rfc9648.original | rfc9648.txt | |||
---|---|---|---|---|
TCPM M. Scharf | Internet Engineering Task Force (IETF) M. Scharf | |||
Internet-Draft Hochschule Esslingen | Request for Comments: 9648 Hochschule Esslingen | |||
Intended status: Standards Track M. Jethanandani | Category: Standards Track M. Jethanandani | |||
Expires: 15 March 2023 Kloud Services | ISSN: 2070-1721 Kloud Services | |||
V. Murgai | V. Murgai | |||
Samsung | F5, Inc. | |||
11 September 2022 | October 2024 | |||
A YANG Model for Transmission Control Protocol (TCP) Configuration and | YANG Data Model for TCP | |||
State | ||||
draft-ietf-tcpm-yang-tcp-09 | ||||
Abstract | Abstract | |||
This document specifies a minimal YANG model for TCP on devices that | This document specifies a minimal YANG data model for TCP on devices | |||
are configured and managed by network management protocols. The YANG | that are configured and managed by network management protocols. The | |||
model defines a container for all TCP connections, and groupings of | YANG data model defines a container for all TCP connections and | |||
authentication parameters that can be imported and used in TCP | groupings of authentication parameters that can be imported and used | |||
implementations or by other models that need to configure TCP | in TCP implementations or by other models that need to configure TCP | |||
parameters. The model also includes basic TCP statistics. The model | parameters. The model also includes basic TCP statistics. The model | |||
is compliant with Network Management Datastore Architecture (NMDA) | is compliant with Network Management Datastore Architecture (NMDA) | |||
(RFC 8342). | (RFC 8342). | |||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
provisions of BCP 78 and BCP 79. | ||||
Internet-Drafts are working documents of the Internet Engineering | ||||
Task Force (IETF). Note that other groups may also distribute | ||||
working documents as Internet-Drafts. The list of current Internet- | ||||
Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
Internet Standards is available in Section 2 of RFC 7841. | ||||
This Internet-Draft will expire on 15 March 2023. | Information about the current status of this document, any errata, | |||
and how to provide feedback on it may be obtained at | ||||
https://www.rfc-editor.org/info/rfc9648. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
in the Revised BSD License. | ||||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction | |||
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 4 | 1.1. Conventions | |||
2.1. Note to RFC Editor . . . . . . . . . . . . . . . . . . . 4 | 2. Requirements Language | |||
3. YANG Module Overview . . . . . . . . . . . . . . . . . . . . 4 | 3. YANG Module Overview | |||
3.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3.1. Scope | |||
3.2. Model Design . . . . . . . . . . . . . . . . . . . . . . 6 | 3.2. Model Design | |||
3.3. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6 | 3.3. Tree Diagram | |||
4. TCP YANG Model . . . . . . . . . . . . . . . . . . . . . . . 7 | 4. TCP YANG Data Model | |||
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 | 5. IANA Considerations | |||
5.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 19 | 5.1. The IETF XML Registry | |||
5.2. The YANG Module Names Registry . . . . . . . . . . . . . 20 | 5.2. The YANG Module Names Registry | |||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 20 | 6. Security Considerations | |||
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 | 7. References | |||
7.1. Normative References . . . . . . . . . . . . . . . . . . 21 | 7.1. Normative References | |||
7.2. Informative References . . . . . . . . . . . . . . . . . 23 | 7.2. Informative References | |||
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 25 | Appendix A. Examples | |||
Appendix B. Examples . . . . . . . . . . . . . . . . . . . . . . 25 | A.1. Keepalive Configuration | |||
B.1. Keepalive Configuration . . . . . . . . . . . . . . . . . 26 | A.2. TCP-AO Configuration | |||
B.2. TCP-AO Configuration . . . . . . . . . . . . . . . . . . 26 | Appendix B. Complete Tree Diagram | |||
Appendix C. Complete Tree Diagram . . . . . . . . . . . . . . . 28 | Acknowledgements | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 29 | Authors' Addresses | |||
1. Introduction | 1. Introduction | |||
The Transmission Control Protocol (TCP) [RFC9293] is used by many | The Transmission Control Protocol (TCP) [RFC9293] is used by many | |||
applications in the Internet, including control and management | applications in the Internet, including control and management | |||
protocols. As such, TCP is implemented on network elements that can | protocols. As such, TCP is implemented on network elements that can | |||
be configured and managed via network management protocols such as | be configured and managed via network management protocols such as | |||
NETCONF [RFC6241] or RESTCONF [RFC8040]. | Network Configuration Protocol (NETCONF) [RFC6241] or RESTCONF | |||
[RFC8040]. | ||||
This document specifies a minimal YANG 1.1 [RFC7950] model for | This document specifies a minimal YANG 1.1 [RFC7950] data model for | |||
configuring and managing TCP on network elements that support YANG, a | configuring and managing TCP on network elements that support YANG, a | |||
TCP connection table, a TCP listener table containing information | TCP connection table, a TCP listener table containing information | |||
about a particular TCP listener, and an augmentation of the YANG Data | about a particular TCP listener, and an augmentation of the YANG data | |||
Model for Key Chains [RFC8177] to support authentication. The YANG | model for key chains [RFC8177] to support authentication. The YANG | |||
module specified in this document is compliant with Network | module specified in this document is compliant with Network | |||
Management Datastore Architecture (NMDA) [RFC8342]. | Management Datastore Architecture (NMDA) [RFC8342]. | |||
The YANG module has a narrow scope and focuses on a subset of | The YANG module has a narrow scope and focuses on a subset of | |||
fundamental TCP functions and basic statistics. It defines a | fundamental TCP functions and basic statistics. It defines a | |||
container for a list of TCP connections that includes definitions | container for a list of TCP connections that includes definitions | |||
from YANG Groupings for TCP Clients and TCP Servers | from "YANG Groupings for TCP Clients and TCP Servers" [RFC9643]. The | |||
[I-D.ietf-netconf-tcp-client-server]. The model adheres to the | model adheres to the recommendation in "BGP/MPLS IP Virtual Private | |||
recommendation in BGP/MPLS IP Virtual Private Networks [RFC4364]. | Networks (VPNs)" [RFC4364]. Therefore, it allows enabling of TCP | |||
Therefore it allows enabling of TCP-AO [RFC5925], and accommodates | Authentication Option (TCP-AO) [RFC5925] and accommodates the | |||
the installed base that makes use of MD5. The module can be | installed base that makes use of MD5. The module can be augmented or | |||
augmented or updated to address more advanced or implementation- | updated to address more advanced or implementation-specific TCP | |||
specific TCP features in the future. | features in the future. | |||
This specification does not deprecate the Management Information Base | This specification does not deprecate the Management Information Base | |||
(MIB) for the Transmission Control Protocol (TCP) [RFC4022]. The | (MIB) for the Transmission Control Protocol (TCP) [RFC4022]. The | |||
basic statistics defined in this document follow the model of the TCP | basic statistics defined in this document follow the model of the TCP | |||
MIB. An TCP Extended Statistics MIB [RFC4898] is also available, but | MIB. A TCP extended statistics MIB [RFC4898] is also available, but | |||
this document does not cover such extended statistics. The YANG | this document does not cover such extended statistics. The YANG | |||
module also omits some selected parameters included in TCP MIB, most | module also omits some selected parameters included in TCP MIB, most | |||
notably Retransmission Timeout (RTO) configuration and a maximum | notably Retransmission Timeout (RTO) configuration and a maximum | |||
connection limit. This is a conscious decision as these parameters | connection limit. This is a conscious decision as these parameters | |||
hardly matter in a state-of-the-art TCP implementation. It would | hardly matter in a state-of-the-art TCP implementation. It would | |||
also be possible to translate a MIB into a YANG module, for instance | also be possible to translate a MIB into a YANG module, for instance, | |||
using Translation of Structure of Management Information Version 2 | using "Translation of Structure of Management Information Version 2 | |||
(SMIv2) MIB Modules to YANG Modules [RFC6643]. However, this | (SMIv2) MIB Modules to YANG Modules" [RFC6643]. However, this | |||
approach is not used in this document, because a translated model | approach is not used in this document, because a translated model | |||
would not be up-to-date. | would not be up-to-date. | |||
There are other existing TCP-related YANG models, which are | There are other existing TCP-related YANG data models, which are | |||
orthogonal to this specification. Examples are: | orthogonal to this specification. Examples are: | |||
* TCP header attributes are modeled in other security-related | * TCP header attributes are modeled in other security-related | |||
models, such as YANG Data Model for Network Access Control Lists | models, such as those described in "YANG Data Model for Network | |||
(ACLs) [RFC8519], Distributed Denial-of-Service Open Thread | Access Control Lists (ACLs)" [RFC8519], "Distributed Denial-of- | |||
Signaling (DOTS) Data Channel Specification [RFC8783], I2NSF | Service Open Threat Signaling (DOTS) Data Channel Specification" | |||
Capability YANG Data Model [I-D.ietf-i2nsf-capability-data-model], | [RFC8783], "I2NSF Capability YANG Data Model" [NSF-CAP-YANG], or | |||
or I2NSF Network Security Function-Facing Interface YANG Data | "I2NSF Network Security Function-Facing Interface YANG Data Model" | |||
Model [I-D.ietf-i2nsf-nsf-facing-interface-dm]. | [NSF-FACING-YANG]. | |||
* TCP-related configuration of a NAT (e.g., NAT44, NAT64, | * TCP-related configuration of a NAT (e.g., NAT44, NAT64, or | |||
