Network Working Group K. Tran Internet Draft D. Migault Intended status: Standard Track Ericsson Expires: September 18, 2016 H. Wang V. Nagaraj X. Chen Huawei Technologies March 18, 2016 Yang Data Model for IKEv2 draft-tran-ipsecme-ikev2-yang-00.txt Abstract This document defines a YANG data model that can be used to configure and manage Internet Key Exchange version 2 (IKEv2). The model covers the IKEv2 protocol configuration and operational state. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html This Internet-Draft will expire on November 18, 2016. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. Tran, et al. Expires September 18, 2016 [Page 1] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction...................................................3 2. Conventions used in this document..............................3 3. IKEv2 protocol Overview........................................4 3.1. IKEv2 Transport Attributes................................4 3.2. IKEv2_INIT Exchange.......................................8 IKEv2_INIT Exchange Configuration Attributes:..................9 3.3. Creation of the IKE_SA...................................12 3.4. IKE_AUTH Exchange........................................14 3.5. IKEv2 Configuration Data Model...........................17 3.6. IKEv2 Operation Data Model...............................24 4. IKEv2 Crypto YANG Module......................................26 5. IKEv2 YANG Module.............................................46 6. Security Considerations.......................................75 7. References....................................................75 7.1. Normative References.....................................75 7.2. Informative References...................................76 Tran, et al. Expires September 18, 2016 [Page 2] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 1. Introduction This document introduces a YANG data model for the Internet Exchange Key version 2 (IKEv2) protocol. The model discussed in this document covers IKEv2 [RFC7296] and other generic enhancements that pertain to the base protocol operation. The YANG data model is defined for the following constructs that are used for managing the IKEv2 protocol including configuration and operational state. 2. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [RFC2119]. In this document, these words will appear with that interpretation only when in ALL CAPS. Lower case uses of these words are not to be interpreted as carrying RFC-2119 significance. In this document, the characters ">>" preceding an indented line(s) indicates a compliance requirement statement using the key words listed above. This convention aids reviewers in quickly identifying or finding the explicit compliance requirements of this RFC. Tran, et al. Expires September 18, 2016 [Page 3] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 3. IKEv2 protocol Overview This section provides a high level overview of IKEv2 [RFC7296] to make the YANG model more comprehensive. The intent of this section is to fill the gap between the IKEv2 specifications and its associated YANG model. It is expected to clarify the YANG model, for those that are more familiar to the IKEv2 specifications, and provide some IKEv2 background for those that are more familiar to YANG models. Note that the purpose of IKEv2 standard is to provide interoperability whereas the YANG model provides an implementation independent way to configure IKEv2 daemons. With these different goals application-dependent parameters or parameters that interoperability-independent (like the life time of the IKE SA for example) are not mentioned in the IKEv2 standard but needs to be specified in the YANG model. IKEv2 can be designed as a single monolithic daemon that is configured in a single manner for all initiated and responding IKEv2 negotiation. On the other hand, IKEv2 can also be view as a daemon that can enable some specific configuration for each peer. This would mean for example that the IKE_SA could be set differently according to the peer. In addition to these different levels of configuration granularities, the IKEv2 daemon is not always aware of the peer identity. When it acts as a responder, for example, the peer ID is only known during the IKE_AUTH exchange, which means that during the previous exchange (IKE_INIT) the IKEv2 daemon is likely not to apply a per peer policy. In order to address the multiple possible configurations the IKEv2 configuration and variables are subdivided into different modules. An IKEv2 daemon needs to have all these modules to be specified, however, each module may be specified at different level in the tree. More specifically, module may be set for the global implementation or for each peer. 3.1. IKEv2 Transport Attributes This section provides the attributes used to enable the transport of the IKEv2 messages between the initiator and the peer. The transport often needs configuration attributes that define the behavior of the IKEv2 daemon according to operational attributes (or counters). IKEv2 Header defines the attributes that identifies the IKE session between the peers. Although the configuration attributes may be common for the whole implementation, it is expected that the Tran, et al. Expires September 18, 2016 [Page 4] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 operational attributes are defines from each session, that is for each IKE_SA. These attributes are provided in the header and are described in [RFC7296] section 3.1. Although the IKE header contains also attributes such as Message IDs, and flags for example that indicate if corresponds to a query or a response, these headers attributes are not considers as operational attributes of the IKE header, instead, these are considered as operational attribute of the Anti-Replay Mechanism. The attributes associated to the IKEv2 Header are thus: . MjVer: defines the major version. As defined in [RFC7296] section 3.1 implementations that of [RFC7296] MUST set this attribute to 2. . MnVer: defines the minor version. As defined in [RFC7296] section 3.1 implementations that of [RFC7296] MUST set this attribute to 0. . SPI-generation-policies: defines how the SPI are expected to be generated. Most likely SPIs will randomly generate. On the other hand, it may be needed for some deployment such as clusters to be able to reduce the spectrum of these SPIs. . Initiator SPI: defines the SPI assigned by the Initiator to index the inbound messages to the appropriated IKE_SA. The SPIs are agreed between the peers after the IKE_INIT exchange and are not part of the configuration parameters. . Responder SPI: defines the SPI assigned by the Responder to index the inbound messages to the appropriated IKE_SA. IKEv2 Header Configuration Attributes # [RFC7296] section 3.1 - MjVer: The IKEv2 Major version (set to 2) - MnVer: The IKEv2 Minor version (set to 0) - SPI-generation-policies IKEv2 Header Operational Attributes (1 per IKE_SA) - Initiator SPI - Responder SPI Anti-Replay Mechanism describes when message should be rejected or considered by the IKEv2 daemon. The anti-replay mechanism is defined for each session. Although the configuration attributed may be shared for the whole IKEv2 daemon, the operational attributes are expected to be duplicated for each IKE_SA. The following attributes are thus considered. . Window Size defines how much parallel exchange can be performed between the peers. By default this value is set to 1. When greater than 1, as defined in [RFC7296] section 2.3, a Tran, et al. Expires September 18, 2016 [Page 5] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 SET_WINDOW_SIZE Notify Payloads will be sent by the peer to agree with the other peer on the Window Size. After this exchange succeeds, the operational attribute that defines the Window Size used by the IKE_SA, will be updated with the value agreed by the peers. . Optional Enable INVALID_MESSAGE_ID defines whether an optional INVALID_MESSAGE_ID Notify Payload is sent when the IKEv2 message received is outside the Operational Window Size. . Operational Window Size defines the Window size considered by the IKE_SA. When the IKE_SA is created, it is set to 1. This value is updated only once the peers have agreed on another Window Size value with the SET_WINDOW_SIZE informational exchange. . Peer Request MESSAGE ID stores the Message ID of the last request received by the peer. . Peer Request MESSAGE ID stores the Message ID of the last response received by the peer. . Local Request MESSAGE ID stores the Message ID of the last request received by the local host. . Local Request MESSAGE ID stores the Message ID of the last response received by the local host. Anti-Replay Mechanism Configuration Attributes - Window Size # [RFC7296] section 2.3 - Optional Enable INVALID_MESSAGE_ID # [RFC7296] section 2.3 Anti-Replay Mechanism Operational Attributes (1 per IKE_SA) - Operational Window Size = 1 # [RFC7296] section 2.3 - Peer Request MESSAGE ID # [RFC7296] section 2.2 - Peer Response MESSAGE_ID # [RFC7296] section 2.2 - Local Request MESSAGE_ID # [RFC7296] section 2.2 - Local Response MESSAGE_ID # [RFC7296] section 2.2 Tran, et al. Expires September 18, 2016 [Page 6] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 IKEv2 Retransmission defines the necessary attributes to manage the retransmission of message by the IKEv2 daemon. Such attributes are not necessary for interoperability and as such are not defined in [RFC7296]. However, retransmission mechanism is described in [RFC7296] section 2.1. Although the configuration mechanism may be common to the IKEv2 daemon, the operational attributes are expected to be defined for each IKE_SA exchange. The number of parallel IKEv2 exchange is defined by Window Size. . Max Retries: [RFC7256] section 2.1 mentions that when retransmission fails, all states associated to the IKE SA MUST be removed. . Initial Retransmission Timeout: [RFC7256] section 2.1 mentions the retransmission timeout is not expected to be a fix value, but instead it should depend on the on number of retries. How the retransmission-timer value is set depends on the Retransmission Timer Policy. . Retransmission Timer Policy: defines of the Retransmission Timer should be computed. . Response Buffer Timeout: (section 2.1 of RFC7256). This timer set when the response buffer can be clean when the message ID is not being updated. It value is expected to be in the order of several minutes. . Retries: Defines the number of retries for a given exchange. The number of exchange is defined by the Window Size. . Retransmission Timeout: is an operational attribute that set how long the IKEv2 daemon should wait until a retransmission occurs. This attribute is derived from the Retransmission Timer Policy and the Initial Retransmission Timeout. . Retransmission Timer: is an operational attribute that defines the time the response is being waited for. When its value reaches, Retransmission Timeout, a retransmission occurs. This Timer is set for each exchange. . Response Buffer Timer: is an operational value that counts the time each Message ID is stored. There is a timer associated to each Message ID. IKEv2 Retransmission Configuration Attributes - Max Retries # [RFC7296] section 2.1 - Initial Retransmission Timeout # [RFC7296] section 2.1 - Retransmission Timeout Policy - Max Response Buffer Timeout # [RFC7296] section 2.1 - Keep-Alive Timeout - NAT Keep-Alive Timeout Tran, et al. Expires September 18, 2016 [Page 7] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 IKEv2 Retransmission Operational Attributes (Window Size per IKE_SA) - Retries - Retransmission Timeout - Retransmission Timer - Response Buffer Timer - Keep-Alive Timer - NAT Keep-Alive Timer IKEv2 COOKIE MECHANISM Configuration Attributes - COOKIE Lifetime - Half Open IKE_SA Threshold IKEv2 COOKIE MECHANISM Operational Attributes (Window Size per IKE_SA) - Half Open IKE_SA Counter IKEv2 VENDOR ID Configuration Attributes - OPAQUE VALUES 3.2. IKEv2_INIT Exchange This