Internet Engineering Task Force (IETF) M. Jethanandani
Request for Comments: 9647 Kloud Services
Category: Standards Track B. Stark
ISSN: 2070-1721 AT&T
October 2024
This document defines a data model for the Babel routing protocol. The data model is defined using the YANG data modeling language.
このドキュメントは、BABELルーティングプロトコルのデータモデルを定義しています。データモデルは、Yangデータモデリング言語を使用して定義されます。
This is an Internet Standards Track document.
これは、インターネット標準トラックドキュメントです。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
このドキュメントは、インターネットエンジニアリングタスクフォース(IETF)の製品です。IETFコミュニティのコンセンサスを表しています。公開レビューを受けており、インターネットエンジニアリングステアリンググループ(IESG)からの出版が承認されています。インターネット標準の詳細については、RFC 7841のセクション2で入手できます。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9647.
このドキュメントの現在のステータス、任意のERRATA、およびそのフィードバックを提供する方法に関する情報は、https://www.rfc-editor.org/info/rfc9647で取得できます。
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.
著作権(c)2024 IETF Trustおよび文書著者として特定された人。無断転載を禁じます。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
このドキュメントは、BCP 78およびIETFドキュメント(https://trustee.ietf.org/license-info)に関連するIETF Trustの法的規定の対象となります。この文書に関するあなたの権利と制限を説明するので、これらの文書を注意深く確認してください。このドキュメントから抽出されたコードコンポーネントには、セクション4.Eで説明されている法的規定のセクション4.Eで説明されており、改訂されたBSDライセンスで説明されている保証なしで提供されるように、改訂されたBSDライセンステキストを含める必要があります。
1. Introduction
1.1. Requirements Language
1.2. Tree Diagram Annotations
2. Babel Module
2.1. Information Model
2.2. Tree Diagram
2.3. YANG Module
3. IANA Considerations
3.1. URI Registration
3.2. YANG Module Name Registration
4. Security Considerations
5. References
5.1. Normative References
5.2. Informative References
Appendix A. Tree Diagram and Example Configurations
A.1. Complete Tree Diagram
A.2. Statistics Gathering Enabled
A.3. Automatic Detection of Properties
A.4. Override Default Properties
A.5. Configuring Other Properties
Acknowledgements
Authors' Addresses
This document defines a data model for the Babel routing protocol [RFC8966]. The data model is defined using YANG 1.1 [RFC7950] and is compatible with Network Management Datastore Architecture (NMDA) [RFC8342]. It is based on the Babel information model [RFC9046]. The data model only includes data nodes that are useful for managing Babel over IPv6.
このドキュメントは、BABELルーティングプロトコル[RFC8966]のデータモデルを定義しています。データモデルは、Yang 1.1 [RFC7950]を使用して定義され、ネットワーク管理データストアアーキテクチャ(NMDA)[RFC8342]と互換性があります。これは、BABEL情報モデル[RFC9046]に基づいています。データモデルには、IPv6を介してBabelを管理するのに役立つデータノードのみが含まれています。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
「必須」、「必要」、「必須」、「shall」、「shall」、「suff」、 "not"、 "becommended"、 "becommented"、 "may"、 "optional「このドキュメントでは、BCP 14 [RFC2119] [RFC8174]で説明されているように解釈されます。
For a reference to the annotations used in tree diagrams included in this document, please see "YANG Tree Diagrams" [RFC8340].
このドキュメントに含まれるツリー図に使用される注釈への参照については、「Yang Tree Diagrams」[RFC8340]を参照してください。
This document defines a YANG 1.1 [RFC7950] data model for the configuration and management of Babel. The YANG module is based on the Babel information model [RFC9046].
このドキュメントでは、BABELの構成と管理のためのYang 1.1 [RFC7950]データモデルを定義しています。Yangモジュールは、BABEL情報モデル[RFC9046]に基づいています。
It's worth noting a few differences between the Babel information model and this data module. The information model mandates the definition of some of the attributes, e.g., "babel-implementation-version" or the "babel-self-router-id". These attributes are marked as read-only objects in the information module as well as in this data module. However, there is no way in the data module to mandate that a read-only attribute be present. It is up to the implementation of this data module to make sure that the attributes that are marked "read only" and are mandatory are indeed present.
Babel情報モデルとこのデータモジュールの間にいくつかの違いがあることに注意する価値があります。情報モデルは、属性のいくつかの定義、例えば「Babel-Implementation-version」または「babel-self-router-id」を義務付けています。これらの属性は、情報モジュールおよびこのデータモジュールの読み取り専用オブジェクトとしてマークされています。ただし、データモジュールには、読み取り専用属性が存在することを義務付ける方法はありません。「読み取り専用」と必須である属性が実際に存在することを確認するのは、このデータモジュールの実装次第です。
The following diagram illustrates a top-level hierarchy of the model. In addition to the version implemented by this device, the model contains subtrees on "constants", "interfaces", "mac-key-set", "dtls", and "routes".
次の図は、モデルのトップレベルの階層を示しています。このデバイスによって実装されたバージョンに加えて、モデルには「定数」、「インターフェイス」、「Mac-Key-Set」、「DTLS」、および「ルート」にサブツリーが含まれています。
module: ietf-babel
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol:
+--rw babel!
+--ro version? string
+--rw enable boolean
+--ro router-id? binary
+--ro seqno? uint16
+--rw statistics-enabled? boolean
+--rw constants
| ...
+--rw interfaces* [reference]
| ...
+--rw mac-key-set* [name]
| ...
+--rw dtls* [name]
| ...
+--ro routes* [prefix]
...
The "interfaces" subtree describes attributes such as the "interface" object that is being referenced; the type of link, e.g., wired, wireless, or tunnel, as enumerated by "metric-algorithm" and "split-horizon"; and whether the interface is enabled or not.
「インターフェイス」サブツリーは、参照されている「インターフェイス」オブジェクトなどの属性を記述します。「メトリックアルゴリズム」および「スプリットホリゾン」によって列挙されているリンクのタイプ、有線、ワイヤレス、またはトンネル。インターフェイスが有効になっているかどうか。
The "constants" subtree describes the UDP port used for sending and receiving Babel messages and the multicast group used to send and receive announcements on IPv6.
「定数」サブツリーは、Babelメッセージの送信と受信に使用されるUDPポートと、IPv6で発表を送信および受信するために使用されるマルチキャストグループについて説明しています。
The "routes" subtree describes objects such as the prefix for which the route is advertised, a reference to the neighboring route, and the "next-hop" address.
「ルート」サブツリーは、ルートが宣伝されているプレフィックス、隣接するルートへの参照、「ネクストホップ」アドレスなどのオブジェクトを説明します。
Finally, for security, two subtrees are defined to contain Message Authentication Code (MAC) keys and DTLS certificates. The "mac-key-set" subtree contains keys used with the MAC security mechanism. The boolean flag "default-apply" indicates whether the set of MAC keys is automatically applied to new interfaces. The "dtls" subtree contains certificates used with the DTLS security mechanism. Similar to the MAC mechanism, the boolean flag "default-apply" indicates whether the set of DTLS certificates is automatically applied to new interfaces.
最後に、セキュリティの場合、メッセージ認証コード(MAC)キーとDTLS証明書を含むように2つのサブツリーが定義されています。「Mac-Key-Set」サブツリーには、Macセキュリティメカニズムとともに使用されるキーが含まれています。ブールフラグ「デフォルトアプリ」は、Macキーのセットが新しいインターフェイスに自動的に適用されるかどうかを示します。「DTLS」サブツリーには、DTLSセキュリティメカニズムで使用される証明書が含まれています。MACメカニズムと同様に、ブールフラグ「デフォルトアプリ」は、DTLS証明書のセットが新しいインターフェイスに自動的に適用されるかどうかを示します。
This YANG module augments the YANG routing management module [RFC8349] to provide a common framework for all routing subsystems. By augmenting the module, it provides a common building block for routes and Routing Information Bases (RIBs). It also has a reference to an interface defined by "A YANG Data Model for Interface Management" [RFC8343].
