rfc9348.original   rfc9348.txt 
Network Working Group D. Fedyk Internet Engineering Task Force (IETF) D. Fedyk
Internet-Draft C. Hopps Request for Comments: 9348 C. Hopps
Intended status: Standards Track LabN Consulting, L.L.C. Category: Standards Track LabN Consulting, L.L.C.
Expires: 26 March 2023 22 September 2022 ISSN: 2070-1721 January 2023
A YANG Data Model for IP Traffic Flow Security A YANG Data Model for IP Traffic Flow Security
draft-ietf-ipsecme-yang-iptfs-11
Abstract Abstract
This document describes a YANG module for the management of IP This document describes a YANG module for the management of IP
Traffic Flow Security additions to IKEv2 and IPsec. Traffic Flow Security (IP-TFS) additions to Internet Key Exchange
Protocol version 2 (IKEv2) and IPsec.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 26 March 2023. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9348.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction
2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Overview
3. YANG Management . . . . . . . . . . . . . . . . . . . . . . . 4 3. YANG Management
3.1. YANG Tree . . . . . . . . . . . . . . . . . . . . . . . . 4 3.1. YANG Tree
3.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 7 3.2. YANG Module
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 4. IANA Considerations
4.1. Updates to the IETF XML Registry . . . . . . . . . . . . 19 4.1. Updates to the IETF XML Registry
4.2. Updates to the YANG Module Names Registry . . . . . . . . 19 4.2. Updates to the YANG Module Names Registry
5. Security Considerations . . . . . . . . . . . . . . . . . . . 20 5. Security Considerations
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 21 6. References
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 6.1. Normative References
7.1. Normative References . . . . . . . . . . . . . . . . . . 21 6.2. Informative References
7.2. Informative References . . . . . . . . . . . . . . . . . 21 Appendix A. Examples
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 22 A.1. Example XML Configuration
A.1. Example XML Configuration . . . . . . . . . . . . . . . . 22 A.2. Example XML Operational Data
A.2. Example XML Operational Data . . . . . . . . . . . . . . 23 A.3. Example JSON Configuration
A.3. Example JSON Configuration . . . . . . . . . . . . . . . 24 A.4. Example JSON Operational Data
A.4. Example JSON Operational Data . . . . . . . . . . . . . . 26 A.5. Example JSON Operational Statistics
A.5. Example JSON Operational Statistics . . . . . . . . . . . 27 Acknowledgements
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28 Authors' Addresses
1. Introduction 1. Introduction
This document defines a YANG module [RFC7950] for the management of This document defines a YANG module [RFC7950] for the management of
the IP Traffic Flow Security (IP-TFS) extensions as defined in the IP Traffic Flow Security (IP-TFS) extensions defined in
[I-D.ietf-ipsecme-iptfs]. IP-TFS provides enhancements to an IPsec [RFC9347]. IP-TFS provides enhancements to an IPsec tunnel Security
tunnel Security Association to provide improved traffic Association (SA) to provide improved traffic confidentiality.
confidentiality. Traffic confidentiality reduces the ability of Traffic confidentiality reduces the ability of traffic analysis to
traffic analysis to determine identity and correlate observable determine identity and correlate observable traffic patterns. IP-TFS
traffic patterns. IP-TFS offers efficiency when aggregating traffic offers efficiency when aggregating traffic in fixed-size IPsec tunnel
in fixed size IPsec tunnel packets. packets.
The YANG data model in this document conforms to the Network The YANG data model in this document conforms to the Network
Management Datastore Architecture (NMDA) defined in [RFC8342]. Management Datastore Architecture (NMDA) defined in [RFC8342].
The published YANG modules for IPsec are defined in [RFC9061]. This The published YANG modules for IPsec are defined in [RFC9061]. This
document uses these models as a general IPsec model that is augmented document uses these models as a general IPsec model that is augmented
for IP-TFS. The models in [RFC9061] provide for both an IKE and an for IP-TFS. The models in [RFC9061] provide for both an IKE and an
IKELESS model. IKE-less model.
2. Overview 2. Overview
This document defines configuration and operational parameters of IP This document defines configuration and operational parameters of IP
traffic flow security (IP-TFS). IP-TFS, defined in Traffic Flow Security (IP-TFS). IP-TFS, defined in [RFC9347],
[I-D.ietf-ipsecme-iptfs], defines a security association for tunnel defines a security association for tunnel mode IPsec with
mode IPsec with characteristics that improve traffic confidentiality characteristics that improve traffic confidentiality and reduce
and reduce bandwidth efficiency loss. These documents assume bandwidth efficiency loss. These documents assume familiarity with
familiarity with IP security concepts described in [RFC4301]. the IPsec concepts described in [RFC4301].
IP-TFS uses tunnel mode to improve confidentiality by hiding inner IP-TFS uses tunnel mode to improve confidentiality by hiding inner
packet identifiable information, packet size and packet timing. IP- packet identifiable information, packet size, and packet timing. IP-
TFS provides a general capability allowing aggregation of multiple TFS provides a general capability allowing aggregation of multiple
packets in uniform size outer tunnel IPsec packets. It maintains the packets in uniform-size outer tunnel IPsec packets. It maintains the
outer packet size by utilizing combinations of aggregating, padding outer packet size by utilizing combinations of aggregating, padding,
and fragmenting inner packets to fill out the IPsec outer tunnel and fragmenting inner packets to fill out the IPsec outer tunnel
packet. Zero byte padding is used to fill the packet when no data is packet. Padding is used to fill the packet when no data is available
available to send. to send.
This document specifies an extensible configuration model for IP-TFS. This document specifies an extensible configuration model for IP-TFS.
This version utilizes the capabilities of IP-TFS to configure fixed This version utilizes the capabilities of IP-TFS to configure fixed-
size IP-TFS Packets that are transmitted at a constant rate. This size IP-TFS packets that are transmitted at a constant rate. This
model is structured to allow for different types of operation through model is structured to allow for different types of operation through
future augmentation. future augmentation.
The IP-TFS YANG module augments IPsec YANG model from [RFC9061]. IP- The IP-TFS YANG module augments the IPsec YANG module from [RFC9061].