section provides the necessary configuration attributes so the IKE_INIT exchange can be performed. Authorized DH is an ordered list that contains DH Transform. DH Transforms are ordered by preference. Such ordering avoids setting an additional preference field. The Initiator will choose the first and most preferred DH Transform to initiate the IKE_INIT. The DH public key will be generated and the chosen DH Transform will be included into the Transform Type 4 of the SAi1. If the DH Transform is not accepted by the Responder, the Initiator may check the acceptable DH Transform of the responder is acceptable by the initiator. IKE_SA Proposals defines the proposals similarly to the proposals structure of SA1i. Note that the IKEv2 daemon is expected to place the appropriated Transform of Type 4, that it the chosen DH Transform. In addition, the IKEv2 daemons associates each transform to an ID to build SA1i. Tran, et al. Expires September 18, 2016 [Page 8] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 Optional IKE_INIT Responder CERTREQ indicates whether the Certification authority supported by the responder should be added into the response. Authorized Certification Authorities lists the CA considered by the responder. Supported IKEv2 Options defines the option supported by the IKEv2 daemon. Some options should be considered in the IKE_INIT exchange, other should be considered in the IKE_AUTH exchange. To avoid duplication of the supported IKEv2 Options, they are all indicated here. Each Option may be associated some specific configuration and operational attributes detailed. IKEv2_INIT Exchange Configuration Attributes: ## Attributes Model is common to object so it is defined as ## a preambule Attributes [list] - Attribute - Attribute Type - Attribute Value ## Ordered list of the authorized DH Authorized DH [list] - DH Transform - Name - Attributes ## Ordered list of proposals, the preference is indicated by the Num IKE_SA Proposals [list] - IKE_SA Proposal - Proposal Num # specify the order the proposals are sent. # Need to check there are no two identical # numbers - Protocol: IKE # It has a fix value - Transform Type 1: Encryption Algorithm [list] - ENCR Transform - Name - Attributes - Transform Type 2: PRF [list] - PRF Transform - Name - Transform Type 3: Integrity check Algorithm [list] - INTEG Transform Tran, et al. Expires September 18, 2016 [Page 9] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 - Name - Attributes ##- Transform Type 4: Diffie Hellman Group ## RFC7296 this MUST be the DH Transform used in the KEi ## lists the authorized Certification Authorities Authorized Certification_Authorities [list] - Certification Authority - Cert Encoding - Cert Value Optional IKE_INIT Responder CERTREQ ## IKEv2 options Supported IKEv2 Options ## sent during the IKE_INIT - NAT_DETECTION_SOURCE_IP - NAT_DETECTION_DESTINATION_IP - REDIRECT_SUPPORTED - IKEV2_FRAGMENTATION_SUPPORTED ## sent during the IKE_AUTH - MOBIKE_SUPPORTED - ROHC_SUPPORTED - CHILDLESS_IKEV2_SUPPORTED - IKEV2_MESSAGE_ID_SYNC_SUPPORTED - IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED - ERX_SUPPORTED - CLONE_IKE_SA_SUPPORTED Section 1 of [RFC7296] provides a description of the IKEv2 exchanges. The purpose of the first exchange is that the initiator and the responder are able to set a IKE SA. The IKE SA can be seen as a control channel between the initiator and the responder that will be used for further negotiations. To reach an agreement on the IKE SA, the initiator and the responder must agree on the SKEYSEED (KEi, Ni KEr, Nr payloads) that is a Diffie Hellman value and nonces used to derived the cryptographic keys for the IKE SA and further IPsec SA or Child SA. In addition, the initiator and the respond must agree on how the IKE SA will use the cryptographic material (SAi1, SAr1). Tran, et al. Expires September 18, 2016 [Page 10] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 The IKE_INIT exchange is represented below: Initiator Responder ------------------------------------------------------------------- HDR, SAi1, KEi, Ni --> <-- HDR, SAr1, KEr, Nr, [CERTREQ] All header of the IKEv2 payloads have a header which is built from the IKEv2 Header values as well as the IKE_SA for the SPI values. KEi is derived from Authorized DH that is an ordered list of DH parameters. The public key is not stored into the model and is computed by the initiator. The chosen transform MUST be inserted in Transform 4 of IKE_SA Proposal in SA1i. KEr is able to determine whether KEi is acceptable from the Authorized DH. In case the the KEi is not acceptable, the responder responds with an INVALID_KE_PAYLOAD. SAi1 is derived from IKE_SA Proposals and KEi SAr1: is derived by comparing the proposals from SA1i and the IKE_SA Proposals. The responder is able to chose the appropriated IKE proposal as well as to define whether none of the SAi1 is acceptable. Optional IKE_INIT Responder CERTREQ indicates whether the responder sends CERTREQ payloads, the following attribute should be defined. When set to true, one CERTREQ payload is provided per Certification Authority in the Authorized Certification Authority. When the NAT_DETECTION_SOURCE_IP, NAT_DETECTION_DESTINATION_IP, REDIRECT_SUPPORTED or IKEV2_FRAGMENTATION_SUPPORTED have been enabled, then additional notify payloads are added by the initiator. Unless not supported by the responder, the responder responds to them with an additional Notify payload. Tran, et al. Expires September 18, 2016 [Page 11] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 3.3. Creation of the IKE_SA In this model, it is assumed that the IKE_SA represents the relation between the initiator and the responder. It is expected that the IKE_SA model is created as soon as a peer initiates a IKE_INIT exchange as well as a peer receives a new IKE_INIT request. Of course this is implementation dependent, but the model relies on this assumption. The IKE_SA information model is represented with the following attributes: - Role: defines if the local peer acts as an initiator or as a responder. - Local IP address: defines the IP address used by the local peer. - Remote IP address: defines the IP address of the remote peer. - Cryptographic material is derived after the IKE_INIT exchange. The IKE_SA may keep the original material SKEYSEED and Nonces Ni, Nr used to generate the necessary keys SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi, SK_pr. The following keys are used to protect the exchange. - IKE SA Proposal: the agreed IKE_SA proposal. - IKEv2 Header: the header with the agreed SPI values. - IKEv2 Anti Replay Mechanism which contains the agreed (or to be agreed Window Size) and current Message IDs. According to RFC7296 section 2.2 Message IDs of the INKE_INIT exchange are set to 0 during the IKE_INIT exchange. - IKEv2 Retransmission CTX that contains the element to enable retransmission for all ongoing exchange. - IDi/IDr, Credentials are defined during the IKE_AUTH exchange. - Vendor IDs. - Supported IKEv2 Option CTX contains all necessary context associated to the different IKEv2 Options. Tran, et al. Expires September 18, 2016 [Page 12] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 IKE_SA Operational Attributes IKE_SA - Role - Local IP address - Remote IP address - Cryptographic material - SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi, SK_pr - SKEYSEED, Nonces - IKE_SA lifetime - IKE SA Proposal ## cf IKE_INIT section - IKEv2 Header ## cf Transport section - IKEv2 Anti Replay Mechanism ## cf Transport section - IKEv2 Retransmission CTX [list Window Size] ## cf Transport section - IKEv2 Retransmission - IDi ## cf IKE_AUTH section - IDr ## cf IKE_AUTH section - Credentials ## fc IKE_AUTH section - Vendor ID - Supported IKEv2 Option CTX [list] Tran, et al. Expires September 18, 2016 [Page 13] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 3.4. IKE_AUTH Exchange This section provides the attributes associated to the IKE_AUTH exchange. The IKE_AUTH and CREATE_CHILD_SA exchange is represented below. The IKE_AUTH exchange goal is to authenticate the respective peers and the CREATE_CHILD_SA exchange intends to creates the PIsec SA. HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr} --> <-- HDR, SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr} Authentication is performed by providing an identity as well as a proof of ownership associated to that identity. The Initiator and Responder may have multiple identities and choose one. The Initiator may choose a specific identity according to the expected responder, and vise versa, the responder may choose a specific identity according to the initiator identity (IDi) as well as the acceptable Certificate Authorities of the initiator (CERTREQ) or the Certificate Authority of the initiator, that is the one used in its Certificate (CERT). Available Signing Capabilities defines the signing capabilities of the IKEv2 daemon. A Signing capability is defined by a method and some Authentication Material such as a public key for example, or a certificate. Available Hash Capabilities and and Available Signature Verification defines which are the acceptable authentication method provided by the remote peer. In other words, outside these Signature Verification and Hash Capabilities the peer will not be able to be authenticated. The difference with Available Signing Capabilities is that in this case, no credentials are required. For example a RSA signature may be checked without the peer own a RSA private key. Has and Signature are placed in different attributes as a signature Tran, et al. Expires September 18, 2016 [Page 14] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 verification often results in a combination of these two structures. The authentication life time indicates when re-authentication needs to be performed. The minimum of the two values should be considered. Local IDs lists the various IDs the Local IKEv2 daemon may use to identify itself. The Preference field indicates which one should be used preferably, but in most cases, it is expected that the Local Id to use will depend on teh remote peer. Peer is the database of the Peer attributes. A Peer is defined by a list of IDr and a role. Once the Peer has been identified, it may be associated to some specific attributes to proceed the IKE_AUTH exchange. For example, suppose that the Local Peer want to set an IKE session with a Remote Peer, and both Peers have multiple IDs. When the Local Peer wants to reach the Remote Peer, it may use a specific IDi and request a specific IDr for that session. In addition, it can also redefine all configuration attributes previously defined for the IKE-Transport, IKE_INIT and IKE_AUTH. Note that The definition of the Preferred IDr is only mandatory when the Local Peer initiates the exchange, so when the Remote Peer is a responder. In that case, the IDi and IDr will be use to provide the appropriated parameters for the CREATE_CHILD_SA exchange. As detailed in Section 4.4.3 of RFC4301, the PAD use used to provide such binding. Optional attributes defines whether the optional payloads should be added or if an additional notification payload should be exchanged. IKEv2_AUTH Configuration Attributes Available Signing Capabilities [list] - Authentication Method - Authentication Method Name - Authentication Material - Authentication Material Type - Authentication Material Data ## CERT Authentication Material - Authentication Material Type = CERT - Authentication Material Data - Cert Encoding - Cert Value Tran, et al. Expires September 18, 2016 [Page 15] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 Available Hash Capabilities [list] - Hash Method - Authentication Life Time Available Signature Verification [list] - Authentication Method Name - Authentication Life Time Local IDs [list] - Local ID - preference - ID type - ID value Peers [list] - Peer - PeerIDs [list] # use to identify the peer - IDr - Role initiator / responder / any # this is only to make sure we can have different