
Commit ba8cccb

mihirramrajpal2
authored and
mrajpal2
committed
New IPSec Model and Cleanup
1 parent 9ce0b2f commit ba8cccb


4 files changed

+439
-0
lines changed


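--- a/release/models/ipsec/.spec.yml
+++ b/release/models/ipsec/.spec.yml
@@ -0,0 +1,7 @@
+- name: openconfig-macsec
+docs:
+- yang/macsec/openconfig-ipsec.yang
+- yang/macsec/openconfig-ipsec-types.yang
+build:
+- yang/macsec/openconfig-ipsec.yang
+run-ci: true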
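Review bot: The spec entry is named `openconfig-macsec` and points its `docs` and `build` paths at `yang/macsec/`, which is the existing MACsec entry rather than this model; as written, `run-ci: true` would either build the wrong module or fail to find the IPsec files, so CI would not actually validate the new YANG. Assuming the repository convention that `yang/` mirrors `release/models/`, the entry should read `- name: openconfig-ipsec` with the paths `yang/ipsec/openconfig-ipsec.yang` and `yang/ipsec/openconfig-ipsec-types.yang`. The other two files of this commit are not visible here, so the file names are inferred from the module names in the types file.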
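--- a/release/models/ipsec/openconfig-ipsec-types.yang
+++ b/release/models/ipsec/openconfig-ipsec-types.yang
@@ -0,0 +1,132 @@
+module openconfig-ipsec-types {
+yang-version "1";
+namespace "http://openconfig.net/yang/ipsec/types";
+prefix "oc-ipsect";
+
+import openconfig-extensions { prefix oc-ext; }
+
+organization "OpenConfig working group";
+contact
+"OpenConfig working group
+www.openconfig.net";
+description
+"This module defines types related to the MACsec configuration
+and operational state model.";
+
+oc-ext:openconfig-version "0.1.0";
+oc-ext:regexp-posix;
+oc-ext:catalog-organization "openconfig";
+oc-ext:origin "openconfig";
+
+revision 2025-04-23 {
+description
+"Initial public revision";
+reference
+"0.1.0";
+}
+
+// Not all vendors will support all algorithms
+// FIPS mode only allows AES based algorithms
+typedef ipsec-cipher-suite {
+type union {
+type enumeration {
+enum ENCR_AES_CBC { description "ENCR_AES_CBC Cipher Suite. Key length 128, 192, or 256 bits."; }
+enum ENCR_AES_CTR { description "ENCR_AES_CTR Cipher Suite. Key length 128, 192, or 256 bits."; }
+enum ENCR_AES_CCM_8 { description "ENCR_AES_CCM_8 Cipher Suite. Key length 128, 192, or 256 bits. AEAD."; }
+enum ENCR_AES_CCM_12 { description "ENCR_AES_CCM_8 Cipher Suite. Key length 128, 192, or 256 bits. AEAD."; }
+enum ENCR_AES_CCM_16 { description "ENCR_AES_CCM_8 Cipher Suite. Key length 128, 192, or 256 bits. AEAD."; }
+enum ENCR_AES_GCM_8 { description "ENCR_AES_GCM_16 Cipher Suite. Key length 128, 192, or 256 bits. AEAD."; }
+enum ENCR_AES_GCM_12 { description "ENCR_AES_GCM_16 Cipher Suite. Key length 128, 192, or 256 bits. AEAD."; }
+enum ENCR_AES_GCM_16 { description "ENCR_AES_GCM_16 Cipher Suite. Key length 128, 192, or 256 bits. RECOMMENDED. AEAD."; }
+enum ENCR_CHACHA20_POLY1305 { description "ENCR_CHACHA20_POLY1305 Cipher Suite. Key length 128, 192, or 256 bits. AEAD."; }
+}
+type uint8 {
+range 1..35;
+}
+}
+description
+"Set Cipher suite(s) for IPSec by either the IANA number or the algorithm name
+(only specified for commonly used, recommended algorithms).";
+}
+
+
+// Not all vendors will support all algorithms
+// FIPS mode only allows SHA2 based algorithms
+typedef ipsec-hash-algorithms {
+type union {
+type enumeration {
+enum AUTH_NONE { description "AUTH_NONE Hash Algorithm. DO NOT USE UNLESS USING AEAD Cipher Suite."; }
+enum AUTH_AES_128_GMAC { description "AUTH_AES_128_GMAC Hash Algorithm."; }
+enum AUTH_AES_256_GMAC { description "AUTH_AES_256_GMAC Hash Algorithm."; }
+enum AUTH_HMAC_SHA2_256_128 { description "AUTH_HMAC_SHA2_256_128 Hash Algorithm."; }
+enum AUTH_HMAC_SHA2_384_102 { description "AUTH_HMAC_SHA2_384_192 Hash Algorithm."; }
+enum AUTH_HMAC_SHA2_512_256 { description "AUTH_HMAC_SHA2_512_256 Hash Algorithm. RECOMMENDED"; }
+}
+type uint8 {
+range 1..14;
+}
+}
+description
+"Set Hash Algoritm(s) for IPSec by either the IANA number or the algorithm name
+(only specified for commonly used, recommended algorithms).";
+}
+
+
+// Not all vendors will support all algorithms
+// FIPS mode only allows SHA2 based algorithms
+typedef ipsec-prf-algorithms {
+type union {
+type enumeration {
+enum PRF_AES128_XCBC { description "PRF_AES128_XCBC PRF Algorithm."; }
+enum PRF_HMAC_SHA2_256 { description "PRF_HMAC_SHA2_256 PRF Algorithm."; }
+enum PRF_HMAC_SHA2_384 { description "PRF_HMAC_SHA2_384 PRF Algorithm."; }
+enum PRF_HMAC_SHA2_512 { description "PRF_HMAC_SHA2_512 PRF Algorithm. RECOMMENDED"; }
+enum PRF_AES128_CMAC { description "PRF_AES128_CMAC PRF Algorithm."; }
+}
+type uint8 {
+range 1..14;
+}
+}
+description
+"Set PRF Algorithm(s) for IPSec by either the IANA number or the algorithm name
+(only specified for commonly used, recommended algorithms).";
+}
+
+
+// Not all vendors will support all algorithms
+// FIPS mode only allows AES and SHA2 based algorithms
+typedef ipsec-authentication-algorithms {
+type union {
+type enumeration {
+enum RSA_DIGITAL_SIGNATURE { description "RSA Digital Signature Authentication method. Key size must be between 2048 and 4096 for FIPS, larger than 3072 recommended."; }
+enum SHARED_KEY_MESSAGE_INTEGRITY_CODE { description "Shared Key Message Integrity Code Authentication method. Key size field unused."; }
+enum ECDSA_SHA_256_P_256 { description "ECDSA with SHA-256 on the P-256 curve Authentication method. Key size field unused."; }
+enum ECDSA_SHA_384_P_384 { description "ECDSA with SHA-384 on the P-384 curve Authentication method. Key size field unused."; }
+enum ECDSA_SHA_512_P_521 { description "ECDSA with SHA-512 on the P-521 curve Authentication method. Key size field unused."; }
+enum DIGITAL_SIGNATURE { description "Digital Signature Authentication method. Key size depends on algorithm. Digital Signature leaf must be filled in."; }
+}
+type uint8 {
+range 1..14;
+}
+}
+description
+"Set Authentication method(s) for IPSec by either the IANA number or the algorithm name
+(only specified for commonly used, recommended algorithms).";
+}
+
+typedef ipsec-type {
+type enumeration {
+enum AH { description "Use Authentication Header."; }
+enum ESP { description "Use Encapsulating Security Payload."; }
+}
+description
+"The Type of IPSec to use.";
+}
+
+identity DIGITAL_SIGNATURE_TYPE {
+description
+"Base Type for Digital Signature methods supported.
+Specific values should derive from this type and depend on the platform.";
+}
+
+}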
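Review bot: Several enum descriptions in `ipsec-cipher-suite` document a different transform than the enum they belong to (ENCR_AES_CCM_12 and ENCR_AES_CCM_16 are described as ENCR_AES_CCM_8, ENCR_AES_GCM_8 and ENCR_AES_GCM_12 as ENCR_AES_GCM_16), and ENCR_CHACHA20_POLY1305 claims a 128/192/256-bit key choice although RFC 7634 fixes it at 256 bits; because these strings are what an operator reads when choosing an ICV length and key size, they should name the transform exactly and state the ICV size that distinguishes the 8/12/16 variants. In `ipsec-hash-algorithms` the enum `AUTH_HMAC_SHA2_384_102` looks like a typo for the IANA name AUTH_HMAC_SHA2_384_192 (its own description says 192) and, since this is a new enum, should be renamed before it is released. The uint8 arm of each union admits every IANA value, including transforms RFC 8247 marks MUST NOT or SHOULD NOT (DES, 3DES, ENCR_NULL), so I'd add to the typedef description that numeric values outside the enumerated set are not vetted for strength, and consider carrying the registry number on each enum (for example `value 20;` on ENCR_AES_GCM_16) so the two arms are visibly tied to the same registry. The module description still says `types related to the MACsec configuration` and should say IPsec, and the PRF range `1..14` appears copied from the integrity typedef — I believe the IANA IKEv2 PRF registry currently stops at 9, so the range should be checked against it.

```yang
// … unchanged: module header, namespace, prefix, import …
description
"This module defines types related to the IPsec configuration
and operational state model.";
// … unchanged: extensions, revision, ENCR_AES_CBC, ENCR_AES_CTR, ENCR_AES_CCM_8 …
enum ENCR_AES_CCM_12 { description "ENCR_AES_CCM_12 Cipher Suite. Key length 128, 192, or 256 bits. 12-octet ICV. AEAD."; }
enum ENCR_AES_CCM_16 { description "ENCR_AES_CCM_16 Cipher Suite. Key length 128, 192, or 256 bits. 16-octet ICV. AEAD."; }
enum ENCR_AES_GCM_8 { description "ENCR_AES_GCM_8 Cipher Suite. Key length 128, 192, or 256 bits. 8-octet ICV. AEAD."; }
enum ENCR_AES_GCM_12 { description "ENCR_AES_GCM_12 Cipher Suite. Key length 128, 192, or 256 bits. 12-octet ICV. AEAD."; }
// … unchanged: ENCR_AES_GCM_16 …
enum ENCR_CHACHA20_POLY1305 { description "ENCR_CHACHA20_POLY1305 Cipher Suite. Key length 256 bits only (RFC 7634). AEAD."; }
// … unchanged: uint8 arm, ipsec-hash-algorithms up to AUTH_HMAC_SHA2_256_128 …
enum AUTH_HMAC_SHA2_384_192 { description "AUTH_HMAC_SHA2_384_192 Hash Algorithm."; }
// … unchanged: remainder of the module …
```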