Destination NAT) is defined in A YANG Module for Network Address | Destination NAT) is defined in "A YANG Module for Network Address | |||
Translation (NAT) and Network Prefix Translation (NPT) [RFC8512] | Translation (NAT) and Network Prefix Translation (NPT)" [RFC8512] | |||
and A YANG Data Model for Dual-Stack Lite (DS-Lite) [RFC8513]. | and "A YANG Data Model for Dual-Stack Lite (DS-Lite)" [RFC8513]. | |||
* TCP-AO and TCP MD5 configuration for Layer 3 VPNs is modeled in A | * TCP-AO and TCP MD5 configuration for Layer 3 VPNs is modeled in "A | |||
Layer 3 VPN Network YANG Model [RFC9182]. This model assumes that | YANG Network Data Model for Layer 3 VPNs" [RFC9182]. This model | |||
TCP-AO specific parameters are preconfigured in addition to the | assumes that TCP-AO-specific parameters are preconfigured in | |||
keychain parameters. | addition to the key chain parameters. | |||
1.1. Conventions | ||||
Various examples in this document use the XML [W3C.REC-xml-20081126] | ||||
encoding. Other encodings, such as JSON [RFC8259], could | ||||
alternatively be used. | ||||
Various examples in this document contain long lines that may be | ||||
folded, as described in [RFC8792]. | ||||
2. Requirements Language | 2. Requirements Language | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in | |||
14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
2.1. Note to RFC Editor | ||||
This document uses several placeholder values throughout the | ||||
document. Please replace them as follows and remove this note before | ||||
publication. | ||||
RFC XXXX, where XXXX is the number assigned to this document at the | ||||
time of publication. | ||||
2022-09-11 with the actual date of the publication of this document. | ||||
3. YANG Module Overview | 3. YANG Module Overview | |||
3.1. Scope | 3.1. Scope | |||
TCP is implemented on different system architectures. As a result, | TCP is implemented on different system architectures. As a result, | |||
there are many different and often implementation-specific ways to | there are many different and often implementation-specific ways to | |||
configure parameters of the TCP engine. In addition, in many TCP/IP | configure parameters of the TCP engine. In addition, in many TCP/IP | |||
stacks configuration exists for different scopes: | stacks, configuration exists for different scopes: | |||
* System-wide configuration: Many TCP implementations have | * System-wide configuration: Many TCP implementations have | |||
configuration parameters that affect all TCP connections from or | configuration parameters that affect all TCP connections from or | |||
to this TCP stack. Typical examples include enabling or disabling | to this TCP stack. Typical examples include enabling or disabling | |||
optional protocol features. For instance, many implementations | optional protocol features. For instance, many implementations | |||
can turn on or off use of window scaling Transmission Control | can turn on or off use of window scaling (defined in "Transmission | |||
Protocol (TCP) Specification [RFC9293] for all TCP connections. | Control Protocol (TCP)" [RFC9293]) for all TCP connections. | |||
* Interface configuration: It can be useful to use different TCP | * Interface configuration: It can be useful to use different TCP | |||
parameters on different interfaces, e.g., different device ports | parameters on different interfaces, e.g., different device ports | |||
or IP interfaces. In that case, TCP parameters can be part of the | or IP interfaces. In that case, TCP parameters can be part of the | |||
interface configuration. Typical examples are the Maximum Segment | interface configuration. Typical examples are the Maximum Segment | |||
Size (MSS) or configuration related to hardware offloading. | Size (MSS) or configuration related to hardware offloading. | |||
* Connection parameters: Many implementations have means to | * Connection parameters: Many implementations have means to | |||
influence the behavior of each TCP connection, e.g., on the | influence the behavior of each TCP connection, e.g., on the | |||
programming interface used by applications. Typical examples are | programming interface used by applications. Typical examples are | |||
socket options in the socket API, such as disabling the Nagle | socket options in the socket API, such as disabling the Nagle | |||
algorithm Transmission Control Protocol (TCP) Specification | algorithm (as described in "Transmission Control Protocol (TCP)" | |||
[RFC9293] by TCP_NODELAY. If an application uses such an | [RFC9293]) by TCP_NODELAY. If an application uses such an | |||
interface, it is possible that the configuration of the | interface, it is possible that the configuration of the | |||
application or application protocol includes TCP-related | application or application protocol includes TCP-related | |||
parameters. An example is the BGP YANG Model for Service Provider | parameters. An example is the BGP YANG module for service | |||
Networks [I-D.ietf-idr-bgp-model]. | provider networks [BGP-MODEL]. | |||
* Application preferences: Setting of TCP parameters can also be | * Application preferences: Setting of TCP parameters can also be | |||
part of application preferences, templates, or profiles. An | part of application preferences, templates, or profiles. An | |||
example would be the preferences defined in An Abstract | example would be the preferences defined in "An Abstract | |||
Application Layer Interface to Transport Services | Application Layer Interface to Transport Services" | |||
[I-D.ietf-taps-interface]. | [TAPS-INTERFACE]. | |||
As a result, there is no ground truth for setting certain TCP | As a result, there is no ground truth for setting certain TCP | |||
parameters, and traditionally different TCP implementations have used | parameters, and generally different TCP implementations have used | |||
different modeling approaches. For instance, one implementation may | different modeling approaches. For instance, one implementation may | |||
define a given configuration parameter globally, while another one | define a given configuration parameter globally, while another one | |||
uses per-interface settings, and both approaches work well for the | uses per-interface settings, and both approaches work well for the | |||
corresponding use cases. Also, different systems may use different | corresponding use cases. Also, different systems may use different | |||
default values. In addition, TCP can be implemented in different | default values. In addition, TCP can be implemented in different | |||
ways and design choices by the protocol engine often affect | ways and design choices by the protocol engine often affect | |||
configuration options. | configuration options. | |||
Nonetheless, a number of TCP stack parameters require configuration | Nonetheless, a number of TCP stack parameters require configuration | |||
by YANG models. This document therefore defines a minimal YANG model | by YANG data models. This document therefore defines a minimal YANG | |||
with fundamental parameters. An important use case is the TCP | data model with fundamental parameters. An important use case is the | |||
configuration on network elements such as routers, which often use | TCP configuration on network elements, such as routers, which often | |||
YANG data models. The model therefore specifies TCP parameters that | use YANG data models. The model therefore specifies TCP parameters | |||
are important on such TCP stacks. | that are important on such TCP stacks. | |||
This in particular applies to the support of TCP-AO [RFC5925] and the | In particular, this applies to the support of the TCP Authentication | |||
corresponding cryptographic algorithms [RFC5926]. TCP Authentication | Option (TCP-AO) [RFC5925] and the corresponding cryptographic | |||
Option (TCP-AO) is used on routers to secure routing protocols such | algorithms [RFC5926]. TCP-AO is used on routers to secure routing | |||
as BGP. In that case, a YANG model for TCP-AO configuration is | protocols such as BGP. In that case, a YANG data model for TCP-AO | |||
required. The model defined in this document includes the required | configuration is required. The model defined in this document | |||
parameters for TCP-AO configuration, such as the values of SendID and | includes the required parameters for TCP-AO configuration, such as | |||
RecvID. The keychain for TCP-AO can be modeled by the YANG Data | the values of SendID and RecvID. The key chain for TCP-AO can be | |||
Model for Key Chains [RFC8177]. The groupings defined in this | modeled by the YANG data model for key chains [RFC8177]. The | |||
document can be imported and used as part of such a preconfiguration. | groupings defined in this document can be imported and used as part | |||
of such a preconfiguration. | ||||
Given an installed base, the model also allows enabling of the legacy | Given an installed base, the model also allows enabling of the legacy | |||
TCP MD5 [RFC2385] signature option. The TCP MD5 signature option was | TCP MD5 [RFC2385] signature option. The TCP MD5 signature option was | |||
obsoleted by TCP-AO in 2010. If current implementations require TCP | obsoleted by TCP-AO in 2010. If current implementations require TCP | |||
authentication, it is RECOMMENDED to use TCP-AO [RFC5925]. | authentication, it is RECOMMENDED to use TCP-AO [RFC5925]. | |||
Similar to the TCP MIB [RFC4022], this document also specifies basic | Similar to the TCP MIB [RFC4022], this document also specifies basic | |||
statistics, a TCP connection list, and a TCP listener list. | statistics, a TCP connection list, and a TCP listener list. | |||
* Statistics: Counters for the number of active/passive opens, sent | * Statistics: Counters for the number of active/passive opens, sent | |||
and received TCP segments, errors, and possibly other detailed | and received TCP segments, errors, and possibly other detailed | |||
debugging information | debugging information. | |||
* TCP connection list: Access to status information for all TCP | * TCP connection list: Access to status information for all TCP | |||
connections. Note, the connection table is modeled as a list that | connections. Note that the connection table is modeled as a list | |||
is read-writeable, even though a connection cannot be created by | that is readable and writeable, even though a connection cannot be | |||