このYangモジュールは、Yangルーティング管理モジュール[RFC8349]を拡張して、すべてのルーティングサブシステムに共通のフレームワークを提供します。モジュールを拡張することにより、ルートとルーティング情報ベース(リブ)に共通のビルディングブロックを提供します。また、「インターフェイス管理のためのヤンデータモデル」[RFC8343]で定義されたインターフェイスへの参照もあります。
A router running the Babel routing protocol can sometimes determine the parameters it needs to use for an interface based on the interface name. For example, it can detect that eth0 is a wired interface and that wlan0 is a wireless interface. This is not true for a tunnel interface, where the link parameters need to be configured explicitly.
バベルルーティングプロトコルを実行するルーターは、インターフェイス名に基づいてインターフェイスに使用する必要があるパラメーターを決定することがあります。たとえば、ETH0は有線インターフェイスであり、WLAN0がワイヤレスインターフェイスであることを検出できます。これは、リンクパラメーターを明示的に構成する必要があるトンネルインターフェイスには当てはまりません。
For a wired interface, it will assume "two-out-of-three" is set for "metric-algorithm" and "split-horizon" is set to true. On the other hand, for a wireless interface, it will assume "etx" is set for "metric-algorithm" and "split-horizon" is set to false. However, if the wired link is connected to a wireless radio, the values can be overridden by setting "metric-algorithm" to "etx" and "split-horizon" to false. Similarly, an interface that is a metered 3G link and is used for fallback connectivity needs much higher default time constants, e.g., "mcast-hello-interval" and "update-interval", in order to avoid carrying control traffic as much as possible.
有線インターフェイスの場合、「メトリックアルゴリズム」と「スプリットホリゾン」がTRUEに設定されている「2回の3」が設定されていると仮定します。一方、ワイヤレスインターフェイスの場合、「Metric-Algorithm」に「ETX」が設定され、「Split-Horizon」がfalsに設定されていると仮定します。ただし、有線リンクがワイヤレス無線に接続されている場合、「メトリックアルゴリズム」を「ETX」に、「スプリットホリゾン」にfalseに設定することにより、値をオーバーライドできます。同様に、メーター付きの3Gリンクであり、フォールバック接続に使用されるインターフェイスは、制御トラフィックを可能な限り運ぶのを避けるために、「Mcast-Hello-interval」や「Update-Interval」など、はるかに高いデフォルトの時間定数を必要とします。。
In addition to the modules used above, this module imports definitions from "Common YANG Data Types" [RFC6991] and references "HMAC: Keyed-Hashing for Message Authentication" [RFC2104], "Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec" [RFC4868], "Textual Encodings of PKIX, PKCS, and CMS Structures" [RFC7468], "The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)" [RFC7693], "Network Configuration Access Control Model" [RFC8341], "The Babel Routing Protocol" [RFC8966], "MAC Authentication for the Babel Routing Protocol" [RFC8967], "Babel Information Model" [RFC9046], "The Datagram Transport Layer Security (DTLS) Protocol Version 1.3" [RFC9147], and "YANG Data Types and Groupings for Cryptography" [RFC9640].
上記で使用したモジュールに加えて、このモジュールは「一般的なヤンデータ型」[RFC6991]および「HMAC:メッセージ認証のためのキー付きヘッシング」[RFC2104]、HMAC-SHA-256、HMAC-SHA-からの参照から定義をインポートします。384、およびIpsec "[rfc4868]、「pkix、pkcs、およびcms構造のテキストエンコーディング」[rfc7468]、" Blake2暗号化ハッシュおよびメッセージ認証コード(MAC)[RFC7693]、ネットワーク "構成アクセス制御モデル "[RFC8341]、「The Babel Routing Protocol" [RFC8966]、「BABELルーティングプロトコル」[RFC8967]のMAC認証[RFC8967]、「BABEL情報モデル」[RFC9046]、「データグラムトランスポートレイヤーセキュリティ(DTLS)プロトコルバージョン1.3 "[RFC9147]、および「暗号化のためのYangデータ型とグループ化」[RFC9640]。
module ietf-babel {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-babel";
prefix babel;
import ietf-yang-types {
prefix yang;
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-inet-types {
prefix inet;
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-interfaces {
prefix if;
reference
"RFC 8343: A YANG Data Model for Interface Management";
}
import ietf-routing {
prefix rt;
reference
"RFC 8349: A YANG Data Model for Routing Management (NMDA
Version)";
}
import ietf-crypto-types {
prefix ct;
reference
"RFC 9640: YANG Data Types and Groupings
for Cryptography";
}
import ietf-netconf-acm {
prefix nacm;
reference
"RFC 8341: Network Configuration Access Control Model";
}
organization
"IETF Babel routing protocol Working Group";
contact
"WG Web: https://datatracker.ietf.org/wg/babel/
WG List: babel@ietf.org
Editor: Mahesh Jethanandani
mjethanandani@gmail.com
Editor: Barbara Stark
bs7652@att.com";
description
"This YANG module defines a model for the Babel routing
protocol.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
'MAY', and 'OPTIONAL' in this document are to be interpreted as
described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
they appear in all capitals, as shown here.
Copyright (c) 2024 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject to
the license terms contained in, the Revised BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 9647
(https://www.rfc-editor.org/info/rfc9647); see the RFC itself
for full legal notices.";
revision 2024-10-10 {
description
"Initial version.";
reference
"RFC 9647: A YANG Data Model for Babel";
}
/*
* Features
*/
feature two-out-of-three-supported {
description
"This implementation supports the '2-out-of-3'
computation algorithm.";
}
feature etx-supported {
description
"This implementation supports the Expected Transmission Count
(ETX) metric computation algorithm.";
}
feature mac-supported {
description
"This implementation supports MAC-based security.";
reference
"RFC 8967: MAC Authentication for the Babel Routing
Protocol";
}
feature dtls-supported {
description
"This implementation supports DTLS-based security.";
reference
"RFC 8968: Babel Routing Protocol over Datagram
Transport Layer Security";
}
feature hmac-sha256-supported {
description
"This implementation supports the HMAC-SHA256 MAC algorithm.";
reference
"RFC 8967: MAC Authentication for the Babel Routing
Protocol";
}
feature blake2s-supported {
description
"This implementation supports BLAKE2s MAC algorithms.";
reference
"RFC 8967: MAC Authentication for the Babel Routing
Protocol";
}
feature x-509-supported {
description
"This implementation supports the X.509 certificate type.";
reference
"RFC 8968: Babel Routing Protocol over Datagram
Transport Layer Security";
}
feature raw-public-key-supported {
description
"This implementation supports the raw public key certificate
type.";
reference
"RFC 8968: Babel Routing Protocol over Datagram
Transport Layer Security";
}
/*
* Identities
*/
identity metric-comp-algorithms {
description
"Base identity from which all Babel metric computation
algorithms MUST be derived.";
}
identity two-out-of-three {
if-feature "two-out-of-three-supported";
base metric-comp-algorithms;
description
"2-out-of-3 algorithm.";
reference
"RFC 8966: The Babel Routing Protocol, Section A.2.1";
}
identity etx {
if-feature "etx-supported";
base metric-comp-algorithms;
description
"Expected Transmission Count (ETX) metric computation
algorithm.";
reference
"RFC 8966: The Babel Routing Protocol, Section A.2.2";
}
/*
* Babel MAC algorithms identities.
*/
identity mac-algorithms {
description
"Base identity for all Babel MAC algorithms.";
}
identity hmac-sha256 {
if-feature "mac-supported";
if-feature "hmac-sha256-supported";
base mac-algorithms;
description
"HMAC-SHA256 algorithm supported.";
reference
"RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
with IPsec";
}
identity blake2s {
if-feature "mac-supported";
if-feature "blake2s-supported";
base mac-algorithms;
description
"BLAKE2s algorithms supported. Specifically, BLAKE2-128 is
supported.";
reference
"RFC 7693: The BLAKE2 Cryptographic Hash and Message
Authentication Code (MAC)";
}
/*
* Babel Cert Types
*/
identity dtls-cert-types {
description
"Base identity for Babel DTLS certificate types.";
}
identity x-509 {
if-feature "dtls-supported";
if-feature "x-509-supported";
base dtls-cert-types;
description
"X.509 certificate type.";
}
identity raw-public-key {
if-feature "dtls-supported";
if-feature "raw-public-key-supported";
base dtls-cert-types;
description
"Raw public key certificate type.";
}
/*
* Babel routing protocol identity.
