I2NSF R. Marin-Lopez Internet-Draft G. Lopez-Millan Intended status: Standards Track University of Murcia Expires:February 6,December 19, 2020 F. Pereniguez-Garcia University Defense CenterAugust 5, 2019June 17, 2020 Software-Defined Networking (SDN)-based IPsec Flow Protectiondraft-ietf-i2nsf-sdn-ipsec-flow-protection-07draft-ietf-i2nsf-sdn-ipsec-flow-protection-08 Abstract This document describes howprovidingto provide IPsec-based flow protection (integrity and confidentiality) by means ofa Software-Defined Network (SDN) controller (aka. Security Controller) and establishes the requirements to support this service.an I2NSF Controller. It considers two main well-known scenarios in IPsec: (i) gateway-to- gateway and (ii) host-to-host. TheSDN-basedservice described in this document allows thedistributionconfiguration and monitoring of IPsec information from aSecurityI2NSF Controller to one or several flow-based Network Security Function(NSF). The NSFs(NSF) that implement IPsec to protect datatraffic between network resources.traffic. The document focuses on theNSF FacingI2NSF NSF-Facing Interface by providing YANG data models for configuration and state data required to allow theSecurityI2NSF Controller to configure the IPsec databases (SPD, SAD, PAD) and IKEv2 to establish IPsec Security Associations with a reduced intervention of the network administrator. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire onFebruary 6,December 19, 2020. Copyright Notice Copyright (c)20192020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Requirements Language . . . . . . . . . . . . . . . . . . . .45 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 4.Objectives . . . . . . . . . . . . . . . . . . . . . . . . . 6 5.SDN-based IPsec management description . . . . . . . . . . . 65.1.4.1. IKE case:IKE/IPsecIKEv2/IPsec in the NSF . . . . . . . . . . . ..65.1.1. Interface Requirements for IKE case . . . . . . . . . 7 5.2.4.2. IKE-less case: IPsec (no IKEv2) in the NSF. . . . . . . . 75.2.1. Interface Requirements for IKE-less case . . . . . . 8 5.3.5. IKE case vs IKE-less case . . . . . . . . . . . . . . . . . . 95.3.1.5.1. Rekeyingprocess.process . . . . . . . . . . . . . . . . . . . . 105.3.2.5.2. NSF state loss. . . . . . . . . . . . . . . . . . . .12 5.3.3. NAT Traversal . . .. . 11 5.3. NAT Traversal . . . . . . . . . . . . . . .12 5.3.4. NSF Discovery. . . . . . . 11 5.4. NSF registration and discovery . . . . . . . . . . . . .1312 6. YANG configuration data models . . . . . . . . . . . . . . . 13 6.1. IKE case model . . . . . . . . . . . . . . . . . . . . .1413 6.2. IKE-less case model . . . . . . . . . . . . . . . . . . .1716 7.Use cases examplesIANA Considerations . . . . . . . . . . . . . . . . . . . . . 207.1. Host-to-host or gateway-to-gateway under the same8. SecurityControllerConsiderations . . . . . . . . . . . . . . . . . . .20 7.2. Host-to-host or gateway-to-gateway under different Security Controllers21 8.1. IKE case . . . . . . . . . . . . . . . . . .24 8. IANA Considerations. . . . . . 22 8.2. IKE-less case . . . . . . . . . . . . . . .26 9. Security Considerations. . . . . . . 23 8.3. YANG modules . . . . . . . . . . . .27 9.1. IKE case. . . . . . . . . . 23 9. Acknowledgements . . . . . . . . . . . . . .28 9.2. IKE-less case. . . . . . . . 25 10. References . . . . . . . . . . . . . .29 9.3. YANG modules. . . . . . . . . . . 25 10.1. Normative References . . . . . . . . . . .29 10. Acknowledgements. . . . . . . 25 10.2. Informative References . . . . . . . . . . . . . . .31 11. References. . 26 Appendix A. Common YANG model for IKE and IKE-less cases . . . . 29 Appendix B. YANG model for IKE case . . . . . . . . . . . . . . 42 Appendix C. YANG model for IKE-less case . . . . .31 11.1. Normative References. . . . . . . 61 Appendix D. XML configuration example for IKE case (gateway-to- gateway) . . . . . . . . . . .31 11.2. Informative References. . . . . . . . . . . 71 Appendix E. XML configuration example for IKE-less case (host- to-host) . . . . . .32 Appendix A. Appendix A: Common YANG model for IKE and IKE-less cases. . . . . . . . . . . . . . . . 75 Appendix F. XML notification examples . . . . . . .35 Appendix B. Appendix B: YANG model for IKE case. . . . . . 79 Appendix G. Operational use cases examples . .48 Appendix C. Appendix C: YANG model for IKE-less case. . . . . .67 Appendix D. Example of IKE case, tunnel mode (gateway-to- gateway) with X.509 certificate authentication.. .77 Appendix E.. 80 G.1. Example ofIKE-less case, transport mode (host-to- host).IPsec SA establishment . . . . . . . . . . . . 80 G.1.1. IKE case . . . . . . . . . . . . . . . . . . . . . . 81Appendix F. Examples of notifications.G.1.2. IKE-less case . . . . . . . . . . . . . . . . . . . . 83 G.2. Example of the rekeying process in IKE-less case . . . . 85 G.3. Example of managing NSF state loss in IKE-less case . . . 86 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 86 1. Introduction Software-Defined Networking (SDN) is an architecture that enables users to directly program, orchestrate, control and manage network resources through software. The SDN paradigm relocates the control of network resources to adedicated network element,centralized entity, namely SDN Controller. The SDN controller(or Security Controller in the context of this document)manages and configures the distributed network resources and provides an abstracted view of the network resources to the SDN applications. The SDN application can customize and automate the operations (including management) of the abstracted network resources in a programmable manner via this interface [RFC7149] [ITU-T.Y.3300] [ONF-SDN-Architecture] [ONF-OpenFlow]. Recently, several network scenarios areconsideringdemanding a centralized way of managing different security aspects. For example, Software- Defined WANs (SD-WAN), an SDN extension providing a software abstraction to create secure network overlays over traditional WAN and branch networks. SD-WAN is based on IPsec [RFC4301] as an underlying security protocol and aims to provide flexible, automated,fast deploymentand rapid deployment, enabling on-demand security networkservicesservices, such as IPsecSA managementSecurity Association (IPsec SA) management, from a centralized point. Additionally, Section 4.3.3 in [RFC8192] describes another example, a use case for Cloud Data Center Scenario, entitled Client-Specific Security Policy in Cloud VPNs, where "the dynamic key management is critical for securing the VPN and the distribution of policies". These VPNs can be established using IPsec. The management of IPsec SAs in data centers using a centralized entity is also an scenario of interest. Therefore, with the growth of SDN-based scenarios where network resources are deployed in an autonomous manner, a mechanism to manage IPsec SAsaccording to the SDN architecturefrom a centralized entity becomes morerelevant. Thus, the SDN-based service describedrelevant inthis document will autonomously deal with IPsec SAs management following the SDN paradigm. IPsec architecture [RFC4301] defines clear separation betweentheprocessing to provide security servicesindustry. In response toIP packets andthis need, thekey management proceduresInterface toestablish the IPsecNetwork SecurityAssociations. InFunctions (I2NSF) charter states that the goal of thisdocument, weworking group is "to definea service where the key management procedures can be carried by an externalset of software interfaces andcentralized entity: thedata models for controlling and monitoring aspects of physical and virtual Network SecurityController. First,Functions". As defined in [RFC8192] an NSF is "a function that is used to ensure integrity, confidentiality, or availability of network communication; to detect unwanted network activity; or to block, or at least mitigate, the effects of unwanted activity". This document pays special attention to flow-based NSFs that ensure integrity and confidentiality by means of IPsec. In fact, as Section 3.1.9 in [RFC8192] states "there is a need for a controller to create, manage, and distribute various keys to distributed NSFs.", however "there is a lack of a standard interface to provision and manage security associations". Inspired in the SDN paradigm, the I2NSF framework [RFC8329] defines a centralized entity, the I2NSF Controller, which manages one or multiple NSFs through a I2NSF NSF-Facing interface. In this documentexposeswe define a service allowing therequirementsI2NSF Controller tosupportcarry out theprotection ofkey management procedures. More specifically, we define YANG dataflows usingmodels for I2NSF NSF-Facing interface that allow the I2NSF Controller to configure and monitor IPsec-enabled flow-based NSFs. IPsec[RFC4301]. We have consideredarchitecture [RFC4301] defines clear separation between the processing to provide security services to IP packets and the key management procedures to establish the IPsec Security Associations, which allows to centralize the key management procedures in the I2NSF Controller. This document considers two typical scenarios to autonomously manage IPsec SAs: gateway-to-gateway and host-to-host [RFC6071]. In these cases, hosts, gateways or both may act as NSFs. Consideration for the host-to-gateway scenario is out of scope. For the definition of the YANG data model for I2NSF NSF-Facing interface, this document considers two generalcases:cases, namely: 1) IKE case. TheNetwork Security Function (NSF)NSF implements the Internet Key Exchange(IKE)version 2 (IKEv2) protocol and the IPsec databases: the Security Policy Database (SPD), the Security Association Database (SAD) and the Peer Authorization Database (PAD). TheSecurityI2NSF Controller is in charge of provisioning the NSF with the required informationto IKE,in theSPDSPD, PAD (e.g. IKE credential) and IKE protocol itself (e.g. parameters for thePAD.IKE_SA_INIT negotiation). 2) IKE-less case. The NSF only implements the IPsec databases (no IKE implementation). TheSecurityI2NSF Controller will provide the required parameters to create valid entries in the SPD and the SAD into the NSF. Therefore, the NSF will have only support for IPsec whileautomatedkey management functionality is moved to theSecurityI2NSF Controller. In both cases,an interface/protocol is required to carrya data model for the I2NSF NSF-Facing interface is required to carry out this provisioning in a secure manner between theSecurityI2NSF Controller and the NSF.In particular, IKE case requires the provision of SPD and PAD entries, the IKE credential and information related with the IKE negotiation (e.g. IKE_SA_INIT). IKE-less case requires the management of SPD and SAD entries.Based on YANG models in [netconf-vpn] and [I-D.tran-ipsecme-yang], RFC 4301 [RFC4301] and RFC 7296 [RFC7296], this document defines the required interfaces with a YANG model for configuration and state data for IKE, PAD, SPD and SAD (see Appendix A, Appendix B and Appendix C). Examples of the usage of these models can be found in Appendix D, Appendix E and Appendix F.This document considers two typical scenarios to manage autonomously IPsec SAs: gateway-to-gateway and host-to-host [RFC6071].Inthese cases, hosts, gateways or both may act as NSFs. Finally, it also discusses the situation where two NSFs are under the control of two different Security Controllers. The analysis ofsummary, thehost-to-gateway (roadwarrior) scenario is out of scopeobjetives of thisdocument. Finally, this work pays attention toI-D are: o To describe thechallenge "Lack of Mechanismarchitecture forDynamic Key Distribution to NSFs" defined in [RFC8192] intheparticular case ofI2NSF-based IPsec management, which allows the establishment and management of IPsecSAs. In fact,this I-D could be considered as a proper use case forsecurity associations from the I2NSF Controller in order to protect specific data flows between two flow-based NSFs implementing IPsec. o To map thisparticular challengearchitecture to the I2NSF Framework. o To define the interfaces required to manage and monitor the IPsec SAs in[RFC8192].the NSF from a I2NSF Controller. YANG data models are defined for configuration and state data for IPsec and IKEv2 management through the I2NSF NSF-Facing interface. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. When these words appear in lower case, they have their natural language meaning. 3. Terminology This document uses the terminology described in[RFC7149], [RFC4301],[RFC8329], [RFC8192], [RFC4301],[RFC7296], [RFC6241], [ITU-T.Y.3300],[ONF-SDN-Architecture], [ONF-OpenFlow], [ITU-T.X.1252], [ITU-T.X.800] and [I-D.ietf-i2nsf-terminology]. In addition, theThe followingterms areterm is definedbelow:in [ITU-T.Y.3300]: o Software-Defined Networking.A set of techniques enabling to directly program, orchestrate, control, and manage network resources, which facilitates the design, delivery and operation of network servicesThe following terms are ina dynamic and scalable manner [ITU-T.Y.3300].defined in [RFC8192]: oFlow/Data Flow. Set of network packets sharing a set of characteristics, for example IP dst/src values or QoS parameters. o Security Controller. An entity that contains control plane functions to manage and facilitate information sharing, as well as execute security functions. In the context of this document, it provides IPsec management information. o Network Security Function (NSF). Software that provides a set of security-related services.NSF. o Flow-based NSF.A NSF that inspects network flows according to a set of policies intended for enforcing security properties.TheNSFs consideredfollowing terms are defined inthis document fall into this classification.[RFC4301]: oFlow-based Protection Policy.Peer Authorization Database (PAD). o Security Associations Database (SAD). o Security Policy Database (SPD). Theset of rules defining the conditions under which a data flow MUST be protected with IPsec, and the rules that MUST be applied to the specificfollowing term is defined in [RFC6437]: o Flow/traffic flow. The following terms is defined in [RFC7296]: o Internet Key Exchange(IKE) v2. Protocol to establishversion 2 (IKEv2). The following terms are defined in [RFC6241]: o Configuration data. o Configuration datastore. o State date. o Startup configuration datastore. o Running configuration datastore. 4. SDN-based IPsecSecurity Associations (SAs). It requires information aboutmanagement description As mentioned in Section 1, two cases are considered, depending on whether therequired authentication method (i.e. raw RSA/ECDSA keysNSF ships an IKEv2 implementation orX.509 certificates), Diffie-Hellman (DH) groups, IPsec SAs parametersnot: IKE case andalgorithms forIKE-less case. 4.1. IKESA negotiation, etc. o Security Policy Database (SPD). It includes information aboutcase: IKEv2/IPsec in the NSF In this case, the NSF ships an IPsecpolicies direction (in, out), local and remote addresses (traffic selectors information), inboundimplementation with IKEv2 support. The I2NSF Controller is in charge of managing andoutboudapplying IPsecSAs, etc. o Security Associations Database (SAD). It includesconnection informationabout IPsec SAs,(determining which nodes need to start an IKEv2/IPsec session, identifying the type of traffic to be protected, deriving and delivering IKEv2 Credentials such asSPI, destination addresses, authentication and encryption algorithms and keys to protect IP flows. o Peer Authorization Database (PAD). It provides the link between the SPD and a security association management protocol. It is used when the NSF deploys IKE implementation (IKE case). 4. Objectives o To describe the architecture for the SDN-based IPsec management, which implements a security service to allow the establishment and management of IPsec security associations from a central point, in order to protect specific data flows. o To define the interfaces required to manage and monitor the IPsec Security Associations (SA) in the NSF from a Security Controller. YANG models are defined for configuration and state data for IPsec management. 5. SDN-based IPsec management description As mentioned in Section 1, two cases are considered, depending on whether the NSF ships an IKEv2 implementation or not: IKE case and IKE-less case. 5.1. IKE case: IKE/IPsec in the NSF In this case the NSF ships an IKEv2 implementation besides the IPsec support. The Security Controller is in charge of managing and applying IPsec connection information (determining which nodes need to start an IKE/IPsec session, deriving and delivering IKE Credentials such as a pre-shared key, certificates, etc.),a pre- shared key, certificates, etc.), and applying otherIKEIKEv2 configuration parameters (e.g. cryptographic algorithms for establishing anIKEIKEv2 SA) to the NSF necessary for theIKEIKEv2 negotiation. With these entries, the IKEv2 implementation can operate to establish the IPsec SAs. Theapplication (administrator)I2NSF User establishes the IPsec requirements and information about the end points information (through theClient FacingI2NSF Consumer-Facing Interface,[RFC8192]),[RFC8329]), and theSecurityI2NSF Controller translates these requirements intoIKE,IKEv2, SPD and PAD entries that will be installed into the NSF (through theNSF FacingI2NSF NSF-Facing Interface). With that information, the NSF can just run IKEv2 to establish the required IPsec SA (when thedatatraffic flow needs protection). Figure 1 shows the different layers and corresponding functionality. +-------------------------------------------+|IPsec Management/Orchestration Application|Client orIPsec Management System | I2NSFClient | App GatewayUser +-------------------------------------------+ |Client Facing| I2NSF Consumer-Facing | Interface +-------------------------------------------+Vendor | Application Support|Facing<->|-------------------------------------------| Security Interface| IKE Credential,PADIKEv2 Configuration, PAD and SPDentries Distr.Entries | I2NSF | Distribution | Controller +-------------------------------------------+ |NSF Facing Interface +-------------------------------------------+| I2NSFAgentNSF-Facing ||-------------------------------------------| NetworkInterface +-------------------------------------------+ |IKEIKEv2 |IPsec(SPD,PAD)IPsec(PAD, SPD) |SecurityNetwork |-------------------------------------------|FunctionSecurity | IPsec Data Protection and Forwarding | Function +-------------------------------------------+ Figure 1: IKE case: IKE/IPsec in the NSF5.1.1. Interface Requirements for IKE case SDN-basedI2NSF-based IPsec flow protection services provide dynamic and flexible management of IPsec SAs in flow-based NSFs. In order to support this capability in the IKE case,the following interface requirements need to be met: o Aa YANG data model for IKEv2, SPD and PAD configuration data, and forIKEIKEv2 statedata. o In scenarios where multiple Security Controllers are implicated, SDN-based IPsec management services may require a mechanism to discover which Security Controller is managing a specific NSF. Moreover, an east-west interface [RFC7426] is required to exchange IPsec-related information. For example, if two gateways need to establish an IPsec SA and both are under the control of two different controllers, then both Security Controllers need to exchange information to properly configure their own NSFs. That is, the may need to agree on whether IKEv2 authentication willdata MUST bebased on raw public keys, pre-shared keys, etc. In case of using pre-shared keys they will have to agree indefined for thePSK. 5.2.I2NSF NSF-Facing Interface. 4.2. IKE-less case: IPsec (no IKEv2) in the NSF. In this case, the NSF does not deploy IKEv2 and, therefore, theSecurityI2NSF Controller has to perform theIKEIKEv2 security functions and management of IPsec SAs by populating and managing the SPD and the SAD. +-----------------------------------------+ | IPsec ManagementApplication | Client orSystem | I2NSFClient | App GatewayUser +-----------------------------------------+ |Client Facing| I2NSF Consumer-Facing Interface | +-----------------------------------------+Vendor| Application Support|Facing<->|-----------------------------------------| Security Interface| SPD, SADSPD andPADSAD EntriesDistr.| I2NSF | Distribution | Controller +-----------------------------------------+ |NSF Facing| I2NSF NSF-Facing Interface | +-----------------------------------------+ |I2NSF AgentIPsec (SPD, SAD) | Network |-----------------------------------------| Security | IPsec(SPD,SAD) | Function (NSF) |-----------------------------------------| |Data Protection and Forwarding | Function +-----------------------------------------+ Figure 2: IKE-less case: IPsec (noIKE)IKEv2) in the NSF As shown in Figure 2,applications for flow protection run on the top of the Security Controller. Whenwhen anadministratorI2NSF User enforcesflow- basedflow-based protection policies through theClient FacingConsumer-Facing Interface, theSecurityI2NSF Controller translates these requirements into SPD and SAD entries, which are installed in the NSF. PAD entries are not required since there is no IKEv2 in the NSF.5.2.1. Interface Requirements for IKE-less caseIn order to support the IKE-less case,the following requirements need to be met: o Aa YANG data model forconfiguration data forSPD and SAD configuration data andforSAD state datafor SAD. o In scenarios where multiple controllers are implicated, SDN-based IPsec management services may require a mechanism to discover which Security Controller is managing a specific NSF. Moreover, an east-west interface [RFC7426] is required to exchange IPsec- related information. NOTE: A possible east-west protocol for this IKE-less case could be IKEv2. However, this needs to be explore since the IKEv2 peers wouldMUST be defined for theSecurity Controllers.NSF-Facing Interface. Specifically, the IKE-less case assumes that theSDN controllerI2NSF Controller has to perform some security functions that IKEv2 typically does, namely (non-exhaustive): o IV generation. o Prevent counter resets for the same key. o Generation of pseudo-random cryptographic keys for the IPsec SAs. oRekeyGeneration of the IPsec SAs when required based on notifications (i.e. sadb-acquire) from theNSF (i.e. expire).NSF. oGenerationRekey of the IPsec SAswhen requiredbased on notifications(i.e. sadb-acquire)from theNSF.NSF (i.e. expire). o NAT Traversal discovery and management. Additionally to these functions, another set of tasks must be performed by theSecurityI2NSF Controller (non-exhaustive list): o IPsec SA's SPI random generation. o Cryptographic algorithm/s selection. o Usage of extended sequence numbers. o Establishment of proper traffic selectors.5.3.5. IKE case vs IKE-less case In principle, the IKE case is easier to deploy than the IKE-less case because current flow-based NSFs (either hosts or gateways) have access to IKEv2 implementations. While gateways typicallyhavedeploy an IKEv2/IPsecimplementation. Moreoverimplementation, hosts caninstalleasilyan IKE implementation.install it. As downside, the NSF needs more resources to holdIKEv2. Moreover, theIKEv2implementation needs to implement an internal interface so that the IKE configuration sent bysuch as memory for theSecurity Controller can be enforced in runtime.IKEv2 implementation, and computation, since each IPsec security association rekeying MAY involve a Diffie-Hellman exchange. Alternatively, IKE-less caseallows lighter NSFs (no IKEv2 implementation), whichbenefits the deployment in resource- constrained NSFs. Moreover, IKEv2 does not need to be performed in gateway-to-gateway and host-to-host scenarios under the sameSecurityI2NSF Controller (seeSection 7.1).Appendix G.1). On the contrary, theoverloadcomplexity of creating and managing IPsec SAs is shifted to theSecurityI2NSF Controller since IKEv2 is not in the NSF. As a consequence, this may result in a more complex implementation in the controller side in comparison with IKE case. For example, theSecurityI2NSF Controllerhavehas to deal with the latency existing in the path between theSecurityI2NSF Controller and theNSFNSF, in order to solve tasks suchas, rekeyas rekey, or creation and installation of new IPsec SAs. However, this is not specific toourthis contribution but a general aspect in any SDN-based network. In summary, thisoverload maycomplexity MAY create some scalability and performance issues when the number