adding entries to the table. Similarly, deletion of connections | created by adding entries to the table. Similarly, deletion of | |||
from this list is implementation-specific. | connections from this list is implementation-specific. | |||
* TCP listener list: A list containing information about TCP | * TCP listener list: A list containing information about TCP | |||
listeners, i.e., applications willing to accept connections. | listeners, i.e., applications willing to accept connections. | |||
This allows implementations of TCP MIB [RFC4022] to migrate to the | This allows implementations of TCP MIB [RFC4022] to migrate to the | |||
YANG model defined in this memo. Note that the TCP MIB does not | YANG data model defined in this memo. Note that the TCP MIB does not | |||
include means to reset statistics, which are defined in this | include means to reset statistics, which are defined in this | |||
document. This is not a major addition, as a reset can simply be | document. This is not a major addition, as a reset can simply be | |||
implemented by storing offset values for the counters. | implemented by storing offset values for the counters. | |||
This version of the module does not model details of Multipath TCP | This version of the module does not model details of Multipath TCP | |||
[RFC8684]. This could be addressed in a later version of this | [RFC8684]. This could be addressed in a later version of this | |||
document. | document. | |||
3.2. Model Design | 3.2. Model Design | |||
The YANG model defined in this document includes definitions from the | The YANG data model defined in this document includes definitions | |||
YANG Groupings for TCP Clients and TCP Servers | from "YANG Groupings for TCP Clients and TCP Servers" [RFC9643]. | |||
[I-D.ietf-netconf-tcp-client-server]. Similar to that model, this | Similar to that model, this specification defines YANG groupings. | |||
specification defines YANG groupings. This allows reuse of these | This allows reuse of these groupings in different YANG data models. | |||
groupings in different YANG data models. It is intended that these | It is intended that these groupings will be used either standalone or | |||
groupings will be used either standalone or for TCP-based protocols | for TCP-based protocols as part of a stack of protocol-specific | |||
as part of a stack of protocol-specific configuration models. An | configuration models. An example could be the one described in "YANG | |||
example could be the BGP YANG Model for Service Provider Networks | Model for Border Gateway Protocol (BGP-4)" [BGP-MODEL]. | |||
[I-D.ietf-idr-bgp-model]. | ||||
3.3. Tree Diagram | 3.3. Tree Diagram | |||
This section provides an abridged tree diagram for the YANG module | This section provides an abridged tree diagram for the YANG module | |||
defined in this document. Annotations used in the diagram are | defined in this document. Annotations used in the diagram are | |||
defined in YANG Tree Diagrams [RFC8340]. A complete tree diagram can | defined in "YANG Tree Diagrams" [RFC8340]. A complete tree diagram | |||
be found in the Appendix. | can be found in Appendix B. | |||
module: ietf-tcp | module: ietf-tcp | |||
+--rw tcp! | +--rw tcp! | |||
+--rw connections | +--rw connections | |||
| ... | | ... | |||
+--ro tcp-listeners* [type address port] | +--ro tcp-listeners* [type address port] | |||
| ... | | ... | |||
+--ro statistics {statistics}? | +--ro statistics {statistics}? | |||
... | ... | |||
augment /key-chain:key-chains/key-chain:key-chain/key-chain:key: | augment /key-chain:key-chains/key-chain:key-chain/key-chain:key: | |||
+--rw authentication {authentication}? | +--rw authentication {authentication}? | |||
+--rw keychain? key-chain:key-chain-ref | +--rw keychain? key-chain:key-chain-ref | |||
+--rw (authentication)? | +--rw (authentication)? | |||
... | ... | |||
4. TCP YANG Model | 4. TCP YANG Data Model | |||
This YANG module references The TCP Authentication Option [RFC5925], | This YANG module references "The TCP Authentication Option" | |||
Protection of BGP Sessions via the TCP MD5 Signature [RFC2385], | [RFC5925], "Protection of BGP Sessions via the TCP MD5 Signature | |||
Transmission Control Protocol (TCP) Specification [RFC9293], and | Option" [RFC2385], and "Transmission Control Protocol (TCP)" | |||
imports Common YANG Data Types [RFC6991], The NETCONF Access Control | [RFC9293] and imports "Common YANG Data Types" [RFC6991], "Network | |||
Model [RFC8341], and YANG Groupings for TCP Clients and TCP Servers | Configuration Access Control Model" [RFC8341], and "YANG Groupings | |||
[I-D.ietf-netconf-tcp-client-server]. | for TCP Clients and TCP Servers" [RFC9643]. | |||
<CODE BEGINS> file "ietf-tcp@2022-09-11.yang" | <CODE BEGINS> file "ietf-tcp@2022-09-11.yang" | |||
module ietf-tcp { | module ietf-tcp { | |||
yang-version "1.1"; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-tcp"; | namespace "urn:ietf:params:xml:ns:yang:ietf-tcp"; | |||
prefix "tcp"; | prefix tcp; | |||
import ietf-yang-types { | import ietf-yang-types { | |||
prefix "yang"; | prefix yang; | |||
reference | reference | |||
"RFC 6991: Common YANG Data Types."; | "RFC 6991: Common YANG Data Types."; | |||
} | } | |||
import ietf-tcp-common { | import ietf-tcp-common { | |||
prefix "tcpcmn"; | prefix tcpcmn; | |||
reference | reference | |||
"I-D.ietf-netconf-tcp-client-server: YANG Groupings for TCP | "RFC 9643: YANG Groupings for TCP Clients and TCP Servers."; | |||
Clients and TCP Servers."; | ||||
} | } | |||
import ietf-inet-types { | import ietf-inet-types { | |||
prefix "inet"; | prefix inet; | |||
reference | reference | |||
"RFC 6991: Common YANG Data Types."; | "RFC 6991: Common YANG Data Types."; | |||
} | } | |||
import ietf-netconf-acm { | import ietf-netconf-acm { | |||
prefix nacm; | prefix nacm; | |||
reference | reference | |||
"RFC 8341: Network Configuration Access Control Model"; | "RFC 8341: Network Configuration Access Control Model."; | |||
} | } | |||
import ietf-key-chain { | import ietf-key-chain { | |||
prefix key-chain; | prefix key-chain; | |||
reference | reference | |||
"RFC 8177: YANG Key Chain."; | "RFC 8177: YANG Data Model for Key Chains."; | |||
} | } | |||
organization | organization | |||
"IETF TCPM Working Group"; | "IETF TCPM Working Group"; | |||
contact | contact | |||
"WG Web: <https://datatracker.ietf.org/wg/tcpm/about> | "WG Web: https://datatracker.ietf.org/wg/tcpm/about | |||
WG List: <tcpm@ietf.org> | WG List: TCPM WG <tcpm@ietf.org> | |||
Authors: Michael Scharf (michael.scharf at hs-esslingen dot de) | Authors: Michael Scharf <michael.scharf@hs-esslingen.de> | |||
Mahesh Jethanandani (mjethanandani at gmail dot com) | Mahesh Jethanandani <mjethanandani@gmail.com> | |||
Vishal Murgai (vmurgai at gmail dot com)"; | Vishal Murgai <vmurgai@gmail.com>"; | |||
description | description | |||
"This module focuses on fundamental TCP functions and basic | "This module focuses on fundamental TCP functions and basic | |||
statistics. The model can be augmented to address more advanced | statistics. The model can be augmented to address more advanced | |||
or implementation specific TCP features. | or implementation-specific TCP features. | |||
Copyright (c) 2022 IETF Trust and the persons identified as | The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL | |||
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', | ||||
'MAY', and 'OPTIONAL' in this document are to be interpreted as | ||||
described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, | ||||
they appear in all capitals, as shown here. | ||||
Copyright (c) 2024 IETF Trust and the persons identified as | ||||
authors of the code. All rights reserved. | authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
without modification, is permitted pursuant to, and subject to | without modification, is permitted pursuant to, and subject to | |||
the license terms contained in, the Simplified BSD License set | the license terms contained in, the Revised BSD License set | |||
forth in Section 4.c of the IETF Trust's Legal Provisions | forth in Section 4.c of the IETF Trust's Legal Provisions | |||
Relating to IETF Documents | Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
This version of this YANG module is part of RFC XXXX | This version of this YANG module is part of RFC 9648 | |||
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself | (https://www.rfc-editor.org/info/rfc9648); see the RFC itself | |||
for full legal notices. | for full legal notices."; | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL | ||||
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', | ||||
'MAY', and 'OPTIONAL' in this document are to be interpreted as | ||||
described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, | ||||
they appear in all capitals, as shown here."; | ||||
revision "2022-09-11" { | revision 2022-09-11 { | |||
description | description | |||
"Initial Version"; | "Initial version."; | |||
reference | reference | |||
"RFC XXXX, A YANG Model for Transmission Control Protocol (TCP) | "RFC 9648: YANG Data Model for TCP."; | |||
Configuration and State."; | ||||
} | } | |||
// Typedefs | // Typedefs | |||
typedef mss { | typedef mss { | |||
type uint16; | type uint16; | |||
description | description | |||
"Type definition for Maximum Segment Size."; | "Type definition for the Maximum Segment Size."; | |||
} | } | |||
// Features | // Features | |||
feature statistics { | feature statistics { | |||
description | description | |||
"This implementation supports statistics reporting."; | "This implementation supports statistics reporting."; | |||
} | } | |||
feature authentication { | feature authentication { | |||
description | description | |||
"This implementation supports authentication."; | "This implementation supports authentication."; | |||
} | } | |||
// Identities | // Identities | |||
identity aes-128 { | identity aes-128 { | |||
base key-chain:crypto-algorithm; | base key-chain:crypto-algorithm; | |||
description | description | |||
"AES128 authentication algorithm used by TCP-AO."; | "AES128 authentication algorithm used by TCP-AO."; | |||
reference | reference | |||
"RFC 5926: Cryptographic Algorithms for the TCP | "RFC 5926: Cryptographic Algorithms for the TCP | |||
Authentication Option (TCP-AO)."; | Authentication Option (TCP-AO)."; | |||
} | } | |||
// TCP-AO Groupings | // TCP-AO Groupings | |||
grouping ao { | grouping ao { | |||
