[yang]: Add yang model for MACsec (#10559)
Add Yang model to constrain the configuration of MACsec
Pterosaur authored Apr 18, 2022
1 parent 16f6860 commit a149457
Showing 6 changed files with 319 additions and 4 deletions.
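--- a/src/sonic-yang-models/setup.py
+++ b/src/sonic-yang-models/setup.py
@@ -143,7 +143,8 @@ def run(self):
 './yang-models/sonic-tc-queue-map.yang',
 './yang-models/sonic-pfc-priority-queue-map.yang',
 './yang-models/sonic-pfc-priority-priority-group-map.yang',
-'./yang-models/sonic-port-qos-map.yang']),
+'./yang-models/sonic-port-qos-map.yang',
+'./yang-models/sonic-macsec.yang']),
 ('cvlyang-models', ['./cvlyang-models/sonic-acl.yang',
 './cvlyang-models/sonic-bgp-common.yang',
 './cvlyang-models/sonic-bgp-global.yang',
@@ -194,7 +195,8 @@ def run(self):
 './cvlyang-models/sonic-tc-queue-map.yang',
 './cvlyang-models/sonic-pfc-priority-queue-map.yang',
 './cvlyang-models/sonic-pfc-priority-priority-group-map.yang',
-'./cvlyang-models/sonic-port-qos-map.yang']),
+'./cvlyang-models/sonic-port-qos-map.yang',
+'./cvlyang-models/sonic-macsec.yang']),
 ],
 zip_safe=False,
 )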
21 changes: 19 additions & 2 deletions src/sonic-yang-models/tests/files/sample_config_db.json
Expand Up @@ -426,7 +426,8 @@
"admin_status": "up",
"index": "0",
"asic_port_name": "Eth0-ASIC1",
"role": "Ext"
"role": "Ext",
"macsec": "test"
},
"Ethernet1": {
"alias": "Eth1/2",
Expand Down Expand Up @@ -1686,8 +1687,24 @@
"vlan_id": "111",
"vsid": "5000"
}
}
},


"MACSEC_PROFILE": {
"test": {
"priority": "64",
"cipher_suite": "GCM-AES-128",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
"fallback_cak": "00000000000000000000000000000000",
"fallback_ckn": "11111111111111111111111111111111",
"policy": "security",
"enable_replay_protect": "true",
"replay_window": "64",
"send_sci": "true",
"rekey_period": "3600"
}
}

},
"SAMPLE_CONFIG_DB_UNKNOWN": {
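--- a/src/sonic-yang-models/tests/yang_model_tests/tests/macsec.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests/macsec.json
@@ -0,0 +1,29 @@
+{
+"VALID_PROFILE": {
+"desc": "Valid MACsec profile test"
+},
+"DUPLICATE_CKN": {
+"desc": "Primary CKN equals than fallback CKN",
+"eStrKey": "Must"
+},
+"INVALID_CAK_LENGTH": {
+"desc": "Invalid CAK length",
+"eStrKey": "Pattern"
+},
+"INVALID_CAK_CHARACTER": {
+"desc": "Invalid CAK character",
+"eStrKey": "Pattern"
+},
+"INVALID_CIPHER_LOWERCASE": {
+"desc": "Invalid cipher with lowercase",
+"eStrKey": "Pattern"
+},
+"MISMATCH_LENGTH_PRIMARY_FALLBACK": {
+"desc": "Mismatch length of primary and fallback",
+"eStrKey": "Must"
+},
+"SET_REPLAY_WINDOW_WHEN_DISABLE_REPLAY_PROTECT": {
+"desc": "Set replay window when disable replay protect",
+"eStrKey": "When"
+}
+}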
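Review bot: The description for DUPLICATE_CKN reads "Primary CKN equals than fallback CKN", which is ungrammatical; `"desc": "Primary CKN equals fallback CKN"` says what the case checks. These `desc` strings are the only statement of what each expected error key is meant to cover, so the wording is worth fixing while the file is new.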
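--- a/src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json
@@ -0,0 +1,141 @@
+{
+"VALID_PROFILE": {
+"sonic-macsec:sonic-macsec": {
+"sonic-macsec:MACSEC_PROFILE": {
+"MACSEC_PROFILE_LIST": [
+{
+"name": "test32",
+"priority": 64,
+"cipher_suite": "GCM-AES-128",
+"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
+"fallback_cak": "00000000000000000000000000000000",
+"fallback_ckn": "11111111111111111111111111111111",
+"policy": "security",
+"enable_replay_protect": "true",
+"replay_window": 64,
+"send_sci": "true",
+"rekey_period": 3600
+},
+{
+"name": "test64",
+"priority": 64,
+"cipher_suite": "GCM-AES-XPN-256",
+"primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
+"primary_ckn": "6162636465666768696A6B6C6D6E6F706162636465666768696A6B6C6D6E6F70",
+"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
+"fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
+"policy": "security",
+"enable_replay_protect": "true",
+"replay_window": 64,
+"send_sci": "true",
+"rekey_period": 3600
+}
+]
+}
+},
+"sonic-port:sonic-port": {
+"sonic-port:PORT": {
+"PORT_LIST": [
+{
+"admin_status": "up",
+"alias": "eth8",
+"description": "Ethernet8",
+"fec": "rs",
+"lanes": "65",
+"mtu": 9000,
+"pfc_asym": "on",
+"name": "Ethernet8",
+"tpid": "0x8100",
+"speed": 25000,
+"macsec": "test32"
+}
+]
+}
+}
+},
+"INVALID_CIPHER_LOWERCASE": {
+"sonic-macsec:sonic-macsec": {
+"sonic-macsec:MACSEC_PROFILE": {
+"MACSEC_PROFILE_LIST": [
+{
+"name": "test",
+"cipher_suite": "gcm-aes-128",
+"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+"primary_ckn": "6162636465666768696A6B6C6D6E6F70"
+}
+]
+}
+}
+},
+"DUPLICATE_CKN": {
+"sonic-macsec:sonic-macsec": {
+"sonic-macsec:MACSEC_PROFILE": {
+"MACSEC_PROFILE_LIST": [
+{
+"name": "test",
+"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
+"fallback_cak": "0123456789ABCDEF0123456789ABCDEF",
+"fallback_ckn": "6162636465666768696A6B6C6D6E6F70"
+}
+]
+}
+}
+},
+"INVALID_CAK_LENGTH": {
+"sonic-macsec:sonic-macsec": {
+"sonic-macsec:MACSEC_PROFILE": {
+"MACSEC_PROFILE_LIST": [
+{
+"name": "test",
+"primary_cak": "0123456789ABCDEF0123456789ABCDEFA",
+"primary_ckn": "6162636465666768696A6B6C6D6E6F70A"
+}
+]
+}
+}
+},
+"INVALID_CAK_CHARACTER": {
+"sonic-macsec:sonic-macsec": {
+"sonic-macsec:MACSEC_PROFILE": {
+"MACSEC_PROFILE_LIST": [
+{
+"name": "test",
+"primary_cak": "X123456789ABCDEF0123456789ABCDEF",
+"primary_ckn": "X162636465666768696A6B6C6D6E6F70"
+}
+]
+}
+}
+},
+"MISMATCH_LENGTH_PRIMARY_FALLBACK": {
+"sonic-macsec:sonic-macsec": {
+"sonic-macsec:MACSEC_PROFILE": {
+"MACSEC_PROFILE_LIST": [
+{
+"name": "test",
+"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
+"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
+"fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111"
+}
+]
+}
+}
+},
+"SET_REPLAY_WINDOW_WHEN_DISABLE_REPLAY_PROTECT": {
+"sonic-macsec:sonic-macsec": {
+"sonic-macsec:MACSEC_PROFILE": {
+"MACSEC_PROFILE_LIST": [
+{
+"name": "test",
+"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
+"replay_window": 64
+}
+]
+}
+}
+}
+}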
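Review bot: INVALID_CAK_LENGTH and INVALID_CAK_CHARACTER invalidate `primary_cak` and `primary_ckn` together (both are 33 characters in the first case, both start with `X` in the second), so each case still passes if only one of the two patterns is actually enforced. Keeping the CKN valid in those cases, `"primary_ckn": "6162636465666768696A6B6C6D6E6F70"`, would pin the CAK pattern specifically, and a matching pair of CKN-only cases would pin the other. VALID_PROFILE also sets `fallback_cak` and `fallback_ckn` in both entries, so no case shows that a profile with only a primary key validates, although the model declares the fallback leaves as optional.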
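--- a/src/sonic-yang-models/yang-models/sonic-macsec.yang
+++ b/src/sonic-yang-models/yang-models/sonic-macsec.yang
@@ -0,0 +1,116 @@
+module sonic-macsec {
+
+yang-version 1.1;
+
+namespace "http://github.com/Azure/sonic-macsec";
+
+prefix macsec;
+
+import sonic-types {
+prefix stypes;
+}
+
+description "MACsec yang Module for SONiC OS";
+
+revision 2022-04-12 {
+description "First Revision";
+}
+
+container sonic-macsec {
+
+container MACSEC_PROFILE {
+
+description "MACsec profile of config_db.json";
+
+list MACSEC_PROFILE_LIST {
+
+key "name";
+
+leaf name {
+type string {
+length 1..128;
+}
+}
+
+leaf priority {
+type uint8;
+default 255;
+}
+
+leaf cipher_suite {
+type string {
+pattern "GCM-AES-128|GCM-AES-256|GCM-AES-XPN-128|GCM-AES-XPN-256";
+}
+default "GCM-AES-128";
+}
+
+leaf primary_cak {
+type string {
+pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
+}
+mandatory true;
+}
+
+leaf primary_ckn {
+type string {
+pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
+}
+mandatory true;
+}
+
+leaf fallback_cak {
+type string {
+pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
+}
+}
+
+leaf fallback_ckn {
+type string {
+pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
+}
+}
+
+must "string-length(primary_cak) = string-length(primary_ckn)";
+
+must "string-length(fallback_cak) = string-length(fallback_ckn)";
+
+must "string-length(fallback_cak) = string-length(primary_cak)";
+
+must "primary_ckn != fallback_ckn";
+
+leaf policy {
+type string {
+pattern "integrity_only|security";
+}
+default "security";
+}
+
+leaf enable_replay_protect {
+type stypes:boolean_type;
+default "false";
+}
+
+leaf replay_window {
+when "current()/../enable_replay_protect = 'true'";
+type uint32;
+}
+
+leaf send_sci {
+type stypes:boolean_type;
+default "true";
+}
+
+leaf rekey_period {
+description "The period of proactively refresh (Unit second).
+If the value is 0, which means never proactive refresh SAK.";
+type uint32;
+default 0;
+}
+
+} /* end of list MACSEC_PROFILE_LIST */
+
+} /* end of container MACSEC_PROFILE */
+
+} /* end of container sonic-macsec */
+
+} /* end of module sonic-macsec */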
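Review bot: The `must` expressions that mention `fallback_cak` and `fallback_ckn` do not account for those leaves being optional. Under XPath 1.0 rules `string-length()` of a missing leaf is 0 and a comparison against an empty node-set is false, so `string-length(fallback_cak) = string-length(primary_cak)` and `primary_ckn != fallback_ckn` would both appear to reject a profile that configures only the primary key; none of the test cases on this page exercises a valid profile without fallback keys. Guarding them as `must "not(fallback_cak) or string-length(fallback_cak) = string-length(primary_cak)";` and `must "not(fallback_ckn) or primary_ckn != fallback_ckn";` keeps both checks for profiles that do set a fallback. The CKN comparison is also case-sensitive while the pattern accepts `a-f` and `A-F`, so the same CKN written in different case would pass as two distinct names.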
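--- a/src/sonic-yang-models/yang-models/sonic-port.yang
+++ b/src/sonic-yang-models/yang-models/sonic-port.yang
@@ -13,6 +13,10 @@ module sonic-port{
 prefix ext;
 }
 
+import sonic-macsec {
+prefix macsec;
+}
+
 description "PORT yang Module for SONiC OS";
 
 revision 2019-07-01 {
@@ -153,6 +157,12 @@ module sonic-port{
 type boolean;
 }
 
+leaf macsec {
+type leafref {
+path "/macsec:sonic-macsec/macsec:MACSEC_PROFILE/macsec:MACSEC_PROFILE_LIST/macsec:name";
+}
+}
+
 } /* end of list PORT_LIST */
 
 } /* end of container PORT */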
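Review bot: The new `macsec` leaf in the second hunk has no `description`, so the model does not say what the reference means for a port or what happens when it is absent. Something like `description "Name of the MACSEC_PROFILE entry applied to this port";` would do; that wording is inferred from the leafref path and should be confirmed against how the port configuration is consumed. The enclosing `PORT_LIST` starts outside the hunk.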