
Commit a149457

authored
[yang]: Add yang model for MACsec (#10559)
Add Yang model to constrain the configuration of MACsec
1 parent 16f6860 commit a149457


6 files changed

+319
-4
lines changed


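--- a/src/sonic-yang-models/setup.py
+++ b/src/sonic-yang-models/setup.py
@@ -143,7 +143,8 @@ def run(self):
 './yang-models/sonic-tc-queue-map.yang',
 './yang-models/sonic-pfc-priority-queue-map.yang',
 './yang-models/sonic-pfc-priority-priority-group-map.yang',
-'./yang-models/sonic-port-qos-map.yang']),
+'./yang-models/sonic-port-qos-map.yang',
+'./yang-models/sonic-macsec.yang']),
 ('cvlyang-models', ['./cvlyang-models/sonic-acl.yang',
 './cvlyang-models/sonic-bgp-common.yang',
 './cvlyang-models/sonic-bgp-global.yang',
@@ -194,7 +195,8 @@ def run(self):
 './cvlyang-models/sonic-tc-queue-map.yang',
 './cvlyang-models/sonic-pfc-priority-queue-map.yang',
 './cvlyang-models/sonic-pfc-priority-priority-group-map.yang',
-'./cvlyang-models/sonic-port-qos-map.yang']),
+'./cvlyang-models/sonic-port-qos-map.yang',
+'./cvlyang-models/sonic-macsec.yang']),
 ],
 zip_safe=False,
 )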

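--- a/src/sonic-yang-models/tests/files/sample_config_db.json
+++ b/src/sonic-yang-models/tests/files/sample_config_db.json
@@ -426,7 +426,8 @@
 "admin_status": "up",
 "index": "0",
 "asic_port_name": "Eth0-ASIC1",
-"role": "Ext"
+"role": "Ext",
+"macsec": "test"
 },
 "Ethernet1": {
 "alias": "Eth1/2",
@@ -1686,8 +1687,24 @@
 "vlan_id": "111",
 "vsid": "5000"
 }
-}
+},
+
 
+"MACSEC_PROFILE": {
+"test": {
+"priority": "64",
+"cipher_suite": "GCM-AES-128",
+"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
+"fallback_cak": "00000000000000000000000000000000",
+"fallback_ckn": "11111111111111111111111111111111",
+"policy": "security",
+"enable_replay_protect": "true",
+"replay_window": "64",
+"send_sci": "true",
+"rekey_period": "3600"
+}
+}
 
 },
 "SAMPLE_CONFIG_DB_UNKNOWN": {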
@@ -0,0 +1,29 @@
1+
{
2+
"VALID_PROFILE": {
3+
"desc": "Valid MACsec profile test"
4+
},
5+
"DUPLICATE_CKN": {
6+
"desc": "Primary CKN equals than fallback CKN",
7+
"eStrKey": "Must"
8+
},
9+
"INVALID_CAK_LENGTH": {
10+
"desc": "Invalid CAK length",
11+
"eStrKey": "Pattern"
12+
},
13+
"INVALID_CAK_CHARACTER": {
14+
"desc": "Invalid CAK character",
15+
"eStrKey": "Pattern"
16+
},
17+
"INVALID_CIPHER_LOWERCASE": {
18+
"desc": "Invalid cipher with lowercase",
19+
"eStrKey": "Pattern"
20+
},
21+
"MISMATCH_LENGTH_PRIMARY_FALLBACK": {
22+
"desc": "Mismatch length of primary and fallback",
23+
"eStrKey": "Must"
24+
},
25+
"SET_REPLAY_WINDOW_WHEN_DISABLE_REPLAY_PROTECT": {
26+
"desc": "Set replay window when disable replay protect",
27+
"eStrKey": "When"
28+
}
29+
}
@@ -0,0 +1,141 @@
1+
{
2+
"VALID_PROFILE": {
3+
"sonic-macsec:sonic-macsec": {
4+
"sonic-macsec:MACSEC_PROFILE": {
5+
"MACSEC_PROFILE_LIST": [
6+
{
7+
"name": "test32",
8+
"priority": 64,
9+
"cipher_suite": "GCM-AES-128",
10+
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
11+
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
12+
"fallback_cak": "00000000000000000000000000000000",
13+
"fallback_ckn": "11111111111111111111111111111111",
14+
"policy": "security",
15+
"enable_replay_protect": "true",
16+
"replay_window": 64,
17+
"send_sci": "true",
18+
"rekey_period": 3600
19+
},
20+
{
21+
"name": "test64",
22+
"priority": 64,
23+
"cipher_suite": "GCM-AES-XPN-256",
24+
"primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
25+
"primary_ckn": "6162636465666768696A6B6C6D6E6F706162636465666768696A6B6C6D6E6F70",
26+
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
27+
"fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
28+
"policy": "security",
29+
"enable_replay_protect": "true",
30+
"replay_window": 64,
31+
"send_sci": "true",
32+
"rekey_period": 3600
33+
}
34+
]
35+
}
36+
},
37+
"sonic-port:sonic-port": {
38+
"sonic-port:PORT": {
39+
"PORT_LIST": [
40+
{
41+
"admin_status": "up",
42+
"alias": "eth8",
43+
"description": "Ethernet8",
44+
"fec": "rs",
45+
"lanes": "65",
46+
"mtu": 9000,
47+
"pfc_asym": "on",
48+
"name": "Ethernet8",
49+
"tpid": "0x8100",
50+
"speed": 25000,
51+
"macsec": "test32"
52+
}
53+
]
54+
}
55+
}
56+
},
57+
"INVALID_CIPHER_LOWERCASE": {
58+
"sonic-macsec:sonic-macsec": {
59+
"sonic-macsec:MACSEC_PROFILE": {
60+
"MACSEC_PROFILE_LIST": [
61+
{
62+
"name": "test",
63+
"cipher_suite": "gcm-aes-128",
64+
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
65+
"primary_ckn": "6162636465666768696A6B6C6D6E6F70"
66+
}
67+
]
68+
}
69+
}
70+
},
71+
"DUPLICATE_CKN": {
72+
"sonic-macsec:sonic-macsec": {
73+
"sonic-macsec:MACSEC_PROFILE": {
74+
"MACSEC_PROFILE_LIST": [
75+
{
76+
"name": "test",
77+
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
78+
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
79+
"fallback_cak": "0123456789ABCDEF0123456789ABCDEF",
80+
"fallback_ckn": "6162636465666768696A6B6C6D6E6F70"
81+
}
82+
]
83+
}
84+
}
85+
},
86+
"INVALID_CAK_LENGTH": {
87+
"sonic-macsec:sonic-macsec": {
88+
"sonic-macsec:MACSEC_PROFILE": {
89+
"MACSEC_PROFILE_LIST": [
90+
{
91+
"name": "test",
92+
"primary_cak": "0123456789ABCDEF0123456789ABCDEFA",
93+
"primary_ckn": "6162636465666768696A6B6C6D6E6F70A"
94+
}
95+
]
96+
}
97+
}
98+
},
99+
"INVALID_CAK_CHARACTER": {
100+
"sonic-macsec:sonic-macsec": {
101+
"sonic-macsec:MACSEC_PROFILE": {
102+
"MACSEC_PROFILE_LIST": [
103+
{
104+
"name": "test",
105+
"primary_cak": "X123456789ABCDEF0123456789ABCDEF",
106+
"primary_ckn": "X162636465666768696A6B6C6D6E6F70"
107+
}
108+
]
109+
}
110+
}
111+
},
112+
"MISMATCH_LENGTH_PRIMARY_FALLBACK": {
113+
"sonic-macsec:sonic-macsec": {
114+
"sonic-macsec:MACSEC_PROFILE": {
115+
"MACSEC_PROFILE_LIST": [
116+
{
117+
"name": "test",
118+
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
119+
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
120+
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
121+
"fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111"
122+
}
123+
]
124+
}
125+
}
126+
},
127+
"SET_REPLAY_WINDOW_WHEN_DISABLE_REPLAY_PROTECT": {
128+
"sonic-macsec:sonic-macsec": {
129+
"sonic-macsec:MACSEC_PROFILE": {
130+
"MACSEC_PROFILE_LIST": [
131+
{
132+
"name": "test",
133+
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
134+
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
135+
"replay_window": 64
136+
}
137+
]
138+
}
139+
}
140+
}
141+
}
@@ -0,0 +1,116 @@
1+
module sonic-macsec {
2+
3+
yang-version 1.1;
4+
5+
namespace "http://github.com/Azure/sonic-macsec";
6+
7+
prefix macsec;
8+
9+
import sonic-types {
10+
prefix stypes;
11+
}
12+
13+
description "MACsec yang Module for SONiC OS";
14+
15+
revision 2022-04-12 {
16+
description "First Revision";
17+
}
18+
19+
container sonic-macsec {
20+
21+
container MACSEC_PROFILE {
22+
23+
description "MACsec profile of config_db.json";
24+
25+
list MACSEC_PROFILE_LIST {
26+
27+
key "name";
28+
29+
leaf name {
30+
type string {
31+
length 1..128;
32+
}
33+
}
34+
35+
leaf priority {
36+
type uint8;
37+
default 255;
38+
}
39+
40+
leaf cipher_suite {
41+
type string {
42+
pattern "GCM-AES-128|GCM-AES-256|GCM-AES-XPN-128|GCM-AES-XPN-256";
43+
}
44+
default "GCM-AES-128";
45+
}
46+
47+
leaf primary_cak {
48+
type string {
49+
pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
50+
}
51+
mandatory true;
52+
}
53+
54+
leaf primary_ckn {
55+
type string {
56+
pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
57+
}
58+
mandatory true;
59+
}
60+
61+
leaf fallback_cak {
62+
type string {
63+
pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
64+
}
65+
}
66+
67+
leaf fallback_ckn {
68+
type string {
69+
pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
70+
}
71+
}
72+
73+
must "string-length(primary_cak) = string-length(primary_ckn)";
74+
75+
must "string-length(fallback_cak) = string-length(fallback_ckn)";
76+
77+
must "string-length(fallback_cak) = string-length(primary_cak)";
78+
79+
must "primary_ckn != fallback_ckn";
80+
81+
leaf policy {
82+
type string {
83+
pattern "integrity_only|security";
84+
}
85+
default "security";
86+
}
87+
88+
leaf enable_replay_protect {
89+
type stypes:boolean_type;
90+
default "false";
91+
}
92+
93+
leaf replay_window {
94+
when "current()/../enable_replay_protect = 'true'";
95+
type uint32;
96+
}
97+
98+
leaf send_sci {
99+
type stypes:boolean_type;
100+
default "true";
101+
}
102+
103+
leaf rekey_period {
104+
description "The period of proactively refresh (Unit second).
105+
If the value is 0, which means never proactive refresh SAK.";
106+
type uint32;
107+
default 0;
108+
}
109+
110+
} /* end of list MACSEC_PROFILE_LIST */
111+
112+
} /* end of container MACSEC_PROFILE */
113+
114+
} /* end of container sonic-macsec */
115+
116+
} /* end of module sonic-macsec */
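Review bot: Two of the `must` statements in `MACSEC_PROFILE_LIST` (new lines 77 and 79) appear to make the fallback key pair mandatory even though `fallback_cak` and `fallback_ckn` are declared as optional leaves. As I read XPath 1.0, an absent leaf gives `string-length()` of 0 and makes a node-set `!=` comparison false, so a profile carrying only primary keys would fail both `string-length(fallback_cak) = string-length(primary_cak)` and `primary_ckn != fallback_ckn`. Guarding on presence keeps the intended checks: `must "not(fallback_cak) or string-length(fallback_cak) = string-length(primary_cak)";` and `must "not(fallback_ckn) or primary_ckn != fallback_ckn";`. The only valid case in this commit's test data sets all four keys, so a primary-only VALID case would confirm the behaviour under the validator. The leaves `policy`, `enable_replay_protect` and `replay_window` would also benefit from `description` statements, since the defaults leave replay protection off and `rekey_period` 0 means the SAK is never proactively refreshed.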

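--- a/src/sonic-yang-models/yang-models/sonic-port.yang
+++ b/src/sonic-yang-models/yang-models/sonic-port.yang
@@ -13,6 +13,10 @@ module sonic-port{
 prefix ext;
 }
 
+import sonic-macsec {
+prefix macsec;
+}
+
 description "PORT yang Module for SONiC OS";
 
 revision 2019-07-01 {
@@ -153,6 +157,12 @@ module sonic-port{
 type boolean;
 }
 
+leaf macsec {
+type leafref {
+path "/macsec:sonic-macsec/macsec:MACSEC_PROFILE/macsec:MACSEC_PROFILE_LIST/macsec:name";
+}
+}
+
 } /* end of list PORT_LIST */
 
 } /* end of container PORT */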
