[yang]: Add yang model for MACsec (#10559)
Add Yang model to constrain the configuration of MACsec
parent
16f6860e94
commit
a1494577d9
@ -143,7 +143,8 @@ setup(
|
|||||||
'./yang-models/sonic-tc-queue-map.yang',
|
'./yang-models/sonic-tc-queue-map.yang',
|
||||||
'./yang-models/sonic-pfc-priority-queue-map.yang',
|
'./yang-models/sonic-pfc-priority-queue-map.yang',
|
||||||
'./yang-models/sonic-pfc-priority-priority-group-map.yang',
|
'./yang-models/sonic-pfc-priority-priority-group-map.yang',
|
||||||
'./yang-models/sonic-port-qos-map.yang']),
|
'./yang-models/sonic-port-qos-map.yang',
|
||||||
|
'./yang-models/sonic-macsec.yang']),
|
||||||
('cvlyang-models', ['./cvlyang-models/sonic-acl.yang',
|
('cvlyang-models', ['./cvlyang-models/sonic-acl.yang',
|
||||||
'./cvlyang-models/sonic-bgp-common.yang',
|
'./cvlyang-models/sonic-bgp-common.yang',
|
||||||
'./cvlyang-models/sonic-bgp-global.yang',
|
'./cvlyang-models/sonic-bgp-global.yang',
|
||||||
@ -194,7 +195,8 @@ setup(
|
|||||||
'./cvlyang-models/sonic-tc-queue-map.yang',
|
'./cvlyang-models/sonic-tc-queue-map.yang',
|
||||||
'./cvlyang-models/sonic-pfc-priority-queue-map.yang',
|
'./cvlyang-models/sonic-pfc-priority-queue-map.yang',
|
||||||
'./cvlyang-models/sonic-pfc-priority-priority-group-map.yang',
|
'./cvlyang-models/sonic-pfc-priority-priority-group-map.yang',
|
||||||
'./cvlyang-models/sonic-port-qos-map.yang']),
|
'./cvlyang-models/sonic-port-qos-map.yang',
|
||||||
|
'./cvlyang-models/sonic-macsec.yang']),
|
||||||
],
|
],
|
||||||
zip_safe=False,
|
zip_safe=False,
|
||||||
)
|
)
|
||||||
|
@ -426,7 +426,8 @@
|
|||||||
"admin_status": "up",
|
"admin_status": "up",
|
||||||
"index": "0",
|
"index": "0",
|
||||||
"asic_port_name": "Eth0-ASIC1",
|
"asic_port_name": "Eth0-ASIC1",
|
||||||
"role": "Ext"
|
"role": "Ext",
|
||||||
|
"macsec": "test"
|
||||||
},
|
},
|
||||||
"Ethernet1": {
|
"Ethernet1": {
|
||||||
"alias": "Eth1/2",
|
"alias": "Eth1/2",
|
||||||
@ -1686,9 +1687,25 @@
|
|||||||
"vlan_id": "111",
|
"vlan_id": "111",
|
||||||
"vsid": "5000"
|
"vsid": "5000"
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
|
||||||
|
|
||||||
|
"MACSEC_PROFILE": {
|
||||||
|
"test": {
|
||||||
|
"priority": "64",
|
||||||
|
"cipher_suite": "GCM-AES-128",
|
||||||
|
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
|
||||||
|
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
|
||||||
|
"fallback_cak": "00000000000000000000000000000000",
|
||||||
|
"fallback_ckn": "11111111111111111111111111111111",
|
||||||
|
"policy": "security",
|
||||||
|
"enable_replay_protect": "true",
|
||||||
|
"replay_window": "64",
|
||||||
|
"send_sci": "true",
|
||||||
|
"rekey_period": "3600"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
},
|
},
|
||||||
"SAMPLE_CONFIG_DB_UNKNOWN": {
|
"SAMPLE_CONFIG_DB_UNKNOWN": {
|
||||||
"UNKNOWN_TABLE": {
|
"UNKNOWN_TABLE": {
|
||||||
|
@ -0,0 +1,29 @@
|
|||||||
|
{
|
||||||
|
"VALID_PROFILE": {
|
||||||
|
"desc": "Valid MACsec profile test"
|
||||||
|
},
|
||||||
|
"DUPLICATE_CKN": {
|
||||||
|
"desc": "Primary CKN equals than fallback CKN",
|
||||||
|
"eStrKey": "Must"
|
||||||
|
},
|
||||||
|
"INVALID_CAK_LENGTH": {
|
||||||
|
"desc": "Invalid CAK length",
|
||||||
|
"eStrKey": "Pattern"
|
||||||
|
},
|
||||||
|
"INVALID_CAK_CHARACTER": {
|
||||||
|
"desc": "Invalid CAK character",
|
||||||
|
"eStrKey": "Pattern"
|
||||||
|
},
|
||||||
|
"INVALID_CIPHER_LOWERCASE": {
|
||||||
|
"desc": "Invalid cipher with lowercase",
|
||||||
|
"eStrKey": "Pattern"
|
||||||
|
},
|
||||||
|
"MISMATCH_LENGTH_PRIMARY_FALLBACK": {
|
||||||
|
"desc": "Mismatch length of primary and fallback",
|
||||||
|
"eStrKey": "Must"
|
||||||
|
},
|
||||||
|
"SET_REPLAY_WINDOW_WHEN_DISABLE_REPLAY_PROTECT": {
|
||||||
|
"desc": "Set replay window when disable replay protect",
|
||||||
|
"eStrKey": "When"
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,141 @@
|
|||||||
|
{
|
||||||
|
"VALID_PROFILE": {
|
||||||
|
"sonic-macsec:sonic-macsec": {
|
||||||
|
"sonic-macsec:MACSEC_PROFILE": {
|
||||||
|
"MACSEC_PROFILE_LIST": [
|
||||||
|
{
|
||||||
|
"name": "test32",
|
||||||
|
"priority": 64,
|
||||||
|
"cipher_suite": "GCM-AES-128",
|
||||||
|
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
|
||||||
|
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
|
||||||
|
"fallback_cak": "00000000000000000000000000000000",
|
||||||
|
"fallback_ckn": "11111111111111111111111111111111",
|
||||||
|
"policy": "security",
|
||||||
|
"enable_replay_protect": "true",
|
||||||
|
"replay_window": 64,
|
||||||
|
"send_sci": "true",
|
||||||
|
"rekey_period": 3600
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "test64",
|
||||||
|
"priority": 64,
|
||||||
|
"cipher_suite": "GCM-AES-XPN-256",
|
||||||
|
"primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
|
||||||
|
"primary_ckn": "6162636465666768696A6B6C6D6E6F706162636465666768696A6B6C6D6E6F70",
|
||||||
|
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
|
||||||
|
"fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
|
||||||
|
"policy": "security",
|
||||||
|
"enable_replay_protect": "true",
|
||||||
|
"replay_window": 64,
|
||||||
|
"send_sci": "true",
|
||||||
|
"rekey_period": 3600
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"sonic-port:sonic-port": {
|
||||||
|
"sonic-port:PORT": {
|
||||||
|
"PORT_LIST": [
|
||||||
|
{
|
||||||
|
"admin_status": "up",
|
||||||
|
"alias": "eth8",
|
||||||
|
"description": "Ethernet8",
|
||||||
|
"fec": "rs",
|
||||||
|
"lanes": "65",
|
||||||
|
"mtu": 9000,
|
||||||
|
"pfc_asym": "on",
|
||||||
|
"name": "Ethernet8",
|
||||||
|
"tpid": "0x8100",
|
||||||
|
"speed": 25000,
|
||||||
|
"macsec": "test32"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"INVALID_CIPHER_LOWERCASE": {
|
||||||
|
"sonic-macsec:sonic-macsec": {
|
||||||
|
"sonic-macsec:MACSEC_PROFILE": {
|
||||||
|
"MACSEC_PROFILE_LIST": [
|
||||||
|
{
|
||||||
|
"name": "test",
|
||||||
|
"cipher_suite": "gcm-aes-128",
|
||||||
|
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
|
||||||
|
"primary_ckn": "6162636465666768696A6B6C6D6E6F70"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"DUPLICATE_CKN": {
|
||||||
|
"sonic-macsec:sonic-macsec": {
|
||||||
|
"sonic-macsec:MACSEC_PROFILE": {
|
||||||
|
"MACSEC_PROFILE_LIST": [
|
||||||
|
{
|
||||||
|
"name": "test",
|
||||||
|
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
|
||||||
|
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
|
||||||
|
"fallback_cak": "0123456789ABCDEF0123456789ABCDEF",
|
||||||
|
"fallback_ckn": "6162636465666768696A6B6C6D6E6F70"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"INVALID_CAK_LENGTH": {
|
||||||
|
"sonic-macsec:sonic-macsec": {
|
||||||
|
"sonic-macsec:MACSEC_PROFILE": {
|
||||||
|
"MACSEC_PROFILE_LIST": [
|
||||||
|
{
|
||||||
|
"name": "test",
|
||||||
|
"primary_cak": "0123456789ABCDEF0123456789ABCDEFA",
|
||||||
|
"primary_ckn": "6162636465666768696A6B6C6D6E6F70A"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"INVALID_CAK_CHARACTER": {
|
||||||
|
"sonic-macsec:sonic-macsec": {
|
||||||
|
"sonic-macsec:MACSEC_PROFILE": {
|
||||||
|
"MACSEC_PROFILE_LIST": [
|
||||||
|
{
|
||||||
|
"name": "test",
|
||||||
|
"primary_cak": "X123456789ABCDEF0123456789ABCDEF",
|
||||||
|
"primary_ckn": "X162636465666768696A6B6C6D6E6F70"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"MISMATCH_LENGTH_PRIMARY_FALLBACK": {
|
||||||
|
"sonic-macsec:sonic-macsec": {
|
||||||
|
"sonic-macsec:MACSEC_PROFILE": {
|
||||||
|
"MACSEC_PROFILE_LIST": [
|
||||||
|
{
|
||||||
|
"name": "test",
|
||||||
|
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
|
||||||
|
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
|
||||||
|
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
|
||||||
|
"fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"SET_REPLAY_WINDOW_WHEN_DISABLE_REPLAY_PROTECT": {
|
||||||
|
"sonic-macsec:sonic-macsec": {
|
||||||
|
"sonic-macsec:MACSEC_PROFILE": {
|
||||||
|
"MACSEC_PROFILE_LIST": [
|
||||||
|
{
|
||||||
|
"name": "test",
|
||||||
|
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
|
||||||
|
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
|
||||||
|
"replay_window": 64
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
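Review bot: INVALID_CAK_LENGTH and INVALID_CAK_CHARACTER each corrupt `primary_cak` and `primary_ckn` together, so either pattern failing yields the expected `Pattern` error and the case would still pass if the CAK pattern were missing. Keep the CKN valid in these two cases (`"primary_ckn": "6162636465666768696A6B6C6D6E6F70"`) and add separate CKN cases if that pattern should be covered too. Every negative case also omits the fallback pair, so which constraint fires first may depend on the validator's evaluation order; it is worth confirming that each case fails for the reason its name states.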
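--- a/src/sonic-yang-models/yang-models/sonic-macsec.yang
+++ b/src/sonic-yang-models/yang-models/sonic-macsec.yang
@@ -0,0 +1,116 @@
+module sonic-macsec {
+
+yang-version 1.1;
+
+namespace "http://github.com/Azure/sonic-macsec";
+
+prefix macsec;
+
+import sonic-types {
+prefix stypes;
+}
+
+description "MACsec yang Module for SONiC OS";
+
+revision 2022-04-12 {
+description "First Revision";
+}
+
+container sonic-macsec {
+
+container MACSEC_PROFILE {
+
+description "MACsec profile of config_db.json";
+
+list MACSEC_PROFILE_LIST {
+
+key "name";
+
+leaf name {
+type string {
+length 1..128;
+}
+}
+
+leaf priority {
+type uint8;
+default 255;
+}
+
+leaf cipher_suite {
+type string {
+pattern "GCM-AES-128|GCM-AES-256|GCM-AES-XPN-128|GCM-AES-XPN-256";
+}
+default "GCM-AES-128";
+}
+
+leaf primary_cak {
+type string {
+pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
+}
+mandatory true;
+}
+
+leaf primary_ckn {
+type string {
+pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
+}
+mandatory true;
+}
+
+leaf fallback_cak {
+type string {
+pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
+}
+}
+
+leaf fallback_ckn {
+type string {
+pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
+}
+}
+
+must "string-length(primary_cak) = string-length(primary_ckn)";
+
+must "string-length(fallback_cak) = string-length(fallback_ckn)";
+
+must "string-length(fallback_cak) = string-length(primary_cak)";
+
+must "primary_ckn != fallback_ckn";
+
+leaf policy {
+type string {
+pattern "integrity_only|security";
+}
+default "security";
+}
+
+leaf enable_replay_protect {
+type stypes:boolean_type;
+default "false";
+}
+
+leaf replay_window {
+when "current()/../enable_replay_protect = 'true'";
+type uint32;
+}
+
+leaf send_sci {
+type stypes:boolean_type;
+default "true";
+}
+
+leaf rekey_period {
+description "The period of proactively refresh (Unit second).
+If the value is 0, which means never proactive refresh SAK.";
+type uint32;
+default 0;
+}
+
+} /* end of list MACSEC_PROFILE_LIST */
+
+} /* end of container MACSEC_PROFILE */
+
+} /* end of container sonic-macsec */
+
+} /* end of module sonic-macsec */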
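Review bot: The list-level `must` expressions on MACSEC_PROFILE_LIST appear to make the fallback key pair mandatory, even though `fallback_cak` and `fallback_ckn` are declared without `mandatory true`. In XPath 1.0 `string-length()` of an absent leaf is 0 and `!=` against an empty node-set is false, so a profile carrying only the primary pair should fail both `string-length(fallback_cak) = string-length(primary_cak)` and `primary_ckn != fallback_ckn`. If the fallback is meant to be optional, guard them, e.g. `must "not(fallback_cak) or string-length(fallback_cak) = string-length(primary_cak)";` and `must "not(fallback_ckn) or primary_ckn != fallback_ckn";`. Separately, the CKN check is a case-sensitive string compare while the pattern accepts both hex cases, so the same CKN written in a different case would pass as distinct. Nothing rejects a fallback CAK identical to the primary CAK either.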
@ -13,6 +13,10 @@ module sonic-port{
|
|||||||
prefix ext;
|
prefix ext;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
import sonic-macsec {
|
||||||
|
prefix macsec;
|
||||||
|
}
|
||||||
|
|
||||||
description "PORT yang Module for SONiC OS";
|
description "PORT yang Module for SONiC OS";
|
||||||
|
|
||||||
revision 2019-07-01 {
|
revision 2019-07-01 {
|
||||||
@ -153,6 +157,12 @@ module sonic-port{
|
|||||||
type boolean;
|
type boolean;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
leaf macsec {
|
||||||
|
type leafref {
|
||||||
|
path "/macsec:sonic-macsec/macsec:MACSEC_PROFILE/macsec:MACSEC_PROFILE_LIST/macsec:name";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
} /* end of list PORT_LIST */
|
} /* end of list PORT_LIST */
|
||||||
|
|
||||||
} /* end of container PORT */
|
} /* end of container PORT */
|
||||||
|
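Review bot: The new `leaf macsec` has no `description`, and none of the test cases visible on this page covers a port naming a profile that does not exist. I would add something like `description "Name of the MACSEC_PROFILE_LIST entry applied to this port";` inside the leaf. A negative test case where `macsec` points at an undefined profile name would exercise the leafref constraint. The PORT_LIST body starts outside this hunk.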