leaf send-id { | leaf send-id { | |||
type uint8 { | type uint8 { | |||
range "0..max"; | range "0..max"; | |||
} | } | |||
description | description | |||
"The SendID is inserted as the KeyID of the TCP-AO option | "The SendID is inserted as the KeyID of the TCP-AO option | |||
of outgoing segments. In a consistent configuration, the | of outgoing segments. In a consistent configuration, the | |||
SendID matches the RecvID at the other endpoint."; | SendID matches the RecvID at the other endpoint."; | |||
reference | reference | |||
"RFC 5925: The TCP Authentication Option, Section 3.1."; | "RFC 5925: The TCP Authentication Option, Section 3.1."; | |||
} | } | |||
leaf recv-id { | leaf recv-id { | |||
type uint8 { | type uint8 { | |||
range "0..max"; | range "0..max"; | |||
} | } | |||
description | description | |||
"The RecvID is matched against the TCP-AO KeyID of incoming | "The RecvID is matched against the TCP-AO KeyID of incoming | |||
segments. In a consistent configuration, the RecvID matches | segments. In a consistent configuration, the RecvID matches | |||
the SendID at the other endpoint."; | the SendID at the other endpoint."; | |||
reference | reference | |||
"RFC 5925: The TCP Authentication Option, Section 3.1."; | "RFC 5925: The TCP Authentication Option, Section 3.1."; | |||
} | } | |||
leaf include-tcp-options { | leaf include-tcp-options { | |||
type boolean; | type boolean; | |||
default true; | default "true"; | |||
description | description | |||
"When set to true, TCP options are included in MAC | "When set to true, TCP options are included in the message | |||
calculation."; | authentication code (MAC) calculation."; | |||
reference | reference | |||
"RFC 5925: The TCP Authentication Option, Section 3.1."; | "RFC 5925: The TCP Authentication Option, Section 3.1."; | |||
} | } | |||
leaf accept-key-mismatch { | leaf accept-key-mismatch { | |||
type boolean; | type boolean; | |||
description | description | |||
"Accept, when set to true, TCP segments with a Master Key | "Accept, when set to true, TCP segments with a Master Key | |||
Tuple (MKT) that is not configured."; | Tuple (MKT) that is not configured."; | |||
reference | reference | |||
skipping to change at page 11, line 4 ¶ | skipping to change at line 462 ¶ | |||
i.e., the desired 'receive next' key ID."; | i.e., the desired 'receive next' key ID."; | |||
reference | reference | |||
"RFC 5925: The TCP Authentication Option."; | "RFC 5925: The TCP Authentication Option."; | |||
} | } | |||
description | description | |||
"Authentication Option (AO) for TCP."; | "Authentication Option (AO) for TCP."; | |||
reference | reference | |||
"RFC 5925: The TCP Authentication Option."; | "RFC 5925: The TCP Authentication Option."; | |||
} | } | |||
// TCP configuration | // TCP configuration | |||
container tcp { | container tcp { | |||
presence "The container for TCP configuration."; | presence "The container for TCP configuration."; | |||
description | description | |||
"TCP container."; | "TCP container."; | |||
container connections { | container connections { | |||
list connection { | list connection { | |||
key "local-address remote-address local-port remote-port"; | key "local-address remote-address local-port remote-port"; | |||
leaf local-address { | leaf local-address { | |||
type inet:ip-address; | type inet:ip-address; | |||
description | description | |||
"Identifies the address that is used by the local | "Identifies the address that is used by the local | |||
endpoint for the connection, and is one of the four | endpoint for the connection and is one of the four | |||
elements that form the connection identifier."; | elements that form the connection identifier."; | |||
} | } | |||
leaf remote-address { | leaf remote-address { | |||
type inet:ip-address; | type inet:ip-address; | |||
description | description | |||
"Identifies the address that is used by the remote | "Identifies the address that is used by the remote | |||
endpoint for the connection, and is one of the four | endpoint for the connection and is one of the four | |||
elements that form the connection identifier."; | elements that form the connection identifier."; | |||
} | } | |||
leaf local-port { | leaf local-port { | |||
type inet:port-number; | type inet:port-number; | |||
description | description | |||
"Identifies the local TCP port used for the connection, | "Identifies the local TCP port used for the connection | |||
and is one of the four elements that form the | and is one of the four elements that form the | |||
connection identifier."; | connection identifier."; | |||
} | } | |||
leaf remote-port { | leaf remote-port { | |||
type inet:port-number; | type inet:port-number; | |||
description | description | |||
"Identifies the remote TCP port used for the connection, | "Identifies the remote TCP port used for the connection | |||
and is one of the four elements that form the | and is one of the four elements that form the | |||
connection identifier."; | connection identifier."; | |||
} | } | |||
leaf mss { | leaf mss { | |||
type mss; | type mss; | |||
description | description | |||
"Maximum Segment Size (MSS) desired on this connection. | "Maximum Segment Size (MSS) desired on this connection. | |||
Note that the 'effective send MSS' can be smaller than | ||||
Note, the 'effective send MSS' can be smaller than | ||||
what is configured here."; | what is configured here."; | |||
reference | reference | |||
"RFC 9293: Transmission Control Protocol (TCP) | "RFC 9293: Transmission Control Protocol (TCP)."; | |||
Specification."; | ||||
} | } | |||
leaf pmtud { | leaf pmtud { | |||
type boolean; | type boolean; | |||
default false; | default "false"; | |||
description | description | |||
"Turns Path Maximum Transmission Unit Discovery (PMTUD) | "Turns Path Maximum Transmission Unit Discovery (PMTUD) | |||
on (true) or off (false)."; | on (true) or off (false)."; | |||
reference | reference | |||
"RFC 9293: Transmission Control Protocol (TCP) | "RFC 9293: Transmission Control Protocol (TCP)."; | |||
Specification."; | ||||
} | } | |||
uses tcpcmn:tcp-common-grouping; | uses tcpcmn:tcp-common-grouping; | |||
leaf state { | leaf state { | |||
type enumeration { | type enumeration { | |||
enum closed { | enum closed { | |||
value 1; | value 1; | |||
description | description | |||
"Connection is closed. Connections in this state | "Connection is closed. Connections in this state | |||
skipping to change at page 13, line 6 ¶ | skipping to change at line 559 ¶ | |||
enum syn-received { | enum syn-received { | |||
value 4; | value 4; | |||
description | description | |||
"Represents waiting for a confirming connection | "Represents waiting for a confirming connection | |||
request acknowledgment after having both received | request acknowledgment after having both received | |||
and sent a connection request."; | and sent a connection request."; | |||
} | } | |||
enum established { | enum established { | |||
value 5; | value 5; | |||
description | description | |||
"Represents an open connection, data received can be | "Represents an open connection; data received can be | |||
delivered to the user. The normal state for the data | delivered to the user. The normal state for the | |||
transfer phase of the connection."; | data transfer phase of the connection."; | |||
} | } | |||
enum fin-wait-1 { | enum fin-wait-1 { | |||
value 6; | value 6; | |||
description | description | |||
"Represents waiting for a connection termination | "Represents waiting for a connection termination | |||
request from the remote TCP peer, or an | request from the remote TCP peer or an | |||
acknowledgment of the connection termination request | acknowledgment of the connection termination | |||
previously sent."; | request previously sent."; | |||
} | } | |||
enum fin-wait-2 { | enum fin-wait-2 { | |||
value 7; | value 7; | |||
description | description | |||
"Represents waiting for a connection termination | "Represents waiting for a connection termination | |||
request from the remote TCP peer."; | request from the remote TCP peer."; | |||
} | } | |||
enum close-wait { | enum close-wait { | |||
value 8; | value 8; | |||
description | description | |||
skipping to change at page 13, line 38 ¶ | skipping to change at line 591 ¶ | |||
request from the local user."; | request from the local user."; | |||
} | } | |||
enum last-ack { | enum last-ack { | |||
value 9; | value 9; | |||
description | description | |||
"Represents waiting for an acknowledgment of the | "Represents waiting for an acknowledgment of the | |||
connection termination request previously sent to | connection termination request previously sent to | |||
the remote TCP peer (this termination request sent | the remote TCP peer (this termination request sent | |||
to the remote TCP peer already included an | to the remote TCP peer already included an | |||
acknowledgment of the termination request sent from | acknowledgment of the termination request sent from | |||
the remote TCP peer)"; | the remote TCP peer)."; | |||
} | } | |||
enum closing { | enum closing { | |||
value 10; | value 10; | |||
description | description | |||
"Represents waiting for a connection termination | "Represents waiting for a connection termination | |||
request acknowledgment from the remote TCP peer."; | request acknowledgment from the remote TCP peer."; | |||
} | } | |||
enum time-wait { | enum time-wait { | |||
value 11; | value 11; | |||
description | description | |||
"Represents waiting for enough time to pass to be | "Represents waiting for enough time to pass to be | |||
sure the remote TCP peer received the acknowledgment | sure the remote TCP peer received the | |||
of its connection termination request, and to avoid | acknowledgment of its connection termination | |||
new connections being impacted by delayed segments | request and to avoid new connections being impacted | |||
from previous connections."; | by delayed segments from previous connections."; | |||
} | } | |||
} | } | |||
config false; | config false; | |||
description | description | |||
"The state of this TCP connection."; | "The state of this TCP connection."; | |||
} | } | |||
description | description | |||
"List of TCP connections with their parameters. | "List of TCP connections with their parameters. | |||
The list is modeled as writeable even though only some of | The list is modeled as writeable even though only some of | |||
