<?xml version='1.0' encoding='utf-8'?> <!DOCTYPE rfc [ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]><?xml-stylesheet type="text/xsl" href="rfc2629.xslt"?> <?rfc toc="yes"?> <?rfc compact="no"?> <?rfc subcompact="no"?> <?rfc symrefs="yes" ?> <?rfc sortrefs="yes"?> <?rfc iprnotified="no"?> <?rfc strict="yes"?><rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" category="std" number="9348" docName="draft-ietf-ipsecme-yang-iptfs-11" submissionType="IETF" consensus="true" obsoletes="" updates="" xml:lang="en" tocInclude="true" symRefs="true" sortRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 3.14.0 --> <front> <title abbrev="A YANG Data Model for IP-TFS">A YANG Data Model for IP Traffic Flow Security</title> <seriesInfoname="Internet-Draft" value="draft-ietf-ipsecme-yang-iptfs-11"/>name="RFC" value="9348"/> <author initials="D." surname="Fedyk" fullname="Don Fedyk"> <organization>LabN Consulting, L.L.C.</organization> <address> <email>dfedyk@labn.net</email> </address> </author> <author initials="C." surname="Hopps" fullname="Christian Hopps"> <organization>LabN Consulting, L.L.C.</organization> <address> <email>chopps@chopps.org</email> </address> </author><date/><date year="2023" month="January"/> <abstract> <t>This document describes a YANG module for the management of IP Traffic Flow Security (IP-TFS) additions toIKEv2Internet Key Exchange Protocol version 2 (IKEv2) and IPsec.</t> </abstract> </front> <middle> <section numbered="true" toc="default"> <name>Introduction</name> <t>This document defines a YANG module <xref target="RFC7950" format="default"/> for the management of the IP Traffic Flow Security (IP-TFS) extensionsasdefined in <xreftarget="I-D.ietf-ipsecme-iptfs"target="RFC9347" format="default"/>. IP-TFS provides enhancements to an IPsec tunnel Security Association (SA) to provide improved traffic confidentiality. Traffic confidentiality reduces the ability of traffic analysis to determine identity and correlate observable traffic patterns. IP-TFS offers efficiency when aggregating traffic infixed sizefixed-size IPsec tunnel packets.</t> <t>The YANG data model in this document conforms to the Network Management Datastore Architecture (NMDA) defined in <xref target="RFC8342" format="default"/>.</t> <t>The published YANG modules for IPsec are defined in <xref target="RFC9061" format="default"/>. This document uses these models as a general IPsec model that is augmented for IP-TFS. The models in <xref target="RFC9061" format="default"/> provide for both an IKE and anIKELESSIKE-less model.</t><!-- <section numbered="true" toc="default"> <name>Terminology & Concepts</name> <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in <xref target="RFC2119" format="default"/> <xref target="RFC8174" format="default"/> when, and only when, they appear in all capitals, as shown here.</t> </section> --></section> <section numbered="true" toc="default"> <name>Overview</name> <t>This document defines configuration and operational parameters of IPtraffic flow securityTraffic Flow Security (IP-TFS). IP-TFS, defined in <xreftarget="I-D.ietf-ipsecme-iptfs"target="RFC9347" format="default"/>, defines a security association for tunnel mode IPsec with characteristics that improve traffic confidentiality and reduce bandwidth efficiency loss. These documents assume familiarity withIP securitythe IPsec concepts described in <xref target="RFC4301" format="default"/>.</t> <t>IP-TFS uses tunnel mode to improve confidentiality by hiding inner packet identifiable information, packetsizesize, and packet timing. IP-TFS provides a general capability allowing aggregation of multiple packets inuniform sizeuniform-size outer tunnel IPsec packets. It maintains the outer packet size by utilizing combinations of aggregating,paddingpadding, and fragmenting inner packets to fill out the IPsec outer tunnel packet.Zero byte paddingPadding is used to fill the packet when no data is available to send.</t> <t>This document specifies an extensible configuration model for IP-TFS. This version utilizes the capabilities of IP-TFS to configurefixed sizefixed-size IP-TFSPacketspackets that are transmitted at a constant rate. This model is structured to allow for different types of operation through future augmentation.</t> <t>The IP-TFS YANG module augments the IPsec YANGmodelmodule from <xref target="RFC9061" format="default"/>. IP-TFS makes use of IPsec tunnel mode and adds a small number of configuration items to IPsec tunnelmode IPsec.mode. As defined in <xreftarget="I-D.ietf-ipsecme-iptfs"target="RFC9347" format="default"/>, any SA configured to use IP-TFS supports only IP-TFSpackets i.e.packets, i.e., no mixed IPsec modes.</t> <t>The behavior for IP-TFS is controlled by the source. The self-describing format of an IP-TFSpacketspacket allows a sending side to adjust thepacket-sizepacket size and timing independently from any receiver. Both directions are also independent,e.g.e.g., IP-TFS may be run only in one direction. This means that counters, which are created here for bothdirectionsdirections, may be 0 or not updated in the case of an SA that uses IP-TFS only in on direction.</t> <t>Cases where IP-TFS statistics are active for one direction:</t> <ul spacing="normal"> <li>SA one direction - IP-TFS enabled</li> <li>SA both directions - IP-TFS only enabled in one direction</li> </ul> <t>Case where IP-TFS statistics are active for both directions:</t> <ul spacing="normal"> <li>SA both directions - IP-TFS enable for both directions</li> </ul> <t>The IP-TFS modelsupportsupports IP-TFS configuration and operational data.</t> <t>This YANG module supports configuration offixed sizefixed-size andfixed ratefixed-rate packets,andas well as elements that may be augmented to support future configuration. The protocol specification <xreftarget="I-D.ietf-ipsecme-iptfs" format="default"/>,target="RFC9347" format="default"/> goes beyond thissimplesimple, fixed mode of operation by defining a general format for any type of scheme. In thisdocumentdocument, the outer IPsec packets can be sent with fixed or variable size (without padding). The configuration allows the fixed packet size to be determined by the path MTU. The fixed packet size can also be configured if a value lower than the path MTU is desired.</t> <t>Other configuration items include:</t><ul<dl newline="true" spacing="normal"><li>Congestion Control. A<dt>Congestion Control:</dt> <dd>A congestion control setting to allow IP-TFS to reduce the packet rate when congestion isdetected.</li> <li>Fixed Rate configuration. Thedetected.</dd> <dt>Fixed-Rate Configuration:</dt> <dd>The IP-TFS tunnel rate can be configured by taking into account either layer 2 overhead or layer 3 overhead. Layer 3 overhead is the IP dataraterate, and layer 2 overhead is the rate of bits on the link. The combination of packet size and rate determines the nominal maximum bandwidth and the transmission interval whenfixed sizefixed-size packets areused.