of NSFs is high. Nevertheless, literature around SDN-based network management using a centralizedSecurity Controllercontroller (like the I2NSF Controller) is aware about scalability and performance issues and solutions have been already provided and discussed (e.g. hierarchicalSecurity Controllers;controllers; having multiple replicatedSecurity Controllers,controllers, dedicated high-speed management networks, etc). In the context ofSDN-basedI2SNF-based IPsec management, one way to reduce the latency and alleviate some performance issues can be the installation of the IPsec policies and IPsec SAs at the same time (proactive mode, as described inSection 7.1)Appendix G.1) instead of waiting for notifications (e.g. a notification sadb-acquire when a new IPsec SA is required) to proceed with the IPsec SAinstallationsinstallation (reactive mode). Another way to reduce the overhead and the potential scalability and performance issues in theSecurityI2NSF Controller is to apply the IKE case described in this document, since the IPsec SAs are managed between NSFs without the involvement of theSecurityI2NSF Controller at all, except by the initialIKEconfiguration (i.e. IKEv2, PAD and SPD entries) provided by theSecurityI2NSF Controller. Other solutions, such as Controller-IKE [I-D.carrel-ipsecme-controller-ike], have proposed that NSFs provide their DH public keys to theSecurityI2NSF Controller, so that theSecurityI2NSF Controller distributes all public keys to all peers. All peers can calculate a unique pairwise secret for each other peer and there is no inter-NSF messages. A rekey mechanism is further described in [I-D.carrel-ipsecme-controller-ike]. In terms of security, IKE case provides better security properties than IKE-less case, as we discuss in section Section9.8. The main reason is that the NSFsare generatinggenerate the session keys and not theSecurityI2NSF Controller.5.3.1.5.1. Rekeying process Performing a rekey for IPsec SAs is an important operation during the IPsec SAs management. With the YANG data models defined in this document the I2NSF Controller can configure and conduct the rekey process. Depending on the case, the rekey process is different. For the IKE case, the rekeying process is carried out by IKEv2, following the information defined in the SPD andSAD.SAD (i.e. based on the IPsec SA lifetime established by the I2NSF Controller using the YANG data model defined in this document). Therefore, IPsec connections will live unless something different is required by theadministratorI2NSF User or theSecurityI2NSF Controller detects something wrong.Traditionally, during a rekey process ofFor theIPSec SA using IKE, a bundle of inbound and outbound IPsec SAs is taken into account fromIKE-less case, theperspective of oneI2NSF Controller MUST take care of theNSFs. For example, ifrekeying process. When theinboundIPsec SAexpires both the inbound and outboundis going to expire (e.g. IPsec SAare rekeyed at the same time in that NSF. However, when IKE is not used, we have followed a different approach to avoid any packet loss during rekey: the Security Controller installs first the new inbound SAs in both NSFs and then, the outbound IPsec SAs. In other words, for the IKE-less case, the Security Controller needs to take care of the rekeying process. When the IPsec SA is going to expire (e.g. IPsec SA soft lifetime), it has to createsoft lifetime), it MUST create a new IPsec SA and it MAY remove the oldone.one (if a IPsec SA lifetime has not been defined). This rekeying process starts when theSecurityI2NSF Controller receives asadb-expiresadb- expire notification or it decides so, based on lifetime state data obtained from the NSF.To explainHow therekeyingI2NSF Controller implements an algorithm for the rekey processbetween two IPsec NSFs A and B, let assume that SPIa1 identifiesis out of theinbound IPsec SAscope of this document. Nevertheless, an example of how this rekey could be performed is inA, and SPIb1Appendix G.2. 5.2. NSF state loss. If one of theinbound IPsec SA in B. The rekeying processNSF restarts, it willtake the following steps: 1. The Security Controller chooses two random values as SPI forlose thenew inbound IPsec SAs: for example, SPIa2 for A and SPIb2 for B. These numbers MUST NOT be in conflict with anyIPsecSA in A or B. Then,state (affected NSF). By default, theSecurityI2NSF Controllercreates an inbound IPsec SA with SPIa2 in A and another inbound IPsec SA in B with SPIb2. Itcansend this information simultaneously to A and B. 2. Once the Security Controller receives confirmation from A and B, the controller knowsassume that all theinbound IPsec A are correctly installed. Thenstate has been lost and therefore itproceedswill have to sendin parallel to AIKEv2, SPD andB, the outbound IPsec SAs: it sends the outbound IPsec SA to A with SPIb2 and the outbound IPsec SAPAD information toB with SPIa2. At this point the new IPsec SAs are ready. 3. Once the Security Controller receives confirmation from A and B that the outbound IPsec SAs have been installed,theSecurity Controller,NSF inparallel, deletestheold IPsec SAs from A (inbound SPIa1 and outbound SPIb1)IKE case, andB (outbound SPIa1SPD andinbound SPIb1). If some of the operationsSAD information instep 1 fail (e.g. the NSF A reports an error whentheSecurity Controller is trying to install a new inbound IPsec SA)IKE-less case. In both cases, theSecurityI2NSF Controllermust perform rollback operations by removing any new inbound SA that had been successfully installed during step 1. If step 1issuccessful but someaware of theoperations in step 2 failsaffected NSF (e.g. theNSF A reports an error whenNETCONF/TCP connection is broken with theSecurityaffected NSF, the I2NSF Controller istrying to install the new outbound IPsec SA),receiving sadb-bad-spi notification from a particular NSF, etc.). Moreover, theSecurityI2NSF Controllermust performkeeps arollback operation by deleting any new outbound SAlist of NSFs thathad been successfully installed during step 2 and by deleting the inboundhave IPsec SAscreated in step 1. Ifwith thesteps 1 an 2 are successful andaffected NSF. Therefore, it knows thestep 3 failsaffected IPsec SAs. In theSecurityIKE case, the I2NSF Controller willavoid any rollback ofconfigure the affected NSF with theoperations carried out in step 1 and step 2 sincenewand valid IPsec SAs were created and are functional. The Security Controller may reattempt to remove the old inbound and outbound SAs in NSF A and NSF B several times until it receives a success or it gives up. In the last case, the old IPsec SAs will be removed when the hard lifetime is reached. 5.3.2. NSF state loss. If one of the NSF restarts, it will lose the IPsec state (affected NSF). By default, the Security Controller can assume that all the state has been lost and therefore it will have to send IKEv2, SPD and PAD information to the NSF in the IKE case, and SPD and SAD information in IKE-less case. In both cases, the Security Controller is aware of the affected NSF (e.g. the NETCONF/TCP connection is broken with the affected NSF, the Security Controller is receiving sadb-bad-spi notification from a particular NSF, etc.). Moreover, the Security Controller has a register about all the NSFs that have IPsec SAs with the affected NSF. Therefore, it knows the affected IPsec SAs. In IKE case, the Security Controller will configure the affected NSF with the new IKEv2, SPDIKEv2, SPD and PAD information. It has also to send new parameters (e.g. a new fresh PSK for authentication) to the NSFs which have IKEv2 SAs and IPsec SAs with the affected NSF. Finally, theSecurityI2NSF Controller will instruct the affected NSF to start the IKEv2 negotiation with the new configuration.In IKE-less case, ifAlternatively, IKEv2 configuration MAY be made permanent between NSFs reboots without compromising security by means of theSecurity Controller detects thatstartup configuration datastore in the NSF. This way, each time a NSFhas lost the IPsec SAsreboots it will use that configuration for each rebooting. It would imply avoiding to contact with the I2NSF Controller. In the IKE-less case, the I2NSF Controller SHOULD delete the old IPsec SAsonin the non-failednodes,nodes established with thefailed node (step 1). This prevents the non-failed nodes from leaking plaintext. Ifaffected NSF. Once the affected nodecomes to live,restarts, theSecurityI2NSF Controllerwill configureMUST take thenew inboundnecessary actions to reestablish IPsecSAsprotected communication between theaffectedfailed node andall the nodes it was talking to (step 2). After these inboundthose others having IPsec SAshave been established,with theSecurityaffected NSF. How the I2NSF Controllercan configureimplements an algorithm for managing a potential NSF state loss is out of theoutbound IPsec SAs in parallel (step 3). Nevertheless other more optimized options canscope of this document. Nevertheless, an example of how this could beconsidered (e.g. makingperformed is described in Appendix G.3. 5.3. NAT Traversal In the IKE case, IKEv2configuration permanentalready provides a mechanism to detect whether some of the peers or both are located behind a NAT. If there is a NAT network configured betweenreboots). 5.3.3.two peers, it is required to activate the usage of UDP or TCP/TLS encapsulation for ESP packets ([RFC3948], [RFC8229]). Note that the usage of IPsec transport mode when NATTraversalis required MUST NOT be used in this specification. In the IKE case, IKEv2 already provides a mechanism to detect whether some of the peers or both are located behind a NAT. If there is a NAT network configured between two peers, it is required to activate the usage of UDP or TCP/TLS encapsulation for ESP packets ([RFC3948], [RFC8229]). Note that the usage of IPsec transport mode when NAT is required MUST NOT be used in this specification.On the contrary,In the IKE-lesscasecase, the NSF does not haveany protocol intheNSFsassistance of the IKEv2 implementation to detectwhether they areif it is located behind aNAT or not. However,NAT. If the NSF does not have any other mechanism to detect this situation, the I2NSF Controller SHOULD implement a mechanism to detect that case. The SDN paradigm generally assumes theSecurityI2NSF Controller has a view of the network under its control. This view is built either requesting information to the NSFs under its control, or because these NSFs inform theSecurityI2NSF Controller. Based on this information, theSecurityI2NSF ControllercanMAY guess if there is a NAT configured between two hosts, and apply the required policies to both NSFs besides activating the usage of UDP or TCP/TLS encapsulation of ESP packets ([RFC3948], [RFC8229]).For example, the Security Controller could directly requestThe interface for discovering if the NSFfor specific data such as networking configuration, NAT support, etc. Protocols such as NETCONF or SNMP can be used here. For example, RFC 7317 [RFC7317] provides a YANG data model for system management or [RFC8512]is behind adata model for NAT management. The Security Controller can use this NETCONF module with a NSF to collectNATinformation or even configure a NAT network. In any case, if this NETCONF moduleisnot available in the NSF andout of scope of this document. If theSecurityI2NSF Controller does not haveaany mechanism to know whether a host is behind a NAT or not, then theIKE case shouldIKE-case MUST bethe right choiceused and not the IKE-less case.5.3.4.5.4. NSF registration and discovery NSF registration refers to the process of facilitating the I2NSF Controller information about a valid NSFDiscoverysuch as certificate, IP address, etc. This information is incorporated to a list of NSFs under its control. The assumption in this document is that, for both cases, before a NSF can operate in this system, it MUST be registered in theSecurityI2NSF Controller. In this way, when the NSFcomes to livestarts and establishes a connection to theSecurityI2NSF Controller, it knows that the NSF is valid for joining the system. Either during this registration process or when the NSF connects with theSecurityI2NSF Controller, theSecurityI2NSF Controller MUST discover certain capabilities of this NSF, such as what is the cryptographic suite supported, authentication method, the support of the IKE caseorand/or the IKE-less case, etc.ThisThe registration and discoveryprocess isprocesses are out of the scope of this document. 6. YANG configuration data models In order to support the IKE and IKE-less cases we have modeled the different parameters and values that must be configured to manage IPsec SAs. Specifically, the IKE case requires modelingIKEv2,IKEv2 configuration parameters, SPD and PAD, while the IKE-less case requires configuration models for the SPD and SAD. We have defined three models: ietf-ipsec-common (Appendix A), ietf-ipsec-ike (Appendix B, IKE case), ietf-ipsec-ikeless (Appendix C, IKE-less case). Since the model ietf-ipsec-common has only typedef and groupings common to the other modules, we only show a simplified view of the ietf-ipsec-ike and ietf-ipsec-ikeless models. 6.1. IKE case model The model related to IKEv2 has been extracted from reading IKEv2 standard in [RFC7296], and observing some open source implementations, such as Strongswan [strongswan] or Libreswan [libreswan]. The definition of the PAD model has been extracted from the specification in section 4.4.3 in [RFC4301] (NOTE: We have observed that many implementations integrate PAD configuration as part of the IKEv2 configuration). module: ietf-ipsec-ike +--rw ipsec-ike +--rw pad | +--rw pad-entry* [name] | +--rw name string | +--rw (identity) | | +--:(ipv4-address) | | | +--rw ipv4-address? inet:ipv4-address | | +--:(ipv6-address) | | | +--rw ipv6-address? inet:ipv6-address | | +--:(fqdn-string) | | | +--rw fqdn-string? inet:domain-name | | +--:(rfc822-address-string) | | | +--rw rfc822-address-string? string | | +--:(dnx509) | | | +--rw dnx509? string | | +--:(gnx509) | | | +--rw gnx509? string | | +--:(id-key) | | | +--rw id-key? string | | +--:(id-null) | | +--rw id-null? empty | +--rw auth-protocol? auth-protocol-type | +--rw peer-authentication | +--rw auth-method? auth-method-type | +--rw eap-method | | +--rw eap-type uint8 | +--rw pre-shared | | +--rw secret? yang:hex-string | +--rw digital-signature | +--rw ds-algorithm? uint8 | +--rw (public-key) | | +--:(raw-public-key) | | | +--rw raw-public-key? binary | | +--:(cert-data) | | +--rw cert-data? ct:x509 | +--rw private-key? binary | +--rw ca-data* ct:x509 | +--rw crl-data? ct:crl | +--rw crl-uri? inet:uri | +--rw oscp-uri? inet:uri +--rw conn-entry* [name] | +--rw name string | +--rw autostartup? autostartup-type | +--rw initial-contact? boolean | +--rw version? auth-protocol-type | +--rw fragmentation? boolean | +--rw ike-sa-lifetime-soft | | +--rw rekey-time? uint32 | | +--rw reauth-time? uint32 | +--rw ike-sa-lifetime-hard | | +--rw over-time? uint32 | +--rw authalg* ic:integrity-algorithm-type | +--rw encalg* ic:encryption-algorithm-type | +--rw dh-group? pfs-group | +--rw half-open-ike-sa-timer? uint32 | +--rw half-open-ike-sa-cookie-threshold? uint32 | +--rw local | | +--rw local-pad-entry-name? string | +--rw remote | | +--rw remote-pad-entry-name? string | +--rw encapsulation-type | | +--rw espencap? esp-encap | | +--rw sport? inet:port-number | | +--rw dport? inet:port-number | | +--rw oaddr* inet:ip-address | +--rw spd | | +--rw spd-entry* [name] | | +--rw name string | | +--rw ipsec-policy-config | | +--rw anti-replay-window? uint64 | | +--rw traffic-selector | | | +--rw local-subnet inet:ip-prefix | | | +--rw remote-subnet inet:ip-prefix | | | +--rw inner-protocol? ipsec-inner-protocol | | | +--rw local-ports* [start end] | | | | +--rw start inet:port-number | | | | +--rw end inet:port-number | | | +--rw remote-ports* [start end] | | | +--rw start inet:port-number | | | +--rw end inet:port-number | | +--rw processing-info | | | +--rw action? ipsec-spd-action | | | +--rw ipsec-sa-cfg | | | +--rw pfp-flag? boolean | | | +--rw ext-seq-num? boolean | | | +--rw seq-overflow? boolean | | | +--rw stateful-frag-check? boolean | | | +--rw mode? ipsec-mode | | | +--rw protocol-parameters? ipsec-protocol-parameters | | | +--rw esp-algorithms | | | | +--rw integrity* integrity-algorithm-type | | | | +--rw encryption* encryption-algorithm-type | | | | +--rw tfc-pad? boolean | | | +--rw tunnel | | | +--rw local inet:ip-address | | | +--rw remote inet:ip-address | | | +--rw df-bit? enumeration | | | +--rw bypass-dscp? boolean | | | +--rw dscp-mapping? yang:hex-string | | | +--rw ecn? boolean | | +--rw spd-mark | | +--rw mark? uint32 | | +--rw mask? yang:hex-string | +--rw child-sa-info | | +--rw pfs-groups* pfs-group | | +--rw child-sa-lifetime-soft | | | +--rw time? uint32 | | | +--rw bytes? uint32 | | | +--rw packets? uint32 | | | +--rw idle? uint32 | | | +--rw action? ic:lifetime-action | | +--rw child-sa-lifetime-hard | | +--rw time? uint32 | | +--rw bytes? uint32 | | +--rw packets? uint32 | | +--rw idle? uint32 | +--ro state | +--ro initiator? boolean | +--ro initiator-ikesa-spi? ike-spi | +--ro responder-ikesa-spi? ike-spi | +--ro nat-local? boolean | +--ro nat-remote? boolean | +--ro encapsulation-type | | +--ro espencap? esp-encap | | +--ro sport? inet:port-number | | +--ro dport? inet:port-number | | +--ro oaddr* inet:ip-address | +--ro established? uint64 | +--ro current-rekey-time? uint64 | +--ro current-reauth-time? uint64 +--ro number-ike-sas +--ro total? uint64 +--ro half-open? uint64 +--ro half-open-cookies? uint64 Appendix D shows an example of IKE case configuration for a NSF, in tunnel mode (gateway-to-gateway), with NSFs authentication based on X.509 certificates. 6.2. IKE-less case model For this case, the definition of the SPD model has been mainly extracted from the specification in section 4.4.1 and Appendix D in [RFC4301], though with somesimplications. For example, eachchanges, namely: o Each IPsec policy (spd-entry) contains one traffic selector, instead of a list of them. The reason is that we have observedrealactual kernel implementations only admit a single traffic selector per IPsec policy. o Each IPsec policy contains a identifier (reqid) to relate the policy with the IPsec SA. This is common in Linux-based systems. o Each IPsec policy has only one name and not a list of names. o Combined algorithms has been removed because encryption algorithms MAY include authenticated encryption with associated data (AEAD). o Tunnel information has been extended with information about DSCP mapping and ECN bit. The reason is that we have observed real kernel implementations admit the configurations of these values. The definition of the SAD model has been mainly extracted from the specification in section 4.4.2 in[RFC4301]. Note[RFC4301] though with some changes, namely: o Each IPsec SA (sad-entry) contains one traffic selector, instead of a list of them. The reason is thatthis model notwe have observed actual kernel implementations onlyallows to associate anadmit a single traffic selector per IPsec SA. o Each IPsec SAwith its correspondingcontains a identifier (reqid) to relate the policythroughwith thespecific traffic selector but also an identifier (reqid).IPsec Policy. Thenotifications model hasreason is that we have observed real kernel implementations allow to include this value. o Each IPsec SA has also a name in the same way as IPsec policies. o Combined algorithm has been removed because encryption algorithm MAY include authenticated encryption with associated data (AEAD). o Tunnel information has been extended with information about Differentiated Services Code Point (DSCP) mapping and Explicit Congestion Notificsation (ECN) bit. The reason is that we have observed actual kernel implementations admit the configurations of these values. o Lifetime of the IPsec SAs also include idle time and number of IP packets as threshold to trigger the lifetime. The reason is that we have observed actual kernel implementations allow to set these types of lifetimes. o Information to configure the type of encapsulation (encapsulation- type) for IPsec ESP packets in UDP ([RFC3948]), TCP ([RFC8229]) or TLS ([RFC8229]) has been included. The notifications model has been defined using as reference the PF_KEYv2 standard in [RFC2367]. module: ietf-ipsec-ikeless +--rw ipsec-ikeless +--rw spd | +--rw spd-entry* [name] | +--rw name string | +--rw direction? ic:ipsec-traffic-direction | +--rw reqid? uint64 | +--rw ipsec-policy-config | +--rw anti-replay-window? uint64 | +--rw traffic-selector | | +--rw local-subnet inet:ip-prefix | | +--rw remote-subnet inet:ip-prefix | | +--rw inner-protocol? ipsec-inner-protocol | | +--rw local-ports* [start end] | | | +--rw start inet:port-number | | | +--rw end inet:port-number | | +--rw remote-ports* [start end] | | +--rw start inet:port-number | | +--rw end inet:port-number | +--rw processing-info | | +--rw action? ipsec-spd-action | | +--rw ipsec-sa-cfg | | +--rw pfp-flag? boolean | | +--rw ext-seq-num? boolean | | +--rw seq-overflow? boolean | | +--rw stateful-frag-check? boolean | | +--rw mode? ipsec-mode | | +--rw protocol-parameters? | | +--rw esp-algorithms | | | +--rw integrity* integrity-algorithm-type | | | +--rw encryption* encryption-algorithm-type | | | +--rw tfc-pad? boolean | | +--rw tunnel | | +--rw local inet:ip-address | | +--rw remote inet:ip-address | | +--rw df-bit? enumeration | | +--rw bypass-dscp? boolean | | +--rw dscp-mapping? yang:hex-string | | +--rw ecn? boolean | +--rw spd-mark | +--rw mark? uint32 | +--rw mask? yang:hex-string +--rw sad +--rw sad-entry* [name] +--rw name string +--rw reqid? uint64 +--rw ipsec-sa-config | +--rw spi uint32 | +--rw ext-seq-num? boolean | +--rw seq-number-counter? uint64 | +--rw seq-overflow? boolean | +--rw anti-replay-window? uint32 | +--rw traffic-selector | | +--rw local-subnet inet:ip-prefix | | +--rw remote-subnet inet:ip-prefix | | +--rw inner-protocol? ipsec-inner-protocol | | +--rw local-ports* [start end] | | | +--rw start inet:port-number | | | +--rw end inet:port-number | | +--rw remote-ports* [start end] | | +--rw start inet:port-number | | +--rw end inet:port-number | +--rw protocol-parameters? ic:ipsec-protocol-parameters | +--rw mode? ic:ipsec-mode | +--rw esp-sa | | +--rw encryption | | | +--rw encryption-algorithm? ic:encryption-algorithm-type | | | +--rw key? yang:hex-string | | | +--rw iv? yang:hex-string | | +--rw integrity | | +--rw integrity-algorithm? ic:integrity-algorithm-type | | +--rw key? yang:hex-string | +--rw sa-lifetime-hard | | +--rw time? uint32 | | +--rw bytes? uint32 | | +--rw packets? uint32 | | +--rw idle? uint32 | +--rw sa-lifetime-soft | | +--rw time? uint32 | | +--rw bytes? uint32 | | +--rw packets? uint32 | | +--rw idle? uint32 | | +--rw action? ic:lifetime-action | +--rw tunnel | | +--rw local inet:ip-address | | +--rw remote inet:ip-address | | +--rw df-bit? enumeration | | +--rw bypass-dscp? boolean | | +--rw dscp-mapping? yang:hex-string | | +--rw ecn? boolean | +--rw encapsulation-type | +--rw espencap? esp-encap | +--rw sport? inet:port-number | +--rw dport? inet:port-number | +--rw oaddr* inet:ip-address +--ro ipsec-sa-state +--ro sa-lifetime-current | +--ro time? uint32 | +--ro bytes? uint32 | +--ro packets? uint32 | +--ro idle? uint32 +--ro replay-stats +--ro replay-window? uint64 +--ro packet-dropped? uint64 +--ro failed? uint32 +--ro seq-number-counter? uint64 notifications: +---n sadb-acquire | +--ro ipsec-policy-name string | +--ro traffic-selector | +--ro local-subnet inet:ip-prefix | +--ro remote-subnet inet:ip-prefix | +--ro inner-protocol? ipsec-inner-protocol | +--ro local-ports* [start end] | | +--ro start inet:port-number | | +--ro end inet:port-number | +--ro remote-ports* [start end] | +--ro start inet:port-number | +--ro end inet:port-number +---n sadb-expire | +--ro ipsec-sa-name string | +--ro soft-lifetime-expire? boolean | +--ro lifetime-current | +--ro time? uint32 | +--ro bytes? uint32 | +--ro packets? uint32 | +--ro idle? uint32 +---n sadb-seq-overflow | +--ro ipsec-sa-name string +---n sadb-bad-spi +--ro spi uint32 Appendix E shows an example of IKE-less case configuration for a NSF, in transport mode (host-to-host), with NSFs authentication based on shared secrets. For the IKE-less case, Appendix F shows examples of IPsec SA expire, acquire, sequence number overflow and bad SPI notifications. 