the nodes are writeable, e.g. keepalive. Connections | the nodes are writeable, e.g., keepalive. Connections | |||
that are created and match this list SHOULD apply the | that are created and match this list SHOULD apply the | |||
writeable parameters. At the same time, implementations | writeable parameters. At the same time, implementations | |||
may not allow creation of new TCP connections simply by | may not allow creation of new TCP connections simply by | |||
adding entries to the list. Furthermore, the behavior | adding entries to the list. Furthermore, the behavior | |||
upon removal is implementation-specific. Implementations | upon removal is implementation-specific. Implementations | |||
may not support closing or resetting a TCP connection | may not support closing or resetting a TCP connection | |||
upon an operation that removes the entry from the list. | upon an operation that removes the entry from the list. | |||
The operational state of this list SHOULD reflect | The operational state of this list SHOULD reflect | |||
connections that have configured, but not created, and | connections that have configured but not created and | |||
connections that have been created. Connections in | connections that have been created. Connections in the | |||
CLOSED state are not reflected on this list."; | CLOSED state are not reflected on this list."; | |||
} | } | |||
description | description | |||
"A container of all TCP connections."; | "A container of all TCP connections."; | |||
} | } | |||
list tcp-listeners { | list tcp-listeners { | |||
key "type address port"; | key "type address port"; | |||
config false; | config false; | |||
skipping to change at page 15, line 6 ¶ | skipping to change at line 655 ¶ | |||
description | description | |||
"The address type of address. The value | "The address type of address. The value | |||
should be unspecified (0) if connection initiations | should be unspecified (0) if connection initiations | |||
to all local IP addresses are accepted."; | to all local IP addresses are accepted."; | |||
} | } | |||
leaf address { | leaf address { | |||
type union { | type union { | |||
type inet:ip-address; | type inet:ip-address; | |||
type string { | type string { | |||
length 0; | length "0"; | |||
} | } | |||
} | } | |||
description | description | |||
"The local IP address for this TCP connection. | "The local IP address for this TCP connection. | |||
The value of this node can be represented in three | The value of this node can be represented in three | |||
possible ways, depending on the characteristics of the | possible ways, depending on the characteristics of the | |||
listening application: | listening application: | |||
1. For an application willing to accept both IPv4 and | 1. For an application willing to accept both IPv4 and | |||
IPv6 datagrams, the value of this node must be | IPv6 datagrams, the value of this node must be | |||
''h (a zero-length octet-string), with the value | ''h (a zero-length octet string), with the value | |||
of the corresponding 'type' object being | of the corresponding 'type' object being | |||
unspecified (0). | unspecified (0). | |||
2. For an application willing to accept only IPv4 or | 2. For an application willing to accept only IPv4 or | |||
IPv6 datagrams, the value of this node must be | IPv6 datagrams, the value of this node must be | |||
'0.0.0.0' or '::' respectively, with | '0.0.0.0' or '::' respectively, with | |||
'type' representing the appropriate address type. | 'type' representing the appropriate address type. | |||
3. For an application which is listening for data | 3. For an application that is listening for data | |||
destined only to a specific IP address, the value | destined only to a specific IP address, the value | |||
of this node is the specific local address, with | of this node is the specific local address, with | |||
'type' representing the appropriate address type."; | 'type' representing the appropriate address type."; | |||
} | } | |||
leaf port { | leaf port { | |||
type inet:port-number; | type inet:port-number; | |||
description | description | |||
"The local port number for this TCP connection."; | "The local port number for this TCP connection."; | |||
} | } | |||
} | } | |||
container statistics { | container statistics { | |||
if-feature statistics; | if-feature "statistics"; | |||
config false; | config false; | |||
leaf active-opens { | leaf active-opens { | |||
type yang:counter64; | type yang:counter64; | |||
description | description | |||
"The number of times that TCP connections have made a | "The number of times that TCP connections have made a | |||
direct transition to the SYN-SENT state from the CLOSED | direct transition to the SYN-SENT state from the CLOSED | |||
state."; | state."; | |||
reference | reference | |||
"RFC 9293: Transmission Control Protocol (TCP) | "RFC 9293: Transmission Control Protocol (TCP)."; | |||
Specification."; | ||||
} | } | |||
leaf passive-opens { | leaf passive-opens { | |||
type yang:counter64; | type yang:counter64; | |||
description | description | |||
"The number of times TCP connections have made a direct | "The number of times TCP connections have made a direct | |||
transition to the SYN-RCVD state from the LISTEN state."; | transition to the SYN-RCVD state from the LISTEN state."; | |||
reference | reference | |||
"RFC 9293: Transmission Control Protocol (TCP) | "RFC 9293: Transmission Control Protocol (TCP)."; | |||
Specification."; | ||||
} | } | |||
leaf attempt-fails { | leaf attempt-fails { | |||
type yang:counter64; | type yang:counter64; | |||
description | description | |||
"The number of times that TCP connections have made a | "The number of times that TCP connections have made a | |||
direct transition to the CLOSED state from either the | direct transition to the CLOSED state from either the | |||
SYN-SENT state or the SYN-RCVD state, plus the number of | SYN-SENT state or the SYN-RCVD state, plus the number of | |||
times that TCP connections have made a direct transition | times that TCP connections have made a direct transition | |||
to the LISTEN state from the SYN-RCVD state."; | to the LISTEN state from the SYN-RCVD state."; | |||
reference | reference | |||
"RFC 9293: Transmission Control Protocol (TCP) | "RFC 9293: Transmission Control Protocol (TCP)."; | |||
Specification."; | ||||
} | } | |||
leaf establish-resets { | leaf establish-resets { | |||
type yang:counter64; | type yang:counter64; | |||
description | description | |||
"The number of times that TCP connections have made a | "The number of times that TCP connections have made a | |||
direct transition to the CLOSED state from either the | direct transition to the CLOSED state from either the | |||
ESTABLISHED state or the CLOSE-WAIT state."; | ESTABLISHED state or the CLOSE-WAIT state."; | |||
reference | reference | |||
"RFC 9293: Transmission Control Protocol (TCP) | "RFC 9293: Transmission Control Protocol (TCP)."; | |||
Specification."; | ||||
} | } | |||
leaf currently-established { | leaf currently-established { | |||
type yang:gauge32; | type yang:gauge32; | |||
description | description | |||
"The number of TCP connections for which the current state | "The number of TCP connections for which the current state | |||
is either ESTABLISHED or CLOSE-WAIT."; | is either ESTABLISHED or CLOSE-WAIT."; | |||
reference | reference | |||
"RFC 9293: Transmission Control Protocol (TCP) | "RFC 9293: Transmission Control Protocol (TCP)."; | |||
Specification."; | ||||
} | } | |||
leaf in-segments { | leaf in-segments { | |||
type yang:counter64; | type yang:counter64; | |||
description | description | |||
"The total number of TCP segments received, including those | "The total number of TCP segments received, including those | |||
received in error. This count includes TCP segments | received in error. This count includes TCP segments | |||
received on currently established connections."; | received on currently established connections."; | |||
reference | reference | |||
"RFC 9293: Transmission Control Protocol (TCP) | "RFC 9293: Transmission Control Protocol (TCP)."; | |||
Specification."; | ||||
} | } | |||
leaf out-segments { | leaf out-segments { | |||
type yang:counter64; | type yang:counter64; | |||
description | description | |||
"The total number of TCP segments sent, including those on | "The total number of TCP segments sent, including those on | |||
current connections but excluding those containing only | current connections but excluding those containing only | |||
retransmitted octets."; | retransmitted octets."; | |||
reference | reference | |||
"RFC 9293: Transmission Control Protocol (TCP) | "RFC 9293: Transmission Control Protocol (TCP)."; | |||
Specification."; | ||||
} | } | |||
leaf retransmitted-segments { | leaf retransmitted-segments { | |||
type yang:counter64; | type yang:counter64; | |||
description | description | |||
"The total number of TCP segments retransmitted; that is, | "The total number of TCP segments retransmitted; that is, | |||
the number of TCP segments transmitted containing one or | the number of TCP segments transmitted containing one or | |||
more previously transmitted octets."; | more previously transmitted octets."; | |||
reference | reference | |||
"RFC 9293: Transmission Control Protocol (TCP) | "RFC 9293: Transmission Control Protocol (TCP)."; | |||
Specification."; | ||||
} | } | |||
leaf in-errors { | leaf in-errors { | |||
type yang:counter64; | type yang:counter64; | |||
description | description | |||
"The total number of TCP segments received in error | "The total number of TCP segments received in error | |||
(e.g., bad TCP checksums)."; | (e.g., bad TCP checksums)."; | |||
reference | reference | |||
"RFC 9293: Transmission Control Protocol (TCP) | "RFC 9293: Transmission Control Protocol (TCP)."; | |||
Specification."; | ||||
} | } | |||
leaf out-resets { | leaf out-resets { | |||
type yang:counter64; | type yang:counter64; | |||
description | description | |||
"The number of TCP segments sent containing the RST flag."; | "The number of TCP segments sent containing the RST flag."; | |||
reference | reference | |||
"RFC 9293: Transmission Control Protocol (TCP) | "RFC 9293: Transmission Control Protocol (TCP)."; | |||
Specification."; | ||||
} | } | |||
leaf auth-failures { | leaf auth-failures { | |||
if-feature authentication; | if-feature "authentication"; | |||
