openconfig-macsec

openconfig-version: 1.0.0

Description

This module defines configuration and state data for MACsec IEEE Std 802.1AE-2018.

Imports

openconfig-extensions
openconfig-interfaces
openconfig-macsec-types
openconfig-yang-types
openconfig-keychain

Data elements

/
macsec

description:
The MACsec

nodetype: container (rw)

/macsec/
mka

description:
The MKA

nodetype: container (rw)

/macsec/mka/
policies

description:
Enclosing container for the list of MKA policies

nodetype: container (rw)

/macsec/mka/policies/
policy

description:
List of MKA policies

nodetype: list (rw)

list keys: [name]

/macsec/mka/policies/policy/
name

description:
Reference to MKA policy name

nodetype: leaf (list key) (rw)

type: leafref

  • path reference: ../config/name

/macsec/mka/policies/policy/
config

description:
Configuration of the MKA policy

nodetype: container (rw)

/macsec/mka/policies/policy/config/
name

description:
Name of the MKA policy.

nodetype: leaf (rw)

type: string

/macsec/mka/policies/policy/config/
key-server-priority

description:
Specifies the key server priority used by the MACsec Key Agreement (MKA) protocol to select the key server when MACsec is enabled using static connectivity association key (CAK) security mode. The switch with the lower priority-number is selected as the key server. If the priority-number is identical on both sides of a point-to-point link, the MKA protocol selects the device with the lower MAC address as the key server

nodetype: leaf (rw)

type: uint8

default: 16

/macsec/mka/policies/policy/config/
macsec-cipher-suite

description:
Set Cipher suite(s) for SAK derivation

nodetype: leaf-list (rw)

type: macsec-types:macsec-cipher-suite

/macsec/mka/policies/policy/config/
confidentiality-offset

description:
The confidentiality offset specifies a number of octets in an Ethernet frame that are sent in unencrypted plain-text

nodetype: leaf (rw)

type: macsec-types:confidentiality-offset

default: 0_BYTES

/macsec/mka/policies/policy/config/
delay-protection

description:
Traffic delayed longer than 2 seconds is rejected by the interfaces enabled with delay protection.

nodetype: leaf (rw)

type: boolean

default: false

/macsec/mka/policies/policy/config/
include-icv-indicator

description:
Generate and include an Integrity Check Value (ICV) field in the MKPDU. For compatibility with previous MACsec implementation that do not require an ICV

nodetype: leaf (rw)

type: boolean

default: true

/macsec/mka/policies/policy/config/
sak-rekey-interval

description:
SAK Rekey interval in seconds. The default value is 0 where no rekey is performed.

nodetype: leaf (rw)

type: uint32

  • range: 0 | 30..65535

default: 0

/macsec/mka/policies/policy/config/
sak-rekey-on-live-peer-loss

description:
Rekey on peer loss

nodetype: leaf (rw)

type: boolean

default: false

/macsec/mka/policies/policy/config/
use-updated-eth-header

description:
Use updated ethernet header for ICV calculation. In case the Ethernet frame headers change, use the updated headers to calculate the ICV.

nodetype: leaf (rw)

type: boolean

default: false

/macsec/mka/policies/policy/
state

description:
Operational state data for MKA policy

nodetype: container (ro)

/macsec/mka/policies/policy/state/
name

description:
Name of the MKA policy.

nodetype: leaf (ro)

type: string

/macsec/mka/policies/policy/state/
key-server-priority

description:
Specifies the key server priority used by the MACsec Key Agreement (MKA) protocol to select the key server when MACsec is enabled using static connectivity association key (CAK) security mode. The switch with the lower priority-number is selected as the key server. If the priority-number is identical on both sides of a point-to-point link, the MKA protocol selects the device with the lower MAC address as the key server

nodetype: leaf (ro)

type: uint8

default: 16

/macsec/mka/policies/policy/state/
macsec-cipher-suite

description:
Set Cipher suite(s) for SAK derivation

nodetype: leaf-list (ro)

type: macsec-types:macsec-cipher-suite

/macsec/mka/policies/policy/state/
confidentiality-offset

description:
The confidentiality offset specifies a number of octets in an Ethernet frame that are sent in unencrypted plain-text

nodetype: leaf (ro)

type: macsec-types:confidentiality-offset

default: 0_BYTES

/macsec/mka/policies/policy/state/
delay-protection

description:
Traffic delayed longer than 2 seconds is rejected by the interfaces enabled with delay protection.

