rfc9648.original   rfc9648.txt 
TCPM M. Scharf Internet Engineering Task Force (IETF) M. Scharf
Internet-Draft Hochschule Esslingen Request for Comments: 9648 Hochschule Esslingen
Intended status: Standards Track M. Jethanandani Category: Standards Track M. Jethanandani
Expires: 15 March 2023 Kloud Services ISSN: 2070-1721 Kloud Services
V. Murgai V. Murgai
Samsung F5, Inc.
11 September 2022 August 2024
A YANG Model for Transmission Control Protocol (TCP) Configuration and YANG Data Model for TCP
State
draft-ietf-tcpm-yang-tcp-09
Abstract Abstract
This document specifies a minimal YANG model for TCP on devices that This document specifies a minimal YANG data model for TCP on devices
are configured and managed by network management protocols. The YANG that are configured and managed by network management protocols. The
model defines a container for all TCP connections, and groupings of YANG data model defines a container for all TCP connections and
authentication parameters that can be imported and used in TCP groupings of authentication parameters that can be imported and used
implementations or by other models that need to configure TCP in TCP implementations or by other models that need to configure TCP
parameters. The model also includes basic TCP statistics. The model parameters. The model also includes basic TCP statistics. The model
is compliant with Network Management Datastore Architecture (NMDA) is compliant with Network Management Datastore Architecture (NMDA)
(RFC 8342). (RFC 8342).
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 15 March 2023. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9648.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 4 2. Requirements Language
2.1. Note to RFC Editor . . . . . . . . . . . . . . . . . . . 4 3. YANG Module Overview
3. YANG Module Overview . . . . . . . . . . . . . . . . . . . . 4 3.1. Scope
3.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2. Model Design
3.2. Model Design . . . . . . . . . . . . . . . . . . . . . . 6 3.3. Tree Diagram
3.3. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 6 4. TCP YANG Data Model
4. TCP YANG Model . . . . . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 5.1. The IETF XML Registry
5.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 19 5.2. The YANG Module Names Registry
5.2. The YANG Module Names Registry . . . . . . . . . . . . . 20 6. Security Considerations
6. Security Considerations . . . . . . . . . . . . . . . . . . . 20 7. References
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 7.1. Normative References
7.1. Normative References . . . . . . . . . . . . . . . . . . 21 7.2. Informative References
7.2. Informative References . . . . . . . . . . . . . . . . . 23 Appendix A. Examples
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 25 A.1. Keepalive Configuration
Appendix B. Examples . . . . . . . . . . . . . . . . . . . . . . 25 A.2. TCP-AO Configuration
B.1. Keepalive Configuration . . . . . . . . . . . . . . . . . 26 Appendix B. Complete Tree Diagram
B.2. TCP-AO Configuration . . . . . . . . . . . . . . . . . . 26 Acknowledgements
Appendix C. Complete Tree Diagram . . . . . . . . . . . . . . . 28 Authors' Addresses
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 29
1. Introduction 1. Introduction
The Transmission Control Protocol (TCP) [RFC9293] is used by many The Transmission Control Protocol (TCP) [RFC9293] is used by many
applications in the Internet, including control and management applications in the Internet, including control and management
protocols. As such, TCP is implemented on network elements that can protocols. As such, TCP is implemented on network elements that can
be configured and managed via network management protocols such as be configured and managed via network management protocols such as
NETCONF [RFC6241] or RESTCONF [RFC8040]. Network Configuration Protocol (NETCONF) [RFC6241] or RESTCONF
[RFC8040].
This document specifies a minimal YANG 1.1 [RFC7950] model for This document specifies a minimal YANG 1.1 [RFC7950] data model for
configuring and managing TCP on network elements that support YANG, a configuring and managing TCP on network elements that support YANG, a
TCP connection table, a TCP listener table containing information TCP connection table, a TCP listener table containing information
about a particular TCP listener, and an augmentation of the YANG Data about a particular TCP listener, and an augmentation of the YANG data
Model for Key Chains [RFC8177] to support authentication. The YANG model for key chains [RFC8177] to support authentication. The YANG
module specified in this document is compliant with Network module specified in this document is compliant with Network
Management Datastore Architecture (NMDA) [RFC8342]. Management Datastore Architecture (NMDA) [RFC8342].
The YANG module has a narrow scope and focuses on a subset of The YANG module has a narrow scope and focuses on a subset of
fundamental TCP functions and basic statistics. It defines a fundamental TCP functions and basic statistics. It defines a
container for a list of TCP connections that includes definitions container for a list of TCP connections that includes definitions
from YANG Groupings for TCP Clients and TCP Servers from "YANG Groupings for TCP Clients and TCP Servers" [RFC9643]. The
[I-D.ietf-netconf-tcp-client-server]. The model adheres to the model adheres to the recommendation in "BGP/MPLS IP Virtual Private
recommendation in BGP/MPLS IP Virtual Private Networks [RFC4364]. Networks (VPNs)" [RFC4364]. Therefore, it allows enabling of TCP
Therefore it allows enabling of TCP-AO [RFC5925], and accommodates Authentication Option (TCP-AO) [RFC5925] and accommodates the
the installed base that makes use of MD5. The module can be installed base that makes use of MD5. The module can be augmented or
augmented or updated to address more advanced or implementation- updated to address more advanced or implementation-specific TCP
specific TCP features in the future. features in the future.
This specification does not deprecate the Management Information Base This specification does not deprecate the Management Information Base
(MIB) for the Transmission Control Protocol (TCP) [RFC4022]. The (MIB) for the Transmission Control Protocol (TCP) [RFC4022]. The
basic statistics defined in this document follow the model of the TCP basic statistics defined in this document follow the model of the TCP
MIB. An TCP Extended Statistics MIB [RFC4898] is also available, but MIB. A TCP extended statistics MIB [RFC4898] is also available, but
this document does not cover such extended statistics. The YANG this document does not cover such extended statistics. The YANG
module also omits some selected parameters included in TCP MIB, most module also omits some selected parameters included in TCP MIB, most
notably Retransmission Timeout (RTO) configuration and a maximum notably Retransmission Timeout (RTO) configuration and a maximum
connection limit. This is a conscious decision as these parameters connection limit. This is a conscious decision as these parameters
hardly matter in a state-of-the-art TCP implementation. It would hardly matter in a state-of-the-art TCP implementation. It would
also be possible to translate a MIB into a YANG module, for instance also be possible to translate a MIB into a YANG module, for instance,
using Translation of Structure of Management Information Version 2 using "Translation of Structure of Management Information Version 2
(SMIv2) MIB Modules to YANG Modules [RFC6643]. However, this (SMIv2) MIB Modules to YANG Modules" [RFC6643]. However, this
approach is not used in this document, because a translated model approach is not used in this document, because a translated model
would not be up-to-date. would not be up-to-date.
There are other existing TCP-related YANG models, which are There are other existing TCP-related YANG data models, which are
orthogonal to this specification. Examples are: orthogonal to this specification. Examples are:
* TCP header attributes are modeled in other security-related * TCP header attributes are modeled in other security-related
models, such as YANG Data Model for Network Access Control Lists models, such as those described in "YANG Data Model for Network
(ACLs) [RFC8519], Distributed Denial-of-Service Open Thread Access Control Lists (ACLs)" [RFC8519], "Distributed
Signaling (DOTS) Data Channel Specification [RFC8783], I2NSF Denial-of-Service Open Threat Signaling (DOTS) Data Channel
Capability YANG Data Model [I-D.ietf-i2nsf-capability-data-model], Specification" [RFC8783], "I2NSF Capability YANG Data Model"
or I2NSF Network Security Function-Facing Interface YANG Data [NSF-CAP-YANG], or "I2NSF Network Security Function-Facing
Model [I-D.ietf-i2nsf-nsf-facing-interface-dm]. Interface YANG Data Model" [NSF-FACING-YANG].