TFS makes use of IPsec tunnel mode and adds a small number IP-TFS makes use of IPsec tunnel mode and adds a small number of
configuration items to tunnel mode IPsec. As defined in configuration items to IPsec tunnel mode. As defined in [RFC9347],
[I-D.ietf-ipsecme-iptfs], any SA configured to use IP-TFS supports any SA configured to use IP-TFS supports only IP-TFS packets, i.e.,
only IP-TFS packets i.e. no mixed IPsec modes. no mixed IPsec modes.
The behavior for IP-TFS is controlled by the source. The self- The behavior for IP-TFS is controlled by the source. The self-
describing format of an IP-TFS packets allows a sending side to describing format of an IP-TFS packet allows a sending side to adjust
adjust the packet-size and timing independently from any receiver. the packet size and timing independently from any receiver. Both
Both directions are also independent, e.g. IP-TFS may be run only in directions are also independent, e.g., IP-TFS may be run only in one
one direction. This means that counters, which are created here for direction. This means that counters, which are created here for both
both directions may be 0 or not updated in the case of an SA that directions, may be 0 or not updated in the case of an SA that uses
uses IP-TFS only in on direction. IP-TFS only in on direction.
Cases where IP-TFS statistics are active for one direction: Cases where IP-TFS statistics are active for one direction:
* SA one direction - IP-TFS enabled * SA one direction - IP-TFS enabled
* SA both directions - IP-TFS only enabled in one direction * SA both directions - IP-TFS only enabled in one direction
Case where IP-TFS statistics are for both directions: Case where IP-TFS statistics are active for both directions:
* SA both directions - IP-TFS enable for both directions * SA both directions - IP-TFS enable for both directions
The IP-TFS model support IP-TFS configuration and operational data.
This YANG module supports configuration of fixed size and fixed rate The IP-TFS model supports IP-TFS configuration and operational data.
packets, and elements that may be augmented to support future
configuration. The protocol specification [I-D.ietf-ipsecme-iptfs], This YANG module supports configuration of fixed-size and fixed-rate
goes beyond this simple fixed mode of operation by defining a general packets, as well as elements that may be augmented to support future
format for any type of scheme. In this document the outer IPsec configuration. The protocol specification [RFC9347] goes beyond this
packets can be sent with fixed or variable size (without padding). simple, fixed mode of operation by defining a general format for any
The configuration allows the fixed packet size to be determined by type of scheme. In this document, the outer IPsec packets can be
the path MTU. The fixed packet size can also be configured if a sent with fixed or variable size (without padding). The
value lower than the path MTU is desired. configuration allows the fixed packet size to be determined by the
path MTU. The fixed packet size can also be configured if a value
lower than the path MTU is desired.
Other configuration items include: Other configuration items include:
* Congestion Control. A congestion control setting to allow IP-TFS Congestion Control:
to reduce the packet rate when congestion is detected. A congestion control setting to allow IP-TFS to reduce the packet
rate when congestion is detected.
* Fixed Rate configuration. The IP-TFS tunnel rate can be Fixed-Rate Configuration:
configured taking into account either layer 2 overhead or layer 3 The IP-TFS tunnel rate can be configured by taking into account
overhead. Layer 3 overhead is the IP data rate and layer 2 either layer 2 overhead or layer 3 overhead. Layer 3 overhead is
overhead is the rate of bits on the link. The combination of the IP data rate, and layer 2 overhead is the rate of bits on the
packet size and rate determines the nominal maximum bandwidth and link. The combination of packet size and rate determines the
the transmission interval when fixed size packets are used. nominal maximum bandwidth and the transmission interval when
fixed-size packets are used.
* User packet Fragmentation Control. While fragmentation is User Packet Fragmentation Control:
recommended for improved efficiency, a configuration is provided While fragmentation is recommended for improved efficiency, a
if users wish to observe the effect no-fragmentation on their data configuration is provided if users wish to observe the effect of
flows. no fragmentation on their data flows.
The YANG operational data allows the readout of the configured The YANG operational data allows the readout of the configured
parameters as well as the per SA statistics and error counters for parameters, as well as the per-SA statistics and error counters for
IP-TFS. Per SA IPsec packet statistics are provided as a feature and IP-TFS. Per-SA IPsec packet statistics are provided as a feature,
per SA IP-TFS specific statistics as another feature. Both sets of and per-SA IP-TFS-specific statistics are provided as another
statistics augment the IPsec YANG models with counters that allow feature. Both sets of statistics augment the IPsec YANG modules with
observation of IP-TFS packet efficiency. counters that allow observation of IP-TFS packet efficiency.
[RFC9061] has a set of IPsec YANG management objects. IP-TFS YANG IPsec YANG management objects are set in [RFC9061]. IP-TFS YANG
augments the IKE and the IKELESS models. In these models the augments the IKE and the IKE-less models. In these models, the
Security Policy database entry and Security Association entry for an Security Policy database entry and Security Association entry for an
IPsec Tunnel can be augmented with IP-TFS. In addition, this model IPsec tunnel can be augmented with IP-TFS. In addition, this model
uses YANG types defined in [RFC6991]. uses YANG types defined in [RFC6991].
3. YANG Management 3. YANG Management
3.1. YANG Tree 3.1. YANG Tree
The following is the YANG tree diagram ([RFC8340]) for the IP-TFS The following is the YANG tree diagram [RFC8340] for the IP-TFS
extensions. extensions.
module: ietf-ipsec-iptfs module: ietf-ipsec-iptfs
augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd
/nsfike:spd-entry/nsfike:ipsec-policy-config /nsfike:spd-entry/nsfike:ipsec-policy-config
/nsfike:processing-info/nsfike:ipsec-sa-cfg: /nsfike:processing-info/nsfike:ipsec-sa-cfg:
+--rw traffic-flow-security +--rw traffic-flow-security
+--rw congestion-control? boolean +--rw congestion-control? boolean
+--rw packet-size +--rw packet-size
| +--rw use-path-mtu-discovery? boolean | +--rw use-path-mtu-discovery? boolean
| +--rw outer-packet-size? uint16 | +--rw outer-packet-size? uint16
+--rw (tunnel-rate)? +--rw (tunnel-rate)?
| +--:(l2-fixed-rate) | +--:(l2-fixed-rate)
skipping to change at page 7, line 33 skipping to change at line 308
+--ro rx-all-pad-pkts? yang:counter64 +--ro rx-all-pad-pkts? yang:counter64
+--ro rx-all-pad-octets? yang:counter64 +--ro rx-all-pad-octets? yang:counter64
+--ro rx-extra-pad-pkts? yang:counter64 +--ro rx-extra-pad-pkts? yang:counter64
+--ro rx-extra-pad-octets? yang:counter64 +--ro rx-extra-pad-octets? yang:counter64
+--ro rx-errored-pkts? yang:counter64 +--ro rx-errored-pkts? yang:counter64
+--ro rx-missed-pkts? yang:counter64 +--ro rx-missed-pkts? yang:counter64
3.2. YANG Module 3.2. YANG Module
The following is the YANG module for managing the IP-TFS extensions. The following is the YANG module for managing the IP-TFS extensions.