nodetype: leaf (ro)

type: boolean

default: false

/macsec/mka/policies/policy/state/
include-icv-indicator

description:
Generate and include an Integrity Check Value (ICV) field in the MKPDU. For compatibility with previous MACsec implementation that do not require an ICV

nodetype: leaf (ro)

type: boolean

default: true

/macsec/mka/policies/policy/state/
sak-rekey-interval

description:
SAK Rekey interval in seconds. The default value is 0 where no rekey is performed.

nodetype: leaf (ro)

type: uint32

  • range: 0 | 30..65535

default: 0

/macsec/mka/policies/policy/state/
sak-rekey-on-live-peer-loss

description:
Rekey on peer loss

nodetype: leaf (ro)

type: boolean

default: false

/macsec/mka/policies/policy/state/
use-updated-eth-header

description:
Use updated ethernet header for ICV calculation. In case the Ethernet frame headers change, use the updated headers to calculate the ICV.

nodetype: leaf (ro)

type: boolean

default: false

/macsec/mka/
state

description:
Operational state data for MKA

nodetype: container (ro)

/macsec/mka/state/
counters

description:
MKA global counters

nodetype: container (ro)

/macsec/mka/state/counters/
out-mkpdu-errors

description:
MKPDU TX error count

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/mka/state/counters/
in-mkpdu-icv-verification-errors

description:
MKPDU RX ICV verification error count

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/mka/state/counters/
in-mkpdu-validation-errors

description:
MKPDU RX validation error count

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/mka/state/counters/
in-mkpdu-bad-peer-errors

description:
MKPDU RX bad peer message number error count

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/mka/state/counters/
in-mkpdu-peer-list-errors

description:
MKPDU RX non-recent peer list Message Number error count

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/mka/state/counters/
sak-generation-errors

description:
MKA error SAK generation count

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/mka/state/counters/
sak-hash-errors

description:
MKA error Hash Key generation count

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/mka/state/counters/
sak-encryption-errors

description:
MKA error SAK encryption/wrap count

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/mka/state/counters/
sak-decryption-errors

description:
MKA error SAK decryption/unwrap count

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/mka/state/counters/
sak-cipher-mismatch-errors

description:
MKA error SAK cipher mismatch count

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/
interfaces

description:
Enclosing container for the MACsec interfaces list

nodetype: container (rw)

/macsec/interfaces/
interface

description:
List of interfaces on which MACsec is enabled / available

nodetype: list (rw)

list keys: [name]

/macsec/interfaces/interface/
name

description:
Reference to the list key

nodetype: leaf (list key) (rw)

type: leafref

  • path reference: ../config/name

/macsec/interfaces/interface/
config

description:
Configuration data for MACsec on each interface

nodetype: container (rw)

/macsec/interfaces/interface/config/
name

description:
Reference to the MACsec Ethernet interface

nodetype: leaf (rw)

type: oc-if:base-interface-ref

/macsec/interfaces/interface/config/
enable

description:
Enable MACsec on an interface

nodetype: leaf (rw)

type: boolean

default: false

/macsec/interfaces/interface/config/
replay-protection

description:
MACsec window size, as defined by the number of out-of-order frames that are accepted. A value of 0 means that frames are accepted only in the correct order.

nodetype: leaf (rw)

type: uint16

default: 0

/macsec/interfaces/interface/
state

description:
Operational state data

nodetype: container (ro)

/macsec/interfaces/interface/state/
name

description:
Reference to the MACsec Ethernet interface

nodetype: leaf (ro)

type: oc-if:base-interface-ref

/macsec/interfaces/interface/state/
enable

description:
Enable MACsec on an interface

nodetype: leaf (ro)

type: boolean

default: false

/macsec/interfaces/interface/state/
replay-protection

description:
MACsec window size, as defined by the number of out-of-order frames that are accepted. A value of 0 means that frames are accepted only in the correct order.

nodetype: leaf (ro)

type: uint16

default: 0

/macsec/interfaces/interface/state/
counters

description:
MACsec interface counters

nodetype: container (ro)

/macsec/interfaces/interface/state/counters/
tx-untagged-pkts

description:
MACsec interface level Transmit untagged Packets counter. This counter will increment if MACsec is enabled on interface and the outgoing packet is not tagged with MACsec header.