* TCP-related configuration of a NAT (e.g., NAT44, NAT64, * TCP-related configuration of a NAT (e.g., NAT44, NAT64, or
Destination NAT) is defined in A YANG Module for Network Address Destination NAT) is defined in "A YANG Module for Network Address
Translation (NAT) and Network Prefix Translation (NPT) [RFC8512] Translation (NAT) and Network Prefix Translation (NPT)" [RFC8512]
and A YANG Data Model for Dual-Stack Lite (DS-Lite) [RFC8513]. and "A YANG Data Model for Dual-Stack Lite (DS-Lite)" [RFC8513].
* TCP-AO and TCP MD5 configuration for Layer 3 VPNs is modeled in A * TCP-AO and TCP MD5 configuration for Layer 3 VPNs is modeled in "A
Layer 3 VPN Network YANG Model [RFC9182]. This model assumes that YANG Network Data Model for Layer 3 VPNs" [RFC9182]. This model
TCP-AO specific parameters are preconfigured in addition to the assumes that TCP-AO-specific parameters are preconfigured in
keychain parameters. addition to the key chain parameters.
2. Requirements Language 2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
2.1. Note to RFC Editor
This document uses several placeholder values throughout the
document. Please replace them as follows and remove this note before
publication.
RFC XXXX, where XXXX is the number assigned to this document at the
time of publication.
2022-09-11 with the actual date of the publication of this document.
3. YANG Module Overview 3. YANG Module Overview
3.1. Scope 3.1. Scope
TCP is implemented on different system architectures. As a result, TCP is implemented on different system architectures. As a result,
there are many different and often implementation-specific ways to there are many different and often implementation-specific ways to
configure parameters of the TCP engine. In addition, in many TCP/IP configure parameters of the TCP engine. In addition, in many TCP/IP
stacks configuration exists for different scopes: stacks, configuration exists for different scopes:
* System-wide configuration: Many TCP implementations have * System-wide configuration: Many TCP implementations have
configuration parameters that affect all TCP connections from or configuration parameters that affect all TCP connections from or
to this TCP stack. Typical examples include enabling or disabling to this TCP stack. Typical examples include enabling or disabling
optional protocol features. For instance, many implementations optional protocol features. For instance, many implementations
can turn on or off use of window scaling Transmission Control can turn on or off use of window scaling (defined in "Transmission
Protocol (TCP) Specification [RFC9293] for all TCP connections. Control Protocol (TCP)" [RFC9293]) for all TCP connections.
* Interface configuration: It can be useful to use different TCP * Interface configuration: It can be useful to use different TCP
parameters on different interfaces, e.g., different device ports parameters on different interfaces, e.g., different device ports
or IP interfaces. In that case, TCP parameters can be part of the or IP interfaces. In that case, TCP parameters can be part of the
interface configuration. Typical examples are the Maximum Segment interface configuration. Typical examples are the Maximum Segment
Size (MSS) or configuration related to hardware offloading. Size (MSS) or configuration related to hardware offloading.
* Connection parameters: Many implementations have means to * Connection parameters: Many implementations have means to
influence the behavior of each TCP connection, e.g., on the influence the behavior of each TCP connection, e.g., on the
programming interface used by applications. Typical examples are programming interface used by applications. Typical examples are
socket options in the socket API, such as disabling the Nagle socket options in the socket API, such as disabling the Nagle
algorithm Transmission Control Protocol (TCP) Specification algorithm (as described in "Transmission Control Protocol (TCP)"
[RFC9293] by TCP_NODELAY. If an application uses such an [RFC9293]) by TCP_NODELAY. If an application uses such an
interface, it is possible that the configuration of the interface, it is possible that the configuration of the
application or application protocol includes TCP-related application or application protocol includes TCP-related
parameters. An example is the BGP YANG Model for Service Provider parameters. An example is the BGP YANG module for service
Networks [I-D.ietf-idr-bgp-model]. provider networks [BGP-MODEL].
* Application preferences: Setting of TCP parameters can also be * Application preferences: Setting of TCP parameters can also be
part of application preferences, templates, or profiles. An part of application preferences, templates, or profiles. An
example would be the preferences defined in An Abstract example would be the preferences defined in "An Abstract
Application Layer Interface to Transport Services Application Layer Interface to Transport Services"
[I-D.ietf-taps-interface]. [TAPS-INTERFACE].
As a result, there is no ground truth for setting certain TCP As a result, there is no ground truth for setting certain TCP
parameters, and traditionally different TCP implementations have used parameters, and generally different TCP implementations have used
different modeling approaches. For instance, one implementation may different modeling approaches. For instance, one implementation may
define a given configuration parameter globally, while another one define a given configuration parameter globally, while another one
uses per-interface settings, and both approaches work well for the uses per-interface settings, and both approaches work well for the
corresponding use cases. Also, different systems may use different corresponding use cases. Also, different systems may use different
default values. In addition, TCP can be implemented in different default values. In addition, TCP can be implemented in different
ways and design choices by the protocol engine often affect ways and design choices by the protocol engine often affect
configuration options. configuration options.
Nonetheless, a number of TCP stack parameters require configuration Nonetheless, a number of TCP stack parameters require configuration
by YANG models. This document therefore defines a minimal YANG model by YANG data models. This document therefore defines a minimal YANG
with fundamental parameters. An important use case is the TCP data model with fundamental parameters. An important use case is the
configuration on network elements such as routers, which often use TCP configuration on network elements, such as routers, which often
YANG data models. The model therefore specifies TCP parameters that use YANG data models. The model therefore specifies TCP parameters
are important on such TCP stacks. that are important on such TCP stacks.
This in particular applies to the support of TCP-AO [RFC5925] and the In particular, this applies to the support of the TCP Authentication
corresponding cryptographic algorithms [RFC5926]. TCP Authentication Option (TCP-AO) [RFC5925] and the corresponding cryptographic
Option (TCP-AO) is used on routers to secure routing protocols such algorithms [RFC5926]. TCP-AO is used on routers to secure routing
as BGP. In that case, a YANG model for TCP-AO configuration is protocols such as BGP. In that case, a YANG data model for TCP-AO
required. The model defined in this document includes the required configuration is required. The model defined in this document
parameters for TCP-AO configuration, such as the values of SendID and includes the required parameters for TCP-AO configuration, such as
RecvID. The keychain for TCP-AO can be modeled by the YANG Data the values of SendID and RecvID. The key chain for TCP-AO can be
Model for Key Chains [RFC8177]. The groupings defined in this modeled by the YANG data model for key chains [RFC8177]. The
document can be imported and used as part of such a preconfiguration. groupings defined in this document can be imported and used as part
of such a preconfiguration.
Given an installed base, the model also allows enabling of the legacy Given an installed base, the model also allows enabling of the legacy
TCP MD5 [RFC2385] signature option. The TCP MD5 signature option was TCP MD5 [RFC2385] signature option. The TCP MD5 signature option was
obsoleted by TCP-AO in 2010. If current implementations require TCP obsoleted by TCP-AO in 2010. If current implementations require TCP
authentication, it is RECOMMENDED to use TCP-AO [RFC5925]. authentication, it is RECOMMENDED to use TCP-AO [RFC5925].
Similar to the TCP MIB [RFC4022], this document also specifies basic Similar to the TCP MIB [RFC4022], this document also specifies basic
statistics, a TCP connection list, and a TCP listener list. statistics, a TCP connection list, and a TCP listener list.
* Statistics: Counters for the number of active/passive opens, sent * Statistics: Counters for the number of active/passive opens, sent
and received TCP segments, errors, and possibly other detailed and received TCP segments, errors, and possibly other detailed
debugging information debugging information.
