MACsec/ MKA model reworked (on dev_macsec branch) based on review comments from PR #408 (on macsec branch) (#412)

* MACsec OTG model reworked based on review of model from macsec branch

* Update auto generated content

* More rework based on review comments

* Add missing file

* Update auto generated content

* Fix secure channels

* Update auto generated content

* Fix secure channels

* Update auto generated content

* Fix secure channels

* Update auto generated content

* Fix secure channels

* Update auto generated content

* Correct min and max length of hex fields

* Update auto generated content

* Update key time descriptions

* Update auto generated content

* Add MACsec and MKA metrics

* Update auto generated content

* More rework based on review

* Update auto generated content

* Split time offset and key chain start time into subfields

* Update auto generated content

* Fix time fields

* Update auto generated content

* Fix time fields

* Update auto generated content

* Add integer format to time subfields

* Change class name from Macsec to SecureEntity to match field name secure_entity

* Update auto generated content

* Change description of psk_chain_start_time

* Update auto generated content

* Try to set psk chain start time description from the field description itself

* Update auto generated content

* Move re-shared key(PSK) chain start time description

* Update auto generated content

* Add lifetime validity information

* Update auto generated content

* add required fields

* Update auto generated content

* Minutes field max limit set to 59

* Remove encrypt_decrypt engine type from the model as of now as it is not implemented/ tested yet.

* Update auto generated content

* Some change in description to reflect previus change in redocly view

* Update auto generated content

---------

Co-authored-by: Github Actions Bot <[email protected]>

Author: sasubrata

artifacts/openapi.html

@@ -77,6 +77,11 @@ components:
             Configuration for OSPFv2 router.
           $ref: './ospfv2/router.yaml#/components/schemas/Device.Ospfv2Router'
           x-field-uid: 10
+        macsec:
+          description: >-
+            Configuration of MACsec device.
+          $ref: './macsec/macsec.yaml#/components/schemas/Device.Macsec'
+          x-field-uid: 11
       required: [name]
     Protocol.Options:
       description: >-