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/interfaces/interface/state/counters/
rx-untagged-pkts

description:
MACsec interface level Receive untagged Packets counter. This counter will increment if MACsec is enabled on interface and the incoming packet does not have MACsec tag.

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/interfaces/interface/state/counters/
rx-badtag-pkts

description:
MACsec interface level Receive Bad Tag Packets counter. This counter will increment if MACsec is enabled on interface and incoming packet has incorrect MACsec tag.

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/interfaces/interface/state/counters/
rx-unknownsci-pkts

description:
MACsec interface level Receive Unknown SCI Packets counter. This counter will increment if MACsec is enabled on the interface and SCI present in the MACsec tag of the incoming packet does not match any SCI present in ingress SCI table.

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/interfaces/interface/state/counters/
rx-nosci-pkts

description:
MACsec interface level Receive No SCI Packets counter. This counter will increment if MACsec is enabled on interface and incoming packet does not have SCI field in MACsec tag.

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/interfaces/interface/
scsa-tx

description:
Enclosing container for transmitted packets for Secure Channel and Secure Association

nodetype: container (ro)

/macsec/interfaces/interface/scsa-tx/
scsa-tx

description:
TX Secure Channel and Secure Association Statistics

nodetype: list (ro)

list keys: [sci-tx]

/macsec/interfaces/interface/scsa-tx/scsa-tx/
sci-tx

description:
TX Secure Channel and Secure Association Statistics

nodetype: leaf (list key) (ro)

type: leafref

  • path reference: ../state/sci-tx

/macsec/interfaces/interface/scsa-tx/scsa-tx/
state

description:
State container for macsec-scsa-tx-interface-stats

nodetype: container (ro)

/macsec/interfaces/interface/scsa-tx/scsa-tx/state/
sci-tx

description:
Secure Channel Identifier. Every Transmit Channel is uniquely identified using this field.

nodetype: leaf (ro)

type: oc-yang:hex-string

/macsec/interfaces/interface/scsa-tx/scsa-tx/state/
counters

description:
Counters container for macsec-scsa-tx-interface-stats

nodetype: container (ro)

/macsec/interfaces/interface/scsa-tx/scsa-tx/state/counters/
sc-auth-only

description:
Secure Channel Authenticated only TX Packets counter. This counter reflects the number of authenticated only transmitted packets in a secure channel.

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/interfaces/interface/scsa-tx/scsa-tx/state/counters/
sc-encrypted

description:
Secure Channel Encrypted TX Packets counter. This counter reflects the number of encrypted and authenticated transmitted packets in a secure channel.

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/interfaces/interface/scsa-tx/scsa-tx/state/counters/
sa-auth-only

description:
Secure Association Authenticated only TX Packets counter. This counter reflects the number of authenticated only, transmitted packets in a secure association.

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/interfaces/interface/scsa-tx/scsa-tx/state/counters/
sa-encrypted

description:
Secure Association Encrypted TX Packets counter. This counter reflects the number of encrypted and authenticated transmitted packets in a secure association.

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/interfaces/interface/
scsa-rx

description:
Enclosing container for received packets for Secure Channel and Secure Association

nodetype: container (ro)

/macsec/interfaces/interface/scsa-rx/
scsa-rx

description:
RX Secure Channel and Secure Association Statistics

nodetype: list (ro)

list keys: [sci-rx]

/macsec/interfaces/interface/scsa-rx/scsa-rx/
sci-rx

description:
RX Secure Channel and Secure Association Statistics

nodetype: leaf (list key) (ro)

type: leafref

  • path reference: ../state/sci-rx

/macsec/interfaces/interface/scsa-rx/scsa-rx/
state

description:
State container for macsec-scsa-rx-interface-stats

nodetype: container (ro)

/macsec/interfaces/interface/scsa-rx/scsa-rx/state/
sci-rx

description:
Secure Channel Identifier. Every Receive Channel is uniquely identified using this field.

nodetype: leaf (ro)

type: oc-yang:hex-string

/macsec/interfaces/interface/scsa-rx/scsa-rx/state/
counters

description:
Counters container for macsec-scsa-rx-interface-stats

nodetype: container (ro)

/macsec/interfaces/interface/scsa-rx/scsa-rx/state/counters/
sc-invalid

description:
Invalid Secure Channel RX Packets counter. This counter reflects the number of invalid received packets in a secure channel.