* TCP connection list: Access to status information for all TCP * TCP connection list: Access to status information for all TCP
connections. Note, the connection table is modeled as a list that connections. Note that the connection table is modeled as a list
is read-writeable, even though a connection cannot be created by that is readable and writeable, even though a connection cannot be
adding entries to the table. Similarly, deletion of connections created by adding entries to the table. Similarly, deletion of
from this list is implementation-specific. connections from this list is implementation-specific.
* TCP listener list: A list containing information about TCP * TCP listener list: A list containing information about TCP
listeners, i.e., applications willing to accept connections. listeners, i.e., applications willing to accept connections.
This allows implementations of TCP MIB [RFC4022] to migrate to the This allows implementations of TCP MIB [RFC4022] to migrate to the
YANG model defined in this memo. Note that the TCP MIB does not YANG data model defined in this memo. Note that the TCP MIB does not
include means to reset statistics, which are defined in this include means to reset statistics, which are defined in this
document. This is not a major addition, as a reset can simply be document. This is not a major addition, as a reset can simply be
implemented by storing offset values for the counters. implemented by storing offset values for the counters.
This version of the module does not model details of Multipath TCP This version of the module does not model details of Multipath TCP
[RFC8684]. This could be addressed in a later version of this [RFC8684]. This could be addressed in a later version of this
document. document.
3.2. Model Design 3.2. Model Design
The YANG model defined in this document includes definitions from the The YANG data model defined in this document includes definitions
YANG Groupings for TCP Clients and TCP Servers from "YANG Groupings for TCP Clients and TCP Servers" [RFC9643].
[I-D.ietf-netconf-tcp-client-server]. Similar to that model, this Similar to that model, this specification defines YANG groupings.
specification defines YANG groupings. This allows reuse of these This allows reuse of these groupings in different YANG data models.
groupings in different YANG data models. It is intended that these It is intended that these groupings will be used either standalone or
groupings will be used either standalone or for TCP-based protocols for TCP-based protocols as part of a stack of protocol-specific
as part of a stack of protocol-specific configuration models. An configuration models. An example could be the one described in "YANG
example could be the BGP YANG Model for Service Provider Networks Model for Border Gateway Protocol (BGP-4)" [BGP-MODEL].
[I-D.ietf-idr-bgp-model].
3.3. Tree Diagram 3.3. Tree Diagram
This section provides an abridged tree diagram for the YANG module This section provides an abridged tree diagram for the YANG module
defined in this document. Annotations used in the diagram are defined in this document. Annotations used in the diagram are
defined in YANG Tree Diagrams [RFC8340]. A complete tree diagram can defined in "YANG Tree Diagrams" [RFC8340]. A complete tree diagram
be found in the Appendix. can be found in Appendix B.
module: ietf-tcp module: ietf-tcp
+--rw tcp! +--rw tcp!
+--rw connections +--rw connections
| ... | ...
+--ro tcp-listeners* [type address port] +--ro tcp-listeners* [type address port]
| ... | ...
+--ro statistics {statistics}? +--ro statistics {statistics}?
... ...
augment /key-chain:key-chains/key-chain:key-chain/key-chain:key: augment /key-chain:key-chains/key-chain:key-chain/key-chain:key:
+--rw authentication {authentication}? +--rw authentication {authentication}?
+--rw keychain? key-chain:key-chain-ref +--rw keychain? key-chain:key-chain-ref
+--rw (authentication)? +--rw (authentication)?
... ...
4. TCP YANG Model 4. TCP YANG Data Model
This YANG module references The TCP Authentication Option [RFC5925], This YANG module references "The TCP Authentication Option"
Protection of BGP Sessions via the TCP MD5 Signature [RFC2385], [RFC5925], "Protection of BGP Sessions via the TCP MD5 Signature
Transmission Control Protocol (TCP) Specification [RFC9293], and Option" [RFC2385], and "Transmission Control Protocol (TCP)"
imports Common YANG Data Types [RFC6991], The NETCONF Access Control [RFC9293] and imports "Common YANG Data Types" [RFC6991], "Network
Model [RFC8341], and YANG Groupings for TCP Clients and TCP Servers Configuration Access Control Model" [RFC8341], and "YANG Groupings
[I-D.ietf-netconf-tcp-client-server]. for TCP Clients and TCP Servers" [RFC9643].
<CODE BEGINS> file "ietf-tcp@2022-09-11.yang" <CODE BEGINS> file "ietf-tcp@2022-09-11.yang"
module ietf-tcp { module ietf-tcp {
yang-version "1.1"; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tcp"; namespace "urn:ietf:params:xml:ns:yang:ietf-tcp";
prefix "tcp"; prefix tcp;
import ietf-yang-types { import ietf-yang-types {
prefix "yang"; prefix yang;
reference reference
"RFC 6991: Common YANG Data Types."; "RFC 6991: Common YANG Data Types.";
} }
import ietf-tcp-common { import ietf-tcp-common {
prefix "tcpcmn"; prefix tcpcmn;
reference reference
"I-D.ietf-netconf-tcp-client-server: YANG Groupings for TCP "RFC 9643: YANG Groupings for TCP Clients and TCP Servers.";
Clients and TCP Servers.";
} }
import ietf-inet-types { import ietf-inet-types {
prefix "inet"; prefix inet;
reference reference
"RFC 6991: Common YANG Data Types."; "RFC 6991: Common YANG Data Types.";
} }
import ietf-netconf-acm { import ietf-netconf-acm {
prefix nacm; prefix nacm;
reference reference
"RFC 8341: Network Configuration Access Control Model"; "RFC 8341: Network Configuration Access Control Model.";
} }
import ietf-key-chain { import ietf-key-chain {
prefix key-chain; prefix key-chain;
reference reference
"RFC 8177: YANG Key Chain."; "RFC 8177: YANG Data Model for Key Chains.";
} }
organization organization
"IETF TCPM Working Group"; "IETF TCPM Working Group";
contact contact
"WG Web: <https://datatracker.ietf.org/wg/tcpm/about> "WG Web: https://datatracker.ietf.org/wg/tcpm/about
WG List: <tcpm@ietf.org> WG List: TCPM WG <tcpm@ietf.org>
Authors: Michael Scharf (michael.scharf at hs-esslingen dot de) Authors: Michael Scharf <michael.scharf@hs-esslingen.de>
Mahesh Jethanandani (mjethanandani at gmail dot com) Mahesh Jethanandani <mjethanandani@gmail.com>
Vishal Murgai (vmurgai at gmail dot com)"; Vishal Murgai <vmurgai@gmail.com>";
description description
"This module focuses on fundamental TCP functions and basic "This module focuses on fundamental TCP functions and basic
statistics. The model can be augmented to address more advanced statistics. The model can be augmented to address more advanced
or implementation specific TCP features. or implementation-specific TCP features.
Copyright (c) 2022 IETF Trust and the persons identified as The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
'MAY', and 'OPTIONAL' in this document are to be interpreted as
described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
they appear in all capitals, as shown here.
