A YANG Data Model for IPsec Flow Protection Based on Software- Defined Networking
RFC 9061, “A YANG Data Model for IPsec Flow Protection Based on Software- Defined Networking”, is a Proposed Standard document published in July 2021 by R. Marin-Lopez, G. Lopez-Millan, F. Pereniguez-Garcia. The canonical text is published by the RFC Editor.
Abstract
This document describes how to provide IPsec-based flow protection (integrity and confidentiality) by means of an Interface to Network Security Function (I2NSF) Controller. It considers two main well-known scenarios in IPsec: gateway-to-gateway and host-to-host. The service described in this document allows the configuration and monitoring of IPsec Security Associations (IPsec SAs) from an I2NSF Controller to one or several flow-based Network Security Functions (NSFs) that rely on IPsec to protect data traffic.
This document focuses on the I2NSF NSF-Facing Interface by providing YANG data models for configuring the IPsec databases, namely Security Policy Database (SPD), Security Association Database (SAD), Peer Authorization Database (PAD), and Internet Key Exchange Version 2 (IKEv2). This allows IPsec SA establishment with minimal intervention by the network administrator. This document defines three YANG modules, but it does not define any new protocol.
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 9061 is hosted at rfc-editor.org. Available in HTML,TXT,PDF,XML.
- RFC 9060 Secure Telephone Identity Revisited Certificate Delegation
- RFC 9062 Framework and Requirements for Ethernet VPN Operations, Administration, and Maintenance
- RFC 9059 Path Computation Element Communication Protocol Extensions for Associated Bidirectional Label Switched Paths
- RFC 9063 Host Identity Protocol Architecture
- RFC 9058 Multilinear Galois Mode
- RFC 9064 Considerations in the Development of a QoS Architecture for CCNx- Like Information-Centric Networking Protocols
- RFC 9057 Email Author Header Field
- RFC 9065 Considerations around Transport Header Confidentiality, Network Operations, and the Evolution of Internet Transport Protocols