</li> <li>User packetused.</dd> <dt>User Packet FragmentationControl. WhileControl:</dt> <dd>While fragmentation is recommended for improved efficiency, a configuration is provided if users wish to observe the effectno-fragmentationof no fragmentation on their dataflows.</li> </ul>flows.</dd> </dl> <t>The YANG operational data allows the readout of the configuredparametersparameters, as well as theper SAper-SA statistics and error counters for IP-TFS.Per SAPer-SA IPsec packet statistics are provided as afeaturefeature, andper SA IP-TFS specificper-SA IP-TFS-specific statistics are provided as another feature. Both sets of statistics augment the IPsec YANGmodelsmodules with counters that allow observation of IP-TFS packet efficiency.</t><t><xref target="RFC9061" format="default"/> has a set of<t> IPsec YANG managementobjects.objects are set in <xref target="RFC9061" format="default"/>. IP-TFS YANG augments the IKE and theIKELESSIKE-less models. In thesemodelsmodels, the Security Policy database entry and Security Association entry for an IPsecTunneltunnel can be augmented with IP-TFS. In addition, this model uses YANG types defined in <xref target="RFC6991" format="default"/>. </t> </section> <section numbered="true" toc="default"> <name>YANG Management</name> <section numbered="true" toc="default"> <name>YANG Tree</name> <t>The following is the YANG tree diagram(<xref<xref target="RFC8340"format="default"/>)format="default"/> for the IP-TFS extensions.</t><artwork name="" type="" align="left" alt=""><![CDATA[<sourcecode type="yangtree"><![CDATA[ module: ietf-ipsec-iptfs augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd /nsfike:spd-entry/nsfike:ipsec-policy-config /nsfike:processing-info/nsfike:ipsec-sa-cfg: +--rw traffic-flow-security +--rw congestion-control? boolean +--rw packet-size | +--rw use-path-mtu-discovery? boolean | +--rw outer-packet-size? uint16 +--rw (tunnel-rate)? | +--:(l2-fixed-rate) | | +--rw l2-fixed-rate? yang:gauge64 | +--:(l3-fixed-rate) | +--rw l3-fixed-rate? yang:gauge64 +--rw dont-fragment? boolean +--rw max-aggregation-time? decimal64 +--rw window-size? uint16 +--rw send-immediately? boolean +--rw lost-packet-timer-interval? decimal64 augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info: +--ro traffic-flow-security +--ro congestion-control? boolean +--ro packet-size | +--ro use-path-mtu-discovery? boolean | +--ro outer-packet-size? uint16 +--ro (tunnel-rate)? | +--:(l2-fixed-rate) | | +--ro l2-fixed-rate? yang:gauge64 | +--:(l3-fixed-rate) | +--ro l3-fixed-rate? yang:gauge64 +--ro dont-fragment? boolean +--ro max-aggregation-time? decimal64 +--ro window-size? uint16 +--ro send-immediately? boolean +--ro lost-packet-timer-interval? decimal64 augment /nsfikels:ipsec-ikeless/nsfikels:spd/nsfikels:spd-entry /nsfikels:ipsec-policy-config/nsfikels:processing-info /nsfikels:ipsec-sa-cfg: +--rw traffic-flow-security +--rw congestion-control? boolean +--rw packet-size | +--rw use-path-mtu-discovery? boolean | +--rw outer-packet-size? uint16 +--rw (tunnel-rate)? | +--:(l2-fixed-rate) | | +--rw l2-fixed-rate? yang:gauge64 | +--:(l3-fixed-rate) | +--rw l3-fixed-rate? yang:gauge64 +--rw dont-fragment? boolean +--rw max-aggregation-time? decimal64 +--rw window-size? uint16 +--rw send-immediately? boolean +--rw lost-packet-timer-interval? decimal64 augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry: +--ro traffic-flow-security +--ro congestion-control? boolean +--ro packet-size | +--ro use-path-mtu-discovery? boolean | +--ro outer-packet-size? uint16 +--ro (tunnel-rate)? | +--:(l2-fixed-rate) | | +--ro l2-fixed-rate? yang:gauge64 | +--:(l3-fixed-rate) | +--ro l3-fixed-rate? yang:gauge64 +--ro dont-fragment? boolean +--ro max-aggregation-time? decimal64 +--ro window-size? uint16 +--ro send-immediately? boolean +--ro lost-packet-timer-interval? decimal64 augment /nsfike:ipsec-ike/nsfike:conn-entry/nsfike:child-sa-info: +--ro ipsec-stats {ipsec-stats}? | +--ro tx-pkts? yang:counter64 | +--ro tx-octets? yang:counter64 | +--ro tx-drop-pkts? yang:counter64 | +--ro rx-pkts? yang:counter64 | +--ro rx-octets? yang:counter64 | +--ro rx-drop-pkts? yang:counter64 +--ro iptfs-inner-pkt-stats {iptfs-stats}? | +--ro tx-pkts? yang:counter64 | +--ro tx-octets? yang:counter64 | +--ro rx-pkts? yang:counter64 | +--ro rx-octets? yang:counter64 | +--ro rx-incomplete-pkts? yang:counter64 +--ro iptfs-outer-pkt-stats {iptfs-stats}? +--ro tx-all-pad-pkts? yang:counter64 +--ro tx-all-pad-octets? yang:counter64 +--ro tx-extra-pad-pkts? yang:counter64 +--ro tx-extra-pad-octets? yang:counter64 +--ro rx-all-pad-pkts? yang:counter64 +--ro rx-all-pad-octets? yang:counter64 +--ro rx-extra-pad-pkts? yang:counter64 +--ro rx-extra-pad-octets? yang:counter64 +--ro rx-errored-pkts? yang:counter64 +--ro rx-missed-pkts? yang:counter64 augment /nsfikels:ipsec-ikeless/nsfikels:sad/nsfikels:sad-entry: +--ro ipsec-stats {ipsec-stats}? | +--ro tx-pkts? yang:counter64 | +--ro tx-octets? yang:counter64 | +--ro tx-drop-pkts? yang:counter64 | +--ro rx-pkts? yang:counter64 | +--ro rx-octets? yang:counter64 | +--ro rx-drop-pkts? yang:counter64 +--ro iptfs-inner-pkt-stats {iptfs-stats}? | +--ro tx-pkts? yang:counter64 | +--ro tx-octets? yang:counter64 | +--ro rx-pkts? yang:counter64 | +--ro rx-octets? yang:counter64 | +--ro rx-incomplete-pkts? yang:counter64 +--ro iptfs-outer-pkt-stats {iptfs-stats}? +--ro tx-all-pad-pkts? yang:counter64 +--ro tx-all-pad-octets? yang:counter64 +--ro tx-extra-pad-pkts? yang:counter64 +--ro tx-extra-pad-octets? yang:counter64 +--ro rx-all-pad-pkts? yang:counter64 +--ro rx-all-pad-octets? yang:counter64 +--ro rx-extra-pad-pkts? yang:counter64 +--ro rx-extra-pad-octets? yang:counter64 +--ro rx-errored-pkts? yang:counter64 +--ro rx-missed-pkts? yang:counter64]]></artwork>]]></sourcecode> </section> <section numbered="true" toc="default"> <name>YANG Module</name> <t>The following is the YANG module for managing the IP-TFS extensions. The model contains references to <xreftarget="I-D.ietf-ipsecme-iptfs"target="RFC9347" format="default"/> and <xref target="RFC5348" format="default"/>.</t> <sourcecodename="ietf-ipsec-iptfs@2022-09-22.yang" type=""name="ietf-ipsec-iptfs@2022-12-16.yang" type="yang" markers="true"><![CDATA[ module ietf-ipsec-iptfs { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs"; prefix iptfs; import ietf-i2nsf-ike { prefix nsfike; reference "RFC90619061: A YANG Data Model for IPsec Flow Protection Based on Software-Defined Networking(SDN)(SDN), Section 5.2"; } import ietf-i2nsf-ikeless { prefix nsfikels; reference "RFC90619061: A YANG Data Model for IPsec Flow Protection Based on Software-Defined Networking(SDN)(SDN), Section 5.3"; } import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types"; } organization "IETF IPSECME Working Group (IPSECME)"; contact "WG Web: <https://datatracker.ietf.org/wg/ipsecme/> WG List: <mailto:ipsecme@ietf.org> Author: Don Fedyk <mailto:dfedyk@labn.net> Author: Christian Hopps <mailto:chopps@chopps.org>";// RFC Ed.: replace XXXX with actual RFC number and // remove this note.description "This module defines the configuration and operational state for managing the IP Traffic Flow Security functionality[RFC XXXX].