Copyright (c) 2024 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject to without modification, is permitted pursuant to, and subject to
the license terms contained in, the Simplified BSD License set the license terms contained in, the Revised BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC 9648
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself (https://www.rfc-editor.org/info/rfc9648); see the RFC itself
for full legal notices. for full legal notices.";
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
'MAY', and 'OPTIONAL' in this document are to be interpreted as
described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
they appear in all capitals, as shown here.";
revision "2022-09-11" { revision 2022-09-11 {
description description
"Initial Version"; "Initial version.";
reference reference
"RFC XXXX, A YANG Model for Transmission Control Protocol (TCP) "RFC 9648: YANG Data Model for TCP.";
Configuration and State.";
} }
// Typedefs // Typedefs
typedef mss { typedef mss {
type uint16; type uint16;
description description
"Type definition for Maximum Segment Size."; "Type definition for the Maximum Segment Size.";
} }
// Features // Features
feature statistics { feature statistics {
description description
"This implementation supports statistics reporting."; "This implementation supports statistics reporting.";
} }
feature authentication { feature authentication {
description description
"This implementation supports authentication."; "This implementation supports authentication.";
} }
// Identities // Identities
identity aes-128 { identity aes-128 {
base key-chain:crypto-algorithm; base key-chain:crypto-algorithm;
description description
"AES128 authentication algorithm used by TCP-AO."; "AES128 authentication algorithm used by TCP-AO.";
reference reference
"RFC 5926: Cryptographic Algorithms for the TCP "RFC 5926: Cryptographic Algorithms for the TCP
Authentication Option (TCP-AO)."; Authentication Option (TCP-AO).";
} }
// TCP-AO Groupings // TCP-AO Groupings
grouping ao { grouping ao {
leaf send-id { leaf send-id {
type uint8 { type uint8 {
range "0..max"; range "0..max";
} }
description description
"The SendID is inserted as the KeyID of the TCP-AO option "The SendID is inserted as the KeyID of the TCP-AO option
of outgoing segments. In a consistent configuration, the of outgoing segments. In a consistent configuration, the
SendID matches the RecvID at the other endpoint."; SendID matches the RecvID at the other endpoint.";
reference reference
"RFC 5925: The TCP Authentication Option, Section 3.1."; "RFC 5925: The TCP Authentication Option, Section 3.1.";
} }
leaf recv-id { leaf recv-id {
type uint8 { type uint8 {
range "0..max"; range "0..max";
} }
description description
"The RecvID is matched against the TCP-AO KeyID of incoming "The RecvID is matched against the TCP-AO KeyID of incoming
segments. In a consistent configuration, the RecvID matches segments. In a consistent configuration, the RecvID matches
the SendID at the other endpoint."; the SendID at the other endpoint.";
reference reference
"RFC 5925: The TCP Authentication Option, Section 3.1."; "RFC 5925: The TCP Authentication Option, Section 3.1.";
} }
leaf include-tcp-options { leaf include-tcp-options {
type boolean; type boolean;
default true; default "true";
description description
"When set to true, TCP options are included in MAC "When set to true, TCP options are included in the message
calculation."; authentication code (MAC) calculation.";
reference reference
"RFC 5925: The TCP Authentication Option, Section 3.1."; "RFC 5925: The TCP Authentication Option, Section 3.1.";
} }
leaf accept-key-mismatch { leaf accept-key-mismatch {
type boolean; type boolean;
description description
"Accept, when set to true, TCP segments with a Master Key "Accept, when set to true, TCP segments with a Master Key
Tuple (MKT) that is not configured."; Tuple (MKT) that is not configured.";
reference reference
skipping to change at page 11, line 4 skipping to change at line 452
i.e., the desired 'receive next' key ID."; i.e., the desired 'receive next' key ID.";
reference reference
"RFC 5925: The TCP Authentication Option."; "RFC 5925: The TCP Authentication Option.";
} }
description description
"Authentication Option (AO) for TCP."; "Authentication Option (AO) for TCP.";
reference reference
"RFC 5925: The TCP Authentication Option."; "RFC 5925: The TCP Authentication Option.";
} }
// TCP configuration // TCP configuration
container tcp { container tcp {
presence "The container for TCP configuration."; presence "The container for TCP configuration.";
description description
"TCP container."; "TCP container.";
container connections { container connections {
list connection { list connection {
key "local-address remote-address local-port remote-port"; key "local-address remote-address local-port remote-port";
leaf local-address { leaf local-address {
type inet:ip-address; type inet:ip-address;
description description
"Identifies the address that is used by the local "Identifies the address that is used by the local
endpoint for the connection, and is one of the four endpoint for the connection and is one of the four
elements that form the connection identifier."; elements that form the connection identifier.";
} }
leaf remote-address { leaf remote-address {
type inet:ip-address; type inet:ip-address;
description description
"Identifies the address that is used by the remote "Identifies the address that is used by the remote
endpoint for the connection, and is one of the four endpoint for the connection and is one of the four
elements that form the connection identifier."; elements that form the connection identifier.";
} }
leaf local-port { leaf local-port {
type inet:port-number; type inet:port-number;
description description
"Identifies the local TCP port used for the connection, "Identifies the local TCP port used for the connection
and is one of the four elements that form the and is one of the four elements that form the
connection identifier."; connection identifier.";
} }
leaf remote-port { leaf remote-port {
type inet:port-number; type inet:port-number;
description description
"Identifies the remote TCP port used for the connection, "Identifies the remote TCP port used for the connection
and is one of the four elements that form the and is one of the four elements that form the
connection identifier."; connection identifier.";
} }
leaf mss { leaf mss {
type mss; type mss;
description description
"Maximum Segment Size (MSS) desired on this connection. "Maximum Segment Size (MSS) desired on this connection.
Note that the 'effective send MSS' can be smaller than
Note, the 'effective send MSS' can be smaller than
what is configured here."; what is configured here.";
reference reference
"RFC 9293: Transmission Control Protocol (TCP) "RFC 9293: Transmission Control Protocol (TCP).";
Specification.";
} }
leaf pmtud { leaf pmtud {
type boolean; type boolean;
default false; default "false";
description description
"Turns Path Maximum Transmission Unit Discovery (PMTUD) "Turns Path Maximum Transmission Unit Discovery (PMTUD)
on (true) or off (false)."; on (true) or off (false).";
reference reference
"RFC 9293: Transmission Control Protocol (TCP) "RFC 9293: Transmission Control Protocol (TCP).";
Specification.";
} }
uses tcpcmn:tcp-common-grouping; uses tcpcmn:tcp-common-grouping;
leaf state { leaf state {
type enumeration { type enumeration {
enum closed { enum closed {
value 1; value 1;
description description
"Connection is closed. Connections in this state "Connection is closed. Connections in this state
skipping to change at page 13, line 6 skipping to change at line 549
enum syn-received { enum syn-received {
value 4; value 4;
description description
"Represents waiting for a confirming connection "Represents waiting for a confirming connection
request acknowledgment after having both received request acknowledgment after having both received
and sent a connection request."; and sent a connection request.";
} }
enum established { enum established {
value 5; value 5;
description description
"Represents an open connection, data received can be "Represents an open connection; data received can be
delivered to the user. The normal state for the data delivered to the user. The normal state for the
transfer phase of the connection."; data transfer phase of the connection.";
} }
enum fin-wait-1 { enum fin-wait-1 {
value 6; value 6;
description description
"Represents waiting for a connection termination "Represents waiting for a connection termination
request from the remote TCP peer, or an request from the remote TCP peer or an
acknowledgment of the connection termination request acknowledgment of the connection termination
previously sent."; request previously sent.";
} }
enum fin-wait-2 { enum fin-wait-2 {
value 7; value 7;
description description
"Represents waiting for a connection termination "Represents waiting for a connection termination
request from the remote TCP peer."; request from the remote TCP peer.";
} }
enum close-wait { enum close-wait {
value 8; value 8;
description description
skipping to change at page 13, line 38 skipping to change at line 581
request from the local user."; request from the local user.";
} }
enum last-ack { enum last-ack {
value 9; value 9;
description description
"Represents waiting for an acknowledgment of the "Represents waiting for an acknowledgment of the
connection termination request previously sent to connection termination request previously sent to
the remote TCP peer (this termination request sent the remote TCP peer (this termination request sent
to the remote TCP peer already included an to the remote TCP peer already included an
acknowledgment of the termination request sent from acknowledgment of the termination request sent from
the remote TCP peer)"; the remote TCP peer).";
} }
enum closing { enum closing {
value 10; value 10;
description description
"Represents waiting for a connection termination "Represents waiting for a connection termination
request acknowledgment from the remote TCP peer."; request acknowledgment from the remote TCP peer.";
} }
enum time-wait { enum time-wait {
value 11; value 11;
description description
"Represents waiting for enough time to pass to be "Represents waiting for enough time to pass to be
sure the remote TCP peer received the acknowledgment sure the remote TCP peer received the
of its connection termination request, and to avoid acknowledgment of its connection termination
new connections being impacted by delayed segments request and to avoid new connections being impacted
from previous connections."; by delayed segments from previous connections.";
} }
} }
config false; config false;
description description
"The state of this TCP connection."; "The state of this TCP connection.";
} }
description description
"List of TCP connections with their parameters. "List of TCP connections with their parameters.
