From a1494577d9cc55dac99f55dc7031bcac37d7d9e5 Mon Sep 17 00:00:00 2001 From: Ze Gan Date: Mon, 18 Apr 2022 10:34:52 +0800 Subject: [PATCH] [yang]: Add yang model for MACsec (#10559) Add Yang model to constrain the configuration of MACsec --- src/sonic-yang-models/setup.py | 6 +- .../tests/files/sample_config_db.json | 21 ++- .../tests/yang_model_tests/tests/macsec.json | 29 ++++ .../yang_model_tests/tests_config/macsec.json | 141 ++++++++++++++++++ .../yang-models/sonic-macsec.yang | 116 ++++++++++++++ .../yang-models/sonic-port.yang | 10 ++ 6 files changed, 319 insertions(+), 4 deletions(-) create mode 100644 src/sonic-yang-models/tests/yang_model_tests/tests/macsec.json create mode 100644 src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json create mode 100644 src/sonic-yang-models/yang-models/sonic-macsec.yang diff --git a/src/sonic-yang-models/setup.py b/src/sonic-yang-models/setup.py index 4295492558..4ca8d065c6 100644 --- a/src/sonic-yang-models/setup.py +++ b/src/sonic-yang-models/setup.py @@ -143,7 +143,8 @@ setup( './yang-models/sonic-tc-queue-map.yang', './yang-models/sonic-pfc-priority-queue-map.yang', './yang-models/sonic-pfc-priority-priority-group-map.yang', - './yang-models/sonic-port-qos-map.yang']), + './yang-models/sonic-port-qos-map.yang', + './yang-models/sonic-macsec.yang']), ('cvlyang-models', ['./cvlyang-models/sonic-acl.yang', './cvlyang-models/sonic-bgp-common.yang', './cvlyang-models/sonic-bgp-global.yang', @@ -194,7 +195,8 @@ setup( './cvlyang-models/sonic-tc-queue-map.yang', './cvlyang-models/sonic-pfc-priority-queue-map.yang', './cvlyang-models/sonic-pfc-priority-priority-group-map.yang', - './cvlyang-models/sonic-port-qos-map.yang']), + './cvlyang-models/sonic-port-qos-map.yang', + './cvlyang-models/sonic-macsec.yang']), ], zip_safe=False, ) diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json index 6618ed8232..8c5a8c0af9 100644 --- a/src/sonic-yang-models/tests/files/sample_config_db.json +++ b/src/sonic-yang-models/tests/files/sample_config_db.json @@ -426,7 +426,8 @@ "admin_status": "up", "index": "0", "asic_port_name": "Eth0-ASIC1", - "role": "Ext" + "role": "Ext", + "macsec": "test" }, "Ethernet1": { "alias": "Eth1/2", @@ -1686,9 +1687,25 @@ "vlan_id": "111", "vsid": "5000" } - } + }, + "MACSEC_PROFILE": { + "test": { + "priority": "64", + "cipher_suite": "GCM-AES-128", + "primary_cak": "0123456789ABCDEF0123456789ABCDEF", + "primary_ckn": "6162636465666768696A6B6C6D6E6F70", + "fallback_cak": "00000000000000000000000000000000", + "fallback_ckn": "11111111111111111111111111111111", + "policy": "security", + "enable_replay_protect": "true", + "replay_window": "64", + "send_sci": "true", + "rekey_period": "3600" + } + } + }, "SAMPLE_CONFIG_DB_UNKNOWN": { "UNKNOWN_TABLE": { diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/macsec.json b/src/sonic-yang-models/tests/yang_model_tests/tests/macsec.json new file mode 100644 index 0000000000..9d4329e8d7 --- /dev/null +++ b/src/sonic-yang-models/tests/yang_model_tests/tests/macsec.json @@ -0,0 +1,29 @@ +{ + "VALID_PROFILE": { + "desc": "Valid MACsec profile test" + }, + "DUPLICATE_CKN": { + "desc": "Primary CKN equals than fallback CKN", + "eStrKey": "Must" + }, + "INVALID_CAK_LENGTH": { + "desc": "Invalid CAK length", + "eStrKey": "Pattern" + }, + "INVALID_CAK_CHARACTER": { + "desc": "Invalid CAK character", + "eStrKey": "Pattern" + }, + "INVALID_CIPHER_LOWERCASE": { + "desc": "Invalid