(RFC 9348). Copyright (c)20222023 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFCXXXX;9348; see the RFC itself for full legal notices.";// RFC Ed.: replace XXXX with actual RFC number and remove // this note // replace '2016-03-20' with the module publication date // the format is (2022-09-22)revision2022-09-222022-12-16 { description "InitialRevision";revision"; reference "RFCXXXX:9348: A YANG Data Model for IP Traffic FlowSecurity YANG Module";Security"; } feature ipsec-stats { description "This feature indicates the device supportsper SAper-SA IPsecstatistics";statistics."; } feature iptfs-stats { description "This feature indicates the device supportsper SAper-SA IP Traffic Flow Securitystatistics";statistics."; } /*--------------------*/ /* groupings */ /*--------------------*/ grouping ipsec-tx-stat-grouping { description "IPsec outbound statistics"; leaf tx-pkts { type yang:counter64; config false; description "Outbound Packet count"; } leaf tx-octets { type yang:counter64; config false; description "Outbound Packet bytes"; } leaf tx-drop-pkts { type yang:counter64; config false; description "Outbound dropped packets count"; } } grouping ipsec-rx-stat-grouping { description "IPsec inbound statistics"; leaf rx-pkts { type yang:counter64; config false; description "Inbound Packet count"; } leaf rx-octets { type yang:counter64; config false; description "Inbound Packet bytes"; } leaf rx-drop-pkts { type yang:counter64; config false; description "Inbound dropped packets count"; } } grouping iptfs-inner-tx-stat-grouping { description "IP-TFS outbound inner packet statistics"; leaf tx-pkts { type yang:counter64; config false; description "Total number of IP-TFS inner packets sent. This count is whole packets only. A fragmented packet counts as onepacket";packet."; reference"draft-ietf-ipsecme-iptfs";"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS)"; } leaf tx-octets { type yang:counter64; config false; description "Total number of IP-TFS inner octets sent. This is inner packet octets only.DoesIt does not count padding."; reference"draft-ietf-ipsecme-iptfs";"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS)"; } } grouping iptfs-outer-tx-stat-grouping { description "IP-TFS outbound inner packet statistics"; leaf tx-all-pad-pkts { type yang:counter64; config false; description "Total number of transmitted IP-TFS packets that were all padding with no inner packet data."; reference"draft-ietf-ipsecme-iptfs section"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3"; } leaf tx-all-pad-octets { type yang:counter64; config false; description "Total number transmitted octets of padding added to IP-TFS packets with no inner packet data."; reference"draft-ietf-ipsecme-iptfs section"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3"; } leaf tx-extra-pad-pkts { type yang:counter64; config false; description "Total number of transmitted outer IP-TFS packets that included some padding."; reference"draft-ietf-ipsecme-iptfs section"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3.1"; } leaf tx-extra-pad-octets { type yang:counter64; config false; description "Total number of transmitted octets of padding added to outer IP-TFS packets with data."; reference"draft-ietf-ipsecme-iptfs section"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3.1"; } } grouping iptfs-inner-rx-stat-grouping { description "IP-TFS inner packet inbound statistics"; leaf rx-pkts { type yang:counter64; config false; description "Total number of IP-TFS inner packets received."; reference"draft-ietf-ipsecme-iptfs section"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2"; } leaf rx-octets { type yang:counter64; config false; description "Total number of IP-TFS inner octets received.DoesIt does not include padding oroverhead";overhead."; reference"draft-ietf-ipsecme-iptfs section"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2"; } leaf rx-incomplete-pkts { type yang:counter64; config false; description "Total number of IP-TFS inner packets that were incomplete. Usually this is due to fragments that are not received. Also, this may be due to misordering or errors in received outer packets."; reference"draft-ietf-ipsecme-iptfs";"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS)"; } } grouping iptfs-outer-rx-stat-grouping { description "IP-TFS outer packet inbound statistics"; leaf rx-all-pad-pkts { type yang:counter64; config false; description "Total number of received IP-TFS packets that were all padding with no inner packet data."; reference"draft-ietf-ipsecme-iptfs section"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3"; } leaf rx-all-pad-octets { type yang:counter64; config false; description "Total number of received octets of padding added to IP-TFS packets with no inner packet data."; reference"draft-ietf-ipsecme-iptfs section"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3"; } leaf rx-extra-pad-pkts { type yang:counter64; config false; description "Total number of received outer IP-TFS packets that included some padding."; reference"draft-ietf-ipsecme-iptfs section"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3.1"; } leaf rx-extra-pad-octets { type yang:counter64; config false; description "Total number of received octets of padding added to outer IP-TFS packets with data."; reference"draft-ietf-ipsecme-iptfs section"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3.1"; } leaf rx-errored-pkts { type yang:counter64; config false; description "Total number of IP-TFS outer packets dropped due to errors."; reference"draft-ietf-ipsecme-iptfs";"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS)"; } leaf rx-missed-pkts { type yang:counter64; config false; description "Total number of IP-TFS outer packetsmissingmissing, indicated by a missing sequence number."; reference"draft-ietf-ipsecme-iptfs";"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS)"; } } grouping iptfs-config { description "This is the grouping foriptfs configuration";IP-TFS configuration."; container traffic-flow-security { description "Configure theIPSecIPsec TFS in the Security Association Database(SAD)";(SAD)."; leaf congestion-control { type boolean; default "true"; description "When set to true, the default, this enables the congestion control on-the-wire exchange of data that is required by congestion controlalgorithmsalgorithms, as defined by RFC 5348. When set to false, IP-TFS