Introducing IPSec and IKE telemetry model
Change Scope
- Add telemetry for monitoring IPSec and IKE
- A follow-up PR will add IPSec and IKE configuration
- This change is backwards compatible
Platform Implementations
- Cisco IOSXR supports IPSec.
- Juniper JunOS supports a variety of show security ipsec commands
- Arista EOS supports a variety of show ip security commands
Tree View
+--rw network-instances
+--rw network-instance* [name]
+--rw oc-ipsec:security
+--rw oc-ipsec:ike
| +--rw oc-ipsec:ike-sa
| | +--rw oc-ipsec:ipv4
| | | +--rw oc-ipsec:security-associations
| | | +--ro oc-ipsec:security-association* [initiator-spi responder-spi remote-address local-address]
| | | +--ro oc-ipsec:initiator-spi -> ../state/initiator-spi
| | | +--ro oc-ipsec:responder-spi -> ../state/responder-spi
| | | +--ro oc-ipsec:remote-address -> ../state/remote-address
| | | +--ro oc-ipsec:local-address -> ../state/local-address
| | | +--ro oc-ipsec:state
| | | +--ro oc-ipsec:initiator-spi uint64
| | | +--ro oc-ipsec:responder-spi uint64
| | | +--ro oc-ipsec:remote-address inet:ipv4-address
| | | +--ro oc-ipsec:local-address inet:ipv4-address
| | +--rw oc-ipsec:ipv6
| | +--rw oc-ipsec:security-associations
| | +--ro oc-ipsec:security-association* [initiator-spi responder-spi remote-address local-address]
| | +--ro oc-ipsec:initiator-spi -> ../state/initiator-spi
| | +--ro oc-ipsec:responder-spi -> ../state/responder-spi
| | +--ro oc-ipsec:remote-address -> ../state/remote-address
| | +--ro oc-ipsec:local-address -> ../state/local-address
| | +--ro oc-ipsec:state
| | +--ro oc-ipsec:initiator-spi uint64
| | +--ro oc-ipsec:responder-spi uint64
| | +--ro oc-ipsec:remote-address inet:ipv6-address
| | +--ro oc-ipsec:local-address inet:ipv6-address
| +--rw oc-ipsec:child-sa
| +--rw oc-ipsec:ipv4
| | +--rw oc-ipsec:security-associations
| | +--ro oc-ipsec:security-association* [spi destination-address protocol]
| | +--ro oc-ipsec:spi -> ../state/spi
| | +--ro oc-ipsec:destination-address -> ../state/destination-address
| | +--ro oc-ipsec:protocol -> ../state/protocol
| | +--ro oc-ipsec:state
| | +--ro oc-ipsec:counters
| | | +--ro oc-ipsec:bytes-processed yang:counter64
| | | +--ro oc-ipsec:packets-processed yang:counter64
| | +--ro oc-ipsec:spi uint32
| | +--ro oc-ipsec:destination-address inet:ipv4-address
| | +--ro oc-ipsec:protocol identityref
| | +--ro oc-ipsec:active boolean
| | +--ro oc-ipsec:direction identityref
| | +--ro oc-ipsec:anti-replay-window uint16
| | +--ro oc-ipsec:source-address inet:ipv4-address
| | +--ro oc-ipsec:encryption-algorithm identityref
| | +--ro oc-ipsec:integrity-algorithm identityref
| | +--ro oc-ipsec:pfs-dh-group identityref
| | +--ro oc-ipsec:lifetime
| | | +--ro oc-ipsec:sa-add-time yang:date-and-time
| | | +--ro oc-ipsec:sa-rekey-time yang:date-and-time
| | +--ro oc-ipsec:lifetime-config
| | | +--ro oc-ipsec:time uint64
| | | +--ro oc-ipsec:bytes uint64
| | | +--ro oc-ipsec:packets uint64
| | +--ro oc-ipsec:ike-sa
| | +--ro oc-ipsec:initiator-spi? -> ../../../../../../../ike-sa/ipv4/security-associations/security-association/initiator-spi
| | +--ro oc-ipsec:responder-spi? -> ../../../../../../../ike-sa/ipv4/security-associations/security-association/responder-spi