artifacts/openapi.yaml

@@ -0,0 +1,129 @@
+components:
+  schemas:
+    SecureEntity.CryptoEngine:
+      description: >-
+        A container of crypto engine properties of a SecY.
+      type: object
+      properties:
+        choice:
+          description: >-
+            Engine type based on encryption and/ or decryption capability. Supported types: encrypt_only - engine can only encrypt transmitted packets but it cannot decrypt packets upon arrival. As the packets cannot be decrypted on arrival, such packets cannot be delivered to the receiving device. Hence only stateless traffic can be sent.
+          type: string
+          default: encrypt_only
+          x-field-uid: 1
+          x-enum:
+            encrypt_only:
+              x-field-uid: 1
+        encrypt_only:
+          $ref: '#/components/schemas/SecureEntity.CryptoEngine.EncryptOnly'
+          x-field-uid: 2
+    SecureEntity.CryptoEngine.EncryptOnly:
+      description: >-
+        The container for encrypt only engine configuration.
+      type: object
+      properties:
+        secure_channels:
+          type: array
+          items:
+            $ref: '#/components/schemas/SecureEntity.CryptoEngine.EncryptOnly.TxSc'
+          x-field-uid: 1
+        traffic_options:
+          $ref: '#/components/schemas/SecureEntity.CryptoEngine.EncryptOnly.TrafficOptions'
+          x-field-uid: 2
+    SecureEntity.CryptoEngine.EncryptOnly.TxSc:
+      description: >-
+        The container for Tx secure channel configuration.
+      type: object
+      properties:
+        tx_pn:
+          $ref: '#/components/schemas/SecureEntity.CryptoEngine.EncryptOnly.TxSc.TxPn'
+          x-field-uid: 1
+    SecureEntity.CryptoEngine.EncryptOnly.TxSc.TxPn:
+      description: >-
+        Tx packet number(PN) configuration.
+      type: object
+      properties:
+        choice:
+          description: >-
+            Types of Tx packet number(PN) series. Supported choices: 1) fixed PN - MACsec packets will be sent out with the configured fixed PN or lower half of configured fixed XPN. 2) incrementing PN - MACsec packets will be sent out by single device with an incrementing PN or XPN.
+          type: string
+          default: fixed_pn
+          x-field-uid: 1
+          x-enum:
+            fixed_pn:
+              x-field-uid: 1
+            incrementing_pn:
+              x-field-uid: 2
+        fixed:
+          $ref: '#/components/schemas/SecureEntity.CryptoEngine.EncryptOnly.FixedPn'
+          x-field-uid: 2
+        incrementing:
+          $ref: '#/components/schemas/SecureEntity.CryptoEngine.EncryptOnly.IncrementingPn'
+          x-field-uid: 3
+    SecureEntity.CryptoEngine.EncryptOnly.FixedPn:
+      description: >-
+        Fixed packet number(PN) configuration.
+      type: object
+      properties:
+        pn:
+          description: >-
+            Fixed Tx packet number(PN). 4 bytes PN with which all packets will be sent out.
+          type: integer
+          format: uint32
+          minimum: 1
+          maximum: 4294967295
+          default: 6 
+          x-field-uid: 1
+        xpn:
+          description: >-
+            Fixed Tx extended packet number(XPN). 8 bytes XPN with which all packets will be sent out.
+          type: string
+          format: hex
+          minLength: 1
+          maxLength: 16
+          minimum: 1
+          default: "0x0000000000000006"
+          x-field-uid: 2
+    SecureEntity.CryptoEngine.EncryptOnly.IncrementingPn:
+      description: >-
+        Incrementing packet number(PN) configuration.
+      type: object
+      properties:
+        count:
+          description: >-
+            Count of packet numbers in series. 
+          type: integer
+          format: uint32
+          minimum: 2
+          maximum: 1000000
+          default: 100
+          x-field-uid: 1
+        starting_pn:
+          description: >-
+            The starting packet number(PN).
+          type: integer
+          format: uint32
+          minimum: 1
+          default: 10000
+          x-field-uid: 2
+        starting_xpn:
+          description: >-
+            The starting extended packet number(XPN).
+          type: string
+          format: hex
+          minLength: 1
+          maxLength: 16
+          minimum: 1
+          default: "0x0000000000010000"
+          x-field-uid: 3
+    SecureEntity.CryptoEngine.EncryptOnly.TrafficOptions:
+      description: >-
+        Encrypt only traffic options.
+      type: object
+      properties:
+        send_gratuitous_arp:
+          description: >-
+            Send gratuitous ARP or not.
+          type: boolean
+          default: true 
+          x-field-uid: 1

artifacts/otg.proto

@@ -0,0 +1,45 @@
+components:
+  schemas:
+    SecureEntity.DataPlane:
+      description: >-
+        A container of data plane properties.
+      type: object
+      properties:
+        choice:
+          description: >-
+            Choose "encapsulation" so that data packets are sent with MACsec encapsulation. Choose "no_encapsulation" so that data packets are sent without MACsec encapsulation.
+          type: string
+          default: encapsulation
+          x-field-uid: 1
+          x-enum:
+            encapsulation:
+              x-field-uid: 1
+            no_encapsulation:
+              x-field-uid: 2
+        encapsulation:
+          description: >-
+            A container of encapsulation properties for a secure entity(SecY).
+          $ref: './tx.yaml#/components/schemas/SecureEntity.DataPlane.Encapsulation'
+          x-field-uid: 2
+
+    SecureEntity.DataPlane.Encapsulation:
+      description: >-
+        A container of encapsulation properties for a secure entity(SecY).
+      type: object
+      required: [crypto_engine]
+      properties:
+        tx:
+          description: >-
+            Tx properties of SecY.
+          $ref: './tx.yaml#/components/schemas/SecureEntity.DataPlane.Tx'
+          x-field-uid: 1
+        rx:
+          description: >-
+            Rx properties of SecY.
+          $ref: './rx.yaml#/components/schemas/SecureEntity.DataPlane.Rx'
+          x-field-uid: 2
+        crypto_engine:
+          description: >-
+            Crypto engine properties of SecY.
+          $ref: './cryptoengine.yaml#/components/schemas/SecureEntity.CryptoEngine'
+          x-field-uid: 3