sendsfixed-sizedfixed-size packets over an IP-TFS tunnel at a constant rate."; reference"draft-ietf-ipsecme-iptfs section 2.5.2,"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.4.2; RFC5348";5348: TCP Friendly Rate Control (TFRC): Protocol Specification"; } container packet-size { description "Packet size is either auto-discovered or manually configured."; leaf use-path-mtu-discovery { type boolean; default "true"; description "Utilize pathmtuMTU discovery to determine maximum IP-TFS packet size. If the packet size is explicitly configured, then it will only be adjusted downward if use-path-mtu-discovery is set."; reference"draft-ietf-ipsecme-iptfs section"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 4.2"; } leaf outer-packet-size { type uint16; unitsbytes;"bytes"; description "On transmission, the size of the outer encapsulating tunnel packet (i.e., the IP packet containingthe ESP payload).";Encapsulating Security Payload (ESP))."; reference"draft-ietf-ipsecme-iptfs section"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 4.2"; } } choice tunnel-rate { description"TFS"The TFS bit rate may be specified at layer 2 wire rate or layer 3 packetrate";rate."; leaf l2-fixed-rate { type yang:gauge64; units "bits/second"; description "On transmission, target bandwidth/bit rate in bits/second foriptfsIP-TFS tunnel. This fixed rate is the nominal timing for thefixed sizefixed-size packet. If congestion control isenabledenabled, the rate may be adjusted down (or up if unset)."; reference"draft-ietf-ipsecme-iptfs section"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 4.1"; } leaf l3-fixed-rate { type yang:gauge64; units "bits/second"; description "On transmission, target bandwidth/bit rate in bits/second foriptfsIP-TFS tunnel. This fixed rate is the nominal timing for thefixed sizefixed-size packet. If congestion control isenabledenabled, the rate may be adjusted down (or up if unset)."; reference"draft-ietf-ipsecme-iptfs section"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 4.1"; } } leaf dont-fragment { type boolean; default "false"; description "On transmission, disable packet fragmentation across consecutiveiptfsIP-TFS tunnel packets; inner packets larger than what can be transmitted in outer packets will be dropped."; reference"draft-ietf-ipsecme-iptfs section"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.4 and 6.1.4"; } leaf max-aggregation-time { type decimal64 { fraction-digits 6; } units "milliseconds"; description "On transmission, maximum aggregation time is the maximum length of time a received inner packet can be held prior to transmission in theiptfsIP-TFS tunnel. Inner packets that would be held longer than this time, based on the current tunnelconfigurationconfiguration, will be dropped rather than be queued for transmission. Maximum aggregation time is configurable in milliseconds or fractional milliseconds down to 1 nanosecond."; } leaf window-size { type uint16 { range "0..65535"; } description "On reception, the maximum number of out-of-order packets that will be reordered by aniptfsIP-TFS receiver while performing the reordering operation. The value 0 disables any reordering."; reference"draft-ietf-ipsecme-iptfs section"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3"; } leaf send-immediately { type boolean; default "false"; description "On reception, send inner packets as soon aspossible,possible; do not wait for lost or misordered outer packets. Selecting this option reduces the inner (user) packet delay but can amplify out-of-order delivery of the inner packet stream in the presence of packet aggregation and any reordering."; reference"draft-ietf-ipsecme-iptfs section"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.5"; } leaf lost-packet-timer-interval { type decimal64 { fraction-digits 6; } units "milliseconds"; description "On reception, this interval defines the length of time aniptfsIP-TFS receiver will wait for a missing packet before considering it lost. If not using send-immediately, then each lost packet will delay inner (user) packets until this timer expires. Setting this value too low can impact reordering and reassembly. The value is configurable in milliseconds or fractional milliseconds down to 1 nanosecond."; reference"draft-ietf-ipsecme-iptfs section"RFC 9347: Aggregation and Fragmentation Mode for Encapsulating Security Payload (ESP) and Its Use for IP Traffic Flow Security (IP-TFS), Section 2.2.3"; } } } /* * IP-TFS ike configuration */ augment "/nsfike:ipsec-ike/nsfike:conn-entry/nsfike:spd/" + "nsfike:spd-entry/" + "nsfike:ipsec-policy-config/" + "nsfike:processing-info/" + "nsfike:ipsec-sa-cfg" { description "IP-TFS configuration for this policy."; uses iptfs-config; } augment "/nsfike:ipsec-ike/nsfike:conn-entry/" + "nsfike:child-sa-info" { description "IP-TFS configured on this SA."; uses iptfs-config { refine "traffic-flow-security" { config false; } } } /* * IP-TFS ikeless configuration */ augment "/nsfikels:ipsec-ikeless/nsfikels:spd/" + "nsfikels:spd-entry/" + "nsfikels:ipsec-policy-config/" + "nsfikels:processing-info/" + "nsfikels:ipsec-sa-cfg" { description "IP-TFS configuration for this policy."; uses iptfs-config; } augment "/nsfikels:ipsec-ikeless/nsfikels:sad/" + "nsfikels:sad-entry" { description "IP-TFS configured on this SA."; uses iptfs-config { refine "traffic-flow-security" { config false; } } } /* * packet counters */ augment "/nsfike:ipsec-ike/nsfike:conn-entry/" + "nsfike:child-sa-info" { description"Per SA Counters";"Per-SA counters"; container ipsec-stats { if-feature "ipsec-stats"; config false; description "IPsecper SAper-SA packet counters. tx = outbound, rx = inbound"; uses ipsec-tx-stat-grouping; uses ipsec-rx-stat-grouping; } container iptfs-inner-pkt-stats { if-feature "iptfs-stats"; config false; description"IPTFS per SA"IP-TFS per-SA inner packet counters. tx = outbound, rx = inbound"; uses iptfs-inner-tx-stat-grouping; uses iptfs-inner-rx-stat-grouping; } container iptfs-outer-pkt-stats { if-feature "iptfs-stats"; config false; description"IPTFS per SA"IP-TFS per-SA outer packets counters. tx = outbound, rx = inbound"; uses iptfs-outer-tx-stat-grouping; uses iptfs-outer-rx-stat-grouping; } } /* * packet counters */ augment "/nsfikels:ipsec-ikeless/nsfikels:sad/" + "nsfikels:sad-entry" { description"Per SA Counters";"Per-SA counters"; container ipsec-stats { if-feature "ipsec-stats"; config false; description "IPsecper SAper-SA packet counters. tx = outbound, rx = inbound"; uses ipsec-tx-stat-grouping; uses ipsec-rx-stat-grouping; } container iptfs-inner-pkt-stats { if-feature "iptfs-stats"; config false; description"IPTFS per SA"IP-TFS per-SA inner packet counters. tx = outbound, rx = inbound"; uses iptfs-inner-tx-stat-grouping; uses iptfs-inner-rx-stat-grouping; } container iptfs-outer-pkt-stats { if-feature "iptfs-stats"; config false; description"IPTFS per SA"IP-TFS per-SA outer packets counters. tx = outbound, rx = inbound"; uses iptfs-outer-tx-stat-grouping; uses iptfs-outer-rx-stat-grouping; } } } ]]></sourcecode> </section> </section> <section numbered="true" toc="default"> <name>IANA Considerations</name> <section numbered="true" toc="default"> <name>Updates to the IETF XML Registry</name><t>This document registers<t>Per this document, IANA has registered a URI in the "IETF XML Registry" <xref target="RFC3688"format="default"/>. Following the format in <xref target="RFC3688" format="default"/>, the following registration has been made:</t>format="default"/> as follows.