| | +--ro oc-ipsec:remote-address? -> ../../../../../../../ike-sa/ipv4/security-associations/security-association/remote-address
| | +--ro oc-ipsec:local-address -> ../../../../../../../ike-sa/ipv4/security-associations/security-association/local-address
| +--rw oc-ipsec:ipv6
| +--rw oc-ipsec:security-associations
| +--ro oc-ipsec:security-association* [spi destination-address protocol]
| +--ro oc-ipsec:spi -> ../state/spi
| +--ro oc-ipsec:destination-address -> ../state/destination-address
| +--ro oc-ipsec:protocol -> ../state/protocol
| +--ro oc-ipsec:state
| +--ro oc-ipsec:counters
| | +--ro oc-ipsec:bytes-processed yang:counter64
| | +--ro oc-ipsec:packets-processed yang:counter64
| +--ro oc-ipsec:spi uint32
| +--ro oc-ipsec:destination-address inet:ipv6-address
| +--ro oc-ipsec:protocol identityref
| +--ro oc-ipsec:active boolean
| +--ro oc-ipsec:direction identityref
| +--ro oc-ipsec:anti-replay-window uint16
| +--ro oc-ipsec:source-address inet:ipv6-address
| +--ro oc-ipsec:encryption-algorithm identityref
| +--ro oc-ipsec:integrity-algorithm identityref
| +--ro oc-ipsec:pfs-dh-group identityref
| +--ro oc-ipsec:lifetime
| | +--ro oc-ipsec:sa-add-time yang:date-and-time
| | +--ro oc-ipsec:sa-rekey-time yang:date-and-time
| +--ro oc-ipsec:lifetime-config
| | +--ro oc-ipsec:time uint64
| | +--ro oc-ipsec:bytes uint64
| | +--ro oc-ipsec:packets uint64
| +--ro oc-ipsec:ike-sa
| +--ro oc-ipsec:initiator-spi? -> ../../../../../../../ike-sa/ipv6/security-associations/security-association/initiator-spi
| +--ro oc-ipsec:responder-spi? -> ../../../../../../../ike-sa/ipv6/security-associations/security-association/responder-spi
| +--ro oc-ipsec:remote-address? -> ../../../../../../../ike-sa/ipv6/security-associations/security-association/remote-address
| +--ro oc-ipsec:local-address -> ../../../../../../../ike-sa/ipv6/security-associations/security-association/local-address
+--rw oc-ipsec:ipsec
+--rw oc-ipsec:ipv4
| +--rw oc-ipsec:connections
| +--ro oc-ipsec:connection* [name]
| +--ro oc-ipsec:name -> ../state/name
| +--ro oc-ipsec:state
| | +--ro oc-ipsec:name string
| | +--ro oc-ipsec:profile-name string
| | +--ro oc-ipsec:tunnel-interface -> /oc-if:interfaces/interface/name
| | +--ro oc-ipsec:status identityref
| | +--ro oc-ipsec:local-address inet:ipv4-address
| | +--ro oc-ipsec:remote-address inet:ipv4-address
| | +--ro oc-ipsec:connection-uptime yang:date-and-time
| | +--ro oc-ipsec:next-sa-rekey-time yang:date-and-time
| | +--ro oc-ipsec:error string
| | +--ro oc-ipsec:counters
| | +--ro oc-ipsec:input-bytes yang:counter64
| | +--ro oc-ipsec:input-packets yang:counter64
| | +--ro oc-ipsec:output-bytes yang:counter64
| | +--ro oc-ipsec:output-packets yang:counter64
| | +--ro oc-ipsec:replay-failure yang:counter64
| | +--ro oc-ipsec:integrity-failure yang:counter64
| | +--ro oc-ipsec:encryption-failure yang:counter64
| +--ro oc-ipsec:ike-security-associations
| | +--ro oc-ipsec:security-association* [initiator-spi responder-spi remote-address local-address]
| | +--ro oc-ipsec:initiator-spi -> ../../../../../../../ike/ike-sa/ipv4/security-associations/security-association/initiator-spi