7.Use cases examplesIANA Considerations Thissection explains how different traditional configurations, that is, host-to-host and gateway-to-gateway, are deployed using this SDN- based IPsec management service. In turn, these configurations will be typicaldocument registers three URIs inmodern networks where, for example, virtualization will be key. 7.1. Host-to-host or gateway-to-gateway underthesame Security Controller +----------------------------------------+ | Security Controller | | | (1)| +--------------+ (2)+--------------+ | Flow-based ------> |Translate into|--->| South. Prot. | | Security. Pol. | |IPsec Policies| | | | | +--------------+ +--------------+ | | | | | | | | | +--------------------------|-----|-------+ | | | (3) | |-------------------------+ +---| V V +----------------------+ +----------------------+ | NSF A |<=======>| NSF B | |IKEv2/IPsec(SPD/PAD) | |IKEv2/IPsec(SPD/PAD) | +----------------------+ (4) +----------------------+ Figure 3: Host-to-host / gateway-to-gateway single Security Controller for"ns" subregistry of theIKE case. Figure 3 describesIETF XML Registry [RFC3688]. Following theIKE case: 1. The administrator defines general flow-based security policies.format in [RFC3688], the following registrations are requested: URI: urn:ietf:params:xml:ns:yang:ietf-ipsec-common Registrant Contact: TheSecurity Controller looks forI2NSF WG of theNSFs involved (NSF A and NSF B). 2.IETF. XML: N/A, the requested URI is an XML namespace. URI: urn:ietf:params:xml:ns:yang:ietf-ipsec-ike Registrant Contact: TheSecurity Controller generates IKEv2 credentials for them and translatesI2NSF WG of thepolicies into SPD and PAD entries. 3.IETF. XML: N/A, the requested URI is an XML namespace. URI: urn:ietf:params:xml:ns:yang:ietf-ipsec-ikeless Registrant Contact: TheSecurity Controller insertsI2NSF WG of the IETF. XML: N/A, the requested URI is anIKEv2 configuration that includesXML namespace. This document registers three YANG modules in theSPD and PAD entries"YANG Module Names" registry [RFC6020]. Following the format inboth NSF A and NSF B. If some of operations with NSF A and NSF B fail[RFC6020], the following registrations are requested: Name: ietf-ipsec-common Namespace: urn:ietf:params:xml:ns:yang:ietf-ipsec-common Prefix: ic Reference: RFC XXXX Name: ietf-ipsec-ike Namespace: urn:ietf:params:xml:ns:yang:ietf-ipsec-ike Prefix: ike Reference: RFC XXXX Name: ietf-ipsec-ikeless Namespace: urn:ietf:params:xml:ns:yang:ietf-ipsec-ikeless Prefix: ikeless Reference: RFC XXXX 8. SecurityController will stopConsiderations First of all, this document shares all theprocess and perform a rollback operation by deleting any IKEv2, SPD and PAD configurationsecurity issues of SDN thathad been successfully installedare specified inNSF A or B. 4. Iftheprevious step is successful,"Security Considerations" section of [ITU-T.Y.3300] and [RFC7426]. On theflowone hand, it isprotected by means ofimportant to note that there MUST exist a security association between theIPsec SA established with IKEv2. +----------------------------------------+ | (1) SecurityI2NSF Controller| Flow-based | | Security -----------| | Policy | V | | +---------------+ (2)+-------------+ | | |Translate into |--->| South. Prot.| | | |IPsec policies | | | | | +---------------+ +-------------+ | | | | | | | | | +-------------------------| --- |--------+ | | | (3) | |----------------------+ +--| V V +------------------+ +------------------+ | NSF A |<=====>| NSF B | |IPsec(SPD/SAD) | 4) |IPsec(SPD/SAD) | +------------------+ +------------------+ Figure 4: Host-to-host / gateway-to-gateway single Security Controller for IKE-less case. Inand theIKE-less case, flow-based security policies defined byNSFs to protect theadministrator are translated into IPsec SPD entries and inserted intocritical information (cryptographic keys, configuration parameter, etc.) exchanged between these entities. On thecorresponding NSFs. Besides, fresh SAD entries willother hand, if encryption is mandatory for all traffic of a NSF, its default policy MUST bealso generated by the Security Controller and enforcedto drop (DISCARD) packets to prevent cleartext packet leaks. This default policy MUST be pre-configured in theNSFs. In this case,startup configuration datastore in theSecurity Controller does not run any IKEv2 implementation (neitherNSF before theNSFs), and it providesNSF contacts thecryptographic material forI2NSF Controller. Moreover, theIPsec SAs. These keys willstartup configuration datastore MUST be alsodistributed securely throughpre-configured with thesouthbound interface. Noterequired ALLOW policies thatthisallow to communicate the NSF with the I2NSF Controller once the NSF ispossible because both NSFs are manageddeployed. This pre-configuration step is not carried out by thesame Security Controller. Figure 4 describesI2NSF Controller but by some other entity before theIKE-less case,NSF deployment. In this manner, whena data packet needs to be protected in the path betweenthe NSFA and NSF B: 1. The administrator establishesstarts/reboots, it will always first apply theflow-based security policies, andconfiguration in theSecurity Controller looks for the involved NSFs. 2. The Security Controller translatesstartup configuration before contacting theflow-based security policies into IPsec SPD and SAD entries. 3. The Security Controller inserts these entriesI2NSF Controller. Finally, we have divided this section in two parts in order to analyze different security considerations for both cases: NSFAwith IKEv2 (IKE case) and NSFB IPsec databases (SPD and SAD). The following text describes how this happens between two NSFs A and B: * The Security Controller chooses two random valueswithout IKEv2 (IKE-less case). In general, the I2NSF Controller, asSPIs: for example, SPIa1typically in the SDN paradigm, is a target forNSF Adifferent type of attacks [SDNSecServ] and [SDNSecurity]. Thus, the I2NSF Controller is a key entity in the infrastructure andSPIb1 for NSF B. These numbersMUSTNOTbein conflict with any IPsec SA in NSF A or NSF B. It also generates freshprotected accordingly. In particular, the I2NSF Controller will handle cryptographic materialfor the new inbound/outbound IPsec SAs and their parameters and send simultaneouslyso that thenew inbound IPsec SA with SPIa1 and new outbound IPsec SAs with SPIb1attacker may try to access this information. Although we can assume this attack will not likely to happen due toNSF A; andthenew inbound IPsec SA with SPIb1 and new outbound IPsec SAs with SPIa1assumed security measurements toB, together withprotect thecorresponding IPsec policies. * OnceI2NSF Controller, it deserves some analysis in theSecurity Controller receives confirmation from NSF A and NSF B,hypothetical case thecontroller knows thatattack occurs. The impact is different depending on theIPsec SAs are correctly installed and ready. If some of the operations described above fails (e.g.IKE case or IKE-less case. 8.1. IKE case In theNSF A reports an error whenIKE case, theSecurityI2NSF Controlleris tryingsends IKEv2 credentials (PSK, public/private keys, certificates, etc.) toinstalltheSPD entry, the new inbound and outbound IPsec SAs)NSFs using theSecuritysecurity association between I2NSF Controllermust perform rollback operations by deleting any new inbound or outbound SAandSPD entry that had been successfully installed in any ofNSFs. The I2NSF Controller MUST NOT store the IKEv2 credentials after distributing them. Moreover, the NSFs(e.g NSF B) and stopMUST NOT allow theprocess (NOTE:reading of these values once they have been applied by theSecurityI2NSF Controllermay retry several times before giving up). Other alternative(i.e. write only operations). One option is tothisalways return the same value (i.e. all 0s) if a read operationis:is carried out. If theSecurityattacker has access to the I2NSF Controllersends firstduring theIPsec policies and new inbound IPsec SAs to A and B and once it obtains a successful confirmationperiod ofthese operations from NSF A and NSF B,time that key material is generated, itproceeds with installingmight have access to thenew outbound IPsec SAs. However, thiskey material. Since these values are used during NSF authentication in IKEv2, it mayincreaseimpersonate thelatencyaffected NSFs. Several recommendations are important. o IKEv2 configurations should adhere tocompletetheprocess. As an advantage, no trafficrecommendations in [RFC8247]. o If PSK authentication issent overused in IKEv2, thenetwork untilI2NSF Controller MUST remove theIPsec SAsPSK immediately after generating and distributing it. o When public/private keys arecompletely operative. In any case other alternatives may be possible. Finally, it is worth mentioning thatused, theSecurityI2NSF ControllerassociatesMAY generate both public key and private key. In such alifetimecase, the I2NSF Controller MUST remove the associated private key immediately after distributing them to thenew IPsec SAs. When this lifetime expires,NSFs. Alternatively, the NSFwill send a sadb-expire notification tocould generate theSecurity Controller in orderprivate key and export only the public key tostarttherekeying process. 4. The flow is protected withI2NSF Controller. o If certificates are used, theIPsec SA established byNSF MAY generate theSecurityprivate key and exports the public key for certification to the I2NSF Controller.Instead of installing IPsec policies inHow theSPDNSF generates these cryptographic material (public key/ private keys) andIPsec SAs inexports theSAD in step 3 (proactive mode),public key it isalso possible that the Security Controller only installs the SPD entries in step 3 (reactive mode).out of scope of this document. 8.2. IKE-less case Insuch a case, when a data packet requires to be protected with IPsec, the NSF that saw firstthedata packet will send a sadb- acquire notification that informsIKE-less case, theSecurityI2NSF Controllerthat needs SAD entries withsends the IPsecSAsSA information toprocess the data packet. In such as reactive mode, since IPsec policies are already installed intheSPD,NSF's SAD that includes theSecurityprivate session keys required for integrity and encryption. The I2NSF Controllerinstalls firstMUST NOT store thenew IPsec SAs in NSF A and B withkeys after distributing them. Moreover, theoperations described in step 3 but without sending any IPsec policies. Again, if someNSFs receiving private key material MUST NOT allow the reading of these values by any other entity (including theoperations installingI2NSF Controller itself) once they have been applied (i.e. write only operations) into thenew inbound/outbound IPsec SAs fail,NSFs. Nevertheless, if theSecurityattacker has access to the I2NSF Controllerstopsduring theprocess and performs a rollback operation by deleting any new inbound/outbound SAsperiod of time thathad been successfully installed. Both NSFs couldkey material is generated, it may obtain these values. In other words, the attacker might betwo hosts that exchangeable to observe the IPsec traffic andrequire to establish an end-to-end security association to protect their communications (host-to-host)decrypt, ortwo gateways (gateway-to-gateway), for example, within an enterprise that needs to protecteven modify and re-encrypt, the traffic betweenthe networks of two branch offices. Applicability of these configurations appearpeers. 8.3. YANG modules The YANG module specified incurrent and new networking scenarios. For example, SD-WAN technologies are providing dynamic and on-demand VPN connections between branch offices,this document defines a schema for data that is designed to be accessed via network management protocols such as NETCONF [RFC6241] orbetween branchesRESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, andSaaS cloud services. Beside, IaaS services providing virtualization environments are deployments solutions based on IPsec to providethe mandatory-to-implement securechannels between virtual instances (host- to-host)transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, andproviding VPN solutions for virtualized networks (gateway-to-gateway). In general (for IKE and IKE-less cases), this system has various advantages: 1. It allows to create IPsec SAs among two NSFs, based only ontheapplication of general Flow-based Security Policies atmandatory-to-implement secure transport is TLS [RFC8446]. The Network Configuration Access Control Model (NACM) [RFC8341] provides theapplication layer. Thus, administrators can managemeans to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of allsecurity associations inavailable NETCONF or RESTCONF protocol operations and content. There are acentralized point with an abstracted viewnumber ofthe network. 2. Any NSF deployed in the system does not need manual configuration, therefore allowing its deploymentdata nodes defined inan automated manner. 7.2. Host-to-host or gateway-to-gateway under different Security Controllers It is also possiblethese YANG modules thattwo NSFs (i.e. NSF A and NSF B)areunderwritable/creatable/deletable (i.e., config true, which is thecontrol of two different Security Controllers. Thisdefault). These data nodes mayhappen, for example, when two organizations, namely Enterprise A and Enterprise B,be considered sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) to these data nodes without proper protection can havetheir headquarters interconnected throughaWAN connectionnegative effect on network operations. These are the subtrees and data nodes andthey both have deployed a SDN-based architecture to provide connectivity to alltheirclients. +-------------+ +-------------+ | | | | Flow-based| Security |<=========>| Security <--Flow-based Sec. Pol.--> Controller | (3) | Controller | Sec. Pol. (1) | A | | B | (2) +-------------+ +-------------+ | | | (4) (4) | V V +--------------------+ +--------------------+ | NSF A |<=======>| NSF B | |IKEv2/IPsec(SPD/PAD)| |IKEv2/IPsec(SPD/PAD)| +--------------------+ (5) +--------------------+ Figure 5: Different Security Controllers insensitivity/vulnerability: The YANG modules describe configuration data for the IKEcase. Figure 5 describes IKEcasewhen two Security Controllers are involved(ietf- ipsec-ike) and IKE-less case (ietf-ipsec-ikeless). There is a common module (ietf-ipsec-common) used in both cases. For theprocess. 1. The A's administrator establishes general Flow-based Security Policies in Security Controller A. 2.IKE case (ietf-ipsec-ike): /ipsec-ike: TheB's administrator establishes general Flow-based Security Policiesentire container inSecurity Controller B. 3. The Security Controller A realizes that protectionthis module isrequired betweensensitive to write operations. An attacker may add/modify theNSF A and NSF B, butcredentials to be used for theNSF B is underauthentication (e.g. to impersonate a NSF), thecontrol of another Security Controller (Security Controller B), so it starts negotiations withtrust root (e.g. changing theother controller to agree ontrusted CA certificates), the cryptographic algorithms (allowing a downgrading attack), the IPsecSPDpolicies (e.g. by allowing leaking of data traffic by changing to a allow policy), andIKEv2 credentials for their respective NSFs. NOTE: This may require extensionsin general changing theEast/West interface. 4. Then, both Security Controllers enforce the IKEv2 credentials, related parametersIKE SA conditions and credentials between any NSF. For theSPD and PAD entries in their respective NSFs. 5.IKE-less case (ietf-ipsec-ikeless): /ipsec-ikeless: Theflowentire container in this module isprotected withsensitive to write operations. An attacker may add/modify/ delete any IPsec policies (e.g. by allowing leaking of data traffic by changing to a allow policy) in the /ipsec-ikeless/ spd container, and add/modify/delete any IPsec SAsestablished with IKEv2betweenboth NSFs. +--------------+ +--------------+ | | | | Flow-based. ---> | | <---Flow-based Prot. | Security |<===========>| Security |Sec. Pol.(1)| Controller | (3) | Controller |Pol. (2) | A | | B | +--------------+ +--------------+ | | | (4) (4) | V V +--------------+ (5) +--------------+ | NSF A |<==============>|two NSFB | |IPsec(SPD/SAD)| |IPsec(SPD/SAD)| +--------------+ +--------------+ Figure 6: Different Security Controllers in the IKE-less case. Figure 6 describes IKE-less case when two Security Controllers are involved in the process. 1. The A's administrator establishes general Flow Protection Policiesby means of /ipsec-ikeless/sad container and, inSecurity Controller A. 2. The B's administrator establishesgeneralFlow Protection Policies in Security Controller B. 3. The Security Controller A realizes that the flow between NSF Bchanging any IPsec SAs andNSF B MUSTIPsec policies between any NSF. Some of the readable data nodes in this YANG module may beprotected. Nevertheless, it notices that NSF Bconsidered sensitive or vulnerable in some network environments. It isunder thethus important to controlof another Security Controller B, so it starts negotiations with the other controllerread access (e.g., via get, get-config, or notification) toagree onthese data nodes. These are theIPsec SPDsubtrees andSAD entries that definedata nodes and their sensitivity/vulnerability: For theIPsec SAs. NOTE: It would worth evaluating IKEv2 asIKE case (ietf-ipsec-ike): /ipsec-ike/pad: This container includes sensitive information to read operations. This information should never be returned to a client. For example, cryptographic material configured in theprotocol forNSFs: peer-authentication/pre-shared/secret and peer- authentication/digital-signature/private-key are already protected by theEast/West interfaceNACM extension "default-deny-all" in thiscase. 4. Oncedocument. For theSecurity Controllers have agreed onIKE-less case (ietf-ipsec-ikeless): /ipsec-ikeless/sad/ipsec-sa-config/esp-sa: This container includes symmetric keys for the IPsec SAs. For example, encryption/key contains a ESP encryption keymaterialvalue and encryption/iv contains a initialization vector value. Similarly, integrity/key has ESP integrity key value. Those values must not be read by anyone and are protected by thedetails of the IPsec SAs, they both enforceNACM extension "default-deny-all" in thisinformation into their respective NSFs. 5. The flow is protected with the IPsec SAs established by both Security Controllers indocument. 9. Acknowledgements Authors want to thank Paul Wouters, Valery Smyslov, Sowmini Varadhan, David Carrel, Yoav Nir, Tero Kivinen, Martin Bjorklund, Graham Bartlett, Sandeep Kampati, Linda Dunbar, Carlos J. Bernardos, Alejandro Perez-Mendez, Alejandro Abad-Carrascosa, Ignacio Martinez, Ruben Ricart and Roman Danyliw for theirrespective NSFs. 8. IANA Considerations This document registers three URIs in the "ns" subregistry of the IETF XML Registry [RFC3688]. Following the format in [RFC3688], the following registrations are requested: URI: urn:ietf:params:xml:ns:yang:ietf-ipsec-common Registrant Contact: The I2NSF WG of the IETF. XML: N/A, the requested URI is an XML namespace. URI: urn:ietf:params:xml:ns:yang:ietf-ipsec-ike Registrant Contact: The I2NSF WG of the IETF. XML: N/A, the requested URI is an XML namespace. URI: urn:ietf:params:xml:ns:yang:ietf-ipsec-ikeless Registrant Contact: The I2NSF WG of the IETF. XML: N/A, the requested URI is an XML namespace. This document registers three YANG modulesvaluable comments. 10. References 10.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 2005, <https://www.rfc-editor.org/info/rfc4301>. [RFC6020] Bjorklund, M., Ed., "YANGModule Names" registry [RFC6020]. Following the format in [RFC6020],- A Data Modeling Language for thefollowing registrations are requested: Name: ietf-ipsec-common Namespace: urn:ietf:params:xml:ns:yang:ietf-ipsec-common Prefix: ic Reference: RFC XXXX Name: ietf-ipsec-ike Namespace: urn:ietf:params:xml:ns:yang:ietf-ipsec-ike Prefix: ike Reference: RFC XXXX Name: ietf-ipsec-ikeless Namespace: urn:ietf:params:xml:ns:yang:ietf-ipsec-ikeless Prefix: ikeless Reference:Network Configuration Protocol (NETCONF)", RFCXXXX 9. Security Considerations First of all, this document shares all the security issues of SDN that are specified in the "Security Considerations" section of [ITU-T.Y.3300] and [RFC8192]. On the one hand, it is important to note that there MUST exit a security association between the Security Controller6020, DOI 10.17487/RFC6020, October 2010, <https://www.rfc-editor.org/info/rfc6020>. [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, <https://www.rfc-editor.org/info/rfc6241>. [RFC6242] Wasserman, M., "Using theNSFs to protect of the critical information (cryptographic keys, configuration parameter, etc...) exchanged between these entities. For example, whenNETCONFis used as southbound protocol betweenProtocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, <https://www.rfc-editor.org/info/rfc6242>. [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014, <https://www.rfc-editor.org/info/rfc7296>. [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, <https://www.rfc-editor.org/info/rfc8040>. [RFC8247] Nir, Y., Kivinen, T., Wouters, P., and D. Migault, "Algorithm Implementation Requirements and Usage Guidance for the Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 8247, DOI 10.17487/RFC8247, September 2017, <https://www.rfc-editor.org/info/rfc8247>. [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration Access Control Model", STD 91, RFC 8341, DOI 10.17487/RFC8341, March 2018, <https://www.rfc-editor.org/info/rfc8341>. [RFC8446] Rescorla, E., "The Transport Layer SecurityController(TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, <https://www.rfc-editor.org/info/rfc8446>. 10.2. Informative References [I-D.carrel-ipsecme-controller-ike] Carrel, D. andthe NSFs, it is defined that TLS or SSH security association MUST be established between both entities. On the other hand, if encryption is mandatory for all traffic ofB. Weiss, "IPsec Key Exchange using aNSF, its default policy MUST be to drop (DISCARD) packets to prevent cleartext packet leaks. This default policy MUST be in the startup configuration datastore in the NSF before the NSF contacts with the Security Controller. Moreover, the startup configuration datastore MUST be pre-configured with the required ALLOW policies that allow to communicate the NSF with the Security Controller once the NSF is deployed. This pre-configuration step is not carried out by the Security Controller but by some other entity before the NSF deployment. In this manner, when the NSF starts/reboots, it will always apply first the configuration in the startup configuration before contacting the Security Controller. Finally, we have divided this section in two partsController", draft-carrel-ipsecme-controller-ike-01 (work inorder to analyze different security considerations for both cases: NSF with IKEv2 (IKE case)progress), March 2019. [I-D.tran-ipsecme-yang] Tran, K., Wang, H., Nagaraj, V., andNSF without IKEv2 (IKE-less case). In general, the Security Controller, as typically in the SDN paradigm, is a targetX. Chen, "Yang Data Model fordifferent type of attacks. Thus, the Security Controller is a key entity in the infrastructure and MUST be protected accordingly. In particular, the Security Controller will handle cryptographic material so that the attacker may try to access this information. Although we can assume this attack will not likely to happen due to the assumed security measurements to protect theInternet Protocol SecurityController, it deserves some analysis(IPsec)", draft-tran- ipsecme-yang-01 (work inthe hypothetical case the attack occurs.progress), June 2015. [ITU-T.Y.3300] "Recommendation ITU-T Y.3300", June 2014. [libreswan] Theimpact is different depending on the IKE case or IKE-less case. 9.1. IKE case In IKE case, theLibreswan Project, "Libreswan VPN software", August 2019. [netconf-vpn] Stefan Wallin, "Tutorial: NETCONF and YANG", January 2014. [ONF-OpenFlow] ONF, "OpenFlow Switch Specification (Version 1.4.0)", October 2013. [ONF-SDN-Architecture] "SDN Architecture", June 2014. [RFC2367] McDonald, D., Metz, C., and B. Phan, "PF_KEY Key Management API, Version 2", RFC 2367, DOI 10.17487/RFC2367, July 1998, <https://www.rfc-editor.org/info/rfc2367>. [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, <https://www.rfc-editor.org/info/rfc3688>. [RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M. Stenberg, "UDP Encapsulation of IPsec ESP Packets", RFC 3948, DOI 10.17487/RFC3948, January 2005, <https://www.rfc-editor.org/info/rfc3948>. [RFC6071] Frankel, S. and S. Krishnan, "IP SecurityController sends IKE credentials (PSK, public/private keys, certificates, etc.)