</t> <dlnewline="true" spacing="normal">newline="false" spacing="compact"> <dt>URI:</dt> <dd>urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs</dd> <dt>Registrant Contact:</dt> <dd>The IESG.</dd> <dt>XML:</dt> <dd>N/A; the requested URI is an XML namespace.</dd> </dl> </section> <section numbered="true" toc="default"> <name>Updates to the YANG Module Names Registry</name><t>This document registers<t>Per this document, IANA has registered one YANG module in the "YANG Module Names" registry <xref target="RFC6020"format="default"/>. Following the format in <xref target="RFC6020" format="default"/>, the following registration has been made:</t>format="default"/> as follows.</t> <dlnewline="true" spacing="normal"> <dt>name:</dt>newline="false" spacing="compact"> <dt>Name:</dt> <dd>ietf-ipsec-iptfs</dd><dt>namespace:</dt><dt>Namespace:</dt> <dd>urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs</dd><dt>prefix:</dt><dt>Prefix:</dt> <dd>iptfs</dd><dt>reference:</dt><dt>Reference:</dt> <dd>RFCXXXX (RFC Ed.: replace XXXX with actual RFC number and remove this note.)</dd>9348</dd> </dl> </section> </section> <section numbered="true" toc="default"> <name>Security Considerations</name> <t>The YANG module specified in this document defines a schema for data that is designed to be accessed via network management protocols such as NETCONF <xref target="RFC6241" format="default"/> or RESTCONF <xref target="RFC8040" format="default"/>. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) <xref target="RFC6242" format="default"/>. The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS <xref target="RFC8446" format="default"/>.</t> <t>The Network Configuration Access Control Model (NACM) <xref target="RFC8341" format="default"/> provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content.</t><t>Certain<t> There are a number of data nodes defined in this YANG module that arewritable/creatable/deletable. These changes can enable, disable and modify the behavior of IP traffic flow security, for the implications regarding these types of changes consult the <xref target="I-D.ietf-ipsecme-iptfs" format="default"/>writable/creatable/deletable (i.e., config true, whichdefinesis thefunctionality. The relevant sub-treesdefault). These data nodes may be considered sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) to these data nodesare: </t>without proper protection can have a negative effect on network operations. These are the subtrees and data nodes and their sensitivity/vulnerability:</t> <dl spacing="normal" indent="3" newline="false"> <dt>../traffic-flow-security:</dt> <dd>EnablingIP traffic flow securityIP-TFS is controlled by setting the entries under traffic-flow-security in IKE or IKE-less models.IP traffic flow securityIP-TFS is set either to be congestion sensitive or a fixed rate by setting parameters in thissub-tree.subtree. </dd> </dl><t>Certain<t> Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments.While IP-TFS hides the traffic flows through the network, IP-TFS YANG statistics could reveal some information about traffic flows. Therefore, accessIt is thus important toIP-TFS YANG statistics also needscontrol read access (e.g., via get, get-config, or notification) tobe protected from third party observation.these data nodes. TheseIP-TFS YANG statistics can be found at:are the subtrees and data nodes and their sensitivity/vulnerability: </t> <dl spacing="normal" indent="3" newline="false"> <dt>../iptfs-inner-pkt-stats and ../iptfs-outer-pkt-stats:</dt> <dd> Access toIP traffic flow securityIP-TFS statistics can provide information thatIP traffic flow security obscuresIP-TFS obscures, such as the true activity of the flows usingIP traffic flow security.IP-TFS. </dd> </dl> </section><section numbered="true" toc="default"> <name>Acknowledgements</name> <t>The authors would like to thank Eric Kinzie, Juergen Schoenwaelder, Lou Berger and Tero Kivinen for their feedback and review on the YANG model.</t> </section></middle> <back> <references> <name>References</name> <references> <name>Normative References</name><!--<reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119"> <front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <author initials="S." surname="Bradner" fullname="S. Bradner"> <organization/> </author> <date year="1997" month="March"/> <abstract> <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="2119"/> <seriesInfo name="DOI" value="10.17487/RFC2119"/> </reference>--> <reference anchor="RFC4301" target="https://www.rfc-editor.org/info/rfc4301"> <front> <title>Security Architecture for the Internet Protocol</title> <author initials="S." surname="Kent" fullname="S. Kent"> <organization/> </author> <author initials="K." surname="Seo" fullname="K. Seo"> <organization/> </author> <date year="2005" month="December"/> <abstract> <t>This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer. This document obsoletes RFC 2401 (November 1998). [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4301"/> <seriesInfo name="DOI" value="10.17487/RFC4301"/> </reference> <reference anchor="RFC6020" target="https://www.rfc-editor.org/info/rfc6020"> <front> <title>YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)</title> <author initials="M." surname="Bjorklund" fullname="M. Bjorklund" role="editor"> <organization/> </author> <date year="2010" month="October"/> <abstract> <t>YANG is a data modeling language used to model configuration and state data manipulated by the Network Configuration Protocol (NETCONF), NETCONF remote procedure calls, and NETCONF notifications. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="6020"/> <seriesInfo name="DOI" value="10.17487/RFC6020"/> </reference> <reference anchor="RFC7950" target="https://www.rfc-editor.org/info/rfc7950"> <front> <title>The YANG 1.1 Data Modeling Language</title> <author initials="M." surname="Bjorklund" fullname="M. Bjorklund" role="editor"> <organization/> </author> <date year="2016" month="August"/> <abstract> <t>YANG is a data modeling language used to model configuration data, state data, Remote Procedure Calls, and notifications for network management protocols. This document describes the syntax and semantics of version 1.1 of the YANG language. YANG version 1.1 is a maintenance release of the YANG language, addressing ambiguities and defects in the original specification. There are a small number of backward incompatibilities from YANG version 1. This document also specifies the YANG mappings to the Network Configuration Protocol (NETCONF).