The model contains references to [I-D.ietf-ipsecme-iptfs] and The model contains references to [RFC9347] and [RFC5348].
[RFC5348].
<CODE BEGINS> file "ietf-ipsec-iptfs@2022-09-22.yang" <CODE BEGINS> file "ietf-ipsec-iptfs@2022-12-16.yang"
module ietf-ipsec-iptfs { module ietf-ipsec-iptfs {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs"; namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs";
prefix iptfs; prefix iptfs;
import ietf-i2nsf-ike { import ietf-i2nsf-ike {
prefix nsfike; prefix nsfike;
reference reference
"RFC 9061 A YANG Data Model for IPsec Flow Protection Based on "RFC 9061: A YANG Data Model for IPsec Flow Protection Based on
Software-Defined Networking (SDN) Section 5.2"; Software-Defined Networking (SDN), Section 5.2";
} }
import ietf-i2nsf-ikeless { import ietf-i2nsf-ikeless {
prefix nsfikels; prefix nsfikels;
reference reference
"RFC 9061 A YANG Data Model for IPsec Flow Protection Based on "RFC 9061: A YANG Data Model for IPsec Flow Protection Based on
Software-Defined Networking (SDN) Section 5.3"; Software-Defined Networking (SDN), Section 5.3";
} }
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
reference reference
"RFC 6991: Common YANG Data Types"; "RFC 6991: Common YANG Data Types";
} }
organization organization
"IETF IPSECME Working Group (IPSECME)"; "IETF IPSECME Working Group (IPSECME)";
contact contact
"WG Web: <https://datatracker.ietf.org/wg/ipsecme/> "WG Web: <https://datatracker.ietf.org/wg/ipsecme/>
WG List: <mailto:ipsecme@ietf.org> WG List: <mailto:ipsecme@ietf.org>
Author: Don Fedyk Author: Don Fedyk
<mailto:dfedyk@labn.net> <mailto:dfedyk@labn.net>
Author: Christian Hopps Author: Christian Hopps
<mailto:chopps@chopps.org>"; <mailto:chopps@chopps.org>";
// RFC Ed.: replace XXXX with actual RFC number and
// remove this note.
description description
"This module defines the configuration and operational state for "This module defines the configuration and operational state for
managing the IP Traffic Flow Security functionality [RFC XXXX]. managing the IP Traffic Flow Security functionality (RFC 9348).
Copyright (c) 2022 IETF Trust and the persons identified as Copyright (c) 2023 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Revised BSD License to the license terms contained in, the Revised BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC 9348; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove revision 2022-12-16 {
// this note
// replace '2016-03-20' with the module publication date
// the format is (2022-09-22)
revision 2022-09-22 {
description description
"Initial Revision"; "Initial revision";
reference reference
"RFC XXXX: IP Traffic Flow Security YANG Module"; "RFC 9348: A YANG Data Model for IP Traffic Flow Security";
} }
feature ipsec-stats { feature ipsec-stats {
description description
"This feature indicates the device supports "This feature indicates the device supports
per SA IPsec statistics"; per-SA IPsec statistics.";
} }
feature iptfs-stats { feature iptfs-stats {
description description
"This feature indicates the device supports "This feature indicates the device supports
per SA IP Traffic Flow Security statistics"; per-SA IP Traffic Flow Security statistics.";
} }
/*--------------------*/ /*--------------------*/
/* groupings */ /* groupings */
/*--------------------*/ /*--------------------*/
grouping ipsec-tx-stat-grouping { grouping ipsec-tx-stat-grouping {
description description
"IPsec outbound statistics"; "IPsec outbound statistics";
leaf tx-pkts { leaf tx-pkts {
skipping to change at page 10, line 29 skipping to change at line 439
} }
} }
grouping iptfs-inner-tx-stat-grouping { grouping iptfs-inner-tx-stat-grouping {
description description
"IP-TFS outbound inner packet statistics"; "IP-TFS outbound inner packet statistics";
leaf tx-pkts { leaf tx-pkts {
type yang:counter64; type yang:counter64;
config false; config false;
description description
"Total number of IP-TFS inner packets sent. This "Total number of IP-TFS inner packets sent. This
count is whole packets only. A fragmented packet count is whole packets only. A fragmented packet
counts as one packet"; counts as one packet.";
reference reference
"draft-ietf-ipsecme-iptfs"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS)";
} }
leaf tx-octets { leaf tx-octets {
type yang:counter64; type yang:counter64;
config false; config false;
description description
"Total number of IP-TFS inner octets sent. This is "Total number of IP-TFS inner octets sent. This is
inner packet octets only. Does not count padding."; inner packet octets only. It does not count padding.";
reference reference
"draft-ietf-ipsecme-iptfs"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS)";
} }
} }
grouping iptfs-outer-tx-stat-grouping { grouping iptfs-outer-tx-stat-grouping {
description description
"IP-TFS outbound inner packet statistics"; "IP-TFS outbound inner packet statistics";
leaf tx-all-pad-pkts { leaf tx-all-pad-pkts {
type yang:counter64; type yang:counter64;
config false; config false;
description description
"Total number of transmitted IP-TFS packets that "Total number of transmitted IP-TFS packets that
were all padding with no inner packet data."; were all padding with no inner packet data.";
reference reference
"draft-ietf-ipsecme-iptfs section 2.2.3"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 2.2.3";
} }
leaf tx-all-pad-octets { leaf tx-all-pad-octets {
type yang:counter64; type yang:counter64;
config false; config false;
description description
"Total number transmitted octets of padding added to "Total number transmitted octets of padding added to
IP-TFS packets with no inner packet data."; IP-TFS packets with no inner packet data.";
reference reference
"draft-ietf-ipsecme-iptfs section 2.2.3"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 2.2.3";
} }
leaf tx-extra-pad-pkts { leaf tx-extra-pad-pkts {
type yang:counter64; type yang:counter64;
config false; config false;
description description
"Total number of transmitted outer IP-TFS packets "Total number of transmitted outer IP-TFS packets
that included some padding."; that included some padding.";
reference reference
"draft-ietf-ipsecme-iptfs section 2.2.3.1"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 2.2.3.1";
} }
leaf tx-extra-pad-octets { leaf tx-extra-pad-octets {
type yang:counter64; type yang:counter64;
config false; config false;
description description
"Total number of transmitted octets of padding added "Total number of transmitted octets of padding added
to outer IP-TFS packets with data."; to outer IP-TFS packets with data.";
reference reference
"draft-ietf-ipsecme-iptfs section 2.2.3.1"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 2.2.3.1";
} }
} }
grouping iptfs-inner-rx-stat-grouping { grouping iptfs-inner-rx-stat-grouping {
description description