(IPsec) and Internet Key Exchange (IKE) Document Roadmap", RFC 6071, DOI 10.17487/RFC6071, February 2011, <https://www.rfc-editor.org/info/rfc6071>. [RFC6437] Amante, S., Carpenter, B., Jiang, S., and J. Rajahalme, "IPv6 Flow Label Specification", RFC 6437, DOI 10.17487/RFC6437, November 2011, <https://www.rfc-editor.org/info/rfc6437>. [RFC7149] Boucadair, M. and C. Jacquenet, "Software-Defined Networking: A Perspective from within a Service Provider Environment", RFC 7149, DOI 10.17487/RFC7149, March 2014, <https://www.rfc-editor.org/info/rfc7149>. [RFC7426] Haleplidis, E., Ed., Pentikousis, K., Ed., Denazis, S., Hadi Salim, J., Meyer, D., and O. Koufopavlou, "Software- Defined Networking (SDN): Layers and Architecture Terminology", RFC 7426, DOI 10.17487/RFC7426, January 2015, <https://www.rfc-editor.org/info/rfc7426>. [RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R., and J. Jeong, "Interface tothe NSFs using the security association betweenNetwork SecurityControllerFunctions (I2NSF): Problem Statement andNSFs. The general recommendation is that the Security Controller MUST NOT store theUse Cases", RFC 8192, DOI 10.17487/RFC8192, July 2017, <https://www.rfc-editor.org/info/rfc8192>. [RFC8229] Pauly, T., Touati, S., and R. Mantha, "TCP Encapsulation of IKEcredentials after distributing them. Moreover,and IPsec Packets", RFC 8229, DOI 10.17487/RFC8229, August 2017, <https://www.rfc-editor.org/info/rfc8229>. [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. Kumar, "Framework for Interface to Network Security Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, <https://www.rfc-editor.org/info/rfc8329>. [SDNSecServ] Scott-Hayward, S., O'Callaghan, G., and P. Sezer, "SDN Security: A Survey", 2013. [SDNSecurity] Kreutz, D., Ramos, F., and P. Verissimo, "Towards Secure and Dependable Software-Defined Networks", 2013. [strongswan] CESNET, "StrongSwan: theNSFs MUST NOT allowOpenSource IPsec-based VPN Solution", August 2019. Appendix A. Common YANG model for IKE and IKE-less cases <CODE BEGINS> file "ietf-ipsec-common@2019-08-05.yang" module ietf-ipsec-common { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-common"; prefix "ipsec-common"; import ietf-inet-types { prefix inet; } import ietf-yang-types { prefix yang; } organization "IETF I2NSF Working Group"; contact "WG Web: <https://datatracker.ietf.org/wg/i2nsf/about/> WG List: <mailto:i2nsf@ietf.org> Author: Rafael Marin-Lopez <mailto:rafa@um.es> Author: Gabriel Lopez-Millan <mailto:gabilm@um.es> Author: Fernando Pereniguez-Garcia <mailto:fernando.pereniguez@cud.upct.es> "; description "Common Data model for thereading of these values once they have been appliedIKE and IKE-less cases defined by theSecurity Controller (i.e. write only operations). One option is to return alwaysSDN-based IPsec flow protection service. Copyright (c) 2019 IETF Trust and thesame value (i.e. all 0s) if a read operation is carried out. Ifpersons identified as authors of theattacker has accesscode. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to theSecurity Controller duringlicense terms contained in, theperiodSimplified BSD License set forth in Section 4.c oftime that key material is generated, it might have accessthe IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX;; see the RFC itself for full legal notices. The keymaterial. Since these values are used during NSF authenticationwords 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' inIKEv2, it may impersonate the affected NSFs. Several recommendationsthis document areimportant. If PSK authentication is usedto be interpreted as described inIKEv2, the Security Controller MUST remove the PSK immediately after generatingBCP 14 (RFC 2119) (RFC 8174) when, anddistributing it. Moreover, the PSK MUST have a proper length (e.g. minimum 128 bit length)only when, they appear in all capitals, as shown here."; revision "2019-08-05" { description "Revision 06"; reference "RFC XXXX: YANG Groupings andstrength. When public/private keys are used, the Security Controller MAY generate both public keytypedef for IKE andprivate key. In suchIKE-less case"; } typedef encryption-algorithm-type { type uint16; description "The encryption algorithm is specified with acase, the Security Controller16-bit number extracted from IANA Registry. The acceptable values MUSTremove the associated private key immediately after distributing them to the NSFs. Alternatively, the NSF could generatefollow theprivate keyrequirement levels for encryption algorithms for ESP andexport only the public key to the Security Controller. If certificates are used, the NSF MAY generate the private keyIKEv2."; reference "IANA Registry- Transform Type 1 - Encryption Algorithm Transform IDs. RFC 8221 - Cryptographic Algorithm Implementation Requirements andexports the public keyUsage Guidance forcertification to theEncapsulating SecurityController. How the NSF generates these cryptographic material (public key/private keys)Payload (ESP) andexportAuthentication Header (AH) and RFC 8247 - Algorithm Implementation Requirements and Usage Guidance for thepublic key, or it is instructed to do so, it is out of the scope of this document. 9.2. IKE-less case In the IKE-less case, the Security Controller sends the IPsec SA information to the NSF's SAD that includes the private session keys required forInternet Key Exchange Protocol Version 2 (IKEv2)."; } typedef integrity-algorithm-type { type uint16; description "The integrityand encryption. The general recommendationalgorithm isthat it MUST NOT store the keys after distributing them. Moreover, the NSFs receiving private key material MUST NOT allow the reading of thesespecified with a 16-bit number extracted from IANA Registry. The acceptable valuesby any other entity (including the Security Controller itself) once they have been applied (i.e. write only operations) into the NSFs. Nevertheless, if the attacker has access toMUST follow the requirement levels for encryption algorithms for ESP and IKEv2."; reference "IANA Registry- Transform Type 3 - Integrity Algorithm Transform IDs. RFC 8221 - Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating SecurityController during the period of time that key material is generated, it may obtain these values. In other words, the attacker might be able to observe the IPsec trafficPayload (ESP) anddecrypt, or even modifyAuthentication Header (AH) andre- encrypt the traffic between peers. 9.3. YANG modules The YANG module specified in this document defines a schemaRFC 8247 - Algorithm Implementation Requirements and Usage Guidance fordata that is designed to be accessed via network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer isthesecureInternet Key Exchange Protocol Version 2 (IKEv2)."; } typedef ipsec-mode { type enumeration { enum transportlayer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure{ description "IPsec transportis TLS [RFC8446]. Themode. No NetworkConfiguration Access Control Model (NACM) [RFC8341] provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subsetAddress Translation (NAT) support."; } enum tunnel { description "IPsec tunnel mode."; } } description "Type definition ofall available NETCONFIPsec mode: transport orRESTCONF protocol operations and content. There are a number of data nodes definedtunnel."; reference "Section 3.2 inthese YANG modules that are writable/creatable/deletable (i.e., config true, which is the default). These data nodes may be considered sensitive or vulnerableRFC 4301."; } typedef esp-encap { type enumeration { enum espintcp { description "ESP insome network environments. Write operations (e.g., edit-config) to these data nodes without proper protection can have a negative effect on network operations. These are the subtrees and data nodes and their sensitivity/vulnerability: The YANG modules describe configuration data for theTCP encapsulation."; reference "RFC 8229 - TCP Encapsulation of IKEcase (ietf- ipsec-ike)andIKE-less case (ietf-ipsec-ikeless). There is a common module (ietf-ipsec-common) usedIPsec Packets."; } enum espintls { description "ESP inboth cases. For theTCP encapsulation using TLS."; reference "RFC 8229 - TCP Encapsulation of IKEcase (ietf-ipsec-ike): /ipsec-ike: The entire containerand IPsec Packets."; } enum espinudp { description "ESP inthis module is sensitive to write operations. An attacker may add/modify the credentials to be used for the authentication (e.g. to impersonate a NSF), the trust root (e.g. changing the trusted CA certificates), the cryptographic algorithms (allowing a downgrading attack), the IPsec policies (e.g. by allowing leakingUDP encapsulation."; reference "RFC 3948 - UDP Encapsulation ofdata traffic by changing to a allow policy), and in general changing the IKE SA conditions and credentials between any NSF. For the IKE-less case (ietf-ipsec-ikeless): /ipsec-ikeless: The entire container in this module is sensitive to write operations. An attacker may add/modify/ delete anyIPsecpolicies (e.g. by allowing leakingESP Packets."; } enum none { description "NOT ESP encapsulation."; } } description "Types ofdata traffic by changing to a allow policy) in the /ipsec-ikeless/ spd container, and add/modify/delete any IPsec SAsESP encapsulation when Network Address Translation (NAT) is present between twoNSF by meansNSFs."; reference "RFC 8229 - TCP Encapsulation of/ipsec-ikeless/sad container and, in general changing any IPsec SAsIKE and IPsecpolicies between any NSF. SomePackets and RFC 3948 - UDP Encapsulation of IPsec ESP Packets."; } typedef ipsec-protocol-parameters { type enumeration { enum esp { description "IPsec ESP protocol."; } } description "Only thereadable data nodes in this YANG module mayEncapsulation Security Protocol (ESP) is supported but it could beconsidered sensitive or vulnerableextended insome network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. These arethesubtrees and data nodesfuture."; reference "RFC 4303- IP Encapsulating Security Payload (ESP)."; } typedef lifetime-action { type enumeration { enum terminate-clear { description "Terminates the IPsec SA andtheir sensitivity/vulnerability: Forallows theIKE case (ietf-ipsec-ike): /ipsec-ike/pad: This container includes sensitive information to read operations. This information should never be returned to a client. For example, cryptographic material configured inpackets through."; } enum terminate-hold { description "Terminates theNSFs: peer-authentication/pre-shared/secretIPsec SA andpeer- authentication/digital-signature/private-key are already protected by the NACM extension "default-deny-all" in this document. Fordrops theIKE-less case (ietf-ipsec-ikeless): /ipsec-ikeless/sad/ipsec-sa-config/esp-sa: This container includes symmetric keys forpackets."; } enum replace { description "Replaces the IPsecSAs. For example, encryption/key contains a ESP encryption key value and encryption/iv containsSA with ainitialization vector value. Similarly, integrity/key has ESP integrity key value. Those values must not be read by anyone and are protected bynew one: rekey. "; } } description "When theNACM extension "default-deny-all" in this document. 10. Acknowledgements Authors wantlifetime of an IPsec SA expires an action needs tothank Paul Wouters, Valery Smyslov, Sowmini Varadhan, David Carrel, Yoav Nir, Tero Kivinen, Martin Bjorklund, Graham Bartlett, Sandeep Kampati, Linda Dunbar, Carlos J. Bernardos, Alejandro Perez-Mendez, Alejandro Abad-Carrascosa, Ignacio Martinezbe performed over the IPsec SA that reached the lifetime. There are three posible options: terminate-clear, terminate-hold andRuben Ricart for their valuable comments. 11. References 11.1. Normative References [RFC2119] Bradner, S., "Key words for usereplace."; reference "Section 4.5 inRFCs to Indicate Requirement Levels", BCP 14,RFC2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC4301] Kent, S.4301."; } typedef ipsec-traffic-direction { type enumeration { enum inbound { description "Inbound traffic."; } enum outbound { description "Outbound traffic."; } } description "IPsec traffic direction is defined in two directions: inbound andK. Seo, "Security Architecture foroutbound. From a NSF perspective inbound means theInternet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 2005, <https://www.rfc-editor.org/info/rfc4301>. [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language fortraffic that enters theNetwork Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010, <https://www.rfc-editor.org/info/rfc6020>. [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,NSF andA. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, <https://www.rfc-editor.org/info/rfc6241>. [RFC6242] Wasserman, M., "Usingoutbound is theNETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, <https://www.rfc-editor.org/info/rfc6242>. [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014, <https://www.rfc-editor.org/info/rfc7296>. [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, <https://www.rfc-editor.org/info/rfc8040>. [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration Access Control Model", STD 91,traffic that is sent from the NSF."; reference "Section 5 in RFC8341, DOI 10.17487/RFC8341, March 2018, <https://www.rfc-editor.org/info/rfc8341>. [RFC8446] Rescorla, E.,4301."; } typedef ipsec-spd-action { type enumeration { enum protect { description "PROTECT the traffic with IPsec."; } enum bypass { description "BYPASS the traffic. The packet is forwarded without IPsec protection."; } enum discard { description "DISCARD the traffic. The IP packet is discarded."; } } description "TheTransport Layer Security (TLS) Protocol Version 1.3",action when traffic matches an IPsec security policy. According to RFC8446, DOI 10.17487/RFC8446, August 2018, <https://www.rfc-editor.org/info/rfc8446>. 11.2. Informative References [I-D.carrel-ipsecme-controller-ike] Carrel, D. and B. Weiss, "IPsec Key Exchange using a Controller", draft-carrel-ipsecme-controller-ike-01 (work4301 there are three possible values: BYPASS, PROTECT AND DISCARD"; reference "Section 4.4.1 inprogress), March 2019. [I-D.ietf-i2nsf-terminology] Hares, S., Strassner, J., Lopez, D., Xia, L.,RFC 4301."; } typedef ipsec-inner-protocol { type union { type uint8; type enumeration { enum any { value 256; description "Any IP protocol number value."; } } } default any; description "IPsec protection can be applied to specific IP traffic andH. Birkholz, "Interfacelayer 4 traffic (TCP, UDP, SCTP, etc.) or ANY protocol in the IP packet payload. We specify the IP protocol number with an uint8 or ANY defining an enumerate with value 256 toNetwork Security Functions (I2NSF) Terminology", draft-ietf-i2nsf-terminology-08 (workindicate the protocol number."; reference "Section 4.4.1.1 inprogress), July 2019. [I-D.tran-ipsecme-yang] Tran, K., Wang, H., Nagaraj, V., and X. Chen, "Yang Data Model for InternetRFC 4301. IANA Registry - ProtocolSecurity (IPsec)", draft-tran- ipsecme-yang-01 (workNumbers."; } grouping encap { description "This group of nodes allows to define the type of encapsulation inprogress), June 2015. [ITU-T.X.1252] "Baseline Identity Management Terms and Definitions", April 2010. [ITU-T.X.800] "Security Architecture for Open Systems Interconnection for CCITT Applications", March 1991. [ITU-T.Y.3300] "Recommendation ITU-T Y.3300", June 2014. [libreswan] The Libreswan Project, "Libreswan VPN software", August 2019. [netconf-vpn] Stefan Wallin, "Tutorial: NETCONF and YANG", January 2014. [ONF-OpenFlow] ONF, "OpenFlow Switch Specification (Version 1.4.0)", October 2013. [ONF-SDN-Architecture] "SDN Architecture", June 2014. [RFC2367] McDonald, D., Metz, C., and B. Phan, "PF_KEY Key Management API, Version 2", RFC 2367, DOI 10.17487/RFC2367, July 1998, <https://www.rfc-editor.org/info/rfc2367>. [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, <https://www.rfc-editor.org/info/rfc3688>. [RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L.,case NAT traversal is required andM. Stenberg, "UDP Encapsulation of IPsecport information."; leaf espencap { type esp-encap; description "ESP in TCP, ESPPackets", RFC 3948, DOI 10.17487/RFC3948, January 2005, <https://www.rfc-editor.org/info/rfc3948>. [RFC6071] Frankel, S. and S. Krishnan, "IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap", RFC 6071, DOI 10.17487/RFC6071, February 2011, <https://www.rfc-editor.org/info/rfc6071>. [RFC7149] Boucadair, M. and C. Jacquenet, "Software-Defined Networking: A Perspective from within a Service Provider Environment", RFC 7149, DOI 10.17487/RFC7149, March 2014, <https://www.rfc-editor.org/info/rfc7149>. [RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model for System Management", RFC 7317, DOI 10.17487/RFC7317, August 2014, <https://www.rfc-editor.org/info/rfc7317>. [RFC7426] Haleplidis, E., Ed., Pentikousis, K., Ed., Denazis, S., Hadi Salim, J., Meyer, D., and O. Koufopavlou, "Software- Defined Networking (SDN): Layersin UDP or ESP in TLS."; } leaf sport { type inet:port-number; default 4500; description "Encapsulation source port."; } leaf dport { type inet:port-number; default 4500; description "Encapsulation destination port."; } leaf-list oaddr { type inet:ip-address; description "If required, this is the original address that was used before NAT was applied over the Packet. "; } reference "RFC 3947 andArchitecture Terminology",RFC7426, DOI 10.17487/RFC7426, January 2015, <https://www.rfc-editor.org/info/rfc7426>. [RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R., and J. Jeong, "Interface8229."; } grouping lifetime { description "Different lifetime values limited toNetwork Security Functions (I2NSF): Problem Statement and Use Cases", RFC 8192, DOI 10.17487/RFC8192, July 2017, <https://www.rfc-editor.org/info/rfc8192>. [RFC8229] Pauly, T., Touati, S., and R. Mantha, "TCP Encapsulation of IKE andan IPsecPackets", RFC 8229, DOI 10.17487/RFC8229, August 2017, <https://www.rfc-editor.org/info/rfc8229>. [RFC8512] Boucadair, M., Ed., Sivakumar, S., Jacquenet, C., Vinapamula, S., and Q. Wu, "A YANG Module for Network Address Translation (NAT) and Network Prefix Translation (NPT)", RFC 8512, DOI 10.17487/RFC8512, January 2019, <https://www.rfc-editor.org/info/rfc8512>. [strongswan] CESNET, "StrongSwan:SA."; leaf time { type uint32; default 0; description "Time in seconds since theOpenSource IPsec-based VPN Solution", August 2019. Appendix A. Appendix A: Common YANG model for IKE and IKE-less cases <CODE BEGINS> file "ietf-ipsec-common@2019-08-05.yang" module ietf-ipsec-common { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-common"; prefix "ipsec-common"; import ietf-inet-types { prefix inet;IPsec SA was added. For example, if this value is 180 seconds it means the IPsec SA expires in 180 seconds since it was added. The value 0 implies infinite."; }import ietf-yang-typesleaf bytes {prefix yang; } organization "IETF I2NSF Working Group"; contact "WG Web: <https://datatracker.ietf.org/wg/i2nsf/about/> WG List: <mailto:i2nsf@ietf.org> Author: Rafael Marin-Lopez <mailto:rafa@um.es> Author: Gabriel Lopez-Millan <mailto:gabilm@um.es> Author: Fernando Pereniguez-Garcia <mailto:fernando.pereniguez@cud.upct.es> ";type uint32; default 0; description"Common Data model for the IKE and IKE-less cases defined by"If theSDN-basedIPsecflow protection service. Copyright (c) 2019 IETF Trust andSA processes thepersons identified as authorsnumber ofthe code. All rights reserved. Redistribution and usebytes expressed insource and binary forms, with or without modification, is permitted pursuant to,this leaf, the IPsec SA expires andsubject toshould be rekeyed. The value 0 implies infinite."; } leaf packets { type uint32; default 0; description "If thelicense terms contained in,IPsec SA processes theSimplified BSD License set forth in Section 4.cnumber of packets expressed in this leaf, theIETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version ofIPsec SA expires and should be rekeyed. The value 0 implies infinite."; } leaf idle { type uint32; default 0; description "When a NSF stores an IPsec SA, it consumes system resources. In an idle NSF thisYANG moduleisparta waste ofRFC XXXX;; seeresources. If theRFC itself for full legal notices. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' inIPsec SA is idle during thisdocument are tonumber of seconds the IPsec SA should beinterpretedremoved. The value 0 implies infinite."; } reference "Section 4.4.2.1 in RFC 4301."; } grouping port-range { description "This grouping defines a port range, such asdescribedexpressed inBCP 14 (RFC 2119) (RFC 8174) when, and only when, they appearRFC 4301. For example: 1500 (Start Port Number)-1600 (End Port Number). A port range is used inall capitals, as shown here."; revision "2019-08-05"the Traffic Selector."; leaf start { type inet:port-number; description"Revision 06"; reference "RFC XXXX: YANG Groupings and typedef for IKE and IKE-less case";"Start port number."; }typedef encryption-algorithm-typeleaf end { typeuint16;inet:port-number; description "End port number."; } reference "Section 4.4.1.2 in RFC 4301."; } grouping tunnel-grouping { description "Theencryption algorithm is specified with a 16-bit number extracted from IANA Registry.parameters required to define the IP tunnel endpoints when IPsec SA requires tunnel mode. Theacceptable values MUST followtunnel is defined by two endpoints: therequirement levels for encryption algorithms for ESP and IKEv2."; reference "IANA Registry- Transform Type 1 - Encryption Algorithm Transform IDs. RFC 8221 - Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH) and RFC 8247 - Algorithm Implementation Requirementslocal IP address andUsage Guidance fortheInternet Key Exchange Protocol Version 2 (IKEv2)."; } typedef integrity-algorithm-typeremote IP address."; leaf local { typeuint16;inet:ip-address; mandatory true; description"The integrity algorithm is specified with a 16-bit number extracted from IANA Registry. The acceptable values MUST follow the requirement levels for encryption algorithms for ESP and IKEv2."; reference "IANA Registry- Transform Type 3 - Integrity Algorithm Transform IDs. RFC 8221 - Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH) and RFC 8247 - Algorithm Implementation Requirements and Usage Guidance for the Internet Key Exchange Protocol Version 2 (IKEv2).";"Local IP address' tunnel endpoint."; }typedef ipsec-modeleaf remote { type inet:ip-address; mandatory true; description "Remote IP address' tunnel endpoint."; } leaf df-bit { type enumeration { enumtransportclear { description"IPsec transport mode. No Network Address Translation (NAT) support.";"Disable the DF (Don't Fragment) bit from the outer header. This is the default value."; } enumtunnelset { description"IPsec tunnel mode.";"Enable the DF bit in the outer header."; } enum copy { description "Copy the DF bit to the outer header."; } } default clear; description"Type definition of"Allow configuring the DF bit when encapsulating tunnel mode IPsecmode: transport or tunnel.";traffic. RFC 4301 describes three options to handle the DF bit during tunnel encapsulation: clear, set and copy from the inner IP header."; reference "Section3.28.1 in RFC 4301."; }typedef esp-encapleaf bypass-dscp { typeenumeration { enum espintcp {boolean; default true; description"ESP"If DSCP (Differentiated Services Code Point) values inTCP encapsulation."; reference "RFC 8229 - TCP Encapsulation of IKE andthe inner header have to be used to select one IPsecPackets.";SA among several that match the traffic selectors for an outbound packet"; reference "Section 4.4.2.1. in RFC 4301."; }enum espintlsleaf dscp-mapping { type yang:hex-string; description"ESP in TCP encapsulation using TLS."; reference "RFC 8229 - TCP Encapsulation of IKE and"DSCP values allowed for packets carried over this IPsecPackets."; } enum espinudp { description "ESP in UDP encapsulation.";SA."; reference"RFC 3948 - UDP Encapsulation of IPsec ESP Packets.";"Section 4.4.2.1. in RFC 4301."; }enum noneleaf ecn { type boolean; default false; description"NOT ESP encapsulation.";"Explicit Congestion Notification (ECN). If true copy CE bits to inner header."; reference "Section 5.1.2 and Annex C in RFC 4301."; } } grouping