type yang:counter64; | type yang:counter64; | |||
description | description | |||
"The number of times that authentication has failed either | "The number of times that authentication has failed either | |||
with TCP-AO or MD5."; | with TCP-AO or MD5."; | |||
} | } | |||
action reset { | action reset { | |||
nacm:default-deny-all; | nacm:default-deny-all; | |||
description | description | |||
"Reset statistics action command."; | "Reset statistics action command."; | |||
skipping to change at page 18, line 46 ¶ | skipping to change at line 829 ¶ | |||
"Statistics across all connections."; | "Statistics across all connections."; | |||
} | } | |||
} | } | |||
augment "/key-chain:key-chains/key-chain:key-chain/key-chain:key" { | augment "/key-chain:key-chains/key-chain:key-chain/key-chain:key" { | |||
description | description | |||
"Augmentation of the key-chain model to add TCP-AO and TCP-MD5 | "Augmentation of the key-chain model to add TCP-AO and TCP-MD5 | |||
authentication."; | authentication."; | |||
container authentication { | container authentication { | |||
if-feature authentication; | if-feature "authentication"; | |||
leaf keychain { | leaf keychain { | |||
type key-chain:key-chain-ref; | type key-chain:key-chain-ref; | |||
description | description | |||
"Reference to the key chain that will be used by | "Reference to the key chain that will be used by | |||
this model. Applicable for TCP-AO and TCP-MD5 | this model. Applicable for TCP-AO and TCP-MD5 | |||
only"; | only."; | |||
reference | reference | |||
"RFC 8177: YANG Key Chain."; | "RFC 8177: YANG Data Model for Key Chains."; | |||
} | } | |||
choice authentication { | choice authentication { | |||
container ao { | container ao { | |||
presence "Presence container for all TCP-AO related" + | presence "Presence container for all TCP-AO related" | |||
" configuration"; | + " configuration"; | |||
uses ao; | uses ao; | |||
description | description | |||
"Use TCP-AO to secure the connection."; | "Use TCP-AO to secure the connection."; | |||
} | } | |||
container md5 { | container md5 { | |||
presence "Presence container for all MD5 related" + | presence "Presence container for all MD5 related" | |||
" configuration"; | + " configuration"; | |||
description | description | |||
"Use TCP-MD5 to secure the connection. As the TCP MD5 | "Use TCP-MD5 to secure the connection. As the TCP MD5 | |||
signature option is obsoleted by TCP-AO, it is | signature option is obsoleted by TCP-AO, it is | |||
RECOMMENDED to use TCP-AO instead."; | RECOMMENDED to use TCP-AO instead."; | |||
reference | reference | |||
"RFC 2385: Protection of BGP Sessions via the TCP MD5 | "RFC 2385: Protection of BGP Sessions via the TCP MD5 | |||
Signature."; | Signature Option."; | |||
} | } | |||
description | description | |||
"Choice of TCP authentication."; | "Choice of TCP authentication."; | |||
} | } | |||
description | description | |||
"Authentication definitions for TCP configuration. | "Authentication definitions for TCP configuration. | |||
This includes parameters such as how to secure the | This includes parameters such as how to secure the | |||
connection, that can be part of either the client | connection, which can be part of either the client | |||
or server."; | or server."; | |||
} | } | |||
} | } | |||
} | } | |||
<CODE ENDS> | <CODE ENDS> | |||
5. IANA Considerations | 5. IANA Considerations | |||
5.1. The IETF XML Registry | 5.1. The IETF XML Registry | |||
This document registers an URI in the "ns" subregistry of the IETF | IANA has registered the following URI in the "ns" registry defined in | |||
XML Registry [RFC3688]. Following the format in IETF XML Registry | the "IETF XML Registry" [RFC3688]. | |||
[RFC3688], the following registration is requested: | ||||
URI: urn:ietf:params:xml:ns:yang:ietf-tcp | URI: urn:ietf:params:xml:ns:yang:ietf-tcp | |||
Registrant Contact: The IESG. | Registrant Contact: The IESG | |||
XML: N/A, the requested URI is an XML namespace. | XML: N/A; the requested URI is an XML namespace. | |||
5.2. The YANG Module Names Registry | 5.2. The YANG Module Names Registry | |||
The following entry is requested to be added to the "YANG Module | IANA has registered the following in the "YANG Module Names" registry | |||
Names" registry created by YANG - A Data Modeling Language for the | created by "YANG - A Data Modeling Language for the Network | |||
Network Configuration Protocol (NETCONF) [RFC6020]: | Configuration Protocol (NETCONF)" [RFC6020]. | |||
name: ietf-tcp | Name: ietf-tcp | |||
namespace: urn:ietf:params:xml:ns:yang:ietf-tcp | Namespace: urn:ietf:params:xml:ns:yang:ietf-tcp | |||
prefix: tcp | Prefix: tcp | |||
reference: RFC XXXX (this document) | Reference: RFC 9648 | |||
The registration is not maintained by IANA. | This is not an IANA maintained module; however, the URI and other | |||
details of the module are maintained by IANA. | ||||
6. Security Considerations | 6. Security Considerations | |||
The YANG module specified in this document defines a schema for data | This section is modeled after the template defined in Section 3.7.1 | |||
that is designed to be accessed via network management protocols such | of [RFC8407]. | |||
as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer | ||||
is the secure transport layer, and the mandatory-to-implement secure | The "ietf-tcp" YANG module defines a schema for data that is designed | |||
transport is Secure Shell (SSH) described in Using the NETCONF | to be accessed via YANG-based management protocols, such as NETCONF | |||
protocol over SSH [RFC6242]. The lowest RESTCONF layer is HTTPS, and | [RFC6241] and RESTCONF [RFC8040]. These protocols have mandatory-to- | |||
the mandatory-to-implement secure transport is TLS [RFC8446]. | implement secure transport layers (e.g., Secure Shell (SSH) | |||
[RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and mandatory-to- | ||||
implement mutual authentication. | ||||
The Network Configuration Access Control Model (NACM) [RFC8341] | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
provides the means to restrict access for particular NETCONF or | provides the means to restrict access for particular NETCONF or | |||
RESTCONF users to a preconfigured subset of all available NETCONF or | RESTCONF users to a preconfigured subset of all available NETCONF or | |||
RESTCONF protocol operations and content. | RESTCONF protocol operations and content. | |||
There are a number of data nodes defined in this YANG module that are | There are a number of data nodes defined in this YANG module that are | |||
writable/creatable/deletable (i.e., "config true", which is the | writable/creatable/deletable (i.e., "config true", which is the | |||
default). These data nodes may be considered sensitive or vulnerable | default). These data nodes may be considered sensitive or vulnerable | |||
in some network environments. Write operations (e.g., edit-config) | in some network environments. Write operations (e.g., edit-config) | |||
to these data nodes without proper protection can have a negative | to these data nodes without proper protection can have a negative | |||
effect on network operations. These are the subtrees and data nodes | effect on network operations. These are the subtrees and data nodes | |||
and their sensitivity/vulnerability: | and their sensitivity/vulnerability: | |||
* Common configuration included from NETCONF Client and Server | * Common configuration included from NETCONF client and server | |||
Models [I-D.ietf-netconf-tcp-client-server]. Unrestricted access | models [RFC9643]. Unrestricted access to all the nodes, e.g., | |||
to all the nodes, e.g., keepalive idle-timer, can cause | keepalive idle timer, can cause connections to fail or to timeout | |||
connections to fail or to timeout prematurely. | prematurely. | |||
* Authentication configuration. Unrestricted access to the nodes | * Authentication configuration. Unrestricted access to the nodes | |||
under authentication configuration can prevent the use of | under authentication configuration can prevent the use of | |||
authenticated communication and cause connection setups to fail. | authenticated communication and cause connection setups to fail. | |||
This can result in massive security vulnerabilities and service | This can result in massive security vulnerabilities and service | |||
disruption for the traffic requiring authentication. | disruption for the traffic requiring authentication. | |||
Some of the readable data nodes in this YANG module may be considered | Some of the readable data nodes in this YANG module may be considered | |||
sensitive or vulnerable in some network environments. It is thus | sensitive or vulnerable in some network environments. It is thus | |||
important to control read access (e.g., via get, get-config, or | important to control read access (e.g., via get, get-config, or | |||
skipping to change at page 21, line 35 ¶ | skipping to change at line 958 ¶ | |||
sensitive or vulnerable in some network environments. It is thus | sensitive or vulnerable in some network environments. It is thus | |||
important to control access to these operations. These are the | important to control access to these operations. These are the | |||
operations and their sensitivity/vulnerability: | operations and their sensitivity/vulnerability: | |||
* The YANG module allows for the statistics to be cleared by | * The YANG module allows for the statistics to be cleared by | |||
executing the reset action. This action should be restricted to | executing the reset action. This action should be restricted to | |||
users with the right permission. | users with the right permission. | |||
The module specified in this document supports MD5 to basically | The module specified in this document supports MD5 to basically | |||
accommodate the installed BGP base. MD5 suffers from the security | accommodate the installed BGP base. MD5 suffers from the security | |||
weaknesses discussed in Section 2 of RFC 6151 [RFC6151] or | weaknesses discussed in Section 2 of [RFC6151] or Section 2.1 of | |||
Section 2.1 of RFC 6952 [RFC6952]. | [RFC6952]. | |||
7. References | 7. References | |||
7.1. Normative References | 7.1. Normative References | |||
[I-D.ietf-netconf-tcp-client-server] | ||||
Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | ||||
and TCP Servers", Work in Progress, Internet-Draft, draft- | ||||
