Network Working Group                                           D. Fedyk
Internet-Draft                                                  C. Hopps
Intended status: Standards Track                 LabN Consulting, L.L.C.
Expires: 15 May 2022                                    11 November 2021

             A YANG Data Model for IP Traffic Flow Security
                    draft-ietf-ipsecme-yang-iptfs-03

Abstract

   This document describes a YANG module for the management of IP
   Traffic Flow Security additions to IKEv2 and IPsec.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 15 May 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology & Concepts
   2.  Overview
   3.  YANG Management
     3.1.  YANG Tree
     3.2.  YANG Module
   4.  IANA Considerations
     4.1.  Updates to the IETF XML Registry
     4.2.  Updates to the YANG Module Names Registry
   5.  Security Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Examples
     A.1.  Example XML Configuration
     A.2.  Example XML Operational Data
     A.3.  Example JSON Configuration
     A.4.  Example JSON Operational Data
     A.5.  Example JSON Operational Statistics
   Authors' Addresses

1.  Introduction

   This document defines a YANG module [RFC7950] for the management of
   the IP Traffic Flow Security (IP-TFS) extensions as defined in
   [I-D.ietf-ipsecme-iptfs].  IP-TFS provides enhancements to an IPsec
   tunnel Security Association to provide improved traffic
   confidentiality.  Traffic confidentiality reduces the ability of
   traffic analysis to determine identity and correlate observable
   traffic patterns.  IP-TFS offers efficiency when aggregating traffic
   in fixed size IPsec tunnel packets.

   The YANG data model in this document conforms to the Network
   Management Datastore Architecture (NMDA) defined in [RFC8342].

   The published YANG modules for IPsec are defined in [RFC9061].  This
   document uses these models as a general IPsec model that is augmented
   for IP-TFS.  The models in [RFC9061] provide for both an IKE and an
   IKELESS model.

1.1.  Terminology & Concepts

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119] [RFC8174] when, and only when, they appear in all capitals,
   as shown here.

2.  Overview

   This document defines configuration and operational parameters of IP
   traffic flow security (IP-TFS).  IP-TFS, defined in
   [I-D.ietf-ipsecme-iptfs], defines a security association for tunnel
   mode IPsec with characteristics that improve traffic confidentiality
   and reduce bandwidth efficiency loss.  These documents assume
   familiarity with IP security concepts described in [RFC4301].

   IP-TFS uses tunnel mode to improve confidentiality by hiding inner
   packet identifiable information, packet size and packet timing.
   IP-TFS provides a general capability allowing aggregation of multiple
   packets in uniform size outer tunnel IPsec packets.  It maintains the
   outer packet size by utilizing combinations of aggregating, padding
   and fragmenting inner packets to fill out the IPsec outer tunnel
   packet.  Zero byte padding is used to fill the packet when no data is
   available to send.

   This document specifies an extensible configuration model for IP-TFS.
   This version utilizes the capabilities of IP-TFS to configure fixed
   size IP-TFS packets that are transmitted at a constant rate.  This
   model is structured to allow for different types of operation through
   future augmentation.

   IP-TFS YANG augments the IPsec YANG model from [RFC9061].  IP-TFS
   makes use of IPsec tunnel mode and adds a small number of
   configuration items to tunnel mode IPsec.  As defined in
   [I-D.ietf-ipsecme-iptfs], any SA configured to use IP-TFS supports
   only IP-TFS packets, i.e., no mixed IPsec modes.

   The behavior for IP-TFS is controlled by the source.  The
   self-describing format of IP-TFS packets allows a sending side to
   adjust the packet size and timing independently from any receiver.
   Both directions are also independent, e.g., IP-TFS may be run only in
   one direction.  This means that counters, which are created here for
   both directions, may be 0 or not updated in the case of an SA that
   uses IP-TFS only in one direction.

   Cases where IP-TFS statistics are active for one direction:

   *  SA one direction - IP-TFS enabled

   *  SA both directions - IP-TFS only enabled in one direction

   Case where IP-TFS statistics are active for both directions:

   *  SA both directions - IP-TFS enabled for both directions

   The IP-TFS model supports IP-TFS configuration and operational data.

   This YANG module supports configuration of fixed size and fixed rate
   packets, and elements that may be augmented to support future
   configuration.  The protocol specification [I-D.ietf-ipsecme-iptfs]
   goes beyond this simple fixed mode of operation by defining a general
   format for any type of scheme.  In this document the outer IPsec
   packets can be sent with fixed or variable size (without padding).
   The configuration allows the fixed packet size to be determined by
   the path MTU.  The fixed packet size can also be configured if a
   value lower than the path MTU is desired.

   Other configuration items include:

   *  Congestion Control.  A congestion control setting to allow IP-TFS
      to reduce the packet rate when congestion is detected.

   *  Fixed Rate configuration.  The IP-TFS tunnel rate can be
      configured taking into account either layer 2 overhead or layer 3
      overhead.  Layer 3 overhead is the IP data rate and layer 2
      overhead is the rate of bits on the link.  The combination of
      packet size and rate determines the nominal maximum bandwidth and
      the transmission interval when fixed size packets are used.

   *  User packet Fragmentation Control.  While fragmentation is
      recommended for improved efficiency, a configuration is provided
      if users wish to observe the effect of no-fragmentation on their
      data flows.

   The YANG operational data allows the readout of the configured
   parameters as well as the per SA statistics and error counters for
   IP-TFS.  Per SA IPsec packet statistics are provided as a feature and
   per SA IP-TFS specific statistics as another feature.  Both sets of
   statistics augment the IPsec YANG models with counters that allow
   observation of IP-TFS packet efficiency.

   [RFC9061] defines a set of IPsec YANG management objects.  IP-TFS
   YANG augments the IKE and the IKELESS models.  In these models the
   Security Policy database entry and Security Association entry for an
   IPsec Tunnel can be augmented with IP-TFS.

3.  YANG Management

3.1.  YANG Tree

   The following is the YANG tree diagram ([RFC8340]) for the IP-TFS
   extensions.

   module: ietf-ipsec-iptfs
     augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd
               /nsfike:spd-entry/nsfike:ipsec-policy-config
               /nsfike:processing-info/nsfike:ipsec-sa-cfg:
       +--rw traffic-flow-security
          +--rw congestion-control?            boolean
          +--rw packet-size
          |  +--rw use-path-mtu-discovery?   boolean
          |  +--rw outer-packet-size?        uint16
          +--rw (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--rw l2-fixed-rate?         yang:counter64
          |  +--:(l3-fixed-rate)
          |     +--rw l3-fixed-rate?         yang:counter64
          +--rw dont-fragment?                 boolean
          +--rw max-aggregation-time?          decimal64
          +--rw window-size?                   uint16
          +--rw send-immediately?              boolean
          +--rw lost-packet-timer-interval?    decimal64
     augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info:
       +--ro traffic-flow-security
          +--ro congestion-control?            boolean
          +--ro packet-size
          |  +--ro use-path-mtu-discovery?   boolean
          |  +--ro outer-packet-size?        uint16
          +--ro (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--ro l2-fixed-rate?         yang:counter64
          |  +--:(l3-fixed-rate)
          |     +--ro l3-fixed-rate?         yang:counter64
          +--ro dont-fragment?                 boolean
          +--ro max-aggregation-time?          decimal64
          +--ro window-size?                   uint16
          +--ro send-immediately?              boolean
          +--ro lost-packet-timer-interval?    decimal64
     augment /nsfikels:ipsec-ikeless/nsfikels:spd/nsfikels:spd-entry
               /nsfikels:ipsec-policy-config/nsfikels:processing-info
               /nsfikels:ipsec-sa-cfg:
       +--rw traffic-flow-security
          +--rw congestion-control?            boolean
          +--rw packet-size
          |  +--rw use-path-mtu-discovery?   boolean
          |  +--rw outer-packet-size?        uint16
          +--rw (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--rw l2-fixed-rate?         yang:counter64
          |  +--:(l3-fixed-rate)
          |     +--rw l3-fixed-rate?         yang:counter64
          +--rw dont-fragment?                 boolean
          +--rw max-aggregation-time?          decimal64
          +--rw window-size?                   uint16
          +--rw send-immediately?              boolean
          +--rw lost-packet-timer-interval?    decimal64
     augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry:
       +--ro traffic-flow-security
          +--ro congestion-control?            boolean
          +--ro packet-size
          |  +--ro use-path-mtu-discovery?   boolean
          |  +--ro outer-packet-size?        uint16
          +--ro (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--ro l2-fixed-rate?         yang:counter64
          |  +--:(l3-fixed-rate)
          |     +--ro l3-fixed-rate?         yang:counter64
          +--ro dont-fragment?                 boolean
          +--ro max-aggregation-time?          decimal64
          +--ro window-size?                   uint16
          +--ro send-immediately?              boolean
          +--ro lost-packet-timer-interval?    decimal64
     augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info:
       +--ro ipsec-stats {ipsec-stats}?
       |  +--ro tx-pkts?                yang:counter64
       |  +--ro tx-octets?              yang:counter64
       |  +--ro tx-drop-pkts?           yang:counter64
       |  +--ro rx-pkts?                yang:counter64
       |  +--ro rx-octets?              yang:counter64
       |  +--ro rx-drop-pkts?           yang:counter64
       +--ro iptfs-inner-pkt-stats {iptfs-stats}?
       |  +--ro tx-pkts?                yang:counter64
       |  +--ro tx-octets?              yang:counter64
       |  +--ro rx-pkts?                yang:counter64
       |  +--ro rx-octets?              yang:counter64
       |  +--ro rx-incomplete-pkts?     yang:counter64
       +--ro iptfs-outer-pkt-stats {iptfs-stats}?
          +--ro tx-all-pad-pkts?        yang:counter64
          +--ro tx-all-pad-octets?      yang:counter64
          +--ro tx-extra-pad-pkts?      yang:counter64
          +--ro tx-extra-pad-octets?    yang:counter64
          +--ro rx-all-pad-pkts?        yang:counter64
          +--ro rx-all-pad-octets?      yang:counter64
          +--ro rx-extra-pad-pkts?      yang:counter64
          +--ro rx-extra-pad-octets?    yang:counter64
          +--ro rx-errored-pkts?        yang:counter64
          +--ro rx-missed-pkts?         yang:counter64
     augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry:
       +--rw ipsec-stats {ipsec-stats}?
       |  +--ro tx-pkts?                yang:counter64
       |  +--ro tx-octets?              yang:counter64
       |  +--ro tx-drop-pkts?           yang:counter64
       |  +--ro rx-pkts?                yang:counter64
       |  +--ro rx-octets?              yang:counter64
       |  +--ro rx-drop-pkts?           yang:counter64
       +--ro iptfs-inner-pkt-stats {iptfs-stats}?
       |  +--ro tx-pkts?                yang:counter64
       |  +--ro tx-octets?              yang:counter64
       |  +--ro rx-pkts?                yang:counter64
       |  +--ro rx-octets?              yang:counter64
       |  +--ro rx-incomplete-pkts?     yang:counter64
       +--ro iptfs-outer-pkt-stats {iptfs-stats}?
          +--ro tx-all-pad-pkts?        yang:counter64
          +--ro tx-all-pad-octets?      yang:counter64
          +--ro tx-extra-pad-pkts?      yang:counter64
          +--ro tx-extra-pad-octets?    yang:counter64
          +--ro rx-all-pad-pkts?        yang:counter64
          +--ro rx-all-pad-octets?      yang:counter64
          +--ro rx-extra-pad-pkts?      yang:counter64
          +--ro rx-extra-pad-octets?    yang:counter64
          +--ro rx-errored-pkts?        yang:counter64
          +--ro rx-missed-pkts?         yang:counter64

3.2.  YANG Module

   The following is the YANG module for managing the IP-TFS extensions.
   The model contains references to [I-D.ietf-ipsecme-iptfs] and
   [RFC5348].
   <CODE BEGINS> file "ietf-ipsec-iptfs@2021-11-11.yang"
   module ietf-ipsec-iptfs {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs";
     prefix iptfs;

     import ietf-i2nsf-ike {
       prefix nsfike;
     }
     import ietf-i2nsf-ikeless {
       prefix nsfikels;
     }
     import ietf-yang-types {
       prefix yang;
     }

     organization
       "IETF IPSECME Working Group (IPSECME)";
     contact
       "WG Web:
        WG List:

        Author: Don Fedyk

        Author: Christian Hopps
       ";

     // RFC Ed.: replace XXXX with actual RFC number and
     // remove this note.

     description
       "This module defines the configuration and operational state for
        managing the IP Traffic Flow Security functionality [RFC XXXX].

        Copyright (c) 2021 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject to
        the license terms contained in, the Simplified BSD License set
        forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX
        (https://tools.ietf.org/html/rfcXXXX); see the RFC itself for
        full legal notices.";

     revision 2021-11-11 {
       description
         "Initial Revision";
       reference
         "RFC XXXX: IP Traffic Flow Security YANG Module";
     }

     feature ipsec-stats {
       description
         "This feature indicates the device supports
          per SA IPsec statistics";
     }

     feature iptfs-stats {
       description
         "This feature indicates the device supports
          per SA IP Traffic Flow Security statistics";
     }

     /*--------------------*/
     /*     groupings      */
     /*--------------------*/

     grouping ipsec-tx-stat-grouping {
       description
         "IPsec outbound statistics";
       leaf tx-pkts {
         type yang:counter64;
         config false;
         description
           "Outbound Packet count";
       }
       leaf tx-octets {
         type yang:counter64;
         config false;
         description
           "Outbound Packet bytes";
       }
       leaf tx-drop-pkts {
         type yang:counter64;
         config false;
         description
           "Outbound dropped packets count";
       }
     }

     grouping ipsec-rx-stat-grouping {
       description
         "IPsec inbound statistics";
       leaf rx-pkts {
         type yang:counter64;
         config false;
         description
           "Inbound Packet count";
       }
       leaf rx-octets {
         type yang:counter64;
         config false;
         description
           "Inbound Packet bytes";
       }
       leaf rx-drop-pkts {
         type yang:counter64;
         config false;
         description
           "Inbound dropped packets count";
       }
     }

     grouping iptfs-inner-tx-stat-grouping {
       description
         "IP-TFS outbound inner packet statistics";
       leaf tx-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner packets sent.  This
            count is whole packets only.  A fragmented packet
            counts as one packet";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf tx-octets {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner octets sent.  This is
            inner packet octets only.  Does not count padding.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
     }

     grouping iptfs-outer-tx-stat-grouping {
       description
         "IP-TFS outbound outer packet statistics";
       leaf tx-all-pad-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of transmitted IP-TFS packets that
            were all padding with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3";
       }
       leaf tx-all-pad-octets {
         type yang:counter64;
         config false;
         description
           "Total number transmitted octets of padding added to
            IP-TFS packets with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3";
       }
       leaf tx-extra-pad-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of transmitted outer IP-TFS packets
            that included some padding.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3.1";
       }
       leaf tx-extra-pad-octets {
         type yang:counter64;
         config false;
         description
           "Total number of transmitted octets of padding added
            to outer IP-TFS packets with data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3.1";
       }
     }

     grouping iptfs-inner-rx-stat-grouping {
       description
         "IP-TFS inner packet inbound statistics";
       leaf rx-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner packets received.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2";
       }
       leaf rx-octets {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner octets received.  Does
            not include padding or overhead";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2";
       }
       leaf rx-incomplete-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner packets that were
            incomplete.  Usually this is due to fragments not
            received.  Also, this may be due to misordering or
            errors in received outer packets.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
     }

     grouping iptfs-outer-rx-stat-grouping {
       description
         "IP-TFS outer packet inbound statistics";
       leaf rx-all-pad-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of received IP-TFS packets that were
            all padding with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3";
       }
       leaf rx-all-pad-octets {
         type yang:counter64;
         config false;
         description
           "Total number received octets of padding added to
            IP-TFS packets with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3";
       }
       leaf rx-extra-pad-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of received outer IP-TFS packets that
            included some padding.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3.1";
       }
       leaf rx-extra-pad-octets {
         type yang:counter64;
         config false;
         description
           "Total number of received octets of padding added to
            outer IP-TFS packets with data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3.1";
       }
       leaf rx-errored-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS outer packets dropped due to
            errors.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf rx-missed-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS outer packets missing
            indicated by missing sequence number.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
     }

     grouping iptfs-config {
       description
         "This is the grouping for iptfs configuration";
       container traffic-flow-security {
         description
           "Configure the IPSec TFS in Security
            Association Database (SAD)";
         leaf congestion-control {
           type boolean;
           default "true";
           description
             "When set to true, the default, this enables the
              congestion control on-the-wire exchange of data that is
              required by congestion control algorithms as defined by
              RFC 5348.  When set to false, IP-TFS sends fixed-sized
              packets over an IP-TFS tunnel at a constant rate.";
           reference
             "draft-ietf-ipsecme-iptfs section 2.5.2, RFC 5348";
         }
         container packet-size {
           description
             "Packet size is either auto-discovered or manually
              configured.";
           leaf use-path-mtu-discovery {
             type boolean;
             default "true";
             description
               "Utilize path mtu discovery to determine maximum
                IP-TFS packet size.  If the packet size is explicitly
                configured, then it will only be adjusted downward if
                use-path-mtu-discovery is set.";
             reference
               "draft-ietf-ipsecme-iptfs section 4.2";
           }
           leaf outer-packet-size {
             type uint16;
             description
               "The size of the outer encapsulating tunnel packet (i.e.,
                the IP packet containing the ESP payload).";
             reference
               "draft-ietf-ipsecme-iptfs section 4.2";
           }
         }
         choice tunnel-rate {
           description
             "TFS bit rate may be specified at layer 2 wire
              rate or layer 3 packet rate";
           leaf l2-fixed-rate {
             type yang:counter64;
             description
               "Target bandwidth/bit rate in bps for iptfs tunnel.
                This fixed rate is the nominal timing for the fixed
                size packet.  If congestion control is enabled the
                rate may be adjusted down (or up if unset).";
             reference
               "draft-ietf-ipsecme-iptfs section 4.1";
           }
           leaf l3-fixed-rate {
             type yang:counter64;
             description
               "Target bandwidth/bit rate in bps for iptfs tunnel.
                This fixed rate is the nominal timing for the fixed
                size packet.  If congestion control is enabled the
                rate may be adjusted down (or up if unset).";
             reference
               "draft-ietf-ipsecme-iptfs section 4.1";
           }
         }
         leaf dont-fragment {
           type boolean;
           default "false";
           description
             "Disable packet fragmentation across consecutive iptfs
              tunnel packets";
           reference
             "draft-ietf-ipsecme-iptfs section 2.2.4 and 6.4.1";
         }
         leaf max-aggregation-time {
           type decimal64 {
             fraction-digits 6;
           }
           units "milliseconds";
           description
             "Maximum aggregation time is the maximum length of time
              a received inner packet can be held prior to
              transmission in the iptfs tunnel.  Inner packets that
              would be held longer than this time, based on the
              current tunnel configuration will be dropped rather
              than be queued for transmission.  Maximum aggregation
              time is configurable in milliseconds or fractional
              milliseconds down to 1 nanosecond.";
         }
         leaf window-size {
           type uint16 {
             range "0..65535";
           }
           description
             "The maximum number of out-of-order packets that will be
              reordered by an iptfs receiver while performing the
              reordering operation.  The value 0 disables any
              reordering.";
           reference
             "draft-ietf-ipsecme-iptfs section 2.2.3";
         }
         leaf send-immediately {
           type boolean;
           default false;
           description
             "Send inner packets as soon as possible, do not wait for
              lost or misordered outer packets.  Selecting this
              option reduces the inner (user) packet delay but can
              amplify out-of-order delivery of the inner packet
              stream in the presence of packet aggregation and any
              reordering.";
           reference
             "draft-ietf-ipsecme-iptfs section 2.5";
         }
         leaf lost-packet-timer-interval {
           type decimal64 {
             fraction-digits 6;
           }
           units "milliseconds";
           description
             "This interval defines the length of time an iptfs
              receiver will wait for a missing packet before
              considering it lost.  Setting this value too low can
              impact reordering and reassembly.  The value is
              configurable in milliseconds or fractional milliseconds
              down to 1 nanosecond.";
           reference
             "draft-ietf-ipsecme-iptfs section 2.2.3";
         }
       }
     }

     /*
      * IP-TFS ike configuration
      */

     augment "/nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd/"
           + "nsfike:spd-entry/"
           + "nsfike:ipsec-policy-config/"
           + "nsfike:processing-info/"
           + "nsfike:ipsec-sa-cfg" {
       description
         "IP-TFS configuration for this policy.";
       uses iptfs-config;
     }

     augment "/nsfike:ipsec-ike/nsfike:conn-entry/"
           + "nsfike:child-sa-info" {
       description
         "IP-TFS configured on this SA.";
       uses iptfs-config {
         refine "traffic-flow-security" {
           config false;
         }
       }
     }

     /*
      * IP-TFS ikeless configuration
      */

     augment "/nsfikels:ipsec-ikeless/nsfikels:spd/"
           + "nsfikels:spd-entry/"
           + "nsfikels:ipsec-policy-config/"
           + "nsfikels:processing-info/"
           + "nsfikels:ipsec-sa-cfg" {
       description
         "IP-TFS configuration for this policy.";
       uses iptfs-config;
     }

     augment "/nsfikels:ipsec-ikeless/nsfikels:sad/"
           + "nsfikels:sad-entry" {
       description
         "IP-TFS configured on this SA.";
       uses iptfs-config {
         refine "traffic-flow-security" {
           config false;
         }
       }
     }

     /*
      * packet counters
      */

     augment "/nsfike:ipsec-ike/nsfike:conn-entry/"
           + "nsfike:child-sa-info" {
       description
         "Per SA Counters";
       container ipsec-stats {
         if-feature "ipsec-stats";
         config false;
         description
           "IPsec per SA packet counters.";
         uses ipsec-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses ipsec-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
       container iptfs-inner-pkt-stats {
         if-feature "iptfs-stats";
         config false;
         description
           "IPTFS per SA inner packet counters.";
         uses iptfs-inner-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses iptfs-inner-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
       container iptfs-outer-pkt-stats {
         if-feature "iptfs-stats";
         config false;
         description
           "IPTFS per SA outer packets counters.";
         uses iptfs-outer-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses iptfs-outer-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
     }

     /*
      * packet counters
      */

     augment "/nsfikels:ipsec-ikeless/nsfikels:sad/"
           + "nsfikels:sad-entry" {
       description
         "Per SA Counters";
       container ipsec-stats {
         if-feature "ipsec-stats";
         description
           "IPsec per SA packet counters.";
         uses ipsec-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses ipsec-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
       container iptfs-inner-pkt-stats {
         if-feature "iptfs-stats";
         config false;
         description
           "IPTFS per SA inner packet counters.";
         uses iptfs-inner-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses iptfs-inner-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
       container iptfs-outer-pkt-stats {
         if-feature "iptfs-stats";
         config false;
         description
           "IPTFS per SA outer packets counters.";
         uses iptfs-outer-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses iptfs-outer-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
     }
   }
   <CODE ENDS>

4.  IANA Considerations

4.1.  Updates to the IETF XML Registry

   This document registers a URI in the "IETF XML Registry" [RFC3688].
   Following the format in [RFC3688], the following registration has
   been made:

   URI:
      urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs

   Registrant Contact:
      The IESG.

   XML:
      N/A; the requested URI is an XML namespace.

4.2.  Updates to the YANG Module Names Registry

   This document registers one YANG module in the "YANG Module Names"
   registry [RFC6020].  Following the format in [RFC6020], the following
   registration has been made:

   name:
      ietf-ipsec-iptfs

   namespace:
      urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs

   prefix:
      iptfs

   reference:
      RFC XXXX (RFC Ed.: replace XXXX with actual RFC number and remove
      this note.)

5.  Security Considerations

   The YANG module specified in this document defines a schema for data
   that is designed to be accessed via network management protocols such
   as NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer
   is the secure transport layer, and the mandatory-to-implement secure
   transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer
   is HTTPS, and the mandatory-to-implement secure transport is TLS
   [RFC8446].

   The Network Configuration Access Control Model (NACM) [RFC8341]
   provides the means to restrict access for particular NETCONF or
   RESTCONF users to a preconfigured subset of all available NETCONF or
   RESTCONF protocol operations and content.

   The YANG module defined in this document can enable, disable and
   modify the behavior of IP traffic flow security; for the implications
   of such changes, consult [I-D.ietf-ipsecme-iptfs], which defines the
   functionality.

6.  Acknowledgements

   The authors would like to thank Eric Kinzie and Juergen Schoenwaelder
   for their feedback and review on the YANG model.

7.  References

7.1.  Normative References

   [I-D.ietf-ipsecme-iptfs]
              Hopps, C., "IP-TFS: Aggregation and Fragmentation Mode for
              ESP and its Use for IP Traffic Flow Security", Work in
              Progress, Internet-Draft, draft-ietf-ipsecme-iptfs-12, 8
              November 2021.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
              December 2005.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [RFC9061]  Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
              Garcia, "A YANG Data Model for IPsec Flow Protection Based
              on Software-Defined Networking (SDN)", RFC 9061,
              DOI 10.17487/RFC9061, July 2021.

7.2.  Informative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC5348]  Floyd, S., Handley, M., Padhye, J., and J. Widmer, "TCP
              Friendly Rate Control (TFRC): Protocol Specification",
              RFC 5348, DOI 10.17487/RFC5348, September 2008.
   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

Appendix A.  Examples

   The following examples show configuration and operational data for
   the ikeless and ike cases using XML and JSON.  The operational
   statistics for the ikeless case are also illustrated.

A.1.  Example XML Configuration

   This example illustrates configuration for IP-TFS in the ikeless
   case.  Note that since this augments the ipsec ikeless schema, only
   a minimal ikeless configuration to satisfy the schema has been
   populated.

   protect-policy-1
   outbound
   192.0.2.0/16
   198.51.100.0/16
   protect
   true
   true
   1000000000
   0.1
   5
   false
   0.2

               Figure 1: Example IP-TFS XML configuration

A.2.  Example XML Operational Data

   This example illustrates operational data for IP-TFS in the ikeless
   case.  Note that since this augments the ipsec ikeless schema, only
   a minimal ikeless configuration to satisfy the schema has been
   populated.
   sad-1
   1
   2001:DB8::0/16
   2001:DB8::1:0/16
   true
   true
   1000000000
   0.100
   0
   true
   0.200

              Figure 2: Example IP-TFS XML Operational data

A.3.  Example JSON Configuration

   This example illustrates config data for IP-TFS in the ike case.
   Note that since this augments the ipsec ike schema, only a minimal
   ike configuration to satisfy the schema has been populated.

   {
     "ietf-i2nsf-ike:ipsec-ike": {
       "ietf-i2nsf-ike:conn-entry": [
         {
           "name": "my-peer-connection",
           "ike-sa-encr-alg": [
             {
               "id": 1,
               "algorithm-type": 12,
               "key-length": 128
             }
           ],
           "local": {
             "local-pad-entry-name": "local-1"
           },
           "remote": {
             "remote-pad-entry-name": "remote-1"
           },
           "ietf-i2nsf-ike:spd": {
             "spd-entry": [
               {
                 "name": "protect-policy-1",
                 "ipsec-policy-config": {
                   "traffic-selector": {
                     "local-prefix": "192.0.2.0/16",
                     "remote-prefix": "198.51.100.0/16"
                   },
                   "processing-info": {
                     "action": "protect",
                     "ipsec-sa-cfg": {
                       "ietf-ipsec-iptfs:traffic-flow-security": {
                         "congestion-control": "true",
                         "l2-fixed-rate": 1000000000,
                         "packet-size": {
                           "use-path-mtu-discovery": "true"
                         },
                         "max-aggregation-time": "0.1",
                         "window-size": "1",
                         "send-immediately": "false",
                         "lost-packet-timer-interval": "0.2"
                       }
                     }
                   }
                 }
               }
             ]
           }
         }
       ]
     }
   }

               Figure 3: Example IP-TFS JSON configuration

A.4.  Example JSON Operational Data

   This example illustrates operational data for IP-TFS in the ike case.
   Note that since this augments the ipsec ike tree, only a minimal ike
   configuration to satisfy the schema has been populated.
   {
     "ietf-i2nsf-ike:ipsec-ike": {
       "ietf-i2nsf-ike:conn-entry": [
         {
           "name": "my-peer-connection",
           "ike-sa-encr-alg": [
             {
               "id": 1,
               "algorithm-type": 12,
               "key-length": 128
             }
           ],
           "local": {
             "local-pad-entry-name": "local-1"
           },
           "remote": {
             "remote-pad-entry-name": "remote-1"
           },
           "ietf-i2nsf-ike:child-sa-info": {
             "ietf-ipsec-iptfs:traffic-flow-security": {
               "congestion-control": "true",
               "l2-fixed-rate": 1000000000,
               "packet-size": {
                 "use-path-mtu-discovery": "true"
               },
               "max-aggregation-time": "0.1",
               "window-size": "5",
               "send-immediately": "false",
               "lost-packet-timer-interval": "0.2"
             }
           }
         }
       ]
     }
   }

              Figure 4: Example IP-TFS JSON Operational data

A.5.  Example JSON Operational Statistics

   This example shows the JSON-formatted statistics for IP-TFS.  Note
   that a unidirectional IP-TFS transmit side is illustrated, with
   arbitrary numbers for transmit.
   {
     "ietf-i2nsf-ikeless:ipsec-ikeless": {
       "sad": {
         "sad-entry": [
           {
             "name": "sad-1",
             "ipsec-sa-config": {
               "spi": 1,
               "traffic-selector": {
                 "local-prefix": "192.0.2.1/16",
                 "remote-prefix": "198.51.100.0/16"
               }
             },
             "ietf-ipsec-iptfs:traffic-flow-security": {
               "window-size": "5",
               "send-immediately": "false",
               "lost-packet-timer-interval": "0.2"
             },
             "ietf-ipsec-iptfs:ipsec-stats": {
               "tx-pkts": "300",
               "tx-octets": "80000",
               "tx-drop-pkts": "2",
               "rx-pkts": "0",
               "rx-octets": "0",
               "rx-drop-pkts": "0"
             },
             "ietf-ipsec-iptfs:iptfs-inner-pkt-stats": {
               "tx-pkts": "250",
               "tx-octets": "75000",
               "rx-pkts": "0",
               "rx-octets": "0",
               "rx-incomplete-pkts": "0"
             },
             "ietf-ipsec-iptfs:iptfs-outer-pkt-stats": {
               "tx-all-pad-pkts": "40",
               "tx-all-pad-octets": "40000",
               "tx-extra-pad-pkts": "200",
               "tx-extra-pad-octets": "30000",
               "rx-all-pad-pkts": "0",
               "rx-all-pad-octets": "0",
               "rx-extra-pad-pkts": "0",
               "rx-extra-pad-octets": "0",
               "rx-errored-pkts": "0",
               "rx-missed-pkts": "0"
             },
             "ipsec-sa-state": {
               "sa-lifetime-current": {
                 "time": 80000,
                 "bytes": 4000606,
                 "packets": 1000,
                 "idle": 5
               }
             }
           }
         ]
       }
     }
   }

                 Figure 5: Example IP-TFS JSON Statistics

Authors' Addresses

   Don Fedyk
   LabN Consulting, L.L.C.

   Email: dfedyk@labn.net

   Christian Hopps
   LabN Consulting, L.L.C.

   Email: chopps@chopps.org
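   The JSON figures in Appendix A show the ietf-ipsec-iptfs augmentations
   spliced into three different places of the ietf-i2nsf-ike and
   ietf-i2nsf-ikeless trees (an spd-entry's ipsec-sa-cfg, a child-sa-info,
   and an ikeless sad-entry).  The following is an added example, not code
   from this draft, of a monitoring helper that locates those augmented
   objects wherever they sit, converts the string-encoded counters
   (YANG uint64/decimal64 leaves are JSON strings per RFC 7951), and
   derives the ratios an operator watches on an IP-TFS SA: inner packets
   per outer packet (aggregation), the share of all-pad packets (an idle
   fixed-rate tunnel), and the share of transmitted octets that are
   padding.  The input is the Figure 5 statistics document reproduced
   inline; its counters are the draft's own arbitrary illustration values,
   so the resulting ratios are illustrative only.  Helper names are this
   example's own.

```python
"""Locate ietf-ipsec-iptfs augmentations in a RESTCONF JSON reply and
derive per-SA IP-TFS metrics.

Added example for Appendix A of this draft; not code from the draft or
from the ietf-ipsec-iptfs module.  FIGURE5 is the draft's Figure 5 data
(arbitrary illustration counters); helper names are this example's own.
"""
import json

IPTFS_PREFIX = "ietf-ipsec-iptfs:"

FIGURE5 = {
    "ietf-i2nsf-ikeless:ipsec-ikeless": {"sad": {"sad-entry": [{
        "name": "sad-1",
        "ipsec-sa-config": {"spi": 1, "traffic-selector": {
            "local-prefix": "192.0.2.1/16", "remote-prefix": "198.51.100.0/16"}},
        "ietf-ipsec-iptfs:traffic-flow-security": {
            "window-size": "5", "send-immediately": "false",
            "lost-packet-timer-interval": "0.2"},
        "ietf-ipsec-iptfs:ipsec-stats": {
            "tx-pkts": "300", "tx-octets": "80000", "tx-drop-pkts": "2",
            "rx-pkts": "0", "rx-octets": "0", "rx-drop-pkts": "0"},
        "ietf-ipsec-iptfs:iptfs-inner-pkt-stats": {
            "tx-pkts": "250", "tx-octets": "75000", "rx-pkts": "0",
            "rx-octets": "0", "rx-incomplete-pkts": "0"},
        "ietf-ipsec-iptfs:iptfs-outer-pkt-stats": {
            "tx-all-pad-pkts": "40", "tx-all-pad-octets": "40000",
            "tx-extra-pad-pkts": "200", "tx-extra-pad-octets": "30000",
            "rx-all-pad-pkts": "0", "rx-all-pad-octets": "0",
            "rx-extra-pad-pkts": "0", "rx-extra-pad-octets": "0",
            "rx-errored-pkts": "0", "rx-missed-pkts": "0"},
        "ipsec-sa-state": {"sa-lifetime-current": {
            "time": 80000, "bytes": 4000606, "packets": 1000, "idle": 5}},
    }]}}
}


def _value(leaf):
    """Decode a JSON-encoded YANG leaf: 64-bit integers and decimal64 arrive
    as strings (RFC 7951); the figures also spell booleans as strings."""
    if isinstance(leaf, str):
        if leaf in ("true", "false"):
            return leaf == "true"
        return float(leaf) if "." in leaf else int(leaf)
    return leaf


def find_iptfs_nodes(node, path=()):
    """Yield (path, obj) for every JSON object carrying at least one
    ietf-ipsec-iptfs:* child, regardless of where the augmentation landed."""
    if isinstance(node, dict):
        if any(key.startswith(IPTFS_PREFIX) for key in node):
            yield path, node
        for key, child in node.items():
            yield from find_iptfs_nodes(child, path + (key,))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from find_iptfs_nodes(child, path + (index,))


def summarize_sa(obj):
    """Config plus derived metrics for one augmented object (an SA)."""
    cfg = obj.get(IPTFS_PREFIX + "traffic-flow-security", {})
    ipsec = obj.get(IPTFS_PREFIX + "ipsec-stats", {})
    inner = obj.get(IPTFS_PREFIX + "iptfs-inner-pkt-stats", {})
    outer = obj.get(IPTFS_PREFIX + "iptfs-outer-pkt-stats", {})

    def counter(stats, name):
        return _value(stats.get(name, 0))

    def ratio(num, den):
        return num / den if den else 0.0

    tx_pkts = counter(ipsec, "tx-pkts")
    pad_octets = counter(outer, "tx-all-pad-octets") + counter(outer, "tx-extra-pad-octets")
    return {
        "name": obj.get("name"),                      # None for ike-side objects
        "config": {key: _value(val) for key, val in cfg.items()},
        "inner_per_outer_pkt": ratio(counter(inner, "tx-pkts"), tx_pkts),
        "all_pad_pkt_fraction": ratio(counter(outer, "tx-all-pad-pkts"), tx_pkts),
        "pad_octet_fraction": ratio(pad_octets, counter(ipsec, "tx-octets")),
        "tx_drops": counter(ipsec, "tx-drop-pkts"),
        "rx_problems": counter(outer, "rx-errored-pkts") + counter(outer, "rx-missed-pkts"),
    }


def summarize(doc):
    """Summaries for every augmented object found in a decoded JSON document."""
    return [summarize_sa(obj) for _, obj in find_iptfs_nodes(doc)]


def summarize_json(text):
    """Same, starting from the raw JSON text of a RESTCONF reply."""
    return summarize(json.loads(text))


if __name__ == "__main__":
    for sa in summarize(FIGURE5):
        print(json.dumps(sa, indent=2))
```

   Running it against Figure 5 reports 250/300 inner packets per outer
   packet, 40 of 300 outer packets as all-pad, and 70000 of 80000
   transmitted octets as padding; on a real deployment a rising
   all-pad fraction simply means the fixed-rate tunnel is idle, whereas
   non-zero rx-errored-pkts or rx-missed-pkts on the receive side is
   what to alert on.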