*/
identity babel {
base rt:routing-protocol;
description
"Babel routing protocol";
}
/*
* Groupings
*/
grouping routes {
list routes {
key "prefix";
config false;
leaf prefix {
type inet:ip-prefix;
description
"Prefix (expressed in ip-address/prefix-length format) for
which this route is advertised.";
reference
"RFC 9046: Babel Information Model, Section 3.6";
}
leaf router-id {
type binary {
length "8";
}
description
"router-id of the source router for which this route is
advertised.";
reference
"RFC 9046: Babel Information Model, Section 3.6";
}
leaf neighbor {
type leafref {
path "/rt:routing/rt:control-plane-protocols/"
+ "rt:control-plane-protocol/babel/interfaces/"
+ "neighbor-objects/neighbor-address";
}
description
"Reference to the neighbor-objects entry for the neighbor
that advertised this route.";
reference
"RFC 9046: Babel Information Model, Section 3.6";
}
leaf received-metric {
type union {
type enumeration {
enum null {
description
"Route was not received from a neighbor.";
}
}
type uint16;
}
description
"The metric with which this route was advertised by the
neighbor, or maximum value (infinity) to indicate the
route was recently retracted and is temporarily
unreachable. This metric will be NULL if the
route was not received from a neighbor but instead was
injected through means external to the Babel routing
protocol. At least one of calculated-metric or
received-metric MUST be non-NULL.";
reference
"RFC 9046: Babel Information Model, Section 3.6
RFC 8966: The Babel Routing Protocol, Section 2.1";
}
leaf calculated-metric {
type union {
type enumeration {
enum null {
description
"Route has not been calculated.";
}
}
type uint16;
}
description
"A calculated metric for this route. How the metric is
calculated is implementation specific. Maximum value
(infinity) indicates the route was recently retracted
and is temporarily unreachable. At least one of
calculated-metric or received-metric MUST be non-NULL.";
reference
"RFC 9046: Babel Information Model, Section 3.6
RFC 8966: The Babel Routing Protocol, Section 2.1";
}
leaf seqno {
type uint16;
description
"The sequence number with which this route was
advertised.";
reference
"RFC 9046: Babel Information Model, Section 3.6";
}
leaf next-hop {
type union {
type enumeration {
enum null {
description
"Route has no next-hop address.";
}
}
type inet:ip-address;
}
description
"The next-hop address of this route. This will be NULL
if this route has no next-hop address.";
reference
"RFC 9046: Babel Information Model, Section 3.6";
}
leaf feasible {
type boolean;
description
"A boolean flag indicating whether this route is
feasible.";
reference
"RFC 9046: Babel Information Model, Section 3.6
RFC 8966, The Babel Routing Protocol, Section 3.5.1";
}
leaf selected {
type boolean;
description
"A boolean flag indicating whether this route is selected,
i.e., whether it is currently being used for forwarding
and is being advertised.";
reference
"RFC 9046: Babel Information Model, Section 3.6";
}
description
"A set of babel-route-obj objects. Contains routes known to
this node.";
reference
"RFC 9046: Babel Information Model, Section 3.6";
}
description
"Common grouping for routing used in RIB.";
}
/*
* Data model
*/
augment "/rt:routing/rt:control-plane-protocols/"
+ "rt:control-plane-protocol" {
when "derived-from-or-self(rt:type, 'babel')" {
description
"Augmentation is valid only when the instance of the routing
type is of type 'babel'.";
}
description
"Augments the routing module to support a common structure
between routing protocols.";
reference
"RFC 8349: A YANG Data Model for Routing Management (NMDA
Version)";
container babel {
presence "A Babel container.";
description
"Babel information objects.";
reference
"RFC 9046: Babel Information Model, Section 3";
leaf version {
type string;
config false;
description
"The name and version of this implementation of the Babel
protocol.";
reference
"RFC 9046: Babel Information Model, Section 3.1";
}
leaf enable {
type boolean;
mandatory true;
description
"When written, it configures whether the protocol should be
enabled. A read from the <running> or <intended> datastore
therefore indicates the configured administrative value of
whether the protocol is enabled or not.
A read from the <operational> datastore indicates whether
the protocol is actually running or not, i.e., it
indicates the operational state of the protocol.";
reference
"RFC 9046: Babel Information Model, Section 3.1";
}
leaf router-id {
type binary;
must '../enable = "true"';
config false;
description
"Every Babel speaker is assigned a router-id, which is an
arbitrary string of 8 octets that is assumed to be unique
across the routing domain.
The router-id is valid only if the protocol is enabled,
at which time a non-zero value is assigned.";
reference
"RFC 9046: Babel Information Model, Section 3.1
RFC 8966: The Babel Routing Protocol, Section 3";
}
leaf seqno {
type uint16;
config false;
description
"Sequence number included in route updates for routes
originated by this node.";
reference
"RFC 9046: Babel Information Model, Section 3.1";
}
leaf statistics-enabled {
type boolean;
description
"Indicates whether statistics collection is enabled
('true') or disabled ('false') on all interfaces.
On transition to enabled, existing statistics
values are not cleared and will be incremented as
new packets are counted.";
}
container constants {
description
"Babel constants object.";
reference
"RFC 9046: Babel Information Model, Section 3.1";
leaf udp-port {
type inet:port-number;
default "6696";
description
"UDP port for sending and receiving Babel messages. The
default port is 6696.";
reference
"RFC 9046: Babel Information Model, Section 3.2";
}
leaf mcast-group {
type inet:ip-address;
default "ff02::1:6";
description
"Multicast group for sending and receiving multicast
announcements on IPv6.";
reference
"RFC 9046: Babel Information Model, Section 3.2";
}
}
list interfaces {
key "reference";
description
"A set of Babel interface objects.";
reference
"RFC 9046: Babel Information Model, Section 3.3";
leaf reference {
type if:interface-ref;
description
"References the name of the interface over which Babel
packets are sent and received.";
reference
"RFC 9046: Babel Information Model, Section 3.3";
}
leaf enable {
type boolean;
default "true";
description
"If 'true', Babel sends and receives messages on this
interface. If 'false', Babel messages received on
this interface are ignored and none are sent.";
reference
"RFC 9046: Babel Information Model, Section 3.3";
}
leaf metric-algorithm {
type identityref {
base metric-comp-algorithms;
}
mandatory true;
description
"Indicates the metric computation algorithm used on this
interface. The value MUST be one of those identities
based on 'metric-comp-algorithms'.";
reference
"RFC 9046: Babel Information Model, Section 3.3";
}
leaf split-horizon {
type boolean;
description
"Indicates whether or not the split-horizon optimization
is used when calculating metrics on this interface.
A value of 'true' indicates the split-horizon
optimization is used.";
reference
"RFC 9046: Babel Information Model, Section 3.3";
}
leaf mcast-hello-seqno {
type uint16;
config false;
description
"The current sequence number in use for multicast Hellos
sent on this interface.";
reference
"RFC 9046: Babel Information Model, Section 3.3";
}
leaf mcast-hello-interval {
type uint16;
units "centiseconds";
description
"The current multicast Hello interval in use for Hellos
sent on this interface.";
reference
"RFC 9046: Babel Information Model, Section 3.3";
}
leaf update-interval {
type uint16;
units "centiseconds";
description
"The current update interval in use for this interface.