policies depending on who initiates the communication. - Sessions [list] - Session - Session Label - IDi ## When initiating an IKEv2 exchange with Peer - IDr ## Can set (redefine) all configuration attributes - IKE_Tranport Attributes - IKE_INIT Attributes - IKE_AUTH Attributes - ... - Optional Configuration Request - INTERNAL_ADDRESS - ... - Optional Configuration Reply - INTERNAL_ADDRESS Optional Enable INITIAL_CONTACT #[RFC7296] section 2.4 Optional IKE_AUTH Initiator CERTREQ Optional IKE_AUTH Initiator CERT Optional IKE_AUTH Initiator-IDr Optional IKE_AUTH Responder-CERT Tran, et al. Expires September 18, 2016 [Page 16] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 3.5. IKEv2 Configuration Data Model This section will present the YANG data model for IKEv2. The IKEv2 data model provides the appropriate leaves for configuring the IKEv2 protocol. The IKEv2 YANG data model has the following structure: module: ietf-ikev2 +--rw ikev2 {ikev2}? | +--rw transport {ikev2-transport}? | +--rw init {ikev2-init}? | +--rw sa {ikev2-sa}? | +--rw peer* [peer-address] {ikev2-peer}? The tree detail is: +--rw ikev2 {ikev2}? | +--rw transport {ikev2-transport}? | | +--rw base-info | | | +--rw major-version? uint8 | | | +--rw minor-version? uint8 | | | +--rw spi-generation-policy? string | | +--rw anti-replay-mechanism | | | +--rw window-size? uint32 | | | +--rw enable-notify-invalid-msg-id? empty {ikev2-transport-enable-notify- invalid-msg-id}? | | +--rw retransmision {ikev2-transport-retransmission}? | | | +--rw max-retries? uint32 | | | +--rw initial-retransmission-timeout? uint32 | | | +--rw retransmission-timeout-policy? string | | | +--rw max-response-buffer-timeout? uint32 | | | +--rw keepalive-timeout? uint32 | | | +--rw nat-keepalive-timeout? uint32 | | +--rw cookie-mechanism {ikev2-transport-cookie-mechanism}? | | | +--rw cookie-lifetime? uint32 | | | +--rw half-open-ike-sa-threshold? uint32 | | +--rw vendor-id? uint64 | +--rw init {ikev2-init}? | | +--rw authorized-dh* [dhg key-length] {ikev2-init-authorized-dh}? | | | +--rw dhg ikev2-crypto:ikev2-diffie-hellman-group-t | | | +--rw key-length uint32 | | +--rw proposal* [number] | | | +--rw name? string | | | +--rw description? string | | | +--rw transform-encr-algorithm* [encr-algorithm key-length] | | | | +--rw encr-algorithm ikev2-crypto:ikev2-encryption-algorithm-t | | | | +--rw key-length uint32 | | | +--rw transform-prf-algorithm* [prf-algorithm key-length] | | | | +--rw prf-algorithm ikev2-crypto:ikev2-pseudo-random-function-t Tran, et al. Expires September 18, 2016 [Page 17] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 | | | | +--rw key-length uint32 | | | +--rw transform-integrity-algorithm* [integrity-algorithm key-length] | | | | +--rw integrity-algorithm ikev2-crypto:ikev2-integrity-algorithm-t | | | | +--rw key-length uint32 | | | +--rw transform-dh* [dh key-length] | | | | +--rw dh ikev2-crypto:ikev2-diffie-hellman-group-t | | | | +--rw key-length uint32 | | | +--rw number uint32 | | | +--rw protocol? ikev2-crypto:ikev2-protocol-identifiers- t | | +--rw optional {ikev2-init-optional}? | | | +--rw nat-detection-source-ip {ikev2-init-nat-detection-src-ip}? | | | | +--rw (ip-address)? | | | | | +--:(ipv4-address) | | | | | | +--rw ipv4-address? inet:ipv4-address | | | | | +--:(ipv6-address) | | | | | +--rw ipv6-address? inet:ipv6-address | | | | +--rw nat-keepalive-interval? uint16 | | | +--rw nat-detection-destination-ip {ikev2-init-nat-detection-destination-ip}? | | | | +--rw (ip-address)? | | | | | +--:(ipv4-address) | | | | | | +--rw ipv4-address? inet:ipv4-address | | | | | +--:(ipv6-address) | | | | | +--rw ipv6-address? inet:ipv6-address | | | | +--rw nat-keepalive-interval? uint16 | | | +--rw redirect-supported? boolean {ikev2-init-redirect- supported}? | | | +--rw fragmentation-supported? boolean {ikev2-init-fragmentation- supported}? | | | +--rw mobike-supported? boolean {ikev2-auth-mobike- supported}? | | | +--rw rohc-supported? boolean {ikev2-auth-rohc- supported}? | | | +--rw childless-ikev2-supported? boolean {ikev2-auth-childless- supported}? | | | +--rw message-id-sync-supported? boolean {ikev2-auth-message-id- supported}? | | | +--rw ipsec-replay-counter-sync-supported? boolean {ikev2-auth-ipsec-replay- counter-sync-supported}? | | | +--rw erx-supported? boolean {ikev2-auth-erx- supported}? | | | +--rw clone-ike-sa-supported? boolean {ikev2-auth-clone-ike-sa- supported}? | | +--rw auth-method? ikev2-crypto:ikev2-authentication-method-t | | +--rw responder-certreq {ikev2-init-responder-certreq}? | | | +--rw cert-encoding? ikev2-crypto:ikev2-cert-encoding-t | | | +--rw cert-value? uint32 | | +--rw config-request | | | +--rw (ip-address)? | | | +--:(ipv4-address) | | | | +--rw ipv4-address? inet:ipv4-address | | | +--:(ipv6-address) | | | +--rw ipv6-address? inet:ipv6-address | | +--rw config-responder | | | +--rw (ip-address)? Tran, et al. Expires September 18, 2016 [Page 18] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 | | | +--:(ipv4-address) | | | | +--rw ipv4-address? inet:ipv4-address | | | +--:(ipv6-address) | | | +--rw ipv6-address? inet:ipv6-address | | +--rw authorized-cert-auth* [cert-encoding] {ikev2-init-authorized-certification- auth}? | | +--rw cert-encoding ikev2-crypto:ikev2-cert-encoding-t | | +--rw cert-value? uint32 | +--rw sa {ikev2-sa}? | | +--rw role? role-t | | +--rw local-ip-address | | | +--rw (ip-address)? | | | +--:(ipv4-address) | | | | +--rw ipv4-address? inet:ipv4-address | | | +--:(ipv6-address) | | | +--rw ipv6-address? inet:ipv6-address | | +--rw remote-ip-address | | | +--rw (ip-address)? | | | +--:(ipv4-address) | | | | +--rw ipv4-address? inet:ipv4-address | | | +--:(ipv6-address) | | | +--rw ipv6-address? inet:ipv6-address | | +--rw cryptgraphic? cryptographic-material-t | | +--rw lifetime? uint32 | | +--rw proposal? ikev2-proposal-number-ref | | +--rw base-info | | | +--rw major-version? uint8 | | | +--rw minor-version? uint8 | | | +--rw spi-generation-policy? string | | +--rw anti-replay-mechanism | | | +--rw window-size? uint32 | | | +--rw enable-notify-invalid-msg-id? empty {ikev2-transport-enable-notify- invalid-msg-id}? | | +--rw retransmistion-ctx* [window-id] | | | +--rw window-id uint32 | | | +--rw retransmision {ikev2-transport-retransmission}? | | | +--rw max-retries? uint32 | | | +--rw initial-retransmission-timeout? uint32 | | | +--rw retransmission-timeout-policy? string | | | +--rw max-response-buffer-timeout? uint32 | | | +--rw keepalive-timeout? uint32 | | | +--rw nat-keepalive-timeout? uint32 | | +--rw initiator-id | | | +--rw initiator-id-type? ikev2-crypto:pad-type-t | | | +--rw initiator-id? string | | +--rw responder-id | | | +--rw responder-id-type? ikev2-crypto:pad-type-t | | | +--rw responder-id? string | | +--rw cert-authentication-type? string | | +--rw cert-auth | | | +--rw cert-auth-encoding? ikev2-crypto:ikev2-cert-encoding-t | | | +--rw cert-auth-value? uint32 | | +--rw vendor-id? uint64 | | +--rw optional-ctx* [window-id] | | +--rw window-id uint32 Tran, et al. Expires September 18, 2016 [Page 19] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 | | +--rw optional {ikev2-init-optional}? | | +--rw nat-detection-source-ip {ikev2-init-nat-detection-src-ip}? | | | +--rw (ip-address)? | | | | +--:(ipv4-address) | | | | | +--rw ipv4-address? inet:ipv4-address | | | | +--:(ipv6-address) | | | | +--rw ipv6-address? inet:ipv6-address | | | +--rw nat-keepalive-interval? uint16 | | +--rw nat-detection-destination-ip {ikev2-init-nat-detection-destination- ip}? | | | +--rw (ip-address)? | | | | +--:(ipv4-address) | | | | | +--rw ipv4-address? inet:ipv4-address | | | | +--:(ipv6-address) | | | | +--rw ipv6-address? inet:ipv6-address | | | +--rw nat-keepalive-interval? uint16 | | +--rw redirect-supported? boolean {ikev2-init-redirect- supported}? | | +--rw fragmentation-supported? boolean {ikev2-init- fragmentation-supported}? | | +--rw mobike-supported? boolean {ikev2-auth-mobike- supported}? | | +--rw rohc-supported? boolean {ikev2-auth-rohc- supported}? | | +--rw childless-ikev2-supported? boolean {ikev2-auth-childless- supported}? | | +--rw message-id-sync-supported? boolean {ikev2-auth-message-id- supported}? | | +--rw ipsec-replay-counter-sync-supported? boolean {ikev2-auth-ipsec- replay-counter-sync-supported}? | | +--rw erx-supported? boolean {ikev2-auth-erx- supported}? | | +--rw clone-ike-sa-supported? boolean {ikev2-auth-clone-ike- sa-supported}? | +--rw peer* [peer-address] {ikev2-peer}? | +--rw peer-address string | +--rw role? role-t | +--rw peer-id-entries* [peer-id peer-id-type] | | +--rw peer-id-type ikev2-crypto:pad-type-t | | +--rw peer-id string | +--rw session* [session-label] | | +--rw session-label string | | +--rw initiator-id | | | +--rw initiator-id-type? ikev2-crypto:pad-type-t | | | +--rw initiator-id? string | | +--rw responder-id | | | +--rw responder-id-type? ikev2-crypto:pad-type-t | | | +--rw responder-id? string | | +--rw transport {ikev2-transport}? | | | +--rw base-info | | | | +--rw major-version? uint8 | | | | +--rw minor-version? uint8 | | | | +--rw spi-generation-policy? string | | | +--rw anti-replay-mechanism | | | | +--rw window-size? uint32 Tran, et al. Expires September 18, 2016 [Page 20] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 | | | | +--rw enable-notify-invalid-msg-id? empty {ikev2-transport-enable- notify-invalid-msg-id}? | | | +--rw retransmision {ikev2-transport-retransmission}? | | | | +--rw max-retries? uint32 | | | | +--rw initial-retransmission-timeout? uint32 | | | | +--rw retransmission-timeout-policy? string | | | | +--rw max-response-buffer-timeout? uint32 | | | | +--rw keepalive-timeout? uint32 | | | | +--rw nat-keepalive-timeout? uint32 | | | +--rw cookie-mechanism {ikev2-transport-cookie-mechanism}? | | | | +--rw cookie-lifetime? uint32 | | | | +--rw half-open-ike-sa-threshold? uint32 | | | +--rw vendor-id? uint64 | | +--rw init {ikev2-init}? | | | +--rw authorized-dh* [dhg key-length] {ikev2-init-authorized-dh}? | | | | +--rw dhg ikev2-crypto:ikev2-diffie-hellman-group-t | | | | +--rw key-length uint32 | | | +--rw proposal* [number] | | | | +--rw name? string | | | | +--rw description? string | | | | +--rw transform-encr-algorithm* [encr-algorithm key-length] | | | | | +--rw encr-algorithm ikev2-crypto:ikev2-encryption-algorithm-t | | | | | +--rw key-length uint32 | | | | +--rw transform-prf-algorithm* [prf-algorithm key-length] | | | | | +--rw prf-algorithm ikev2-crypto:ikev2-pseudo-random-function-t | | | | | +--rw key-length uint32 | | | | +--rw transform-integrity-algorithm* [integrity-algorithm key-length] | | | | | +--rw integrity-algorithm ikev2-crypto:ikev2-integrity-algorithm-t | | | | | +--rw key-length uint32 | | | | +--rw transform-dh* [dh key-length] | | | | | +--rw dh ikev2-crypto:ikev2-diffie-hellman-group-t | | | | | +--rw key-length uint32 | | | | +--rw number uint32 | | | | +--rw protocol? ikev2-crypto:ikev2-protocol- identifiers-t | | | +--rw optional {ikev2-init-optional}? | | | | +--rw nat-detection-source-ip {ikev2-init-nat-detection-src-ip}? | | | | | +--rw (ip-address)? | | | | | | +--:(ipv4-address) | | | | | | | +--rw ipv4-address? inet:ipv4-address | | | | | | +--:(ipv6-address) | | | | | | +--rw ipv6-address? inet:ipv6-address | | | | | +--rw nat-keepalive-interval? uint16 | | | | +--rw nat-detection-destination-ip {ikev2-init-nat-detection-destination- ip}? | | | | | +--rw (ip-address)? | | | | | | +--:(ipv4-address) | | | | | | | +--rw ipv4-address? inet:ipv4-address | | | | | | +--:(ipv6-address) | | | | | | +--rw ipv6-address? inet:ipv6-address | | | | | +--rw nat-keepalive-interval? uint16 | | | | +--rw redirect-supported? boolean {ikev2-init- redirect-supported}? | | | | +--rw fragmentation-supported? boolean {ikev2-init- fragmentation-supported}? Tran, et al. Expires September 18, 2016 [Page 21] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 | | | | +--rw mobike-supported? boolean {ikev2-auth-mobike- supported}? | | | | +--rw rohc-supported? boolean {ikev2-auth-rohc- supported}? | | | | +--rw childless-ikev2-supported? boolean {ikev2-auth- childless-supported}? | | | | +--rw message-id-sync-supported? boolean {ikev2-auth-message- id-supported}? | | | | +--rw ipsec-replay-counter-sync-supported? boolean {ikev2-auth-ipsec- replay-counter-sync-supported}? | | | | +--rw erx-supported? boolean {ikev2-auth-erx- supported}? | | | | +--rw clone-ike-sa-supported? boolean {ikev2-auth-clone- ike-sa-supported}? | | | +--rw auth-method? ikev2-crypto:ikev2-authentication-method-t | | | +--rw responder-certreq {ikev2-init-responder-certreq}? | | | | +--rw cert-encoding? ikev2-crypto:ikev2-cert-encoding-t | | | | +--rw cert-value? uint32 | | | +--rw config-request | | | | +--rw (ip-address)? | | | | +--:(ipv4-address) | | | | | +--rw ipv4-address? inet:ipv4-address | | | | +--:(ipv6-address) | | | | +--rw ipv6-address? inet:ipv6-address | | | +--rw config-responder | | | | +--rw (ip-address)? | | | | +--:(ipv4-address) | | | | | +--rw ipv4-address? inet:ipv4-address | | | | +--:(ipv6-address) | | | | +--rw ipv6-address? inet:ipv6-address | | | +--rw authorized-cert-auth* [cert-encoding] {ikev2-init-authorized- certification-auth}? | | | +--rw cert-encoding ikev2-crypto:ikev2-cert-encoding-t | | | +--rw cert-value? uint32 | | +--rw auth {ikev2-auth}? | | | +--rw avail-signing-capabilities* [auth-method-name] | | | | +--rw auth-method-name string | | | | +--rw auth-method? ikev2-crypto:ikev2-authentication-method-t | | | | +--rw auth-material-data? string | | | +--rw cert-auth | | | | +--rw cert-auth-encoding? ikev2-crypto:ikev2-cert-encoding-t | | | | +--rw cert-auth-value? uint32 | | | +--rw avail-hash* [hash-method] | | | | +--rw hash-method string | | | | +--rw auth-hash-lifetime? uint32 | | | +--rw avail-signature-verify* [signature-id] | | | | +--rw signature-id string | | | | +--rw signature-lifetime? uint32 | | | +--rw local-id* [host-id] | | | | +--rw host-id string | | | | +--rw preference? string | | | | +--rw id-type? string | | | | +--rw id-value? string | | | +--rw authorized-certificate-authority | | | +--rw cert-encoding? ikev2-crypto:ikev2-cert-encoding-t Tran, et al. Expires September 18, 2016 [Page 22] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 | | | +--rw cert-value? uint32 | | +--rw config-request | | | +--rw (ip-address)? | | | +--:(ipv4-address) | | | | +--rw ipv4-address? inet:ipv4-address | | | +--:(ipv6-address) | | | +--rw ipv6-address? inet:ipv6-address | | +--rw config-responder | | +--rw (ip-address)? | | +--:(ipv4-address) | | | +--rw ipv4-address? inet:ipv4-address | | +--:(ipv6-address) | | +--rw ipv6-address? inet:ipv6-address | +--rw preshared-key? string | +--rw nat-traversal? boolean Tran, et al. Expires September 18, 2016 [Page 23] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 3.6. IKEv2 Operation Data Model The IKEv2 data model provides the appropriate leaves for operational sattes of the IKEv2 protocol. The IKEv2 YANG data model has the following structure: +--ro ikev2-state {ikev2-state}? +--ro transport-state {ikev2-transport-state}? +--ro ike-sa-state* [initiator-spi responder-spi] The tree detail is: +--ro ikev2-state {ikev2-state}? +--ro ikev2-state {ikev2-state}? +--ro transport-state {ikev2-transport-state}? | +--ro major-version? uint8 | +--ro minor-version? uint8 | +--ro spi-generation-policy? string | +--ro exchange-type? ikev2-crypto:ikev2-exchange-type-t | +--ro flags? uint8 +--ro sa-state* [initiator-spi responder-spi] +--ro initiator-spi ipsec-spi +--ro responder-spi ipsec-spi +--ro retransmistion-ctx* [window-id] | +--ro window-id uint32 | +--ro retransmision {ikev2-transport-retransmission}? | +--ro max-retries? uint32 | +--ro initial-retransmission-timeout? uint32 | +--ro retransmission-timeout-policy? string | +--ro max-response-buffer-timeout? uint32 | +--ro keepalive-timeout? uint32 | +--ro nat-keepalive-timeout? uint32 +--ro anti-replay-mechanism | +--ro window-size? uint32 | +--ro peer-request-msg-id? uint32 | +--ro peer-response-msg-id? uint32 | +--ro local-request-msg-id? uint32 | +--ro local-response-msg-id? uint32 +--ro vendor-id? uint64 +--ro initiator-id | +--ro initiator-id-type? ikev2-crypto:pad-type-t | +--ro initiator-id? string +--ro responder-id | +--ro responder-id-type? ikev2-crypto:pad-type-t | +--ro responder-id? string +--ro auth {ikev2-auth}? | +--ro avail-signing-capabilities* [auth-method-name] | | +--ro auth-method-name string | | +--ro auth-method? ikev2-crypto:ikev2-authentication-method-t | | +--ro auth-material-data? string | +--ro cert-auth Tran, et al. Expires September 18, 2016 [Page 24] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 | | +--ro cert-auth-encoding? ikev2-crypto:ikev2-cert-encoding-t | | +--ro cert-auth-value? uint32 | +--ro avail-hash* [hash-method] | | +--ro hash-method string | | +--ro auth-hash-lifetime? uint32 | +--ro avail-signature-verify* [signature-id] | | +--ro signature-id string | | +--ro signature-lifetime? uint32 | +--ro local-id* [host-id] | | +--ro host-id string | | +--ro preference? string | | +--ro id-type? string | | +--ro id-value? string | +--ro authorized-certificate-authority | +--ro cert-encoding? ikev2-crypto:ikev2-cert-encoding-t | +--ro cert-value? uint32 +--ro half-open-ike-sa-counter? uint32 +--ro optional-ctx* [window-id] +--ro window-id uint32 +--ro optional {ikev2-init-optional}? +--ro nat-detection-source-ip {ikev2-init-nat-detection-src-ip}? | +--ro (ip-address)? | | +--:(ipv4-address) | | | +--ro ipv4-address? inet:ipv4-address | | +--:(ipv6-address) | | +--ro ipv6-address? inet:ipv6-address | +--ro nat-keepalive-interval? uint16 +--ro nat-detection-destination-ip {ikev2-init-nat-detection-destination- ip}? | +--ro (ip-address)? | | +--:(ipv4-address) | | | +--ro ipv4-address? inet:ipv4-address | | +--:(ipv6-address) | | +--ro ipv6-address? inet:ipv6-address | +--ro nat-keepalive-interval? uint16 +--ro redirect-supported? boolean {ikev2-init-redirect- supported}? +--ro fragmentation-supported? boolean {ikev2-init- fragmentation-supported}? +--ro mobike-supported? boolean {ikev2-auth-mobike- supported}? +--ro rohc-supported? boolean {ikev2-auth-rohc- supported}? +--ro childless-ikev2-supported? boolean {ikev2-auth-childless- supported}? +--ro message-id-sync-supported? boolean {ikev2-auth-message-id- supported}? +--ro ipsec-replay-counter-sync-supported? boolean {ikev2-auth-ipsec- replay-counter-sync-supported}? +--ro erx-supported? boolean {ikev2-auth-erx- supported}? +--ro clone-ike-sa-supported? boolean {ikev2-auth-clone-ike- sa-supported}? Tran, et al. Expires September 18, 2016 [Page 25] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 4. IKEv2 Crypto YANG Module This section will present the YANG data model for IKEv2 Crypto. file "ietf-ikev2-crypto@2016-02-26.yang" module ietf-ikev2-crypto { namespace "urn:ietf:params:xml:ns:yang:ietf-ikev2-crypto"; prefix ikev2-crypto; organization "Ericsson AB. Huawei Technologies India Pvt Ltd."; contact "Web: "; description "This YANG module defines the parameters"+ " for IANA, Internet Key Exchange Version 2 (IKEv2)"+ " Parameters."+ " "+ " Copyright (c) 2016 Ericsson AB."+ " All rights reserved."; revision 2016-02-26 { description "First revision."; reference "RFC 7296: Internet Key Exchange Protocol Version 2."; } /*--------------------*/ /* Typedefs */ /*--------------------*/ /* IKEv2 Exchange Types (ET) */ typedef ikev2-exchange-type-t { type enumeration { enum et-ike-sa-init { value 34; description "et-ike-sa-init - IKEv2 Exchange Types (ET)"; } enum et-ike-auth { value 35; description "et-ike-auth - IKEv2 Exchange Types (ET)"; } enum et-create-child-sa { value 36; Tran, et al. Expires September 18, 2016 [Page 26] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 description "et-create-child-sa - IKEv2 Exchange Types (ET)"; } enum et-informational { value 37; description "et-informational - IKEv2 Exchange Types (ET)"; } enum et-ike-session-resume { value 38; description "et-ike-session-resume - IKEv2 Exchange Types (ET)"; } enum et-gsa-auth { value 39; description "et-gsa-auth - IKEv2 Exchange Types (ET)"; } enum et-gsa-registration { value 40; description "et-gsa-registration - IKEv2 Exchange Types (ET)"; } enum et-gsa-rekey { value 41; description "et-gsa-rekey - IKEv2 Exchange Types (ET)"; } } description "IKEv2 Exchange Types (ET)."; } /* Transform Type Values (TTV), RFC 7296 */ typedef ikev2-transform-type-value-t { type enumeration { enum ttv-reserved-0 { value 0; description "ttv-reserved-0 - Transform Type Value (TTV)"+ " Reserved "; } enum ttv-encr { value 1; description "ttv-encr - Transform Type Value 1 (TTV),"+ " Encryption Algorithm "+ "(ENCR) used in IKE and ESP."; } Tran, et al. Expires September 18, 2016 [Page 27] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 enum ttv-prf { value 2; description "ttv-prf - Transform Type Value 2 (TTV),"+ " Pseudo-Random Function(PRF) used in IKE."; } enum ttv-integ { value 3; description "ttv-integ - Transform Type Value 3 (TTV),"+ " Integrity Algorithm"+ " (INTEG) used in IKE, AH, optional ESP."; } enum ttv-dh { value 4; description "ttv-dh - Transform Type Value 4 (TTV),"+ " Diffie-Hellman (DH)"+ " used in IKE, optional AH and ESP."; } enum ttv-esn { value 5; description "ttv-esn - Transform Type Value 5 (TTV),"+ " Extended Sequence"+ " Numbers (ESN) used in AH and ESP."; } } description "IKEv2 Transform Type Values ((TTV)."; } /* IKEv2 Transform Attribute Types (TAT) */ typedef ikev2-transform-attribute-type-t { type enumeration { enum tat-reserved-0 { value 0; description "tat-reserved-0 - IKEv2 Transform Attribute "+ "Type (TAT) Reserved-0"; } enum tat-reserved-1 { value 1; description "tat-reserved-1 - IKEv2 Transform Attribute "+ "Type (TAT) Reserved-1"; } enum tat-reserved-13 { value 13; Tran, et al. Expires September 18, 2016 [Page 28] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 description "ikev2-tat-reserved-13 - IKEv2 Transform Attribute "+ "Type (TAT) Reserved-13"; } enum tat-key-length { value 41; description "ikev2-tat-key-length - IKEv2 Transform Attribute "+ "Type (TAT) KEY LENGTH (in bits)"; } } description "IKEv2 Transform Attribute Types (TAT)"; } /* Transform Type 1 (Encryption Algorithm) Transform IDs */ typedef ikev2-encryption-algorithm-t { type enumeration { enum encr-reserved-0 { value 0; description "encr-reserved-0 - IKEv2 Encryption Algorithm Transform"; } enum encr-des-iv4 { value 1; description "encr-des-iv4 - IKEv2 Encryption Algorithm Transform"; } enum encr-des { value 2; description "encr-des - IKEv2 Encryption Algorithm Transform"; } enum encr-3des { value 3; description "encr-3des - IKEv2 Encryption Algorithm Transform"; } enum encr-rc5 { value 4; description "encr-rc5 - IKEv2 Encryption Algorithm Transform"; } enum encr-idea { value 5; description "encr-idea - IKEv2 Encryption Algorithm Transform"; } enum encr-cast { Tran, et al. Expires September 18, 2016 [Page 29] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 value 6; description "encr-cast - IKEv2 Encryption Algorithm Transform"; } enum encr-blowfish { value 7; description "encr-blowfish - IKEv2 Encryption Algorithm Transform"; } enum encr-3idea { value 8; description "encr-3idea - IKEv2 Encryption Algorithm Transform"; } enum encr-des-iv32 { value 9; description "encr-des-iv32 - IKEv2 Encryption Algorithm Transform"; } enum encr-reserved-10 { value 10; description "encr-reserved-10 - IKEv2 Encryption Algorithm"+ " Transform"; } enum encr-null { value 11; description "encr-null - IKEv2 Encryption Algorithm Transform"; } enum encr-aes-cbc { value 12; description "encr-aes-cbc - IKEv2 Encryption Algorithm Transform"; } enum encr-aes-ctr { value 13; description "encr-aes-ctr - IKEv2 Encryption Algorithm Transform"; } enum encr-aes-ccm-8 { value 14; description "encr-aes-ccm-8 - IKEv2 Encryption Algorithm Transform"; } enum encr-aes-ccm-12 { value 15; description "encr-aes-ccm-12 - IKEv2 Encryption Algorithm"+ Tran, et al. Expires September 18, 2016 [Page 30] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 " Transform"; } enum