The list is modeled as writeable even though only some of The list is modeled as writeable even though only some of
the nodes are writeable, e.g. keepalive. Connections the nodes are writeable, e.g., keepalive. Connections
that are created and match this list SHOULD apply the that are created and match this list SHOULD apply the
writeable parameters. At the same time, implementations writeable parameters. At the same time, implementations
may not allow creation of new TCP connections simply by may not allow creation of new TCP connections simply by
adding entries to the list. Furthermore, the behavior adding entries to the list. Furthermore, the behavior
upon removal is implementation-specific. Implementations upon removal is implementation-specific. Implementations
may not support closing or resetting a TCP connection may not support closing or resetting a TCP connection
upon an operation that removes the entry from the list. upon an operation that removes the entry from the list.
The operational state of this list SHOULD reflect The operational state of this list SHOULD reflect
connections that have configured, but not created, and connections that have configured but not created and
connections that have been created. Connections in connections that have been created. Connections in the
CLOSED state are not reflected on this list."; CLOSED state are not reflected on this list.";
} }
description description
"A container of all TCP connections."; "A container of all TCP connections.";
} }
list tcp-listeners { list tcp-listeners {
key "type address port"; key "type address port";
config false; config false;
skipping to change at page 15, line 6 skipping to change at line 645
description description
"The address type of address. The value "The address type of address. The value
should be unspecified (0) if connection initiations should be unspecified (0) if connection initiations
to all local IP addresses are accepted."; to all local IP addresses are accepted.";
} }
leaf address { leaf address {
type union { type union {
type inet:ip-address; type inet:ip-address;
type string { type string {
length 0; length "0";
} }
} }
description description
"The local IP address for this TCP connection. "The local IP address for this TCP connection.
The value of this node can be represented in three The value of this node can be represented in three
possible ways, depending on the characteristics of the possible ways, depending on the characteristics of the
listening application: listening application:
1. For an application willing to accept both IPv4 and 1. For an application willing to accept both IPv4 and
IPv6 datagrams, the value of this node must be IPv6 datagrams, the value of this node must be
''h (a zero-length octet-string), with the value ''h (a zero-length octet string), with the value
of the corresponding 'type' object being of the corresponding 'type' object being
unspecified (0). unspecified (0).
2. For an application willing to accept only IPv4 or 2. For an application willing to accept only IPv4 or
IPv6 datagrams, the value of this node must be IPv6 datagrams, the value of this node must be
'0.0.0.0' or '::' respectively, with '0.0.0.0' or '::' respectively, with
'type' representing the appropriate address type. 'type' representing the appropriate address type.
3. For an application which is listening for data 3. For an application that is listening for data
destined only to a specific IP address, the value destined only to a specific IP address, the value
of this node is the specific local address, with of this node is the specific local address, with
'type' representing the appropriate address type."; 'type' representing the appropriate address type.";
} }
leaf port { leaf port {
type inet:port-number; type inet:port-number;
description description
"The local port number for this TCP connection."; "The local port number for this TCP connection.";
} }
} }
container statistics { container statistics {
if-feature statistics; if-feature "statistics";
config false; config false;
leaf active-opens { leaf active-opens {
type yang:counter64; type yang:counter64;
description description
"The number of times that TCP connections have made a "The number of times that TCP connections have made a
direct transition to the SYN-SENT state from the CLOSED direct transition to the SYN-SENT state from the CLOSED
state."; state.";
reference reference
"RFC 9293: Transmission Control Protocol (TCP) "RFC 9293: Transmission Control Protocol (TCP).";
Specification.";
} }
leaf passive-opens { leaf passive-opens {
type yang:counter64; type yang:counter64;
description description
"The number of times TCP connections have made a direct "The number of times TCP connections have made a direct
transition to the SYN-RCVD state from the LISTEN state."; transition to the SYN-RCVD state from the LISTEN state.";
reference reference
"RFC 9293: Transmission Control Protocol (TCP) "RFC 9293: Transmission Control Protocol (TCP).";
Specification.";
} }
leaf attempt-fails { leaf attempt-fails {
type yang:counter64; type yang:counter64;
description description
"The number of times that TCP connections have made a "The number of times that TCP connections have made a
direct transition to the CLOSED state from either the direct transition to the CLOSED state from either the
SYN-SENT state or the SYN-RCVD state, plus the number of SYN-SENT state or the SYN-RCVD state, plus the number of
times that TCP connections have made a direct transition times that TCP connections have made a direct transition
to the LISTEN state from the SYN-RCVD state."; to the LISTEN state from the SYN-RCVD state.";
reference reference
"RFC 9293: Transmission Control Protocol (TCP) "RFC 9293: Transmission Control Protocol (TCP).";
Specification.";
} }
leaf establish-resets { leaf establish-resets {
type yang:counter64; type yang:counter64;
description description
"The number of times that TCP connections have made a "The number of times that TCP connections have made a
direct transition to the CLOSED state from either the direct transition to the CLOSED state from either the
ESTABLISHED state or the CLOSE-WAIT state."; ESTABLISHED state or the CLOSE-WAIT state.";
reference reference
"RFC 9293: Transmission Control Protocol (TCP) "RFC 9293: Transmission Control Protocol (TCP).";
Specification.";
} }
leaf currently-established { leaf currently-established {
type yang:gauge32; type yang:gauge32;
description description
"The number of TCP connections for which the current state "The number of TCP connections for which the current state
is either ESTABLISHED or CLOSE-WAIT."; is either ESTABLISHED or CLOSE-WAIT.";
reference reference
"RFC 9293: Transmission Control Protocol (TCP) "RFC 9293: Transmission Control Protocol (TCP).";
Specification.";
} }
leaf in-segments { leaf in-segments {
type yang:counter64; type yang:counter64;
description description
"The total number of TCP segments received, including those "The total number of TCP segments received, including those
received in error. This count includes TCP segments received in error. This count includes TCP segments
received on currently established connections."; received on currently established connections.";
reference reference
"RFC 9293: Transmission Control Protocol (TCP) "RFC 9293: Transmission Control Protocol (TCP).";
Specification.";
} }
leaf out-segments { leaf out-segments {
type yang:counter64; type yang:counter64;
description description
"The total number of TCP segments sent, including those on "The total number of TCP segments sent, including those on
current connections but excluding those containing only current connections but excluding those containing only
retransmitted octets."; retransmitted octets.";
reference reference
"RFC 9293: Transmission Control Protocol (TCP) "RFC 9293: Transmission Control Protocol (TCP).";
Specification.";
} }
leaf retransmitted-segments { leaf retransmitted-segments {
type yang:counter64; type yang:counter64;
description description
"The total number of TCP segments retransmitted; that is, "The total number of TCP segments retransmitted; that is,
the number of TCP segments transmitted containing one or the number of TCP segments transmitted containing one or
more previously transmitted octets."; more previously transmitted octets.";
reference reference
"RFC 9293: Transmission Control Protocol (TCP) "RFC 9293: Transmission Control Protocol (TCP).";