</t> </abstract> </front> <seriesInfo name="RFC" value="7950"/> <seriesInfo name="DOI" value="10.17487/RFC7950"/> </reference> <!--<reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174"> <front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <author initials="B." surname="Leiba" fullname="B. Leiba"> <organization/> </author> <date year="2017" month="May"/> <abstract> <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="8174"/> <seriesInfo name="DOI" value="10.17487/RFC8174"/> </reference>--> <reference anchor="RFC8342" target="https://www.rfc-editor.org/info/rfc8342"> <front> <title>Network Management Datastore Architecture (NMDA)</title> <author initials="M." surname="Bjorklund" fullname="M. Bjorklund"> <organization/> </author> <author initials="J." surname="Schoenwaelder" fullname="J. Schoenwaelder"> <organization/> </author> <author initials="P." surname="Shafer" fullname="P. Shafer"> <organization/> </author> <author initials="K." surname="Watsen" fullname="K. Watsen"> <organization/> </author> <author initials="R." surname="Wilton" fullname="R. Wilton"> <organization/> </author> <date year="2018" month="March"/> <abstract> <t>Datastores are a fundamental concept binding the data models written in the YANG data modeling language to network management protocols such as the Network Configuration Protocol (NETCONF) and RESTCONF. This document defines an architectural framework for datastores based on the experience gained with the initial simpler model, addressing requirements that were not well supported in the initial model. This document updates RFC 7950.</t> </abstract> </front> <seriesInfo name="RFC" value="8342"/> <seriesInfo name="DOI" value="10.17487/RFC8342"/> </reference><xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4301.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6020.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7950.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8342.xml"/> <referenceanchor="I-D.ietf-ipsecme-iptfs" target="https://www.ietf.org/archive/id/draft-ietf-ipsecme-iptfs-19.txt">anchor="RFC9347" target="https://www.rfc-editor.org/info/rfc9347"> <front><title>IP-TFS: Aggregation<title>Aggregation and Fragmentation Mode forESPEncapsulating Security Payload (ESP) anditsIts Use for IP Traffic FlowSecurity</title>Security (IP-TFS)</title> <author initials="C" surname="Hopps" fullname="Christian Hopps"> <organization>LabN Consulting, L.L.C.</organization> </author> <datemonth="November" day="8" year="2021"/> <abstract> <t> This document describes a mechanism for aggregation and fragmentation of IP packets when they are being encapsulated in ESP payload. This new payload type can be used for various purposes such as decreasing encapsulation overhead for small IP packets; however, the focus in this document is to enhance IPsec traffic flow security (IP-TFS) by adding Traffic Flow Confidentiality (TFC) to encrypted IP encapsulated traffic. TFC is provided by obscuring the size and frequency of IP traffic using a fixed-sized, constant-send-rate IPsec tunnel. The solution allows for congestion control as well as non- constant send-rate usage. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-ipsecme-iptfs-19"/> </reference> <reference anchor="RFC9061" target="https://www.rfc-editor.org/info/rfc9061"> <front> <title>A YANG Data Model for IPsec Flow Protection Based on Software-Defined Networking (SDN)</title> <author initials="R." surname="Marin-Lopez" fullname="R. Marin-Lopez"> <organization/> </author> <author initials="G." surname="Lopez-Millan" fullname="G. Lopez-Millan"> <organization/> </author> <author initials="F." surname="Pereniguez-Garcia" fullname="F. Pereniguez-Garcia"> <organization/> </author> <date year="2021" month="July"/> <abstract> <t>This document describes how to provide IPsec-based flow protection (integrity and confidentiality) by means of an Interface to Network Security Function (I2NSF) Controller. It considers two main well-known scenarios in IPsec: gateway-to-gateway and host-to-host. The service described in this document allows the configuration and monitoring of IPsec Security Associations (IPsec SAs) from an I2NSF Controller to one or several flow-based Network Security Functions (NSFs) that rely on IPsec to protect data traffic. </t> <t>This document focuses on the I2NSF NSF-Facing Interface by providing YANG data models for configuring the IPsec databases, namely Security Policy Database (SPD), Security Association Database (SAD), Peer Authorization Database (PAD), and Internet Key Exchange Version 2 (IKEv2). This allows IPsec SA establishment with minimal intervention by the network administrator. This document defines three YANG modules, but it does not define any new protocol.</t> </abstract>month="January" year="2023"/> </front> <seriesInfo name="RFC"value="9061"/>value="9347"/> <seriesInfo name="DOI"value="10.17487/RFC9061"/> </reference> <reference anchor="RFC6991" target="https://www.rfc-editor.org/info/rfc6991" quoteTitle="true" derivedAnchor="RFC6991"> <front> <title>Common YANG Data Types</title> <author initials="J." surname="Schoenwaelder" fullname="J. Schoenwaelder" role="editor"> <organization showOnFrontPage="true"/> </author> <date year="2013" month="July"/> <abstract> <t indent="0">This document introduces a collection of common data types to be used with the YANG data modeling language. This document obsoletes RFC 6021.</t> </abstract> </front> <seriesInfo name="RFC" value="6991"/> <seriesInfo name="DOI" value="10.17487/RFC6991"/>value="10.17487/RFC9347"/> </reference> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9061.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6991.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6241.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6242.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8341.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8040.xml"/> </references> <references> <name>Informative References</name><reference anchor="RFC3688" target="https://www.rfc-editor.org/info/rfc3688"> <front> <title>The IETF XML Registry</title> <author initials="M." surname="Mealling" fullname="M. Mealling"> <organization/> </author> <date year="2004" month="January"/> <abstract> <t>This document describes an IANA maintained registry for IETF standards which use Extensible Markup Language (XML) related items such as Namespaces, Document Type Declarations (DTDs), Schemas, and Resource Description Framework (RDF) Schemas.