selector-grouping { description"Types"This grouping contains the definition ofESP encapsulation when Network Address Translation (NAT)a Traffic Selector, which ispresent between two NSFs."; reference "RFC 8229 - TCP Encapsulation of IKE andused in the IPsecPacketspolicies andRFC 3948 - UDP Encapsulation ofIPsecESP Packets."; } typedef ipsec-protocol-parametersSAs."; leaf local-subnet { typeenumeration { enum esp {inet:ip-prefix; mandatory true; description"IPsec ESP protocol.";"Local IP address subnet."; } leaf remote-subnet { type inet:ip-prefix; mandatory true; description "Remote IP address subnet."; } leaf inner-protocol { type ipsec-inner-protocol; default any; description"Only the Encapsulation Security"Inner Protocol(ESP)that issupported but it couldgoing to beextended in the future."; reference "RFC 4303- IP Encapsulating Security Payload (ESP).";protected with IPsec."; }typedef lifetime-action { type enumeration { enum terminate-clearlist local-ports { key "start end"; uses port-range; description"Terminates"List of local ports. When theIPsec SAinner protocol is ICMP this 16 bit value represents code andallows the packets through.";type."; }enum terminate-holdlist remote-ports { key "start end"; uses port-range; description"Terminates"List of remote ports. When theIPsec SA and drops the packets."; } enum replace { description "Replaces the IPsec SA with a new one: rekey. ";upper layer protocol is ICMP this 16 bit value represents code and type."; } reference "Section 4.4.1.2 in RFC 4301."; } grouping ipsec-policy-grouping { description"When the lifetime of"Holds configuration information for an IPsecSA expires an action needsSPD entry."; leaf anti-replay-window { type uint64; default 32; description "A 64-bit counter used tobe performed over the IPsec SA that reached the lifetime. There are three posible options: terminate-clear, terminate-hold and replace.";determine whether an inbound ESP packet is a replay."; reference "Section4.54.4.2.1 in RFC 4301."; }typedef ipsec-traffic-direction { type enumeration { enum inbound { description "Inbound traffic."; } enum outboundcontainer traffic-selector { description"Outbound traffic."; } } description "IPsec traffic direction is defined in two directions: inbound and outbound. From a NSF perspective inbound means the traffic that enters"Packets are selected for processing actions based on theNSFIP andoutbound is the traffic that is sent frominner protocol header information, selectors, matched against entries in theNSF.";SPD."; uses selector-grouping; reference "Section54.4.4.1 in RFC 4301."; }typedef ipsec-spd-action { type enumeration { enum protectcontainer processing-info { description"PROTECT"SPD processing. If thetraffic with IPsec."; } enum bypassrequired processing action is protect, it contains the required information to process the packet."; leaf action { type ipsec-spd-action; default discard; description"BYPASS the traffic. The packet"If bypass or discard, container ipsec-sa-cfg isforwarded without IPsec protection.";empty."; }enum discardcontainer ipsec-sa-cfg { when "../action = 'protect'"; description"DISCARD"IPsec SA configuration included in thetraffic. The IP packet is discarded."; } } description "The action when traffic matches an IPsec security policy. According to RFC 4301 there are three possible values: BYPASS, PROTECT AND DISCARD"; reference "Section 4.4.1 in RFC 4301."; } typedef ipsec-inner-protocol { type unionSPD entry."; leaf pfp-flag { typeuint8; type enumeration { enum any { value 256; description "Any IP protocol number value."; } } }boolean; defaultany;false; description"IPsec protection can be applied"Each selector has a Populate From Packet (PFP) flag. If asserted for a given selector X, the flag indicates that the IPsec SA tospecificbe created should take its value (local IPtraffic and layer 4 traffic (TCP, UDP, SCTP,address, remote IP address, Next Layer Protocol, etc.)or ANY protocolfor X from the value in theIP packet payload. We specifypacket. Otherwise, theIP protocol number with an uint8 or ANY defining an enumerate with value 256 to indicateIPsec SA should take its value(s) for X from theprotocol number."; reference "Section 4.4.1.1value(s) inRFC 4301. IANA Registry - Protocol Numbers."; } grouping encap { description "This group of nodes allows to definethetype of encapsulation in case NAT traversal is required and port information."; leaf espencap { type esp-encap; description "ESP in TCP, ESP in UDP or ESP in TLS.";SPD entry."; } leafsportext-seq-num { typeinet:port-number;boolean; default4500;false; description"Encapsulation source port.";"True if this IPsec SA is using extended sequence numbers. True 64 bit counter, False 32 bit."; } leafdportseq-overflow { typeinet:port-number;boolean; default4500; description "Encapsulation destination port."; } leaf-list oaddr { type inet:ip-address;false; description"If required, this is"The flag indicating whether overflow of theoriginal address that was used before NAT was applied over the Packet. "; } reference "RFC 3947 and RFC 8229."; } grouping lifetime { description "Different lifetime values limited to an IPsec SA."; leaf time { type uint32; default 0; description "Time in seconds sincesequence number counter should prevent transmission of additional packets on the IPsec SAwas added. For example, if this value(false) and, therefore needs to be rekeyed, or whether rollover is180 seconds it means the IPsec SA expires in 180 seconds since it was added. The value 0 implies infinite.";permitted (true). If Authenticated Encryption with Associated Data (AEAD) is used this flag MUST be false."; } leafbytesstateful-frag-check { typeuint32;boolean; default0;false; description"If the IPsec SA processes the number of bytes expressed in this leaf,"Indicates whether (true) or not (false) stateful fragment checking applies to the IPsec SAexpires and shouldto berekeyed. The value 0 implies infinite.";created."; } leafpacketsmode { typeuint32;ipsec-mode; default0;transport; description"If the IPsec SA processes the number of packets expressed in this leaf, the IPsec"IPsec SAexpires and shouldhas to berekeyed. The value 0 implies infinite.";processed in transport or tunnel mode."; } leafidleprotocol-parameters { typeuint32;ipsec-protocol-parameters; default0;esp; description"When a NSF stores an IPsec SA, it consumes system resources. In an idle NSF this is a waste"Security protocol ofresources. Ifthe IPsecSASA: Only ESP isidle during this number of seconds the IPsec SA shouldsupported but it could beremoved. The value 0 implies infinite."; } reference "Section 4.4.2.1extended inRFC 4301.";the future."; }grouping port-rangecontainer esp-algorithms { when "../protocol-parameters = 'esp'"; description"This grouping defines a port range, such as expressed"Configuration of Encapsulating Security Payload (ESP) parameters and algorithms."; leaf-list integrity { type integrity-algorithm-type; default 0; ordered-by user; description "Configuration of ESP authentication based on the specified integrity algorithm. With AEAD algorithms, the integrity node is not used."; reference "Section 3.2 in RFC4301. For example: 1500 (Start Port Number)-1600 (End Port Number). A port range4303."; } leaf-list encryption { type encryption-algorithm-type; default 20; ordered-by user; description "Configuration of ESP encryption algorithms. The default value isused20 (ENCR_AES_GCM_16)."; reference "Section 3.2 inthe Traffic Selector.";RFC 4303."; } leafstarttfc-pad { typeinet:port-number;boolean; default false; description"Start port number.";"If Traffic Flow Confidentiality (TFC) padding for ESP encryption can be used (true) or not (false)"; reference "Section 2.7 in RFC 4303."; }leaf endreference "RFC 4303."; } container tunnel {type inet:port-number;when "../mode = 'tunnel'"; uses tunnel-grouping; description"End port number.";"IPsec tunnel endpoints definition."; } } reference "Section 4.4.1.2 in RFC 4301."; }grouping tunnel-groupingcontainer spd-mark { description "Theparameters requiredMark todefineset for theIP tunnel endpoints whenIPsec SArequires tunnel mode. The tunnelof this connection. This option isdefined by two endpoints: the local IP address and the remote IP address.";only available on linux NETKEY/XFRM kernels. It can be used with iptables to create custom iptables rules using CONNMARK. It can also be used with Virtual Tunnel Interfaces (VTI) to direct marked traffic to specific vtiXX devices."; leaflocalmark { typeinet:ip-address; mandatory true;uint32; default 0; description"Local IP address' tunnel endpoint.";"Mark used to match XFRM policies and states."; } leafremotemask { typeinet:ip-address; mandatory true;yang:hex-string; default 00:00:00:00; description"Remote IP address' tunnel endpoint.";"Mask used to match XFRM policies and states."; }leaf df-bit} } } <CODE ENDS> Appendix B. YANG model for IKE case <CODE BEGINS> file "ietf-ipsec-ike@2019-08-05.yang" module ietf-ipsec-ike {type enumerationyang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-ike"; prefix "ike"; import ietf-inet-types {enum clearprefix inet; } import ietf-yang-types {description "Disable the DF (Don't Fragment) bit from the outer header. This is the default value.";prefix yang; }enum setimport ietf-crypto-types {description "Enable the DF bit in the outer header.";prefix ct; reference "draft-ietf-netconf-crypto-types-10: Common YANG Data Types for Cryptography."; }enum copyimport ietf-ipsec-common {description "Copy the DF bit to the outer header.";prefix ic; reference "RFC XXXX: module ietf-ipsec-common, revision 2019-08-05."; } import ietf-netconf-acm { prefix nacm; reference "RFC 8341: Network Configuration Access Control Model."; }default clear;organization "IETF I2NSF Working Group"; contact "WG Web: <https://datatracker.ietf.org/wg/i2nsf/about/> WG List: <mailto:i2nsf@ietf.org> Author: Rafael Marin-Lopez <mailto:rafa@um.es> Author: Gabriel Lopez-Millan <mailto:gabilm@um.es> Author: Fernando Pereniguez-Garcia <mailto:fernando.pereniguez@cud.upct.es> "; description"Allow configuring the DF bit when encapsulating tunnel mode"This module contains IPsectraffic. RFC 4301 describes three options to handleIKE case model for theDF bit during tunnel encapsulation: clear, setSDN-based IPsec flow protection service. An NSF will implement this module. Copyright (c) 2019 IETF Trust andcopy fromtheinner IP header."; reference "Section 8.1 in RFC 4301."; } leaf bypass-dscp { type boolean; default true; description "If DSCP (Differentiated Services Code Point) values inpersons identified as authors of theinner header have to be usedcode. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject toselect one IPsec SA among several that matchthetraffic selectors for an outbound packet"; reference "Section 4.4.2.1.license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC4301."; } leaf dscp-mapping { type yang:hex-string; description "DSCP values allowedXXXX; see the RFC itself forpackets carried overfull legal notices. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in thisIPsec SA."; reference "Section 4.4.2.1.document are to be interpreted as described inRFC 4301.";BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here."; revision "2019-08-05" { description "Revision 6"; reference "RFC XXXX: YANG model for IKE case."; }leaf ecntypedef ike-spi { typeboolean; default false;uint64 { range "0..max"; } description"Explicit Congestion Notification (ECN). If true copy CE bits to inner header.";"Security Parameter Index (SPI)'s IKE SA."; reference "Section5.1.2 and Annex C2.6 in RFC4301."; }7296."; }grouping selector-grouping { description "This grouping contains the definition of a Traffic Selector, which is used in the IPsec policies and IPsec SAs."; leaf local-subnettypedef autostartup-type { typeinet:ip-prefix; mandatory true; description "Local IP address subnet."; } leaf remote-subnetenumeration { enum add {type inet:ip-prefix; mandatory true;description"Remote IP address subnet.";"IKE/IPsec configuration is only loaded into IKE implementation but IKE/IPsec SA is not started."; }leaf inner-protocolenum on-demand {type ipsec-inner-protocol; default any;description"Inner Protocol that"IKE/IPsec configuration isgoing to be protected with IPsec.";loaded into IKE implementation. The IPsec policies are transferred to the NSF's kernel but the IPsec SAs are not established immediately. The IKE implementation will negotiate the IPsec SAs when the NSF's kernel requests it (i.e. through an ACQUIRE notification)."; }list local-portsenum start {key "start end"; uses port-range;description"List of local ports. When the inner protocol"IKE/IPsec configuration isICMP this 16 bit value represents codeloaded andtype."; } list remote-ports { key "start end"; uses port-range; description "List of remote ports. Whentransferred to theupper layer protocol is ICMP this 16 bit value represents codeNSF's kernel, andtype.";the IKEv2 based IPsec SAs are established immediately without waiting any packet."; }reference "Section 4.4.1.2 in RFC 4301.";}grouping ipsec-policy-grouping { description "Holds configuration information for an IPsec SPD entry."; leaf anti-replay-window { type uint64; default 32;description"A 64-bit counter used"Different policies todetermine whether an inbound ESP packet is a replay."; reference "Section 4.4.2.1 in RFC 4301.";set IPsec SA configuration into NSF's kernel when IKEv2 implementation has started."; }container traffic-selectortypedef pfs-group { type uint16; description"Packets are selected"DH groups forprocessing actions based on the IPIKE andinner protocol header information, selectors, matched against entries in the SPD."; uses selector-grouping;IPsec SA rekey."; reference "Section4.4.4.13.3.2 in RFC4301.";7296. Transform Type 4 - Diffie-Hellman Group Transform IDs in IANA Registry - Internet Key Exchange Version 2 (IKEv2) Parameters."; }container processing-infotypedef auth-protocol-type { type enumeration { enum ikev2 { value 2; description"SPD processing. If the required processing action"IKEv2 authentication protocol. It isprotect, it containstherequired information to process the packet."; leaf action { type ipsec-spd-action; default discard; description "If bypass or discard, container ipsec-sa-cfgonly defined right now. An enum isempty.";used for further extensibility."; } }container ipsec-sa-cfg { when "../action = 'protect'";description"IPSec SA configuration included"IKE authentication protocol version specified in theSPD entry."; leaf pfp-flag { type boolean; default false; description "Each selector has a Populate From Packet (PFP) flag. If asserted for a given selector X, the flag indicates that the IPSec SAPeer Authorization Database (PAD). It is defined as enumerate tobe created should take its value (local IP address, remote IP address, Next Layer Protocol, etc.) for X from the value in the packet. Otherwise, the IPsec SA should take its value(s) for X from the value(s)allow new IKE versions in theSPD entry.";future."; reference "RFC 7296."; }leaf ext-seq-numtypedef auth-method-type { typeboolean; default false; description "True if this IPsec SA is using extended sequence numbers. True 64 bit counter, False 32 bit."; } leaf seq-overflowenumeration { enum pre-shared {type boolean; default false;description"The flag indicating whether overflow of the sequence number counter should prevent transmission of additional packets on"Select pre-shared key as theIPsec SA (false) and, therefore needs to be rekeyed, or whether rollover is permitted (true). If Authenticated Encryption with Associated Data (AEAD) is used this flag MUST be false.";authentication method."; reference "RFC 7296."; }leaf stateful-frag-checkenum eap {type boolean; default false;description"Indicates whether (true) or not (false) stateful fragment checking applies to"Select EAP as theIPsec SA to be created.";authentication method."; reference "RFC 7296."; }leaf modeenum digital-signature {type ipsec-mode; default transport;description"IPsec SA has to be processed in transport or tunnel mode.";"Select digital signature method."; reference "RFC 7296 and RFC 7427."; }leaf protocol-parametersenum null {type ipsec-protocol-parameters; default esp;description"Security protocol of the IPsec SA: Only ESP is supported but it could be extended"Null authentication."; reference "RFC 7619."; } } description "Peer authentication method specified in thefuture.";Peer Authorization Database (PAD)."; } containeresp-algorithmsipsec-ike {when "../protocol-parameters = 'esp'";description"Configuration of Encapsulating Security Payload (ESP) parameters"IKE configuration for a NSF. It includes PAD parameters, IKE connections information andalgorithms."; leaf-list integritystate data."; container pad {type integrity-algorithm-type; default 0; ordered-by user;description "Configuration ofESP authentication based onPeer Authorization Database (PAD). The PAD contains information about IKE peer (local and remote). Therefore, thespecified integrity algorithm. With AEAD algorithms,Security Controller also stores authentication information for this NSF and can include several entries for theintegrity node islocal NSF notused."; reference "Section 3.2 in RFC 4303."; } leaf-list encryptiononly remote peers. Storing local and remote information makes possible to specify that this NSF with identity A will use some particular authentication with remote NSF with identity B and what are the authentication mechanisms allowed to B."; list pad-entry {type encryption-algorithm-type; default 20;key "name"; ordered-by user; description"Configuration of ESP encryption algorithms. The default value"Peer Authorization Database (PAD) entry. It is20 (ENCR_AES_GCM_16)."; reference "Section 3.2 in RFC 4303."; }a list of PAD entries ordered by the I2NSF Controller."; leaftfc-padname { typeboolean; default false;string; description"If Traffic Flow Confidentiality (TFC) padding for ESP encryption"PAD unique name to identify this entry."; } choice identity { mandatory true; description "A particular IKE peer will be identified by one of these identities. This peer can beused (true)a remote peer ornot (false)";local peer (this NSF)."; reference "Section2.74.4.3.1 in RFC4303."; } reference "RFC 4303."; } container tunnel4301."; case ipv4-address{ leaf ipv4-address {when "../mode = 'tunnel'"; uses tunnel-grouping;type inet:ipv4-address; description"IPsec tunnel endpoints definition."; }"Specifies the identity as a single four (4) octet."; }reference "Section 4.4.1.2 in RFC 4301.";}container spd-markcase ipv6-address{ leaf ipv6-address { type inet:ipv6-address; description"The Mark to set for"Specifies theIPsec SA of this connection. This optionidentity as a single sixteen (16) octet IPv6 address. An example isonly available on linux NETKEY/XFRM kernels. It can be used with iptables to create custom iptables rules using CONNMARK. It can also be used with Virtual Tunnel Interfaces (VTI) to direct marked traffic to specific vtiXX devices.";2001:DB8:0:0:8:800:200C:417A."; } } case fqdn-string { leafmarkfqdn-string { typeuint32; default 0;inet:domain-name; description"Mark used to match XFRM policies and states.";"Specifies the identity as a Fully-QualifiedDomain Name (FQDN) string. An example is: example.com. The string MUST NOT contain any terminators (e.g., NULL, CR, etc.)."; } } case rfc822-address-string { leafmaskrfc822-address-string { typeyang:hex-string; default 00:00:00:00;string; description"Mask used to match XFRM policies and states."; } }"Specifies the identity as a fully-qualified RFC822 email address string. An example is, jsmith@example.com. The string MUST NOT contain any terminators e.g., NULL, CR, etc.)."; reference "RFC 822."; } }<CODE ENDS> Appendix B. Appendix B: YANG model for IKEcase<CODE BEGINS> file "ietf-ipsec-ike@2019-08-05.yang" module ietf-ipsec-ikednx509 {yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-ike"; prefix "ike"; import ietf-inet-typesleaf dnx509 {prefix inet;type string; description "Specifies the identity as a ASN.1 X.500 Distinguished Name. An example is C=US,O=Example Organisation,CN=John Smith."; reference "RFC 2247."; }import ietf-yang-types} case gnx509 {prefix yang;leaf gnx509 { type string; description "ASN.1 X.509 GeneralName. RFC 3280."; }import ietf-crypto-types} case id-key {prefix ct; reference "draft-ietf-netconf-crypto-types-10: Common YANG Data Typesleaf id-key { type string; description "Opaque octet stream that may be used to pass vendor-specific information forCryptography.";proprietary types of identification."; reference "Section 3.5 in RFC 7296."; }import ietf-ipsec-common} case id-null {prefix ic;leaf id-null { type empty; description "ID_NULL identification used when IKE identification payload is not used." ; reference "RFCXXXX: module ietf-ipsec-common, revision 2019-08-05.";7619."; }import ietf-netconf-acm} } leaf auth-protocol {prefix nacm; reference "RFC 8341: Network Configuration Access Control Model.";type auth-protocol-type; default ikev2; description "Only IKEv2 is supported right now but other authentication protocols may be supported in the future."; }organization "IETF I2NSF Working Group"; contact "WG Web: <https://datatracker.ietf.org/wg/i2nsf/about/> WG List: <mailto:i2nsf@ietf.org> Author: Rafael Marin-Lopez <mailto:rafa@um.es> Author: Gabriel Lopez-Millan <mailto:gabilm@um.es> Author: Fernando Pereniguez-Garcia <mailto:fernando.pereniguez@cud.upct.es> ";container peer-authentication { description "Thismodule contains IPSec IKE case model forcontainer allows theSDN-based IPsec flow protection service. An NSFSecurity Controller to configure the authentication method (pre-shared key, eap, digitial-signature, null) that willimplement this module. Copyright (c) 2019 IETF Trustuse a particular peer and thepersons identified as authors ofcredentials, which will depend on thecode. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here."; revision "2019-08-05"selected authentication method."; leaf auth-method { type auth-method-type; default pre-shared; description"Revision 6";"Type of authentication method (pre-shared, eap, digital signature, null)."; reference"RFC XXXX: YANG model for IKE case.";"Section 2.15 in RFC 7296."; }typedef ike-spicontainer eap-method {type uint64when "../auth-method = 'eap'"; leaf eap-type {range "0..max";type uint8; mandatory true; description "EAP method type. This information provides the particular EAP method to be used. Depending on the EAP method, pre-shared keys or certificates may be used."; } description"Security Parameter Index (SPI)'s IKE SA.";"EAP method description used when authentication method is 'eap'."; reference "Section2.62.16 in RFC 7296."; }typedef autostartup-type { type enumeration { enum addcontainer pre-shared {description "IKE/IPsec configuration is only loaded into IKE implementation but IKE/IPsec SA is not started."; } enum on-demandwhen "../auth-method[.='pre-shared' or .='eap']"; leaf secret { nacm:default-deny-all; type yang:hex-string; description"IKE/IPsec configuration is loaded into IKE implementation."Pre-shared secret value. TheIPsec policies are transferredNSF has tothe NSF's kernel but the IPsec SAs are not established immediately. The IKE implementation will negotiate the IPsec SAs when the NSF's kernel requests it (i.e. through an ACQUIRE notification).";prevent read access to this value for security reasons."; }enum start {description"IKE/IPsec configuration is loaded and transferred to the NSF's kernel, and the IKEv2"Shared secret value for PSK or EAP method authentication basedIPsec SAs are established immediately without waiting any packet."; }on PSK."; }description "Different policies to set IPsec SA configuration into NSF's kernelcontainer digital-signature { whenIKEv2 implementation has started."; } typedef pfs-group"../auth-method[.='digital-signature' or .