Units are centiseconds.";
reference
"RFC 9046: Babel Information Model, Section 3.3";
}
leaf mac-enable {
type boolean;
description
"Indicates whether the MAC security mechanism is enabled
('true') or disabled ('false').";
reference
"RFC 9046: Babel Information Model, Section 3.3";
}
leaf-list mac-key-sets {
type leafref {
path "../../mac-key-set/name";
}
description
"List of references to the MAC entries that apply
to this interface. When an interface instance is
created, all MAC instances with default-apply 'true'
will be included in this list.";
reference
"RFC 9046: Babel Information Model, Section 3.3";
}
leaf mac-verify {
type boolean;
description
"A boolean flag indicating whether MACs in
incoming Babel packets are required to be present and
are verified. If this parameter is 'true', incoming
packets are required to have a valid MAC.";
reference
"RFC 9046: Babel Information Model, Section 3.3";
}
leaf dtls-enable {
type boolean;
description
"Indicates whether the DTLS security mechanism is enabled
('true') or disabled ('false').";
reference
"RFC 9046: Babel Information Model, Section 3.3";
}
leaf-list dtls-certs {
type leafref {
path "../../dtls/name";
}
description
"List of references to the dtls entries that apply to
this interface. When an interface instance
is created, all dtls instances with default-apply
'true' will be included in this list.";
reference
"RFC 9046: Babel Information Model, Section 3.3";
}
leaf dtls-cached-info {
type boolean;
description
"Indicates whether the cached_info extension is enabled.
The extension is enabled for inclusion in ClientHello
and ServerHello messages if the value is 'true'.";
reference
"RFC 9046: Babel Information Model, Section 3.3
RFC 8968: Babel Routing Protocol over
Datagram Transport Layer Security, Appendix A";
}
leaf-list dtls-cert-prefer {
type leafref {
path "../../dtls/certs/type";
}
ordered-by user;
description
"List of supported certificate types, in order of
preference. The values MUST be the 'type' attribute
in the list 'certs' of the list 'dtls'
(../../dtls/certs/type). This list is used to populate
the server_certificate_type extension in a ClientHello.
Values that are present in at least one instance in the
certs object under dtls of a referenced dtls instance
and that have a non-empty private key will be used to
populate the client_certificate_type extension in a
ClientHello.";
reference
"RFC 9046: Babel Information Model, Section 3.3
RFC 8968: Babel Routing Protocol over
Datagram Transport Layer Security, Appendix A";
}
leaf packet-log-enable {
type boolean;
description
"If 'true', logging of babel packets received on this
interface is enabled; if 'false', babel packets are
not logged.";
reference
"RFC 9046: Babel Information Model, Section 3.3";
}
leaf packet-log {
type inet:uri;
config false;
description
"A reference or url link to a file that contains a
timestamped log of packets received and sent on
udp-port on this interface. The [libpcap] file
format with .pcap file extension SHOULD be supported for
packet log files. Logging is enabled / disabled by
packet-log-enable.";
reference
"RFC 9046: Babel Information Model, Section 3.3
libpcap: Libpcap File Format, Wireshark Foundation";
}
container statistics {
config false;
description
"Statistics collection object for this interface.";
reference
"RFC 9046: Babel Information Model, Section 3.4";
leaf discontinuity-time {
type yang:date-and-time;
mandatory true;
description
"The time on the most recent occasion at which any one
or more of counters suffered a discontinuity. If no
such discontinuities have occurred since the last
re-initialization of the local management subsystem,
then this node contains the time the local management
subsystem re-initialized itself.";
}
leaf sent-mcast-hello {
type yang:counter32;
description
"A count of the number of multicast Hello packets sent
on this interface.";
reference
"RFC 9046: Babel Information Model, Section 3.4";
}
leaf sent-mcast-update {
type yang:counter32;
description
"A count of the number of multicast update packets sent
on this interface.";
reference
"RFC 9046: Babel Information Model, Section 3.4";
}
leaf sent-ucast-hello {
type yang:counter32;
description
"A count of the number of unicast Hello packets sent
on this interface.";
reference
"RFC 9046: Babel Information Model, Section 3.4";
}
leaf sent-ucast-update {
type yang:counter32;
description
"A count of the number of unicast update packets sent
on this interface.";
reference
"RFC 9046: Babel Information Model, Section 3.4";
}
leaf sent-ihu {
type yang:counter32;
description
"A count of the number of 'I Heard You' (IHU) packets
sent on this interface.";
reference
"RFC 9046: Babel Information Model, Section 3.4";
}
leaf received-packets {
type yang:counter32;
description
"A count of the number of Babel packets received on
this interface.";
reference
"RFC 9046: Babel Information Model, Section 3.4";
}
action reset {
description
"The information model (RFC 9046) defines reset
action as a system-wide reset of Babel statistics.
In YANG, the reset action is associated with the
container where the action is defined. In this case,
the action is associated with the statistics container
inside an interface. The action will therefore
reset statistics at an interface level.
Implementations that want to support a system-wide
reset of Babel statistics need to call this action
for every instance of the interface.";
reference
"RFC 9046: Babel Information Model";
input {
leaf reset-at {
type yang:date-and-time;
description
"The time when the reset was issued.";
}
}
output {
leaf reset-finished-at {
type yang:date-and-time;
description
"The time when the reset finished.";
}
}
}
}
list neighbor-objects {
key "neighbor-address";
config false;
description
"A set of babel neighbor objects.";
reference
"RFC 9046: Babel Information Model, Section 3.5";
leaf neighbor-address {
type inet:ip-address;
description
"The IPv4 or IPv6 address from which the neighbor sends
packets.";
reference
"RFC 9046: Babel Information Model, Section 3.5";
}
leaf hello-mcast-history {
type string;
description
"The multicast Hello history of whether or not the
multicast Hello packets prior to exp-mcast-
hello-seqno were received, with a '1' for the most
recent Hello placed in the most significant bit and
prior Hellos shifted right (with '0' bits placed
between prior Hellos and the most recent Hello for any
Hellos not received); represented as a string of
hex digits encoded in utf-8. A bit that is set
indicates that the corresponding Hello was received,
and a bit that is cleared indicates that the
corresponding Hello was not received.";
reference
"RFC 9046: Babel Information Model, Section 3.5";
}
leaf hello-ucast-history {
type string;
description
"The unicast Hello history of whether or not the
unicast Hello packets prior to exp-ucast-hello-seqno
were received, with a '1' for the most
recent Hello placed in the most significant bit and
prior Hellos shifted right (with '0' bits placed
between prior Hellos and the most recent Hello for any
Hellos not received); represented as a string using
hex digits encoded in utf-8 where a '1' bit = Hello
received and a '0' bit = Hello not received.";
reference
"RFC 9046: Babel Information Model, Section 3.5";
}
leaf txcost {
type int32;
default "0";
description
"Transmission cost value from the last IHU packet
received from this neighbor, or maximum value
(infinity) to indicate the IHU hold timer for this
neighbor has an expired description.";
reference
"RFC 9046: Babel Information Model, Section 3.5";
}
leaf exp-mcast-hello-seqno {
type union {
type enumeration {
enum null {
description
"Multicast Hello packets are not expected, or
processing of multicast packets is not
enabled.";
}
}
type uint16;
}
description
"Expected multicast Hello sequence number of next Hello
to be received from this neighbor; if multicast Hello
packets are not expected, or processing of multicast
packets is not enabled, this MUST be NULL.";
reference
"RFC 9046: Babel Information Model, Section 3.5";
}
leaf exp-ucast-hello-seqno {
type union {
type enumeration {
enum null {
description
"Unicast Hello packets are not expected, or
processing of unicast packets is not enabled.";
}
}
type uint16;
}
default "null";
description
"Expected unicast Hello sequence number of next Hello
to be received from this neighbor; if unicast Hello
packets are not expected, or processing of unicast
packets is not enabled, this MUST be NULL.";
reference
"RFC 9046: Babel Information Model, Section 3.5";
}
leaf ucast-hello-seqno {
type union {
type enumeration {
enum null {
description
"Unicast Hello packets are not being sent.";
}
}
type uint16;
}
default "null";
description
"The current sequence number in use for unicast Hellos
sent to this neighbor. If unicast Hellos are not being
sent, this MUST be NULL.";
reference
"RFC 9046: Babel Information Model, Section 3.5";
}
leaf ucast-hello-interval {
type uint16;
units "centiseconds";
description
"The current interval in use for unicast Hellos sent to
this neighbor. Units are centiseconds.";
reference
"RFC 9046: Babel Information Model, Section 3.5";
}
leaf rxcost {
type uint16;
description
"Reception cost calculated for this neighbor. This
value is usually derived from the Hello history, which
may be combined with other data, such as statistics
maintained by the link layer. The rxcost is sent to a
neighbor in each IHU.";
reference
"RFC 9046: Babel Information Model, Section 3.5";
}
leaf cost {
type int32;
description
"Link cost is computed from the values maintained in
the neighbor table. The statistics are kept in the
neighbor table about the reception of Hellos, and the
txcost is computed from received IHU packets.";
reference
"RFC 9046: Babel Information Model, Section 3.5";
}
}
}
list mac-key-set {
key "name";
description
"A MAC key set object. If this object is implemented, it
provides access to parameters related to the MAC security
mechanism.";
reference
"RFC 9046: Babel Information Model, Section 3.7";
leaf name {
type string;
description
"A string that uniquely identifies the MAC object.";
}
leaf default-apply {
type boolean;
description
"A boolean flag indicating whether this object
instance is applied to all new interfaces, by default.