"IP-TFS inner packet inbound statistics"; "IP-TFS inner packet inbound statistics";
leaf rx-pkts { leaf rx-pkts {
type yang:counter64; type yang:counter64;
config false; config false;
description description
"Total number of IP-TFS inner packets received."; "Total number of IP-TFS inner packets received.";
reference reference
"draft-ietf-ipsecme-iptfs section 2.2"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 2.2";
} }
leaf rx-octets { leaf rx-octets {
type yang:counter64; type yang:counter64;
config false; config false;
description description
"Total number of IP-TFS inner octets received. Does "Total number of IP-TFS inner octets received. It does
not include padding or overhead"; not include padding or overhead.";
reference reference
"draft-ietf-ipsecme-iptfs section 2.2"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 2.2";
} }
leaf rx-incomplete-pkts { leaf rx-incomplete-pkts {
type yang:counter64; type yang:counter64;
config false; config false;
description description
"Total number of IP-TFS inner packets that were "Total number of IP-TFS inner packets that were
incomplete. Usually this is due to fragments not incomplete. Usually this is due to fragments that are
received. Also, this may be due to misordering or not received. Also, this may be due to misordering or
errors in received outer packets."; errors in received outer packets.";
reference reference
"draft-ietf-ipsecme-iptfs"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS)";
} }
} }
grouping iptfs-outer-rx-stat-grouping { grouping iptfs-outer-rx-stat-grouping {
description description
"IP-TFS outer packet inbound statistics"; "IP-TFS outer packet inbound statistics";
leaf rx-all-pad-pkts { leaf rx-all-pad-pkts {
type yang:counter64; type yang:counter64;
config false; config false;
description description
"Total number of received IP-TFS packets that were "Total number of received IP-TFS packets that were
all padding with no inner packet data."; all padding with no inner packet data.";
reference reference
"draft-ietf-ipsecme-iptfs section 2.2.3"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 2.2.3";
} }
leaf rx-all-pad-octets { leaf rx-all-pad-octets {
type yang:counter64; type yang:counter64;
config false; config false;
description description
"Total number received octets of padding added to "Total number of received octets of padding added to
IP-TFS packets with no inner packet data."; IP-TFS packets with no inner packet data.";
reference reference
"draft-ietf-ipsecme-iptfs section 2.2.3"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 2.2.3";
} }
leaf rx-extra-pad-pkts { leaf rx-extra-pad-pkts {
type yang:counter64; type yang:counter64;
config false; config false;
description description
"Total number of received outer IP-TFS packets that "Total number of received outer IP-TFS packets that
included some padding."; included some padding.";
reference reference
"draft-ietf-ipsecme-iptfs section 2.2.3.1"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 2.2.3.1";
} }
leaf rx-extra-pad-octets { leaf rx-extra-pad-octets {
type yang:counter64; type yang:counter64;
config false; config false;
description description
"Total number of received octets of padding added to "Total number of received octets of padding added to
outer IP-TFS packets with data."; outer IP-TFS packets with data.";
reference reference
"draft-ietf-ipsecme-iptfs section 2.2.3.1"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 2.2.3.1";
} }
leaf rx-errored-pkts { leaf rx-errored-pkts {
type yang:counter64; type yang:counter64;
config false; config false;
description description
"Total number of IP-TFS outer packets dropped due to "Total number of IP-TFS outer packets dropped due to
errors."; errors.";
reference reference
"draft-ietf-ipsecme-iptfs"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS)";
} }
leaf rx-missed-pkts { leaf rx-missed-pkts {
type yang:counter64; type yang:counter64;
config false; config false;
description description
"Total number of IP-TFS outer packets missing "Total number of IP-TFS outer packets missing,
indicated by missing sequence number."; indicated by a missing sequence number.";
reference reference
"draft-ietf-ipsecme-iptfs"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS)";
} }
} }
grouping iptfs-config { grouping iptfs-config {
description description
"This is the grouping for iptfs configuration"; "This is the grouping for IP-TFS configuration.";
container traffic-flow-security { container traffic-flow-security {
description description
"Configure the IPSec TFS in Security "Configure the IPsec TFS in the Security
Association Database (SAD)"; Association Database (SAD).";
leaf congestion-control { leaf congestion-control {
type boolean; type boolean;
default "true"; default "true";
description description
"When set to true, the default, this enables the "When set to true, the default, this enables the
congestion control on-the-wire exchange of data that is congestion control on-the-wire exchange of data that is
required by congestion control algorithms as defined by required by congestion control algorithms, as defined by
RFC 5348. When set to false, IP-TFS sends fixed-sized RFC 5348. When set to false, IP-TFS sends fixed-size
packets over an IP-TFS tunnel at a constant rate."; packets over an IP-TFS tunnel at a constant rate.";
reference reference
"draft-ietf-ipsecme-iptfs section 2.5.2, RFC 5348"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 2.4.2;
RFC 5348: TCP Friendly Rate Control (TFRC): Protocol
Specification";
} }
container packet-size { container packet-size {
description description
"Packet size is either auto-discovered or manually "Packet size is either auto-discovered or manually
configured."; configured.";
leaf use-path-mtu-discovery { leaf use-path-mtu-discovery {
type boolean; type boolean;
default "true"; default "true";
description description
"Utilize path mtu discovery to determine maximum "Utilize path MTU discovery to determine maximum
IP-TFS packet size. If the packet size is explicitly IP-TFS packet size. If the packet size is explicitly
configured, then it will only be adjusted downward if configured, then it will only be adjusted downward if
use-path-mtu-discovery is set."; use-path-mtu-discovery is set.";
reference reference
"draft-ietf-ipsecme-iptfs section 4.2"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 4.2";
} }
leaf outer-packet-size { leaf outer-packet-size {
type uint16; type uint16;
units bytes; units "bytes";
description description
"On transmission, the size of the outer encapsulating "On transmission, the size of the outer encapsulating
tunnel packet (i.e., the IP packet containing the ESP tunnel packet (i.e., the IP packet containing
payload)."; Encapsulating Security Payload (ESP)).";
reference reference
"draft-ietf-ipsecme-iptfs section 4.2"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 4.2";