='eap']"; leaf ds-algorithm { typeuint16;uint8; description"DH groups for IKE"The digital signature algorithm is specified with a value extracted from the IANA Registry. Depending on the algorithm, the following leafs must contain information. For example if digital signature involves a certificate then leaf 'cert-data' andIPsec SA rekey.";'private-key' will contain this information."; reference"Section 3.3.2 in RFC 7296. Transform Type 4"IKEv2 Authentication Method -Diffie-Hellman Group Transform IDs inIANA Registry - Internet Key Exchange Version 2 (IKEv2) Parameters."; }typedef auth-protocol-type { type enumerationchoice public-key {enum ikev2mandatory true; leaf raw-public-key {value 2;type binary; description"IKEv2 authentication protocol. It is"A binary that contains theonly defined right now. An enum is used for further extensibility."; } } description "IKE authentication protocol version specified invalue of thePeer Authorization Database (PAD). Itpublic key. The interpretation of the content is definedas enumerate to allow new IKE versions inby thefuture."; reference "RFC 7296."; } typedef auth-method-type { type enumeration { enum pre-shared { description "Select pre-shareddigital signature algorithm. For example, an RSA key is represented asthe authentication method."; reference "RFC 7296."; } enum eap { description "Select EAPRSAPublicKey as defined in RFC 8017, and an Elliptic Curve Cryptography (ECC) key is represented using theauthentication method."; reference "RFC 7296."; } enum digital-signature { description "Select digital signature method.";'publicKey' described in RFC 5915."; reference "RFC7296 and RFC 7427.";XXX: Common YANG Data Types for Cryptography."; }enum nullleaf cert-data { type ct:x509; description"Null authentication.";"X.509 certificate data - PEM4."; reference "RFC7619."; } } description "Peer authentication method specified in the Peer Authorization Database (PAD)."; } container ipsec-ike { description "IKE configurationXXX: Common YANG Data Types fora NSF. It includes PAD parameters, IKE connections information and state data."; container pad {Cryptography."; } description"Configuration of Peer Authorization Database (PAD). The PAD contains information about IKE peer (local and remote). Therefore,"If theSecurityI2NSF Controlleralso stores authentication information for this NSF and can include several entries forknows that thelocalNSFnot only remote peers. Storing local and remote information makes possiblealready owns a private key associated tospecify thatthis public key (the NSFwith identity A will use some particular authentication with remote NSF with identity B and what aregenerated theauthentication mechanisms allowed to B."; list pad-entry {pair public key/private key"name"; ordered-by user; description "Peer Authorization Database (PAD) entry. It is a listout of band), it will only configure one ofPAD entries ordered bytheSecurity Controller.";leafnameof this choice. The NSF, based on the public key value can know the private key to be used."; } leaf private-key { nacm:default-deny-all; typestring;binary; description"PAD unique name to identify this entry.";"A binary that contains the value of the private key. The interpretation of the content is defined by the digital signature algorithm. For example, an RSA key is represented as RSAPrivateKey as defined in RFC 8017, and an Elliptic Curve Cryptography (ECC) key is represented as ECPrivateKey as defined in RFC 5915."; reference "RFC XXX: Common YANG Data Types for Cryptography."; }choice identityleaf-list ca-data {mandatory true;type ct:x509; description"A particular IKE peer will be identified by one"List ofthese identities. This peer can be a remote peer or local peer (this NSF).";trusted Certification Authorities (CA) certificates encoded using ASN.1 distinguished encoding rules (DER)."; reference"Section 4.4.3.1 in RFC 4301."; case ipv4-address{"RFC XXX: Common YANG Data Types for Cryptography."; } leafipv4-addresscrl-data { typeinet:ipv4-address;ct:crl; description"Specifies the identity"A CertificateList structure, asa single four (4) octet."; }specified in RFC 5280, encoded using ASN.1 distinguished encoding rules (DER),as specified in ITU-T X.690."; reference "RFC XXX: Common YANG Data Types for Cryptography."; }case ipv6-address{leafipv6-addresscrl-uri { typeinet:ipv6-address;inet:uri; description"Specifies the identity as a single sixteen (16) octet IPv6 address. An example is 2001:DB8:0:0:8:800:200C:417A."; }"X.509 CRL certificate URI."; }case fqdn-string {leaffqdn-stringoscp-uri { typeinet:domain-name;inet:uri; description"Specifies the identity as a Fully-QualifiedDomain Name (FQDN) string. An example is: example.com. The string MUST NOT contain any terminators (e.g., NULL, CR, etc.).";"OCSP URI."; } description "Digital Signature container."; } /*container digital-signature*/ }case rfc822-address-string { leaf rfc822-address-string/*container peer-authentication*/ } } list conn-entry {type string;key "name"; description"Specifies"IKE peer connection information. This list contains theidentity as a fully-qualified RFC822 email address string. An example is, jsmith@example.com. The string MUST NOT contain any terminators e.g., NULL, CR, etc.)."; reference "RFC 822."; } } case dnx509 {IKE connection for this peer with other peers. This will be translated in real time by IKE Security Associations established with these nodes."; leafdnx509name { type string; mandatory true; description"Specifies the identity as a ASN.1 X.500 Distinguished Name. An example is C=US,O=Example Organisation,CN=John Smith."; reference "RFC 2247."; }"Identifier for this connection entry."; }case gnx509 {leafgnx509autostartup { typestring;autostartup-type; default add; description"ASN.1 X.509 GeneralName. RFC 3280."; }"By-default: Only add configuration without starting the security association."; }case id-key {leafid-keyinitial-contact { typestring;boolean; default false; description"Opaque octet stream that may be used"The goal of this value is topass vendor-specific information for proprietary typesdeactivate the usage ofidentification."; reference "Section 3.5 in RFC 7296."; }INITIAL_CONTACT notification (true). If this flag remains to false it means the usage of the INITIAL_CONTACT notification will depend on the IKEv2 implementation."; }case id-null {leafid-nullversion { typeempty;auth-protocol-type; default ikev2; description"ID_NULL identification used when IKE identification payload"IKE version. Only version 2 isnot used." ; reference "RFC 7619."; } }supported so far."; } leafauth-protocolfragmentation { typeauth-protocol-type;boolean; defaultikev2;false; description"Only IKEv2 is supported right now but other authentication protocols may be supported in the future.";"Whether or not to enable IKE fragmentation as per RFC 7383 (true or false)."; reference "RFC 7383."; } containerpeer-authenticationike-sa-lifetime-soft { description"This container allows"IKE SA lifetime soft. Two lifetime values can be configured: either rekey time of theSecurity Controller to configureIKE SA or reauth time of theauthentication method (pre-shared key, eap, digitial-signature, null) that will use a particular peer andIKE SA. When thecredentials, which will depend onrekey lifetime expires a rekey of theselected authentication method.";IKE SA starts. When reauth lifetime expires a IKE SA reauthentication starts."; leafauth-methodrekey-time { typeauth-method-type;uint32; defaultpre-shared;0; description"Type of authentication method (pre-shared, eap, digital signature, null)."; reference "Section 2.15"Time inRFC 7296.";seconds between each IKE SA rekey.The value 0 means infinite."; }container eap-method { when "../auth-method = 'eap'";leafeap-typereauth-time { typeuint8; mandatory true;uint32; default 0; description"EAP method type. This information provides the particular EAP method to be used. Depending on the EAP method, pre-shared keys or certificates may be used.";"Time in seconds between each IKE SA reauthentication. The value 0 means infinite."; }description "EAP method description used when authentication method is 'eap'.";reference "Section2.162.8 in RFC 7296."; } containerpre-sharedike-sa-lifetime-hard {when "../auth-method[.='pre-shared' or .='eap']";description "Hard IKE SA lifetime. When this time is reached the IKE SA is removed."; leafsecretover-time {nacm:default-deny-all;typeyang:hex-string;uint32; default 0; description"Pre-shared secret value."Time in seconds before the IKE SA is removed. TheNSF has to prevent read access to thisvaluefor security reasons.";0 means infinite."; }description "Shared secret value for PSK or EAP method authentication based on PSK.";reference "RFC 7296."; }container digital-signature { when "../auth-method[.='digital-signature' or .='eap']"; leaf ds-algorithmleaf-list authalg { typeuint8;ic:integrity-algorithm-type; default 12; ordered-by user; description"The digital signature"Authentication algorithm for establishing the IKE SA. This list isspecified with a value extractedordered following from theIANA Registry. Depending on the algorithm,higher priority to lower priority. First node of thefollowing leafs must contain information. For example if digital signature involves a certificate then leaf 'cert-data' and 'private-key'list willcontainbe the algorithm with higher priority. If thisinformation."; reference "IKEv2 Authentication Method - IANA Registry - Internet Key Exchange Version 2 (IKEv2) Parameters.";list is empty the default integrity algorithm value assumed is NONE."; }choice public-key { mandatory true; leaf raw-public-keyleaf-list encalg { typebinary;ic:encryption-algorithm-type; default 12; ordered-by user; description"A binary that contains"Encryption or AEAD algorithm for thevalue ofIKE SAs. This list is ordered following from thepublic key. The interpretationhigher priority to lower priority. First node of thecontentlist will be the algorithm with higher priority. If this list isdefined byempty thedigital signature algorithm. For example, an RSA keydefault encryption value assumed isrepresented as RSAPublicKey as defined in RFC 8017, and an Elliptic Curve Cryptography (ECC)NULL."; } leaf dh-group { type pfs-group; default 14; description "Group number for Diffie-Hellman Exponentiation used during IKE_SA_INIT for the IKE SA keyis represented usingexchange."; } leaf half-open-ike-sa-timer { type uint32; description "Set the'publicKey' describedhalf-open IKE SA timeout duration."; reference "Section 2 in RFC5915."; reference "RFC XXX: Common YANG Data Types for Cryptography.";7296."; } leafcert-datahalf-open-ike-sa-cookie-threshold { typect:x509;uint32; description"X.509 certificate data - PEM4.";"Number of half-open IKE SAs that activate the cookie mechanism." ; reference"RFC XXX: Common YANG Data Types for Cryptography.";"Section 2.6 in RFC 7296."; } container local { leaf local-pad-entry-name { type string; description"If the Security Controller knows that the NSF already owns a private key associated"Local peer authentication information. This node points tothis public key (the NSF generateda specific entry in thepair public key/private key out of band), it will only configure one ofPAD where theleaf ofauthorization information about thischoice. The NSF, based on the public key value can know the private key to be used.";particular local peer is stored. It MUST match a pad-entry-name."; } description "Local peer authentication information."; } container remote { leafprivate-keyremote-pad-entry-name {nacm:default-deny-all;typebinary;string; description"A binary that contains the value of"Remote peer authentication information. This node points to a specific entry in theprivate key. The interpretation ofPAD where thecontentauthorization information about this particular remote peer isdefined bystored. It MUST match a pad-entry-name."; } description "Remote peer authentication information."; } container encapsulation-type { uses ic:encap; description "This container carries configuration information about thedigital signature algorithm. For example, an RSA key is represented as RSAPrivateKey as defined in RFC 8017,source andan Elliptic Curve Cryptography (ECC) keydestination ports of encapsulation that IKE should use and the type of encapsulation that should use when NAT traversal isrepresented as ECPrivateKeyrequired. However, this is just a best effort since the IKE implementation may need to use a different encapsulation asdefineddescribed in RFC5915.";8229."; reference "RFCXXX: Common YANG Data Types for Cryptography.";8229."; }leaf-list ca-datacontainer spd {type ct:x509;description"List"Configuration oftrusted Certification Authorities (CA) certificates encoded using ASN.1 distinguished encoding rules (DER)."; reference "RFC XXX: Common YANG Data Types for Cryptography."; } leaf crl-data { type ct:crl; description "A CertificateList structure, as specified in RFC 5280, encoded using ASN.1 distinguished encoding rules (DER),as specifiedthe Security Policy Database (SPD). This main information is placed inITU-T X.690."; reference "RFC XXX: Common YANG Data Types for Cryptography."; } leaf crl-uri { type inet:uri; description "X.509 CRL certificate URI."; } leaf oscp-uri { type inet:uri; description "OCSP URI."; } description "Digital Signature container."; } /*container digital-signature*/ } /*container peer-authentication*/ } }the grouping ipsec-policy-grouping."; listconn-entryspd-entry { key "name";description "IKE peer connection information. This list contains the IKE connection for this peer with other peers. This will be translated in real time by IKE Security Associations established with these nodes.";ordered-by user; leaf name { type string; mandatory true; description"Identifier for this connection entry.";"SPD entry unique name to identify the IPsec policy."; }leaf autostartupcontainer ipsec-policy-config {type autostartup-type; default add;description"By-default: Only add configuration without starting"This container carries thesecurity association.";configuration of a IPsec policy."; uses ic:ipsec-policy-grouping; }leaf initial-contact { type boolean; default false;description"The goal"List ofthis value is to deactivateentries which will constitute theusagerepresentation ofINITIAL_CONTACT notification (true). Ifthe SPD. Since we have IKE in thisflag remains to falsecase, itmeans the usage ofis only required to send a IPsec policy from this NSF where 'local' is this NSF and 'remote' theINITIAL_CONTACT notificationother NSF. The IKE implementation willdependinstall IPsec policies in the NSF's kernel in both directions (inbound and outbound) and their corresponding IPsec SAs based on theIKEv2 implementation.";information in this SPD entry."; }leaf versionreference "Section 2.9 in RFC 7296."; } container child-sa-info { leaf-list pfs-groups { typeauth-protocol-type;pfs-group; defaultikev2;0; ordered-by user; description"IKE version. Only version 2"If non-zero, it issupported so far."; } leaf fragmentation { type boolean; default false; description "Whether or not to enable IKE fragmentation as per RFC 7383 (true or false)."; reference "RFC 7383."; } container ike-sa-lifetime-soft { description "IKE SA lifetime soft. Two lifetime values can be configured: either rekey time of the IKE SA or reauth time of the IKErequired perfect forward secrecy when requesting new IPsec SA.When the rekey lifetime expires a rekey of the IKE SA starts. When reauth lifetime expires a IKE SA reauthentication starts."; leaf rekey-time { type uint32; default 0; description "Time in seconds between each IKE SA rekey.The value 0 means infinite."; } leaf reauth-time { type uint32; default 0; description "Time in seconds between each IKE SA reauthentication.The non-zero value0 means infinite."; } reference "Section 2.8 in RFC 7296."; } container ike-sa-lifetime-hard { description "Hard IKE SA lifetime. When this timeisreached the IKE SA is removed."; leaf over-time { type uint32; default 0; description "Time in seconds before the IKE SA is removed. The value 0 means infinite."; } reference "RFC 7296."; } leaf-list authalg { type ic:integrity-algorithm-type; default 12; ordered-by user; description "Authentication algorithm for establishingtheIKE SA.required group number. This list is ordered following from the higher priority to lower priority. First node of the list will be the algorithm with higherpriority. If this list is empty the default integrity algorithm value assumed is NONE.";priority."; }leaf-list encalgcontainer child-sa-lifetime-soft {type ic:encryption-algorithm-type; default 12; ordered-by user;description"Encryption or AEAD algorithm for"Soft IPsec SA lifetime soft. After theIKE SAs. This listlifetime the action isordered following from the higher priority to lower priority. First node of the list will be the algorithm with higher priority. Ifdefined in thislist is emptycontainer in thedefault encryption value assumed is NULL."; }leafdh-groupaction."; uses ic:lifetime; leaf action { typepfs-group;ic:lifetime-action; default14;replace; description"Group number for Diffie-Hellman Exponentiation used during IKE_SA_INIT for"When theIKElifetime of an IPsec SAkey exchange."; } leaf half-open-ike-sa-timer { type uint32; description "Setexpires an action needs to be performed over thehalf-open IKEIPsec SAtimeout duration.";that reached the lifetime. There are three possible options: terminate-clear, terminate-hold and replace."; reference "Section24.5 in RFC 4301 and Section 2.8 in RFC 7296."; }leaf half-open-ike-sa-cookie-threshold} container child-sa-lifetime-hard {type uint32;description"Number of half-open IKE SAs that activate"IPsec SA lifetime hard. The action will be to terminate thecookie mechanism." ;IPsec SA."; uses ic:lifetime; reference "Section2.62.8 in RFC 7296."; } description "Specific information for IPsec SAs SAs. It includes PFS group and IPsec SAs rekey lifetimes."; } containerlocalstate { config false; leaflocal-pad-entry-nameinitiator { typestring;boolean; description"Local peer authentication information. This node points to a specific entry in the PAD where the authorization information about this particular local peer"It isstored. It MUST match a pad-entry-name.";acting as initiator for this connection."; } leaf initiator-ikesa-spi { type ike-spi; description"Local peer authentication information.";"Initiator's IKE SA SPI."; }container remoteleaf responder-ikesa-spi { type ike-spi; description "Responder's IKE SA SPI."; } leafremote-pad-entry-namenat-local { typestring;boolean; description"Remote peer authentication information. This node points to a specific entry in the PAD where the authorization information about this particular remote peer"True, if local endpoint isstored. It MUST matchbehind apad-entry-name.";NAT."; } leaf nat-remote { type boolean; description"Remote peer authentication information.";"True, if remote endpoint is behind a NAT."; } container encapsulation-type { uses ic:encap; description "This containercarries configurationprovides information about the source and destination ports of encapsulation that IKEshould useis using, and the type of encapsulationthat should usewhen NAT traversal isrequired. However, this is just a best effort since the IKE implementation may need to use a different encapsulation as described in RFC 8229.";required."; reference "RFC 8229."; }container spdleaf established { type uint64; description"Configuration of the Security Policy Database (SPD). This main information is placed in the grouping ipsec-policy-grouping."; list spd-entry"Seconds since this IKE SA has been established."; } leaf current-rekey-time {key "name"; ordered-by user;type uint64; description "Seconds before IKE SA must be rekeyed."; } leafnamecurrent-reauth-time { typestring; mandatory true;uint64; description"SPD entry unique name to identify the IPsec policy.";"Seconds before IKE SA must be re-authenticated."; } description "IKE state data for a particular connection."; } /* ike-sa-state */ } /* ike-conn-entries */ containeripsec-policy-confignumber-ike-sas { config false; leaf total { type uint64; description"This container carries the configuration"Total number ofa IPsec policy."; uses ic:ipsec-policy-grouping;active IKE SAs."; } leaf half-open { type uint64; description"List"Number ofentries which will constitute the representationhalf-open active IKE SAs."; } leaf half-open-cookies { type uint64; description "Number of half open active IKE SAs with cookie activated."; } description "General information about theSPD. Since we haveIKEin this case,SAs. In particular, itis only required to send a IPsec policy from this NSF where 'local' is this NSF and 'remote'provides theother NSF. Thecurrent number of IKEimplementation will install IPsec policies in the NSF's kernel in both directions (inbound and outbound) and their corresponding IPsec SAs based on the information in this SPD entry.";SAs."; }reference "Section 2.9 in RFC 7296.";} /* containerchild-sa-infoipsec-ike */ } <CODE ENDS> Appendix C. YANG model for IKE-less case <CODE BEGINS> file "ietf-ipsec-ikeless@2019-08-05.yang" module ietf-ipsec-ikeless {leaf-list pfs-groupsyang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-ikeless"; prefix "ikeless"; import ietf-yang-types {type pfs-group; default 0; ordered-by user; description "If non-zero, it is required perfect forward secrecy when requesting new IPsec SA. The non-zero value is the required group number. This list is ordered following from the higher priority to lower priority. First node of the list will be the algorithm with higher priority.";prefix yang; }container child-sa-lifetime-softimport ietf-ipsec-common {description "Softprefix ic; reference "Common Data model for SDN-based IPsecSA lifetime soft. After the lifetime the action is defined in this container in the leaf action."; uses ic:lifetime; leaf actionconfiguration."; } import ietf-netconf-acm {type ic:lifetime-action; default replace;prefix nacm; reference "RFC 8341: Network Configuration Access Control Model."; } organization "IETF I2NSF Working Group"; contact "WG Web: <https://datatracker.ietf.org/wg/i2nsf/about/> WG List: <mailto:i2nsf@ietf.org> Author: Rafael Marin-Lopez <mailto:rafa@um.es> Author: Gabriel Lopez-Millan <mailto:gabilm@um.es> Author: Fernando Pereniguez-Garcia <mailto:fernando.pereniguez@cud.upct.es> "; description"When"Data model for IKE-less case in thelifetime of anSDN-base IPsecSA expires an action needs to be performed overflow protection service. Copyright (c) 2019 IETF Trust and theIPsec SA that reachedpersons identified as authors of thelifetime. There are three possible options: terminate-clear, terminate-holdcode. All rights reserved. Redistribution andreplace."; reference "Section 4.5use inRFC 4301source andSection 2.8 in RFC 7296."; } } container child-sa-lifetime-hard { description "IPsec SA lifetime hard. The action will bebinary forms, with or without modification, is permitted pursuant to, and subject toterminatetheIPsec SA."; uses ic:lifetime; reference "Section 2.8license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC7296.";XXXX;; see the RFC itself for full legal notices. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here."; revision "2019-08-05" { description "Revision 06"; reference "RFC XXXX: YANG model for IKE case."; } container ipsec-ikeless { description"Specific information"Container for configuration of the IKE-less case. The container contains two additional containers: 'spd' and 'sad'. The first allows the I2NSF Controller to configure IPsecSAs SAs. It includes PFS grouppolicies in the Security Policy Database SPD, and the second allows to configure IPsecSAs rekey lifetimes."; }Security Associations (IPsec SAs) in the Security Association Database (SAD)."; reference "RFC 4301."; containerstate { config false; leaf initiatorspd {type boolean;description"It is acting as initiator for this connection."; }"Configuration of the Security Policy Database (SPD.)"; reference "Section 4.4.1.2 in RFC 4301."; list spd-entry { key "name"; ordered-by user; leafinitiator-ikesa-spiname { typeike-spi;string; mandatory true; description"Initiator's IKE SA SPI.";"SPD entry unique name to identify this entry."; } leafresponder-ikesa-spidirection { typeike-spi;ic:ipsec-traffic-direction; description"Responder's IKE SA SPI.";"Inbound traffic or outbound traffic. In the IKE-less case the I2NSF Controller needs to specify the policy direction to be applied in the NSF. In the IKE case this direction does not need to be specified since IKE will determine the direction that IPsec policy will require."; } leafnat-localreqid { typeboolean;uint64; default 0; description"True, if local endpoint"This value allows to link this IPsec policy with IPsec SAs with the same reqid. It isbehind a NAT."; } leaf nat-remote { type boolean; description "True, if remote endpointonly required in the IKE-less model since, in the IKE case this link isbehind a NAT.";handled internally by IKE."; } containerencapsulation-typeipsec-policy-config {uses ic:encap;description "This containerprovides information aboutcarries thesource and destination portsconfiguration ofencapsulation that IKEa IPsec policy."; uses ic:ipsec-policy-grouping; } description "The SPD isusing, and the typerepresented as a list ofencapsulation when NAT traversal is required."; reference "RFC 8229.";SPD entries, where each SPD entry represents an IPsec policy."; } /*list spd-entry*/ } /*container spd*/ container sad { description "Configuration of the IPsec Security Association Database (SAD)"; reference "Section 4.4.2.1 in RFC 4301."; list sad-entry { key "name"; ordered-by user; leafestablishedname { typeuint64;string; description"Seconds since"SAD entry unique name to identify thisIKE SA has been established.";entry."; } leafcurrent-rekey-timereqid { type uint64; default 0; description"Seconds before IKE"This value allows to link this IPsec SAmust be rekeyed.";with an IPsec policy with the same reqid."; } container ipsec-sa-config { description "This container allows configuring details of an IPsec SA."; leafcurrent-reauth-timespi { typeuint64;uint32 { range "0..max"; } mandatory true; description"Seconds before IKE SA must be re-authenticated."; } description "IKE state data for a particular connection."; } /* ike-sa-state */"Security Parameter Index (SPI)'s IPsec SA."; }/* ike-conn-entries */ container number-ike-sas { config false;leaftotalext-seq-num { typeuint64;boolean; default true; description"Total number of active IKE SAs.";"True if this IPsec SA is using extended sequence numbers. True 64 bit counter, FALSE 32 bit."; } leafhalf-openseq-number-counter { type uint64; default 0; description"Number of half-open active IKE SAs.";"A 64-bit counter when this IPsec SA is using Extended Sequence Number or 32-bit counter when it is not. It used to generate the initial Sequence Number field in ESP headers."; } leafhalf-open-cookiesseq-overflow { typeuint64;boolean; default false; description"Number"The flag indicating whether overflow ofhalf open active IKE SAs with cookie activated."; } description "General information abouttheIKE SAs. In particular, it provides the currentsequence number counter should prevent transmission ofIKE SAs.";additional packets on the IPsec SA (false) and, therefore needs to be rekeyed, or whether rollover is permitted (true). If Authenticated Encryption with Associated Data (AEAD) is used this flag MUST BE false."; } leaf anti-replay-window { type uint32; default 32; description "A 32-bit counter and a bit-map (or equivalent) used to determine whether an inbound ESP packet is a replay. If set to 0 no anti-replay mechanism is performed."; }/*containeripsec-ike */ } <CODE ENDS> Appendix C. Appendix C: YANG model for IKE-less case <CODE BEGINS> file "ietf-ipsec-ikeless@2019-08-05.yang" module ietf-ipsec-ikeless { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-ipsec-ikeless"; prefix "ikeless"; import ietf-yang-typestraffic-selector {prefix yang;uses ic:selector-grouping; description "The IPsec SA traffic selector."; }import ietf-ipsec-commonleaf protocol-parameters {prefix ic; reference "Common Data model for SDN-based IPSec configuration.";type ic:ipsec-protocol-parameters; default esp; description "Security protocol of IPsec SA: Only ESP so far."; }import ietf-netconf-acmleaf mode {prefix nacm; reference "RFC 8341: Network Configuration Access Control Model.";type ic:ipsec-mode; description "Tunnel or transport mode."; }organization "IETF I2NSF Working Group"; contact "WG Web: <https://datatracker.ietf.org/wg/i2nsf/about/> WG List: <mailto:i2nsf@ietf.org> Author: Rafael Marin-Lopez <mailto:rafa@um.es> Author: Gabriel Lopez-Millan <mailto:gabilm@um.es> Author: Fernando Pereniguez-Garcia <mailto:fernando.pereniguez@cud.upct.es> ";container esp-sa { when "../protocol-parameters = 'esp'"; description"Data model for IKE-less"In caseintheSDN-baseIPsecflow protection service. Copyright (c) 2019 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification,SA ispermitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG moduleEncapsulation Security Payload (ESP), it ispart of RFC XXXX;; see the RFC itself for full legal notices. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document arerequired tobe interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when,specify encryption andonly when, they appear in all capitals, as shown here."; revision "2019-08-05"integrity algorithms, and key material."; container encryption { description"Revision 06"; reference "RFC XXXX: YANG model"Configuration of encryption or AEAD algorithm forIKE case."; } container ipsec-ikeless { description "Container for configuration of the IKE-less case. The container contains two additional containers: 'spd' and 'sad'. The first allows the Security Controller to configure IPsec policies in the Security Policy Database SPD, and the second allows to configure IPsec Security Associations (IPsec SAs) in the Security Association Database (SAD)."; reference "RFC 4301."; container spdIPsec Encapsulation Security Payload (ESP)."; leaf encryption-algorithm { type ic:encryption-algorithm-type; description "Configuration of ESP encryption. With AEAD algorithms, theSecurity Policy Database (SPD.)"; reference "Section 4.4.1.2 in RFC 4301."; list spd-entry { key "name"; ordered-by user;integrity node is not used."; } leafnamekey { nacm:default-deny-all; typestring; mandatory true;yang:hex-string; description"SPD entry unique name to identify this entry.";"ESP encryption key value."; } leafdirectioniv { nacm:default-deny-all; typeic:ipsec-traffic-direction;yang:hex-string; description"Inbound traffic or outbound traffic. In the IKE-less case the"ESP encryption IV value."; } } container integrity { description "Configuration of integrity for IPsec Encapsulation SecurityController needsPayload (ESP). This container allows tospecify the policy directionconfigure integrity algorithm when no AEAD algorithms are used, and integrity is required."; leaf integrity-algorithm { type ic:integrity-algorithm-type; description "Message Authentication Code (MAC) algorithm tobe appliedprovide integrity inthe NSF. In the IKE case this direction does not need to be specified since IKE will determine the direction that IPsec policy will require.";ESP."; } leafreqidkey { nacm:default-deny-all; typeuint64; default 0;yang:hex-string; description"This value allows to link this IPsec policy with IPsec SAs with the same reqid. It is only required in the IKE-less model since, in the IKE case this link is handled internally by IKE.";"ESP integrity key value."; } } } /*container esp-sa*/ containeripsec-policy-configsa-lifetime-hard { description"This container carries the configuration of a IPsec policy.";"IPsec SA hard lifetime. The action associated is terminate and hold."; usesic:ipsec-policy-grouping;ic:lifetime; } container sa-lifetime-soft { description"The SPD is represented as a list of SPD entries, where each SPD entry represents an IPsec policy.";"IPsec SA soft lifetime."; uses ic:lifetime; leaf action { type ic:lifetime-action; description "Action lifetime: terminate-clear, terminate-hold or replace."; }/*list spd-entry*/}/*container spd*/containersadtunnel { when "../mode = 'tunnel'"; uses ic:tunnel-grouping; description"Configuration"Endpoints of theIPSec Security Association Database (SAD)"; reference "Section 4.4.2.1IPsec tunnel."; } container encapsulation-type { uses ic:encap; description "This container carries configuration information about the source and destination ports which will be used for ESP encapsulation that ESP packets the type of encapsulation when NAT traversal is inRFC 4301."; list sad-entryplace."; } } /*ipsec-sa-config*/ container ipsec-sa-state {key "name"; ordered-by user; leaf nameconfig false; description "Container describing IPsec SA state data."; container sa-lifetime-current {type string;uses ic:lifetime; description "SADentry unique name to identify this entry.";lifetime current."; } container replay-stats { description "State data about the anti-replay window."; leafreqidreplay-window { type uint64;default 0;description"This value allows to link this IPsec SA with an IPsec policy with"Current state of thesame reqid.";replay window."; }container ipsec-sa-configleaf packet-dropped { type uint64; description"This container allows configuring details"Packets detected out ofan IPsec SA.";the replay window and dropped because they are replay packets."; } leafspifailed { typeuint32 { range "0..max"; } mandatory true;uint32; description"Security Parameter Index (SPI)'s IPsec SA.";"Number of packets detected out of the replay window."; } leafext-seq-numseq-number-counter { typeboolean; default true;uint64; description"True if this IPsec SA is using extended sequence numbers. True 64 bit counter, FALSE 32 bit."; } leaf seq-number-counter { type uint64; default 0; description "A 64-bit counter when"A 64-bit counter when this IPsec SA is using Extended Sequence Number or 32-bit counter when it is not.It used to generate the initial Sequence Number field in ESP headers."; } leaf seq-overflow { type boolean; default false; description "The flag indicating whether overflowCurrent value ofthesequencenumber counter should prevent transmissionnumber."; } } /* container replay-stats*/ } /*ipsec-sa-state*/ description "List ofadditional packets onSAD entries that conforms the SAD."; } /*list sad-entry*/ } /*container sad*/ }/*container ipsec-ikeless*/ /* Notifications */ notification sadb-acquire { description "An IPsec SA(false) and, therefore needs to be rekeyed, or whether rollover is permitted (true). If Authenticated Encryption with Associated Data (AEAD)isused this flag MUST BE false."; }required. The traffic-selector container contains information about the IP packet that triggers the acquire notification."; leafanti-replay-windowipsec-policy-name { typeuint32; default 32;string; mandatory true; description"A 32-bit counter and a bit-map (or equivalent) used to determine whether an inbound ESP"It contains the SPD entry name (unique) of the IPsec policy that hits the IP packet required IPsec SA. It is assumed the I2NSF Controller will have areplay. If set to 0 no anti-replay mechanismcopy of the information of this policy so it can extract all the information with this unique identifier. The type of IPsec SA isperformed.";defined in the policy so the Security Controller can also know the type of IPsec SA that must be generated."; } container traffic-selector {uses ic:selector-grouping;description "The IP packet that triggered the acquire and requires an IPsecSA traffic selector."; } leaf protocol-parameters { type ic:ipsec-protocol-parameters; default esp; description "SecuritySA. Specifically it will contain the IP source/mask and IP destination/mask; protocolof IPsec SA: Only ESP so far.";(udp, tcp, etc...); and source and destination ports."; uses ic:selector-grouping; }leaf mode} notification sadb-expire {type ic:ipsec-mode;description"Tunnel"An IPsec SA expiration (soft ortransport mode."; } container esp-sahard)."; leaf ipsec-sa-name {when "../protocol-parameters = 'esp'";type string; mandatory true; description"In case"It contains the SAD entry name (unique) of the IPsec SA that has expired. It isEncapsulation Security Payload (ESP), it is required to specify encryptionassumed the I2NSF Controller will have a copy of the IPsec SA information (except the cryptographic material andintegritystate data) indexed by this name (unique identifier) so it can know all the information (crypto algorithms,and key material."; container encryption { description "Configuration of encryptionetc.) about the IPsec SA that has expired in order to perform a rekey (soft lifetime) orAEAD algorithm for IPSec Encapsulation Security Payload (ESP).";delete it (hard lifetime) with this unique identifier."; } leafencryption-algorithmsoft-lifetime-expire { typeic:encryption-algorithm-type;boolean; default true; description"Configuration of ESP encryption. With AEAD algorithms,"If this value is true theintegrity nodelifetime expired isnot used.";soft. If it is false is hard."; }leaf keycontainer lifetime-current {nacm:default-deny-all; type yang:hex-string;description"ESP encryption key value.";"IPsec SA current lifetime. If soft-lifetime-expired is true this container is set with the lifetime information about current soft lifetime."; uses ic:lifetime; }leaf iv} notification sadb-seq-overflow {nacm:default-deny-all; type yang:hex-string;description"ESP encryption IV value."; } } container integrity"Sequence overflow notification."; leaf ipsec-sa-name { type string; mandatory true; description"Configuration"It contains the SAD entry name (unique) ofintegrity for IPSec Encapsulation Security Payload (ESP). This container allowsthe IPsec SA that is about toconfigure integrity algorithm when no AEAD algorithms are used,have sequence number overflow andintegrityrollover isrequired."; leaf integrity-algorithm { type ic:integrity-algorithm-type; description "Message Authentication Code (MAC) algorithm to provide integrity in ESP."; } leaf key { nacm:default-deny-all; type yang:hex-string; description "ESP integrity key value."; } } } /*container esp-sa*/ container sa-lifetime-hard { description "IPsec SA hard lifetime. The action associatednot permitted. It isterminate and hold."; uses ic:lifetime; } container sa-lifetime-soft { description "IPSec SA soft lifetime."; uses ic:lifetime; leaf action { type ic:lifetime-action; description "Action lifetime: terminate-clear, terminate-hold or replace."; } } container tunnel { when "../mode = 'tunnel'"; uses ic:tunnel-grouping; description "Endpointsassumed the I2NSF Controller will have a copy of the IPsectunnel."; } container encapsulation-type { uses ic:encap; description "This container carries configurationSA informationabout(except thesourcecryptographic material anddestination ports which will be used for ESP encapsulation that ESP packetsstate data) indexed by this name (unique identifier) so the it can know all the information (crypto algorithms, etc.) about thetype of encapsulation when NAT traversal is in place."; } } /*ipsec-sa-config*/ container ipsec-sa-state { config false; description "Container describingIPsec SAstate data."; container sa-lifetime-current { uses ic:lifetime; description "SAD lifetime current.";that has expired in order to perform a rekey of the IPsec SA."; }container replay-stats} notification sadb-bad-spi { description"State data about"Notify when theanti-replay window.";NSF receives a packet with an incorrect SPI (i.e. not present in the SAD)."; leafreplay-windowspi { typeuint64;uint32 { range "0..max"; } mandatory true; description"Current state of the replay window."; } leaf packet-dropped { type uint64; description "Packets detected out of the replay window and dropped because they are replay packets."; } leaf failed { type uint32; description "Number of packets detected out of"SPI number contained in thereplay window."; } leaf seq-number-counter { type uint64; description "A 64-bit counter when thiserroneous IPsecSA is using Extended Sequence Number or 32-bit counter when it is not. Current value of sequence number."; } } /* container replay-stats*/ } /*ipsec-sa-state*/ description "List of SAD entries that conforms the SAD.";packet."; }/*list sad-entry*/}/*container sad*/ }/*container ipsec-ikeless*/ /* Notifications */ notification sadb-acquire { description "An IPsec SA is required. The traffic-selector container contains information about the IP packet that triggers the acquire notification."; leaf ipsec-policy-name { type string; mandatory true; description "It contains the SPD entry name (unique) of the IPsec policy that hits the IP packet required IPsec SA. It is assumed}/*module ietf-ipsec*/ <CODE ENDS> Appendix D. XML configuration example for IKE case (gateway-to-gateway) This example shows a XML configuration file sent by theSecurityI2NSF Controllerwill haveto establish acopy of the information of this policy so it can extract all the information with this unique identifier. The type ofIPsecSA is definedSecurity Association between two NSFs (see Figure 3) in tunnel mode (gateway-to-gateway) with ESP, authentication based on X.509 certificates and applying thepolicy so the SecurityIKE case. +------------------+ | I2NSF Controllercan also know the type of IPsec SA that must be generated."; } container traffic-selector { description "The IP packet that triggered| +------------------+ I2NSF NSF-Facing | Interface | /------------------+-----------------\ / \ / \ +----+ +--------+ +--------+ +----+ | h1 |--| nsf_h1 |== IPsec_ESP_Tunnel_mode == | nsf_h2 |--| h2 | +----+ +--------+ +--------+ +----+ :1 :100 :200 :1 (2001:DB8:1:/64) (2001:DB8:123:/64) (2001:DB8:2:/64) Figure 3: IKE case, tunnel mode , X.509 certificate authentication. <ipsec-ike xmlns="urn:ietf:params:xml:ns:yang:ietf-ipsec-ike" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"> <pad> <pad-entry> <name>nsf_h1_pad</name> <ipv6-address>2001:DB8:123::100</ipv6-address> <peer-authentication> <auth-method>digital-signature</auth-method> <digital-signature> <cert-data>base64encodedvalue==</cert-data> <private-key>base64encodedvalue==</private-key> <ca-data>base64encodedvalue==</ca-data> </digital-signature> </peer-authentication> </pad-entry> <pad-entry> <name>nsf_h2_pad</name> <ipv6-address>2001:DB8:123::200</ipv6-address> <auth-protocol>ikev2</auth-protocol> <peer-authentication> <auth-method>digital-signature</auth-method> <digital-signature> <!-- RSA Digital Signature --> <ds-algorithm>1</ds-algorithm> <cert-data>base64encodedvalue==</cert-data> <ca-data>base64encodedvalue==</ca-data> </digital-signature> </peer-authentication> </pad-entry> </pad> <conn-entry> <name>nsf_h1-nsf_h2</name> <autostartup>start</autostartup> <version>ikev2</version> <initial-contact>false</initial-contact> <fragmentation>true</fragmentation> <ike-sa-lifetime-soft> <rekey-time>60</rekey-time> <reauth-time>120</reauth-time> </ike-sa-lifetime-soft> <ike-sa-lifetime-hard> <over-time>3600</over-time> </ike-sa-lifetime-hard> <authalg>7</authalg> <!--AUTH_HMAC_SHA1_160--> <encalg>3</encalg> <!--ENCR_3DES --> <dh-group>18</dh-group> <!--8192-bit MODP Group--> <half-open-ike-sa-timer>30</half-open-ike-sa-timer> <half-open-ike-sa-cookie-threshold> 15 </half-open-ike-sa-cookie-threshold> <local> <local-pad-entry-name>nsf_h1_pad</local-pad-entry-name> </local> <remote> <remote-pad-entry-name>nsf_h2_pad</remote-pad-entry-name> </remote> <spd> <spd-entry> <name>nsf_h1-nsf_h2</name> <ipsec-policy-config> <anti-replay-window>32</anti-replay-window> <traffic-selector> <local-subnet>2001:DB8:1::0/64</local-subnet> <remote-subnet>2001:DB8:2::0/64</remote-subnet> <inner-protocol>any</inner-protocol> <local-ports> <start>0</start> <end>0</end> </local-ports> <remote-ports> <start>0</start> <end>0</end> </remote-ports> </traffic-selector> <processing-info> <action>protect</action> <ipsec-sa-cfg> <pfp-flag>false</pfp-flag> <ext-seq-num>true</ext-seq-num> <seq-overflow>false</seq-overflow> <stateful-frag-check>false</stateful-frag-check> <mode>tunnel</mode> <protocol-parameters>esp</protocol-parameters> <esp-algorithms> <!-- AUTH_HMAC_SHA1_96 --> <integrity>2</integrity> <!-- ENCR_AES_CBC --> <encryption>12</encryption> <tfc-pad>false</tfc-pad> </esp-algorithms> <tunnel> <local>2001:DB8:123::100</local> <remote>2001:DB8:123::200</remote> <df-bit>clear</df-bit> <bypass-dscp>true</bypass-dscp> <ecn>false</ecn> </tunnel> </ipsec-sa-cfg> </processing-info> </ipsec-policy-config> </spd-entry> </spd> <child-sa-info> <!--8192-bit MODP Group --> <pfs-groups>18</pfs-groups> <child-sa-lifetime-soft> <bytes>1000000</bytes> <packets>1000</packets> <time>30</time> <idle>60</idle> <action>replace</action> </child-sa-lifetime-soft> <child-sa-lifetime-hard> <bytes>2000000</bytes> <packets>2000</packets> <time>60</time> <idle>120</idle> </child-sa-lifetime-hard> </child-sa-info> </conn-entry> </ipsec-ike> Appendix E. XML configuration example for IKE-less case (host-to-host) This example shows a XML configuration file sent by theacquire and requires anI2NSF Controller to establish a IPsecSA. Specifically it will contain the IP source/mask and IP destination/mask; protocol (udp, tcp, etc...); and sourceSecurity Association between two NSFs (see Figure 4) in transport mode (host-to-host) with ESP, anddestination ports."; uses ic:selector-grouping; } } notification sadb-expire { description "An IPsec SA expiration (soft or hard)."; leaf ipsec-sa-name { type string; mandatory true; description "It containsapplying theSAD entry name (unique)IKE-less case. +------------------+ | I2NSF Controller | +------------------+ I2NSF NSF-Facing | Interface | /--------------------+-------------------\ / \ / \ +--------+ +--------+ | nsf_h1 |===== IPsec_ESP_Transport_mode =====| nsf_h2 | +--------+ +--------+ :100 (2001:DB8:123:/64) :200 Figure 4: IKE-less case, transport mode. <ipsec-ikeless xmlns="urn:ietf:params:xml:ns:yang:ietf-ipsec-ikeless" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"> <spd> <spd-entry> <name> in/trans/2001:DB8:123::200/2001:DB8:123::100 </name> <direction>inbound</direction> <reqid>1</reqid> <ipsec-policy-config> <traffic-selector> <local-subnet>2001:DB8:123::200/128</local-subnet> <remote-subnet>2001:DB8:123::100/128</remote-subnet> <inner-protocol>any</inner-protocol> <local-ports> <start>0</start> <end>0</end> </local-ports> <remote-ports> <start>0</start> <end>0</end> </remote-ports> </traffic-selector> <processing-info> <action>protect</action> <ipsec-sa-cfg> <ext-seq-num>true</ext-seq-num> <seq-overflow>true</seq-overflow> <mode>transport</mode> <protocol-parameters>esp</protocol-parameters> <esp-algorithms> <!--AUTH_HMAC_SHA1_96--> <integrity>2</integrity> <!--ENCR_AES_CBC --> <encryption>12</encryption> </esp-algorithms> </ipsec-sa-cfg> </processing-info> </ipsec-policy-config> </spd-entry> <spd-entry> <name>out/trans/2001:DB8:123::100/2001:DB8:123::200</name> <direction>outbound</direction> <reqid>1</reqid> <ipsec-policy-config> <traffic-selector> <local-subnet>2001:DB8:123::100/128</local-subnet> <remote-subnet>2001:DB8:123::200/128</remote-subnet> <inner-protocol>any</inner-protocol> <local-ports> <start>0</start> <end>0</end> </local-ports> <remote-ports> <start>0</start> <end>0</end> </remote-ports> </traffic-selector> <processing-info> <action>protect</action> <ipsec-sa-cfg> <ext-seq-num>true</ext-seq-num> <seq-overflow>true</seq-overflow> <mode>transport</mode> <protocol-parameters>esp</protocol-parameters> <esp-algorithms> <!-- AUTH_HMAC_SHA1_96 --> <integrity>2</integrity> <!-- ENCR_AES_CBC --> <encryption>12</encryption> </esp-algorithms> </ipsec-sa-cfg> </processing-info> </ipsec-policy-config> </spd-entry> </spd> <sad> <sad-entry> <name>out/trans/2001:DB8:123::100/2001:DB8:123::200</name> <reqid>1</reqid> <ipsec-sa-config> <spi>34501</spi> <ext-seq-num>true</ext-seq-num> <seq-number-counter>100</seq-number-counter> <seq-overflow>true</seq-overflow> <anti-replay-window>32</anti-replay-window> <traffic-selector> <local-subnet>2001:DB8:123::100/128</local-subnet> <remote-subnet>2001:DB8:123::200/128</remote-subnet> <inner-protocol>any</inner-protocol> <local-ports> <start>0</start> <end>0</end> </local-ports> <remote-ports> <start>0</start> <end>0</end> </remote-ports> </traffic-selector> <protocol-parameters>esp</protocol-parameters> <mode>transport</mode> <esp-sa> <encryption> <!-- //ENCR_AES_CBC --> <encryption-algorithm>12</encryption-algorithm> <key>01:23:45:67:89:AB:CE:DF</key> <iv>01:23:45:67:89:AB:CE:DF</iv> </encryption> <integrity> <!-- //AUTH_HMAC_SHA1_96 --> <integrity-algorithm>2</integrity-algorithm> <key>01:23:45:67:89:AB:CE:DF</key> </integrity> </esp-sa> </ipsec-sa-config> </sad-entry> <sad-entry> <name>in/trans/2001:DB8:123::200/2001:DB8:123::100</name> <reqid>1</reqid> <ipsec-sa-config> <spi>34502</spi> <ext-seq-num>true</ext-seq-num> <seq-number-counter>100</seq-number-counter> <seq-overflow>true</seq-overflow> <anti-replay-window>32</anti-replay-window> <traffic-selector> <local-subnet>2001:DB8:123::200/128</local-subnet> <remote-subnet>2001:DB8:123::100/128</remote-subnet> <inner-protocol>any</inner-protocol> <local-ports> <start>0</start> <end>0</end> </local-ports> <remote-ports> <start>0</start> <end>0</end> </remote-ports> </traffic-selector> <protocol-parameters>esp</protocol-parameters> <mode>transport</mode> <esp-sa> <encryption> <!-- //ENCR_AES_CBC --> <encryption-algorithm>12</encryption-algorithm> <key>01:23:45:67:89:AB:CE:DF</key> <iv>01:23:45:67:89:AB:CE:DF</iv> </encryption> <integrity> <!