encr-aes-ccm-16 { value 16; description "encr-aes-ccm-16 - IKEv2 Encryption Algorithm"+ " Transform"; } enum encr-reserved-17 { value 17; description "encr-reserved-17 - IKEv2 Encryption Algorithm"+ " Transform"; } enum encr-aes-gcm-8-icv { value 18; description "encr-aes-gcm-8-icv - IKEv2 Encryption Algorithm"+ " Transform"; } enum encr-aes-gcm-12-icv { value 19; description "encr-aes-gcm-12-icv - IKEv2 Encryption Algorithm"+ " Transform"; } enum encr-aes-gcm-16-icv { value 20; description "encr-aes-gcm-16-icv - IKEv2 Encryption Algorithm"+ " Transform"; } enum encr-null-auth-aes-gmac { value 21; description "encr-null-auth-aes-gmac - IKEv2 Encryption Algorithm"+ " Transform"; } enum encr-ieee-p1619-xts-aes { value 22; description "encr-ieee-p1619-xts-aes - IKEv2 Encryption Algorithm"+ " Transform IEEE P1619 XTS-AES."; } enum encr-camellia-cbc { value 23; description "encr-camellia-cbc - IKEv2 Encryption Algorithm"+ " Transform"; Tran, et al. Expires September 18, 2016 [Page 31] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 } enum encr-camellia-ctr { value 24; description "encr-camellia-ctr - IKEv2 Encryption Algorithm"+ " Transform"; } enum encr-camellia-ccm-8-icv { value 25; description "encr-camellia-ccm-8-icv - IKEv2 Encryption Algorithm"+ " Transform"; } enum encr-camellia-ccm-12-icv { value 26; description "encr-camellia-ccm-12-icv - IKEv2 Encryption Algorithm"+ " Transform"; } enum encr-camellia-ccm-16-icv { value 27; description "encr-camellia-ccm-16-icv - IKEv2 Encryption Algorithm"+ " Transform"; } enum encr-chacha20-poly1305 { value 28; description "encr-chacha20-poly1305 - IKEv2 Encryption Algorithm"+ " Transform"; } enum encr-aes-cbc-128 { value 1024; description "encr-aes-cbc-128 - IKEv2 Encryption Algorithm Transform"; } enum encr-aes-cbc-192 { value 1025; description "encr-aes-cbc-192 - IKEv2 Encryption Algorithm Transform"; } enum encr-aes-cbc-256 { value 1026; description "encr-aes-cbc-256 - IKEv2 Encryption Algorithm Transform"; } enum encr-blowfish-128 { value 1027; description Tran, et al. Expires September 18, 2016 [Page 32] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 "encr-blowfish-128 - IKEv2 Encryption Algorithm"+ " Transform"; } enum encr-blowfish-192 { value 1028; description "encr-blowfish-192 - IKEv2 Encryption Algorithm"+ " Transform"; } enum encr-blowfish-256 { value 1029; description "encr-blowfish-256 - IKEv2 Encryption Algorithm"+ " Transform"; } enum encr-blowfish-448 { value 1030; description "encr-blowfish-448 - IKEv2 Encryption Algorithm"+ " Transform"; } enum encr-camellia-128 { value 1031; description "encr-camellia-128 - IKEv2 Encryption Algorithm"+ " Transform"; } enum encr-camellia-192 { value 1032; description "encr-camellia-192 - IKEv2 Encryption Algorithm"+ " Transform"; } enum encr-camellia-256 { value 1033; description "encr-camellia-256 - IKEv2 Encryption Algorithm"+ " Transform"; } } description "Transform Type 1 - IKEv2 Encryption Algorithm Transformm"+ " IDs"; } /* Transform Type 2 (Pseudo-Random Function PRF) Transform IDs */ typedef ikev2-pseudo-random-function-t { type enumeration { enum prf-reserved-0 { Tran, et al. Expires September 18, 2016 [Page 33] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 value 0; description "prf-reserved-0 - IKEv2 Pseudo-Random Function (PRF)"; } enum prf-hmac-md5 { value 1; description "prf-hmac-md5 - IKEv2 Pseudo-Random Function (PRF)"; } enum prf-hmac-sha1 { value 2; description "prf-hmac-sha1 - IKEv2 Pseudo-Random Function (PRF)"; } enum prf-hmac-tiger { value 3; description "prf-hmac-tiger - IKEv2 Pseudo-Random Function (PRF)"; } enum prf-aes128-xcbc { value 4; description "prf-aes128-xcbc - IKEv2 Pseudo-Random Function (PRF)"; } enum prf-hmac-sha2-256 { value 5; description "prf-hmac-sha2-256 - IKEv2 Pseudo-Random Function (PRF)"; } enum prf-hmac-sha2-384 { value 6; description "prf-hmac-sha2-384 - IKEv2 Pseudo-Random Function (PRF)"; } enum prf-hmac-sha2-512 { value 7; description "prf-hmac-sha2-512 - IKEv2 Pseudo-Random Function (PRF)"; } enum prf-aes128-cmac { value 8; description "prf-aes128-cmac - IKEv2 Pseudo-Random Function (PRF)"; } } description "Transform Type 2 - IKEv2 Pseudo-Random Function (PRF)"+ " Transform IDs"; } Tran, et al. Expires September 18, 2016 [Page 34] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 /* Transform Type 3 (Integrity Algorithm) Transform IDs */ typedef ikev2-integrity-algorithm-t { type enumeration { enum auth-none { value 0; description "auth-none - IKEv2 Integrity Algorithm"; } enum auth-hmac-md5-96 { value 1; description "auth-hmac-md5-96 - IKEv2 Integrity Algorithm"; } enum auth-hmac-sha1-96 { value 2; description "auth-hmac-sha1-96 - IKEv2 Integrity Algorithm"; } enum auth-des-mac { value 3; description "auth-des-mac - IKEv2 Integrity Algorithm"; } enum auth-kpdk-md5 { value 4; description "auth-kpdk-md5 - IKEv2 Integrity Algorithm"; } enum auth-aes-xcbc-96 { value 5; description "auth-aes-xcbc-96 - IKEv2 Integrity Algorithm"; } enum auth-hmac-md5-128 { value 6; description "auth-hmac-md5-128 - IKEv2 Integrity Algorithm"; } enum auth-hmac-sha1-160 { value 7; description "auth-hmac-sha1-160 - IKEv2 Integrity Algorithm"; } enum auth-aes-cmac-96 { value 8; description "auth-aes-cmac-96 - IKEv2 Integrity Algorithm"; } Tran, et al. Expires September 18, 2016 [Page 35] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 enum auth-aes-128-gmac { value 9; description "auth-aes-128-gmac - IKEv2 Integrity Algorithm"; } enum auth-aes-192-gmac { value 10; description "auth-aes-192-gmac - IKEv2 Integrity Algorithm"; } enum auth-aes-256-gmac { value 11; description "auth-aes-256-gmac - IKEv2 Integrity Algorithm"; } enum auth-hmac-sha2-256-128 { value 12; description "auth-hmac-sha2-256-128 - IKEv2 Integrity Algorithm"; } enum auth-hmac-sha2-384-192 { value 13; description "auth-hmac-sha2-384-192 - IKEv2 Integrity Algorithm"; } enum auth-hmac-sha2-512-256 { value 14; description "auth-hmac-sha2-512-256 - IKEv2 Integrity Algorithm"; } enum auth-hmac-sha2-256-96 { value 1024; description "auth-hmac-sha2-256-96 - IKEv2 Integrity Algorithm"; } } description "Transform Type 3 - IKEv2"+ " Integrity Algorithms Transform IDs"; } /* Transform Type 4 (Diffie-Hellman Group) Transform IDs */ typedef ikev2-diffie-hellman-group-t { type enumeration { enum dh-group-none { value 0; description "dh-group-none - IKEv2 Diffie-Hellman Group (DH)"; } Tran, et al. Expires September 18, 2016 [Page 36] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 enum dh-modp-768-group-1 { value 1; description "dh-modp-768-group-1 - IKEv2 Diffie-Hellman Group (DH)"; } enum dh-modp-1024-group-2 { value 2; description "dh-modp-1024-group-2 - IKEv2 Diffie-Hellman Group (DH)"; } enum dh-modp-1536-group-5 { value 5; description "dh-modp-1536-group-5 - IKEv2 Diffie-Hellman Group (DH)"; } enum dh-modp-2048-group-14 { value 14; description "dh-modp-2048-group-14 - IKEv2 Diffie-Hellman Group (DH)"; } enum dh-modp-3072-group-15 { value 15; description "dh-modp-3072-group-15 - IKEv2 Diffie-Hellman Group (DH)"; } enum dh-modp-4096-group-16 { value 16; description "dh-modp-4096-group-16 - IKEv2 Diffie-Hellman Group (DH)"; } enum dh-modp-6144-group-17 { value 17; description "dh-modp-6144-group-17 - IKEv2 Diffie-Hellman Group (DH)"; } enum dh-modp-8192-group-18 { value 18; description "dh-modp-8192-group-18 - IKEv2 Diffie-Hellman Group (DH)"; } enum dh-recp-256-group-19 { value 19; description "dh-recp-256-group-19 - IKEv2 Diffie-Hellman Group (DH)"; } enum dh-recp-384-group-20 { value 20; description "dh-recp-384-group-20 - IKEv2 Diffie-Hellman Group (DH)"; Tran, et al. Expires September 18, 2016 [Page 37] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 } enum dh-recp-521-group-21 { value 21; description "dh-recp-521-group-21 - IKEv2 Diffie-Hellman Group (DH)"; } enum dh-modp-1024-160-pos-group-22 { value 22; description "dh-modp-1024-160-pos-group-22 - IKEv2 Diffie-Hellman"+ " Group (DH)"; } enum dh-modp-2048-224-pos-group-23 { value 23; description "dh-modp-2048-224-pos-group-23 - IKEv2 Diffie-Hellman"+ " Group (DH)"; } enum dh-modp-2048-256-pos-group-24 { value 24; description "dh-modp-2048-256-pos-group-24 - IKEv2 Diffie-Hellman"+ " Group (DH)"; } enum dh-recp-192-group-25 { value 25; description "dh-recp-192-group-25 - IKEv2 Diffie-Hellman Group (DH)"; } enum dh-recp-224-group-26 { value 26; description "dh-recp-224-group-26 - IKEv2 Diffie-Hellman Group (DH)"; } enum dh-brainpool-ip-224-r1 { value 27; description "dh-brainpool-ip-224-r1 - IKEv2 Diffie-Hellman Group"+ " (DH)"; } enum dh-brainpool-ip-256-r1 { value 28; description "dh-brainpool-ip-256-r1 - IKEv2 Diffie-Hellman Group"+ " (DH)"; } enum dh-brainpool-ip-384-r1 { value 29; description Tran, et al. Expires September 18, 2016 [Page 38] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 "dh-brainpool-ip-384-r1 - IKEv2 Diffie-Hellman Group"+ " (DH)"; } enum dh-brainpool-ip-512-r1 { value 30; description "dh-brainpool-ip-512-r1 - IKEv2 Diffie-Hellman Group"+ " (DH)"; } } description "Transform Type 4 - IKEv2"+ " Diffie-Hellman Groups (DH) Transform IDs"; } /* Transform Type 5 (Extended Sequence Numbers ESN Transform IDs) */ typedef ikev2-extended-sequence-number-t { type enumeration { enum esn-none { value 0; description "esn-none - IKEv2 Extended Sequence Number"; } enum esn-1 { value 1; description "esn-1 - IKEv2 Extended Sequence Number"; } } description "Transform Type 5 - IKEv2 Extended Sequence Number (ESN)"; } typedef ikev2-connection-type-t { type enumeration { enum initiator-only { value 0; description "initiator-only: ME will act as initiator for"+ " bringing up IKEv2"+ " session with its IKE peer."; } enum responder-only { value 1; description "responder-only: ME will act as responder for"+ " bringing up IKEv2"+ " session with its IKE peer."; } enum both { Tran, et al. Expires September 18, 2016 [Page 39] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 value 2; description "both: ME can act as initiator or responder."; } } description "IKEv2 Connection type for IKE session."; } typedef ikev2-transport-protocol-name-t { type enumeration { enum tcp { value 1; description "Transmission Control Protocol (TCP) Transport Protocol."; } enum udp { value 2; description "User Datagram Protocol (UDP) Transport Protocol"; } enum sctp { value 3; description "Stream Control Transmission Protocol (SCTP) Transport "+ "Protocol"; } enum icmp { value 4; description "Internet Control Message Protocol (ICMP) Transport "+ "Protocol"; } } description "Enumeration of well known transport protocols."; } typedef preshared-key-t { type string; description "Derived string used as Pre-Shared Key."; } typedef pad-type-t { type enumeration { enum id-ipv4-addr { value 1; description "A single four (4) octet IPv4 address"; Tran, et al. Expires September 18, 2016 [Page 40] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 } enum id-fdqn { value 2; description "A fully-qualified domain name string."; } enum id-rfc822-addr { value 3; description "A fully-qualified RFC 822 email address string"; } enum id-ipv6-addr { value 5; description "A single sixteen (16) octet IPv6 address"; } enum id-der-asn1-dn { value 9; description "The binary Distinguished Encoding Rules (DER) encoding"+ " of an ASN.1 X.500 Distinguished Name"; } enum id-der-asn1-gn { value 10; description "The binary Distinguished Encoding Rules (DER) encoding"+ " of an ASN.1 X.509 General Name"; } enum id-key { value 11; description "Key ID (exact match only). An opaque octet stream that"+ " may be used to pass vendor-specific information"+ " necessary to do certain proprietary types of"+ " identification"; } enum id-any { value 100; description "Optional: openIKEv2.conf"; } } description "Peer Authorization Database (PAD) Type"; } typedef ikev2-protocol-identifiers-t { type enumeration { enum "reserved-0" { Tran, et al. Expires September 18, 2016 [Page 41] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 value 0; description "Reserved IKEv2 Security Protocol Identifier"; } enum "ike" { value 1; description "Internet Key