} }
} }
choice tunnel-rate { choice tunnel-rate {
description description
"TFS bit rate may be specified at layer 2 wire "The TFS bit rate may be specified at layer 2 wire
rate or layer 3 packet rate"; rate or layer 3 packet rate.";
leaf l2-fixed-rate { leaf l2-fixed-rate {
type yang:gauge64; type yang:gauge64;
units "bits/second"; units "bits/second";
description description
"On transmission, target bandwidth/bit rate in "On transmission, target bandwidth/bit rate in
bits/second for iptfs tunnel. This fixed rate is the bits/second for IP-TFS tunnel. This fixed rate is the
nominal timing for the fixed size packet. If nominal timing for the fixed-size packet. If
congestion control is enabled the rate may be congestion control is enabled, the rate may be
adjusted down (or up if unset)."; adjusted down (or up if unset).";
reference reference
"draft-ietf-ipsecme-iptfs section 4.1"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 4.1";
} }
leaf l3-fixed-rate { leaf l3-fixed-rate {
type yang:gauge64; type yang:gauge64;
units "bits/second"; units "bits/second";
description description
"On transmission, target bandwidth/bit rate in "On transmission, target bandwidth/bit rate in
bits/second for iptfs tunnel. This fixed rate is the bits/second for IP-TFS tunnel. This fixed rate is the
nominal timing for the fixed size packet. If nominal timing for the fixed-size packet. If
congestion control is enabled the rate may be congestion control is enabled, the rate may be
adjusted down (or up if unset)."; adjusted down (or up if unset).";
reference reference
"draft-ietf-ipsecme-iptfs section 4.1"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 4.1";
} }
} }
leaf dont-fragment { leaf dont-fragment {
type boolean; type boolean;
default "false"; default "false";
description description
"On transmission, disable packet fragmentation across "On transmission, disable packet fragmentation across
consecutive iptfs tunnel packets; inner packets larger consecutive IP-TFS tunnel packets; inner packets larger
than what can be transmitted in outer packets will be than what can be transmitted in outer packets will be
dropped."; dropped.";
reference reference
"draft-ietf-ipsecme-iptfs section 2.2.4 and 6.1.4"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 2.2.4 and
6.1.4";
} }
leaf max-aggregation-time { leaf max-aggregation-time {
type decimal64 { type decimal64 {
fraction-digits 6; fraction-digits 6;
} }
units "milliseconds"; units "milliseconds";
description description
"On transmission, maximum aggregation time is the "On transmission, maximum aggregation time is the
maximum length of time a received inner packet can be maximum length of time a received inner packet can be
held prior to transmission in the iptfs tunnel. Inner held prior to transmission in the IP-TFS tunnel. Inner
packets that would be held longer than this time, based packets that would be held longer than this time, based
on the current tunnel configuration will be dropped on the current tunnel configuration, will be dropped
rather than be queued for transmission. Maximum rather than be queued for transmission. Maximum
aggregation time is configurable in milliseconds or aggregation time is configurable in milliseconds or
fractional milliseconds down to 1 nanosecond."; fractional milliseconds down to 1 nanosecond.";
} }
leaf window-size { leaf window-size {
type uint16 { type uint16 {
range "0..65535"; range "0..65535";
} }
description description
"On reception, the maximum number of out-of-order "On reception, the maximum number of out-of-order
packets that will be reordered by an iptfs receiver packets that will be reordered by an IP-TFS receiver
while performing the reordering operation. The value 0 while performing the reordering operation. The value 0
disables any reordering."; disables any reordering.";
reference reference
"draft-ietf-ipsecme-iptfs section 2.2.3"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 2.2.3";
} }
leaf send-immediately { leaf send-immediately {
type boolean; type boolean;
default "false"; default "false";
description description
"On reception, send inner packets as soon as possible, do "On reception, send inner packets as soon as possible; do
not wait for lost or misordered outer packets. not wait for lost or misordered outer packets.
Selecting this option reduces the inner (user) packet Selecting this option reduces the inner (user) packet
delay but can amplify out-of-order delivery of the delay but can amplify out-of-order delivery of the
inner packet stream in the presence of packet inner packet stream in the presence of packet
aggregation and any reordering."; aggregation and any reordering.";
reference reference
"draft-ietf-ipsecme-iptfs section 2.5"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 2.5";
} }
leaf lost-packet-timer-interval { leaf lost-packet-timer-interval {
type decimal64 { type decimal64 {
fraction-digits 6; fraction-digits 6;
} }
units "milliseconds"; units "milliseconds";
description description
"On reception, this interval defines the length of time "On reception, this interval defines the length of time
an iptfs receiver will wait for a missing packet before an IP-TFS receiver will wait for a missing packet before
considering it lost. If not using send-immediately, considering it lost. If not using send-immediately,
then each lost packet will delay inner (user) packets then each lost packet will delay inner (user) packets
until this timer expires. Setting this value too low until this timer expires. Setting this value too low
can impact reordering and reassembly. The value is can impact reordering and reassembly. The value is
configurable in milliseconds or fractional milliseconds configurable in milliseconds or fractional milliseconds
down to 1 nanosecond."; down to 1 nanosecond.";
reference reference
"draft-ietf-ipsecme-iptfs section 2.2.3"; "RFC 9347: Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for
IP Traffic Flow Security (IP-TFS), Section 2.2.3";
} }
} }
} }
/* /*
* IP-TFS ike configuration * IP-TFS ike configuration
*/ */
augment "/nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd/" augment "/nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd/"
+ "nsfike:spd-entry/" + "nsfike:spd-entry/"
skipping to change at page 17, line 46 skipping to change at line 842
} }
} }
/* /*
* packet counters * packet counters
*/ */
augment "/nsfike:ipsec-ike/nsfike:conn-entry/" augment "/nsfike:ipsec-ike/nsfike:conn-entry/"
+ "nsfike:child-sa-info" { + "nsfike:child-sa-info" {
description description
"Per SA Counters"; "Per-SA counters";
container ipsec-stats { container ipsec-stats {
if-feature "ipsec-stats"; if-feature "ipsec-stats";
config false; config false;
description description
"IPsec per SA packet counters. "IPsec per-SA packet counters.