device/device.yaml

@@ -0,0 +1,21 @@
+components:
+  schemas:
+    SecureEntity.DataPlane.Rx:
+      description: >-
+        A container for Rx settings of SecY.
+      type: object
+      properties:
+        replay_protection:
+          description: |-
+            Enable replay protection on not. 
+          type: boolean
+          default: false
+          x-field-uid: 1
+        replay_window:
+          description: |-
+            Replay window size. 
+          type: integer
+          format: uint32
+          minimum: 1
+          default: 1
+          x-field-uid: 2

device/macsec/dataplane/cryptoengine.yaml

@@ -0,0 +1,19 @@
+components:
+  schemas:
+    SecureEntity.DataPlane.Tx:
+      description: >-
+        A container of Tx properties of SecY.
+      type: object
+      properties:
+        end_station:
+          description: |-
+            End station on not.
+          type: boolean
+          default: false
+          x-field-uid: 1
+        include_sci:
+          description: |-
+            Include SCI on not.
+          type: boolean
+          default: false
+          x-field-uid: 2

device/macsec/dataplane/dataplane.yaml

@@ -0,0 +1,82 @@
+components:
+  schemas:
+    Device.Macsec:
+      description: >-
+        A container of properties for a MACsec capable device. Reference https://1.ieee802.org/security/802-1ae/.
+      type: object
+      required: [ethernet_interfaces]
+      properties:
+        ethernet_interfaces:
+          description: |-
+            Ethernet Interfaces
+          type: array
+          items:
+            $ref: '#/components/schemas/Device.Macsec.EthernetInterface'
+          x-field-uid: 1
+    Device.Macsec.EthernetInterface:
+      description: >-
+        Configuration for single MACsec interface.
+      type: object
+      required: [eth_name, secure_entity]
+      properties:
+        eth_name:
+          description: >-
+            The unique name of the Ethernet interface on which MACsec
+            is enabled.
+          type: string
+          x-constraint:
+          - '/components/schemas/Device.Ethernet/properties/name'
+          x-field-uid: 1
+        secure_entity:
+          description: >-
+            This contains the properties of Secure Entity (SecY).
+          $ref: '#/components/schemas/SecureEntity'
+          x-field-uid: 2
+
+    SecureEntity:
+      description: >-
+        Configuration of a Secure Entity (SecY).
+      type: object
+      required: [name, key_generation_protocol]
+      properties:
+        name:
+          x-include: ../../common/common.yaml#/components/schemas/Named.Object/properties/name
+          x-field-uid: 1
+        key_generation_protocol:
+          description: >-
+            This contains the properties of key generation protocol of Secure Entity (SecY).
+          $ref: '#/components/schemas/SecureEntity.KeyGenerationProtocol'
+          x-field-uid: 2
+        data_plane:
+          description: >-
+            This contains the properties of data plane of Secure Entity (SecY).
+          $ref: './dataplane/dataplane.yaml#/components/schemas/SecureEntity.DataPlane'
+          x-field-uid: 3
+
+    SecureEntity.KeyGenerationProtocol:
+      description: >-
+        Container of Key generation protocol configuration.
+      type: object
+      properties:
+        choice:
+          description: >-
+            Key generation protocol choices. Choose "mka" for dynamic key distribution using MACsec key agreement(MKA) protocol. Choose "static_key" for static configuration of secure association key(SAK).
+          type: string
+          default: mka
+          x-field-uid: 1
+          x-enum:
+            mka:
+              x-field-uid: 1
+            static_key:
+              x-field-uid: 2
+        mka:
+          description: |-
+            This contains the properties of Key Agreement Entity (KaY) in MKA supplicant.
+          x-field-uid: 2
+          $ref: './mka/mka.yaml#/components/schemas/Mka'
+
+        static_key:
+          description: >-
+            Static key properties properties of SecY. Static key is used in absence MKA.
+          $ref: './statickey/statickey.yaml#/components/schemas/SecureEntity.StaticKey'
+          x-field-uid: 3