</t> </abstract> </front> <seriesInfo name="BCP" value="81"/> <seriesInfo name="RFC" value="3688"/> <seriesInfo name="DOI" value="10.17487/RFC3688"/> </reference> <reference anchor="RFC6241" target="https://www.rfc-editor.org/info/rfc6241"> <front> <title>Network Configuration Protocol (NETCONF)</title> <author initials="R." surname="Enns" fullname="R. Enns" role="editor"> <organization/> </author> <author initials="M." surname="Bjorklund" fullname="M. Bjorklund" role="editor"> <organization/> </author> <author initials="J." surname="Schoenwaelder" fullname="J. Schoenwaelder" role="editor"> <organization/> </author> <author initials="A." surname="Bierman" fullname="A. Bierman" role="editor"> <organization/> </author> <date year="2011" month="June"/> <abstract> <t>The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs). This document obsoletes RFC 4741. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="6241"/> <seriesInfo name="DOI" value="10.17487/RFC6241"/> </reference> <reference anchor="RFC6242" target="https://www.rfc-editor.org/info/rfc6242"> <front> <title>Using the NETCONF Protocol over Secure Shell (SSH)</title> <author initials="M." surname="Wasserman" fullname="M. Wasserman"> <organization/> </author> <date year="2011" month="June"/> <abstract> <t>This document describes a method for invoking and running the Network Configuration Protocol (NETCONF) within a Secure Shell (SSH) session as an SSH subsystem. This document obsoletes RFC 4742. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="6242"/> <seriesInfo name="DOI" value="10.17487/RFC6242"/> </reference> <reference anchor="RFC8040" target="https://www.rfc-editor.org/info/rfc8040"> <front> <title>RESTCONF Protocol</title> <author initials="A." surname="Bierman" fullname="A. Bierman"> <organization/> </author> <author initials="M." surname="Bjorklund" fullname="M. Bjorklund"> <organization/> </author> <author initials="K." surname="Watsen" fullname="K. Watsen"> <organization/> </author> <date year="2017" month="January"/> <abstract> <t>This document describes an HTTP-based protocol that provides a programmatic interface for accessing data defined in YANG, using the datastore concepts defined in the Network Configuration Protocol (NETCONF).</t> </abstract> </front> <seriesInfo name="RFC" value="8040"/> <seriesInfo name="DOI" value="10.17487/RFC8040"/> </reference> <reference anchor="RFC8340" target="https://www.rfc-editor.org/info/rfc8340"> <front> <title>YANG Tree Diagrams</title> <author initials="M." surname="Bjorklund" fullname="M. Bjorklund"> <organization/> </author> <author initials="L." surname="Berger" fullname="L. Berger" role="editor"> <organization/> </author> <date year="2018" month="March"/> <abstract> <t>This document captures the current syntax used in YANG module tree diagrams. The purpose of this document is to provide a single location for this definition. This syntax may be updated from time to time based on the evolution of the YANG language.</t> </abstract> </front> <seriesInfo name="BCP" value="215"/> <seriesInfo name="RFC" value="8340"/> <seriesInfo name="DOI" value="10.17487/RFC8340"/> </reference> <reference anchor="RFC8341" target="https://www.rfc-editor.org/info/rfc8341"> <front> <title>Network Configuration Access Control Model</title> <author initials="A." surname="Bierman" fullname="A. Bierman"> <organization/> </author> <author initials="M." surname="Bjorklund" fullname="M. Bjorklund"> <organization/> </author> <date year="2018" month="March"/> <abstract> <t>The standardization of network configuration interfaces for use with the Network Configuration Protocol (NETCONF) or the RESTCONF protocol requires a structured and secure operating environment that promotes human usability and multi-vendor interoperability. There is a need for standard mechanisms to restrict NETCONF or RESTCONF protocol access for particular users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. This document defines such an access control model.</t> <t>This document obsoletes RFC 6536.</t> </abstract> </front> <seriesInfo name="STD" value="91"/> <seriesInfo name="RFC" value="8341"/> <seriesInfo name="DOI" value="10.17487/RFC8341"/> </reference> <reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8446"> <front> <title>The Transport Layer Security (TLS) Protocol Version 1.3</title> <author initials="E." surname="Rescorla" fullname="E. Rescorla"> <organization/> </author> <date year="2018" month="August"/> <abstract> <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t> <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t> </abstract> </front> <seriesInfo name="RFC" value="8446"/> <seriesInfo name="DOI" value="10.17487/RFC8446"/> </reference> <reference anchor="RFC5348" target="https://www.rfc-editor.org/info/rfc5348"> <front> <title>TCP Friendly Rate Control (TFRC): Protocol Specification</title> <author initials="S." surname="Floyd" fullname="S. Floyd"> <organization/> </author> <author initials="M." surname="Handley" fullname="M. Handley"> <organization/> </author> <author initials="J." surname="Padhye" fullname="J. Padhye"> <organization/> </author> <author initials="J." surname="Widmer" fullname="J. Widmer"> <organization/> </author> <date year="2008" month="September"/> <abstract> <t>This document specifies TCP Friendly Rate Control (TFRC). TFRC is a congestion control mechanism for unicast flows operating in a best-effort Internet environment. It is reasonably fair when competing for bandwidth with TCP flows, but has a much lower variation of throughput over time compared with TCP, making it more suitable for applications such as streaming media where a relatively smooth sending rate is of importance.</t> <t>This document obsoletes RFC 3448 and updates RFC 4342. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5348"/> <seriesInfo name="DOI" value="10.17487/RFC5348"/> </reference><xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3688.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8340.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5348.xml"/> </references> </references> <section numbered="true" toc="default"> <name>Examples</name> <t>The following examples show configuration and operational data for the IKE-less and IKE cases using XML and JSON. Also, the operational statistics for the IKE-less case is illustrated.</t> <section numbered="true" toc="default"> <name>Example XML Configuration</name> <t>This example illustrates configuration for IP-TFS in the IKE-less case. Notethatthat, since this augments the IPsec IKE-lessschemaschema, onlyminimala minimal IKE-less configuration to satisfy the schema has been populated.