.1.  YANG Tree
     3.2.  YANG Module
   4.  IANA Considerations
     4.1.  Updates to the IETF XML Registry
     4.2.  Updates to the YANG Module Names Registry
   5.  Security Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Examples
     A.1.  Example XML Configuration
     A.2.  Example XML Operational Data
     A.3.  Example JSON Configuration
     A.4.  Example JSON Operational Data
     A.5.  Example JSON Operational Statistics
   Authors' Addresses

1.  Introduction

   This document defines a YANG module [RFC7950] for the management of
   the IP Traffic Flow Security (IP-TFS) extensions as defined in
   [I-D.ietf-ipsecme-iptfs].  IP-TFS provides enhancements to an IPsec
   tunnel Security Association to provide improved traffic
   confidentiality.  Traffic confidentiality reduces the ability of
   traffic analysis to determine identity and correlate observable
   traffic patterns.  IP-TFS offers efficiency when aggregating traffic
   in fixed size IPsec tunnel packets.

   The YANG data model in this document conforms to the Network
   Management Datastore Architecture (NMDA) defined in [RFC8342].

   The published YANG modules for IPsec are defined in [RFC9061].  This
   document uses these models as a general IPsec model that is augmented
   for IP-TFS.
   The models in [RFC9061] provide for both an IKE and an IKELESS model.

1.1.  Terminology & Concepts

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119] [RFC8174] when, and only when, they appear in all capitals,
   as shown here.

2.  Overview

   This document defines configuration and operational parameters of IP
   traffic flow security (IP-TFS).  IP-TFS, defined in
   [I-D.ietf-ipsecme-iptfs], defines a security association for tunnel
   mode IPsec with characteristics that improve traffic confidentiality
   and reduce bandwidth efficiency loss.  These documents assume
   familiarity with IP security concepts described in [RFC4301].

   IP-TFS uses tunnel mode to improve confidentiality by hiding inner
   packet identifiable information, packet size and packet timing.  IP-
   TFS provides a general capability allowing aggregation of multiple
   packets in uniform size outer tunnel IPsec packets.  It maintains the
   outer packet size by utilizing combinations of aggregating, padding
   and fragmenting inner packets to fill out the IPsec outer tunnel
   packet.  Zero byte padding is used to fill the packet when no data is
   available to send.

   This document specifies an extensible configuration model for IP-TFS.
   This version utilizes the capabilities of IP-TFS to configure fixed
   size IP-TFS packets that are transmitted at a constant rate.  This
   model is structured to allow for different types of operation through
   future augmentation.

   The IP-TFS YANG module augments the IPsec YANG model from [RFC9061].
   IP-TFS makes use of IPsec tunnel mode and adds a small number of
   configuration items to tunnel mode IPsec.  As defined in
   [I-D.ietf-ipsecme-iptfs], any SA configured to use IP-TFS supports
   only IP-TFS packets, i.e., no mixed IPsec modes.
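   As an added illustration (not part of this draft or of any IP-TFS
   implementation), the following Python models a sender that emits one
   fixed-size outer packet per interval, aggregating, fragmenting or
   padding queued inner packets as described above, and keeps the
   transmit counters that the statistics leaves in Section 3 expose; it
   also derives the nominal transmission interval from the l2/l3 fixed
   rate and outer packet size.  OUTER_OVERHEAD, L2_FRAMING and the
   arrival schedule are constructed assumptions, not values from the draft.

```python
from collections import deque
from dataclasses import dataclass

# Constructed assumptions, not values from the draft: octets of outer
# IP/ESP/IP-TFS headers and trailer in each fixed-size outer packet, and
# Ethernet framing octets (preamble, header, FCS, gap) per frame.
OUTER_OVERHEAD = 80
L2_FRAMING = 38


@dataclass
class TxStats:
    """Transmit-side counters named after the module's statistics leaves."""
    tx_pkts: int = 0              # ipsec-stats/tx-pkts: outer packets sent
    tx_octets: int = 0            # ipsec-stats/tx-octets
    tx_drop_pkts: int = 0         # ipsec-stats/tx-drop-pkts
    inner_tx_pkts: int = 0        # iptfs-inner-pkt-stats/tx-pkts (whole inner packets)
    inner_tx_octets: int = 0      # iptfs-inner-pkt-stats/tx-octets (no padding)
    tx_all_pad_pkts: int = 0      # iptfs-outer-pkt-stats/tx-all-pad-pkts
    tx_all_pad_octets: int = 0    # iptfs-outer-pkt-stats/tx-all-pad-octets
    tx_extra_pad_pkts: int = 0    # outer packets carrying data plus padding
    tx_extra_pad_octets: int = 0  # padding octets inside those packets


def transmit_interval_us(rate_bps, outer_packet_size, layer):
    """Nominal gap between fixed-size outer packets for a tunnel-rate choice.

    l3-fixed-rate counts IP octets only; l2-fixed-rate also counts the
    link framing, so the same bps yields a longer interval at layer 2.
    """
    if layer not in ("l2", "l3"):
        raise ValueError("layer must be 'l2' or 'l3'")
    octets = outer_packet_size + (L2_FRAMING if layer == "l2" else 0)
    return octets * 8 * 1_000_000 / rate_bps


def run_sender(arrivals, outer_packet_size, ticks, dont_fragment=False):
    """Emit exactly one outer packet of outer_packet_size per tick (the
    constant-rate mode this module configures).  Queued inner packets are
    aggregated into the outer packet, split across consecutive outer
    packets unless dont_fragment is set, and any unused room is padding.

    arrivals maps a tick number to the sizes of inner packets arriving then.
    """
    capacity = outer_packet_size - OUTER_OVERHEAD
    if capacity <= 0:
        raise ValueError("outer packet too small for the assumed overhead")
    stats = TxStats()
    queue = deque()  # entries: [remaining_octets, first_octet_not_yet_sent]
    for tick in range(ticks):
        for size in arrivals.get(tick, []):
            if dont_fragment and size > capacity:
                stats.tx_drop_pkts += 1  # can never fit whole: dropped
            else:
                queue.append([size, True])
        room = capacity
        carried = 0
        while queue and room > 0:
            pkt = queue[0]
            if dont_fragment and pkt[0] > room:
                break  # wait for the next outer packet rather than split
            take = min(pkt[0], room)
            if pkt[1]:
                stats.inner_tx_pkts += 1  # a fragmented packet counts once
                pkt[1] = False
            pkt[0] -= take
            room -= take
            carried += take
            stats.inner_tx_octets += take
            if pkt[0] == 0:
                queue.popleft()
        stats.tx_pkts += 1
        stats.tx_octets += outer_packet_size
        if carried == 0:
            stats.tx_all_pad_pkts += 1  # nothing queued: all-padding packet
            stats.tx_all_pad_octets += room
        elif room > 0:
            stats.tx_extra_pad_pkts += 1
            stats.tx_extra_pad_octets += room
    return stats


def padding_ratio(stats):
    """Fraction of transmitted octets that were padding, computed from the
    counters alone, as an operator reading the statistics would."""
    return (stats.tx_all_pad_octets + stats.tx_extra_pad_octets) / stats.tx_octets


if __name__ == "__main__":
    # Constructed burst: two 800-octet inner packets at tick 0, one of 100 at tick 2.
    schedule = {0: [800, 800], 2: [100]}
    s = run_sender(schedule, 1500, ticks=4)
    print(s, f"padding={padding_ratio(s):.3f}")
    print(f"interval l2={transmit_interval_us(1_000_000_000, 1500, 'l2'):.3f} us",
          f"l3={transmit_interval_us(1_000_000_000, 1500, 'l3'):.3f} us")
```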
   The behavior for IP-TFS is controlled by the source.  The self-
   describing format of an IP-TFS packet allows a sending side to
   adjust the packet size and timing independently from any receiver.
   Both directions are also independent, e.g., IP-TFS may be run only in
   one direction.  This means that the counters, which are created here
   for both directions, may be 0 or not updated in the case of an SA
   that uses IP-TFS only in one direction.

   Cases where IP-TFS statistics are active for one direction:

   *  SA one direction - IP-TFS enabled

   *  SA both directions - IP-TFS only enabled in one direction

   Case where IP-TFS statistics are active for both directions:

   *  SA both directions - IP-TFS enabled for both directions

   The IP-TFS model supports IP-TFS configuration and operational data.

   This YANG module supports configuration of fixed size and fixed rate
   packets, and elements that may be augmented to support future
   configuration.  The protocol specification [I-D.ietf-ipsecme-iptfs]
   goes beyond this simple fixed mode of operation by defining a general
   format for any type of scheme.  In this document the outer IPsec
   packets can be sent with fixed or variable size (without padding).
   The configuration allows the fixed packet size to be determined by
   the path MTU.  The fixed packet size can also be configured if a
   value lower than the path MTU is desired.

   Other configuration items include:

   *  Congestion Control.  A congestion control setting to allow IP-TFS
      to reduce the packet rate when congestion is detected.

   *  Fixed Rate configuration.  The IP-TFS tunnel rate can be
      configured taking into account either layer 2 overhead or layer 3
      overhead.  Layer 3 overhead is the IP data rate and layer 2
      overhead is the rate of bits on the link.  The combination of
      packet size and rate determines the nominal maximum bandwidth and
      the transmission interval when fixed size packets are used.

   *  User packet Fragmentation Control.  While fragmentation is
      recommended for improved efficiency, a configuration is provided
      if users wish to observe the effect of no-fragmentation on their
      data flows.

   The YANG operational data allows the readout of the configured
   parameters as well as the per SA statistics and error counters for
   IP-TFS.  Per SA IPsec packet statistics are provided as a feature and
   per SA IP-TFS specific statistics as another feature.  Both sets of
   statistics augment the IPsec YANG models with counters that allow
   observation of IP-TFS packet efficiency.

   [RFC9061] has a set of IPsec YANG management objects.  IP-TFS YANG
   augments the IKE and the IKELESS models.  In these models the
   Security Policy database entry and Security Association entry for an
   IPsec Tunnel can be augmented with IP-TFS.

3.  YANG Management

3.1.  YANG Tree

   The following is the YANG tree diagram ([RFC8340]) for the IP-TFS
   extensions.

   module: ietf-ipsec-iptfs
     augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd
               /nsfike:spd-entry/nsfike:ipsec-policy-config
               /nsfike:processing-info/nsfike:ipsec-sa-cfg:
       +--rw traffic-flow-security
          +--rw congestion-control?        boolean
          +--rw packet-size
          |  +--rw use-path-mtu-discovery?   boolean
          |  +--rw outer-packet-size?        uint16
          +--rw (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--rw l2-fixed-rate?         yang:counter64
          |  +--:(l3-fixed-rate)
          |     +--rw l3-fixed-rate?         yang:counter64
          +--rw dont-fragment?             boolean
          +--rw max-aggregation-time?      decimal64
     augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info:
       +--ro traffic-flow-security
          +--ro congestion-control?        boolean
          +--ro packet-size
          |  +--ro use-path-mtu-discovery?   boolean
          |  +--ro outer-packet-size?        uint16
          +--ro (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--ro l2-fixed-rate?         yang:counter64
          |  +--:(l3-fixed-rate)
          |     +--ro l3-fixed-rate?         yang:counter64
          +--ro dont-fragment?             boolean
          +--ro max-aggregation-time?      decimal64
     augment /nsfikels:ipsec-ikeless/nsfikels:spd/nsfikels:spd-entry
               /nsfikels:ipsec-policy-config/nsfikels:processing-info
               /nsfikels:ipsec-sa-cfg:
       +--rw traffic-flow-security
          +--rw congestion-control?        boolean
          +--rw packet-size
          |  +--rw use-path-mtu-discovery?   boolean
          |  +--rw outer-packet-size?        uint16
          +--rw (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--rw l2-fixed-rate?         yang:counter64
          |  +--:(l3-fixed-rate)
          |     +--rw l3-fixed-rate?         yang:counter64
          +--rw dont-fragment?             boolean
          +--rw max-aggregation-time?      decimal64
     augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry:
       +--ro traffic-flow-security
          +--ro congestion-control?        boolean
          +--ro packet-size
          |  +--ro use-path-mtu-discovery?   boolean
          |  +--ro outer-packet-size?        uint16
          +--ro (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--ro l2-fixed-rate?         yang:counter64
          |  +--:(l3-fixed-rate)
          |     +--ro l3-fixed-rate?         yang:counter64
          +--ro dont-fragment?             boolean
          +--ro max-aggregation-time?      decimal64
     augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info:
       +--ro ipsec-stats {ipsec-stats}?
       |  +--ro tx-pkts?        yang:counter64
       |  +--ro tx-octets?      yang:counter64
       |  +--ro tx-drop-pkts?   yang:counter64
       |  +--ro rx-pkts?        yang:counter64
       |  +--ro rx-octets?      yang:counter64
       |  +--ro rx-drop-pkts?   yang:counter64
       +--ro iptfs-inner-pkt-stats {iptfs-stats}?
       |  +--ro tx-pkts?              yang:counter64
       |  +--ro tx-octets?            yang:counter64
       |  +--ro rx-pkts?              yang:counter64
       |  +--ro rx-octets?            yang:counter64
       |  +--ro rx-incomplete-pkts?   yang:counter64
       +--ro iptfs-outer-pkt-stats {iptfs-stats}?
          +--ro tx-all-pad-pkts?       yang:counter64
          +--ro tx-all-pad-octets?     yang:counter64
          +--ro tx-extra-pad-pkts?     yang:counter64
          +--ro tx-extra-pad-octets?   yang:counter64
          +--ro rx-all-pad-pkts?       yang:counter64
          +--ro rx-all-pad-octets?     yang:counter64
          +--ro rx-extra-pad-pkts?     yang:counter64
          +--ro rx-extra-pad-octets?   yang:counter64
          +--ro rx-errored-pkts?       yang:counter64
          +--ro rx-missed-pkts?        yang:counter64
     augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry:
       +--rw ipsec-stats {ipsec-stats}?
       |  +--ro tx-pkts?        yang:counter64
       |  +--ro tx-octets?      yang:counter64
       |  +--ro tx-drop-pkts?   yang:counter64
       |  +--ro rx-pkts?        yang:counter64
       |  +--ro rx-octets?      yang:counter64
       |  +--ro rx-drop-pkts?   yang:counter64
       +--ro iptfs-inner-pkt-stats {iptfs-stats}?
       |  +--ro tx-pkts?              yang:counter64
       |  +--ro tx-octets?            yang:counter64
       |  +--ro rx-pkts?              yang:counter64
       |  +--ro rx-octets?            yang:counter64
       |  +--ro rx-incomplete-pkts?   yang:counter64
       +--ro iptfs-outer-pkt-stats {iptfs-stats}?
          +--ro tx-all-pad-pkts?       yang:counter64
          +--ro tx-all-pad-octets?     yang:counter64
          +--ro tx-extra-pad-pkts?     yang:counter64
          +--ro tx-extra-pad-octets?   yang:counter64
          +--ro rx-all-pad-pkts?       yang:counter64
          +--ro rx-all-pad-octets?     yang:counter64
          +--ro rx-extra-pad-pkts?     yang:counter64
          +--ro rx-extra-pad-octets?   yang:counter64
          +--ro rx-errored-pkts?       yang:counter64
          +--ro rx-missed-pkts?        yang:counter64

3.2.  YANG Module

   The following is the YANG module for managing the IP-TFS extensions.
   The model contains references to [I-D.ietf-ipsecme-iptfs] and
   [RFC5348].
   <CODE BEGINS> file "ietf-ipsec-iptfs@2021-10-25.yang"
   module ietf-ipsec-iptfs {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs";
     prefix iptfs;

     import ietf-i2nsf-ike {
       prefix nsfike;
     }
     import ietf-i2nsf-ikeless {
       prefix nsfikels;
     }
     import ietf-yang-types {
       prefix yang;
     }

     organization
       "IETF IPSECME Working Group (IPSECME)";
     contact
       "WG Web:
        WG List:

        Author: Don Fedyk

        Author: Christian Hopps
        ";

     // RFC Ed.: replace XXXX with actual RFC number and
     // remove this note.

     description
       "This module defines the configuration and operational state for
        managing the IP Traffic Flow Security functionality [RFC XXXX].

        Copyright (c) 2021 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject to
        the license terms contained in, the Simplified BSD License set
        forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX
        (https://tools.ietf.org/html/rfcXXXX); see the RFC itself for
        full legal notices.";

     revision 2021-10-25 {
       description
         "Initial Revision";
       reference
         "RFC XXXX: IP Traffic Flow Security YANG Module";
     }

     feature ipsec-stats {
       description
         "This feature indicates the device supports
          per SA IPsec statistics";
     }

     feature iptfs-stats {
       description
         "This feature indicates the device supports
          per SA IP Traffic Flow Security statistics";
     }

     /*--------------------*/
     /*     groupings      */
     /*--------------------*/
     grouping ipsec-tx-stat-grouping {
       description
         "IPsec outbound statistics";
       leaf tx-pkts {
         type yang:counter64;
         config false;
         description
           "Outbound Packet count";
       }
       leaf tx-octets {
         type yang:counter64;
         config false;
         description
           "Outbound Packet bytes";
       }
       leaf tx-drop-pkts {
         type yang:counter64;
         config false;
         description
           "Outbound dropped packets count";
       }
     }

     grouping ipsec-rx-stat-grouping {
       description
         "IPsec inbound statistics";
       leaf rx-pkts {
         type yang:counter64;
         config false;
         description
           "Inbound Packet count";
       }
       leaf rx-octets {
         type yang:counter64;
         config false;
         description
           "Inbound Packet bytes";
       }
       leaf rx-drop-pkts {
         type yang:counter64;
         config false;
         description
           "Inbound dropped packets count";
       }
     }

     grouping iptfs-inner-tx-stat-grouping {
       description
         "IP-TFS outbound inner packet statistics";
       leaf tx-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner packets sent.  This
            count is whole packets only.  A fragmented packet
            counts as one packet";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf tx-octets {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner octets sent.  This is
            inner packet octets only.  Does not count padding.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
     }

     grouping iptfs-outer-tx-stat-grouping {
       description
         "IP-TFS outbound outer packet statistics";
       leaf tx-all-pad-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of transmitted IP-TFS packets that
            were all padding with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3";
       }
       leaf tx-all-pad-octets {
         type yang:counter64;
         config false;
         description
           "Total number transmitted octets of padding added to
            IP-TFS packets with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3";
       }
       leaf tx-extra-pad-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of transmitted outer IP-TFS packets
            that included some padding.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3.1";
       }
       leaf tx-extra-pad-octets {
         type yang:counter64;
         config false;
         description
           "Total number of transmitted octets of padding added
            to outer IP-TFS packets with data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3.1";
       }
     }

     grouping iptfs-inner-rx-stat-grouping {
       description
         "IP-TFS inner packet inbound statistics";
       leaf rx-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner packets received.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2";
       }
       leaf rx-octets {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner octets received.  Does
            not include padding or overhead";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2";
       }
       leaf rx-incomplete-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner packets that were
            incomplete.  Usually this is due to fragments not
            received.  Also, this may be due to misordering or
            errors in received outer packets.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
     }
     grouping iptfs-outer-rx-stat-grouping {
       description
         "IP-TFS outer packet inbound statistics";
       leaf rx-all-pad-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of received IP-TFS packets that were
            all padding with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3";
       }
       leaf rx-all-pad-octets {
         type yang:counter64;
         config false;
         description
           "Total number received octets of padding added to
            IP-TFS packets with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3";
       }
       leaf rx-extra-pad-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of received outer IP-TFS packets that
            included some padding.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3.1";
       }
       leaf rx-extra-pad-octets {
         type yang:counter64;
         config false;
         description
           "Total number of received octets of padding added to
            outer IP-TFS packets with data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3.1";
       }
       leaf rx-errored-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS outer packets dropped due to
            errors.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf rx-missed-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS outer packets missing
            indicated by missing sequence number.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
     }

     grouping iptfs-config {
       description
         "This is the grouping for iptfs configuration";
       container traffic-flow-security {
         description
           "Configure the IPsec TFS in Security
            Association Database (SAD)";
         leaf congestion-control {
           type boolean;
           default "true";
           description
             "When set to true, the default, this enables the
              congestion control on-the-wire exchange of data that
              is required by congestion control algorithms as
              defined by RFC 5348.  When set to false, IP-TFS
              sends fixed-sized packets over an IP-TFS tunnel
              at a constant rate.";
           reference
             "draft-ietf-ipsecme-iptfs section 2.5.2, RFC 5348";
         }
         container packet-size {
           description
             "Packet size is either auto-discovered or manually
              configured.";
           leaf use-path-mtu-discovery {
             type boolean;
             default "true";
             description
               "Utilize path mtu discovery to determine maximum IP-TFS
                packet size.  If the packet size is explicitly
                configured, then it will only be adjusted downward
                if use-path-mtu-discovery is set.";
             reference
               "draft-ietf-ipsecme-iptfs section 4.2";
           }
           leaf outer-packet-size {
             type uint16;
             description
               "The size of the outer encapsulating tunnel packet (i.e.,
                the IP packet containing the ESP payload).";
             reference
               "draft-ietf-ipsecme-iptfs section 4.2";
           }
         }
         choice tunnel-rate {
           description
             "TFS bit rate may be specified at layer 2 wire
              rate or layer 3 packet rate";
           leaf l2-fixed-rate {
             type yang:counter64;
             description
               "Target bandwidth/bit rate in bps for iptfs tunnel.  This
                fixed rate is the nominal timing for the fixed size packet.
                If congestion control is enabled the rate may be adjusted
                down (or up if unset).";
             reference
               "draft-ietf-ipsecme-iptfs section 4.1";
           }
           leaf l3-fixed-rate {
             type yang:counter64;
             description
               "Target bandwidth/bit rate in bps for iptfs tunnel.  This
                fixed rate is the nominal timing for the fixed size packet.
                If congestion control is enabled the rate may be adjusted
                down (or up if unset).";
             reference
               "draft-ietf-ipsecme-iptfs section 4.1";
           }
         }
         leaf dont-fragment {
           type boolean;
           default "false";
           description
             "Disable packet fragmentation across consecutive iptfs
              tunnel packets";
           reference
             "draft-ietf-ipsecme-iptfs section 2.2.4 and 6.4.1";
         }
         leaf max-aggregation-time {
           type decimal64 {
             fraction-digits 6;
           }
           units "milliseconds";
           description
             "Maximum Aggregation Time in Milliseconds
              or fractional milliseconds down to 1 nanosecond";
         }
       }
     }

     /*
      * IP-TFS ike configuration
      */

     augment "/nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd/"
           + "nsfike:spd-entry/"
           + "nsfike:ipsec-policy-config/"
           + "nsfike:processing-info/"
           + "nsfike:ipsec-sa-cfg" {
       description
         "IP-TFS configuration for this policy.";
       uses iptfs-config;
     }

     augment "/nsfike:ipsec-ike/nsfike:conn-entry/"
           + "nsfike:child-sa-info" {
       description
         "IP-TFS configured on this SA.";
       uses iptfs-config {
         refine "traffic-flow-security" {
           config false;
         }
       }
     }

     /*
      * IP-TFS ikeless configuration
      */

     augment "/nsfikels:ipsec-ikeless/nsfikels:spd/"
           + "nsfikels:spd-entry/"
           + "nsfikels:ipsec-policy-config/"
           + "nsfikels:processing-info/"
           + "nsfikels:ipsec-sa-cfg" {
       description
         "IP-TFS configuration for this policy.";
       uses iptfs-config;
     }

     augment "/nsfikels:ipsec-ikeless/nsfikels:sad/"
           + "nsfikels:sad-entry" {
       description
         "IP-TFS configured on this SA.";

       uses iptfs-config {
         refine "traffic-flow-security" {
           config false;
         }
       }
     }

     /*
      * packet counters
      */

     augment "/nsfike:ipsec-ike/nsfike:conn-entry/"
           + "nsfike:child-sa-info" {
       description
         "Per SA Counters";
       container ipsec-stats {
         if-feature "ipsec-stats";
         config false;
         description
           "IPsec per SA packet counters.";
         uses ipsec-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses ipsec-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
       container iptfs-inner-pkt-stats {
         if-feature "iptfs-stats";
         config false;
         description
           "IPTFS per SA inner packet counters.";
         uses iptfs-inner-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses iptfs-inner-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
       container iptfs-outer-pkt-stats {
         if-feature "iptfs-stats";
         config false;
         description
           "IPTFS per SA outer packets counters.";
         uses iptfs-outer-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses iptfs-outer-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
     }

     /*
      * packet counters
      */

     augment "/nsfikels:ipsec-ikeless/nsfikels:sad/"
           + "nsfikels:sad-entry" {
       description
         "Per SA Counters";
       container ipsec-stats {
         if-feature "ipsec-stats";
         description
           "IPsec per SA packet counters.";
         uses ipsec-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses ipsec-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
       container iptfs-inner-pkt-stats {
         if-feature "iptfs-stats";
         config false;
         description
           "IPTFS per SA inner packet counters.";
         uses iptfs-inner-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses iptfs-inner-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
       container iptfs-outer-pkt-stats {
         if-feature "iptfs-stats";
         config false;
         description
           "IPTFS per SA outer packets counters.";
         uses iptfs-outer-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses iptfs-outer-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }

     }
   }
   <CODE ENDS>

4.  IANA Considerations

4.1.  Updates to the IETF XML Registry

   This document registers a URI in the "IETF XML Registry" [RFC3688].
   Following the format in [RFC3688], the following registration has
   been made:

   URI:
      urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs

   Registrant Contact:
      The IESG.

   XML:
      N/A; the requested URI is an XML namespace.

4.2.  Updates to the YANG Module Names Registry

   This document registers one YANG module in the "YANG Module Names"
   registry [RFC6020].  Following the format in [RFC6020], the following
   registration has been made:

   name:
      ietf-ipsec-iptfs

   namespace:
      urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs

   prefix:
      iptfs

   reference:
      RFC XXXX (RFC Ed.: replace XXXX with actual RFC number and remove
      this note.)

5.  Security Considerations

   The YANG module specified in this document defines a schema for data
   that is designed to be accessed via network management protocols such
   as NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer
   is the secure transport layer, and the mandatory-to-implement secure
   transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer
   is HTTPS, and the mandatory-to-implement secure transport is TLS
   [RFC8446].

   The Network Configuration Access Control Model (NACM) [RFC8341]
   provides the means to restrict access for particular NETCONF or
   RESTCONF users to a preconfigured subset of all available NETCONF or
   RESTCONF protocol operations and content.

   The YANG module defined in this document can enable, disable and
   modify the behavior of IP traffic flow security; for the implications
   of such changes, consult [I-D.ietf-ipsecme-iptfs], which defines the
   functionality.

6.  Acknowledgements

   The authors would like to thank Eric Kinzie and Juergen Schoenwaelder
   for their feedback and review on the YANG model.

7.  References

7.1.  Normative References

   [I-D.ietf-ipsecme-iptfs]
              Hopps, C., "IP-TFS: Aggregation and Fragmentation Mode for
              ESP and its Use for IP Traffic Flow Security", Work in
              Progress, Internet-Draft, draft-ietf-ipsecme-iptfs-11, 24
              October 2021.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
              December 2005.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [RFC9061]  Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
              Garcia, "A YANG Data Model for IPsec Flow Protection Based
              on Software-Defined Networking (SDN)", RFC 9061,
              DOI 10.17487/RFC9061, July 2021.

7.2.  Informative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC5348]  Floyd, S., Handley, M., Padhye, J., and J. Widmer, "TCP
              Friendly Rate Control (TFRC): Protocol Specification",
              RFC 5348, DOI 10.17487/RFC5348, September 2008.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.
   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

Appendix A.  Examples

   The following examples show configuration and operational data for
   the ikeless case in XML and the ike case in JSON.  Also, the
   operational statistics for the ikeless case are shown using XML.

A.1.  Example XML Configuration

   This example illustrates configuration for IP-TFS in the ikeless
   case.  Note that since this augments the ipsec ikeless schema, only
   the minimal ikeless configuration needed to satisfy the schema has
   been populated.

   <ipsec-ikeless
     xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless">
     <spd>
       <spd-entry>
         <name>protect-policy-1</name>
         <direction>outbound</direction>
         <ipsec-policy-config>
           <traffic-selector>
             <local-prefix>192.0.2.0/16</local-prefix>
             <remote-prefix>198.51.100.0/16</remote-prefix>
           </traffic-selector>
           <processing-info>
             <action>protect</action>
             <ipsec-sa-cfg>
               <traffic-flow-security
                 xmlns="urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs">
                 <congestion-control>true</congestion-control>
                 <packet-size>
                   <use-path-mtu-discovery>true</use-path-mtu-discovery>
                 </packet-size>
                 <l2-fixed-rate>1000000000</l2-fixed-rate>
                 <max-aggregation-time>0.1</max-aggregation-time>
               </traffic-flow-security>
             </ipsec-sa-cfg>
           </processing-info>
         </ipsec-policy-config>
       </spd-entry>
     </spd>
   </ipsec-ikeless>

                 Figure 1: Example IP-TFS XML configuration

A.2.  Example XML Operational Data

   This example illustrates operational data for IP-TFS in the ikeless
   case.  Note that since this augments the ipsec ikeless schema, only
   the minimal ikeless configuration needed to satisfy the schema has
   been populated.

   <ipsec-ikeless
     xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless">
     <sad>
       <sad-entry>
         <name>sad-1</name>
         <ipsec-sa-config>
           <spi>1</spi>
           <traffic-selector>
             <local-prefix>2001:DB8::0/16</local-prefix>
             <remote-prefix>2001:DB8::1:0/16</remote-prefix>
           </traffic-selector>
         </ipsec-sa-config>
         <traffic-flow-security
           xmlns="urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs">
           <congestion-control>true</congestion-control>
           <packet-size>
             <use-path-mtu-discovery>true</use-path-mtu-discovery>
           </packet-size>
           <l2-fixed-rate>1000000000</l2-fixed-rate>
           <max-aggregation-time>0.100</max-aggregation-time>
         </traffic-flow-security>
       </sad-entry>
     </sad>
   </ipsec-ikeless>

                Figure 2: Example IP-TFS XML Operational data

A.3.  Example JSON Configuration

   This example illustrates config data for IP-TFS in the ike case.
   Note that since this augments the ipsec ike schema, only the minimal
   ike configuration needed to satisfy the schema has been populated.

   {
     "ietf-i2nsf-ike:ipsec-ike": {
       "ietf-i2nsf-ike:conn-entry": [
         {
           "name": "my-peer-connection",
           "ike-sa-encr-alg": [
             {
               "id": 1,
               "algorithm-type": 12,
               "key-length": 128
             }
           ],
           "local": {
             "local-pad-entry-name": "local-1"
           },
           "remote": {
             "remote-pad-entry-name": "remote-1"
           },
           "ietf-i2nsf-ike:spd": {
             "spd-entry": [
               {
                 "name": "protect-policy-1",
                 "ipsec-policy-config": {
                   "traffic-selector": {
                     "local-prefix": "192.0.2.0/16",
                     "remote-prefix": "198.51.100.0/16"
                   },
                   "processing-info": {
                     "action": "protect",
                     "ipsec-sa-cfg": {
                       "ietf-ipsec-iptfs:traffic-flow-security": {
                         "congestion-control": "true",
                         "l2-fixed-rate": 1000000000,
                         "packet-size": {
                           "use-path-mtu-discovery": "true"
                         },
                         "max-aggregation-time": "0.1"
                       }
                     }
                   }
                 }
               }
             ]
           }
         }
       ]
     }
   }

                Figure 3: Example IP-TFS JSON configuration

A.4.  Example JSON Operational Data

   This example illustrates operational data for IP-TFS in the ike case.
   Note that since this augments the ipsec ike tree, only the minimal
   ike configuration needed to satisfy the schema has been populated.

   {
     "ietf-i2nsf-ike:ipsec-ike": {
       "ietf-i2nsf-ike:conn-entry": [
         {
           "name": "my-peer-connection",
           "ike-sa-encr-alg": [
             {
               "id": 1,
               "algorithm-type": 12,
               "key-length": 128
             }
           ],
           "local": {
             "local-pad-entry-name": "local-1"
           },
           "remote": {
             "remote-pad-entry-name": "remote-1"
           },
           "ietf-i2nsf-ike:child-sa-info": {
             "ietf-ipsec-iptfs:traffic-flow-security": {
               "congestion-control": "true",
               "l2-fixed-rate": 1000000000,
               "packet-size": {
                 "use-path-mtu-discovery": "true"
               },
               "max-aggregation-time": "0.1"
             }
           }
         }
       ]
     }
   }

               Figure 4: Example IP-TFS JSON Operational data

A.5.  Example JSON Operational Statistics

   This example shows the JSON formatted statistics for IP-TFS.  Note
   that a unidirectional IP-TFS transmit side is illustrated, with
   arbitrary numbers for transmit.

   {
     "ietf-i2nsf-ikeless:ipsec-ikeless": {
       "sad": {
         "sad-entry": [
           {
             "name": "sad-1",
             "ipsec-sa-config": {
               "spi": 1,
               "traffic-selector": {
                 "local-prefix": "192.0.2.1/16",
                 "remote-prefix": "198.51.100.0/16"
               }
             },
             "ietf-ipsec-iptfs:ipsec-stats": {
               "tx-pkts": "300",
               "tx-octets": "80000",
               "tx-drop-pkts": "2",
               "rx-pkts": "0",
               "rx-octets": "0",
               "rx-drop-pkts": "0"
             },
             "ietf-ipsec-iptfs:iptfs-inner-pkt-stats": {
               "tx-pkts": "250",
               "tx-octets": "75000",
               "rx-pkts": "0",
               "rx-octets": "0",
               "rx-incomplete-pkts": "0"
             },
             "ietf-ipsec-iptfs:iptfs-outer-pkt-stats": {
               "tx-all-pad-pkts": "40",
               "tx-all-pad-octets": "40000",
               "tx-extra-pad-pkts": "200",
               "tx-extra-pad-octets": "30000",
               "rx-all-pad-pkts": "0",
               "rx-all-pad-octets": "0",
               "rx-extra-pad-pkts": "0",
               "rx-extra-pad-octets": "0",
               "rx-errored-pkts": "0",
               "rx-missed-pkts": "0"
             },
             "ipsec-sa-state": {
"sa-lifetime-current": { 1184 "time": 80000, 1185 "bytes": 4000606, 1186 "packets": 1000, 1187 "idle": 5 1188 } 1189 } 1190 } 1191 ] 1192 } 1193 } 1194 } 1196 Figure 5: Example IP-TFS JSON Statistics 1198 Authors' Addresses 1200 Don Fedyk 1201 LabN Consulting, L.L.C. 1203 Email: dfedyk@labn.net 1205 Christian Hopps 1206 LabN Consulting, L.L.C. 1208 Email: chopps@chopps.org
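The following Python script is an added example and is not part of the draft or of the ietf-ipsec-iptfs module. It reads JSON instance data of the shape shown in Figure 3 (IKE-case configuration) and Figure 5 (ikeless statistics), encoded per RFC 7951, locates the IP-TFS augmentation by its module-qualified name, checks that its leaves are encoded with the JSON types RFC 7951 prescribes (booleans as JSON booleans, decimal64 and counter64 as strings), and derives from the outer-packet counters the fraction of transmitted octets that were padding. The two sample documents are constructed inline from the values in those figures; the warning it raises when congestion control is disabled is the example's own operational check, not a rule from the module.

```python
"""Added example (not from the draft): inspect IP-TFS YANG instance data
encoded per RFC 7951 and derive a padding-overhead figure from its stats."""
from decimal import Decimal, InvalidOperation

# Module-qualified node names exactly as they appear in the draft's JSON figures.
IKE = "ietf-i2nsf-ike:ipsec-ike"
IKELESS = "ietf-i2nsf-ikeless:ipsec-ikeless"
TFS = "ietf-ipsec-iptfs:traffic-flow-security"
STATS = "ietf-ipsec-iptfs:ipsec-stats"
OUTER = "ietf-ipsec-iptfs:iptfs-outer-pkt-stats"

# Constructed sample: the IP-TFS part of Figure 3 (IKE case), with the YANG
# booleans encoded as JSON booleans as RFC 7951 requires.
IKE_CONFIG = {
    IKE: {
        "ietf-i2nsf-ike:conn-entry": [{
            "name": "my-peer-connection",
            "ietf-i2nsf-ike:spd": {
                "spd-entry": [{
                    "name": "protect-policy-1",
                    "ipsec-policy-config": {
                        "processing-info": {
                            "action": "protect",
                            "ipsec-sa-cfg": {
                                TFS: {
                                    "congestion-control": True,
                                    "l2-fixed-rate": 1000000000,
                                    "packet-size": {"use-path-mtu-discovery": True},
                                    "max-aggregation-time": "0.1",
                                }
                            },
                        }
                    },
                }]
            },
        }]
    }
}

# Constructed sample: the transmit counters of Figure 5 (counter64 values are
# JSON strings per RFC 7951).
STATS_DOC = {
    IKELESS: {
        "sad": {
            "sad-entry": [{
                "name": "sad-1",
                STATS: {"tx-pkts": "300", "tx-octets": "80000", "tx-drop-pkts": "2"},
                OUTER: {
                    "tx-all-pad-pkts": "40", "tx-all-pad-octets": "40000",
                    "tx-extra-pad-pkts": "200", "tx-extra-pad-octets": "30000",
                },
            }]
        }
    }
}


def tfs_settings(doc):
    """Map each SPD entry name to its traffic-flow-security node (IKE case)."""
    found = {}
    for conn in doc.get(IKE, {}).get("ietf-i2nsf-ike:conn-entry", []):
        for entry in conn.get("ietf-i2nsf-ike:spd", {}).get("spd-entry", []):
            sa_cfg = (entry.get("ipsec-policy-config", {})
                      .get("processing-info", {})
                      .get("ipsec-sa-cfg", {}))
            if TFS in sa_cfg:
                found[entry["name"]] = sa_cfg[TFS]
    return found


def check_tfs(tfs):
    """Return a list of encoding or policy problems for one traffic-flow-security node."""
    problems = []
    cc = tfs.get("congestion-control")
    if not isinstance(cc, bool):
        problems.append(f"congestion-control must be a JSON boolean, got {cc!r}")
    elif not cc:
        # Example policy (not from the draft): a fixed rate sent without
        # congestion control ignores path congestion, so flag it for review.
        problems.append("congestion-control is off: fixed rate ignores path congestion")
    pmtu = tfs.get("packet-size", {}).get("use-path-mtu-discovery")
    if pmtu is not None and not isinstance(pmtu, bool):
        problems.append(f"use-path-mtu-discovery must be a JSON boolean, got {pmtu!r}")
    rate = tfs.get("l2-fixed-rate")
    if rate is not None and (isinstance(rate, bool) or not isinstance(rate, int) or rate <= 0):
        problems.append(f"l2-fixed-rate must be a positive integer, got {rate!r}")
    agg = tfs.get("max-aggregation-time")
    if agg is not None:
        try:
            if not isinstance(agg, str) or Decimal(agg) <= 0:
                raise InvalidOperation
        except InvalidOperation:
            problems.append(f"max-aggregation-time must be a positive decimal64 string, got {agg!r}")
    return problems


def pad_overhead(doc):
    """Fraction of transmitted octets that were padding, per SA (None if nothing sent)."""
    result = {}
    for sa in doc.get(IKELESS, {}).get("sad", {}).get("sad-entry", []):
        tx = int(sa.get(STATS, {}).get("tx-octets", "0"))
        outer = sa.get(OUTER, {})
        pad = (int(outer.get("tx-all-pad-octets", "0"))
               + int(outer.get("tx-extra-pad-octets", "0")))
        result[sa["name"]] = pad / tx if tx else None
    return result


if __name__ == "__main__":
    for name, tfs in tfs_settings(IKE_CONFIG).items():
        print(name, check_tfs(tfs) or "ok")
    print(pad_overhead(STATS_DOC))
```

With the Figure 5 counters, 40000 full-pad octets plus 30000 extra-pad octets out of 80000 transmitted gives a padding fraction of 0.875; on a live system that ratio, tracked over time, is the simplest indicator of how much of the fixed rate is carrying real inner traffic.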