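--- a/rfc9061v2.txt
+++ b/rfc9061.txt
@@ -651 +651 @@
 Relating to IETF Documents
 (https://trustee.ietf.org/license-info).
 This version of this YANG module is part of RFC 9061; see
 the RFC itself for full legal notices.";
 revision 2021-06-09 {
 description
 "Initial version.";
 reference
-"RFC 9061: Software-Defined Networking
-(SDN)-based IPsec Flow Protection.";
+"RFC 9061: A YANG Data Model for IPsec Flow Protection
+Based on Software-Defined Networking (SDN).";
 }
 typedef encr-alg-t {
 type uint16;
 description
 "The encryption algorithm is specified with a 16-bit
 number extracted from the IANA registry. The acceptable
 values MUST follow the requirement levels for
 encryption algorithms for ESP and IKEv2.";
 reference
@@ -1516 +1516 @@
 related to the amount of IKE connections established.
 5.2.2. Example Usage
 Appendix A shows an example of IKE case configuration for an NSF, in
 tunnel mode (gateway-to-gateway), with NSF authentication based on
 X.509 certificates.
 5.2.3. YANG Module
-This YANG module has normative references to [RFC2247], [RFC5280],
-[RFC4301], [RFC5915], [RFC6991], [RFC7296], [RFC7383], [RFC7427],
-[RFC7619], [RFC8017], [ITU-T.X.690], [RFC5322], [RFC8229], [RFC8174],
-[RFC2560], [IKEv2-Auth-Method], [IKEv2-Transform-Type-4],
-[IKEv2-Parameters], and [IANA-Method-Type].
+This YANG module has normative references to [RFC5280], [RFC4301],
+[RFC5915], [RFC6991], [RFC7296], [RFC7383], [RFC7427], [RFC7619],
+[RFC8017], [ITU-T.X.690], [RFC5322], [RFC8229], [RFC8174], [RFC6960],
+[IKEv2-Auth-Method], [IKEv2-Transform-Type-4], [IKEv2-Parameters],
+and [IANA-Method-Type].
 <CODE BEGINS> file "ietf-i2nsf-ike@2021-06-09.yang"
 module ietf-i2nsf-ike {
 yang-version 1.1;
 namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ike";
 prefix nsfike;
 import ietf-inet-types {
 prefix inet;
 reference
 "RFC 6991: Common YANG Data Types.";
 }
 import ietf-yang-types {
 prefix yang;
 reference
 "RFC 6991: Common YANG Data Types.";
 }
 import ietf-i2nsf-ikec {
 prefix nsfikec;
 reference
-"RFC 9061: Software-Defined Networking
-(SDN)-based IPsec Flow Protection.";
+"RFC 9061: A YANG Data Model for IPsec Flow Protection
+Based on Software-Defined Networking (SDN).";
 }
 import ietf-netconf-acm {
 prefix nacm;
 reference
 "RFC 8341: Network Configuration Access Control
 Model.";
 }
 organization
 "IETF I2NSF Working Group";
@@ -1594 +1594 @@
 Relating to IETF Documents
 (http://trustee.ietf.org/license-info).
 This version of this YANG module is part of RFC 9061; see
 the RFC itself for full legal notices.";
 revision 2021-06-09 {
 description
 "Initial version.";
 reference
-"RFC 9061: Software-Defined Networking
-(SDN)-based IPsec Flow Protection.";
+"RFC 9061: A YANG Data Model for IPsec Flow Protection
+Based on Software-Defined Networking (SDN).";
 }
 typedef ike-spi {
 type uint64 {
 range "0..max";
 }
 description
 "Security Parameter Index (SPI)'s IKE SA.";
 reference
 "RFC 7296: Internet Key Exchange Protocol Version 2
@@ -2076 +2076 @@
 Certificate and Certificate Revocation
 List (CRL) Profile.";
 }
 leaf oscp-uri {
 type inet:uri;
 description
 "Online Certificate Status Protocol
 (OCSP) URI. If it is not defined,
 the default value is empty.";
 reference
-"RFC 2560: X.509 Internet Public Key Infrastructure
+"RFC 6960: X.509 Internet Public Key Infrastructure
 Online Certificate Status Protocol - OCSP
 RFC 5280: Internet X.509 Public Key Infrastructure
 Certificate and Certificate Revocation
 List (CRL) Profile.";
 }
 description
 "digital-signature container.";
 } /*container digital-signature*/
 } /*container peer-authentication*/
 }
@@ -2767 +2767 @@
 "RFC 6991: Common YANG Data Types.";
 }
 import ietf-yang-types {
 prefix yang;
 reference
 "RFC 6991: Common YANG Data Types.";
 }
 import ietf-i2nsf-ikec {
 prefix nsfikec;
 reference
-"RFC 9061: Software-Defined Networking
-(SDN)-based IPsec Flow Protection.";
+"RFC 9061: A YANG Data Model for IPsec Flow Protection
+Based on Software-Defined Networking (SDN).";
 }
 import ietf-netconf-acm {
 prefix nacm;
 reference
 "RFC 8341: Network Configuration Access Control
 Model.";
 }
 organization
 "IETF I2NSF Working Group";
@@ -2820 +2820 @@
 Relating to IETF Documents
 (https://trustee.ietf.org/license-info).
 This version of this YANG module is part of RFC 9061; see
 the RFC itself for full legal notices.";
 revision 2021-06-09 {
 description
 "Initial version.";
 reference
-"RFC 9061: Software-Defined Networking
-(SDN)-based IPsec Flow Protection.";
+"RFC 9061: A YANG Data Model for IPsec Flow Protection
+Based on Software-Defined Networking (SDN).";
 }
 feature ikeless-notification {
 description
 "This feature indicates that the server supports
 generating notifications in the ikeless module.
 To ensure broader applicability of this module,
 the notifications are marked as a feature.
 For the implementation of the IKE-less case,
@@ -3564 +3564 @@
 IANA, "Transform Type 3 - Integrity Algorithm Transform
 IDs",
 <https://www.iana.org/assignments/ikev2-parameters/>.
 [IKEv2-Transform-Type-4]
 IANA, "Transform Type 4 - Diffie-Hellman Group Transform
 IDs",
 <https://www.iana.org/assignments/ikev2-parameters/>.
 [ITU-T.X.690]
-International Telecommunication Untion, "Information
+International Telecommunication Union, "Information
 Technology - ASN.1 encoding rules: Specification of Basic
 Encoding Rules (BER), Canonical Encoding Rules (CER) and
 Distinguished Encoding Rules (DER)", ITU-T Recommendation
 X.690, ISO/IEC 8825-1, February 2021.
 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
 Requirement Levels", BCP 14, RFC 2119,
 DOI 10.17487/RFC2119, March 1997,
 <https://www.rfc-editor.org/info/rfc2119>.
-[RFC2247] Kille, S., Wahl, M., Grimstad, A., Huber, R., and S.
-Sataluri, "Using Domains in LDAP/X.500 Distinguished
-Names", RFC 2247, DOI 10.17487/RFC2247, January 1998,
-<https://www.rfc-editor.org/info/rfc2247>.
-[RFC2560] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C.
-Adams, "X.509 Internet Public Key Infrastructure Online
-Certificate Status Protocol - OCSP", RFC 2560,
-DOI 10.17487/RFC2560, June 1999,
-<https://www.rfc-editor.org/info/rfc2560>.
 [RFC3947] Kivinen, T., Swander, B., Huttunen, A., and V. Volpe,
 "Negotiation of NAT-Traversal in the IKE", RFC 3947,
 DOI 10.17487/RFC3947, January 2005,
 <https://www.rfc-editor.org/info/rfc3947>.
 [RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M.
 Stenberg, "UDP Encapsulation of IPsec ESP Packets",
 RFC 3948, DOI 10.17487/RFC3948, January 2005,
 <https://www.rfc-editor.org/info/rfc3948>.
@@ -3632 +3621 @@
 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
 and A. Bierman, Ed., "Network Configuration Protocol
 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
 <https://www.rfc-editor.org/info/rfc6241>.
 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
 <https://www.rfc-editor.org/info/rfc6242>.
+[RFC6960] Santesson, S., Myers, M., Ankney, R., Malpani, A.,
+Galperin, S., and C. Adams, "X.509 Internet Public Key
+Infrastructure Online Certificate Status Protocol - OCSP",
+RFC 6960, DOI 10.17487/RFC6960, June 2013,
+<https://www.rfc-editor.org/info/rfc6960>.
 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
 RFC 6991, DOI 10.17487/RFC6991, July 2013,
 <https://www.rfc-editor.org/info/rfc6991>.
 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
 Kivinen, "Internet Key Exchange Protocol Version 2
 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
 2014, <https://www.rfc-editor.org/info/rfc7296>.
 [RFC7383] Smyslov, V., "Internet Key Exchange Protocol Version 2
@@ -3714 +3709 @@
 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
 <https://www.rfc-editor.org/info/rfc8446>.
 8.2. Informative References
 [IPSECME-CONTROLLER-IKE]
 Carrel, D. and B. Weis, "IPsec Key Exchange using a
 Controller", Work in Progress, Internet-Draft, draft-
 carrel-ipsecme-controller-ike-01, 10 March 2019,
-<https://tools.ietf.org/html/draft-carrel-ipsecme-
-controller-ike-01>.
+<https://datatracker.ietf.org/doc/html/draft-carrel-
+ipsecme-controller-ike-01>.
 [ITU-T.Y.3300]
 International Telecommunications Union, "Y.3300: Framework
 of software-defined networking", June 2014,
 <https://www.itu.int/rec/T-REC-Y.3300/en>.
 [libreswan]
 The Libreswan Project, "Libreswan VPN software",
 <https://libreswan.org/>.
@@ -3810 +3805 @@
 <https://doi.org/10.1145/2491185.2491199>.
 [strongswan]
 CESNET, "strongSwan: the OpenSource IPsec-based VPN
 Solution", <https://www.strongswan.org/>.
 [TRAN-IPSECME-YANG]
 Tran, K., Wang, H., Nagaraj, V. K., and X. Chen, "Yang
 Data Model for Internet Protocol Security (IPsec)", Work
 in Progress, Internet-Draft, draft-tran-ipsecme-yang-01,
-18 March 2016,
-<https://tools.ietf.org/html/draft-tran-ipsecme-yang-01>.
+18 March 2016, <https://datatracker.ietf.org/doc/html/
+draft-tran-ipsecme-yang-01>.
 Appendix A. XML Configuration Example for IKE Case (Gateway-to-Gateway)
 This example shows an XML configuration file sent by the I2NSF
 Controller to establish an IPsec SA between two NSFs (see Figure 3)
 in tunnel mode (gateway-to-gateway) with ESP, with authentication
 based on X.509 certificates (simplified for brevity with
 "base64encodedvalue==") and applying the IKE case.
 +------------------+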
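Review bot: The leaf name `oscp-uri` in the peer-authentication hunk (old line 2076) is a transposition of OCSP that the reference correction from RFC 2560 to RFC 6960 on the same node leaves in place, while the description and both references spell the acronym correctly. If the module is still pre-publication this is the last point at which it can be changed to `leaf ocsp-uri {`; once published with the 2021-06-09 revision, the module-update rules of RFC 7950, Section 11 do not, as I read them, permit renaming a data node, so the identifier would have to stay and the misspelling be recorded as an erratum instead. The leaf's description also stops at "the default value is empty" and does not say what the NSF does about revocation checking when no OCSP URI is configured, so an operator cannot tell from the module whether status is then obtained another way or not checked at all; one sentence stating that would close the gap. A smaller inconsistency: the license URL in the module description at old line 1594 is `http://trustee.ietf.org/license-info` while the other two modules on this page use `https://`. The digital-signature and peer-authentication containers both start outside the hunk.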
| End of changes. 12 change blocks. | ||||
| 32 lines changed or deleted | 27 lines changed or added | |||