Network Working Group                                           D. Fedyk
Internet-Draft                                                  C. Hopps
Intended status: Standards Track                  LabN Consulting, L.L.C.
Expires: 20 May 2022                                    16 November 2021

              A YANG Data Model for IP Traffic Flow Security
                     draft-ietf-ipsecme-yang-iptfs-04

Abstract

   This document describes a YANG module for the management of IP
   Traffic Flow Security additions to IKEv2 and IPsec.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 20 May 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology & Concepts
   2.  Overview
   3.  YANG Management
     3.1.  YANG Tree
     3.2.  YANG Module
   4.  IANA Considerations
     4.1.  Updates to the IETF XML Registry
     4.2.  Updates to the YANG Module Names Registry
   5.  Security Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Examples
     A.1.  Example XML Configuration
     A.2.  Example XML Operational Data
     A.3.  Example JSON Configuration
     A.4.  Example JSON Operational Data
     A.5.  Example JSON Operational Statistics
   Authors' Addresses

1.  Introduction

   This document defines a YANG module [RFC7950] for the management of
   the IP Traffic Flow Security (IP-TFS) extensions as defined in
   [I-D.ietf-ipsecme-iptfs].  IP-TFS provides enhancements to an IPsec
   tunnel Security Association that improve traffic confidentiality.
   Traffic confidentiality reduces the ability of traffic analysis to
   determine identity and correlate observable traffic patterns.  IP-TFS
   offers efficiency when aggregating traffic in fixed size IPsec tunnel
   packets.

   The YANG data model in this document conforms to the Network
   Management Datastore Architecture (NMDA) defined in [RFC8342].

   The published YANG modules for IPsec are defined in [RFC9061].  This
   document uses these models as a general IPsec model that is augmented
   for IP-TFS.  The models in [RFC9061] provide for both an IKE and an
   IKELESS model.

1.1.  Terminology & Concepts

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119] [RFC8174] when, and only when, they appear in all capitals,
   as shown here.

2.  Overview

   This document defines configuration and operational parameters of IP
   traffic flow security (IP-TFS).  IP-TFS, defined in
   [I-D.ietf-ipsecme-iptfs], defines a security association for tunnel
   mode IPsec with characteristics that improve traffic confidentiality
   and reduce bandwidth efficiency loss.  These documents assume
   familiarity with IP security concepts described in [RFC4301].

   IP-TFS uses tunnel mode to improve confidentiality by hiding inner
   packet identifiable information, packet size and packet timing.  IP-
   TFS provides a general capability allowing aggregation of multiple
   packets in uniform size outer tunnel IPsec packets.  It maintains the
   outer packet size by utilizing combinations of aggregating, padding
   and fragmenting inner packets to fill out the IPsec outer tunnel
   packet.  Zero byte padding is used to fill the packet when no data is
   available to send.

   This document specifies an extensible configuration model for IP-TFS.
   This version utilizes the capabilities of IP-TFS to configure fixed
   size IP-TFS packets that are transmitted at a constant rate.  This
   model is structured to allow for different types of operation through
   future augmentation.

   IP-TFS YANG augments the IPsec YANG model from [RFC9061].  IP-TFS
   makes use of IPsec tunnel mode and adds a small number of
   configuration items to tunnel mode IPsec.  As defined in
   [I-D.ietf-ipsecme-iptfs], any SA configured to use IP-TFS supports
   only IP-TFS packets, i.e., no mixed IPsec modes.

   The behavior for IP-TFS is controlled by the source.  The self-
   describing format of IP-TFS packets allows a sending side to adjust
   the packet size and timing independently from any receiver.  Both
   directions are also independent, e.g., IP-TFS may be run in only one
   direction.  This means that the counters created here for both
   directions may be 0 or not updated in the case of an SA that uses
   IP-TFS in only one direction.

   Cases where IP-TFS statistics are active for one direction:

   *  SA one direction - IP-TFS enabled

   *  SA both directions - IP-TFS only enabled in one direction

   Case where IP-TFS statistics are active for both directions:

   *  SA both directions - IP-TFS enabled for both directions

   The IP-TFS model supports IP-TFS configuration and operational data.

   This YANG module supports configuration of fixed size and fixed rate
   packets, and elements that may be augmented to support future
   configuration.  The protocol specification [I-D.ietf-ipsecme-iptfs]
   goes beyond this simple fixed mode of operation by defining a general
   format for any type of scheme.  In this document the outer IPsec
   packets can be sent with fixed or variable size (without padding).
   The configuration allows the fixed packet size to be determined by
   the path MTU.  The fixed packet size can also be configured if a
   value lower than the path MTU is desired.

   Other configuration items include:

   *  Congestion Control.  A congestion control setting to allow IP-TFS
      to reduce the packet rate when congestion is detected.

   *  Fixed Rate configuration.  The IP-TFS tunnel rate can be
      configured taking into account either layer 2 overhead or layer 3
      overhead.  Layer 3 overhead is the IP data rate and layer 2
      overhead is the rate of bits on the link.  The combination of
      packet size and rate determines the nominal maximum bandwidth and
      the transmission interval when fixed size packets are used.

   *  User packet Fragmentation Control.
      While fragmentation is recommended for improved efficiency, a
      configuration is provided if users wish to observe the effect of
      no-fragmentation on their data flows.

   The YANG operational data allows the readout of the configured
   parameters as well as the per SA statistics and error counters for
   IP-TFS.  Per SA IPsec packet statistics are provided as one feature
   and per SA IP-TFS specific statistics as another feature.  Both sets
   of statistics augment the IPsec YANG models with counters that allow
   observation of IP-TFS packet efficiency.

   [RFC9061] defines a set of IPsec YANG management objects.  IP-TFS
   YANG augments the IKE and the IKELESS models.  In these models the
   Security Policy database entry and Security Association entry for an
   IPsec Tunnel can be augmented with IP-TFS.

3.  YANG Management

3.1.  YANG Tree

   The following is the YANG tree diagram ([RFC8340]) for the IP-TFS
   extensions.

   module: ietf-ipsec-iptfs
     augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd
               /nsfike:spd-entry/nsfike:ipsec-policy-config
               /nsfike:processing-info/nsfike:ipsec-sa-cfg:
       +--rw traffic-flow-security
          +--rw congestion-control?            boolean
          +--rw packet-size
          |  +--rw use-path-mtu-discovery?   boolean
          |  +--rw outer-packet-size?        uint16
          +--rw (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--rw l2-fixed-rate?        yang:counter64
          |  +--:(l3-fixed-rate)
          |     +--rw l3-fixed-rate?        yang:counter64
          +--rw dont-fragment?                 boolean
          +--rw max-aggregation-time?          decimal64
          +--rw window-size?                   uint16
          +--rw send-immediately?              boolean
          +--rw lost-packet-timer-interval?    decimal64
     augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info:
       +--ro traffic-flow-security
          +--ro congestion-control?            boolean
          +--ro packet-size
          |  +--ro use-path-mtu-discovery?   boolean
          |  +--ro outer-packet-size?        uint16
          +--ro (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--ro l2-fixed-rate?        yang:counter64
          |  +--:(l3-fixed-rate)
          |     +--ro l3-fixed-rate?        yang:counter64
          +--ro dont-fragment?                 boolean
          +--ro max-aggregation-time?          decimal64
          +--ro window-size?                   uint16
          +--ro send-immediately?              boolean
          +--ro lost-packet-timer-interval?    decimal64
     augment /nsfikels:ipsec-ikeless/nsfikels:spd/nsfikels:spd-entry
               /nsfikels:ipsec-policy-config/nsfikels:processing-info
               /nsfikels:ipsec-sa-cfg:
       +--rw traffic-flow-security
          +--rw congestion-control?            boolean
          +--rw packet-size
          |  +--rw use-path-mtu-discovery?   boolean
          |  +--rw outer-packet-size?        uint16
          +--rw (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--rw l2-fixed-rate?        yang:counter64
          |  +--:(l3-fixed-rate)
          |     +--rw l3-fixed-rate?        yang:counter64
          +--rw dont-fragment?                 boolean
          +--rw max-aggregation-time?          decimal64
          +--rw window-size?                   uint16
          +--rw send-immediately?              boolean
          +--rw lost-packet-timer-interval?    decimal64
     augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry:
       +--ro traffic-flow-security
          +--ro congestion-control?            boolean
          +--ro packet-size
          |  +--ro use-path-mtu-discovery?   boolean
          |  +--ro outer-packet-size?        uint16
          +--ro (tunnel-rate)?
          |  +--:(l2-fixed-rate)
          |  |  +--ro l2-fixed-rate?        yang:counter64
          |  +--:(l3-fixed-rate)
          |     +--ro l3-fixed-rate?        yang:counter64
          +--ro dont-fragment?                 boolean
          +--ro max-aggregation-time?          decimal64
          +--ro window-size?                   uint16
          +--ro send-immediately?              boolean
          +--ro lost-packet-timer-interval?    decimal64
     augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info:
       +--ro ipsec-stats {ipsec-stats}?
       |  +--ro tx-pkts?        yang:counter64
       |  +--ro tx-octets?      yang:counter64
       |  +--ro tx-drop-pkts?   yang:counter64
       |  +--ro rx-pkts?        yang:counter64
       |  +--ro rx-octets?      yang:counter64
       |  +--ro rx-drop-pkts?   yang:counter64
       +--ro iptfs-inner-pkt-stats {iptfs-stats}?
       |  +--ro tx-pkts?              yang:counter64
       |  +--ro tx-octets?            yang:counter64
       |  +--ro rx-pkts?              yang:counter64
       |  +--ro rx-octets?            yang:counter64
       |  +--ro rx-incomplete-pkts?   yang:counter64
       +--ro iptfs-outer-pkt-stats {iptfs-stats}?
          +--ro tx-all-pad-pkts?       yang:counter64
          +--ro tx-all-pad-octets?     yang:counter64
          +--ro tx-extra-pad-pkts?     yang:counter64
          +--ro tx-extra-pad-octets?   yang:counter64
          +--ro rx-all-pad-pkts?       yang:counter64
          +--ro rx-all-pad-octets?     yang:counter64
          +--ro rx-extra-pad-pkts?     yang:counter64
          +--ro rx-extra-pad-octets?   yang:counter64
          +--ro rx-errored-pkts?       yang:counter64
          +--ro rx-missed-pkts?        yang:counter64
     augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry:
       +--ro ipsec-stats {ipsec-stats}?
       |  +--ro tx-pkts?        yang:counter64
       |  +--ro tx-octets?      yang:counter64
       |  +--ro tx-drop-pkts?   yang:counter64
       |  +--ro rx-pkts?        yang:counter64
       |  +--ro rx-octets?      yang:counter64
       |  +--ro rx-drop-pkts?   yang:counter64
       +--ro iptfs-inner-pkt-stats {iptfs-stats}?
       |  +--ro tx-pkts?              yang:counter64
       |  +--ro tx-octets?            yang:counter64
       |  +--ro rx-pkts?              yang:counter64
       |  +--ro rx-octets?            yang:counter64
       |  +--ro rx-incomplete-pkts?   yang:counter64
       +--ro iptfs-outer-pkt-stats {iptfs-stats}?
          +--ro tx-all-pad-pkts?       yang:counter64
          +--ro tx-all-pad-octets?     yang:counter64
          +--ro tx-extra-pad-pkts?     yang:counter64
          +--ro tx-extra-pad-octets?   yang:counter64
          +--ro rx-all-pad-pkts?       yang:counter64
          +--ro rx-all-pad-octets?     yang:counter64
          +--ro rx-extra-pad-pkts?     yang:counter64
          +--ro rx-extra-pad-octets?   yang:counter64
          +--ro rx-errored-pkts?       yang:counter64
          +--ro rx-missed-pkts?        yang:counter64

3.2.  YANG Module

   The following is the YANG module for managing the IP-TFS extensions.
   The model contains references to [I-D.ietf-ipsecme-iptfs] and
   [RFC5348].
   <CODE BEGINS> file "ietf-ipsec-iptfs@2021-11-16.yang"
   module ietf-ipsec-iptfs {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs";
     prefix iptfs;

     import ietf-i2nsf-ike {
       prefix nsfike;
     }
     import ietf-i2nsf-ikeless {
       prefix nsfikels;
     }
     import ietf-yang-types {
       prefix yang;
     }

     organization
       "IETF IPSECME Working Group (IPSECME)";
     contact
       "WG Web:
        WG List:

        Author: Don Fedyk

        Author: Christian Hopps
        ";

     // RFC Ed.: replace XXXX with actual RFC number and
     // remove this note.

     description
       "This module defines the configuration and operational state for
        managing the IP Traffic Flow Security functionality [RFC XXXX].

        Copyright (c) 2021 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject to
        the license terms contained in, the Simplified BSD License set
        forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX
        (https://tools.ietf.org/html/rfcXXXX); see the RFC itself for
        full legal notices.";

     revision 2021-11-16 {
       description
         "Initial Revision";
       reference
         "RFC XXXX: IP Traffic Flow Security YANG Module";
     }

     feature ipsec-stats {
       description
         "This feature indicates the device supports
          per SA IPsec statistics";
     }

     feature iptfs-stats {
       description
         "This feature indicates the device supports
          per SA IP Traffic Flow Security statistics";
     }

     /*--------------------*/
     /*      groupings     */
     /*--------------------*/

     grouping ipsec-tx-stat-grouping {
       description
         "IPsec outbound statistics";
       leaf tx-pkts {
         type yang:counter64;
         config false;
         description
           "Outbound Packet count";
       }
       leaf tx-octets {
         type yang:counter64;
         config false;
         description
           "Outbound Packet bytes";
       }
       leaf tx-drop-pkts {
         type yang:counter64;
         config false;
         description
           "Outbound dropped packets count";
       }
     }

     grouping ipsec-rx-stat-grouping {
       description
         "IPsec inbound statistics";
       leaf rx-pkts {
         type yang:counter64;
         config false;
         description
           "Inbound Packet count";
       }
       leaf rx-octets {
         type yang:counter64;
         config false;
         description
           "Inbound Packet bytes";
       }
       leaf rx-drop-pkts {
         type yang:counter64;
         config false;
         description
           "Inbound dropped packets count";
       }
     }

     grouping iptfs-inner-tx-stat-grouping {
       description
         "IP-TFS outbound inner packet statistics";
       leaf tx-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner packets sent.  This
            count is whole packets only.  A fragmented packet
            counts as one packet";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf tx-octets {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner octets sent.  This is
            inner packet octets only.  Does not count padding.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
     }

     grouping iptfs-outer-tx-stat-grouping {
       description
         "IP-TFS outbound outer packet statistics";
       leaf tx-all-pad-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of transmitted IP-TFS packets that
            were all padding with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3";
       }
       leaf tx-all-pad-octets {
         type yang:counter64;
         config false;
         description
           "Total number transmitted octets of padding added to
            IP-TFS packets with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3";
       }
       leaf tx-extra-pad-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of transmitted outer IP-TFS packets
            that included some padding.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3.1";
       }
       leaf tx-extra-pad-octets {
         type yang:counter64;
         config false;
         description
           "Total number of transmitted octets of padding added
            to outer IP-TFS packets with data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3.1";
       }
     }

     grouping iptfs-inner-rx-stat-grouping {
       description
         "IP-TFS inner packet inbound statistics";
       leaf rx-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner packets received.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2";
       }
       leaf rx-octets {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner octets received.  Does
            not include padding or overhead";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2";
       }
       leaf rx-incomplete-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS inner packets that were
            incomplete.  Usually this is due to fragments not
            received.  Also, this may be due to misordering or
            errors in received outer packets.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
     }

     grouping iptfs-outer-rx-stat-grouping {
       description
         "IP-TFS outer packet inbound statistics";
       leaf rx-all-pad-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of received IP-TFS packets that were
            all padding with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3";
       }
       leaf rx-all-pad-octets {
         type yang:counter64;
         config false;
         description
           "Total number received octets of padding added to
            IP-TFS packets with no inner packet data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3";
       }
       leaf rx-extra-pad-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of received outer IP-TFS packets that
            included some padding.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3.1";
       }
       leaf rx-extra-pad-octets {
         type yang:counter64;
         config false;
         description
           "Total number of received octets of padding added to
            outer IP-TFS packets with data.";
         reference
           "draft-ietf-ipsecme-iptfs section 2.2.3.1";
       }
       leaf rx-errored-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS outer packets dropped due to
            errors.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
       leaf rx-missed-pkts {
         type yang:counter64;
         config false;
         description
           "Total number of IP-TFS outer packets missing
            indicated by missing sequence number.";
         reference
           "draft-ietf-ipsecme-iptfs";
       }
     }

     grouping iptfs-config {
       description
         "This is the grouping for iptfs configuration";
       container traffic-flow-security {
         description
           "Configure the IPsec TFS in Security
            Association Database (SAD)";
         leaf congestion-control {
           type boolean;
           default "true";
           description
             "When set to true, the default, this enables the
              congestion control on-the-wire exchange of data that is
              required by congestion control algorithms as defined by
              RFC 5348.  When set to false, IP-TFS sends fixed-sized
              packets over an IP-TFS tunnel at a constant rate.";
           reference
             "draft-ietf-ipsecme-iptfs section 2.5.2, RFC 5348";
         }
         container packet-size {
           description
             "Packet size is either auto-discovered or manually
              configured.";
           leaf use-path-mtu-discovery {
             type boolean;
             default "true";
             description
               "Utilize path MTU discovery to determine maximum
                IP-TFS packet size.  If the packet size is explicitly
                configured, then it will only be adjusted downward if
                use-path-mtu-discovery is set.";
             reference
               "draft-ietf-ipsecme-iptfs section 4.2";
           }
           leaf outer-packet-size {
             type uint16;
             description
               "On transmission, the size of the outer encapsulating
                tunnel packet (i.e., the IP packet containing the ESP
                payload).";
             reference
               "draft-ietf-ipsecme-iptfs section 4.2";
           }
         }
         choice tunnel-rate {
           description
             "TFS bit rate may be specified at layer 2 wire
              rate or layer 3 packet rate";
           leaf l2-fixed-rate {
             type yang:counter64;
             description
               "On transmission, target bandwidth/bit rate in bps
                for iptfs tunnel.  This fixed rate is the nominal
                timing for the fixed size packet.  If congestion
                control is enabled the rate may be adjusted down (or
                up if unset).";
             reference
               "draft-ietf-ipsecme-iptfs section 4.1";
           }
           leaf l3-fixed-rate {
             type yang:counter64;
             description
               "On transmission, target bandwidth/bit rate in bps
                for iptfs tunnel.  This fixed rate is the nominal
                timing for the fixed size packet.  If congestion
                control is enabled the rate may be adjusted down (or
                up if unset).";
             reference
               "draft-ietf-ipsecme-iptfs section 4.1";
           }
         }
         leaf dont-fragment {
           type boolean;
           default "false";
           description
             "On transmission, disable packet fragmentation across
              consecutive iptfs tunnel packets; inner packets larger
              than what can be transmitted in outer packets will be
              dropped.";
           reference
             "draft-ietf-ipsecme-iptfs section 2.2.4 and 6.4.1";
         }
         leaf max-aggregation-time {
           type decimal64 {
             fraction-digits 6;
           }
           units "milliseconds";
           description
             "On transmission, maximum aggregation time is the
              maximum length of time a received inner packet can be
              held prior to transmission in the iptfs tunnel.  Inner
              packets that would be held longer than this time, based
              on the current tunnel configuration will be dropped
              rather than be queued for transmission.  Maximum
              aggregation time is configurable in milliseconds or
              fractional milliseconds down to 1 nanosecond.";
         }
         leaf window-size {
           type uint16 {
             range "0..65535";
           }
           description
             "On reception, the maximum number of out-of-order
              packets that will be reordered by an iptfs receiver
              while performing the reordering operation.  The value 0
              disables any reordering.";
           reference
             "draft-ietf-ipsecme-iptfs section 2.2.3";
         }
         leaf send-immediately {
           type boolean;
           default "false";
           description
             "On reception, send inner packets as soon as possible, do
              not wait for lost or misordered outer packets.
              Selecting this option reduces the inner (user) packet
              delay but can amplify out-of-order delivery of the
              inner packet stream in the presence of packet
              aggregation and any reordering.";
           reference
             "draft-ietf-ipsecme-iptfs section 2.5";
         }
         leaf lost-packet-timer-interval {
           type decimal64 {
             fraction-digits 6;
           }
           units "milliseconds";
           description
             "On reception, this interval defines the length of time
              an iptfs receiver will wait for a missing packet before
              considering it lost.  If not using send-immediately,
              then each lost packet will delay inner (user) packets
              until this timer expires.  Setting this value too low
              can impact reordering and reassembly.  The value is
              configurable in milliseconds or fractional milliseconds
              down to 1 nanosecond.";
           reference
             "draft-ietf-ipsecme-iptfs section 2.2.3";
         }
       }
     }

     /*
      * IP-TFS ike configuration
      */

     augment "/nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd/"
           + "nsfike:spd-entry/"
           + "nsfike:ipsec-policy-config/"
           + "nsfike:processing-info/"
           + "nsfike:ipsec-sa-cfg" {
       description
         "IP-TFS configuration for this policy.";
       uses iptfs-config;
     }

     augment "/nsfike:ipsec-ike/nsfike:conn-entry/"
           + "nsfike:child-sa-info" {
       description
         "IP-TFS configured on this SA.";
       uses iptfs-config {
         refine "traffic-flow-security" {
           config false;
         }
       }
     }

     /*
      * IP-TFS ikeless configuration
      */

     augment "/nsfikels:ipsec-ikeless/nsfikels:spd/"
           + "nsfikels:spd-entry/"
           + "nsfikels:ipsec-policy-config/"
           + "nsfikels:processing-info/"
           + "nsfikels:ipsec-sa-cfg" {
       description
         "IP-TFS configuration for this policy.";
       uses iptfs-config;
     }

     augment "/nsfikels:ipsec-ikeless/nsfikels:sad/"
           + "nsfikels:sad-entry" {
       description
         "IP-TFS configured on this SA.";
       uses iptfs-config {
         refine "traffic-flow-security" {
           config false;
         }
       }
     }

     /*
      * packet counters
      */

     augment "/nsfike:ipsec-ike/nsfike:conn-entry/"
           + "nsfike:child-sa-info" {
       description
         "Per SA Counters";
       container ipsec-stats {
         if-feature "ipsec-stats";
         config false;
         description
           "IPsec per SA packet counters.";
         uses ipsec-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses ipsec-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
       container iptfs-inner-pkt-stats {
         if-feature "iptfs-stats";
         config false;
         description
           "IPTFS per SA inner packet counters.";
         uses iptfs-inner-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses iptfs-inner-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
       container iptfs-outer-pkt-stats {
         if-feature "iptfs-stats";
         config false;
         description
           "IPTFS per SA outer packets counters.";
         uses iptfs-outer-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses iptfs-outer-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
     }

     /*
      * packet counters
      */

     augment "/nsfikels:ipsec-ikeless/nsfikels:sad/"
           + "nsfikels:sad-entry" {
       description
         "Per SA Counters";
       container ipsec-stats {
         if-feature "ipsec-stats";
         config false;
         description
           "IPsec per SA packet counters.";
         uses ipsec-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses ipsec-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
       container iptfs-inner-pkt-stats {
         if-feature "iptfs-stats";
         config false;
         description
           "IPTFS per SA inner packet counters.";
         uses iptfs-inner-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses iptfs-inner-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
       container iptfs-outer-pkt-stats {
         if-feature "iptfs-stats";
         config false;
         description
           "IPTFS per SA outer packets counters.";
         uses iptfs-outer-tx-stat-grouping {
           //when "direction = 'outbound'";
         }
         uses iptfs-outer-rx-stat-grouping {
           //when "direction = 'inbound'";
         }
       }
     }
   }
   <CODE ENDS>

4.  IANA Considerations

4.1.  Updates to the IETF XML Registry

   This document registers a URI in the "IETF XML Registry" [RFC3688].
   Following the format in [RFC3688], the following registration has
   been made:

   URI:
      urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs

   Registrant Contact:
      The IESG.

   XML:
      N/A; the requested URI is an XML namespace.

4.2.  Updates to the YANG Module Names Registry

   This document registers one YANG module in the "YANG Module Names"
   registry [RFC6020].  Following the format in [RFC6020], the following
   registration has been made:

   name:
      ietf-ipsec-iptfs

   namespace:
      urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs

   prefix:
      iptfs

   reference:
      RFC XXXX (RFC Ed.: replace XXXX with actual RFC number and remove
      this note.)

5.  Security Considerations

   The YANG module specified in this document defines a schema for data
   that is designed to be accessed via network management protocols such
   as NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer
   is the secure transport layer, and the mandatory-to-implement secure
   transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer
   is HTTPS, and the mandatory-to-implement secure transport is TLS
   [RFC8446].

   The Network Configuration Access Control Model (NACM) [RFC8341]
   provides the means to restrict access for particular NETCONF or
   RESTCONF users to a preconfigured subset of all available NETCONF or
   RESTCONF protocol operations and content.

   The YANG module defined in this document can enable, disable and
   modify the behavior of IP traffic flow security.  For the
   implications of these types of changes, consult
   [I-D.ietf-ipsecme-iptfs], which defines the functionality.
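   The per-SA counters in the packet-counter augments of the module
   above are what let an operator observe IP-TFS packet efficiency
   (Section 2).  The following Python is an added example, not part of
   this draft or of any IP-TFS implementation: it reads the three stats
   containers from JSON operational data encoded with the module's leaf
   names and derives the useful-payload, padding and overhead shares of
   the outbound stream, plus inbound loss indicators.  The JSON document
   is constructed sample data with invented numbers; the function names
   and the assumption noted in rx_health about rx-incomplete-pkts are
   the example's own.

```python
# Added example (not part of the draft or of any IP-TFS implementation):
# derive efficiency and health figures from the per-SA counters that the
# ietf-ipsec-iptfs module defines.  The JSON below is CONSTRUCTED sample
# operational data in RFC 7951 style using the module's leaf names; the
# numbers are invented for illustration.
import json
from typing import Dict, Optional

SAMPLE_OPERATIONAL_JSON = """
{
  "ietf-ipsec-iptfs:ipsec-stats": {
    "tx-pkts": 1000, "tx-octets": 1400000, "tx-drop-pkts": 0,
    "rx-pkts": 800,  "rx-octets": 1120000, "rx-drop-pkts": 2
  },
  "ietf-ipsec-iptfs:iptfs-inner-pkt-stats": {
    "tx-pkts": 2300, "tx-octets": 1100000,
    "rx-pkts": 1700, "rx-octets": 900000, "rx-incomplete-pkts": 3
  },
  "ietf-ipsec-iptfs:iptfs-outer-pkt-stats": {
    "tx-all-pad-pkts": 150, "tx-all-pad-octets": 210000,
    "tx-extra-pad-pkts": 400, "tx-extra-pad-octets": 40000,
    "rx-all-pad-pkts": 120, "rx-all-pad-octets": 168000,
    "rx-extra-pad-pkts": 300, "rx-extra-pad-octets": 52000,
    "rx-errored-pkts": 2, "rx-missed-pkts": 4
  }
}
"""

Stats = Dict[str, Dict[str, int]]


def load_stats(doc: str) -> Stats:
    """Parse JSON operational data and drop the 'module-name:' prefix so
    the three containers can be addressed by their YANG container names."""
    return {name.split(":", 1)[-1]: leaves
            for name, leaves in json.loads(doc).items()}


def tx_efficiency(stats: Stats) -> Optional[Dict[str, float]]:
    """Outbound efficiency of the SA: the share of each transmitted outer
    octet that carried user data, that was padding, and that was
    IP/ESP/IP-TFS overhead.  Returns None when this direction carried no
    IP-TFS traffic (the draft notes counters may stay 0 for an SA that
    runs IP-TFS in one direction only)."""
    ipsec = stats["ipsec-stats"]
    inner = stats["iptfs-inner-pkt-stats"]
    outer = stats["iptfs-outer-pkt-stats"]
    outer_octets, outer_pkts = ipsec["tx-octets"], ipsec["tx-pkts"]
    if outer_octets == 0 or outer_pkts == 0:
        return None
    # iptfs-inner-pkt-stats/tx-octets counts inner packet octets only; the
    # two tx-*-pad-octets leaves count padding in all-pad outer packets and
    # in partially padded outer packets respectively.
    inner_octets = inner["tx-octets"]
    pad_octets = outer["tx-all-pad-octets"] + outer["tx-extra-pad-octets"]
    overhead = outer_octets - inner_octets - pad_octets
    if overhead < 0:
        raise ValueError("inconsistent counters: inner data plus padding "
                         "exceeds the octets actually sent")
    return {
        "inner_ratio": inner_octets / outer_octets,     # useful payload share
        "padding_ratio": pad_octets / outer_octets,     # cover-traffic share
        "overhead_ratio": overhead / outer_octets,      # headers, ICV, etc.
        "all_pad_pkt_ratio": outer["tx-all-pad-pkts"] / outer_pkts,  # idle slots
    }


def rx_health(stats: Stats) -> Optional[Dict[str, float]]:
    """Inbound loss indicators from the receive-side counters.  Returns
    None when nothing was received in this direction."""
    ipsec = stats["ipsec-stats"]
    inner = stats["iptfs-inner-pkt-stats"]
    outer = stats["iptfs-outer-pkt-stats"]
    received = ipsec["rx-pkts"]
    if received == 0:
        return None
    # rx-missed-pkts counts sequence-number gaps, so the outer packets the
    # peer emitted amount to received + missed.
    expected = received + outer["rx-missed-pkts"]
    # ASSUMPTION of this example: rx-incomplete-pkts is not already
    # included in inner rx-pkts.
    inner_total = inner["rx-pkts"] + inner["rx-incomplete-pkts"]
    return {
        "missed_ratio": outer["rx-missed-pkts"] / expected,
        "errored_ratio": outer["rx-errored-pkts"] / received,
        "incomplete_inner_ratio": inner["rx-incomplete-pkts"] / inner_total,
    }


if __name__ == "__main__":
    s = load_stats(SAMPLE_OPERATIONAL_JSON)
    print(tx_efficiency(s))
    print(rx_health(s))
```

   With the constructed counters, roughly 79% of outbound octets are
   inner data, 18% are padding and 15% of outer packets are all-padding
   slots, i.e. the constant-rate tunnel ran about 15% idle.  A negative
   overhead means the device's counters disagree with each other and the
   reading should not be trusted.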
   IP-TFS hides traffic flows through the network; because the
   statistics in this module expose what a tunnel is actually carrying,
   anywhere that access to the YANG statistics is enabled needs to be
   protected from third-party observation.

6.  Acknowledgements

   The authors would like to thank Eric Kinzie, Juergen Schoenwaelder,
   Lou Berger and Tero Kivinen for their feedback and review on the YANG
   model.

7.  References

7.1.  Normative References

   [I-D.ietf-ipsecme-iptfs]
              Hopps, C., "IP-TFS: Aggregation and Fragmentation Mode for
              ESP and its Use for IP Traffic Flow Security", Work in
              Progress, Internet-Draft, draft-ietf-ipsecme-iptfs-12,
              8 November 2021.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
              December 2005.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [RFC9061]  Marin-Lopez, R., Lopez-Millan, G., and
              F. Pereniguez-Garcia, "A YANG Data Model for IPsec Flow
              Protection Based on Software-Defined Networking (SDN)",
              RFC 9061, DOI 10.17487/RFC9061, July 2021.

7.2.  Informative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.
   [RFC5348]  Floyd, S., Handley, M., Padhye, J., and J. Widmer, "TCP
              Friendly Rate Control (TFRC): Protocol Specification",
              RFC 5348, DOI 10.17487/RFC5348, September 2008.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

Appendix A.  Examples

   The following examples show configuration and operational data for
   the ikeless and ike cases using XML and JSON.  The operational
   statistics for the ikeless case are also illustrated.

A.1.  Example XML Configuration

   This example illustrates configuration for IP-TFS in the ikeless
   case.  Note that since this augments the IPsec ikeless schema, only
   the minimal ikeless configuration needed to satisfy the schema has
   been populated.

   [Figure 1 placeholder: the XML markup of this figure did not survive
   extraction; the values it carried, in document order, are
   protect-policy-1, outbound, 192.0.2.0/16, 198.51.100.0/16, protect,
   true, true, 1000000000, 0.1, 5, false, 0.2.]

              Figure 1: Example IP-TFS XML configuration

A.2.  Example XML Operational Data

   This example illustrates operational data for IP-TFS in the ikeless
   case.  Note that since this augments the IPsec ikeless schema, only
   the minimal ikeless configuration needed to satisfy the schema has
   been populated.

   [Figure 2 placeholder: the XML markup of this figure did not survive
   extraction; the values it carried, in document order, are sad-1, 1,
   2001:DB8::0/16, 2001:DB8::1:0/16, true, true, 1000000000, 0.100, 0,
   true, 0.200.]

             Figure 2: Example IP-TFS XML Operational data

A.3.  Example JSON Configuration

   This example illustrates config data for IP-TFS in the ike case.
   Note that since this augments the IPsec ike schema, only the minimal
   ike configuration needed to satisfy the schema has been populated.

   {
     "ietf-i2nsf-ike:ipsec-ike": {
       "ietf-i2nsf-ike:conn-entry": [
         {
           "name": "my-peer-connection",
           "ike-sa-encr-alg": [
             {
               "id": 1,
               "algorithm-type": 12,
               "key-length": 128
             }
           ],
           "local": {
             "local-pad-entry-name": "local-1"
           },
           "remote": {
             "remote-pad-entry-name": "remote-1"
           },
           "ietf-i2nsf-ike:spd": {
             "spd-entry": [
               {
                 "name": "protect-policy-1",
                 "ipsec-policy-config": {
                   "traffic-selector": {
                     "local-prefix": "192.0.2.0/16",
                     "remote-prefix": "198.51.100.0/16"
                   },
                   "processing-info": {
                     "action": "protect",
                     "ipsec-sa-cfg": {
                       "ietf-ipsec-iptfs:traffic-flow-security": {
                         "congestion-control": "true",
                         "l2-fixed-rate": 1000000000,
                         "packet-size": {
                           "use-path-mtu-discovery": "true"
                         },
                         "max-aggregation-time": "0.1",
                         "window-size": "1",
                         "send-immediately": "false",
                         "lost-packet-timer-interval": "0.2"
                       }
                     }
                   }
                 }
               }
             ]
           }
         }
       ]
     }
   }

              Figure 3: Example IP-TFS JSON configuration

A.4.  Example JSON Operational Data

   This example illustrates operational data for IP-TFS in the ike case.
   Note that since this augments the IPsec ike tree, only the minimal
   ike configuration needed to satisfy the schema has been populated.

   {
     "ietf-i2nsf-ike:ipsec-ike": {
       "ietf-i2nsf-ike:conn-entry": [
         {
           "name": "my-peer-connection",
           "ike-sa-encr-alg": [
             {
               "id": 1,
               "algorithm-type": 12,
               "key-length": 128
             }
           ],
           "local": {
             "local-pad-entry-name": "local-1"
           },
           "remote": {
             "remote-pad-entry-name": "remote-1"
           },
           "ietf-i2nsf-ike:child-sa-info": {
             "ietf-ipsec-iptfs:traffic-flow-security": {
               "congestion-control": "true",
               "l2-fixed-rate": 1000000000,
               "packet-size": {
                 "use-path-mtu-discovery": "true"
               },
               "max-aggregation-time": "0.1",
               "window-size": "5",
               "send-immediately": "false",
               "lost-packet-timer-interval": "0.2"
             }
           }
         }
       ]
     }
   }

             Figure 4: Example IP-TFS JSON Operational data

A.5.  Example JSON Operational Statistics

   This example shows the JSON-formatted statistics for IP-TFS.  Note
   that a unidirectional IP-TFS transmit side is illustrated, with
   arbitrary numbers for transmit.

   {
     "ietf-i2nsf-ikeless:ipsec-ikeless": {
       "sad": {
         "sad-entry": [
           {
             "name": "sad-1",
             "ipsec-sa-config": {
               "spi": 1,
               "traffic-selector": {
                 "local-prefix": "192.0.2.1/16",
                 "remote-prefix": "198.51.100.0/16"
               }
             },
             "ietf-ipsec-iptfs:traffic-flow-security": {
               "window-size": "5",
               "send-immediately": "false",
               "lost-packet-timer-interval": "0.2"
             },
             "ietf-ipsec-iptfs:ipsec-stats": {
               "tx-pkts": "300",
               "tx-octets": "80000",
               "tx-drop-pkts": "2",
               "rx-pkts": "0",
               "rx-octets": "0",
               "rx-drop-pkts": "0"
             },
             "ietf-ipsec-iptfs:iptfs-inner-pkt-stats": {
               "tx-pkts": "250",
               "tx-octets": "75000",
               "rx-pkts": "0",
               "rx-octets": "0",
               "rx-incomplete-pkts": "0"
             },
             "ietf-ipsec-iptfs:iptfs-outer-pkt-stats": {
               "tx-all-pad-pkts": "40",
               "tx-all-pad-octets": "40000",
               "tx-extra-pad-pkts": "200",
               "tx-extra-pad-octets": "30000",
               "rx-all-pad-pkts": "0",
               "rx-all-pad-octets": "0",
               "rx-extra-pad-pkts": "0",
               "rx-extra-pad-octets": "0",
               "rx-errored-pkts": "0",
               "rx-missed-pkts": "0"
             },
             "ipsec-sa-state": {
               "sa-lifetime-current": {
                 "time": 80000,
                 "bytes": 4000606,
                 "packets": 1000,
                 "idle": 5
               }
             }
           }
         ]
       }
     }
   }

                Figure 5: Example IP-TFS JSON Statistics

Authors' Addresses

   Don Fedyk
   LabN Consulting, L.L.C.

   Email: dfedyk@labn.net

   Christian Hopps
   LabN Consulting, L.L.C.

   Email: chopps@chopps.org