YANG Model for Transmission Control
Protocol (TCP) ConfigurationHochschule Esslingen -
University of Applied SciencesFlandernstr. 10173732EsslingenGermanymichael.scharf@hs-esslingen.deKloud Servicesmjethanandani@gmail.comSamsungvmurgai@gmail.com
Transport
TCPMYANGThis document specifies a minimal YANG model for TCP on devices that are
configured by network management protocols. The YANG model defines a
container for all TCP connections and groupings of authentication
parameters that can be imported and used in TCP implementations or by
other models that need to configure TCP parameters. The model also
includes basic TCP statistics. The model is NMDA (RFC 8342)
compliant.The Transmission Control
Protocol (TCP) Specification
is used by many applications in the Internet, including control
and management protocols. Therefore, TCP is implemented on network
elements that can be configured via network management protocols such as
NETCONF or RESTCONF. This document specifies a minimal
YANG 1.1 model for configuring TCP on
network elements that support YANG data models, and is Network Management Datastore Architecture (NMDA)
compliant. The model has a narrow scope and focuses on a subset of
fundamental TCP functions and basic statistics. It defines a container
for TCP connection that includes definitions from YANG Groupings for TCP
Clients and TCP Servers. The model also enables configuration
of TCP-AO, which is a relevant TCP feature
on network elements such as routers. The model can be augmented or
updated to address more advanced or implementation-specific TCP features
in the future.Many protocol stacks on Internet hosts use other methods to configure
TCP, such as operating system configuration or policies. Many TCP/IP
stacks cannot be configured by network management protocols such as
NETCONF or RESTCONF. Moreover, many existing TCP/IP stacks
do not use YANG data models. Such TCP implementations often have other
means to configure the parameters listed in this document, which are
outside the scope of this document.This specification is orthogonal to the Management Information Base (MIB) for the Transmission
Control Protocol (TCP). The basic statistics defined in this
document follow the model of the TCP MIB. An TCP
Extended Statistics MIB is also available, but this document does
not cover such extended statistics. It is possible also to translate a
MIB into a YANG model, for instance using Translation of Structure of Management Information
Version 2 (SMIv2) MIB Modules to YANG Modules. However, this
approach is not used in this document, as such a translated model would
not be up-to-date.There are other existing TCP-related YANG models, which are
orthogonal to this specification. Examples are:TCP header attributes are modeled in other models, such as YANG Data Model for Network Access Control Lists
(ACLs) and Distributed
Denial-of-Service Open Thread Signaling (DOTS) Data Channel
Specification.TCP-related configuration of a NAT (e.g., NAT44, NAT64,
Destination NAT, ...) is defined in A YANG
Module for Network Address Translation (NAT) and Network Prefix
Translation (NPT) and A YANG Data
Model for Dual-Stack Lite (DS-Lite) .The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
when, and only when,
they appear in all capitals, as shown here.This document uses several placeholder values throughout the
document. Please replace them as follows and remove this note before
publication.RFC XXXX, where XXXX is the number assigned to this document at the
time of publication.2021-10-25 with the actual date of the publication of this
document.TCP is implemented on many different system architectures. As a
result, there are may different and often implementation-specific ways
to configure parameters of the TCP protocol engine. In addition, in
many TCP/IP stacks configuration exists for different scopes:Global configuration: Many TCP implementations have
configuration parameters that affect all TCP connections. Typical
examples include enabling or disabling optional protocol
features.Interface configuration: It can be useful to use different TCP
parameters on different interfaces, e.g., different device ports
or IP interfaces. In that case, TCP parameters can be part of the
interface configuration. Typical examples are the Maximum Segment
Size (MSS) or configuration related to hardware offloading.Connection parameters: Many implementations have means to
influence the behavior of each TCP connection, e.g., on the
programming interface used by applications. A typical example are
socket options in the socket API, such as disabling the Nagle
algorithm by TCP_NODELAY. If an application uses such an
interface, it is possible that the configuration of the
application or application protocol includes TCP-related
parameters. An example is the BGP YANG Model for Service
Provider Networks .Policies: Setting of TCP parameters can also be part of system
policies, templates, or profiles. An example would be the
preferences defined in An
Abstract Application Layer Interface to Transport
Services.As a result, there is no ground truth for setting certain TCP
parameters, and traditionally different TCP implementation have used
different modeling approaches. For instance, one implementation may
define a given configuration parameter globally, while another one
uses per-interface settings, and both approaches work well for the
corresponding use cases. Also, different systems may use different
default values. In addition, TCP can be implemented in different ways
and design choices by the protocol engine often affect configuration
options.Nonetheless, a number of TCP stack parameters require configuration
by YANG models. This document therefore defines a minimal YANG model
with fundamental parameters directly following from TCP standards.An important use case is the TCP configuration on network elements
such as routers, which often use YANG data models. The model therefore
specifies TCP parameters that are important on such TCP stacks.This in particular applies to the support of TCP-AO. TCP Authentication Option (TCP-AO) is
used on routers to secure routing protocols such as BGP. In that case,
a YANG model for TCP-AO configuration is required. The model defined
in this document includes the required parameters for TCP-AO
configuration, such as the values of SendID and RecvID. The
key chain for TCP-AO can be modeled by the YANG
Data Model for Key Chains.Given an installed base, the model also allows enabling of the
legacy TCP MD5 signature option. As the
TCP MD5 signature option is obsoleted by TCP-AO, it is strongly
RECOMMENDED to use TCP-AO.Similar to the TCP MIB, this document
also specifies basic statistics and a TCP connection table.Statistics: Counters for the number of active/passive opens,
sent and received segments, errors, and possibly other detailed
debugging informationTCP connection table: Access to status information for all TCP
connections. Note, the connection table is modeled as a list
that is read-writeable, even though a connection cannot be
created by adding entries to the table. Similarly, deletion
of connections from this list is implementation-specific.This allows implementations of TCP
MIB to migrate to the YANG model defined in this memo.
