[yang]: Add yang model for MACsec (#10559)
Add Yang model to constrain the configuration of MACsec
parent
16f6860e94
commit
a1494577d9
@ -143,7 +143,8 @@ setup(
|
||||
'./yang-models/sonic-tc-queue-map.yang',
|
||||
'./yang-models/sonic-pfc-priority-queue-map.yang',
|
||||
'./yang-models/sonic-pfc-priority-priority-group-map.yang',
|
||||
'./yang-models/sonic-port-qos-map.yang']),
|
||||
'./yang-models/sonic-port-qos-map.yang',
|
||||
'./yang-models/sonic-macsec.yang']),
|
||||
('cvlyang-models', ['./cvlyang-models/sonic-acl.yang',
|
||||
'./cvlyang-models/sonic-bgp-common.yang',
|
||||
'./cvlyang-models/sonic-bgp-global.yang',
|
||||
@ -194,7 +195,8 @@ setup(
|
||||
'./cvlyang-models/sonic-tc-queue-map.yang',
|
||||
'./cvlyang-models/sonic-pfc-priority-queue-map.yang',
|
||||
'./cvlyang-models/sonic-pfc-priority-priority-group-map.yang',
|
||||
'./cvlyang-models/sonic-port-qos-map.yang']),
|
||||
'./cvlyang-models/sonic-port-qos-map.yang',
|
||||
'./cvlyang-models/sonic-macsec.yang']),
|
||||
],
|
||||
zip_safe=False,
|
||||
)
|
||||
|
@ -426,7 +426,8 @@
|
||||
"admin_status": "up",
|
||||
"index": "0",
|
||||
"asic_port_name": "Eth0-ASIC1",
|
||||
"role": "Ext"
|
||||
"role": "Ext",
|
||||
"macsec": "test"
|
||||
},
|
||||
"Ethernet1": {
|
||||
"alias": "Eth1/2",
|
||||
@ -1686,9 +1687,25 @@
|
||||
"vlan_id": "111",
|
||||
"vsid": "5000"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
|
||||
"MACSEC_PROFILE": {
|
||||
"test": {
|
||||
"priority": "64",
|
||||
"cipher_suite": "GCM-AES-128",
|
||||
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
|
||||
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
|
||||
"fallback_cak": "00000000000000000000000000000000",
|
||||
"fallback_ckn": "11111111111111111111111111111111",
|
||||
"policy": "security",
|
||||
"enable_replay_protect": "true",
|
||||
"replay_window": "64",
|
||||
"send_sci": "true",
|
||||
"rekey_period": "3600"
|
||||
}
|
||||
}
|
||||
|
||||
},
|
||||
"SAMPLE_CONFIG_DB_UNKNOWN": {
|
||||
"UNKNOWN_TABLE": {
|
||||
|
@ -0,0 +1,29 @@
|
||||
{
|
||||
"VALID_PROFILE": {
|
||||
"desc": "Valid MACsec profile test"
|
||||
},
|
||||
"DUPLICATE_CKN": {
|
||||
"desc": "Primary CKN equals than fallback CKN",
|
||||
"eStrKey": "Must"
|
||||
},
|
||||
"INVALID_CAK_LENGTH": {
|
||||
"desc": "Invalid CAK length",
|
||||
"eStrKey": "Pattern"
|
||||
},
|
||||
"INVALID_CAK_CHARACTER": {
|
||||
"desc": "Invalid CAK character",
|
||||
"eStrKey": "Pattern"
|
||||
},
|
||||
"INVALID_CIPHER_LOWERCASE": {
|
||||
"desc": "Invalid cipher with lowercase",
|
||||
"eStrKey": "Pattern"
|
||||
},
|
||||
"MISMATCH_LENGTH_PRIMARY_FALLBACK": {
|
||||
"desc": "Mismatch length of primary and fallback",
|
||||
"eStrKey": "Must"
|
||||
},
|
||||
"SET_REPLAY_WINDOW_WHEN_DISABLE_REPLAY_PROTECT": {
|
||||
"desc": "Set replay window when disable replay protect",
|
||||
"eStrKey": "When"
|
||||
}
|
||||
}
|
@ -0,0 +1,141 @@
|
||||
{
|
||||
"VALID_PROFILE": {
|
||||
"sonic-macsec:sonic-macsec": {
|
||||
"sonic-macsec:MACSEC_PROFILE": {
|
||||
"MACSEC_PROFILE_LIST": [
|
||||
{
|
||||
"name": "test32",
|
||||
"priority": 64,
|
||||
"cipher_suite": "GCM-AES-128",
|
||||
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
|
||||
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
|
||||
"fallback_cak": "00000000000000000000000000000000",
|
||||
"fallback_ckn": "11111111111111111111111111111111",
|
||||
"policy": "security",
|
||||
"enable_replay_protect": "true",
|
||||
"replay_window": 64,
|
||||
"send_sci": "true",
|
||||
"rekey_period": 3600
|
||||
},
|
||||
{
|
||||
"name": "test64",
|
||||
"priority": 64,
|
||||
"cipher_suite": "GCM-AES-XPN-256",
|
||||
"primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
|
||||
"primary_ckn": "6162636465666768696A6B6C6D6E6F706162636465666768696A6B6C6D6E6F70",
|
||||
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
|
||||
"fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
|
||||
"policy": "security",
|
||||
"enable_replay_protect": "true",
|
||||
"replay_window": 64,
|
||||
"send_sci": "true",
|
||||
"rekey_period": 3600
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"sonic-port:sonic-port": {
|
||||
"sonic-port:PORT": {
|
||||
"PORT_LIST": [
|
||||
{
|
||||
"admin_status": "up",
|
||||
"alias": "eth8",
|
||||
"description": "Ethernet8",
|
||||
"fec": "rs",
|
||||
"lanes": "65",
|
||||
"mtu": 9000,
|
||||
"pfc_asym": "on",
|
||||
"name": "Ethernet8",
|
||||
"tpid": "0x8100",
|
||||
"speed": 25000,
|
||||
"macsec": "test32"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
"INVALID_CIPHER_LOWERCASE": {
|
||||
"sonic-macsec:sonic-macsec": {
|
||||
"sonic-macsec:MACSEC_PROFILE": {
|
||||
"MACSEC_PROFILE_LIST": [
|
||||
{
|
||||
"name": "test",
|
||||
"cipher_suite": "gcm-aes-128",
|
||||
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
|
||||
"primary_ckn": "6162636465666768696A6B6C6D6E6F70"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
"DUPLICATE_CKN": {
|
||||
"sonic-macsec:sonic-macsec": {
|
||||
"sonic-macsec:MACSEC_PROFILE": {
|
||||
"MACSEC_PROFILE_LIST": [
|
||||
{
|
||||
"name": "test",
|
||||
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
|
||||
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
|
||||
"fallback_cak": "0123456789ABCDEF0123456789ABCDEF",
|
||||
"fallback_ckn": "6162636465666768696A6B6C6D6E6F70"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
"INVALID_CAK_LENGTH": {
|
||||
"sonic-macsec:sonic-macsec": {
|
||||
"sonic-macsec:MACSEC_PROFILE": {
|
||||
"MACSEC_PROFILE_LIST": [
|
||||
{
|
||||
"name": "test",
|
||||
"primary_cak": "0123456789ABCDEF0123456789ABCDEFA",
|
||||
"primary_ckn": "6162636465666768696A6B6C6D6E6F70A"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
"INVALID_CAK_CHARACTER": {
|
||||
"sonic-macsec:sonic-macsec": {
|
||||
"sonic-macsec:MACSEC_PROFILE": {
|
||||
"MACSEC_PROFILE_LIST": [
|
||||
{
|
||||
"name": "test",
|
||||
"primary_cak": "X123456789ABCDEF0123456789ABCDEF",
|
||||
"primary_ckn": "X162636465666768696A6B6C6D6E6F70"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
"MISMATCH_LENGTH_PRIMARY_FALLBACK": {
|
||||
"sonic-macsec:sonic-macsec": {
|
||||
"sonic-macsec:MACSEC_PROFILE": {
|
||||
"MACSEC_PROFILE_LIST": [
|
||||
{
|
||||
"name": "test",
|
||||
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
|
||||
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
|
||||
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
|
||||
"fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
"SET_REPLAY_WINDOW_WHEN_DISABLE_REPLAY_PROTECT": {
|
||||
"sonic-macsec:sonic-macsec": {
|
||||
"sonic-macsec:MACSEC_PROFILE": {
|
||||
"MACSEC_PROFILE_LIST": [
|
||||
{
|
||||
"name": "test",
|
||||
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
|
||||
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
|
||||
"replay_window": 64
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
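Review bot: INVALID_CAK_LENGTH and INVALID_CAK_CHARACTER corrupt `primary_cak` and `primary_ckn` in the same entry, so the expected Pattern error cannot be attributed to either leaf, and the `fallback_cak`/`fallback_ckn` patterns are never exercised. Splitting these into one case per leaf would pin each pattern separately. Both VALID_PROFILE entries also set the fallback pair, so no case shows whether a profile carrying only `primary_cak` and `primary_ckn` passes validation; adding one would document the intended behaviour of the `must` constraints in sonic-macsec.yang.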
|
116
src/sonic-yang-models/yang-models/sonic-macsec.yang
Normal file
116
src/sonic-yang-models/yang-models/sonic-macsec.yang
Normal file
@ -0,0 +1,116 @@
|
||||
module sonic-macsec {
|
||||
|
||||
yang-version 1.1;
|
||||
|
||||
namespace "http://github.com/Azure/sonic-macsec";
|
||||
|
||||
prefix macsec;
|
||||
|
||||
import sonic-types {
|
||||
prefix stypes;
|
||||
}
|
||||
|
||||
description "MACsec yang Module for SONiC OS";
|
||||
|
||||
revision 2022-04-12 {
|
||||
description "First Revision";
|
||||
}
|
||||
|
||||
container sonic-macsec {
|
||||
|
||||
container MACSEC_PROFILE {
|
||||
|
||||
description "MACsec profile of config_db.json";
|
||||
|
||||
list MACSEC_PROFILE_LIST {
|
||||
|
||||
key "name";
|
||||
|
||||
leaf name {
|
||||
type string {
|
||||
length 1..128;
|
||||
}
|
||||
}
|
||||
|
||||
leaf priority {
|
||||
type uint8;
|
||||
default 255;
|
||||
}
|
||||
|
||||
leaf cipher_suite {
|
||||
type string {
|
||||
pattern "GCM-AES-128|GCM-AES-256|GCM-AES-XPN-128|GCM-AES-XPN-256";
|
||||
}
|
||||
default "GCM-AES-128";
|
||||
}
|
||||
|
||||
leaf primary_cak {
|
||||
type string {
|
||||
pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
|
||||
}
|
||||
mandatory true;
|
||||
}
|
||||
|
||||
leaf primary_ckn {
|
||||
type string {
|
||||
pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
|
||||
}
|
||||
mandatory true;
|
||||
}
|
||||
|
||||
leaf fallback_cak {
|
||||
type string {
|
||||
pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
|
||||
}
|
||||
}
|
||||
|
||||
leaf fallback_ckn {
|
||||
type string {
|
||||
pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
|
||||
}
|
||||
}
|
||||
|
||||
must "string-length(primary_cak) = string-length(primary_ckn)";
|
||||
|
||||
must "string-length(fallback_cak) = string-length(fallback_ckn)";
|
||||
|
||||
must "string-length(fallback_cak) = string-length(primary_cak)";
|
||||
|
||||
must "primary_ckn != fallback_ckn";
|
||||
|
||||
leaf policy {
|
||||
type string {
|
||||
pattern "integrity_only|security";
|
||||
}
|
||||
default "security";
|
||||
}
|
||||
|
||||
leaf enable_replay_protect {
|
||||
type stypes:boolean_type;
|
||||
default "false";
|
||||
}
|
||||
|
||||
leaf replay_window {
|
||||
when "current()/../enable_replay_protect = 'true'";
|
||||
type uint32;
|
||||
}
|
||||
|
||||
leaf send_sci {
|
||||
type stypes:boolean_type;
|
||||
default "true";
|
||||
}
|
||||
|
||||
leaf rekey_period {
|
||||
description "The period of proactively refresh (Unit second).
|
||||
If the value is 0, which means never proactive refresh SAK.";
|
||||
type uint32;
|
||||
default 0;
|
||||
}
|
||||
|
||||
} /* end of list MACSEC_PROFILE_LIST */
|
||||
|
||||
} /* end of container MACSEC_PROFILE */
|
||||
|
||||
} /* end of container sonic-macsec */
|
||||
|
||||
} /* end of module sonic-macsec */
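Review bot: The `must` statements on MACSEC_PROFILE_LIST appear to make the fallback key pair mandatory, even though `fallback_cak` and `fallback_ckn` carry no `mandatory true`. In XPath 1.0 an absent leaf is an empty node-set, so `string-length(fallback_cak) = string-length(primary_cak)` compares 0 with 32 or 64, and `primary_ckn != fallback_ckn` is false whenever one side is empty. If a primary-only profile is meant to be valid, guard both: `must "not(fallback_cak) or string-length(fallback_cak) = string-length(primary_cak)";` and `must "not(fallback_ckn) or primary_ckn != fallback_ckn";`. Separately, the four CAK/CKN leaves have no `description`; since the CAK is pre-shared key material, a line stating the expected hex encoding and that the value is a secret would help anyone reviewing how config_db contents are stored and displayed.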
|
@ -13,6 +13,10 @@ module sonic-port{
|
||||
prefix ext;
|
||||
}
|
||||
|
||||
import sonic-macsec {
|
||||
prefix macsec;
|
||||
}
|
||||
|
||||
description "PORT yang Module for SONiC OS";
|
||||
|
||||
revision 2019-07-01 {
|
||||
@ -153,6 +157,12 @@ module sonic-port{
|
||||
type boolean;
|
||||
}
|
||||
|
||||
leaf macsec {
|
||||
type leafref {
|
||||
path "/macsec:sonic-macsec/macsec:MACSEC_PROFILE/macsec:MACSEC_PROFILE_LIST/macsec:name";
|
||||
}
|
||||
}
|
||||
|
||||
} /* end of list PORT_LIST */
|
||||
|
||||
} /* end of container PORT */
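Review bot: The new `leaf macsec` in PORT_LIST has no `description`, so the schema does not say what binding a profile to a port means or what an absent leaf implies. Something like `description "Name of the MACSEC_PROFILE applied to this port";` would cover the first point. Whether a port without the leaf carries unprotected traffic should be stated by someone who knows the daemon's behaviour, since that is the property an operator will rely on. The list and container bodies start outside this hunk.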
|
||||
|