If 'true', this instance is applied to new babel-
interfaces instances at the time they are created
by including it in the mac-key-sets list under
the interface. If 'false', this instance is not applied
to new interface instances when they are created.";
reference
"RFC 9046: Babel Information Model, Section 3.7";
}
list keys {
key "name";
min-elements 1;
description
"A set of keys objects.";
reference
"RFC 9046: Babel Information Model, Section 3.8";
leaf name {
type string;
description
"A unique name for this MAC key that can be used to
identify the key in this object instance since the
key value is not allowed to be read. This value can
only be provided when this instance is created and is
not subsequently writable.";
reference
"RFC 9046: Babel Information Model, Section 3.8";
}
leaf use-send {
type boolean;
mandatory true;
description
"Indicates whether this key value is used to compute a
MAC and include that MAC in the sent Babel packet. A
MAC for sent packets is computed using this key if the
value is 'true'. If the value is 'false', this key is
not used to compute a MAC to include in sent Babel
packets.";
reference
"RFC 9046: Babel Information Model, Section 3.8";
}
leaf use-verify {
type boolean;
mandatory true;
description
"Indicates whether this key value is used to verify
incoming Babel packets. This key is used to verify
incoming packets if the value is 'true'. If the value
is 'false', no MAC is computed from this key for
comparing an incoming packet.";
reference
"RFC 9046: Babel Information Model, Section 3.8";
}
leaf value {
nacm:default-deny-all;
type binary;
mandatory true;
description
"The value of the MAC key.
This value is of a length suitable for the associated
babel-mac-key-algorithm. If the algorithm is based on
the Hashed Message Authentication Code (HMAC)
construction (RFC 2104), the length MUST be between 0
and an upper limit that is at least the size of the
output length (where the 'HMAC-SHA256' output length
is 32 octets as described in RFC 4868). Longer lengths
MAY be supported but are not necessary if the
management system has the ability to generate a
suitably random value (e.g., by randomly generating a
value or by using a key derivation technique as
recommended in the security considerations of RFC
8967. If the algorithm is 'BLAKE2s-128', the length
MUST be between 0 and 32 bytes inclusive as specified
by RFC 7693.";
reference
"RFC 9046: Babel Information Model, Section 3.8
RFC 2104: HMAC: Keyed-Hashing for Message
Authentication
RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384, and
HMAC-SHA-512 with IPsec
RFC 7693: The BLAKE2 Cryptographic Hash and Message
Authentication Code (MAC)
RFC 8967: MAC Authentication for Babel";
}
leaf algorithm {
type identityref {
base mac-algorithms;
}
mandatory true;
description
"The MAC algorithm used with this key. The
value MUST be one of the identities
listed with the base of 'mac-algorithms'.";
reference
"RFC 9046: Babel Information Model, Section 3.8";
}
action test {
description
"An operation that allows the MAC key and MAC
algorithm to be tested to see if they produce an
expected outcome. Input to this operation is a
binary string and a calculated MAC (also in the
format of a binary string) for the binary string.
The implementation is expected to create a MAC over
the binary string using the value and algorithm.
The output of this operation is a binary indication
that the calculated MAC matched the input MAC
('true') or the MACs did not match ('false').";
reference
"RFC 9046: Babel Information Model, Section 3.8";
input {
leaf test-string {
type binary;
mandatory true;
description
"Input to this operation is a binary string.
The implementation is expected to create
a MAC over this string using the value and
the algorithm defined as part of the
mac-key-set.";
reference
"RFC 9046: Babel Information Model, Section 3.8";
}
leaf mac {
type binary;
mandatory true;
description
"Input to this operation includes a MAC.
The implementation is expected to calculate a MAC
over the string using the value and algorithm of
this key object and compare its calculated MAC to
this input MAC.";
reference
"RFC 9046: Babel Information Model, Section 3.8";
}
}
output {
leaf indication {
type boolean;
mandatory true;
description
"The output of this operation is a binary
indication that the calculated MAC matched the
input MAC ('true') or the MACs did not match
('false').";
reference
"RFC 9046: Babel Information Model, Section 3.8";
}
}
}
}
}
list dtls {
key "name";
description
"A dtls object. If this object is implemented,
it provides access to parameters related to the DTLS
security mechanism.";
reference
"RFC 9046: Babel Information Model, Section 3.9";
leaf name {
type string;
description
"A string that uniquely identifies a dtls object.";
}
leaf default-apply {
type boolean;
mandatory true;
description
"A boolean flag indicating whether this object
instance is applied to all new interfaces, by default.
If 'true', this instance is applied to new interface
instances at the time they are created by including it
in the dtls-certs list under the interface. If 'false',
this instance is not applied to new interface
instances when they are created.";
reference
"RFC 9046: Babel Information Model, Section 3.9";
}
list certs {
key "name";
min-elements 1;
description
"A set of cert objects. This contains
both certificates for this implementation to present
for authentication and to accept from others.
Certificates with a non-empty private key
can be presented by this implementation for
authentication.";
reference
"RFC 9046: Babel Information Model, Section 3.10";
leaf name {
type string;
description
"A unique name for this certificate that can be
used to identify the certificate in this object
instance, since the value is too long to be useful
for identification. This value MUST NOT be empty
and can only be provided when this instance is created
(i.e., it is not subsequently writable).";
reference
"RFC 9046: Babel Information Model, Section 3.10";
}
leaf value {
nacm:default-deny-write;
type string;
mandatory true;
description
"The certificate in Privacy-Enhanced Mail (PEM) format
(RFC 7468). This value can only be provided when this
instance is created and is not subsequently
writable.";
reference
"RFC 9046: Babel Information Model, Section 3.10
RFC 7468: Textual Encodings of PKIX, PKCS, and CMS
Structures";
}
leaf type {
nacm:default-deny-write;
type identityref {
base dtls-cert-types;
}
mandatory true;
description
"The certificate type of this object instance.
The value MUST be the same as one of the
identities listed with the base 'dtls-cert-types'.
This value can only be provided when this
instance is created and is not subsequently
writable.";
reference
"RFC 9046: Babel Information Model, Section 3.10";
}
leaf private-key {
nacm:default-deny-all;
type binary;
mandatory true;
description
"The value of the private key. If this is non-empty,
this certificate can be used by this implementation to
provide a certificate during DTLS handshaking.";
reference
"RFC 9046: Babel Information Model, Section 3.10";
}
leaf algorithm {
nacm:default-deny-write;
type identityref {
base ct:private-key-format;
}
mandatory true;
description
"Identifies the algorithm identity with which the
private key has been encoded. This value can only be
provided when this instance is created and is not
subsequently writable.";
}
}
}
uses routes;
}
}
}
IANA has registered the following URI in the "ns" registry of the "IETF XML Registry" [RFC3688].
IANAは、「IETF XMLレジストリ」[RFC3688]の「NS」レジストリに次のURIを登録しています。
URI:
URI:
urn:ietf:params:xml:ns:yang:ietf-babel
urn:ietf:params:xml:ns:yang:ietf-babel
Registrant Contact:
登録者の連絡先:
The IESG
IESG
XML:
XML:
N/A; the requested URI is an XML namespace.
n/a;要求されたURIはXMLネームスペースです。
IANA has registered the following in the "YANG Module Names" registry [RFC6020].