Specification.";
} }
leaf in-errors { leaf in-errors {
type yang:counter64; type yang:counter64;
description description
"The total number of TCP segments received in error "The total number of TCP segments received in error
(e.g., bad TCP checksums)."; (e.g., bad TCP checksums).";
reference reference
"RFC 9293: Transmission Control Protocol (TCP) "RFC 9293: Transmission Control Protocol (TCP).";
Specification.";
} }
leaf out-resets { leaf out-resets {
type yang:counter64; type yang:counter64;
description description
"The number of TCP segments sent containing the RST flag."; "The number of TCP segments sent containing the RST flag.";
reference reference
"RFC 9293: Transmission Control Protocol (TCP) "RFC 9293: Transmission Control Protocol (TCP).";
Specification.";
} }
leaf auth-failures { leaf auth-failures {
if-feature authentication; if-feature "authentication";
type yang:counter64; type yang:counter64;
description description
"The number of times that authentication has failed either "The number of times that authentication has failed either
with TCP-AO or MD5."; with TCP-AO or MD5.";
} }
action reset { action reset {
nacm:default-deny-all; nacm:default-deny-all;
description description
"Reset statistics action command."; "Reset statistics action command.";
skipping to change at page 18, line 46 skipping to change at line 819
"Statistics across all connections."; "Statistics across all connections.";
} }
} }
augment "/key-chain:key-chains/key-chain:key-chain/key-chain:key" { augment "/key-chain:key-chains/key-chain:key-chain/key-chain:key" {
description description
"Augmentation of the key-chain model to add TCP-AO and TCP-MD5 "Augmentation of the key-chain model to add TCP-AO and TCP-MD5
authentication."; authentication.";
container authentication { container authentication {
if-feature authentication; if-feature "authentication";
leaf keychain { leaf keychain {
type key-chain:key-chain-ref; type key-chain:key-chain-ref;
description description
"Reference to the key chain that will be used by "Reference to the key chain that will be used by
this model. Applicable for TCP-AO and TCP-MD5 this model. Applicable for TCP-AO and TCP-MD5
only"; only.";
reference reference
"RFC 8177: YANG Key Chain."; "RFC 8177: YANG Data Model for Key Chains.";
} }
choice authentication { choice authentication {
container ao { container ao {
presence "Presence container for all TCP-AO related" + presence "Presence container for all TCP-AO related"
" configuration"; + " configuration";
uses ao; uses ao;
description description
"Use TCP-AO to secure the connection."; "Use TCP-AO to secure the connection.";
} }
container md5 { container md5 {
presence "Presence container for all MD5 related" + presence "Presence container for all MD5 related"
" configuration"; + " configuration";
description description
"Use TCP-MD5 to secure the connection. As the TCP MD5 "Use TCP-MD5 to secure the connection. As the TCP MD5
signature option is obsoleted by TCP-AO, it is signature option is obsoleted by TCP-AO, it is
RECOMMENDED to use TCP-AO instead."; RECOMMENDED to use TCP-AO instead.";
reference reference
"RFC 2385: Protection of BGP Sessions via the TCP MD5 "RFC 2385: Protection of BGP Sessions via the TCP MD5
Signature."; Signature Option.";
} }
description description
"Choice of TCP authentication."; "Choice of TCP authentication.";
} }
description description
"Authentication definitions for TCP configuration. "Authentication definitions for TCP configuration.
This includes parameters such as how to secure the This includes parameters such as how to secure the
connection, that can be part of either the client connection, which can be part of either the client
or server."; or server.";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
5. IANA Considerations 5. IANA Considerations
5.1. The IETF XML Registry 5.1. The IETF XML Registry
This document registers an URI in the "ns" subregistry of the IETF IANA has registered the following URI in the "ns" registry defined in
XML Registry [RFC3688]. Following the format in IETF XML Registry the "IETF XML Registry" [RFC3688].
[RFC3688], the following registration is requested:
URI: urn:ietf:params:xml:ns:yang:ietf-tcp URI: urn:ietf:params:xml:ns:yang:ietf-tcp
Registrant Contact: The IESG. Registrant Contact: The IESG
XML: N/A, the requested URI is an XML namespace. XML: N/A; the requested URI is an XML namespace.
5.2. The YANG Module Names Registry 5.2. The YANG Module Names Registry
The following entry is requested to be added to the "YANG Module IANA has registered the following in the "YANG Module Names" registry
Names" registry created by YANG - A Data Modeling Language for the created by "YANG - A Data Modeling Language for the Network
Network Configuration Protocol (NETCONF) [RFC6020]: Configuration Protocol (NETCONF)" [RFC6020].
name: ietf-tcp Name: ietf-tcp
namespace: urn:ietf:params:xml:ns:yang:ietf-tcp Namespace: urn:ietf:params:xml:ns:yang:ietf-tcp
prefix: tcp Prefix: tcp
reference: RFC XXXX (this document) Reference: RFC 9648
The registration is not maintained by IANA. This is not an IANA maintained module; however, the URI and other
details of the module are maintained by IANA.
6. Security Considerations 6. Security Considerations
The YANG module specified in this document defines a schema for data The YANG module specified in this document defines a schema for data
that is designed to be accessed via network management protocols such that is designed to be accessed via network management protocols such
as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer
is the secure transport layer, and the mandatory-to-implement secure is the secure transport layer, and the mandatory-to-implement secure
transport is Secure Shell (SSH) described in Using the NETCONF transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer
protocol over SSH [RFC6242]. The lowest RESTCONF layer is HTTPS, and is HTTPS, and the mandatory-to-implement secure transport is TLS
the mandatory-to-implement secure transport is TLS [RFC8446]. [RFC8446].
The Network Configuration Access Control Model (NACM) [RFC8341] The Network Configuration Access Control Model (NACM) [RFC8341]
provides the means to restrict access for particular NETCONF or provides the means to restrict access for particular NETCONF or
RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or
RESTCONF protocol operations and content. RESTCONF protocol operations and content.
There are a number of data nodes defined in this YANG module that are There are a number of data nodes defined in this YANG module that are
writable/creatable/deletable (i.e., "config true", which is the writable/creatable/deletable (i.e., "config true", which is the
default). These data nodes may be considered sensitive or vulnerable default). These data nodes may be considered sensitive or vulnerable
in some network environments. Write operations (e.g., edit-config) in some network environments. Write operations (e.g., edit-config)
to these data nodes without proper protection can have a negative to these data nodes without proper protection can have a negative
effect on network operations. These are the subtrees and data nodes effect on network operations. These are the subtrees and data nodes
and their sensitivity/vulnerability: and their sensitivity/vulnerability:
* Common configuration included from NETCONF Client and Server * Common configuration included from NETCONF client and server
Models [I-D.ietf-netconf-tcp-client-server]. Unrestricted access models [RFC9643]. Unrestricted access to all the nodes, e.g.,
to all the nodes, e.g., keepalive idle-timer, can cause keepalive idle timer, can cause connections to fail or to timeout
connections to fail or to timeout prematurely. prematurely.
* Authentication configuration. Unrestricted access to the nodes * Authentication configuration. Unrestricted access to the nodes
under authentication configuration can prevent the use of under authentication configuration can prevent the use of
authenticated communication and cause connection setups to fail. authenticated communication and cause connection setups to fail.
This can result in massive security vulnerabilities and service This can result in massive security vulnerabilities and service
disruption for the traffic requiring authentication. disruption for the traffic requiring authentication.