| | +--ro oc-ipsec:responder-spi -> ../../../../../../../ike/ike-sa/ipv4/security-associations/security-association/responder-spi
| | +--ro oc-ipsec:remote-address -> ../../../../../../../ike/ike-sa/ipv4/security-associations/security-association/remote-address
| | +--ro oc-ipsec:local-address -> ../../../../../../../ike/ike-sa/ipv4/security-associations/security-association/local-address
| +--ro oc-ipsec:child-security-associations
| +--ro oc-ipsec:security-association* [spi destination-address protocol]
| +--ro oc-ipsec:spi -> ../../../../../../../ike/child-sa/ipv4/security-associations/security-association/spi
| +--ro oc-ipsec:destination-address -> ../../../../../../../ike/child-sa/ipv4/security-associations/security-association/destination-address
| +--ro oc-ipsec:protocol -> ../../../../../../../ike/child-sa/ipv4/security-associations/security-association/protocol
+--rw oc-ipsec:ipv6
+--rw oc-ipsec:connections
+--ro oc-ipsec:connection* [name]
+--ro oc-ipsec:name -> ../state/name
+--ro oc-ipsec:state
| +--ro oc-ipsec:name string
| +--ro oc-ipsec:profile-name string
| +--ro oc-ipsec:tunnel-interface -> /oc-if:interfaces/interface/name
| +--ro oc-ipsec:status identityref
| +--ro oc-ipsec:local-address inet:ipv6-address
| +--ro oc-ipsec:remote-address inet:ipv6-address
| +--ro oc-ipsec:connection-uptime yang:date-and-time
| +--ro oc-ipsec:next-sa-rekey-time yang:date-and-time
| +--ro oc-ipsec:error string
| +--ro oc-ipsec:counters
| +--ro oc-ipsec:input-bytes yang:counter64
| +--ro oc-ipsec:input-packets yang:counter64
| +--ro oc-ipsec:output-bytes yang:counter64
| +--ro oc-ipsec:output-packets yang:counter64
| +--ro oc-ipsec:replay-failure yang:counter64
| +--ro oc-ipsec:integrity-failure yang:counter64
| +--ro oc-ipsec:encryption-failure yang:counter64
+--ro oc-ipsec:ike-security-associations
| +--ro oc-ipsec:security-association* [initiator-spi responder-spi remote-address local-address]
| +--ro oc-ipsec:initiator-spi -> ../../../../../../../ike/ike-sa/ipv6/security-associations/security-association/initiator-spi
| +--ro oc-ipsec:responder-spi -> ../../../../../../../ike/ike-sa/ipv6/security-associations/security-association/responder-spi
| +--ro oc-ipsec:remote-address -> ../../../../../../../ike/ike-sa/ipv6/security-associations/security-association/remote-address
| +--ro oc-ipsec:local-address -> ../../../../../../../ike/ike-sa/ipv6/security-associations/security-association/local-address
+--ro oc-ipsec:child-security-associations
+--ro oc-ipsec:security-association* [spi destination-address protocol]
+--ro oc-ipsec:spi -> ../../../../../../../ike/child-sa/ipv6/security-associations/security-association/spi
+--ro oc-ipsec:destination-address -> ../../../../../../../ike/child-sa/ipv6/security-associations/security-association/destination-address
+--ro oc-ipsec:protocol -> ../../../../../../../ike/child-sa/ipv6/security-associations/security-association/protocol
No major YANG version changes in commit 1f2ee4b722b05baa09a03398cc7ae60852a31407
Reviewed in the December 16, 2025 OC Operators meeting without objections. Setting to last call for comments. This will merge on Jan 13, 2026.