--- 1/draft-ietf-i2nsf-sdn-ipsec-flow-protection-09.txt 2020-10-21 07:13:21.928549798 -0700 +++ 2/draft-ietf-i2nsf-sdn-ipsec-flow-protection-10.txt 2020-10-21 07:13:22.144555270 -0700 @@ -1,20 +1,20 @@ I2NSF R. Marin-Lopez Internet-Draft G. Lopez-Millan Intended status: Standards Track University of Murcia -Expires: April 15, 2021 F. Pereniguez-Garcia +Expires: April 24, 2021 F. Pereniguez-Garcia University Defense Center - October 12, 2020 + October 21, 2020 Software-Defined Networking (SDN)-based IPsec Flow Protection - draft-ietf-i2nsf-sdn-ipsec-flow-protection-09 + draft-ietf-i2nsf-sdn-ipsec-flow-protection-10 Abstract This document describes how to provide IPsec-based flow protection (integrity and confidentiality) by means of an Interface to Network Security Function (I2NSF) controller. It considers two main well- known scenarios in IPsec: (i) gateway-to-gateway and (ii) host-to- host. The service described in this document allows the configuration and monitoring of IPsec Security Associations (SAs) from a I2NSF Controller to one or several flow-based Network Security 
@@ -34,21 +34,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on April 15, 2021. + This Internet-Draft will expire on April 24, 2021. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -82,24 +82,24 @@ 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 26 10.1. Normative References . . . . . . . . . . . . . . . . . . 26 10.2. Informative References . . . . . . . . . . . . . . . . . 29 Appendix A. Common YANG model for IKE and IKE-less cases . . . . 31 Appendix B. YANG model for IKE case . . . . . . . . . . . . . . 46 Appendix C. YANG model for IKE-less case . . . . . . . . . . . . 65 Appendix D. XML configuration example for IKE case (gateway-to- gateway) . . . . . . . . . . . . . . . . . . . . . . 76 Appendix E. XML configuration example for IKE-less case (host- - to-host) . . . . . . . . . . . . . . . . . . . . . . 79 + to-host) . . . . . . . . . . . . . . . . . . . . . . 80 Appendix F. XML notification examples . . . . . . . . . . . . . 84 - Appendix G. Operational use cases examples . . . . . . . . . . . 85 - G.1. Example of IPsec SA establishment . . . . . . . . . . . . 85 + Appendix G. Operational use cases examples . . . . . . . . . . . 86 + G.1. Example of IPsec SA establishment . . . . . . . . . . . . 86 G.1.1. IKE case . . . . . . . . . . . . . . . . . . . . . . 86 G.1.2. IKE-less case . . . . . . . . . . . . . . . . . . . . 88 G.2. Example of the rekeying process in IKE-less case . . . . 90 G.3. Example of managing NSF state loss in IKE-less case . . . 91 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 91 1. Introduction Software-Defined Networking (SDN) is an architecture that enables users to directly program, orchestrate, control and manage network 
@@ -624,24 +624,24 @@ | +--rw name string | +--rw autostartup? autostartup-type | +--rw initial-contact? boolean | +--rw version? auth-protocol-type | +--rw fragmentation? boolean | +--rw ike-sa-lifetime-soft | | +--rw rekey-time? uint32 | | +--rw reauth-time? uint32 | +--rw ike-sa-lifetime-hard | | +--rw over-time? uint32 - | +--rw authalg* ic:integrity-algorithm-type + | +--rw authalg* nsfikec:integrity-algorithm-type | +--rw encalg* [id] | | +--rw id uint8 - | | +--rw algorithm-type? ic:encryption-algorithm-type + | | +--rw algorithm-type? nsfikec:encryption-algorithm-type | | +--rw key-length? uint16 | +--rw dh-group? pfs-group | +--rw half-open-ike-sa-timer? uint32 | +--rw half-open-ike-sa-cookie-threshold? uint32 | +--rw local | | +--rw local-pad-entry-name string | +--rw remote | | +--rw remote-pad-entry-name string | +--rw encapsulation-type | | +--rw espencap? esp-encap 
@@ -669,41 +669,41 @@ | | | +--rw pfp-flag? boolean | | | +--rw ext-seq-num? boolean | | | +--rw seq-overflow? boolean | | | +--rw stateful-frag-check? boolean | | | +--rw mode? ipsec-mode | | | +--rw protocol-parameters? ipsec-protocol-parameters | | | +--rw esp-algorithms | | | | +--rw integrity* integrity-algorithm-type | | | | +--rw encryption* [id] | | | | | +--rw id uint8 - | | | | | +--rw algorithm-type? ic:encryption-algorithm-type + | | | | | +--rw algorithm-type? nsfikec:encryption-algorithm-type | | | | | +--rw key-length? uint16 | | | | +--rw tfc-pad? boolean | | | +--rw tunnel | | | +--rw local inet:ip-address | | | +--rw remote inet:ip-address | | | +--rw df-bit? enumeration | | | +--rw bypass-dscp? boolean | | | +--rw dscp-mapping? yang:hex-string | | | +--rw ecn? boolean | | +--rw spd-mark | | +--rw mark? uint32 | | +--rw mask? yang:hex-string | +--rw child-sa-info | | +--rw pfs-groups* pfs-group | | +--rw child-sa-lifetime-soft | | | +--rw time? uint32 | | | +--rw bytes? uint32 | | | +--rw packets? uint32 | | | +--rw idle? uint32 - | | | +--rw action? ic:lifetime-action + | | | +--rw action? nsfikec:lifetime-action | | +--rw child-sa-lifetime-hard | | +--rw time? uint32 | | +--rw bytes? uint32 | | +--rw packets? uint32 | | +--rw idle? uint32 | +--ro state | +--ro initiator? boolean | +--ro initiator-ikesa-spi? ike-spi | +--ro responder-ikesa-spi? ike-spi | +--ro nat-local? boolean 
@@ -776,21 +776,21 @@ The definition of the SAD model has been mainly extracted from the specification in section 4.4.2 in [RFC4301] though with some changes, namely: o Each IPsec SA (sad-entry) contains one traffic selector, instead of a list of them. The reason is that we have observed actual kernel implementations only admit a single traffic selector per IPsec SA. - o Each IPsec SA contains a identifier (reqid) to relate the policy + o Each IPsec SA contains a identifier (reqid) to relate the IPsec SA with the IPsec Policy. The reason is that we have observed real kernel implementations allow to include this value. o Each IPsec SA has also a name in the same way as IPsec policies. o Combined algorithm has been removed because encryption algorithm MAY include authenticated encryption with associated data (AEAD). o Tunnel information has been extended with information about Differentiated Services Code Point (DSCP) mapping and Explicit @@ -812,21 +812,21 @@ The data model for the IKE-less case is defined by YANG model "ietf- i2nsf-ikeless". Its structure is depicted in the following diagram, using the notation syntax for YANG tree diagrams ([RFC8340]). module: ietf-i2nsf-ikeless +--rw ipsec-ikeless +--rw spd | +--rw spd-entry* [name] | +--rw name string - | +--rw direction ic:ipsec-traffic-direction + | +--rw direction nsfikec:ipsec-traffic-direction | +--rw reqid? uint64 | +--rw ipsec-policy-config | +--rw anti-replay-window? uint64 | +--rw traffic-selector | | +--rw local-subnet inet:ip-prefix | | +--rw remote-subnet inet:ip-prefix | | +--rw inner-protocol? ipsec-inner-protocol | | +--rw local-ports* [start end] | | | +--rw start inet:port-number | | | +--rw end inet:port-number 
@@ -839,21 +839,21 @@ | | +--rw pfp-flag? boolean | | +--rw ext-seq-num? boolean | | +--rw seq-overflow? boolean | | +--rw stateful-frag-check? boolean | | +--rw mode? ipsec-mode | | +--rw protocol-parameters? ipsec-protocol-parameters | | +--rw esp-algorithms | | | +--rw integrity* integrity-algorithm-type | | | +--rw encryption* [id] | | | | +--rw id uint8 - | | | | +--rw algorithm-type?ic:encryption-algorithm-type + | | | |+--rw algorithm-type? nsfikec:encryption-algorithm-type | | | | +--rw key-length? uint16 | | | +--rw tfc-pad? boolean | | +--rw tunnel | | +--rw local inet:ip-address | | +--rw remote inet:ip-address | | +--rw df-bit? enumeration | | +--rw bypass-dscp? boolean | | +--rw dscp-mapping? yang:hex-string | | +--rw ecn? boolean | +--rw spd-mark 
@@ -872,41 +872,41 @@ | +--rw traffic-selector | | +--rw local-subnet inet:ip-prefix | | +--rw remote-subnet inet:ip-prefix | | +--rw inner-protocol? ipsec-inner-protocol | | +--rw local-ports* [start end] | | | +--rw start inet:port-number | | | +--rw end inet:port-number | | +--rw remote-ports* [start end] | | +--rw start inet:port-number | | +--rw end inet:port-number - | +--rw protocol-parameters? ic:ipsec-protocol-parameters - | +--rw mode? ic:ipsec-mode + | +--rw protocol-parameters? nsfikec:ipsec-protocol-parameters + | +--rw mode? nsfikec:ipsec-mode | +--rw esp-sa | | +--rw encryption - | | | +--rw encryption-algorithm? ic:encryption-algorithm-type + | | |+--rw encryption-algorithm? nsfikec:encryption-algorithm-type | | | +--rw key? yang:hex-string | | | +--rw iv? yang:hex-string | | +--rw integrity - | | +--rw integrity-algorithm? ic:integrity-algorithm-type + | | +--rw integrity-algorithm? nsfikec:integrity-algorithm-type | | +--rw key? yang:hex-string | +--rw sa-lifetime-hard | | +--rw time? uint32 | | +--rw bytes? uint32 | | +--rw packets? uint32 | | +--rw idle? uint32 | +--rw sa-lifetime-soft | | +--rw time? uint32 | | +--rw bytes? uint32 | | +--rw packets? uint32 | | +--rw idle? uint32 - | | +--rw action? ic:lifetime-action + | | +--rw action? nsfikec:lifetime-action | +--rw tunnel | | +--rw local inet:ip-address | | +--rw remote inet:ip-address | | +--rw df-bit? enumeration | | +--rw bypass-dscp? boolean | | +--rw dscp-mapping? yang:hex-string | | +--rw ecn? boolean | +--rw encapsulation-type | +--rw espencap? esp-encap | +--rw sport? inet:port-number 
@@ -918,43 +918,43 @@ | +--ro bytes? uint32 | +--ro packets? uint32 | +--ro idle? uint32 +--ro replay-stats +--ro replay-window? uint64 +--ro packet-dropped? uint64 +--ro failed? uint32 +--ro seq-number-counter? uint64 notifications: - +---n sadb-acquire + +---n sadb-acquire {ikeless-notification}? | +--ro ipsec-policy-name string | +--ro traffic-selector | +--ro local-subnet inet:ip-prefix | +--ro remote-subnet inet:ip-prefix | +--ro inner-protocol? ipsec-inner-protocol | +--ro local-ports* [start end] | | +--ro start inet:port-number | | +--ro end inet:port-number | +--ro remote-ports* [start end] | +--ro start inet:port-number | +--ro end inet:port-number - +---n sadb-expire + +---n sadb-expire {ikeless-notification}? | +--ro ipsec-sa-name string | +--ro soft-lifetime-expire? boolean | +--ro lifetime-current | +--ro time? uint32 | +--ro bytes? uint32 | +--ro packets? uint32 | +--ro idle? uint32 - +---n sadb-seq-overflow + +---n sadb-seq-overflow {ikeless-notification}? | +--ro ipsec-sa-name string - +---n sadb-bad-spi + +---n sadb-bad-spi {ikeless-notification}? +--ro spi uint32 The data model consists of a unique "ipsec-ikeless" container which, in turn, is integrated by two additional containers: "spd" and "sad". The "spd" container consists of a list of entries that conform the Security Policy Database. Compared to the IKE case data model, this part specifies a few additional parameters necessary due to the absence of an IKE software in the NSF: traffic direction to apply the IPsec policy, and a value to link an IPsec policy with its associated IPsec SAs. The "sad" container is a list of entries that conform the 
@@ -991,31 +991,31 @@ URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless Registrant Contact: The IESG. XML: N/A, the requested URI is an XML namespace. This document registers three YANG modules in the "YANG Module Names" registry [RFC6020]. Following the format in [RFC6020], the following registrations are requested: Name: ietf-i2nsf-ikec Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikec - Prefix: ic + Prefix: nsfikec Reference: RFC XXXX Name: ietf-i2nsf-ike Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ike - Prefix: ike + Prefix: nsfike Reference: RFC XXXX Name: ietf-i2nsf-ikeless Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless - Prefix: ikeless + Prefix: nsfikels Reference: RFC XXXX 8. Security Considerations First of all, this document shares all the security issues of SDN that are specified in the "Security Considerations" section of [ITU-T.Y.3300] and [RFC7426]. On the one hand, it is important to note that there MUST exist a security association between the I2NSF Controller and the NSFs to 
@@ -1095,21 +1095,21 @@ any other entity (including the I2NSF Controller itself) once they have been applied (i.e. write only operations) into the NSFs. Nevertheless, if the attacker has access to the I2NSF Controller during the period of time that key material is generated, it may obtain these values. In other words, the attacker might be able to observe the IPsec traffic and decrypt, or even modify and re-encrypt, the traffic between peers. 8.3. YANG modules - The YANG modules specified in this document defines a schema for data + The YANG modules specified in this document define a schema for data that is designed to be accessed via network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS [RFC8446]. The Network Configuration Access Control Model (NACM) [RFC8341] provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or 
@@ -1155,23 +1155,23 @@ /ipsec-ike/pad: This container includes sensitive information to read operations. This information should never be returned to a client. For example, cryptographic material configured in the NSFs: peer-authentication/pre-shared/secret and peer- authentication/digital-signature/private-key are already protected by the NACM extension "default-deny-all" in this document. For the IKE-less case (ietf-i2nsf-ikeless): - /ipsec-ikeless/sad/ipsec-sa-config/esp-sa: This container - includes symmetric keys for the IPsec SAs. For example, - encryption/key contains a ESP encryption key value and + /ipsec-ikeless/sad/sad-entry/ipsec-sa-config/esp-sa: This + container includes symmetric keys for the IPsec SAs. For + example, encryption/key contains a ESP encryption key value and encryption/iv contains a initialization vector value. Similarly, integrity/key has ESP integrity key value. Those values must not be read by anyone and are protected by the NACM extension "default-deny-all" in this document. 9. Acknowledgements Authors want to thank Paul Wouters, Valery Smyslov, Sowmini Varadhan, David Carrel, Yoav Nir, Tero Kivinen, Martin Bjorklund, Graham Bartlett, Sandeep Kampati, Linda Dunbar, Mohit Sethi, Martin @@ -1408,26 +1408,26 @@ Appendix A. Common YANG model for IKE and IKE-less cases This Appendix is Normative. This YANG module has normative references to [RFC3947], [RFC4301], [RFC4303], [RFC8174], [RFC8221] and [IKEv2-Parameters]. This YANG module has informative references to [RFC3948] and [RFC8229]. - file "ietf-i2nsf-ikec@2020-10-12.yang" + file "ietf-i2nsf-ikec@2020-10-21.yang" module ietf-i2nsf-ikec { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikec"; - prefix "ic"; + prefix "nsfikec"; import ietf-inet-types { prefix inet; reference "RFC 6991: Common YANG Data Types"; } import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types"; } 
@@ -1464,21 +1464,21 @@ This version of this YANG module is part of RFC XXXX;; see the RFC itself for full legal notices. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision "2020-10-12" { + revision "2020-10-21" { description "Initial version."; reference "RFC XXXX: Software-Defined Networking (SDN)-based IPsec Flow Protection."; } typedef encryption-algorithm-type { type uint16; description "The encryption algorithm is specified with a 16-bit number extracted from IANA Registry. The acceptable @@ -2038,25 +2038,24 @@ key id; ordered-by user; leaf id { type uint8; description "The index of list with the different encryption algorithms and its key-length (if required)."; } leaf algorithm-type { - type ic:encryption-algorithm-type; + type nsfikec:encryption-algorithm-type; default 20; description - "Default value 20 - (ENCR_AES_GCM_16)"; + "Default value 20 (ENCR_AES_GCM_16)"; } leaf key-length { type uint16; default 128; description "By default key length is 128 bits"; } description "Encryption or AEAD algorithm for the @@ -2130,21 +2128,21 @@ This Appendix is Normative. This YANG module has normative references to [RFC2247], [RFC5280], [RFC4301], [RFC5280], [RFC5915], [RFC6991], [RFC7296], [RFC7383], [RFC7427], [RFC7619], [RFC8017], [RFC8174], [RFC8341], [ITU-T.X.690], [I-D.draft-ietf-netconf-crypto-types] and [IKEv2-Parameters]. This YANG module has informative references to [RFC8229]. - file "ietf-i2nsf-ike@2020-10-12.yang" + file "ietf-i2nsf-ike@2020-10-21.yang" module ietf-i2nsf-ike { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ike"; prefix "nsfike"; import ietf-inet-types { prefix inet; reference "RFC 6991: Common YANG Data Types"; } 
@@ -2154,21 +2152,21 @@ reference "RFC 6991: Common YANG Data Types"; } import ietf-crypto-types { prefix ct; reference "RFC XXXX: YANG Data Types and Groupings for Cryptography."; } import ietf-i2nsf-ikec { - prefix ic; + prefix nsfikec; reference "Common Data model for SDN-based IPsec configuration."; } import ietf-netconf-acm { prefix nacm; reference "RFC 8341: Network Configuration Access Control Model."; @@ -2210,21 +2208,21 @@ This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision "2020-10-12" { + revision "2020-10-21" { description "Initial version."; reference "RFC XXXX: Software-Defined Networking (SDN)-based IPsec Flow Protection."; } typedef ike-spi { type uint64 { range "0..max"; } description "Security Parameter Index (SPI)'s IKE SA."; @@ -2757,21 +2755,21 @@ type uint32; default 0; description "Time in seconds before the IKE SA is removed. The value 0 means infinite."; } reference "RFC 7296."; } leaf-list authalg { - type ic:integrity-algorithm-type; + type nsfikec:integrity-algorithm-type; default 12; ordered-by user; description "Authentication algorithm for establishing the IKE SA. This list is ordered following from the higher priority to lower priority. First node of the list will be the algorithm with higher priority."; } 
@@ -2781,21 +2779,21 @@ ordered-by user; leaf id { type uint8; description "The index of the list with the different encryption algorithms and its key-length (if required). E.g. AES-CBC, 128 bits"; } leaf algorithm-type { - type ic:encryption-algorithm-type; + type nsfikec:encryption-algorithm-type; default 12; description "Default value 12 (ENCR_AES_CBC)"; } leaf key-length { type uint16; default 128; description "By default key length is 128 bits"; } @@ -2859,21 +2857,21 @@ the PAD where the authorization information about this particular remote peer is stored. It MUST match a pad-entry-name."; } description "Remote peer authentication information."; } container encapsulation-type { - uses ic:encap; + uses nsfikec:encap; description "This container carries configuration information about the source and destination ports of encapsulation that IKE should use and the type of encapsulation that should use when NAT traversal is required. However, this is just a best effort since the IKE implementation may need to use a different encapsulation as described in RFC 8229."; @@ -2892,21 +2890,21 @@ leaf name { type string; description "SPD entry unique name to identify the IPsec policy."; } container ipsec-policy-config { description "This container carries the configuration of a IPsec policy."; - uses ic:ipsec-policy-grouping; + uses nsfikec:ipsec-policy-grouping; } description "List of entries which will constitute the representation of the SPD. Since we have IKE in this case, it is only required to send a IPsec policy from this NSF where 'local' is this NSF and 'remote' the other NSF. The IKE implementation will install IPsec policies in the NSF's kernel in both 
@@ -2931,42 +2929,42 @@ priority to lower priority. First node of the list will be the algorithm with higher priority."; } container child-sa-lifetime-soft { description "Soft IPsec SA lifetime soft. After the lifetime the action is defined in this container in the leaf action."; - uses ic:lifetime; + uses nsfikec:lifetime; leaf action { - type ic:lifetime-action; + type nsfikec:lifetime-action; default replace; description "When the lifetime of an IPsec SA expires an action needs to be performed over the IPsec SA that reached the lifetime. There are three possible options: terminate-clear, terminate-hold and replace."; reference "Section 4.5 in RFC 4301 and Section 2.8 in RFC 7296."; } } container child-sa-lifetime-hard { description "IPsec SA lifetime hard. The action will be to terminate the IPsec SA."; - uses ic:lifetime; + uses nsfikec:lifetime; reference "Section 2.8 in RFC 7296."; } description "Specific information for IPsec SAs SAs. It includes PFS group and IPsec SAs rekey lifetimes."; } container state { config false; @@ -2996,21 +2994,21 @@ } leaf nat-remote { type boolean; description "True, if remote endpoint is behind a NAT."; } container encapsulation-type { - uses ic:encap; + uses nsfikec:encap; description "This container provides information about the source and destination ports of encapsulation that IKE is using, and the type of encapsulation when NAT traversal is required."; reference "RFC 8229."; } leaf established { 
@@ -3064,35 +3062,35 @@ Appendix C. YANG model for IKE-less case This Appendix is Normative. This YANG module has normative references to [RFC4301], [RFC6991], [RFC8174] and [RFC8341]. - file "ietf-i2nsf-ikeless@2020-10-12.yang" + file "ietf-i2nsf-ikeless@2020-10-21.yang" module ietf-i2nsf-ikeless { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-ikeless"; prefix "nsfikels"; import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types"; } import ietf-i2nsf-ikec { - prefix ic; + prefix nsfikec; reference "Common Data model for SDN-based IPsec configuration."; } import ietf-netconf-acm { prefix nacm; reference "RFC 8341: Network Configuration Access Control Model."; @@ -3130,26 +3128,35 @@ This version of this YANG module is part of RFC XXXX;; see the RFC itself for full legal notices. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision "2020-10-12" { + revision "2020-10-21" { description "Initial version."; reference "RFC XXXX: Software-Defined Networking (SDN)-based IPsec Flow Protection."; } + feature ikeless-notification { + description + "To ensure broader applicability of this module, + the notifications are marked as a feature. + For the implementation of ikeless case, + the NSF is expected to implement this + feature."; + } + container ipsec-ikeless { description "Container for configuration of the IKE-less case. The container contains two additional containers: 'spd' and 'sad'. The first allows the I2NSF Controller to configure IPsec policies in the Security Policy Database SPD, and the second allows to configure IPsec Security Associations (IPsec SAs) in the Security Association Database (SAD)."; 
@@ -3163,21 +3170,21 @@ list spd-entry { key "name"; ordered-by user; leaf name { type string; description "SPD entry unique name to identify this entry."; } leaf direction { - type ic:ipsec-traffic-direction; + type nsfikec:ipsec-traffic-direction; mandatory true; description "Inbound traffic or outbound traffic. In the IKE-less case the I2NSF Controller needs to specify the policy direction to be applied in the NSF. In the IKE case this direction does not need to be specified since IKE will determine the direction that @@ -3192,21 +3199,21 @@ same reqid. It is only required in the IKE-less model since, in the IKE case this link is handled internally by IKE."; } container ipsec-policy-config { description "This container carries the configuration of a IPsec policy."; - uses ic:ipsec-policy-grouping; + uses nsfikec:ipsec-policy-grouping; } description "The SPD is represented as a list of SPD entries, where each SPD entry represents an IPsec policy."; } /*list spd-entry*/ } /*container spd*/ container sad { description @@ -3280,33 +3287,33 @@ type uint32; default 32; description "A 32-bit counter and a bit-map (or equivalent) used to determine whether an inbound ESP packet is a replay. If set to 0 no anti-replay mechanism is performed."; } container traffic-selector { - uses ic:selector-grouping; + uses nsfikec:selector-grouping; description "The IPsec SA traffic selector."; } leaf protocol-parameters { - type ic:ipsec-protocol-parameters; + type nsfikec:ipsec-protocol-parameters; default esp; description "Security protocol of IPsec SA: Only ESP so far."; } leaf mode { - type ic:ipsec-mode; + type nsfikec:ipsec-mode; default transport; description "Tunnel or transport mode."; } container esp-sa { when "../protocol-parameters = 'esp'"; description "In case the IPsec SA is Encapsulation Security Payload 
@@ -3315,21 +3322,21 @@ algorithms, and key material."; container encryption { description "Configuration of encryption or AEAD algorithm for IPsec Encapsulation Security Payload (ESP)."; leaf encryption-algorithm { - type ic:encryption-algorithm-type; + type nsfikec:encryption-algorithm-type; default 12; description "Configuration of ESP encryption. With AEAD algorithms, the integrity leaf is not used."; } leaf key { nacm:default-deny-all; @@ -3358,21 +3366,21 @@ container integrity { description "Configuration of integrity for IPsec Encapsulation Security Payload (ESP). This container allows to configure integrity algorithm when no AEAD algorithms are used, and integrity is required."; leaf integrity-algorithm { - type ic:integrity-algorithm-type; + type nsfikec:integrity-algorithm-type; default 12; description "Message Authentication Code (MAC) algorithm to provide integrity in ESP (default AUTH_HMAC_SHA2_256_128). With AEAD algorithms, the integrity leaf is not used."; 
@@ -3391,61 +3399,62 @@ the key configured."; } } } /*container esp-sa*/ container sa-lifetime-hard { description "IPsec SA hard lifetime. The action associated is terminate and hold."; - uses ic:lifetime; + uses nsfikec:lifetime; } container sa-lifetime-soft { description "IPsec SA soft lifetime."; - uses ic:lifetime; + uses nsfikec:lifetime; leaf action { - type ic:lifetime-action; + type nsfikec:lifetime-action; description "Action lifetime: terminate-clear, terminate-hold or replace."; + } } container tunnel { when "../mode = 'tunnel'"; - uses ic:tunnel-grouping; + uses nsfikec:tunnel-grouping; description "Endpoints of the IPsec tunnel."; } container encapsulation-type { - uses ic:encap; + uses nsfikec:encap; description "This container carries configuration information about the source and destination ports which will be used for ESP encapsulation that ESP packets the type of encapsulation when NAT traversal is in place."; } } /*ipsec-sa-config*/ container ipsec-sa-state { config false; description "Container describing IPsec SA state data."; container sa-lifetime-current { - uses ic:lifetime; + uses nsfikec:lifetime; description "SAD lifetime current."; } container replay-stats { description "State data about the anti-replay window."; leaf replay-window { type uint64; description @@ -3480,20 +3489,21 @@ } /*ipsec-sa-state*/ description "List of SAD entries that conforms the SAD."; } /*list sad-entry*/ } /*container sad*/ }/*container ipsec-ikeless*/ /* Notifications */ notification sadb-acquire { + if-feature ikeless-notification; description "An IPsec SA is required. The traffic-selector container contains information about the IP packet that triggers the acquire notification."; leaf ipsec-policy-name { type string; mandatory true; description "It contains the SPD entry name (unique) of the IPsec policy that hits the IP packet 
@@ -3498,35 +3508,36 @@ "It contains the SPD entry name (unique) of the IPsec policy that hits the IP packet required IPsec SA. It is assumed the I2NSF Controller will have a copy of the information of this policy so it can extract all the information with this unique identifier. The type of IPsec SA is defined in the policy so the Security Controller can also know the type of IPsec SA that must be generated."; + } container traffic-selector { description "The IP packet that triggered the acquire and requires an IPsec SA. Specifically it will contain the IP source/mask and IP destination/mask; protocol (udp, tcp, etc...); and source and destination ports."; - uses ic:selector-grouping; + uses nsfikec:selector-grouping; } - } notification sadb-expire { + if-feature ikeless-notification; description "An IPsec SA expiration (soft or hard)."; leaf ipsec-sa-name { type string; mandatory true; description "It contains the SAD entry name (unique) of the IPsec SA that has expired. It is assumed the I2NSF Controller will have a copy of the IPsec SA information (except the cryptographic material and state data) indexed by this name 
@@ -3542,42 +3553,44 @@ description "If this value is true the lifetime expired is soft. If it is false is hard."; } container lifetime-current { description "IPsec SA current lifetime. If soft-lifetime-expired is true this container is set with the lifetime information about current soft lifetime."; - uses ic:lifetime; + uses nsfikec:lifetime; } } notification sadb-seq-overflow { + if-feature ikeless-notification; description "Sequence overflow notification."; leaf ipsec-sa-name { type string; mandatory true; description "It contains the SAD entry name (unique) of the IPsec SA that is about to have sequence number overflow and rollover is not permitted. It is assumed the I2NSF Controller will have a copy of the IPsec SA information (except the cryptographic material and state data) indexed by this name (unique identifier) so the it can know all the information (crypto algorithms, etc.) about the IPsec SA that has expired in order to perform a rekey of the IPsec SA."; } } notification sadb-bad-spi { + if-feature ikeless-notification; description "Notify when the NSF receives a packet with an incorrect SPI (i.e. not present in the SAD)."; leaf spi { type uint32 { range "0..max"; } mandatory true; description "SPI number contained in the erroneous IPsec packet."; } 
@@ -4231,21 +4246,21 @@ removing any new inbound SA that had been successfully installed during step 1. If step 1 is successful but some of the operations in step 2 fails (e.g. the NSF A reports an error when the I2NSF Controller is trying to install the new outbound IPsec SA), the I2NSF Controller must perform a rollback operation by deleting any new outbound SA that had been successfully installed during step 2 and by deleting the inbound SAs created in step 1. - If the steps 1 an 2 are successful and the step 3 fails, the I2NSF + If the steps 1 and 2 are successful but the step 3 fails, the I2NSF Controller will avoid any rollback of the operations carried out in step 1 and step 2 since new and valid IPsec SAs were created and are functional. The I2NSF Controller may reattempt to remove the old inbound and outbound SAs in NSF A and NSF B several times until it receives a success or it gives up. In the last case, the old IPsec SAs will be removed when their corresponding hard lifetime is reached. G.3. Example of managing NSF state loss in IKE-less case
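Review bot: the prefix rename in the tree diagrams at @@ -839 and @@ -872 shifts the node marker on the renamed lines (`| | | |+--rw algorithm-type? nsfikec:encryption-algorithm-type` and `| | |+--rw encryption-algorithm? nsfikec:encryption-algorithm-type` drop the space before `+--rw` that every sibling line keeps), presumably to stay under the 72-column limit. Regenerate the diagrams with pyang and its `--tree-line-length` option so that long lines wrap as RFC 8340 describes instead of being hand-squeezed; the same hunk at @@ -839 also shows the -09 line was already damaged (`algorithm-type?ic:` with no space), which is the kind of drift a generated diagram avoids.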
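Review bot: the hunk at @@ -2038 keeps ietf-i2nsf-ikec referring to its own typedef through its own prefix (`type nsfikec:encryption-algorithm-type;`) while neighbouring nodes in the same grouping use the unprefixed local type, which is why the tree at @@ -669 shows `integrity* integrity-algorithm-type` right next to `algorithm-type? nsfikec:encryption-algorithm-type`. Drop the self-prefix inside ietf-i2nsf-ikec; only the importing modules ietf-i2nsf-ike and ietf-i2nsf-ikeless need `nsfikec:`, and the diagrams then come out uniform.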
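Review bot: the new `feature ikeless-notification` at @@ -3130 says the NSF "is expected to implement this feature", which is not normative, yet the notifications it now gates (sadb-expire and sadb-seq-overflow at @@ -3542) are what let the I2NSF Controller rekey an IPsec SA before the hard lifetime or before the sequence number overflows. Say with BCP 14 language whether an NSF implementing ietf-i2nsf-ikeless MUST advertise the feature, or state what a Controller has to do when an NSF does not (for instance poll ipsec-sa-state/sa-lifetime-current), and add a `reference` statement as the other statements in the module carry.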
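Review bot: the brace corrections at @@ -3391 (the added `}` closing `leaf action` inside `sa-lifetime-soft`) and at @@ -3498 (the `}` moved from after `container traffic-selector` to after the `leaf ipsec-policy-name` description) change the module's structure, since in -09 `tunnel` and `encapsulation-type` ended up nested under `sa-lifetime-soft` and `traffic-selector` under a leaf; as the hunk at @@ -3498 is rendered here, `container traffic-selector { ... }` is followed directly by `notification sadb-expire {` with no closing brace for `sadb-acquire`, so please confirm that the extracted -10 modules pass `pyang --ietf` and note the structural fix in the change log.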
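Review bot: the reworded line `+ o Each IPsec SA contains a identifier (reqid) to relate the IPsec SA` at @@ -776 still reads "a identifier"; it should be "an identifier".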
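Review bot: in the NACM sensitivity entry at @@ -1155 the corrected path `/ipsec-ikeless/sad/sad-entry/ipsec-sa-config/esp-sa` is right, but `+ example, encryption/key contains a ESP encryption key value and` should read "an ESP encryption key value" (the following context line "a initialization vector" has the same problem). Since this paragraph is what tells operators which leaves carry raw ESP keys, listing the three protected leaves with the same full-path style as the container (.../esp-sa/encryption/key, .../esp-sa/encryption/iv, .../esp-sa/integrity/key) would make it unambiguous which nodes the `nacm:default-deny-all` applies to.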
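Review bot: `+ If the steps 1 and 2 are successful but the step 3 fails, the I2NSF` at @@ -4231 reads better without the articles: "If steps 1 and 2 are successful but step 3 fails".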