Exchange (IKE) Protocol Identifier"; } enum "ah" { value 2; description "Authentication Header (AH) Protocol Identifier"; } enum "esp" { value 3; description "Encapsulating Security Payload (ESP) Protocol"+ " Identifier"; } enum "fc_esp_header" { value 4; description "Fibre Channel Encapsulating Security Payload Header"; } enum "fc_ct_authentication" { value 5; description "Fibre Channel Common Transport Authentication"; } } description "IKEv2 Security Protocol Identifiers"; } typedef ikev2-authentication-method-t { type enumeration { enum auth-preshared { value 0; description "authorization preshared - IKEv2 Authentication Method"; } enum rsa-digital-signature { value 1; description "rsa-digital-signature - IKEv2 Authentication Method"; } enum shared-key-msg-integrity-code { value 2; Tran, et al. Expires September 18, 2016 [Page 42] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 description "shared-key-msg-integrity-code - IKEv2 Authentication"+ " Method"; } enum dss-digital-signature { value 3; description "dss-digital-signature - IKEv2 Authentication Method"; } enum ecdsa-sha-256-p256-curve { value 9; description "ecdsa-sha-256-p256-curve - IKEv2 Authentication Method"; } enum ecdsa-sha-384-p384-curve { value 10; description "ecdsa-sha-384-p384-curve - IKEv2 Authentication Method"; } enum ecdsa-sha-512-p512-curve { value 11; description "ecdsa-sha-512-p512-curve - IKEv2 Authentication Method"; } enum generic-secure-passwd-auth-method { value 12; description "generic-secure-passwd-auth-method - IKEv2"+ " Authentication Method"; } enum null-auth-method { value 13; description "null-auth-method - IKEv2 Authentication Method"; } enum digital-signature { value 14; description "digital-signature - IKEv2 Authentication Method"; } } description "IKEv2 Authentication Methods"; } typedef ikev2-traffic-selector-types-t { type enumeration { enum "ts-ipv4-addr-range" { value 7; description Tran, et al. Expires September 18, 2016 [Page 43] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 "ts-ipv4-addr-range - IKEv2 Traffic Selector Type (TS)"; } enum "ts-ipv6-addr-range" { value 8; description "ts-ipv6-addr-range - IKEv2 Traffic Selector Type (TS)"; } enum "ts-fc-addr-range" { value 9; description "ts-fc-addr-range - IKEv2 Traffic Selector Type (TS)"; } } description "IKEv2 Traffic Selector Types"; } typedef ikev2-cert-encoding-t { type enumeration { enum cert-pkcs-7-wrapped-x509 { value 1; description "PKCS #7 wrapped X.509 certificate"; } enum cert-pgp { value 2; description "PGP Certificate"; } enum cert-dns-signed-key { value 3; description "DNS Signed Key"; } enum cert-x509-signature { value 4; description "X.509 Certificate - Signature"; } enum cert-kerberos-token { value 6; description "Kerberos Token"; } enum cert-revocation-list { value 7; description "Certificate Revocation List (CRL)"; } Tran, et al. Expires September 18, 2016 [Page 44] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 enum cert-authority-revocation-list { value 8; description "Authority Revocation List (ARL)"; } enum cert-spki { value 9; description "SPKI Certificate"; } enum cert-x509-attribute { value 10; description "X.509 Certificate - Attribute"; } enum cert-raw-rsa-key { value 11; description "Raw RSA Key"; } enum cert-hash-url-x509 { value 12; description "Hash and URL of X.509 certificate"; } enum cert-hash-url-x509-bundle { value 13; description "Hash and URL of X.509 bundle"; } enum cert-ocsp-content { value 14; description "OCSP Content"; } enum cert-raw-public-key { value 15; description "Raw Public Key"; } } description "Type of Certificate Encoding"; } } Tran, et al. Expires September 18, 2016 [Page 45] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 5. IKEv2 YANG Module This section will present the YANG data model for IKEv2. file "ietf-ikev2@2016-03-10.yang" module ietf-ikev2 { namespace "urn:ietf:params:xml:ns:yang:ietf-ikev2"; prefix "ikev2"; import "ietf-ikev2-crypto" { prefix "ikev2-crypto"; } import ietf-inet-types { prefix inet; } organization "Ericsson AB. Huawei Technologies India Pvt Ltd."; contact "Web: "; description "This YANG module defines the configuration and operational state data for Internet Key Exchange version 2 (IKEv2) on IETF draft. Copyright (c) 2016 Ericsson AB. All rights reserved."; revision 2016-03-10 { description "First revision."; reference "YANG Data model for Internet Protocol Security - IPSec. draft-tran-ipecme-yang-ipsec-00. draft-wang-ipsecme-ike-yang-00. draft-wang-ipsecme-ipsec-yang-00."; } /*--------------------*/ /* Feature */ /*--------------------*/ feature ikev2 { description "Feature IKEv2"; Tran, et al. Expires September 18, 2016 [Page 46] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 } feature ikev2-transport { description "Common IKEv2 Transport attributes"; } feature ikev2-transport-anti-replay-mechanism { description "Optional: Enable INVALID_MESSAGE_ID defines whether an"+ " optional INVALID_MESSAGE_ID Notify Payload is sent when"+ " the IKEv2 message received is outside the Operational"+ " Window Size"; } feature ikev2-transport-enable-notify-invalid-msg-id { description "Feature IKEv2 Transport enable notify of invalid message id"; } feature ikev2-transport-retransmission { description "Feature IKEv2 Transport retransmission"; } feature ikev2-transport-cookie-mechanism { description "Feature IKEv2 Transport Cookie mechanism"; } feature ikev2-init { description "Feature IKEv2 INIT"; } feature ikev2-init-authorized-dh { description "Feature IKEv2 INIT authorized Diffie-Hellman (DH)"; } feature ikev2-init-authorized-certification-auth { description "Feature IKEv2 INIT authorized certification author"; } feature ikev2-init-nat-detection-src-ip { description "Feature IKEv2 INIT NAT Detection Source IP Address"; } feature ikev2-init-nat-detection-destination-ip { description Tran, et al. Expires September 18, 2016 [Page 47] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 "Feature IKEv2 INIT Detection Destination IP Address"; } feature ikev2-init-redirect-supported { description "Feature IKEv2 INIT Redirect Supported"; } feature ikev2-init-fragmentation-supported { description "Feature IKEv2 INIT Fragmentation Supported"; } feature ikev2-init-responder-certreq { description "Feature IKEv2 INIT Responder CERTREQ"; } feature ikev2-init-optional { description "Feature IKEv2 INIT Optional Attributes"; } feature ikev2-auth-mobike-supported { description "Feature IKEv2 AUTH Mobike Supported"; } feature ikev2-auth-rohc-supported { description "Feature IKEv2 AUTH RObust Header Compression ROHC Supported"; } feature ikev2-auth-childless-supported { description "Feature IKEv2 AUTH Childless Supported"; } feature ikev2-auth-message-id-supported { description "Feature IKEv2 AUTH Message ID supported"; } feature ikev2-auth-ipsec-replay-counter-sync-supported { description "Feature IKEv2 AUTH IPSec Replay Counter Sync Supported"; } feature ikev2-auth-erx-supported { description "Feature IKEv2 AUTH ERX Supported"; Tran, et al. Expires September 18, 2016 [Page 48] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 } feature ikev2-auth-clone-ike-sa-supported { description "Feature IKEv2 AUTH Clone IKE-SA Supported"; } feature ikev2-sa { description "Feature IKEv2 Security Association (SA)"; } feature ikev2-auth { description "Feature IKEv2 AUTH"; } feature ikev2-peer { description "Feature IKEv2 Peer"; } feature ikev2-state { description "IKEv2 Operational State"; } feature ikev2-proposal-state { description "IKEv2 Proposal Operational State"; } feature ikev2-transport-state { description "IKEv2 Transport State"; } /*--------------------*/ /* Typedefs */ /*--------------------*/ typedef ipsec-spi { type uint64 { range "1..max"; } description "Security Parameter Index SPI"; } Tran, et al. Expires September 18, 2016 [Page 49] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 typedef transport-protocol-name-t { type enumeration { enum tcp { value 1; description "Transmission Control Protocol (TCP) Transport Protocol."; } enum udp { value 2; description "User Datagram Protocol (UDP) Transport Protocol"; } enum sctp { value 3; description "Stream Control Transmission Protocol (SCTP) Transport "+ "Protocol"; } enum icmp { value 4; description "Internet Control Message Protocol (ICMP) Transport "+ "Protocol"; } } description "Enumeration of well known transport protocols."; } typedef role-t { type enumeration { enum any { value 0; description "Role: Any"; } enum initiator { value 1; description "Role: Initiator"; } enum responder { value 2; description "Role: Responder"; } } description Tran, et al. Expires September 18, 2016 [Page 50] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 "Role Type"; } typedef cryptographic-material-t { type enumeration { enum sk-d { value 0; description "SK_d"; } enum sk-ai { value 1; description "SK_ai"; } enum sk-ar { value 2; description "SK_ar"; } enum sk-ei { value 3; description "SK_ei"; } enum sk-er { value 4; description "SK_er"; } enum sk-pi { value 5; description "SK_pi"; } enum sk-pr { value 6; description "SK_pr"; } enum skeyseed { value 7; description "SKEYSEED"; } enum nonces { value 8; description "Nonces"; Tran, et al. Expires September 18, 2016 [Page 51] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 } } description "Cryptographic Material Type"; } typedef ikev2-proposal-number-ref { type leafref { path "/ikev2/init/proposal/number"; } description "reference to IKEv2 proposal number"; } typedef ikev2-transport-base-mjver-ref { type leafref { path "/ikev2/transport/base-info/major-version"; } description "reference to IKEv2 Transport Base Information Major Version"; } typedef ikev2-transport-base-mnver-ref { type leafref { path "/ikev2/transport/base-info/minor-version"; } description "reference to IKEv2 Transport Base Information Minor Version"; } typedef ikev2-transport-base-spi-gen-policy-ref { type leafref { path "/ikev2/transport/base-info/spi-generation-policy"; } description "reference to IKEv2 Transport Base Information SPI Generation Policy"; } typedef ikev2-transport-anti-replay-mechanism-window-size-ref { type leafref { path "/ikev2/transport/anti-replay-mechanism/window-size"; } description "reference to IKEv2 Transport Anti Replay Mechanism Window Size"; } Tran, et al. Expires September 18, 2016 [Page 52] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 typedef ikev2-transport-anti-replay-mechanism-enable-notify-ref { type leafref { path "/ikev2/transport/anti-replay-mechanism/"+ "enable-notify-invalid-msg-id"; } description "reference to IKEv2 Transport Anti Replay Mechanism Enable Notify Invalid Message ID"; } /*--------------------*/ /* grouping */ /*--------------------*/ /* The following groupings are used in both configuration data and operational state data */ grouping name-grouping { description "This grouping provides a leaf identifying the name."; leaf name { type string; description "Name of a identifying."; } leaf description { type string; description "Specify the description."; } } grouping ip-address-grouping { description "IP Address grouping"; choice ip-address { description "Choice of IPv4 or IPv6."; leaf ipv4-address { type inet:ipv4-address; description "Specifies the identity as a single four (4) octet IPv4 address. An example is, 10.10.10.10. "; } leaf ipv6-address { type inet:ipv6-address; description Tran, et al. Expires September 18, 2016 [Page 53] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 "Specifies the identity as a single sixteen (16) "+ "octet IPv6 address. "+ "An example is, "+ "FF01::101, 2001:DB8:0:0:8:800:200C:417A ."; } } } grouping certificate-auth-grouping { description "Certificate Authority"; leaf cert-encoding { type ikev2-crypto:ikev2-cert-encoding-t; description "Certificate Authority Encoding"; } leaf cert-value { type uint32; description "Certificate Authority value"; } } grouping sequence-number-grouping { description "This grouping provides a leaf identifying a sequence number."; leaf sequence-number { type uint32 { range "1..4294967295"; } description "Specify the