</t> <figure anchor="sec-example-ip-tfs-xml-configuration"> <name>Example IP-TFS XMLconfiguration</name> <artwork name="" type="" align="left" alt=""><![CDATA[Configuration</name> <sourcecode type="xml"><![CDATA[ <i:ipsec-ikeless xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs"> <i:spd> <i:spd-entry> <i:name>protect-policy-1</i:name> <i:direction>outbound</i:direction> <i:ipsec-policy-config> <i:traffic-selector> <i:local-prefix>192.0.2.0/16</i:local-prefix> <i:remote-prefix>198.51.100.0/16</i:remote-prefix> </i:traffic-selector> <i:processing-info> <i:action>protect</i:action> <i:ipsec-sa-cfg> <tfs:traffic-flow-security> <tfs:congestion-control>true</tfs:congestion-control> <tfs:packet-size> <tfs:use-path-mtu-discovery >true</tfs:use-path-mtu-discovery> </tfs:packet-size> <tfs:l2-fixed-rate>1000000000</tfs:l2-fixed-rate> <tfs:max-aggregation-time >0.1</tfs:max-aggregation-time> <tfs:window-size>5</tfs:window-size> <tfs:send-immediately>false</tfs:send-immediately> <tfs:lost-packet-timer-interval >0.2</tfs:lost-packet-timer-interval> </tfs:traffic-flow-security> </i:ipsec-sa-cfg> </i:processing-info> </i:ipsec-policy-config> </i:spd-entry> </i:spd> </i:ipsec-ikeless>]]></artwork>]]></sourcecode> </figure> </section> <section numbered="true" toc="default"> <name>Example XML Operational Data</name> <t>This example illustrates operational data for IP-TFS in the IKE-less case. Notethatthat, since this augments the IPsec IKE-less schemaonlyonly, a minimal IKE-less configuration to satisfy the schema has been populated.</t> <figure anchor="sec-example-ip-tfs-xml-operational-data"> <name>Example IP-TFS XML Operationaldata</name> <artwork name="" type="" align="left" alt=""><![CDATA[Data</name> <sourcecode type="xml"><![CDATA[ <i:ipsec-ikeless xmlns:i="urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless" xmlns:tfs="urn:ietf:params:xml:ns:yang:ietf-ipsec-iptfs"> <i:sad> <i:sad-entry> <i:name>sad-1</i:name> <i:ipsec-sa-config> <i:spi>1</i:spi> <i:traffic-selector> <i:local-prefix>2001:db8:1::/48</i:local-prefix> <i:remote-prefix>2001:db8:2::/48</i:remote-prefix> </i:traffic-selector> </i:ipsec-sa-config> <tfs:traffic-flow-security> <tfs:congestion-control>true</tfs:congestion-control> <tfs:packet-size> <tfs:use-path-mtu-discovery >true</tfs:use-path-mtu-discovery> </tfs:packet-size> <tfs:l2-fixed-rate>1000000000</tfs:l2-fixed-rate> <tfs:max-aggregation-time>0.100</tfs:max-aggregation-time> <tfs:window-size>0</tfs:window-size> <tfs:send-immediately>true</tfs:send-immediately> <tfs:lost-packet-timer-interval >0.200</tfs:lost-packet-timer-interval> </tfs:traffic-flow-security> </i:sad-entry> </i:sad> </i:ipsec-ikeless>]]></artwork>]]></sourcecode> </figure> </section> <section numbered="true" toc="default"> <name>Example JSON Configuration</name> <t>This example illustratesconfigconfiguration data for IP-TFS in the IKE case. Notethatthat, since this augments the IPsec IKEschemaschema, only a minimalikeIKE configuration to satisfy the schema has been populated.</t> <figure anchor="sec-example-ip-tfs-json-configuration"> <name>Example IP-TFS JSONconfiguration</name> <artworkConfiguration</name> <sourcecode name=""type="" align="left" alt=""><![CDATA[type="json"><![CDATA[ { "ietf-i2nsf-ike:ipsec-ike": { "ietf-i2nsf-ike:conn-entry": [ { "name": "my-peer-connection", "ike-sa-encr-alg": [ { "id": 1, "algorithm-type": 12, "key-length": 128 } ], "local": { "local-pad-entry-name": "local-1" }, "remote": { "remote-pad-entry-name": "remote-1" }, "ietf-i2nsf-ike:spd": { "spd-entry": [ { "name": "protect-policy-1", "ipsec-policy-config": { "traffic-selector": { "local-prefix": "192.0.2.0/16", "remote-prefix": "198.51.100.0/16" }, "processing-info": { "action": "protect", "ipsec-sa-cfg": { "ietf-ipsec-iptfs:traffic-flow-security": { "congestion-control": true, "l2-fixed-rate": "1000000000", "packet-size": { "use-path-mtu-discovery": true }, "max-aggregation-time": "0.1", "window-size": 1, "send-immediately": false, "lost-packet-timer-interval": "0.2" } } } } } ] } } ] } }]]></artwork>]]></sourcecode> </figure> </section> <section numbered="true" toc="default"> <name>Example JSON Operational Data</name> <t>This example illustrates operational data for IP-TFS in the IKE case. Notethatthat, since this augments the IPsec IKEtreetree, only a minimal IKE configuration to satisfy the schema has been populated.</t> <figure anchor="sec-example-ip-tfs-json-operational-data"> <name>Example IP-TFS JSON Operationaldata</name> <artwork name="" type="" align="left" alt=""><![CDATA[Data</name> <sourcecode type="json"><![CDATA[ { "ietf-i2nsf-ike:ipsec-ike": { "ietf-i2nsf-ike:conn-entry": [ { "name": "my-peer-connection", "ike-sa-encr-alg": [ { "id": 1, "algorithm-type": 12, "key-length": 128 } ], "local": { "local-pad-entry-name": "local-1" }, "remote": { "remote-pad-entry-name": "remote-1" }, "ietf-i2nsf-ike:child-sa-info": { "ietf-ipsec-iptfs:traffic-flow-security": { "congestion-control": true, "l2-fixed-rate": "1000000000", "packet-size": { "use-path-mtu-discovery": true }, "max-aggregation-time": "0.1", "window-size": 5, "send-immediately": false, "lost-packet-timer-interval": "0.2" } } } ] } }]]></artwork>]]></sourcecode> </figure> </section> <section numbered="true" toc="default"> <name>Example JSON Operational Statistics</name> <t>This example shows the JSON formatted statistics for IP-TFS. Note a unidirectional IP-TFS transmit side is illustrated, with arbitrary numbers for transmit.</t> <figure anchor="sec-example-ip-tfs-json-statistics"> <name>Example IP-TFS JSON Statistics</name><artwork name="" type="" align="left" alt=""><![CDATA[<sourcecode type="json"><![CDATA[ { "ietf-i2nsf-ikeless:ipsec-ikeless": { "sad": { "sad-entry": [ { "name": "sad-1", "ipsec-sa-config": { "spi": 1, "traffic-selector": { "local-prefix": "192.0.2.1/16", "remote-prefix": "198.51.100.0/16" } }, "ietf-ipsec-iptfs:traffic-flow-security": { "window-size": 5, "send-immediately": false, "lost-packet-timer-interval": "0.2" }, "ietf-ipsec-iptfs:ipsec-stats": { "tx-pkts": "300", "tx-octets": "80000", "tx-drop-pkts": "2", "rx-pkts": "0", "rx-octets": "0", "rx-drop-pkts": "0" }, "ietf-ipsec-iptfs:iptfs-inner-pkt-stats": { "tx-pkts": "250", "tx-octets": "75000", "rx-pkts": "0", "rx-octets": "0", "rx-incomplete-pkts": "0" }, "ietf-ipsec-iptfs:iptfs-outer-pkt-stats": { "tx-all-pad-pkts": "40", "tx-all-pad-octets": "40000", "tx-extra-pad-pkts": "200", "tx-extra-pad-octets": "30000", "rx-all-pad-pkts": "0", "rx-all-pad-octets": "0", "rx-extra-pad-pkts": "0", "rx-extra-pad-octets": "0", "rx-errored-pkts": "0", "rx-missed-pkts": "0" }, "ipsec-sa-state": { "sa-lifetime-current": { "time": 80000, "bytes": "400606", "packets": 1000, "idle": 5 } } } ] } } }]]></artwork>]]></sourcecode> </figure> </section> </section> <section numbered="false" toc="default"> <name>Acknowledgements</name> <t>The authors would like to thank <contact fullname="Eric Kinzie"/>, <contact fullname="Jürgen Schönwälder"/>, <contact fullname="Lou Berger"/>, and <contact fullname="Tero Kivinen"/> for their feedback and review on the YANG module.</t> </section> </back> </rfc>