IANAは、「Yang Module Names」レジストリ[RFC6020]で以下を登録しています。
Name:
名前:
ietf-babel
ietf-babel
Namespace:
名前空間:
urn:ietf:params:xml:ns:yang:ietf-babel
urn:ietf:params:xml:ns:yang:ietf-babel
Prefix:
プレフィックス:
babel
バベル
Reference:
参照:
RFC 9647
RFC 9647
This section is modeled after the template defined in Section 3.7.1 of [RFC8407].
このセクションは、[RFC8407]のセクション3.7.1で定義されているテンプレートをモデルにしています。
The "ietf-babel" YANG module defines a data model that is designed to be accessed via YANG-based management protocols, such as NETCONF [RFC6241] and RESTCONF [RFC8040]. These protocols have mandatory-to-implement secure transport layers (e.g., Secure Shell (SSH) [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and mandatory-to-implement mutual authentication.
「IETF-Babel」Yangモジュールは、NetConf [RFC6241]やRestConf [RFC8040]などのYangベースの管理プロトコルを介してアクセスするように設計されたデータモデルを定義します。これらのプロトコルには、必須の安全性の安全な輸送層(例:セキュアシェル(SSH)[RFC4252]、TLS [RFC8446]、およびQUIC [RFC9000])および義務的な相互認証があります。
The Network Configuration Access Control Model (NACM) [RFC8341] provides the means to restrict access for particular NETCONF users to a preconfigured subset of all available NETCONF protocol operations and content.
ネットワーク構成アクセス制御モデル(NACM)[RFC8341]は、特定のNetConfユーザーのアクセスを利用可能なすべてのNetConfプロトコル操作とコンテンツの事前に構成されたサブセットに制限する手段を提供します。
The security considerations outlined here are specific to the YANG data model and do not cover security considerations of the Babel protocol or its security mechanisms in "The Babel Routing Protocol" [RFC8966], "MAC Authentication for the Babel Routing Protocol" [RFC8967], and "Babel Routing Protocol over Datagram Transport Layer Security" [RFC8968]. Each of these has its own Security Considerations section for considerations that are specific to it.
ここで概説されているセキュリティの考慮事項は、Yangデータモデルに固有のものであり、「The Babel Routing Protocol」[RFC8966]、「BABELルーティングプロトコルのMAC認証」[RFC8967]のBABELプロトコルまたはそのセキュリティメカニズムのセキュリティに関する考慮事項をカバーしていません[RFC8967]、および「データグラムトランスポートレイヤーセキュリティを介したバベルルーティングプロトコル」[RFC8968]。これらのそれぞれには、それに固有の考慮事項については、独自のセキュリティに関する考慮事項があります。
There are a number of data nodes defined in the YANG module that are writable/created/deleted (i.e., config true, which is the default). These data nodes may be considered sensitive or vulnerable in some network environments. Write operations (e.g., <edit-config>) to these data nodes without proper protection can have a negative effect on network operations. These are the subtrees and data nodes and their sensitivity/vulnerability from a config true perspective:
Yangモジュールには、作成可能/作成/削除/削除されたデータノードが多数あります(つまり、デフォルトであるConfig True)。これらのデータノードは、一部のネットワーク環境で敏感または脆弱と見なされる場合があります。適切な保護なしにこれらのデータノードに操作を書き込む(<edit-config>など)は、ネットワーク操作に悪影響を与える可能性があります。これらは、サブツリーとデータノードであり、構成真の観点からの感度/脆弱性です。
'babel':
「バベル」:
This container includes an 'enable' parameter that can be used to enable or disable use of Babel on a router.
このコンテナには、ルーターでのバベルの使用を有効または無効にするために使用できる「有効」パラメーターが含まれています。
'babel/constants':
「バベル/定数」:
This container includes configuration parameters that can prevent reachability if misconfigured.
このコンテナには、誤解された場合に到達可能性を防ぐことができる構成パラメーターが含まれています。
'babel/interfaces':
「バベル/インターフェイス」:
This leaf-list has configuration parameters that can enable/disable security mechanisms and change performance characteristics of the Babel protocol. For example, enabling logging of packets and giving unintended access to the log files gives an attacker detailed knowledge of the network and allows it to launch an attack on the traffic traversing the network device.
このリーフリストには、セキュリティメカニズムを有効/無効にし、BABELプロトコルのパフォーマンス特性を変更できる構成パラメーターがあります。たとえば、パケットのロギングを有効にし、ログファイルへの意図しないアクセスを提供すると、攻撃者にネットワークの詳細な知識が得られ、ネットワークデバイスを通過するトラフィックへの攻撃を開始できます。
'babel/hmac' and 'babel/dtls':
'babel/hmac'および 'babel/dtls':
These contain security credentials that influence whether incoming packets are trusted and whether outgoing packets are produced in such a way that the receiver will treat them as trusted.
これらには、着信パケットが信頼されているかどうか、および発信パケットがレシーバーがそれらを信頼できるように扱うように生成されるかどうかに影響するセキュリティ資格情報が含まれています。
Some of the readable data or config false nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. These are the subtrees and data nodes and their sensitivity/vulnerability from a config false perspective:
このYangモジュールの読み取り可能なデータまたは構成の誤ったノードの一部は、一部のネットワーク環境で敏感または脆弱と見なされる場合があります。したがって、これらのデータノードへの読み取りアクセス(GET、GetConfig、または通知を介して)を制御することが重要です。これらは、サブツリーとデータノードであり、構成の誤った視点からの感度/脆弱性です。
'babel':
「バベル」:
Access to the information in the various nodes can disclose the network topology. Additionally, the routes used by a network device may be used to mount a subsequent attack on traffic traversing the network device.
さまざまなノード内の情報へのアクセスは、ネットワークトポロジを開示できます。さらに、ネットワークデバイスで使用されるルートを使用して、ネットワークデバイスを横断するトラフィックへのその後の攻撃を取り付けることができます。
'babel/hmac' and 'babel/dtls':
'babel/hmac'および 'babel/dtls':
These contain security credentials, including private credentials of the router; however, it is required that these values not be readable.
これらには、ルーターのプライベート資格情報を含むセキュリティ資格情報が含まれています。ただし、これらの値は読み取らないことが必要です。
Some of the RPC operations in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control access to these operations. These are the operations and their sensitivity/vulnerability from an RPC operation perspective:
このヤンモジュールのRPC操作の一部は、一部のネットワーク環境で敏感または脆弱と見なされる場合があります。したがって、これらの操作へのアクセスを制御することが重要です。これらは、RPC操作の観点からの操作とその感度/脆弱性です。
This model defines two actions. Resetting the statistics within an interface container would be visible to any monitoring processes, which should be designed to account for the possibility of such a reset. The "test" action allows for validation that a MAC key and MAC algorithm have been properly configured. The MAC key is a sensitive piece of information, and it is important to prevent an attacker that does not know the MAC key from being able to determine the MAC value by trying different input parameters. The "test" action has been designed to not reveal such information directly. Such information might also be revealed indirectly due to side channels such as the time it takes to produce a response to the action. Implementations SHOULD use a constant-time comparison between the input MAC and the locally generated MAC value for comparison in order to avoid such side channel leakage.
このモデルは2つのアクションを定義します。インターフェイスコンテナ内の統計をリセットすることは、任意の監視プロセスに表示されます。これは、そのようなリセットの可能性を説明するように設計する必要があります。「テスト」アクションにより、MacキーとMacアルゴリズムが適切に構成されていることが検証できます。Macキーは敏感な情報であり、Macキーが異なる入力パラメーターを試してMac値を決定できることを知らない攻撃者を防ぐことが重要です。「テスト」アクションは、そのような情報を直接明らかにしないように設計されています。このような情報は、アクションへの応答を生成するのにかかる時間などのサイドチャネルのために間接的に明らかにされる可能性があります。実装は、このようなサイドチャネルの漏れを避けるために、入力MACとローカルで生成されたMAC値の間の比較の間の一定の比較を使用する必要があります。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252,
January 2006, <https://www.rfc-editor.org/info/rfc4252>.
[RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-
384, and HMAC-SHA-512 with IPsec", RFC 4868,
DOI 10.17487/RFC4868, May 2007,
<https://www.rfc-editor.org/info/rfc4868>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>.