sequence number."; } } grouping description-grouping { description "description for free use."; leaf description { type string; description "description for free use."; } } grouping transform-encr-algorithm-grouping { description "Transform Type 1, Encryption Algorithm"; Tran, et al. Expires September 18, 2016 [Page 54] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 list transform-encr-algorithm { key "encr-algorithm key-length"; leaf encr-algorithm { type ikev2-crypto:ikev2-encryption-algorithm-t; description "IKEv2 Transform Type 1, Encryption Algorithm"; } leaf key-length { type uint32; description "IKEv2 Transform Type 1, key length for Encryption"+ " Algorithm"; } description "IKEv2 Transform Type 1, Encryption Algorithm"; } } grouping transform-prf-algorithm-grouping { description "IKEv2 Transform Type 2, Pseudo-Random Function PRF"; list transform-prf-algorithm { key "prf-algorithm key-length"; leaf prf-algorithm { type ikev2-crypto:ikev2-pseudo-random-function-t; description "IKEv2 Transform Type 2, Pseudo-Random Function"+ " (PRF) Algorithm"; } leaf key-length { type uint32; description "IKEv2 Transform Type 2, key length for PRF"; } description "IKEv2 Transform Type 2, Pseudo-Random Function PRF"; } } grouping transform-integrity-algorithm-grouping { description "IKEv2 Transform Type 3, Integrity Algorithm"; list transform-integrity-algorithm { key "integrity-algorithm key-length"; leaf integrity-algorithm { type ikev2-crypto:ikev2-integrity-algorithm-t; description "IKEv2 Transform Type 3, Integrity Algorithm"; Tran, et al. Expires September 18, 2016 [Page 55] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 } leaf key-length { type uint32; description "IKEv2 Transform Type 3, key length for Integrity"+ " Algorithm"; } description "IKEv2 Transform Type 3, Integrity Algorithm"; } } grouping transform-dh-grouping { description "IKEv2 Transform Type 4, Diffie-Hellman Group (DH)"; list transform-dh { key "dh key-length"; leaf dh { type ikev2-crypto:ikev2-diffie-hellman-group-t; description "IKEv2 Transform Type 4, Diffie-Hellman Group (DH)"; } leaf key-length { type uint32; description "IKEv2 Transform Type 4, key length for Diffie-Hellman"+ " Group (DH)"; } description "IKEv2 Transform Type 4, Diffie-Hellman Group (DH)"; } } grouping ikev2-proposal-grouping { description "IKEv2 Proposal"; list proposal { key "number"; description "Configure IKEv2 proposal"; uses name-grouping; uses transform-encr-algorithm-grouping; uses transform-prf-algorithm-grouping; uses transform-integrity-algorithm-grouping; uses transform-dh-grouping; leaf number { type uint32; description "specify the order the proposals are sent"; Tran, et al. Expires September 18, 2016 [Page 56] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 } leaf protocol { type ikev2-crypto:ikev2-protocol-identifiers-t; description "IKEv2 Proposal Protocol Identifier"; } } } grouping ikev2-retransmission-grouping { description "IKEv2 retransmission policy configuration"; container retransmision { if-feature ikev2-transport-retransmission; leaf max-retries { type uint32; description "maximum retry when retransmission failed"; } leaf initial-retransmission-timeout { type uint32; description "initial retransmission timeout value"; } leaf retransmission-timeout-policy { type string; description "defines of the Retransmission Timeout should be"+ " computed"; } leaf max-response-buffer-timeout { type uint32; description "This timer set when the response buffer can be clean"+ " when the message ID is not being updated. It value"+ " is expected to be in the order of several minutes"; } leaf keepalive-timeout { type uint32; description "Keep-alive timeout"; } leaf nat-keepalive-timeout { type uint32; description "Network Address Translation (NAT) Keep-alive timeout"; } description "IKEv2 retransmission policy configuration"; Tran, et al. Expires September 18, 2016 [Page 57] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 } } grouping ikev2-cookie-mechanism-grouping { description "IKEv2 Cookie Mechanism"; container cookie-mechanism { if-feature ikev2-transport-cookie-mechanism; leaf cookie-lifetime { type uint32; description "Cookie Lifetime"; } leaf half-open-ike-sa-threshold { type uint32; description "Half-open IKE-SA Threshold"; } description "IKEv2 Cookie Mechanism"; } } grouping ikev2-auth-avail-signing-capabilities-grouping { description "IKEv2 AUTH Available Signing Capabilities"; list avail-signing-capabilities { key "auth-method-name"; description "availiable signing capabilities"; leaf auth-method-name { type string; description "Authentication method name"; } leaf auth-method { type ikev2-crypto:ikev2-authentication-method-t; description "type of authentication method"; } leaf auth-material-data { type string; description "authentication material data"; } } } grouping ikev2-cert-auth-grouping { Tran, et al. Expires September 18, 2016 [Page 58] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 description "IKEv2 AUTH Certificate Authentication"; container cert-auth { description "Certificate authentication"; leaf cert-auth-encoding { type ikev2-crypto:ikev2-cert-encoding-t; description "certificate authentication encoding"; } leaf cert-auth-value { type uint32; description "certificate authentication value"; } } } grouping ikev2-cert-authentication-material-grouping { description "IKEv2 CERT Authentication Material"; leaf cert-authentication-type { type string; default "cert"; description "CERT Authentication Type"; } uses ikev2-cert-auth-grouping; } grouping ikev2-auth-avail-hash-capabilities-grouping { description "IKEv2 AUTH Available Hash Capabilities"; list avail-hash { key "hash-method"; description "available hash"; leaf hash-method { type string; description "hash method"; } leaf auth-hash-lifetime { type uint32; description "Authentication Hash lifetime"; } } } Tran, et al. Expires September 18, 2016 [Page 59] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 grouping ikev2-auth-avail-signature-verification-grouping { description "IKEv2 AUTH Available Signature Verification"; list avail-signature-verify { key "signature-id"; description "available signature verification"; leaf signature-id { type string; description "signature ID"; } leaf signature-lifetime { type uint32; description "signature lifetime"; } } } grouping local-id-grouping { description "IKEv2 AUTH Local ID"; list local-id { key "host-id"; description "list of Local ID"; leaf host-id { type string; description "Local Host ID"; } leaf preference { type string; description "Local Preference"; } leaf id-type { type string; description "Local ID type"; } leaf id-value { type string; description "ID value"; } } Tran, et al. Expires September 18, 2016 [Page 60] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 } grouping ikev2-vendor-id-grouping { description "IKEv2 Vendor ID"; leaf vendor-id { type uint64; description "IKEv2 Vendor ID"; } } grouping ikev2-base-info-grouping { description "IKEv2 Base Information"; container base-info { description "IKEv2 basic information"; leaf major-version { type uint8; default 2; description "IKEv2 Major Version"; } leaf minor-version { type uint8; default 0; description "IKEv2 Minor Version"; } leaf spi-generation-policy { type string; description "SPI genration policy"; } } } grouping ikev2-anti-replay-mechanism-grouping { description "IKEv2 Anti Replay Mechanism"; container anti-replay-mechanism { leaf window-size { type uint32; default 1; description "Window Size defines how much parallel exchange can"+ " be performed between the peers. By default this"+ " value is set to 1. When greater than 1, as defined"+ Tran, et al. Expires September 18, 2016 [Page 61] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 " in [RFC7296] section 2.3, a SET_WINDOW_SIZE Notify"+ " Payloads will be sent by the peer to agree withe the"+ " other peer on the Window Size. After this exchange"+ " succeeds, the operational attribute that defines"+ " the Window Size used by the IKE_SA, will be updated"+ " with the value agreed by the peers."; } leaf enable-notify-invalid-msg-id { if-feature ikev2-transport-enable-notify-invalid-msg-id; type empty; description "Optional Enable INVALID_MESSAGE_ID defines whether an"+ " optional INVALID_MESSAGE_ID Notify Payload is sent"+ " when the IKEv2 message received is outside the"+ " Operational Window Size."; } description "Anti Replay Mechanism describes when message should be"+ " rejected or considered by the IKEv2 daemon. The anti"+ " reply mechanism is defined for each session."; } } grouping ikev2-init-optional-grouping { description "IKEv2 INIT Optional"; container optional { if-feature ikev2-init-optional; container nat-detection-source-ip { if-feature ikev2-init-nat-detection-src-ip; description "Optional support: for Network Address Translation (NAT)"+ " Destination Source IP Address, sent during the"+ " IKE_INIT"; uses ip-address-grouping; leaf nat-keepalive-interval { type uint16 { range "5..300"; } units "Seconds"; default 20; description "NAT detected and keepalive interval"; } } container nat-detection-destination-ip { if-feature ikev2-init-nat-detection-destination-ip; description Tran, et al. Expires September 18, 2016 [Page 62] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 "Optional support: for Network Address Translation (NAT)"+ " Detecttion Destination IP Address, sent during the"+ " IKE_INIT"; uses ip-address-grouping; leaf nat-keepalive-interval { type uint16 { range "5..300"; } units "Seconds"; default 20; description "NAT detected and keepalive interval"; } } leaf redirect-supported { if-feature ikev2-init-redirect-supported; type boolean; default true; description "Optional support: for redirect supported, sent"+ " during the IKE_INIT"; } leaf fragmentation-supported { if-feature ikev2-init-fragmentation-supported; type boolean; default true; description "Optional support: for fragmentation supported"+ " sent during the IKE_INIT"; } leaf mobike-supported { if-feature ikev2-auth-mobike-supported; type boolean; default true; description "Optional support: for mobike supported, sent during"+ " IKE-AUTH"; } leaf rohc-supported { if-feature ikev2-auth-rohc-supported; type boolean; default true; description "Optional support: for RObust Header Compression (ROHC)"+ " supported, sent during IKE-AUTH"; } leaf childless-ikev2-supported { if-feature ikev2-auth-childless-supported; type boolean; Tran, et al. Expires September 18, 2016 [Page 63] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 default true; description "Optional support: for CHILDLESS_IKEV2_SUPPORTED,"+ " sent during IKE-AUTH"; } leaf message-id-sync-supported { if-feature ikev2-auth-message-id-supported; type boolean; default true; description "Optional support: for IKEV2_MESSAGE_ID_SYNC_SUPPORTED,"+ " sent during IKE-AUTH"; } leaf ipsec-replay-counter-sync-supported { if-feature ikev2-auth-ipsec-replay-counter-sync-supported; type boolean; default true; description "Optional support: for"+ " IPSEC_REPLAY_COUNTER_SYNC_SUPPORTED,"+ " sent during IKE-AUTH"; } leaf erx-supported { if-feature ikev2-auth-erx-supported; type boolean; default true; description "Optional support: for ERX_SUPPORTED,"+ " sent during IKE-AUTH"; } leaf clone-ike-sa-supported { if-feature ikev2-auth-clone-ike-sa-supported; type boolean; default true; description "Optional support: for CLONE_IKE_SA_SUPPORTED,"+ " sent during IKE-AUTH"; } description "IKEv2 INIT Optional Attributes"; } } grouping ikev2-initiator-id-grouping { container initiator-id { leaf initiator-id-type { type ikev2-crypto:pad-type-t; description "Initiator ID Type"; Tran, et al. Expires September 18, 2016 [Page 64] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 } leaf initiator-id { type string; description "Initiator ID"; } description "Initiator ID"; } description "Initiator ID"; } grouping ikev2-responder-id-grouping { container responder-id { leaf responder-id-type { type ikev2-crypto:pad-type-t; description "Responder ID Type"; } leaf responder-id { type string; description "Responder