ietf-netconf-tcp-client-server-13, 24 May 2022, | ||||
<https://www.ietf.org/archive/id/draft-ietf-netconf-tcp- | ||||
client-server-13.txt>. | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5 | [RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5 | |||
Signature Option", RFC 2385, DOI 10.17487/RFC2385, August | Signature Option", RFC 2385, DOI 10.17487/RFC2385, August | |||
1998, <https://www.rfc-editor.org/info/rfc2385>. | 1998, <https://www.rfc-editor.org/info/rfc2385>. | |||
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
DOI 10.17487/RFC3688, January 2004, | DOI 10.17487/RFC3688, January 2004, | |||
<https://www.rfc-editor.org/info/rfc3688>. | <https://www.rfc-editor.org/info/rfc3688>. | |||
[RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | ||||
Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252, | ||||
January 2006, <https://www.rfc-editor.org/info/rfc4252>. | ||||
[RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP | [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP | |||
Authentication Option", RFC 5925, DOI 10.17487/RFC5925, | Authentication Option", RFC 5925, DOI 10.17487/RFC5925, | |||
June 2010, <https://www.rfc-editor.org/info/rfc5925>. | June 2010, <https://www.rfc-editor.org/info/rfc5925>. | |||
[RFC5926] Lebovitz, G. and E. Rescorla, "Cryptographic Algorithms | [RFC5926] Lebovitz, G. and E. Rescorla, "Cryptographic Algorithms | |||
for the TCP Authentication Option (TCP-AO)", RFC 5926, | for the TCP Authentication Option (TCP-AO)", RFC 5926, | |||
DOI 10.17487/RFC5926, June 2010, | DOI 10.17487/RFC5926, June 2010, | |||
<https://www.rfc-editor.org/info/rfc5926>. | <https://www.rfc-editor.org/info/rfc5926>. | |||
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | |||
the Network Configuration Protocol (NETCONF)", RFC 6020, | the Network Configuration Protocol (NETCONF)", RFC 6020, | |||
DOI 10.17487/RFC6020, October 2010, | DOI 10.17487/RFC6020, October 2010, | |||
<https://www.rfc-editor.org/info/rfc6020>. | <https://www.rfc-editor.org/info/rfc6020>. | |||
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | |||
and A. Bierman, Ed., "Network Configuration Protocol | and A. Bierman, Ed., "Network Configuration Protocol | |||
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | |||
<https://www.rfc-editor.org/info/rfc6241>. | <https://www.rfc-editor.org/info/rfc6241>. | |||
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure | ||||
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, | ||||
<https://www.rfc-editor.org/info/rfc6242>. | ||||
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", | [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", | |||
RFC 6991, DOI 10.17487/RFC6991, July 2013, | RFC 6991, DOI 10.17487/RFC6991, July 2013, | |||
<https://www.rfc-editor.org/info/rfc6991>. | <https://www.rfc-editor.org/info/rfc6991>. | |||
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", | [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", | |||
RFC 7950, DOI 10.17487/RFC7950, August 2016, | RFC 7950, DOI 10.17487/RFC7950, August 2016, | |||
<https://www.rfc-editor.org/info/rfc7950>. | <https://www.rfc-editor.org/info/rfc7950>. | |||
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | |||
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, | Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, | |||
skipping to change at page 23, line 28 ¶ | skipping to change at line 1040 ¶ | |||
[RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | |||
and R. Wilton, "Network Management Datastore Architecture | and R. Wilton, "Network Management Datastore Architecture | |||
(NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | |||
<https://www.rfc-editor.org/info/rfc8342>. | <https://www.rfc-editor.org/info/rfc8342>. | |||
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
<https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
[RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | ||||
Multiplexed and Secure Transport", RFC 9000, | ||||
DOI 10.17487/RFC9000, May 2021, | ||||
<https://www.rfc-editor.org/info/rfc9000>. | ||||
[RFC9293] Eddy, W., Ed., "Transmission Control Protocol (TCP)", | [RFC9293] Eddy, W., Ed., "Transmission Control Protocol (TCP)", | |||
STD 7, RFC 9293, DOI 10.17487/RFC9293, August 2022, | STD 7, RFC 9293, DOI 10.17487/RFC9293, August 2022, | |||
<https://www.rfc-editor.org/info/rfc9293>. | <https://www.rfc-editor.org/info/rfc9293>. | |||
7.2. Informative References | [RFC9643] Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | |||
and TCP Servers", RFC 9643, DOI 10.17487/RFC9643, October | ||||
2024, <https://www.rfc-editor.org/info/rfc9643>. | ||||
[I-D.ietf-i2nsf-capability-data-model] | 7.2. Informative References | |||
Hares, S., Jeong, J. P., Kim, J. T., Moskowitz, R., and Q. | ||||
Lin, "I2NSF Capability YANG Data Model", Work in Progress, | ||||
Internet-Draft, draft-ietf-i2nsf-capability-data-model-32, | ||||
23 May 2022, <https://www.ietf.org/archive/id/draft-ietf- | ||||
i2nsf-capability-data-model-32.txt>. | ||||
[I-D.ietf-i2nsf-nsf-facing-interface-dm] | [BGP-MODEL] | |||
Kim, J. T., Jeong, J. P., Park, J., Hares, S., and Q. Lin, | Jethanandani, M., Patel, K., Hares, S., and J. Haas, "YANG | |||
"I2NSF Network Security Function-Facing Interface YANG | Model for Border Gateway Protocol (BGP-4)", Work in | |||
Data Model", Work in Progress, Internet-Draft, draft-ietf- | Progress, Internet-Draft, draft-ietf-idr-bgp-model-17, 5 | |||
i2nsf-nsf-facing-interface-dm-29, 1 June 2022, | July 2023, <https://datatracker.ietf.org/doc/html/draft- | |||
<https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf- | ietf-idr-bgp-model-17>. | |||
facing-interface-dm-29.txt>. | ||||
[I-D.ietf-idr-bgp-model] | [NSF-CAP-YANG] | |||
Jethanandani, M., Patel, K., Hares, S., and J. Haas, "BGP | Hares, S., Ed., Jeong, J., Ed., Kim, J., Moskowitz, R., | |||
YANG Model for Service Provider Networks", Work in | and Q. Lin, "I2NSF Capability YANG Data Model", Work in | |||
Progress, Internet-Draft, draft-ietf-idr-bgp-model-14, 3 | Progress, Internet-Draft, draft-ietf-i2nsf-capability- | |||
July 2022, <https://www.ietf.org/archive/id/draft-ietf- | data-model-32, 23 May 2022, | |||
idr-bgp-model-14.txt>. | <https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf- | |||
capability-data-model-32>. | ||||
[I-D.ietf-taps-interface] | [NSF-FACING-YANG] | |||
Trammell, B., Welzl, M., Enghardt, T., Fairhurst, G., | Kim, J., Ed., Jeong, J., Ed., Park, J., Hares, S., and Q. | |||
Kuehlewind, M., Perkins, C., Tiesel, P. S., and T. Pauly, | Lin, "I2NSF Network Security Function-Facing Interface | |||
"An Abstract Application Layer Interface to Transport | YANG Data Model", Work in Progress, Internet-Draft, draft- | |||
Services", Work in Progress, Internet-Draft, draft-ietf- | ietf-i2nsf-nsf-facing-interface-dm-29, 1 June 2022, | |||
taps-interface-16, 31 August 2022, | <https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf- | |||
<https://www.ietf.org/archive/id/draft-ietf-taps- | nsf-facing-interface-dm-29>. | |||
interface-16.txt>. | ||||
[RFC4022] Raghunarayan, R., Ed., "Management Information Base for | [RFC4022] Raghunarayan, R., Ed., "Management Information Base for | |||
the Transmission Control Protocol (TCP)", RFC 4022, | the Transmission Control Protocol (TCP)", RFC 4022, | |||
DOI 10.17487/RFC4022, March 2005, | DOI 10.17487/RFC4022, March 2005, | |||
<https://www.rfc-editor.org/info/rfc4022>. | <https://www.rfc-editor.org/info/rfc4022>. | |||
[RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private | [RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private | |||
Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February | Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February | |||
2006, <https://www.rfc-editor.org/info/rfc4364>. | 2006, <https://www.rfc-editor.org/info/rfc4364>. | |||
skipping to change at page 25, line 5 ¶ | skipping to change at line 1107 ¶ | |||
Information Version 2 (SMIv2) MIB Modules to YANG | Information Version 2 (SMIv2) MIB Modules to YANG | |||
Modules", RFC 6643, DOI 10.17487/RFC6643, July 2012, | Modules", RFC 6643, DOI 10.17487/RFC6643, July 2012, | |||
<https://www.rfc-editor.org/info/rfc6643>. | <https://www.rfc-editor.org/info/rfc6643>. | |||
[RFC6952] Jethanandani, M., Patel, K., and L. Zheng, "Analysis of | [RFC6952] Jethanandani, M., Patel, K., and L. Zheng, "Analysis of | |||
BGP, LDP, PCEP, and MSDP Issues According to the Keying | BGP, LDP, PCEP, and MSDP Issues According to the Keying | |||
and Authentication for Routing Protocols (KARP) Design | and Authentication for Routing Protocols (KARP) Design | |||
Guide", RFC 6952, DOI 10.17487/RFC6952, May 2013, | Guide", RFC 6952, DOI 10.17487/RFC6952, May 2013, | |||
<https://www.rfc-editor.org/info/rfc6952>. | <https://www.rfc-editor.org/info/rfc6952>. | |||
[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | ||||
Interchange Format", STD 90, RFC 8259, | ||||
DOI 10.17487/RFC8259, December 2017, | ||||
<https://www.rfc-editor.org/info/rfc8259>. | ||||
[RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | ||||
Documents Containing YANG Data Models", BCP 216, RFC 8407, | ||||
DOI 10.17487/RFC8407, October 2018, | ||||
<https://www.rfc-editor.org/info/rfc8407>. | ||||
[RFC8512] Boucadair, M., Ed., Sivakumar, S., Jacquenet, C., | [RFC8512] Boucadair, M., Ed., Sivakumar, S., Jacquenet, C., | |||
Vinapamula, S., and Q. Wu, "A YANG Module for Network | Vinapamula, S., and Q. Wu, "A YANG Module for Network | |||
Address Translation (NAT) and Network Prefix Translation | Address Translation (NAT) and Network Prefix Translation | |||
(NPT)", RFC 8512, DOI 10.17487/RFC8512, January 2019, | (NPT)", RFC 8512, DOI 10.17487/RFC8512, January 2019, | |||
<https://www.rfc-editor.org/info/rfc8512>. | <https://www.rfc-editor.org/info/rfc8512>. | |||
[RFC8513] Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG | [RFC8513] Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG | |||
Data Model for Dual-Stack Lite (DS-Lite)", RFC 8513, | Data Model for Dual-Stack Lite (DS-Lite)", RFC 8513, | |||
DOI 10.17487/RFC8513, January 2019, | DOI 10.17487/RFC8513, January 2019, | |||
<https://www.rfc-editor.org/info/rfc8513>. | <https://www.rfc-editor.org/info/rfc8513>. | |||
skipping to change at page 25, line 31 ¶ | skipping to change at line 1143 ¶ | |||
[RFC8684] Ford, A., Raiciu, C., Handley, M., Bonaventure, O., and C. | [RFC8684] Ford, A., Raiciu, C., Handley, M., Bonaventure, O., and C. | |||