tx = outbound, rx = inbound"; tx = outbound, rx = inbound";
uses ipsec-tx-stat-grouping; uses ipsec-tx-stat-grouping;
uses ipsec-rx-stat-grouping; uses ipsec-rx-stat-grouping;
} }
container iptfs-inner-pkt-stats { container iptfs-inner-pkt-stats {
if-feature "iptfs-stats"; if-feature "iptfs-stats";
config false; config false;
description description
"IPTFS per SA inner packet counters. "IP-TFS per-SA inner packet counters.
tx = outbound, rx = inbound"; tx = outbound, rx = inbound";
uses iptfs-inner-tx-stat-grouping; uses iptfs-inner-tx-stat-grouping;
uses iptfs-inner-rx-stat-grouping; uses iptfs-inner-rx-stat-grouping;
} }
container iptfs-outer-pkt-stats { container iptfs-outer-pkt-stats {
if-feature "iptfs-stats"; if-feature "iptfs-stats";
config false; config false;
description description
"IPTFS per SA outer packets counters. "IP-TFS per-SA outer packets counters.
tx = outbound, rx = inbound"; tx = outbound, rx = inbound";
uses iptfs-outer-tx-stat-grouping; uses iptfs-outer-tx-stat-grouping;
uses iptfs-outer-rx-stat-grouping; uses iptfs-outer-rx-stat-grouping;
} }
} }
/* /*
* packet counters * packet counters
*/ */
augment "/nsfikels:ipsec-ikeless/nsfikels:sad/" augment "/nsfikels:ipsec-ikeless/nsfikels:sad/"
+ "nsfikels:sad-entry" { + "nsfikels:sad-entry" {
description description
"Per SA Counters"; "Per-SA counters";
container ipsec-stats { container ipsec-stats {
if-feature "ipsec-stats"; if-feature "ipsec-stats";
config false; config false;
description description
"IPsec per SA packet counters. "IPsec per-SA packet counters.
tx = outbound, rx = inbound"; tx = outbound, rx = inbound";
uses ipsec-tx-stat-grouping; uses ipsec-tx-stat-grouping;
uses ipsec-rx-stat-grouping; uses ipsec-rx-stat-grouping;
} }
container iptfs-inner-pkt-stats { container iptfs-inner-pkt-stats {
if-feature "iptfs-stats"; if-feature "iptfs-stats";
config false; config false;
description description
"IPTFS per SA inner packet counters. "IP-TFS per-SA inner packet counters.
tx = outbound, rx = inbound"; tx = outbound, rx = inbound";
uses iptfs-inner-tx-stat-grouping; uses iptfs-inner-tx-stat-grouping;
uses iptfs-inner-rx-stat-grouping; uses iptfs-inner-rx-stat-grouping;
} }
container iptfs-outer-pkt-stats { container iptfs-outer-pkt-stats {
if-feature "iptfs-stats"; if-feature "iptfs-stats";
config false; config false;
description description
"IPTFS per SA outer packets counters. "IP-TFS per-SA outer packets counters.
tx = outbound, rx = inbound"; tx = outbound, rx = inbound";
uses iptfs-outer-tx-stat-grouping; uses iptfs-outer-tx-stat-grouping;
uses iptfs-outer-rx-stat-grouping; uses iptfs-outer-rx-stat-grouping;
} }
} }
} }
<CODE ENDS> <CODE ENDS>
4. IANA Considerations 4. IANA Considerations
4.1. Updates to the IETF XML Registry 4.1. Updates to the IETF XML Registry
This document registers a URI in the "IETF XML Registry" [RFC3688]. Per this document, IANA has registered a URI in the "IETF XML
Following the format in [RFC3688], the following registration has Registry" [RFC3688] as follows.
been made:
URI:
urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs
Registrant Contact:
The IESG.
XML: URI: urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs
N/A; the requested URI is an XML namespace. Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace.
4.2. Updates to the YANG Module Names Registry 4.2. Updates to the YANG Module Names Registry
This document registers one YANG module in the "YANG Module Names" Per this document, IANA has registered one YANG module in the "YANG
registry [RFC6020]. Following the format in [RFC6020], the following Module Names" registry [RFC6020] as follows.
registration has been made:
name:
ietf-ipsec-iptfs
namespace:
urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs
prefix:
iptfs
reference: Name: ietf-ipsec-iptfs
RFC XXXX (RFC Ed.: replace XXXX with actual RFC number and remove Namespace: urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs
this note.) Prefix: iptfs
Reference: RFC 9348
5. Security Considerations 5. Security Considerations
The YANG module specified in this document defines a schema for data The YANG module specified in this document defines a schema for data
that is designed to be accessed via network management protocols such that is designed to be accessed via network management protocols such
as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer
is the secure transport layer, and the mandatory-to-implement secure is the secure transport layer, and the mandatory-to-implement secure
transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer
is HTTPS, and the mandatory-to-implement secure transport is TLS is HTTPS, and the mandatory-to-implement secure transport is TLS
[RFC8446]. [RFC8446].
The Network Configuration Access Control Model (NACM) [RFC8341] The Network Configuration Access Control Model (NACM) [RFC8341]
provides the means to restrict access for particular NETCONF or provides the means to restrict access for particular NETCONF or
RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or
RESTCONF protocol operations and content. RESTCONF protocol operations and content.