cipher with lowercase", + "eStrKey": "Pattern" + }, + "MISMATCH_LENGTH_PRIMARY_FALLBACK": { + "desc": "Mismatch length of primary and fallback", + "eStrKey": "Must" + }, + "SET_REPLAY_WINDOW_WHEN_DISABLE_REPLAY_PROTECT": { + "desc": "Set replay window when disable replay protect", + "eStrKey": "When" + } +} diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json new file mode 100644 index 0000000000..cfd7c512a6 --- /dev/null +++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json @@ -0,0 +1,141 @@ +{ + "VALID_PROFILE": { + "sonic-macsec:sonic-macsec": { + "sonic-macsec:MACSEC_PROFILE": { + "MACSEC_PROFILE_LIST": [ + { + "name": "test32", + "priority": 64, + "cipher_suite": "GCM-AES-128", + "primary_cak": "0123456789ABCDEF0123456789ABCDEF", + "primary_ckn": "6162636465666768696A6B6C6D6E6F70", + "fallback_cak": "00000000000000000000000000000000", + "fallback_ckn": "11111111111111111111111111111111", + "policy": "security", + "enable_replay_protect": "true", + "replay_window": 64, + "send_sci": "true", + "rekey_period": 3600 + }, + { + "name": "test64", + "priority": 64, + "cipher_suite": "GCM-AES-XPN-256", + "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF", + "primary_ckn": "6162636465666768696A6B6C6D6E6F706162636465666768696A6B6C6D6E6F70", + "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000", + "fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111", + "policy": "security", + "enable_replay_protect": "true", + "replay_window": 64, + "send_sci": "true", + "rekey_period": 3600 + } + ] + } + }, + "sonic-port:sonic-port": { + "sonic-port:PORT": { + "PORT_LIST": [ + { + "admin_status": "up", + "alias": "eth8", + "description": "Ethernet8", + "fec": "rs", + "lanes": "65", + "mtu": 9000, + "pfc_asym": "on", + "name": "Ethernet8", + "tpid": "0x8100", + "speed": 25000, + "macsec": "test32" + } + ] + } + } + }, + "INVALID_CIPHER_LOWERCASE": { + "sonic-macsec:sonic-macsec": { + "sonic-macsec:MACSEC_PROFILE": { + "MACSEC_PROFILE_LIST": [ + { + "name": "test", + "cipher_suite": "gcm-aes-128", + "primary_cak": "0123456789ABCDEF0123456789ABCDEF", + "primary_ckn": "6162636465666768696A6B6C6D6E6F70" + } + ] + } + } + }, + "DUPLICATE_CKN": { + "sonic-macsec:sonic-macsec": { + "sonic-macsec:MACSEC_PROFILE": { + "MACSEC_PROFILE_LIST": [ + { + "name": "test", + "primary_cak": "0123456789ABCDEF0123456789ABCDEF", + "primary_ckn": "6162636465666768696A6B6C6D6E6F70", + "fallback_cak": "0123456789ABCDEF0123456789ABCDEF", + "fallback_ckn": "6162636465666768696A6B6C6D6E6F70" + } + ] + } + } + }, + "INVALID_CAK_LENGTH": { + "sonic-macsec:sonic-macsec": { + "sonic-macsec:MACSEC_PROFILE": { + "MACSEC_PROFILE_LIST": [ + { + "name": "test", + "primary_cak": "0123456789ABCDEF0123456789ABCDEFA", + "primary_ckn": "6162636465666768696A6B6C6D6E6F70A" + } + ] + } + } + }, + "INVALID_CAK_CHARACTER": { + "sonic-macsec:sonic-macsec": { + "sonic-macsec:MACSEC_PROFILE": { + "MACSEC_PROFILE_LIST": [ + { + "name": "test", + "primary_cak": "X123456789ABCDEF0123456789ABCDEF", + "primary_ckn": "X162636465666768696A6B6C6D6E6F70" + } + ] + } + } + }, + "MISMATCH_LENGTH_PRIMARY_FALLBACK": { + "sonic-macsec:sonic-macsec": { + "sonic-macsec:MACSEC_PROFILE": { + "MACSEC_PROFILE_LIST": [ + { + "name": "test", + "primary_cak": "0123456789ABCDEF0123456789ABCDEF", + "primary_ckn": "6162636465666768696A6B6C6D6E6F70", + "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000", + "fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111" + } + ] + } + } + }, + "SET_REPLAY_WINDOW_WHEN_DISABLE_REPLAY_PROTECT": { + "sonic-macsec:sonic-macsec": { + "sonic-macsec:MACSEC_PROFILE": { + "MACSEC_PROFILE_LIST": [ + { + "name": "test", + "primary_cak": "0123456789ABCDEF0123456789ABCDEF", + "primary_ckn": "6162636465666768696A6B6C6D6E6F70", + "replay_window": 64 + } + ] + } + } + } +} diff --git a/src/sonic-yang-models/yang-models/sonic-macsec.yang b/src/sonic-yang-models/yang-models/sonic-macsec.yang new file mode 100644 index 0000000000..4e3412f86a --- /dev/null +++ b/src/sonic-yang-models/yang-models/sonic-macsec.yang @@ -0,0 +1,116 @@ +module sonic-macsec { + + yang-version 1.1; + + namespace "http://github.com/Azure/sonic-macsec"; + + prefix macsec; + + import sonic-types { + prefix stypes; + } + + description "MACsec yang Module for SONiC OS"; + + revision 2022-04-12 { + description "First Revision"; + } + + container sonic-macsec { + + container MACSEC_PROFILE { + + description "MACsec profile of config_db.json"; + + list MACSEC_PROFILE_LIST { + + key "name"; + + leaf name { + type string { + length 1..128; + } + } + + leaf priority { + type uint8; + default 255; + } + + leaf cipher_suite { + type string { + pattern "GCM-AES-128|GCM-AES-256|GCM-AES-XPN-128|GCM-AES-XPN-256"; + } + default "GCM-AES-128"; + } + + leaf primary_cak { + type string { + pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}"; + } + mandatory true; + } + + leaf primary_ckn { + type string { + pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}"; + } + mandatory true; + } + + leaf fallback_cak { + type string { + pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}"; + } + } + + leaf fallback_ckn { + type string { + pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}"; + } + } + + must "string-length(primary_cak) = string-length(primary_ckn)"; + + must "string-length(fallback_cak) = string-length(fallback_ckn)"; + + must "string-length(fallback_cak) = string-length(primary_cak)"; + + must "primary_ckn != fallback_ckn"; + + leaf policy { + type string { + pattern "integrity_only|security"; + } + default "security"; + } + + leaf enable_replay_protect { + type stypes:boolean_type; + default "false"; + } + + leaf replay_window { + when "current()/../enable_replay_protect = 'true'"; + type uint32; + } + + leaf send_sci { + type stypes:boolean_type; + default "true"; + } + + leaf rekey_period { + description "The period of proactively refresh (Unit second). + If the value is 0, which means never proactive refresh SAK."; + type uint32; + default 0; + } + + } /* end of list MACSEC_PROFILE_LIST */ + + } /* end of container MACSEC_PROFILE */ + + } /* end of container sonic-macsec */ + +} /* end of module sonic-macsec */ diff --git a/src/sonic-yang-models/yang-models/sonic-port.yang b/src/sonic-yang-models/yang-models/sonic-port.yang index d296eaa05c..add4de25ce 100644 --- a/src/sonic-yang-models/yang-models/sonic-port.yang +++ b/src/sonic-yang-models/yang-models/sonic-port.yang @@ -13,6 +13,10 @@ module sonic-port{ prefix ext; } + import sonic-macsec { + prefix macsec; + } + description "PORT yang Module for SONiC OS"; revision 2019-07-01 { @@ -153,6 +157,12 @@ module sonic-port{ type boolean; } + leaf macsec { + type leafref { + path "/macsec:sonic-macsec/macsec:MACSEC_PROFILE/macsec:MACSEC_PROFILE_LIST/macsec:name"; + } + } + } /* end of list PORT_LIST */ } /* end of container PORT */