ID"; } description "Responder ID"; } description "Responder ID"; } grouping ikev2-transport-grouping { description "IKEv2 Transport Attributes"; container transport { if-feature ikev2-transport; description "Common IKEv2 transport attributes"; uses ikev2-base-info-grouping; uses ikev2-anti-replay-mechanism-grouping; uses ikev2-retransmission-grouping; uses ikev2-cookie-mechanism-grouping; uses ikev2-vendor-id-grouping; } // End of container transport } grouping ikev2-config-request-grouping { Tran, et al. Expires September 18, 2016 [Page 65] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 description "Optional Configuration Request"; container config-request { uses ip-address-grouping; description "Optional Configuration Requester"; } } grouping ikev2-config-responder-grouping { description "Optional Configuration Responder"; container config-responder { uses ip-address-grouping; description "Optional Configuration Responder"; } } grouping ikev2-init-grouping { description "IKEv2 INIT Attributes"; container init { if-feature ikev2-init; description "configuration attributes for the IKE_INIT exchange"; list authorized-dh { if-feature ikev2-init-authorized-dh; key "dhg key-length"; leaf dhg { type ikev2-crypto:ikev2-diffie-hellman-group-t; description "IKEv2 Transform Type 4, Diffie-Hellman Group (DH)"; } leaf key-length { type uint32; description "IKEv2 Transform Type 4, key length for Diffie-Hellman"+ " Group (DH)"; } description "IKEv2 INIT Authorized Diffie-Hellman"; } uses ikev2-proposal-grouping; uses ikev2-init-optional-grouping; leaf auth-method { Tran, et al. Expires September 18, 2016 [Page 66] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 type ikev2-crypto:ikev2-authentication-method-t; default auth-preshared; description "The authentication method of IKEv2 peer"; } container responder-certreq { if-feature ikev2-init-responder-certreq; uses certificate-auth-grouping; description "IKEv2 INIT Responder CERTREQ"; } uses ikev2-config-request-grouping; uses ikev2-config-responder-grouping; list authorized-cert-auth { if-feature ikev2-init-authorized-certification-auth; key "cert-encoding"; uses certificate-auth-grouping; description "IKev2 Initiator authorized certification authorities"; } } // end of container init } grouping ikev2-auth-grouping { description "IKEv2 AUTH Attributes"; container auth { if-feature ikev2-auth; description "IKEv2 AUTH Exchange"; uses ikev2-auth-avail-signing-capabilities-grouping; uses ikev2-cert-auth-grouping; uses ikev2-auth-avail-hash-capabilities-grouping; uses ikev2-auth-avail-signature-verification-grouping; uses local-id-grouping; container authorized-certificate-authority { uses certificate-auth-grouping; description "IKEv2 AUTH Authorized Certificate Authority"; } } // End of container auth } grouping ikev2-proposal-state-components { description "IKEv2 Operational state"; list proposal { Tran, et al. Expires September 18, 2016 [Page 67] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 if-feature ikev2-proposal-state; key "name"; description "IKEv2 proposal operational data"; uses name-grouping; leaf encryption-algorithm { type ikev2-crypto:ikev2-encryption-algorithm-t; description "Transform Type 1 - IKEv2 Encryption Algorithm"; } leaf prf-algorithm { type ikev2-crypto:ikev2-pseudo-random-function-t; description "Transform Type 2 - IKEv2 Pseudo-Random Function (PRF)"; } leaf integrity-algorithm { type ikev2-crypto:ikev2-integrity-algorithm-t; description "Transform Type 3 - IKEv2 Integrity Algorithms"; } leaf dh-group { type ikev2-crypto:ikev2-diffie-hellman-group-t; mandatory true; description "Transform Type 4 - IKEv2 Diffie-Hellman group."; } leaf esn { type ikev2-crypto:ikev2-extended-sequence-number-t; description "Transform Type 5 - IKEv2 Extended Sequence Number (ESN)"; } } leaf connection-type { type ikev2-crypto:ikev2-connection-type-t; description "define whether the corresponding IKEv2 SA is being used"+ " as an initiator or as a responder or both"; } } /*---------------------------------------------------------*/ /************* Configuration Data *************/ /*---------------------------------------------------------*/ /* ------------------- */ /* IKEv2 configuration */ /* ------------------- */ Tran, et al. Expires September 18, 2016 [Page 68] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 container ikev2 { if-feature ikev2; description "Configuration IPSec IKEv2"; uses ikev2-transport-grouping; uses ikev2-init-grouping; container sa { if-feature ikev2-sa; description "IKEv2 Security Association"; leaf role { type role-t; description "IKEv2 SA Role [any | initiator | responder]"; } container local-ip-address { description "IKEv2 SA Local IP Address"; uses ip-address-grouping; } container remote-ip-address { description "IKEv2 SA Remote IP Address"; uses ip-address-grouping; } leaf cryptgraphic { type cryptographic-material-t; description "Cryptographic Material Type"; } leaf lifetime { type uint32; description "lifetime for IKEv2 SAs 0: for no timeout. 300 .. 99999999: IKEv2 SA lifetime in seconds."; } leaf proposal { type ikev2-proposal-number-ref; description "IKE proposal number referenced by IKE peer"; } uses ikev2-base-info-grouping; uses ikev2-anti-replay-mechanism-grouping; list retransmistion-ctx { key "window-id"; Tran, et al. Expires September 18, 2016 [Page 69] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 leaf window-id { type uint32; description "Window ID"; } uses ikev2-retransmission-grouping; description "IKEv2 Security Association Retransmission CTX that contains the element to enable retransmission for all ongoing exchange"; } uses ikev2-initiator-id-grouping; uses ikev2-responder-id-grouping; uses ikev2-cert-authentication-material-grouping; uses ikev2-vendor-id-grouping; list optional-ctx { key "window-id"; description "Optional Security Association CTX"; leaf window-id { type uint32; description "Window ID"; } uses ikev2-init-optional-grouping; } } // end of container sa list peer { if-feature ikev2-peer; key "peer-address"; description "IKEv2 peer information"; leaf peer-address { type string; description "Peer address"; } leaf role { type role-t; default any; description "Peer Role [any | initiator | responder]"; } list peer-id-entries { key "peer-id peer-id-type"; description "IKE peer information"; leaf peer-id-type { type ikev2-crypto:pad-type-t; Tran, et al. Expires September 18, 2016 [Page 70] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 description "Peer ID Type"; } leaf peer-id { type string; description "Peer ID"; } } // End of peer-entries list session { key "session-label"; description "List of session"; leaf session-label { type string; description "Session Label"; } uses ikev2-initiator-id-grouping; uses ikev2-responder-id-grouping; uses ikev2-transport-grouping; uses ikev2-init-grouping; uses ikev2-auth-grouping; uses ikev2-config-request-grouping; uses ikev2-config-responder-grouping; } leaf preshared-key { type string; description "Preshare key"; } leaf nat-traversal { type boolean; default false; description "Enable/Disable Network Address Translation"+ " (NAT) traversal"; } } //End of peer } // End of ikev2 /*---------------------------------------------------------*/ /************* Operational State *************/ /*---------------------------------------------------------*/ Tran, et al. Expires September 18, 2016 [Page 71] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 /*--------------------------*/ /* IKEv2 Operational State */ /*--------------------------*/ container ikev2-state { if-feature ikev2-state; config "false"; container transport-state { if-feature ikev2-transport-state; description "Common IKEv2 operational transport state"; leaf major-version { type uint8; default 2; description "IKEv2 Major Version"; } leaf minor-version { type uint8; default 0; description "IKEv2 Minor Version"; } leaf spi-generation-policy { type string; description "SPI genration policy"; } leaf exchange-type { type ikev2-crypto:ikev2-exchange-type-t; description "IKEv2 Exchange Type"; } leaf flags { type uint8; description "indicate specific options that are set for message"; } } list sa-state { key "initiator-spi responder-spi"; description "IKEv2 Security Association (SA) Operational State"; leaf initiator-spi { type ipsec-spi; description Tran, et al. Expires September 18, 2016 [Page 72] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 "initiator Security Parameter Index (SPI)"; } leaf responder-spi { type ipsec-spi; description "initiator Security Parameter Index (SPI)"; } list retransmistion-ctx { key "window-id"; leaf window-id { type uint32; description "Window ID"; } uses ikev2-retransmission-grouping; description "IKEv2 Security Association Retransmission CTX that contains the element to enable retransmission for all ongoing exchange"; } container anti-replay-mechanism { leaf window-size { type uint32; description "window size"; } leaf peer-request-msg-id { type uint32; description "Peer Request Message ID"; } leaf peer-response-msg-id { type uint32; description "Peer Response Message ID"; } leaf local-request-msg-id { type uint32; description "Local Request Message ID"; } leaf local-response-msg-id { type uint32; description "Local Response Message ID"; } description "IKEv2 Anti Replay Mechanism Operational State"; } Tran, et al. Expires September 18, 2016 [Page 73] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 uses ikev2-vendor-id-grouping; uses ikev2-initiator-id-grouping; uses ikev2-responder-id-grouping; uses ikev2-auth-grouping; leaf half-open-ike-sa-counter { type uint32; description "IKEv2 Cookie Mechanism Half-Open IKE-SA counter"; } list optional-ctx { key "window-id"; description "Optional Security Association CTX"; leaf window-id { type uint32; description "Window ID"; } uses ikev2-init-optional-grouping; } } description "Contain the operational data for IKEv2"; } } /* module ietf-ikev2 */ Tran, et al. Expires September 18, 2016 [Page 74] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 6. Security Considerations The configuration, state, and action data defined in this document are designed to be accessed via the NETCONF protocol [RFC6241]. The data model by itself does not create any security implications. The security considerations for the NETCONF protocol are applicable. The NETCONF protocol used for sending the data supports authentication and encryption. 7. References 7.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2234] Crocker, D. and Overell, P.(Editors), "Augmented BNF for Syntax Specifications: ABNF", RFC 2234, Internet Mail Consortium and Demon Internet Ltd., November 1997. [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010. [RFC6021] Schoenwaelder, J., "Common YANG Data Types", RFC 6021, October 2010. [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. Bierman, "Network Configuration Protocol (NETCONF)", RFC 6241, June 2011. [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., Kivinen, T., "Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 5996, October 2014. [RFC6071] Frankel, S., Krishnan, S., "IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap", February 2011. Tran, et al. Expires September 18, 2016 [Page 75] Internet-Draft draft-tran-ipsecme-ikev2-yang-00.txt March 2016 7.2. Informative References [RFC6087] Bierman, A., "Guidelines for Authors and Reviewers of YANG Data Model Documents", RFC 6087, January 2011. Authors' Addresses Khanh Tran Ericsson 300 Holger Way San Jose, CA 95134 USA Email: khanh.x.tran@ericsson.com Daniel Migault Ericsson 8500 Decarie Blvd Montreal, Quebec H4P 2N2 CANADA Email: daniel.migault@ericsson.com Honglei Wang Huawei Technologies Huawei Bld., No.156 Beiqing Rd. Beijing 100095 China Email: stonewater.wang@huawei.com Vijay Kumar Nagaraj Huawei Technologies Huawei Technologies India Pvt Ltd Bangalore 560008 India Email: vijay.kn@huawei.com Xia Chen Huawei Technologies Huawei Bld., No.156 Beiqing Rd. Beijing 100095 China Email: xiachen@huawei.com Tran, et al. Expires September 18, 2016 [Page 76]