Certain data nodes defined in this YANG module are There are a number of data nodes defined in this YANG module that are
writable/creatable/deletable. These changes can enable, disable and writable/creatable/deletable (i.e., config true, which is the
modify the behavior of IP traffic flow security, for the implications default). These data nodes may be considered sensitive or vulnerable
regarding these types of changes consult the [I-D.ietf-ipsecme-iptfs] in some network environments. Write operations (e.g., edit-config)
which defines the functionality. The relevant sub-trees or nodes to these data nodes without proper protection can have a negative
are: effect on network operations. These are the subtrees and data nodes
and their sensitivity/vulnerability:
../traffic-flow-security: Enabling IP traffic flow security is
controlled by setting the entries under traffic-flow-security in
IKE or IKE-less models. IP traffic flow security is set either to
be congestion sensitive or a fixed rate by setting parameters in
this sub-tree.
Certain readable data nodes in this YANG module may be considered
sensitive or vulnerable in some network environments. While IP-TFS
hides the traffic flows through the network, IP-TFS YANG statistics
could reveal some information about traffic flows. Therefore, access
to IP-TFS YANG statistics also needs to be protected from third party
observation. These IP-TFS YANG statistics can be found at:
../iptfs-inner-pkt-stats and ../iptfs-outer-pkt-stats: Access to IP
traffic flow security statistics can provide information that IP
traffic flow security obscures such as the true activity of the
flows using IP traffic flow security.
6. Acknowledgements ../traffic-flow-security: Enabling IP-TFS is controlled by setting
the entries under traffic-flow-security in IKE or IKE-less models.
IP-TFS is set either to be congestion sensitive or a fixed rate by
setting parameters in this subtree.
The authors would like to thank Eric Kinzie, Juergen Schoenwaelder, Some of the readable data nodes in this YANG module may be considered
Lou Berger and Tero Kivinen for their feedback and review on the YANG sensitive or vulnerable in some network environments. It is thus
model. important to control read access (e.g., via get, get-config, or
notification) to these data nodes. These are the subtrees and data
nodes and their sensitivity/vulnerability:
7. References ../iptfs-inner-pkt-stats and ../iptfs-outer-pkt-stats: Access to IP-
TFS statistics can provide information that IP-TFS obscures, such
as the true activity of the flows using IP-TFS.
7.1. Normative References 6. References
[I-D.ietf-ipsecme-iptfs] 6.1. Normative References
Hopps, C., "IP-TFS: Aggregation and Fragmentation Mode for
ESP and its Use for IP Traffic Flow Security", Work in
Progress, Internet-Draft, draft-ietf-ipsecme-iptfs-19, 8
November 2021, <https://www.ietf.org/archive/id/draft-
ietf-ipsecme-iptfs-19.txt>.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
December 2005, <https://www.rfc-editor.org/info/rfc4301>. December 2005, <https://www.rfc-editor.org/info/rfc4301>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020, the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010, DOI 10.17487/RFC6020, October 2010,
<https://www.rfc-editor.org/info/rfc6020>. <https://www.rfc-editor.org/info/rfc6020>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>.
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
RFC 6991, DOI 10.17487/RFC6991, July 2013, RFC 6991, DOI 10.17487/RFC6991, July 2013,
<https://www.rfc-editor.org/info/rfc6991>. <https://www.rfc-editor.org/info/rfc6991>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>.
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
Access Control Model", STD 91, RFC 8341,
DOI 10.17487/RFC8341, March 2018,
<https://www.rfc-editor.org/info/rfc8341>.
[RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
and R. Wilton, "Network Management Datastore Architecture and R. Wilton, "Network Management Datastore Architecture
(NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018,
<https://www.rfc-editor.org/info/rfc8342>. <https://www.rfc-editor.org/info/rfc8342>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
[RFC9061] Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez- [RFC9061] Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
Garcia, "A YANG Data Model for IPsec Flow Protection Based Garcia, "A YANG Data Model for IPsec Flow Protection Based
on Software-Defined Networking (SDN)", RFC 9061, on Software-Defined Networking (SDN)", RFC 9061,
DOI 10.17487/RFC9061, July 2021, DOI 10.17487/RFC9061, July 2021,
<https://www.rfc-editor.org/info/rfc9061>. <https://www.rfc-editor.org/info/rfc9061>.
7.2. Informative References [RFC9347] Hopps, C., "Aggregation and Fragmentation Mode for
Encapsulating Security Payload (ESP) and Its Use for IP
Traffic Flow Security (IP-TFS)", RFC 9347,
DOI 10.17487/RFC9347, January 2023,
<https://www.rfc-editor.org/info/rfc9347>.
6.2. Informative References
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC5348] Floyd, S., Handley, M., Padhye, J., and J. Widmer, "TCP [RFC5348] Floyd, S., Handley, M., Padhye, J., and J. Widmer, "TCP
Friendly Rate Control (TFRC): Protocol Specification", Friendly Rate Control (TFRC): Protocol Specification",
RFC 5348, DOI 10.17487/RFC5348, September 2008, RFC 5348, DOI 10.17487/RFC5348, September 2008,
<https://www.rfc-editor.org/info/rfc5348>. <https://www.rfc-editor.org/info/rfc5348>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/info/rfc8340>. <https://www.rfc-editor.org/info/rfc8340>.
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
Access Control Model", STD 91, RFC 8341,
DOI 10.17487/RFC8341, March 2018,
<https://www.rfc-editor.org/info/rfc8341>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
Appendix A. Examples Appendix A. Examples
The following examples show configuration and operational data for The following examples show configuration and operational data for
the IKE-less and IKE cases using XML and JSON. Also, the operational the IKE-less and IKE cases using XML and JSON. Also, the operational
statistics for the IKE-less case is illustrated. statistics for the IKE-less case is illustrated.
A.1. Example XML Configuration A.1. Example XML Configuration
This example illustrates configuration for IP-TFS in the IKE-less This example illustrates configuration for IP-TFS in the IKE-less
case. Note that since this augments the IPsec IKE-less schema only case. Note that, since this augments the IPsec IKE-less schema, only
minimal a IKE-less configuration to satisfy the schema has been a minimal IKE-less configuration to satisfy the schema has been
populated. populated.