-- //AUTH_HMAC_SHA1_96 --> <integrity-algorithm>2</integrity-algorithm> <key>01:23:45:67:89:AB:CE:DF</key> </integrity> </esp-sa> <sa-lifetime-hard> <bytes>2000000</bytes> <packets>2000</packets> <time>60</time> <idle>120</idle> </sa-lifetime-hard> <sa-lifetime-soft> <bytes>1000000</bytes> <packets>1000</packets> <time>30</time> <idle>60</idle> <action>replace</action> </sa-lifetime-soft> </ipsec-sa-config> </sad-entry> </sad> </ipsec-ikeless> Appendix F. XML notification examples Below we show several XML files that represent different types of notifications defined in theIPsec SA that has expired. It is assumedIKE-less YANG model, which are sent by theSecurity Controller will have a copy ofNSF to the I2NSF Controller. The notifications happen in the IKE-less case. <sadb-expire xmlns="urn:ietf:params:xml:ns:yang:ietf-ipsec-ikeless"> <ipsec-sa-name>in/trans/2001:DB8:123::200/2001:DB8:123::100 </ipsec-sa-name> <soft-lifetime-expire>true</soft-lifetime-expire> <lifetime-current> <bytes>1000000</bytes> <packets>1000</packets> <time>30</time> <idle>60</idle> </lifetime-current> </sadb-expire> Figure 5: Example of sadb-expire notification. <sadb-acquire xmlns="urn:ietf:params:xml:ns:yang:ietf-ipsec-ikeless"> <ipsec-policy-name>in/trans/2001:DB8:123::200/2001:DB8:123::100 </ipsec-policy-name> <traffic-selector> <local-subnet>2001:DB8:123::200/128</local-subnet> <remote-subnet>2001:DB8:123::100/128</remote-subnet> <inner-protocol>any</inner-protocol> <local-ports> <start>0</start> <end>0</end> </local-ports> <remote-ports> <start>0</start> <end>0</end> </remote-ports> </traffic-selector> </sadb-acquire> Figure 6: Example of sadb-acquire notification. <sadb-seq-overflow xmlns="urn:ietf:params:xml:ns:yang:ietf-ipsec-ikeless"> <ipsec-sa-name>in/trans/2001:DB8:123::200/2001:DB8:123::100 </ipsec-sa-name> </sadb-seq-overflow> Figure 7: Example of sadb-seq-overflow notification. <sadb-bad-spi xmlns="urn:ietf:params:xml:ns:yang:ietf-ipsec-ikeless"> <spi>666</spi> </sadb-bad-spi> Figure 8: Example of sadb-bad-spi notification. Appendix G. Operational use cases examples G.1. Example of IPsec SAinformation (exceptestablishment This appendix exemplifies thecryptographic materialapplicability of IKE case andstate data) indexed by this name (unique identifier) so it can know all the information (crypto algorithms, etc.) about theIKE-less case to traditional IPsecSAconfigurations, thathas expiredis, host-to-host and gateway-to-gateway. The examples we show inorder to perform a rekey (soft lifetime) or delete it (hard lifetime) with this unique identifier."; } leaf soft-lifetime-expire { type boolean; default true; description "If this value is true the lifetime expired is soft. If it is false is hard."; } container lifetime-current { description "IPsec SA current lifetime. If soft-lifetime-expired is true this container is set withthelifetime information about current soft lifetime."; uses ic:lifetime; } } notification sadb-seq-overflow { description "Sequence overflow notification."; leaf ipsec-sa-name { type string; mandatory true; description "It containsfollowing assume theSAD entry name (unique)existence ofthetwo NSFs needing to establish an end-to-end IPsec SA to protect their communications. Both NSFs could be two hosts thatis aboutexchange traffic (host-to-host) or gateways (gateway-to-gateway), for example, within an enterprise that needs tohave sequence number overflow and rollover is not permitted. It is assumedprotect theSecurity Controller will have a copy oftraffic between the networks of two branch offices. Applicability of these configurations appear in current and new networking scenarios. For example, SD-WAN technologies are providing dynamic and on-demand VPN connections between branch offices, or between branches and SaaS cloud services. Beside, IaaS services providing virtualization environments are deployments solutions based on IPsecSA information (except the cryptographic materialto provide secure channels between virtual instances (host- to-host) andstate data) indexed by this name (unique identifier) so the it can know allproviding VPN solutions for virtualized networks (gateway-to-gateway). As we will show in theinformation (crypto algorithms, etc.) aboutfollowing, the I2NSF-based IPsecSA that has expired in ordermanagement system (for IKE and IKE-less cases), exhibits various advantages: 1. It allows toperform a rekey of thecreate IPsecSA."; } } notification sadb-bad-spi { description "Notify whenSAs among two NSFs, based only on theNSF receivesapplication of general Flow-based Protection Policies at the I2NSF User. Thus, administrators can manage all security associations in apacketcentralized point with anincorrect SPI (i.e. not present inabstracted view of theSAD)."; leaf spi { type uint32 { range "0..max"; } mandatory true; description "SPI number containednetwork. 2. Any NSF deployed in theerroneous IPsec packet."; } } }/*module ietf-ipsec*/ <CODE ENDS> Appendix D. Example of IKE case, tunnel mode (gateway-to-gateway) with X.509 certificate authentication. This example shows a XML configuration file sent by the Security Controller to establish a IPsec Security Association between two NSFssystem does not need manual configuration, therefore allowing its deployment intunnel mode (gateway-to-gateway) with ESP, and authentication based on X.509 certificates using IKEv2. Securityan automated manner. G.1.1. IKE case +----------------------------------------+ | I2NSF User (IPsec Management System) | +----------------------------------------+ | (1) Flow-based I2NSF Consumer-Facing Protection Policy Interface | +---------|------------------------------+ | | | | | I2NSF Controller |/---- Southbound interface -----\ / \ / \ / \| V | | +--------------+ (2)+--------------+ | | |Translate into|--->| NETCONF/ | | | |IPsec Policies| | RESTCONF | | | +--------------+ +--------------+ | | | | | | | | | +--------------------------|-----|-------+ | | I2NSF NSF-Facing Interface | | | (3) | |-------------------------+ +---| V V +----------------------+ +----------------------+ | NSF A | | NSF B | | IKEv2/IPsec(SPD/PAD) | | IKEv2/IPsec(SPD/PAD) | +----------------------+ +----------------------+ Figure 9: Host-to-host /\ nsf_h1 nsf_h2 h1---- (:1/:100)===== IPsec_ESP_Tunnel_mode =====(:200/:1)-------h2 2001:DB8:1:/64 (2001:DB8:123:/64) 2001:DB8:2:/64gateway-to-gateway for the IKE case. Figure7:9 describes the application of the IKEcase, tunnel mode , X.509 certicate authentication. <ipsec-ike xmlns="urn:ietf:params:xml:ns:yang:ietf-ipsec-ike" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"> <pad> <pad-entry> <name>nsf_h1_pad</name> <ipv6-address>2001:DB8:123::100</ipv6-address> <peer-authentication> <auth-method>digital-signature</auth-method> <digital-signature> <cert-data>base64encodedvalue==</cert-data> <private-key>base64encodedvalue==</private-key> <ca-data>base64encodedvalue==</ca-data> </digital-signature> </peer-authentication> </pad-entry> <pad-entry> <name>nsf_h2_pad</name> <ipv6-address>2001:DB8:123::200</ipv6-address> <auth-protocol>ikev2</auth-protocol> <peer-authentication> <auth-method>digital-signature</auth-method> <digital-signature> <!-- RSA Digital Signature --> <ds-algorithm>1</ds-algorithm> <cert-data>base64encodedvalue==</cert-data> <ca-data>base64encodedvalue==</ca-data> </digital-signature> </peer-authentication> </pad-entry> </pad> <conn-entry> <name>nsf_h1-nsf_h2</name> <autostartup>start</autostartup> <version>ikev2</version> <initial-contact>false</initial-contact> <fragmentation>true</fragmentation> <ike-sa-lifetime-soft> <rekey-time>60</rekey-time> <reauth-time>120</reauth-time> </ike-sa-lifetime-soft> <ike-sa-lifetime-hard> <over-time>3600</over-time> </ike-sa-lifetime-hard> <authalg>7</authalg> <!--AUTH_HMAC_SHA1_160--> <encalg>3</encalg> <!--ENCR_3DES --> <dh-group>18</dh-group> <!--8192-bit MODP Group--> <half-open-ike-sa-timer>30</half-open-ike-sa-timer> <half-open-ike-sa-cookie-threshold> 15 </half-open-ike-sa-cookie-threshold> <local> <local-pad-entry-name>nsf_h1_pad</local-pad-entry-name> </local> <remote> <remote-pad-entry-name>nsf_h2_pad</remote-pad-entry-name> </remote> <spd> <spd-entry> <name>nsf_h1-nsf_h2</name> <ipsec-policy-config> <anti-replay-window>32</anti-replay-window> <traffic-selector> <local-subnet>2001:DB8:1::0/64</local-subnet> <remote-subnet>2001:DB8:2::0/64</remote-subnet> <inner-protocol>any</inner-protocol> <local-ports> <start>0</start> <end>0</end> </local-ports> <remote-ports> <start>0</start> <end>0</end> </remote-ports> </traffic-selector> <processing-info> <action>protect</action> <ipsec-sa-cfg> <pfp-flag>false</pfp-flag> <ext-seq-num>true</ext-seq-num> <seq-overflow>false</seq-overflow> <stateful-frag-check>false</stateful-frag-check> <mode>tunnel</mode> <protocol-parameters>esp</protocol-parameters> <esp-algorithms> <!-- AUTH_HMAC_SHA1_96 --> <integrity>2</integrity> <!-- ENCR_AES_CBC --> <encryption>12</encryption> <tfc-pad>false</tfc-pad> </esp-algorithms> <tunnel> <local>2001:DB8:123::100</local> <remote>2001:DB8:123::200</remote> <df-bit>clear</df-bit> <bypass-dscp>true</bypass-dscp> <ecn>false</ecn> </tunnel> </ipsec-sa-cfg> </processing-info> </ipsec-policy-config> </spd-entry> </spd> <child-sa-info> <!--8192-bit MODP Group --> <pfs-groups>18</pfs-groups> <child-sa-lifetime-soft> <bytes>1000000</bytes> <packets>1000</packets> <time>30</time> <idle>60</idle> <action>replace</action> </child-sa-lifetime-soft> <child-sa-lifetime-hard> <bytes>2000000</bytes> <packets>2000</packets> <time>60</time> <idle>120</idle> </child-sa-lifetime-hard> </child-sa-info> </conn-entry> </ipsec-ike> Appendix E. Example of IKE-less case, transport mode (host-to-host). This example showscase when aXML configuration file sent by the Security Controllerdata packet needs toestablishbe protected in the path between the NSF A and NSF B: 1. The I2NSF User defines aIPsec Security associationgeneral flow-based protection policy (e.g. protect data traffic betweentwoNSF A and B). The I2NSF Controller looks for the NSFs involved (NSF A and NSF B). 2. The I2NSF Controller generates IKEv2 credentials for them and translates the policies into SPD and PAD entries. 3. The I2NSF Controller inserts an IKEv2 configuration that includes the SPD and PAD entries intransport mode (host-to-host)both NSF A and NSF B. If some of operations withESP. SecurityNSF A and NSF B fail the I2NSF Controller| /---- Southbound interface -----\ / \ / \ / \ / \ nsf_h1 nsf_h2 (:100)===== IPsec_ESP_Transport_mode =====(:200) (2001:DB8:123:/64) Figure 8:will stop the process and perform a rollback operation by deleting any IKEv2, SPD and PAD configuration that had been successfully installed in NSF A or B. If the previous steps are successful, the flow is protected by means of the IPsec SA established with IKEv2 between NSF A and NSF B. G.1.2. IKE-lesscase, transport mode. <ipsec-ikeless xmlns="urn:ietf:params:xml:ns:yang:ietf-ipsec-ikeless" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"> <spd> <spd-entry> <name> in/trans/2001:DB8:123::200/2001:DB8:123::100 </name> <direction>inbound</direction> <reqid>1</reqid> <ipsec-policy-config> <traffic-selector> <local-subnet>2001:DB8:123::200/128</local-subnet> <remote-subnet>2001:DB8:123::100/128</remote-subnet> <inner-protocol>any</inner-protocol> <local-ports> <start>0</start> <end>0</end> </local-ports> <remote-ports> <start>0</start> <end>0</end> </remote-ports> </traffic-selector> <processing-info> <action>protect</action> <ipsec-sa-cfg> <ext-seq-num>true</ext-seq-num> <seq-overflow>true</seq-overflow> <mode>transport</mode> <protocol-parameters>esp</protocol-parameters> <esp-algorithms> <!--AUTH_HMAC_SHA1_96--> <integrity>2</integrity> <!--ENCR_AES_CBC --> <encryption>12</encryption> </esp-algorithms> </ipsec-sa-cfg> </processing-info> </ipsec-policy-config> </spd-entry> <spd-entry> <name>out/trans/2001:DB8:123::100/2001:DB8:123::200</name> <direction>outbound</direction> <reqid>1</reqid> <ipsec-policy-config> <traffic-selector> <local-subnet>2001:DB8:123::100/128</local-subnet> <remote-subnet>2001:DB8:123::200/128</remote-subnet> <inner-protocol>any</inner-protocol> <local-ports> <start>0</start> <end>0</end> </local-ports> <remote-ports> <start>0</start> <end>0</end> </remote-ports> </traffic-selector> <processing-info> <action>protect</action> <ipsec-sa-cfg> <ext-seq-num>true</ext-seq-num> <seq-overflow>true</seq-overflow> <mode>transport</mode> <protocol-parameters>esp</protocol-parameters> <esp-algorithms> <!-- AUTH_HMAC_SHA1_96 --> <integrity>2</integrity> <!-- ENCR_AES_CBC --> <encryption>12</encryption> </esp-algorithms> </ipsec-sa-cfg> </processing-info> </ipsec-policy-config> </spd-entry> </spd> <sad> <sad-entry> <name>out/trans/2001:DB8:123::100/2001:DB8:123::200</name> <reqid>1</reqid> <ipsec-sa-config> <spi>34501</spi> <ext-seq-num>true</ext-seq-num> <seq-number-counter>100</seq-number-counter> <seq-overflow>true</seq-overflow> <anti-replay-window>32</anti-replay-window> <traffic-selector> <local-subnet>2001:DB8:123::100/128</local-subnet> <remote-subnet>2001:DB8:123::200/128</remote-subnet> <inner-protocol>any</inner-protocol> <local-ports> <start>0</start> <end>0</end> </local-ports> <remote-ports> <start>0</start> <end>0</end> </remote-ports> </traffic-selector> <protocol-parameters>esp</protocol-parameters> <mode>transport</mode> <esp-sa> <encryption> <!-- //ENCR_AES_CBC --> <encryption-algorithm>12</encryption-algorithm> <key>01:23:45:67:89:AB:CE:DF</key> <iv>01:23:45:67:89:AB:CE:DF</iv> </encryption> <integrity> <!-- //AUTH_HMAC_SHA1_96 --> <integrity-algorithm>2</integrity-algorithm> <key>01:23:45:67:89:AB:CE:DF</key> </integrity> </esp-sa> </ipsec-sa-config> </sad-entry> <sad-entry> <name>in/trans/2001:DB8:123::200/2001:DB8:123::100</name> <reqid>1</reqid> <ipsec-sa-config> <spi>34502</spi> <ext-seq-num>true</ext-seq-num> <seq-number-counter>100</seq-number-counter> <seq-overflow>true</seq-overflow> <anti-replay-window>32</anti-replay-window> <traffic-selector> <local-subnet>2001:DB8:123::200/128</local-subnet> <remote-subnet>2001:DB8:123::100/128</remote-subnet> <inner-protocol>any</inner-protocol> <local-ports> <start>0</start> <end>0</end> </local-ports> <remote-ports> <start>0</start> <end>0</end> </remote-ports> </traffic-selector> <protocol-parameters>esp</protocol-parameters> <mode>transport</mode> <esp-sa> <encryption> <!-- //ENCR_AES_CBC --> <encryption-algorithm>12</encryption-algorithm> <key>01:23:45:67:89:AB:CE:DF</key> <iv>01:23:45:67:89:AB:CE:DF</iv> </encryption> <integrity> <!-- //AUTH_HMAC_SHA1_96 --> <integrity-algorithm>2</integrity-algorithm> <key>01:23:45:67:89:AB:CE:DF</key> </integrity> </esp-sa> <sa-lifetime-hard> <bytes>2000000</bytes> <packets>2000</packets> <time>60</time> <idle>120</idle> </sa-lifetime-hard> <sa-lifetime-soft> <bytes>1000000</bytes> <packets>1000</packets> <time>30</time> <idle>60</idle> <action>replace</action> </sa-lifetime-soft> </ipsec-sa-config> </sad-entry> </sad> </ipsec-ikeless> Appendix F. Examplescase +----------------------------------------+ | I2NSF User (IPsec Management System) | +----------------------------------------+ | (1) Flow-based I2NSF Consumer-Facing Protection Policy Interface | +---------|------------------------------+ | | | | | I2NSF Controller | | V | | +--------------+ (2) +--------------+ | | |Translate into|---->| NETCONF/ | | | |IPsec Policies| | RESTCONF | | | +--------------+ +--------------+ | | | | | +-------------------------|-----|--------+ | | I2NSF NSF-Facing Interface | | | (3) | |----------------------+ +--| V V +----------------+ +----------------+ | NSF A | | NSF B | | IPsec(SPD/SAD) | | IPsec(SPD/SAD) | +----------------+ +----------------+ Figure 10: Host-to-host / gateway-to-gateway for IKE-less case. Figure 10 describes the application of the IKE-less case when a data packet needs to be protected in the path between the NSF A and NSF B: 1. The I2NSF User establishes a general Flow-based Protection Policy and the I2NSF Controller looks for the involved NSFs. 2. The I2NSF Controller translates the flow-based security policies into IPsec SPD and SAD entries. 3. The I2NSF Controller inserts these entries in both NSF A and NSF B IPsec databases (SPD and SAD). The following text describes how this would happen: * The I2NSF Controller chooses two random values as SPIs: for example, SPIa1 for NSF A and SPIb1 for NSF B. These numbers MUST NOT be in conflict with any IPsec SA in NSF A or NSF B. It also generates fresh cryptographic material for the new inbound/outbound IPsec SAs and their parameters. * After that, the I2NSF Controller sends simultaneously the new inbound IPsec SA with SPIa1 and new outbound IPsec SA with SPIb1 to NSF A; and the new inbound IPsec SA with SPIb1 and new outbound IPsec SA with SPIa1 to B, together with the corresponding IPsec policies. * Once the I2NSF Controller receives confirmation from NSF A and NSF B, it knows that the IPsec SAs are correctly installed and ready. Other alternative to this operation is: the I2NSF Controller sends first the IPsec policies and new inbound IPsec SAs to A and B and once it obtains a successful confirmation of these operations from NSF A and NSF B, it proceeds with installing to the new outbound IPsec SAs. Despite this procedure may increase the latency to complete the process, no traffic is sent over the network until the IPsec SAs are completely operative. In any case other alternatives MAY be possible to implement step 3. 4. If some of the operations described above fails (e.g. the NSF A reports an error when the I2NSF Controller is trying to install the SPD entry, the new inbound or outbound IPsec SAs) the I2NSF Controller must perform rollback operations by deleting any new inbound or outbound SA and SPD entry that had been successfully installed in any of the NSFs (e.g NSF B) and stop the process. Note that the I2NSF Controller may retry several times before giving up. 5. Otherwise, if the steps 1 to 3 are successful, the flow between NSF A and NSF B is protected by means of the IPsec SAs established by the I2NSF Controller. It is worth mentioning that the I2NSF Controller associates a lifetime to the new IPsec SAs. When this lifetime expires, the NSF will send a sadb-expire notification to the I2NSF Controller in order to start the rekeying process. Instead of installing IPsec policies (in the SPD) and IPsec SAs (in the SAD) in step 3 (proactive mode), it is also possible that the I2NSF Controller only installs the SPD entries in step 3 (reactive mode). In such a case, when a data packet requires to be protected with IPsec, the NSF that saw first the data packet will send a sadb- acquire notification that informs the I2NSF Controller that needs SAD entries with the IPsec SAs to process the data packet. In such as reactive mode, upon reception of the sadb-acquire notification, the I2NSF Controller installs the new IPsec SAs in NSF A and B (following the procedure previously described in step 3) but without sending any IPsec policies, since IPsec policies are already installed in the SPD. Again, if some of the operations installing the new inbound/ outbound IPsec SAs fail, the I2NSF Controller stops the process and performs a rollback operation by deleting any new inbound/outbound SAs that had been successfully installed. G.2. Example of the rekeying process in IKE-less case To explain an example of the rekeying process between two IPsec NSFs A and B, let assume that SPIa1 identifies the inbound IPsec SA in A, and SPIb1 the inbound IPsec SA in B. The rekeying process will take the following steps: 1. The I2NSF Controller chooses two random values as SPI for the new inbound IPsec SAs: for example, SPIa2 for A and SPIb2 for B. These numbers MUST NOT be in conflict with any IPsec SA in A or B. Then, the I2NSF Controller creates an inbound IPsec SA with SPIa2 in A and another inbound IPsec SA in B with SPIb2. It can send this information simultaneously to A and B. 2. Once the I2NSF Controller receives confirmation from A and B, the controller knows that the inbound IPsec SAs are correctly installed. Then it proceeds to send in parallel to A and B, the outbound IPsec SAs: the outbound IPsec SA to A with SPIb2, and the outbound IPsec SA to B with SPIa2. At this point the new IPsec SAs are ready. 3. Once the I2NSF Controller receives confirmation from A and B that the outbound IPsec SAs have been installed, the I2NSF Controller, in parallel, deletes the old IPsec SAs from A (inbound SPIa1 and outbound SPIb1) and B (outbound SPIa1 and inbound SPIb1). If some ofnotifications. Below we showthe operations in step 1 fail (e.g. the NSF A reports an error when the I2NSF Controller is trying to install a new inbound IPsec SA) the I2NSF Controller must perform rollback operations by removing any new inbound SA that had been successfully installed during step 1. If step 1 is successful but some of the operations in step 2 fails (e.g. the NSF A reports an error when the I2NSF Controller is trying to install the new outbound IPsec SA), the I2NSF Controller must perform a rollback operation by deleting any new outbound SA that had been successfully installed during step 2 and by deleting the inbound SAs created in step 1. If the steps 1 an 2 are successful and the step 3 fails, the I2NSF Controller will avoid any rollback of the operations carried out in step 1 and step 2 since new and valid IPsec SAs were created and are functional. The I2NSF Controller may reattempt to remove the old inbound and outbound SAs in NSF A and NSF B severalXML files that represent different typestimes until it receives a success or it gives up. In the last case, the old IPsec SAs will be removed when their corresponding hard lifetime is reached. G.3. Example ofnotifications definedmanaging NSF state loss in IKE-less case In the IKE-lessYANG model, which are sent bycase, if the I2NSF Controller detects that a NSFtohas lost theSecurity Controller.IPsec state, it could follow the next steps: 1. Thenotifications happenI2NSF Controller SHOULD delete the old IPsec SAs on the non- failed nodes, established with the failed node. This prevents the non-failed nodes from leaking plaintext. 2. If the affected node restarts, the I2NSF Controller configures the new inbound IPsec SAs between the affected node and all the nodes it was talking to. 3. After these inbound IPsec SAs have been established, the I2NSF Controller configures the outbound IPsec SAs in parallel. Step 2 and step 3 can be performed at theIKE-less case. <sadb-expire xmlns="urn:ietf:params:xml:ns:yang:ietf-ipsec-ikeless"> <ipsec-sa-name>in/trans/2001:DB8:123::200/2001:DB8:123::100 </ipsec-sa-name> <soft-lifetime-expire>true</soft-lifetime-expire> <lifetime-current> <bytes>1000000</bytes> <packets>1000</packets> <time>30</time> <idle>60</idle> </lifetime-current> </sadb-expire> Figure 9: Example of sadb-expire notification. <sadb-acquire xmlns="urn:ietf:params:xml:ns:yang:ietf-ipsec-ikeless"> <ipsec-policy-name>in/trans/2001:DB8:123::200/2001:DB8:123::100 </ipsec-policy-name> <traffic-selector> <local-subnet>2001:DB8:123::200/128</local-subnet> <remote-subnet>2001:DB8:123::100/128</remote-subnet> <inner-protocol>any</inner-protocol> <local-ports> <start>0</start> <end>0</end> </local-ports> <remote-ports> <start>0</start> <end>0</end> </remote-ports> </traffic-selector> </sadb-acquire> Figure 10: Example of sadb-acquire notification. <sadb-seq-overflow xmlns="urn:ietf:params:xml:ns:yang:ietf-ipsec-ikeless"> <ipsec-sa-name>in/trans/2001:DB8:123::200/2001:DB8:123::100 </ipsec-sa-name> </sadb-seq-overflow> Figure 11: Examplesame time at the cost ofsadb-seq-overflow notification. <sadb-bad-spi xmlns="urn:ietf:params:xml:ns:yang:ietf-ipsec-ikeless"> <spi>666</spi> </sadb-bad-spi> Figure 12: Examplea potential packet loss. If this is not critic then it is an optimization since the number ofsadb-bad-spi notification.exchanges between I2NSF Controller and NSFs is lower. Authors' Addresses Rafa Marin-Lopez University of Murcia Campus de Espinardo S/N, Faculty of Computer Science Murcia 30100 Spain Phone: +34 868 88 85 01 EMail: rafa@um.es Gabriel Lopez-Millan University of Murcia Campus de Espinardo S/N, Faculty of Computer Science Murcia 30100 Spain Phone: +34 868 88 85 04 EMail: gabilm@um.es Fernando Pereniguez-Garcia University Defense Center Spanish Air Force Academy, MDE-UPCT San Javier (Murcia) 30720 Spain Phone: +34 968 18 99 46 EMail: fernando.pereniguez@cud.upct.es