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
RFC 6991, DOI 10.17487/RFC6991, July 2013,
<https://www.rfc-editor.org/info/rfc6991>.
[RFC7693] Saarinen, M., Ed. and J. Aumasson, "The BLAKE2
Cryptographic Hash and Message Authentication Code (MAC)",
RFC 7693, DOI 10.17487/RFC7693, November 2015,
<https://www.rfc-editor.org/info/rfc7693>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
Access Control Model", STD 91, RFC 8341,
DOI 10.17487/RFC8341, March 2018,
<https://www.rfc-editor.org/info/rfc8341>.
[RFC8343] Bjorklund, M., "A YANG Data Model for Interface
Management", RFC 8343, DOI 10.17487/RFC8343, March 2018,
<https://www.rfc-editor.org/info/rfc8343>.
[RFC8349] Lhotka, L., Lindem, A., and Y. Qu, "A YANG Data Model for
Routing Management (NMDA Version)", RFC 8349,
DOI 10.17487/RFC8349, March 2018,
<https://www.rfc-editor.org/info/rfc8349>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
[RFC8966] Chroboczek, J. and D. Schinazi, "The Babel Routing
Protocol", RFC 8966, DOI 10.17487/RFC8966, January 2021,
<https://www.rfc-editor.org/info/rfc8966>.
[RFC8967] Dô, C., Kolodziejak, W., and J. Chroboczek, "MAC
Authentication for the Babel Routing Protocol", RFC 8967,
DOI 10.17487/RFC8967, January 2021,
<https://www.rfc-editor.org/info/rfc8967>.
[RFC8968] Décimo, A., Schinazi, D., and J. Chroboczek, "Babel
Routing Protocol over Datagram Transport Layer Security",
RFC 8968, DOI 10.17487/RFC8968, January 2021,
<https://www.rfc-editor.org/info/rfc8968>.
[RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based
Multiplexed and Secure Transport", RFC 9000,
DOI 10.17487/RFC9000, May 2021,
<https://www.rfc-editor.org/info/rfc9000>.
[RFC9046] Stark, B. and M. Jethanandani, "Babel Information Model",
RFC 9046, DOI 10.17487/RFC9046, June 2021,
<https://www.rfc-editor.org/info/rfc9046>.
[RFC9147] Rescorla, E., Tschofenig, H., and N. Modadugu, "The
Datagram Transport Layer Security (DTLS) Protocol Version
1.3", RFC 9147, DOI 10.17487/RFC9147, April 2022,
<https://www.rfc-editor.org/info/rfc9147>.
[RFC9640] Watsen, K., "YANG Data Types and Groupings for
Cryptography", RFC 9640, DOI 10.17487/RFC9640, October
2024, <https://www.rfc-editor.org/info/rfc9640>.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104,
DOI 10.17487/RFC2104, February 1997,
<https://www.rfc-editor.org/info/rfc2104>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010,
<https://www.rfc-editor.org/info/rfc6020>.
[RFC7468] Josefsson, S. and S. Leonard, "Textual Encodings of PKIX,
PKCS, and CMS Structures", RFC 7468, DOI 10.17487/RFC7468,
April 2015, <https://www.rfc-editor.org/info/rfc7468>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/info/rfc8340>.
[RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
and R. Wilton, "Network Management Datastore Architecture
(NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018,
<https://www.rfc-editor.org/info/rfc8342>.
[RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of
Documents Containing YANG Data Models", BCP 216, RFC 8407,
DOI 10.17487/RFC8407, October 2018,
<https://www.rfc-editor.org/info/rfc8407>.
[W3C.REC-xml-20081126]
Bray, T., Paoli, J., Sperberg-McQueen, C. M., Maler, E.,
and F. Yergeau, "Extensible Markup Language (XML) 1.0
(Fifth Edition)", W3C Recommendation REC-xml-20081126,
November 2008, <https://www.w3.org/TR/xml/>.
This section is devoted to including a complete tree diagram and examples that demonstrate how Babel can be configured.
このセクションは、完全なツリー図と、バベルの構成方法を示す例を含めることに専念しています。
Note that various examples are encoded using Extensible Markup Language (XML) [W3C.REC-xml-20081126].
拡張可能なマークアップ言語(XML)[W3C.REC-XML-20081126]を使用して、さまざまな例がエンコードされていることに注意してください。
This section includes the complete tree diagram for the Babel YANG module.
このセクションには、バベルヤンモジュールの完全なツリー図が含まれています。
module: ietf-babel
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol:
+--rw babel!
+--ro version? string
+--rw enable boolean
+--ro router-id? binary
+--ro seqno? uint16
+--rw statistics-enabled? boolean
+--rw constants
| +--rw udp-port? inet:port-number
| +--rw mcast-group? inet:ip-address
+--rw interfaces* [reference]
| +--rw reference if:interface-ref
| +--rw enable? boolean
| +--rw metric-algorithm identityref
| +--rw split-horizon? boolean
| +--ro mcast-hello-seqno? uint16
| +--rw mcast-hello-interval? uint16
| +--rw update-interval? uint16
| +--rw mac-enable? boolean
| +--rw mac-key-sets* -> ../../mac-key-set/name
| +--rw mac-verify? boolean
| +--rw dtls-enable? boolean
| +--rw dtls-certs* -> ../../dtls/name
| +--rw dtls-cached-info? boolean
| +--rw dtls-cert-prefer* -> ../../dtls/certs/type
| +--rw packet-log-enable? boolean
| +--ro packet-log? inet:uri
| +--ro statistics
| | +--ro discontinuity-time yang:date-and-time
| | +--ro sent-mcast-hello? yang:counter32
| | +--ro sent-mcast-update? yang:counter32
| | +--ro sent-ucast-hello? yang:counter32
| | +--ro sent-ucast-update? yang:counter32
| | +--ro sent-ihu? yang:counter32
| | +--ro received-packets? yang:counter32
| | +---x reset
| | +---w input
| | | +---w reset-at? yang:date-and-time
| | +--ro output
| | +--ro reset-finished-at? yang:date-and-time
| +--ro neighbor-objects* [neighbor-address]
| +--ro neighbor-address inet:ip-address
| +--ro hello-mcast-history? string
| +--ro hello-ucast-history? string
| +--ro txcost? int32
| +--ro exp-mcast-hello-seqno? union
| +--ro exp-ucast-hello-seqno? union
| +--ro ucast-hello-seqno? union
| +--ro ucast-hello-interval? uint16
| +--ro rxcost? uint16
| +--ro cost? int32
+--rw mac-key-set* [name]
| +--rw name string
| +--rw default-apply? boolean
| +--rw keys* [name]
| +--rw name string
| +--rw use-send boolean
| +--rw use-verify boolean
| +--rw value binary
| +--rw algorithm identityref
| +---x test
| +---w input
| | +---w test-string binary
| | +---w mac binary
| +--ro output
| +--ro indication boolean
+--rw dtls* [name]
| +--rw name string
| +--rw default-apply boolean
| +--rw certs* [name]
| +--rw name string
| +--rw value string
| +--rw type identityref
| +--rw private-key binary
| +--rw algorithm identityref
+--ro routes* [prefix]
+--ro prefix inet:ip-prefix
+--ro router-id? binary
+--ro neighbor? leafref
+--ro received-metric? union
+--ro calculated-metric? union
+--ro seqno? uint16
+--ro next-hop? union
+--ro feasible? boolean
+--ro selected? boolean
In this example, interface eth0 is being configured for routing protocol Babel, and statistics gathering is enabled. For security, HMAC-SHA256 is supported. Every sent Babel packet is signed with the key value provided, and every received Babel packet is verified with the same key value.