<i:ipsec-ikeless <i:ipsec-ikeless
xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless"
xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs"> xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs">
<i:spd> <i:spd>
<i:spd-entry> <i:spd-entry>
<i:name>protect-policy-1</i:name> <i:name>protect-policy-1</i:name>
<i:direction>outbound</i:direction> <i:direction>outbound</i:direction>
<i:ipsec-policy-config> <i:ipsec-policy-config>
skipping to change at page 23, line 41 skipping to change at line 1094
<tfs:lost-packet-timer-interval <tfs:lost-packet-timer-interval
>0.2</tfs:lost-packet-timer-interval> >0.2</tfs:lost-packet-timer-interval>
</tfs:traffic-flow-security> </tfs:traffic-flow-security>
</i:ipsec-sa-cfg> </i:ipsec-sa-cfg>
</i:processing-info> </i:processing-info>
</i:ipsec-policy-config> </i:ipsec-policy-config>
</i:spd-entry> </i:spd-entry>
</i:spd> </i:spd>
</i:ipsec-ikeless> </i:ipsec-ikeless>
Figure 1: Example IP-TFS XML configuration Figure 1: Example IP-TFS XML Configuration
A.2. Example XML Operational Data A.2. Example XML Operational Data
This example illustrates operational data for IP-TFS in the IKE-less This example illustrates operational data for IP-TFS in the IKE-less
case. Note that since this augments the IPsec IKE-less schema only case. Note that, since this augments the IPsec IKE-less schema only,
minimal IKE-less configuration to satisfy the schema has been a minimal IKE-less configuration to satisfy the schema has been
populated. populated.
<i:ipsec-ikeless <i:ipsec-ikeless
xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless"
xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs"> xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs">
<i:sad> <i:sad>
<i:sad-entry> <i:sad-entry>
<i:name>sad-1</i:name> <i:name>sad-1</i:name>
<i:ipsec-sa-config> <i:ipsec-sa-config>
<i:spi>1</i:spi> <i:spi>1</i:spi>
skipping to change at page 24, line 35 skipping to change at line 1133
<tfs:max-aggregation-time>0.100</tfs:max-aggregation-time> <tfs:max-aggregation-time>0.100</tfs:max-aggregation-time>
<tfs:window-size>0</tfs:window-size> <tfs:window-size>0</tfs:window-size>
<tfs:send-immediately>true</tfs:send-immediately> <tfs:send-immediately>true</tfs:send-immediately>
<tfs:lost-packet-timer-interval <tfs:lost-packet-timer-interval
>0.200</tfs:lost-packet-timer-interval> >0.200</tfs:lost-packet-timer-interval>
</tfs:traffic-flow-security> </tfs:traffic-flow-security>
</i:sad-entry> </i:sad-entry>
</i:sad> </i:sad>
</i:ipsec-ikeless> </i:ipsec-ikeless>
Figure 2: Example IP-TFS XML Operational data Figure 2: Example IP-TFS XML Operational Data
A.3. Example JSON Configuration A.3. Example JSON Configuration
This example illustrates config data for IP-TFS in the IKE case. This example illustrates configuration data for IP-TFS in the IKE
Note that since this augments the IPsec IKE schema only minimal ike case. Note that, since this augments the IPsec IKE schema, only a
configuration to satisfy the schema has been populated. minimal IKE configuration to satisfy the schema has been populated.
{ {
"ietf-i2nsf-ike:ipsec-ike": { "ietf-i2nsf-ike:ipsec-ike": {
"ietf-i2nsf-ike:conn-entry": [ "ietf-i2nsf-ike:conn-entry": [
{ {
"name": "my-peer-connection", "name": "my-peer-connection",
"ike-sa-encr-alg": [ "ike-sa-encr-alg": [
{ {
"id": 1, "id": 1,
"algorithm-type": 12, "algorithm-type": 12,
skipping to change at page 25, line 47 skipping to change at line 1193
} }
} }
} }
] ]
} }
} }
] ]
} }
} }
Figure 3: Example IP-TFS JSON configuration Figure 3: Example IP-TFS JSON Configuration
A.4. Example JSON Operational Data A.4. Example JSON Operational Data
This example illustrates operational data for IP-TFS in the IKE case. This example illustrates operational data for IP-TFS in the IKE case.
Note that since this augments the IPsec IKE tree only minimal IKE Note that, since this augments the IPsec IKE tree, only a minimal IKE
configuration to satisfy the schema has been populated. configuration to satisfy the schema has been populated.
{ {
"ietf-i2nsf-ike:ipsec-ike": { "ietf-i2nsf-ike:ipsec-ike": {
"ietf-i2nsf-ike:conn-entry": [ "ietf-i2nsf-ike:conn-entry": [
{ {
"name": "my-peer-connection", "name": "my-peer-connection",
"ike-sa-encr-alg": [ "ike-sa-encr-alg": [
{ {
"id": 1, "id": 1,
skipping to change at page 26, line 47 skipping to change at line 1237
"window-size": 5, "window-size": 5,
"send-immediately": false, "send-immediately": false,
"lost-packet-timer-interval": "0.2" "lost-packet-timer-interval": "0.2"
} }
} }
} }
] ]
} }
} }
Figure 4: Example IP-TFS JSON Operational data Figure 4: Example IP-TFS JSON Operational Data
A.5. Example JSON Operational Statistics A.5. Example JSON Operational Statistics
This example shows the JSON formatted statistics for IP-TFS. Note a This example shows the JSON formatted statistics for IP-TFS. Note a
unidirectional IP-TFS transmit side is illustrated, with arbitrary unidirectional IP-TFS transmit side is illustrated, with arbitrary
numbers for transmit. numbers for transmit.
{ {
"ietf-i2nsf-ikeless:ipsec-ikeless": { "ietf-i2nsf-ikeless:ipsec-ikeless": {
"sad": { "sad": {
skipping to change at page 28, line 23 skipping to change at line 1306
} }
} }
} }
] ]
} }
} }
} }
Figure 5: Example IP-TFS JSON Statistics Figure 5: Example IP-TFS JSON Statistics
Acknowledgements
The authors would like to thank Eric Kinzie, Jürgen Schönwälder, Lou
Berger, and Tero Kivinen for their feedback and review on the YANG
module.
Authors' Addresses Authors' Addresses
Don Fedyk Don Fedyk
LabN Consulting, L.L.C. LabN Consulting, L.L.C.
Email: dfedyk@labn.net Email: dfedyk@labn.net
Christian Hopps Christian Hopps
LabN Consulting, L.L.C. LabN Consulting, L.L.C.
Email: chopps@chopps.org Email: chopps@chopps.org
 End of changes. 124 change blocks. 
305 lines changed or deleted 324 lines changed or added

This html diff was produced by rfcdiff 1.48.