Paasch, "TCP Extensions for Multipath Operation with | Paasch, "TCP Extensions for Multipath Operation with | |||
Multiple Addresses", RFC 8684, DOI 10.17487/RFC8684, March | Multiple Addresses", RFC 8684, DOI 10.17487/RFC8684, March | |||
2020, <https://www.rfc-editor.org/info/rfc8684>. | 2020, <https://www.rfc-editor.org/info/rfc8684>. | |||
[RFC8783] Boucadair, M., Ed. and T. Reddy.K, Ed., "Distributed | [RFC8783] Boucadair, M., Ed. and T. Reddy.K, Ed., "Distributed | |||
Denial-of-Service Open Threat Signaling (DOTS) Data | Denial-of-Service Open Threat Signaling (DOTS) Data | |||
Channel Specification", RFC 8783, DOI 10.17487/RFC8783, | Channel Specification", RFC 8783, DOI 10.17487/RFC8783, | |||
May 2020, <https://www.rfc-editor.org/info/rfc8783>. | May 2020, <https://www.rfc-editor.org/info/rfc8783>. | |||
[RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu, | ||||
"Handling Long Lines in Content of Internet-Drafts and | ||||
RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020, | ||||
<https://www.rfc-editor.org/info/rfc8792>. | ||||
[RFC9182] Barguil, S., Gonzalez de Dios, O., Ed., Boucadair, M., | [RFC9182] Barguil, S., Gonzalez de Dios, O., Ed., Boucadair, M., | |||
Ed., Munoz, L., and A. Aguado, "A YANG Network Data Model | Ed., Munoz, L., and A. Aguado, "A YANG Network Data Model | |||
for Layer 3 VPNs", RFC 9182, DOI 10.17487/RFC9182, | for Layer 3 VPNs", RFC 9182, DOI 10.17487/RFC9182, | |||
February 2022, <https://www.rfc-editor.org/info/rfc9182>. | February 2022, <https://www.rfc-editor.org/info/rfc9182>. | |||
[RFC9235] Touch, J. and J. Kuusisaari, "TCP Authentication Option | [RFC9235] Touch, J. and J. Kuusisaari, "TCP Authentication Option | |||
(TCP-AO) Test Vectors", RFC 9235, DOI 10.17487/RFC9235, | (TCP-AO) Test Vectors", RFC 9235, DOI 10.17487/RFC9235, | |||
May 2022, <https://www.rfc-editor.org/info/rfc9235>. | May 2022, <https://www.rfc-editor.org/info/rfc9235>. | |||
Appendix A. Acknowledgements | [TAPS-INTERFACE] | |||
Trammell, B., Ed., Welzl, M., Ed., Enghardt, R., | ||||
Michael Scharf was supported by the StandICT.eu project, which is | Fairhurst, G., Kühlewind, M., Perkins, C., Tiesel, P., and | |||
funded by the European Commission under the Horizon 2020 Programme. | T. Pauly, "An Abstract Application Layer Interface to | |||
Transport Services", Work in Progress, Internet-Draft, | ||||
draft-ietf-taps-interface-26, 16 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-taps- | ||||
interface-26>. | ||||
The following persons have contributed to this document by reviews | [W3C.REC-xml-20081126] | |||
(in alphabetical order): Mohamed Boucadair, Gorry Fairhurst, Jeffrey | Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E., | |||
Haas, and Tom Petch. | and F. Yergeau, "Extensible Markup Language (XML) 1.0 | |||
(Fifth Edition)", World Wide Web Consortium | ||||
Recommendation REC-xml-20081126, November 2008, | ||||
<https://www.w3.org/TR/2008/REC-xml-20081126/>. | ||||
Appendix B. Examples | Appendix A. Examples | |||
B.1. Keepalive Configuration | ||||
This particular example demonstrates how both a particular connection | A.1. Keepalive Configuration | |||
can be configured for keepalives. | ||||
NOTE: '\' line wrapping per RFC 8792 | This particular example demonstrates how a particular connection can | |||
be configured for keepalives. | ||||
<?xml version="1.0" encoding="UTF-8"?> | NOTE: '\' line wrapping per RFC 8792 | |||
<!-- | ||||
This example shows how TCP keepalive, MSS and PMTU can be configured \ | ||||
for a given connection. An idle connection is dropped after | <?xml version="1.0" encoding="UTF-8"?> | |||
idle-time + (max-probes * probe-interval). | <!-- | |||
--> | This example shows how TCP keepalive, MSS, and PMTU can be configure\ | |||
<tcp | d for a given connection. An idle connection is dropped after | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-tcp"> | idle-time + (max-probes * probe-interval). | |||
<connections> | --> | |||
<connection> | <tcp | |||
<local-address>192.0.2.1</local-address> | xmlns="urn:ietf:params:xml:ns:yang:ietf-tcp"> | |||
<remote-address>192.0.2.2</remote-address> | <connections> | |||
<local-port>1025</local-port> | <connection> | |||
<remote-port>22</remote-port> | <local-address>192.0.2.1</local-address> | |||
<mss>1400</mss> | <remote-address>192.0.2.2</remote-address> | |||
<pmtud>true</pmtud> | <local-port>1025</local-port> | |||
<keepalives> | <remote-port>22</remote-port> | |||
<idle-time>5</idle-time> | <mss>1400</mss> | |||
<max-probes>5</max-probes> | <pmtud>true</pmtud> | |||
<probe-interval>10</probe-interval> | <keepalives> | |||
</keepalives> | <idle-time>5</idle-time> | |||
</connection> | <max-probes>5</max-probes> | |||
</connections> | <probe-interval>10</probe-interval> | |||
</tcp> | </keepalives> | |||
</connection> | ||||
</connections> | ||||
</tcp> | ||||
B.2. TCP-AO Configuration | A.2. TCP-AO Configuration | |||
The following example demonstrates how to model a TCP-AO [RFC5925] | The following example demonstrates how to model a TCP-AO [RFC5925] | |||
configuration for the example in TCP-AO Test Vectors [RFC9235]. The | configuration for the example in "TCP Authentication Option (TCP-AO) | |||
IP addresses and other parameters are taken from the test vectors. | Test Vectors" [RFC9235]. The IP addresses and other parameters are | |||
taken from the test vectors. | ||||
NOTE: '\' line wrapping per RFC 8792 | NOTE: '\' line wrapping per RFC 8792 | |||
<?xml version="1.0" encoding="UTF-8"?> | <?xml version="1.0" encoding="UTF-8"?> | |||
<!-- | <!-- | |||
This example sets TCP-AO configuration parameters similar to | This example sets TCP-AO configuration parameters similarly to | |||
the examples in RFC 9235. | the examples in RFC 9235. | |||
--> | ||||
<key-chains | <key-chains | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain"> | xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain"> | |||
<key-chain> | <key-chain> | |||
<name>ao-config</name> | <name>ao-config</name> | |||
<description>"An example for TCP-AO configuration."</description>\ | <description>"An example for TCP-AO configuration."</description> | |||
<key> | ||||
<key-id>55</key-id> | ||||
<lifetime> | ||||
<send-lifetime> | ||||
<start-date-time>2017-01-01T00:00:00Z</start-date-time> | ||||
<end-date-time>2017-02-01T00:00:00Z</end-date-time> | ||||
</send-lifetime> | ||||
<accept-lifetime> | ||||
<start-date-time>2016-12-31T23:59:55Z</start-date-time> | ||||
<end-date-time>2017-02-01T00:00:05Z</end-date-time> | ||||
</accept-lifetime> | ||||
</lifetime> | ||||
<crypto-algorithm | ||||
xmlns:tcp= | ||||
"urn:ietf:params:xml:ns:yang:ietf-tcp">tcp:aes-128</crypto\ | ||||
-algorithm> | ||||
<key-string> | ||||
<keystring>testvector</keystring> | ||||
</key-string> | ||||
<authentication | ||||
xmlns="urn:ietf:params:xml:ns:yang:ietf-tcp"> | ||||
<keychain>ao-config</keychain> | ||||
<ao> | ||||
<send-id>61</send-id> | ||||
<recv-id>84</recv-id> | ||||
</ao> | ||||
</authentication> | ||||
</key> | ||||
</key-chain> | ||||
</key-chains> | ||||
<key> | Appendix B. Complete Tree Diagram | |||
<key-id>55</key-id> | ||||
<lifetime> | ||||
<send-lifetime> | ||||
<start-date-time>2017-01-01T00:00:00Z</start-date-time> | ||||
<end-date-time>2017-02-01T00:00:00Z</end-date-time> | ||||
</send-lifetime> | ||||
<accept-lifetime> | ||||
<start-date-time>2016-12-31T23:59:55Z</start-date-time> | ||||
<end-date-time>2017-02-01T00:00:05Z</end-date-time> | ||||
</accept-lifetime> | ||||
</lifetime> | ||||
<crypto-algorithm | ||||
xmlns:tcp= | ||||
"urn:ietf:params:xml:ns:yang:ietf-tcp">tcp:aes-128</crypto-algorit\ | ||||
hm> | ||||
<key-string> | ||||
<keystring>testvector</keystring> | ||||
</key-string> | ||||
<authentication | ||||
xmlns="urn:ietf:params:xml:ns:yang:ietf-tcp"> | ||||
<keychain>ao-config</keychain> | ||||
<ao> | ||||
<send-id>61</send-id> | ||||
<recv-id>84</recv-id> | ||||
</ao> | ||||
</authentication> | ||||
</key> | ||||
</key-chain> | ||||
</key-chains> | ||||
Appendix C. Complete Tree Diagram | ||||
Here is the complete tree diagram for the TCP YANG model. | Here is the complete tree diagram for the TCP YANG data model. | |||
module: ietf-tcp | module: ietf-tcp | |||
+--rw tcp! | +--rw tcp! | |||
+--rw connections | +--rw connections | |||
| +--rw connection* | | +--rw connection* | |||
| [local-address remote-address local-port remote-port] | | [local-address remote-address local-port remote-port] | |||
| +--rw local-address inet:ip-address | | +--rw local-address inet:ip-address | |||
| +--rw remote-address inet:ip-address | | +--rw remote-address inet:ip-address | |||
| +--rw local-port inet:port-number | | +--rw local-port inet:port-number | |||
| +--rw remote-port inet:port-number | | +--rw remote-port inet:port-number | |||
skipping to change at page 29, line 13 ¶ | skipping to change at line 1315 ¶ | |||
+--:(ao) | +--:(ao) | |||
| +--rw ao! | | +--rw ao! | |||
| +--rw send-id? uint8 | | +--rw send-id? uint8 | |||
| +--rw recv-id? uint8 | | +--rw recv-id? uint8 | |||
| +--rw include-tcp-options? boolean | | +--rw include-tcp-options? boolean | |||
| +--rw accept-key-mismatch? boolean | | +--rw accept-key-mismatch? boolean | |||
| +--ro r-next-key-id? uint8 | | +--ro r-next-key-id? uint8 | |||
+--:(md5) | +--:(md5) | |||
+--rw md5! | +--rw md5! | |||
Acknowledgements | ||||
Michael Scharf was supported by the StandICT.eu project, which is | ||||
funded by the European Commission under the Horizon 2020 Programme. | ||||
The following persons have contributed to this document by reviews | ||||
(in alphabetical order): Mohamed Boucadair, Gorry Fairhurst, Jeffrey | ||||
Haas, and Tom Petch. | ||||
Authors' Addresses | Authors' Addresses | |||
Michael Scharf | Michael Scharf | |||
Hochschule Esslingen - University of Applied Sciences | Hochschule Esslingen | |||
University of Applied Sciences | ||||
Kanalstr. 33 | Kanalstr. 33 | |||
73728 Esslingen | 73728 Esslingen am Neckar | |||
Germany | Germany | |||
Email: michael.scharf@hs-esslingen.de | Email: michael.scharf@hs-esslingen.de | |||
Mahesh Jethanandani | Mahesh Jethanandani | |||
Kloud Services | Kloud Services | |||
Email: mjethanandani@gmail.com | Email: mjethanandani@gmail.com | |||
Vishal Murgai | Vishal Murgai | |||
Samsung | F5, Inc. | |||
Email: vmurgai@gmail.com | Email: vmurgai@gmail.com | |||
End of changes. 139 change blocks. | ||||
402 lines changed or deleted | 413 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |