[yang]: Add yang model for MACsec (#10559)

Add Yang model to constrain the configuration of MACsec
Ze Gan 2022-04-18 10:34:52 +08:00 committed by GitHub
parent 16f6860e94
commit a1494577d9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 319 additions and 4 deletions


@ -143,7 +143,8 @@ setup(
'./yang-models/sonic-tc-queue-map.yang',
'./yang-models/sonic-pfc-priority-queue-map.yang',
'./yang-models/sonic-pfc-priority-priority-group-map.yang',
'./yang-models/sonic-port-qos-map.yang']),
'./yang-models/sonic-port-qos-map.yang',
'./yang-models/sonic-macsec.yang']),
('cvlyang-models', ['./cvlyang-models/sonic-acl.yang',
'./cvlyang-models/sonic-bgp-common.yang',
'./cvlyang-models/sonic-bgp-global.yang',
@ -194,7 +195,8 @@ setup(
'./cvlyang-models/sonic-tc-queue-map.yang',
'./cvlyang-models/sonic-pfc-priority-queue-map.yang',
'./cvlyang-models/sonic-pfc-priority-priority-group-map.yang',
'./cvlyang-models/sonic-port-qos-map.yang']),
'./cvlyang-models/sonic-port-qos-map.yang',
'./cvlyang-models/sonic-macsec.yang']),
],
zip_safe=False,
)


@ -426,7 +426,8 @@
"admin_status": "up",
"index": "0",
"asic_port_name": "Eth0-ASIC1",
"role": "Ext"
"role": "Ext",
"macsec": "test"
},
"Ethernet1": {
"alias": "Eth1/2",
@ -1686,9 +1687,25 @@
"vlan_id": "111",
"vsid": "5000"
}
}
},
"MACSEC_PROFILE": {
"test": {
"priority": "64",
"cipher_suite": "GCM-AES-128",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
"fallback_cak": "00000000000000000000000000000000",
"fallback_ckn": "11111111111111111111111111111111",
"policy": "security",
"enable_replay_protect": "true",
"replay_window": "64",
"send_sci": "true",
"rekey_period": "3600"
}
}
},
"SAMPLE_CONFIG_DB_UNKNOWN": {
"UNKNOWN_TABLE": {


@ -0,0 +1,29 @@
{
"VALID_PROFILE": {
"desc": "Valid MACsec profile test"
},
"DUPLICATE_CKN": {
"desc": "Primary CKN equals than fallback CKN",
"eStrKey": "Must"
},
"INVALID_CAK_LENGTH": {
"desc": "Invalid CAK length",
"eStrKey": "Pattern"
},
"INVALID_CAK_CHARACTER": {
"desc": "Invalid CAK character",
"eStrKey": "Pattern"
},
"INVALID_CIPHER_LOWERCASE": {
"desc": "Invalid cipher with lowercase",
"eStrKey": "Pattern"
},
"MISMATCH_LENGTH_PRIMARY_FALLBACK": {
"desc": "Mismatch length of primary and fallback",
"eStrKey": "Must"
},
"SET_REPLAY_WINDOW_WHEN_DISABLE_REPLAY_PROTECT": {
"desc": "Set replay window when disable replay protect",
"eStrKey": "When"
}
}


@ -0,0 +1,141 @@
{
"VALID_PROFILE": {
"sonic-macsec:sonic-macsec": {
"sonic-macsec:MACSEC_PROFILE": {
"MACSEC_PROFILE_LIST": [
{
"name": "test32",
"priority": 64,
"cipher_suite": "GCM-AES-128",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
"fallback_cak": "00000000000000000000000000000000",
"fallback_ckn": "11111111111111111111111111111111",
"policy": "security",
"enable_replay_protect": "true",
"replay_window": 64,
"send_sci": "true",
"rekey_period": 3600
},
{
"name": "test64",
"priority": 64,
"cipher_suite": "GCM-AES-XPN-256",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
"primary_ckn": "6162636465666768696A6B6C6D6E6F706162636465666768696A6B6C6D6E6F70",
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
"fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
"policy": "security",
"enable_replay_protect": "true",
"replay_window": 64,
"send_sci": "true",
"rekey_period": 3600
}
]
}
},
"sonic-port:sonic-port": {
"sonic-port:PORT": {
"PORT_LIST": [
{
"admin_status": "up",
"alias": "eth8",
"description": "Ethernet8",
"fec": "rs",
"lanes": "65",
"mtu": 9000,
"pfc_asym": "on",
"name": "Ethernet8",
"tpid": "0x8100",
"speed": 25000,
"macsec": "test32"
}
]
}
}
},
"INVALID_CIPHER_LOWERCASE": {
"sonic-macsec:sonic-macsec": {
"sonic-macsec:MACSEC_PROFILE": {
"MACSEC_PROFILE_LIST": [
{
"name": "test",
"cipher_suite": "gcm-aes-128",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70"
}
]
}
}
},
"DUPLICATE_CKN": {
"sonic-macsec:sonic-macsec": {
"sonic-macsec:MACSEC_PROFILE": {
"MACSEC_PROFILE_LIST": [
{
"name": "test",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
"fallback_cak": "0123456789ABCDEF0123456789ABCDEF",
"fallback_ckn": "6162636465666768696A6B6C6D6E6F70"
}
]
}
}
},
"INVALID_CAK_LENGTH": {
"sonic-macsec:sonic-macsec": {
"sonic-macsec:MACSEC_PROFILE": {
"MACSEC_PROFILE_LIST": [
{
"name": "test",
"primary_cak": "0123456789ABCDEF0123456789ABCDEFA",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70A"
}
]
}
}
},
"INVALID_CAK_CHARACTER": {
"sonic-macsec:sonic-macsec": {
"sonic-macsec:MACSEC_PROFILE": {
"MACSEC_PROFILE_LIST": [
{
"name": "test",
"primary_cak": "X123456789ABCDEF0123456789ABCDEF",
"primary_ckn": "X162636465666768696A6B6C6D6E6F70"
}
]
}
}
},
"MISMATCH_LENGTH_PRIMARY_FALLBACK": {
"sonic-macsec:sonic-macsec": {
"sonic-macsec:MACSEC_PROFILE": {
"MACSEC_PROFILE_LIST": [
{
"name": "test",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
"fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111"
}
]
}
}
},
"SET_REPLAY_WINDOW_WHEN_DISABLE_REPLAY_PROTECT": {
"sonic-macsec:sonic-macsec": {
"sonic-macsec:MACSEC_PROFILE": {
"MACSEC_PROFILE_LIST": [
{
"name": "test",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
"replay_window": 64
}
]
}
}
}
}
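Review bot: Every entry in this file that omits `fallback_cak`/`fallback_ckn` is an expected-failure case, so nothing checks that a primary-only profile is accepted; `VALID_PROFILE` always supplies both fallback leaves. Adding a third item to its `MACSEC_PROFILE_LIST` with only `name`, `primary_cak` and `primary_ckn` would pin that behaviour. `INVALID_CAK_LENGTH` and `INVALID_CAK_CHARACTER` also corrupt `primary_cak` and `primary_ckn` together, so a regression in just one of the two patterns would still pass; corrupting one leaf per case would isolate them.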


@ -0,0 +1,116 @@
module sonic-macsec {
yang-version 1.1;
namespace "http://github.com/Azure/sonic-macsec";
prefix macsec;
import sonic-types {
prefix stypes;
}
description "MACsec yang Module for SONiC OS";
revision 2022-04-12 {
description "First Revision";
}
container sonic-macsec {
container MACSEC_PROFILE {
description "MACsec profile of config_db.json";
list MACSEC_PROFILE_LIST {
key "name";
leaf name {
type string {
length 1..128;
}
}
leaf priority {
type uint8;
default 255;
}
leaf cipher_suite {
type string {
pattern "GCM-AES-128|GCM-AES-256|GCM-AES-XPN-128|GCM-AES-XPN-256";
}
default "GCM-AES-128";
}
leaf primary_cak {
type string {
pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
}
mandatory true;
}
leaf primary_ckn {
type string {
pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
}
mandatory true;
}
leaf fallback_cak {
type string {
pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
}
}
leaf fallback_ckn {
type string {
pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
}
}
must "string-length(primary_cak) = string-length(primary_ckn)";
must "string-length(fallback_cak) = string-length(fallback_ckn)";
must "string-length(fallback_cak) = string-length(primary_cak)";
must "primary_ckn != fallback_ckn";
leaf policy {
type string {
pattern "integrity_only|security";
}
default "security";
}
leaf enable_replay_protect {
type stypes:boolean_type;
default "false";
}
leaf replay_window {
when "current()/../enable_replay_protect = 'true'";
type uint32;
}
leaf send_sci {
type stypes:boolean_type;
default "true";
}
leaf rekey_period {
description "The period of proactively refresh (Unit second).
If the value is 0, which means never proactive refresh SAK.";
type uint32;
default 0;
}
} /* end of list MACSEC_PROFILE_LIST */
} /* end of container MACSEC_PROFILE */
} /* end of container sonic-macsec */
} /* end of module sonic-macsec */
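Review bot: The three `must` statements that reference `fallback_cak`/`fallback_ckn` are unconditional, so a profile that omits the optional fallback pair looks like it can never validate: under XPath 1.0 `string-length()` of an absent leaf is 0 and `!=` against an empty node-set is false, while `primary_cak` is mandatory and 32 or 64 characters long. Guard each one on presence, e.g. `must "not(fallback_cak) or string-length(fallback_cak) = string-length(primary_cak)";`, and require the pair together with `must "boolean(fallback_cak) = boolean(fallback_ckn)";`. There is also no constraint that `fallback_cak` differs from `primary_cak`, so a fallback that reuses the primary key is accepted as long as the CKNs differ; `must "not(fallback_cak) or primary_cak != fallback_cak";` would reject it. The CAK leaves carry no `description`; one line stating that they hold secret key material as hex would help anyone handling config_db dumps.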


@ -13,6 +13,10 @@ module sonic-port{
prefix ext;
}
import sonic-macsec {
prefix macsec;
}
description "PORT yang Module for SONiC OS";
revision 2019-07-01 {
@ -153,6 +157,12 @@ module sonic-port{
type boolean;
}
leaf macsec {
type leafref {
path "/macsec:sonic-macsec/macsec:MACSEC_PROFILE/macsec:MACSEC_PROFILE_LIST/macsec:name";
}
}
} /* end of list PORT_LIST */
} /* end of container PORT */