Note that the TCP MIB does not include means to reset statistics, which
are defined in this document. This is not a major addition, as a reset
can simply be implemented by storing offset values for the counters.The YANG model defined in this document includes definitions from
the YANG Groupings
for TCP Clients and TCP Servers. Similar to that model, this
specification defines YANG groupings. This allows reuse of these
groupings in different YANG data models. It is intended that these
groupings will be used either standalone or for TCP-based protocols as
part of a stack of protocol-specific configuration models. An example
could be the BGP YANG Model for
Service Provider Networks .This section provides a abridged tree diagram for the YANG module
defined in this document. Annotations used in the diagram are defined
in YANG Tree Diagrams .This document registers an URI in the "ns" subregistry of the
IETF XML Registry . Following the format
in IETF XML Registry , the following
registration is requested:This document registers a YANG module in the "YANG Module Names"
registry YANG - A Data Modeling Language
. Following the format in YANG - A Data
Modeling Language , the following registrations are
requested:The YANG module specified in this document defines a schema for data
that is designed to be accessed via network management protocols such as
NETCONF or RESTCONF
. The lowest NETCONF layer is the secure transport layer, and the
mandatory-to-implement secure transport is Secure Shell (SSH) described
in Using the NETCONF protocol over SSH .
The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement
secure transport is TLS .The Network Configuration Access Control Model
(NACM) provides the means to restrict access for particular
NETCONF or RESTCONF users to a preconfigured subset of all available
NETCONF or RESTCONF protocol operations and content.There are a number of data nodes defined in this YANG module that are
writable/creatable/deletable (i.e., "config true", which is the
default). These data nodes may be considered sensitive or vulnerable in
some network environments. Write operations (e.g., edit-config) to these
data nodes without proper protection can have a negative effect on
network operations. These are the subtrees and data nodes and their
sensitivity/vulnerability:Common configuration included from
NETCONF Client
and Server Models . Unrestricted
access to all the nodes, e.g., keepalive idle-timer,
can cause connections to fail or to timeout prematurely.Authentication configuration. Unrestricted access to the nodes under
authentication configuration can prevent the use of authenticated
communication and cause connection setups to fail. This can result
in massive security vulnerabilities and service disruption for the
traffic requiring authentication.Some of the readable data nodes in this YANG module may be considered
sensitive or vulnerable in some network environments. It is thus
important to control read access (e.g., via get, get-config, or
notification) to these data nodes. These are the subtrees and data nodes
and their sensitivity/vulnerability:Unrestricted access to connection information of the client or
server can be used by a malicious user to launch an attack, e.g.
MITM.Similarly, unrestricted access to statistics of the client or
server can be used by a malicious user to exploit any
vulnerabilities of the system.Some of the RPC operations in this YANG module may be considered
sensitive or vulnerable in some network environments. It is thus
important to control access to these operations. These are the
operations and their sensitivity/vulnerability:The YANG module allows for the statistics to be cleared by
executing the reset action. This action should be restricted to
users with the right permission.Michael Scharf was supported by the StandICT.eu project, which is
funded by the European Commission under the Horizon 2020 Programme.The following persons have contributed to this document by reviews:
Mohamed BoucadairChanges compared to draft-scharf-tcpm-yang-tcp-04Removed congestion controlRemoved global stack parametersChanges compared to draft-scharf-tcpm-yang-tcp-03Updated TCP-AO groupingAdded congestion controlChanges compared to draft-scharf-tcpm-yang-tcp-02Initial proposal of a YANG model including base configuration
parameters, TCP-AO configuration, and a connection listEditorial bugfixes and outdated references reported by Mohamed
BoucadairAdditional co-author Mahesh JethanandaniChanges compared to draft-scharf-tcpm-yang-tcp-01Alignment with Removing backward-compatibility to the TCP MIBAdditional co-author Vishal MurgaiChanges compared to draft-scharf-tcpm-yang-tcp-00Editorial improvementsThis particular example demonstrates how both a particular
connection can be configured for keepalives.The following example demonstrates how to model a TCP-AO configuration for the example in TCP-AO Test Vectors,
Section 5.1.1.Here is the complete tree diagram for the TCP YANG model.