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/interfaces/interface/scsa-rx/scsa-rx/state/counters/
sc-valid

description:
Valid Secure Channel RX Packets counter. This counter reflects the number of valid received packets in a secure channel.

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/interfaces/interface/scsa-rx/scsa-rx/state/counters/
sa-invalid

description:
Invalid Secure Association RX Packets counter. This counter reflects the number of integrity check fails for received packets in a secure association.

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/interfaces/interface/scsa-rx/scsa-rx/state/counters/
sa-valid

description:
Secure Association Valid RX Packets counter. This counter reflects the number of packets in a secure association that passed integrity check.

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/interfaces/interface/
mka

description:
Enclosing container for the MKA interface

nodetype: container (rw)

/macsec/interfaces/interface/mka/
config

description:
Configuration data for MKA interface

nodetype: container (rw)

/macsec/interfaces/interface/mka/config/
mka-policy

description:
Apply MKA policy on the interface

nodetype: leaf (rw)

type: leafref

  • path reference: /macsec/mka/policies/policy/name

/macsec/interfaces/interface/mka/config/
key-chain

description:
Configure Key Chain name

nodetype: leaf (rw)

type: leafref

  • path reference: /keychains/keychain/name

/macsec/interfaces/interface/mka/
state

description:
Operational state data for MKA interface

nodetype: container (ro)

/macsec/interfaces/interface/mka/state/
mka-policy

description:
Apply MKA policy on the interface

nodetype: leaf (ro)

type: leafref

  • path reference: /macsec/mka/policies/policy/name

/macsec/interfaces/interface/mka/state/
key-chain

description:
Configure Key Chain name

nodetype: leaf (ro)

type: leafref

  • path reference: /keychains/keychain/name

/macsec/interfaces/interface/mka/state/
counters

description:
MKA interface counters

nodetype: container (ro)

/macsec/interfaces/interface/mka/state/counters/
in-mkpdu

description:
Validated MKPDU received count

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/interfaces/interface/mka/state/counters/
in-sak-mkpdu

description:
Validated MKPDU received SAK count

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/interfaces/interface/mka/state/counters/
in-cak-mkpdu

description:
Validated MKPDU received CAK count

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/interfaces/interface/mka/state/counters/
out-mkpdu

description:
MKPDU sent count

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/interfaces/interface/mka/state/counters/
out-sak-mkpdu

description:
MKPDU SAK sent count

nodetype: leaf (ro)

type: oc-yang:counter64

/macsec/interfaces/interface/mka/state/counters/
out-cak-mkpdu

description:
MKPDU CAK sent count

nodetype: leaf (ro)

type: oc-yang:counter64

openconfig-macsec-types

openconfig-version: 0.1.0

Description

This module defines types related to the MACsec configuration and operational state model.

Imports

openconfig-extensions

Defined types

macsec-cipher-suite

description:
Set Cipher suite(s) for SAK derivation

type: enumeration

  • GCM_AES_128
    GCM-AES-128 Cipher Suite
  • GCM_AES_256
    GCM-AES-256 Cipher Suite
  • GCM_AES_XPN_128
    GCM-AES-XPN-128 Cipher Suite
  • GCM_AES_XPN_256
    GCM-AES-XPN-256 Cipher Suite

confidentiality-offset

description:
The confidentiality offset specifies a number of octets in an Ethernet frame that are sent in unencrypted plain-text

type: enumeration

  • 0_BYTES
    No octets are sent unencrypted
  • 30_BYTES
    30 octects are sent unencrypted
  • 50_BYTES
    50 octects are sent unencrypted

Data elements