この例では、インターフェイスETH0がルーティングプロトコルBabel用に構成されており、統計収集が有効になっています。セキュリティのために、HMAC-SHA256がサポートされています。送信されるすべてのバベルパケットは、提供されたキー値で署名され、受け取ったすべてのバベルパケットは同じキー値で検証されます。
<?xml version="1.0" encoding="UTF-8"?>
<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"
xmlns:ianaift="urn:ietf:params:xml:ns:yang:iana-if-type">
<interface>
<name>eth0</name>
<type>ianaift:ethernetCsmacd</type>
<enabled>true</enabled>
</interface>
</interfaces>
<routing
xmlns="urn:ietf:params:xml:ns:yang:ietf-routing">
<control-plane-protocols>
<control-plane-protocol>
<type
xmlns:babel=
"urn:ietf:params:xml:ns:yang:ietf-babel">babel:babel</type>
<name>name:babel</name>
<babel
xmlns="urn:ietf:params:xml:ns:yang:ietf-babel">
<enable>true</enable>
<statistics-enabled>true</statistics-enabled>
<interfaces>
<reference>eth0</reference>
<metric-algorithm>two-out-of-three</metric-algorithm>
<split-horizon>true</split-horizon>
</interfaces>
<mac-key-set>
<name>hmac-sha256</name>
<keys>
<name>hmac-sha256-keys</name>
<use-send>true</use-send>
<use-verify>true</use-verify>
<value>base64encodedvalue==</value>
<algorithm>hmac-sha256</algorithm>
</keys>
</mac-key-set>
</babel>
</control-plane-protocol>
</control-plane-protocols>
</routing>
In this example, babeld is configured on two interfaces:
この例では、Babeldは2つのインターフェイスで構成されています。
interface eth0
インターフェイスETH0
interface wlan0
インターフェイスWLAN0
This says to run Babel on interfaces eth0 and wlan0. Babeld will automatically detect that eth0 is wired and wlan0 is wireless and will configure the right parameters automatically.
これは、インターフェイスETH0およびWLAN0でBabelを実行することを示しています。Babeldは、Eth0が有線でwlan0がワイヤレスであることを自動的に検出し、適切なパラメーターを自動的に構成します。
<?xml version="1.0" encoding="UTF-8"?>
<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"
xmlns:ianaift="urn:ietf:params:xml:ns:yang:iana-if-type">
<interface>
<name>eth0</name>
<type>ianaift:ethernetCsmacd</type>
<enabled>true</enabled>
</interface>
<interface>
<name>wlan0</name>
<type>ianaift:ieee80211</type>
<enabled>true</enabled>
</interface>
</interfaces>
<routing
xmlns="urn:ietf:params:xml:ns:yang:ietf-routing">
<control-plane-protocols>
<control-plane-protocol>
<type
xmlns:babel=
"urn:ietf:params:xml:ns:yang:ietf-babel">babel:babel</type>
<name>name:babel</name>
<babel
xmlns="urn:ietf:params:xml:ns:yang:ietf-babel">
<enable>true</enable>
<interfaces>
<reference>eth0</reference>
<enable>true</enable>
<metric-algorithm>two-out-of-three</metric-algorithm>
<split-horizon>true</split-horizon>
</interfaces>
<interfaces>
<reference>wlan0</reference>
<enable>true</enable>
<metric-algorithm>etx</metric-algorithm>
<split-horizon>false</split-horizon>
</interfaces>
</babel>
</control-plane-protocol>
</control-plane-protocols>
</routing>
In this example, babeld is configured on three interfaces:
この例では、Babeldは3つのインターフェイスで構成されています。
interface eth0
インターフェイスETH0
interface eth1 type wireless
インターフェイスETH1タイプワイヤレス
interface tun0 type tunnel
インターフェイスTun0タイプトンネル
Here, interface eth1 is an Ethernet bridged to a wireless radio, so babeld's autodetection fails, and the interface type needs to be configured manually. Tunnels are not detected automatically, so this needs to be specified.
ここで、インターフェイスETH1はワイヤレス無線にブリッジされたイーサネットであるため、Babeldの自動検出が失敗し、インターフェイスタイプを手動で構成する必要があります。トンネルは自動的に検出されないため、これを指定する必要があります。
This is equivalent to the following:
これは次のものと同等です。
interface eth0 metric-algorithm 2-out-of-3 split-horizon true
インターフェイスETH0メトリックアルゴリズム2-of-of-3スプリットホリゾンTrue
interface eth1 metric-algorithm etx split-horizon false
インターフェイスETH1メトリックアルゴリズムETXスプリットホリゾンFALSE
interface tun0 metric-algorithm 2-out-of-3 split-horizon true
インターフェイスTUN0メトリックアルゴリズム2-OUT-OR-3スプリットホリゾンTRUE
<?xml version="1.0" encoding="UTF-8"?>
<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"
xmlns:ianaift="urn:ietf:params:xml:ns:yang:iana-if-type">
<interface>
<name>eth0</name>
<type>ianaift:ethernetCsmacd</type>
<enabled>true</enabled>
</interface>
<interface>
<name>eth1</name>
<type>ianaift:ethernetCsmacd</type>
<enabled>true</enabled>
</interface>
<interface>
<name>tun0</name>
<type>ianaift:tunnel</type>
<enabled>true</enabled>
</interface>
</interfaces>
<routing
xmlns="urn:ietf:params:xml:ns:yang:ietf-routing">
<control-plane-protocols>
<control-plane-protocol>
<type
xmlns:babel=
"urn:ietf:params:xml:ns:yang:ietf-babel">babel:babel</type>
<name>name:babel</name>
<babel
xmlns="urn:ietf:params:xml:ns:yang:ietf-babel">
<enable>true</enable>
<interfaces>
<reference>eth0</reference>
<enable>true</enable>
<metric-algorithm>two-out-of-three</metric-algorithm>
<split-horizon>true</split-horizon>
</interfaces>
<interfaces>
<reference>eth1</reference>
<enable>true</enable>
<metric-algorithm>etx</metric-algorithm>
<split-horizon>false</split-horizon>
</interfaces>
<interfaces>
<reference>tun0</reference>
<enable>true</enable>
<metric-algorithm>two-out-of-three</metric-algorithm>
<split-horizon>true</split-horizon>
</interfaces>
</babel>
</control-plane-protocol>
</control-plane-protocols>
</routing>
In this example, two interfaces are configured for babeld:
この例では、Babeld用に2つのインターフェイスが構成されています。
interface eth0
インターフェイスETH0
interface ppp0 hello-interval 30 update-interval 120
インターフェイスPPP0 hello-interval 30 update-interval 120
Here, ppp0 is a metered 3G link used for fallback connectivity. It runs with much higher than default time constants in order to avoid control traffic as much as possible.
ここでは、PPP0はフォールバック接続に使用されるメーターの3Gリンクです。制御トラフィックを可能な限り回避するために、デフォルトよりもはるかに高い時間定数で動作します。
<?xml version="1.0" encoding="UTF-8"?>
<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"
xmlns:ianaift="urn:ietf:params:xml:ns:yang:iana-if-type">
<interface>
<name>eth0</name>
<type>ianaift:ethernetCsmacd</type>
<enabled>true</enabled>
</interface>
<interface>
<name>ppp0</name>
<type>ianaift:ppp</type>
<enabled>true</enabled>
</interface>
</interfaces>
<routing
xmlns="urn:ietf:params:xml:ns:yang:ietf-routing">
<control-plane-protocols>
<control-plane-protocol>
<type
xmlns:babel=
"urn:ietf:params:xml:ns:yang:ietf-babel">babel:babel</type>
<name>name:babel</name>
<babel
xmlns="urn:ietf:params:xml:ns:yang:ietf-babel">
<enable>true</enable>
<interfaces>
<reference>eth0</reference>
<enable>true</enable>
<metric-algorithm>two-out-of-three</metric-algorithm>
<split-horizon>true</split-horizon>
</interfaces>
<interfaces>
<reference>ppp0</reference>
<enable>true</enable>
<mcast-hello-interval>30</mcast-hello-interval>
<update-interval>120</update-interval>
<metric-algorithm>two-out-of-three</metric-algorithm>
</interfaces>
</babel>
</control-plane-protocol>
</control-plane-protocols>
</routing>
Juliusz Chroboczek provided most of the example configurations for babel that are shown in Appendix A.
Juliusz Chroboczekは、付録Aに示されているBabelの例のほとんどの構成を提供しました。
Mahesh Jethanandani
Kloud Services
California
United States of America
Email: mjethanandani@gmail.com
Barbara Stark
AT&T
Atlanta, GA
United States of America
Email: barbara.stark@att.com