Some of the readable data nodes in this YANG module may be considered Some of the readable data nodes in this YANG module may be considered
sensitive or vulnerable in some network environments. It is thus sensitive or vulnerable in some network environments. It is thus
important to control read access (e.g., via get, get-config, or important to control read access (e.g., via get, get-config, or
skipping to change at page 21, line 35 skipping to change at line 946
sensitive or vulnerable in some network environments. It is thus sensitive or vulnerable in some network environments. It is thus
important to control access to these operations. These are the important to control access to these operations. These are the
operations and their sensitivity/vulnerability: operations and their sensitivity/vulnerability:
* The YANG module allows for the statistics to be cleared by * The YANG module allows for the statistics to be cleared by
executing the reset action. This action should be restricted to executing the reset action. This action should be restricted to
users with the right permission. users with the right permission.
The module specified in this document supports MD5 to basically The module specified in this document supports MD5 to basically
accommodate the installed BGP base. MD5 suffers from the security accommodate the installed BGP base. MD5 suffers from the security
weaknesses discussed in Section 2 of RFC 6151 [RFC6151] or weaknesses discussed in Section 2 of [RFC6151] or Section 2.1 of
Section 2.1 of RFC 6952 [RFC6952]. [RFC6952].
7. References 7. References
7.1. Normative References 7.1. Normative References
[I-D.ietf-netconf-tcp-client-server]
Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients
and TCP Servers", Work in Progress, Internet-Draft, draft-
ietf-netconf-tcp-client-server-13, 24 May 2022,
<https://www.ietf.org/archive/id/draft-ietf-netconf-tcp-
client-server-13.txt>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5 [RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5
Signature Option", RFC 2385, DOI 10.17487/RFC2385, August Signature Option", RFC 2385, DOI 10.17487/RFC2385, August
1998, <https://www.rfc-editor.org/info/rfc2385>. 1998, <https://www.rfc-editor.org/info/rfc2385>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
skipping to change at page 23, line 32 skipping to change at line 1032
<https://www.rfc-editor.org/info/rfc8342>. <https://www.rfc-editor.org/info/rfc8342>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC9293] Eddy, W., Ed., "Transmission Control Protocol (TCP)", [RFC9293] Eddy, W., Ed., "Transmission Control Protocol (TCP)",
STD 7, RFC 9293, DOI 10.17487/RFC9293, August 2022, STD 7, RFC 9293, DOI 10.17487/RFC9293, August 2022,
<https://www.rfc-editor.org/info/rfc9293>. <https://www.rfc-editor.org/info/rfc9293>.
7.2. Informative References [RFC9643] Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients
and TCP Servers", RFC 9643, DOI 10.17487/RFC9643, May
2024, <https://www.rfc-editor.org/info/rfc9643>.
[I-D.ietf-i2nsf-capability-data-model] 7.2. Informative References
Hares, S., Jeong, J. P., Kim, J. T., Moskowitz, R., and Q.
Lin, "I2NSF Capability YANG Data Model", Work in Progress,
Internet-Draft, draft-ietf-i2nsf-capability-data-model-32,
23 May 2022, <https://www.ietf.org/archive/id/draft-ietf-
i2nsf-capability-data-model-32.txt>.
[I-D.ietf-i2nsf-nsf-facing-interface-dm] [BGP-MODEL]
Kim, J. T., Jeong, J. P., Park, J., Hares, S., and Q. Lin, Jethanandani, M., Patel, K., Hares, S., and J. Haas, "YANG
"I2NSF Network Security Function-Facing Interface YANG Model for Border Gateway Protocol (BGP-4)", Work in
Data Model", Work in Progress, Internet-Draft, draft-ietf- Progress, Internet-Draft, draft-ietf-idr-bgp-model-17, 5
i2nsf-nsf-facing-interface-dm-29, 1 June 2022, July 2023, <https://datatracker.ietf.org/doc/html/draft-
<https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf- ietf-idr-bgp-model-17>.
facing-interface-dm-29.txt>.
[I-D.ietf-idr-bgp-model] [NSF-CAP-YANG]
Jethanandani, M., Patel, K., Hares, S., and J. Haas, "BGP Hares, S., Ed., Jeong, J., Ed., Kim, J., Moskowitz, R.,
YANG Model for Service Provider Networks", Work in and Q. Lin, "I2NSF Capability YANG Data Model", Work in
Progress, Internet-Draft, draft-ietf-idr-bgp-model-14, 3 Progress, Internet-Draft, draft-ietf-i2nsf-capability-
July 2022, <https://www.ietf.org/archive/id/draft-ietf- data-model-32, 23 May 2022,
idr-bgp-model-14.txt>. <https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-
capability-data-model-32>.
[I-D.ietf-taps-interface] [NSF-FACING-YANG]
Trammell, B., Welzl, M., Enghardt, T., Fairhurst, G., Kim, J., Ed., Jeong, J., Ed., Park, J., Hares, S., and Q.
Kuehlewind, M., Perkins, C., Tiesel, P. S., and T. Pauly, Lin, "I2NSF Network Security Function-Facing Interface
"An Abstract Application Layer Interface to Transport YANG Data Model", Work in Progress, Internet-Draft, draft-
Services", Work in Progress, Internet-Draft, draft-ietf- ietf-i2nsf-nsf-facing-interface-dm-29, 1 June 2022,
taps-interface-16, 31 August 2022, <https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-
<https://www.ietf.org/archive/id/draft-ietf-taps- nsf-facing-interface-dm-29>.
interface-16.txt>.
[RFC4022] Raghunarayan, R., Ed., "Management Information Base for [RFC4022] Raghunarayan, R., Ed., "Management Information Base for
the Transmission Control Protocol (TCP)", RFC 4022, the Transmission Control Protocol (TCP)", RFC 4022,
DOI 10.17487/RFC4022, March 2005, DOI 10.17487/RFC4022, March 2005,
<https://www.rfc-editor.org/info/rfc4022>. <https://www.rfc-editor.org/info/rfc4022>.
[RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private [RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February Networks (VPNs)", RFC 4364, DOI 10.17487/RFC4364, February
2006, <https://www.rfc-editor.org/info/rfc4364>. 2006, <https://www.rfc-editor.org/info/rfc4364>.
skipping to change at page 25, line 40 skipping to change at line 1125
[RFC9182] Barguil, S., Gonzalez de Dios, O., Ed., Boucadair, M., [RFC9182] Barguil, S., Gonzalez de Dios, O., Ed., Boucadair, M.,
Ed., Munoz, L., and A. Aguado, "A YANG Network Data Model Ed., Munoz, L., and A. Aguado, "A YANG Network Data Model
for Layer 3 VPNs", RFC 9182, DOI 10.17487/RFC9182, for Layer 3 VPNs", RFC 9182, DOI 10.17487/RFC9182,
February 2022, <https://www.rfc-editor.org/info/rfc9182>. February 2022, <https://www.rfc-editor.org/info/rfc9182>.
[RFC9235] Touch, J. and J. Kuusisaari, "TCP Authentication Option [RFC9235] Touch, J. and J. Kuusisaari, "TCP Authentication Option
(TCP-AO) Test Vectors", RFC 9235, DOI 10.17487/RFC9235, (TCP-AO) Test Vectors", RFC 9235, DOI 10.17487/RFC9235,
May 2022, <https://www.rfc-editor.org/info/rfc9235>. May 2022, <https://www.rfc-editor.org/info/rfc9235>.
