openconfig-security

openconfig-version: 0.1.0

Description

This module defines top-level configuration and operational state data related to security.

For modularity purposes, the top-level security container provides a natural attachment point for implementations such as IPSec, IKE, and Certificates.

Imports

openconfig-extensions
openconfig-network-instance

Data elements

openconfig-security-ike

openconfig-version: 0.1.0

Description

This module defines configuration and operational state for IPSec.

Imports

ietf-inet-types
ietf-yang-types
openconfig-extensions
openconfig-network-instance
openconfig-keychain-types
openconfig-security
openconfig-security-types

Data elements

openconfig-security-ipsec

openconfig-version: 0.1.0

Description

This module defines configuration and operational state for IPSec.

Imports

ietf-inet-types
ietf-yang-types
openconfig-extensions
openconfig-network-instance
openconfig-interfaces
openconfig-security
openconfig-security-types
openconfig-security-ike

Data elements

openconfig-security-types

openconfig-version: 0.1.0

Description

This module defines identities and types used with the OpenConfig security modules.

Imports

openconfig-extensions

Identities

base: CONNECTION_STATUS

description:
Base identity for the operational status of an IPsec connection

UNKNOWN

description:
No connection state is currently present or known.

base identity: CONNECTION_STATUS

CONNECTING

description:
In the process of negotiating an IPsec connection.

base identity: CONNECTION_STATUS

IDLE

description:
Waiting for an incoming IPsec negotiation.

base identity: CONNECTION_STATUS

ACTIVE

description:
The IPsec negotiation is complete and ready for data transfer.

base identity: CONNECTION_STATUS

INVALID

description:
The connection is in an invalid state due to a configuration or system error that prevents connection establishment.

base identity: CONNECTION_STATUS

ESTABLISHED

description:
The IPsec negotiation is complete.

base identity: CONNECTION_STATUS

base: CONNECTION_ROLE

description:
Base identity for the role of IPsec connection.

INITIATOR

description:
This device starts the connection attempt.

base identity: CONNECTION_ROLE

RESPONDER

description:
This device only accepts incoming connection requests.

base identity: CONNECTION_ROLE

base: DH_GROUP

description:
Base identity for Diffie-Hellman groups used for key exchange (IKE Phase 1) and Perfect Forward Secrecy (PFS in Phase 2).

DH_GROUP_1

description:
Diffie-Hellman group 1 (768 bit)

base identity: DH_GROUP

DH_GROUP_2

description:
Diffie-Hellman group 2 (1024 bit)

base identity: DH_GROUP

DH_GROUP_5

description:
Diffie-Hellman group 5 (1536 bit)

base identity: DH_GROUP

DH_GROUP_14

description:
Diffie-Hellman group 14 (2048 bit)

base identity: DH_GROUP

DH_GROUP_15

description:
Diffie-Hellman group 15 (3072 bit)

base identity: DH_GROUP

DH_GROUP_16

description:
Diffie-Hellman group 16 (4096 bit)

base identity: DH_GROUP

DH_GROUP_17

description:
Diffie-Hellman group 17 (6144 bit)

base identity: DH_GROUP

DH_GROUP_19

description:
Diffie-Hellman group 19 (256 bit ecp)

base identity: DH_GROUP

DH_GROUP_20

description:
Diffie-Hellman group 20 (384 bit ecp)

base identity: DH_GROUP

DH_GROUP_21

description:
Diffie-Hellman group 21 (521 bit ecp)

base identity: DH_GROUP

DH_GROUP_24

description:
Diffie-Hellman group 24 (2048 bit, 256 bit subgroup)

base identity: DH_GROUP

base: IKE_AUTH_METHOD

description:
Base identity for the authentication method used in the IKE exchange.

PRE_SHARED_KEY

description:
Authentication using a pre-configured symmetric key (PSK).

base identity: IKE_AUTH_METHOD

PKI_CERTS

description:
Authentication using PKI certificates.

base identity: IKE_AUTH_METHOD

base: IKE_VERSION

description:
Base identity for the Internet Key Exchange protocol version.

IKEV1

description:
Internet Key Exchange Protocol Version 1 (Legacy).

base identity: IKE_VERSION

IKEV2

description:
Internet Key Exchange Protocol Version 2 (Recommended standard).

base identity: IKE_VERSION

base: IPSEC_MODE

description:
Base identity for the IPsec mode of operation.

TUNNEL

description:
IPsec Tunnel mode, where the original IP packet is encapsulated with new IP headers.

base identity: IPSEC_MODE

TRANSPORT

description:
IPsec Transport mode, where the IPsec header is inserted between the original IP header and the transport layer (TCP/UDP).

base identity: IPSEC_MODE

base: IPSEC_PROTOCOL

description:
Base identity for the IPsec protocol encapsulation.

IPPROTO_ESP

description:
Encapsulating Security Payload (ESP), providing confidentiality (encryption), integrity, and authentication.

base identity: IPSEC_PROTOCOL

IPPROTO_AH

description:
Authentication Header (AH), providing integrity and authentication, but *no* confidentiality (encryption).

base identity: IPSEC_PROTOCOL

base: SA_DIRECTION

description:
Base identity for the direction of a Security Association.

EGRESS

description:
The Security Association used for encrypting outgoing traffic.

base identity: SA_DIRECTION

INGRESS

description:
The Security Association used for decrypting incoming traffic.

base identity: SA_DIRECTION

base: TUNNEL_MODE

description:
Base identity for the encapsulation mode of the tunnel interface.

IPSEC

description:
A Layer 3 IPsec tunnel, often referred to as a VTI (Virtual Tunnel Interface) or equivalent, used for route-based VPNs.

base identity: TUNNEL_MODE

GRE

description:
Generic Routing Encapsulation (GRE) tunnel encapsulation.

base identity: TUNNEL_MODE

Data elements