This module defines configuration and state data for MACsec IEEE Std 802.1AE-2018.
openconfig-extensions
openconfig-interfaces
openconfig-macsec-types
openconfig-yang-types
openconfig-keychain
description:
The MACsec
nodetype: container (rw)
description:
The MKA
nodetype: container (rw)
description:
Enclosing container for the list of MKA policies
nodetype: container (rw)
description:
List of MKA policies
nodetype: list (rw)
list keys: [name]
description:
Reference to MKA policy name
nodetype: leaf (list key) (rw)
type: leafref
description:
Configuration of the MKA policy
nodetype: container (rw)
description:
Name of the MKA policy.
nodetype: leaf (rw)
type: string
description:
Specifies the key server priority used by the MACsec Key Agreement
(MKA) protocol to select the key server when MACsec is enabled using
static connectivity association key (CAK) security mode. The switch with
the lower priority-number is selected as the key server. If the
priority-number is identical on both sides of a point-to-point link, the
MKA protocol selects the device with the lower MAC address as the key
server.
nodetype: leaf (rw)
type: uint8
default: 16
description:
Set Cipher suite(s) for SAK derivation
nodetype: leaf-list (rw)
type: macsec-types:macsec-cipher-suite
description:
The confidentiality offset specifies the number of octets in an Ethernet
frame that are sent as unencrypted plaintext.
nodetype: leaf (rw)
type: macsec-types:confidentiality-offset
default: 0_BYTES
description:
Traffic delayed longer than 2 seconds is rejected by the interfaces
enabled with delay protection.
nodetype: leaf (rw)
type: boolean
default: false
description:
Generate and include an Integrity Check Value (ICV) field in the MKPDU.
For compatibility with previous MACsec implementations that do not
require an ICV
nodetype: leaf (rw)
type: boolean
default: true
description:
SAK Rekey interval in seconds. The default value is 0 where no rekey is
performed.
nodetype: leaf (rw)
type: uint32
default: 0
description:
Rekey on peer loss
nodetype: leaf (rw)
type: boolean
default: false
description:
Use the updated Ethernet header for ICV calculation. In case the Ethernet
frame headers change, use the updated headers to calculate the ICV.
nodetype: leaf (rw)
type: boolean
default: false
description:
Operational state data for MKA policy
nodetype: container (ro)
description:
Name of the MKA policy.
nodetype: leaf (ro)
type: string
description:
Specifies the key server priority used by the MACsec Key Agreement
(MKA) protocol to select the key server when MACsec is enabled using
static connectivity association key (CAK) security mode. The switch with
the lower priority-number is selected as the key server. If the
priority-number is identical on both sides of a point-to-point link, the
MKA protocol selects the device with the lower MAC address as the key
server.
nodetype: leaf (ro)
type: uint8
default: 16
description:
Set Cipher suite(s) for SAK derivation
nodetype: leaf-list (ro)
type: macsec-types:macsec-cipher-suite
description:
The confidentiality offset specifies the number of octets in an Ethernet
frame that are sent as unencrypted plaintext.
nodetype: leaf (ro)
type: macsec-types:confidentiality-offset
default: 0_BYTES
description:
Traffic delayed longer than 2 seconds is rejected by the interfaces
enabled with delay protection.
nodetype: leaf (ro)
type: boolean
default: false
description:
Generate and include an Integrity Check Value (ICV) field in the MKPDU.
For compatibility with previous MACsec implementations that do not
require an ICV
nodetype: leaf (ro)
type: boolean
default: true
description:
SAK Rekey interval in seconds. The default value is 0 where no rekey is
performed.
nodetype: leaf (ro)
type: uint32
default: 0
description:
Rekey on peer loss
nodetype: leaf (ro)
type: boolean
default: false
description:
Use the updated Ethernet header for ICV calculation. In case the Ethernet
frame headers change, use the updated headers to calculate the ICV.
nodetype: leaf (ro)
type: boolean
default: false
description:
Operational state data for MKA
nodetype: container (ro)
description:
MKA global counters
nodetype: container (ro)
description:
MKPDU TX error count
nodetype: leaf (ro)
type: oc-yang:counter64
description:
MKPDU RX ICV verification error count
nodetype: leaf (ro)
type: oc-yang:counter64
description:
MKPDU RX validation error count
nodetype: leaf (ro)
type: oc-yang:counter64
description:
MKPDU RX bad peer message number error count
nodetype: leaf (ro)
type: oc-yang:counter64
description:
MKPDU RX non-recent peer list Message Number error count
nodetype: leaf (ro)
type: oc-yang:counter64
description:
MKA error SAK generation count
nodetype: leaf (ro)
type: oc-yang:counter64
description:
MKA error Hash Key generation count
nodetype: leaf (ro)
type: oc-yang:counter64
description:
MKA error SAK encryption/wrap count
nodetype: leaf (ro)
type: oc-yang:counter64
description:
MKA error SAK decryption/unwrap count
nodetype: leaf (ro)
type: oc-yang:counter64
description:
MKA error SAK cipher mismatch count
nodetype: leaf (ro)
type: oc-yang:counter64
description:
Enclosing container for the MACsec interfaces list
nodetype: container (rw)
description:
List of interfaces on which MACsec is enabled / available
nodetype: list (rw)
list keys: [name]
description:
Reference to the list key
nodetype: leaf (list key) (rw)
type: leafref
description:
Configuration data for MACsec on each interface
nodetype: container (rw)
description:
Reference to the MACsec Ethernet interface
nodetype: leaf (rw)
type: oc-if:base-interface-ref
description:
Enable MACsec on an interface
nodetype: leaf (rw)
type: boolean
default: false
description:
MACsec window size, as defined by the number of out-of-order frames
that are accepted. A value of 0 means that frames are accepted only in
the correct order.
nodetype: leaf (rw)
type: uint16
default: 0
description:
Operational state data
nodetype: container (ro)
description:
Reference to the MACsec Ethernet interface
nodetype: leaf (ro)
type: oc-if:base-interface-ref
description:
Enable MACsec on an interface
nodetype: leaf (ro)
type: boolean
default: false
description:
MACsec window size, as defined by the number of out-of-order frames
that are accepted. A value of 0 means that frames are accepted only in
the correct order.
nodetype: leaf (ro)
type: uint16
default: 0
description:
MACsec interface counters
nodetype: container (ro)
description:
MACsec interface level Transmit untagged Packets counter.
This counter will increment if MACsec is enabled on the interface and the
outgoing packet is not tagged with a MACsec header.
nodetype: leaf (ro)
type: oc-yang:counter64
description:
MACsec interface level Receive untagged Packets counter.
This counter will increment if MACsec is enabled on the interface and the
incoming packet does not have a MACsec tag.
nodetype: leaf (ro)
type: oc-yang:counter64
description:
MACsec interface level Receive Bad Tag Packets counter.
This counter will increment if MACsec is enabled on the interface and the
incoming packet has an incorrect MACsec tag.
nodetype: leaf (ro)
type: oc-yang:counter64
description:
MACsec interface level Receive Unknown SCI Packets counter.
This counter will increment if MACsec is enabled on the interface and the
SCI present in the MACsec tag of the incoming packet does not match any
SCI present in the ingress SCI table.
nodetype: leaf (ro)
type: oc-yang:counter64
description:
MACsec interface level Receive No SCI Packets counter.
This counter will increment if MACsec is enabled on the interface and the
incoming packet does not have an SCI field in the MACsec tag.
nodetype: leaf (ro)
type: oc-yang:counter64
description:
MACsec interface level Receive Late Packets counter.
This counter will increment if MACsec is enabled on the interface, replay
protection is enabled, and the packet number of the incoming packet is less
than the lowest acceptable packet number.
nodetype: leaf (ro)
type: oc-yang:counter64
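The window-size leaf and the Receive Late Packets counter described above interact as shown in this added example, which is not part of the OpenConfig module or its documentation. It models only the packet-number check (the ICV is assumed to have verified already); the class, field and function names are illustrative, and the arrival sequence is constructed.

```python
"""Receive-side replay check driven by the MACsec window size (added example)."""
from dataclasses import dataclass


@dataclass
class RxSecureAssociation:
    replay_window: int        # value of the window-size leaf; 0 = strict order
    replay_protect: bool = True
    next_pn: int = 1          # one past the highest packet number accepted so far
    lowest_pn: int = 1        # lowest acceptable packet number
    late: int = 0             # models the "Receive Late Packets" counter
    accepted: int = 0

    def receive(self, pn: int) -> bool:
        """Return True if a frame carrying packet number `pn` is accepted."""
        if self.replay_protect and pn < self.lowest_pn:
            self.late += 1
            return False
        self.accepted += 1
        if pn >= self.next_pn:
            # A new highest PN moves the window forward; the floor never moves back.
            self.next_pn = pn + 1
            self.lowest_pn = max(self.lowest_pn, self.next_pn - self.replay_window)
        return True


def run(window: int, pns: list[int]) -> tuple[list[bool], int]:
    """Feed packet numbers to a fresh SA; return per-frame verdicts and late count."""
    sa = RxSecureAssociation(replay_window=window)
    verdicts = [sa.receive(pn) for pn in pns]
    return verdicts, sa.late


# Constructed arrival order: frame 3 is reordered behind 4 and 5, then frame 5
# arrives a second time (a duplicate or a replayed copy).
ARRIVALS = [1, 2, 4, 5, 3, 5, 6]

if __name__ == "__main__":
    for window in (0, 3):
        verdicts, late = run(window, ARRIVALS)
        print(f"window={window}: verdicts={verdicts} late={late}")
```

With a window of 0 both the reordered frame and the repeated frame are counted as late; with a window of 3 neither is, because the only test is against the lowest acceptable packet number and this model keeps no record of individual packet numbers inside the window.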
description:
Enclosing container for transmitted packets for Secure Channel and
Secure Association
nodetype: container (ro)
description:
TX Secure Channel and Secure Association Statistics
nodetype: list (ro)
list keys: [sci-tx]
description:
TX Secure Channel and Secure Association Statistics
nodetype: leaf (list key) (ro)
type: leafref
description:
State container for macsec-scsa-tx-interface-stats
nodetype: container (ro)
description:
Secure Channel Identifier.
Every Transmit Channel is uniquely identified using this field.
nodetype: leaf (ro)
type: oc-yang:hex-string
description:
Counters container for macsec-scsa-tx-interface-stats
nodetype: container (ro)
description:
Secure Channel Authenticated only TX Packets counter.
This counter reflects the number of authenticated-only transmitted
packets in a secure channel.
nodetype: leaf (ro)
type: oc-yang:counter64
description:
Secure Channel Encrypted TX Packets counter.
This counter reflects the number of encrypted and authenticated
transmitted packets in a secure channel.
nodetype: leaf (ro)
type: oc-yang:counter64
description:
Secure Association Authenticated only TX Packets counter.
This counter reflects the number of authenticated-only transmitted
packets in a secure association.
nodetype: leaf (ro)
type: oc-yang:counter64
description:
Secure Association Encrypted TX Packets counter.
This counter reflects the number of encrypted and authenticated
transmitted packets in a secure association.
nodetype: leaf (ro)
type: oc-yang:counter64
description:
Enclosing container for received packets for Secure Channel and
Secure Association
nodetype: container (ro)
description:
RX Secure Channel and Secure Association Statistics
nodetype: list (ro)
list keys: [sci-rx]
description:
RX Secure Channel and Secure Association Statistics
nodetype: leaf (list key) (ro)
type: leafref
description:
State container for macsec-scsa-rx-interface-stats
nodetype: container (ro)
description:
Secure Channel Identifier.
Every Receive Channel is uniquely identified using this field.
nodetype: leaf (ro)
type: oc-yang:hex-string
description:
Counters container for macsec-scsa-rx-interface-stats
nodetype: container (ro)
description:
Invalid Secure Channel RX Packets counter.
This counter reflects the number of invalid received packets in a
secure channel.
nodetype: leaf (ro)
type: oc-yang:counter64
description:
Valid Secure Channel RX Packets counter.
This counter reflects the number of valid received packets in a
secure channel.
nodetype: leaf (ro)
type: oc-yang:counter64
description:
Invalid Secure Association RX Packets counter.
This counter reflects the number of integrity check failures for received
packets in a secure association.
nodetype: leaf (ro)
type: oc-yang:counter64
description:
Secure Association Valid RX Packets counter.
This counter reflects the number of packets in a secure association
that passed the integrity check.
nodetype: leaf (ro)
type: oc-yang:counter64
description:
Enclosing container for the MKA interface
nodetype: container (rw)
description:
Configuration data for MKA interface
nodetype: container (rw)
description:
Apply MKA policy on the interface
nodetype: leaf (rw)
type: leafref
description:
Configure Key Chain name
nodetype: leaf (rw)
type: leafref
description:
Operational state data for MKA interface
nodetype: container (ro)
description:
Apply MKA policy on the interface
nodetype: leaf (ro)
type: leafref
description:
Configure Key Chain name
nodetype: leaf (ro)
type: leafref
description:
MKA interface counters
nodetype: container (ro)
description:
Validated MKPDU received count
nodetype: leaf (ro)
type: oc-yang:counter64
description:
Validated MKPDU received SAK count
nodetype: leaf (ro)
type: oc-yang:counter64
description:
Count of validated MKPDU connectivity association key (CAK) PDUs
received. This counter is related to the group-cak feature in the
802.1X-2010 standard.
nodetype: leaf (ro)
type: oc-yang:counter64
description:
MKPDU sent count
nodetype: leaf (ro)
type: oc-yang:counter64
description:
MKPDU SAK sent count
nodetype: leaf (ro)
type: oc-yang:counter64
description:
Count of MKPDU connectivity association key (CAK) PDUs sent.
This counter is related to the group-cak feature in the
802.1X-2010 standard.
nodetype: leaf (ro)
type: oc-yang:counter64
This module defines types related to the MACsec configuration and operational state model.
openconfig-extensions
description:
Set Cipher suite(s) for SAK derivation
type: enumeration
description:
The confidentiality offset specifies the number of octets in an Ethernet
frame that are sent as unencrypted plaintext.
type: enumeration