Appendix A. Acknowledgements [TAPS-INTERFACE]
Trammell, B., Ed., Welzl, M., Ed., Enghardt, R.,
Michael Scharf was supported by the StandICT.eu project, which is Fairhurst, G., Kühlewind, M., Perkins, C., Tiesel, P., and
funded by the European Commission under the Horizon 2020 Programme. T. Pauly, "An Abstract Application Layer Interface to
Transport Services", Work in Progress, Internet-Draft,
The following persons have contributed to this document by reviews draft-ietf-taps-interface-26, 16 March 2024,
(in alphabetical order): Mohamed Boucadair, Gorry Fairhurst, Jeffrey <https://datatracker.ietf.org/doc/html/draft-ietf-taps-
Haas, and Tom Petch. interface-26>.
Appendix B. Examples Appendix A. Examples
B.1. Keepalive Configuration
This particular example demonstrates how both a particular connection A.1. Keepalive Configuration
can be configured for keepalives.
NOTE: '\' line wrapping per RFC 8792 This particular example demonstrates how a particular connection can
be configured for keepalives.
<?xml version="1.0" encoding="UTF-8"?> NOTE: '\' line wrapping per RFC 8792
<!--
This example shows how TCP keepalive, MSS and PMTU can be configured \
for a given connection. An idle connection is dropped after <?xml version="1.0" encoding="UTF-8"?>
idle-time + (max-probes * probe-interval). <!--
--> This example shows how TCP keepalive, MSS, and PMTU can be configure\
<tcp d for a given connection. An idle connection is dropped after
xmlns="urn:ietf:params:xml:ns:yang:ietf-tcp"> idle-time + (max-probes * probe-interval).
<connections> -->
<connection> <tcp
<local-address>192.0.2.1</local-address> xmlns="urn:ietf:params:xml:ns:yang:ietf-tcp">
<remote-address>192.0.2.2</remote-address> <connections>
<local-port>1025</local-port> <connection>
<remote-port>22</remote-port> <local-address>192.0.2.1</local-address>
<mss>1400</mss> <remote-address>192.0.2.2</remote-address>
<pmtud>true</pmtud> <local-port>1025</local-port>
<keepalives> <remote-port>22</remote-port>
<idle-time>5</idle-time> <mss>1400</mss>
<max-probes>5</max-probes> <pmtud>true</pmtud>
<probe-interval>10</probe-interval> <keepalives>
</keepalives> <idle-time>5</idle-time>
</connection> <max-probes>5</max-probes>
</connections> <probe-interval>10</probe-interval>
</tcp> </keepalives>
</connection>
</connections>
</tcp>
B.2. TCP-AO Configuration A.2. TCP-AO Configuration
The following example demonstrates how to model a TCP-AO [RFC5925] The following example demonstrates how to model a TCP-AO [RFC5925]
configuration for the example in TCP-AO Test Vectors [RFC9235]. The configuration for the example in "TCP Authentication Option (TCP-AO)
IP addresses and other parameters are taken from the test vectors. Test Vectors" [RFC9235]. The IP addresses and other parameters are
taken from the test vectors.
NOTE: '\' line wrapping per RFC 8792 NOTE: '\' line wrapping per RFC 8792
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!-- <!--
This example sets TCP-AO configuration parameters similar to This example sets TCP-AO configuration parameters similarly to
the examples in RFC 9235. the examples in RFC 9235.
-->
<key-chains <key-chains
xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain"> xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain">
<key-chain> <key-chain>
<name>ao-config</name> <name>ao-config</name>
<description>"An example for TCP-AO configuration."</description>\ <description>"An example for TCP-AO configuration."</description>
<key>
<key-id>55</key-id>
<lifetime>
<send-lifetime>
<start-date-time>2017-01-01T00:00:00Z</start-date-time>
<end-date-time>2017-02-01T00:00:00Z</end-date-time>
</send-lifetime>
<accept-lifetime>
<start-date-time>2016-12-31T23:59:55Z</start-date-time>
<end-date-time>2017-02-01T00:00:05Z</end-date-time>
</accept-lifetime>
</lifetime>
<crypto-algorithm
xmlns:tcp=
"urn:ietf:params:xml:ns:yang:ietf-tcp">tcp:aes-128</crypto\
-algorithm>
<key-string>
<keystring>testvector</keystring>
</key-string>
<authentication
xmlns="urn:ietf:params:xml:ns:yang:ietf-tcp">
<keychain>ao-config</keychain>
<ao>
<send-id>61</send-id>
<recv-id>84</recv-id>
</ao>
</authentication>
</key>
</key-chain>
</key-chains>
<key> Appendix B. Complete Tree Diagram
<key-id>55</key-id>
<lifetime>
<send-lifetime>
<start-date-time>2017-01-01T00:00:00Z</start-date-time>
<end-date-time>2017-02-01T00:00:00Z</end-date-time>
</send-lifetime>
<accept-lifetime>
<start-date-time>2016-12-31T23:59:55Z</start-date-time>
<end-date-time>2017-02-01T00:00:05Z</end-date-time>
</accept-lifetime>
</lifetime>
<crypto-algorithm
xmlns:tcp=
"urn:ietf:params:xml:ns:yang:ietf-tcp">tcp:aes-128</crypto-algorit\
hm>
<key-string>
<keystring>testvector</keystring>
</key-string>
<authentication
xmlns="urn:ietf:params:xml:ns:yang:ietf-tcp">
<keychain>ao-config</keychain>
<ao>
<send-id>61</send-id>
<recv-id>84</recv-id>
</ao>
</authentication>
</key>
</key-chain>
</key-chains>
Appendix C. Complete Tree Diagram
Here is the complete tree diagram for the TCP YANG model. Here is the complete tree diagram for the TCP YANG data model.
module: ietf-tcp module: ietf-tcp
+--rw tcp! +--rw tcp!
+--rw connections +--rw connections
| +--rw connection* | +--rw connection*
| [local-address remote-address local-port remote-port] | [local-address remote-address local-port remote-port]
| +--rw local-address inet:ip-address | +--rw local-address inet:ip-address
| +--rw remote-address inet:ip-address | +--rw remote-address inet:ip-address
| +--rw local-port inet:port-number | +--rw local-port inet:port-number
| +--rw remote-port inet:port-number | +--rw remote-port inet:port-number
skipping to change at page 29, line 13 skipping to change at line 1276
+--:(ao) +--:(ao)
| +--rw ao! | +--rw ao!
| +--rw send-id? uint8 | +--rw send-id? uint8
| +--rw recv-id? uint8 | +--rw recv-id? uint8
| +--rw include-tcp-options? boolean | +--rw include-tcp-options? boolean
| +--rw accept-key-mismatch? boolean | +--rw accept-key-mismatch? boolean
| +--ro r-next-key-id? uint8 | +--ro r-next-key-id? uint8
+--:(md5) +--:(md5)
+--rw md5! +--rw md5!
Acknowledgements
Michael Scharf was supported by the StandICT.eu project, which is
funded by the European Commission under the Horizon 2020 Programme.
The following persons have contributed to this document by reviews
(in alphabetical order): Mohamed Boucadair, Gorry Fairhurst, Jeffrey
Haas, and Tom Petch.
Authors' Addresses Authors' Addresses
Michael Scharf Michael Scharf
Hochschule Esslingen - University of Applied Sciences Hochschule Esslingen
University of Applied Sciences
Kanalstr. 33 Kanalstr. 33
73728 Esslingen 73728 Esslingen am Neckar
Germany Germany
Email: michael.scharf@hs-esslingen.de Email: michael.scharf@hs-esslingen.de
Mahesh Jethanandani Mahesh Jethanandani
Kloud Services Kloud Services
Email: mjethanandani@gmail.com Email: mjethanandani@gmail.com
Vishal Murgai Vishal Murgai
Samsung F5, Inc.
Email: vmurgai@gmail.com Email: vmurgai@gmail.com
 End of changes. 133 change blocks. 
395 lines changed or deleted 367 lines changed or added

This html diff was produced by rfcdiff 1.48.