
openconfig-macsec


openconfig-macsec@2020-05-01



  module openconfig-macsec {

    yang-version 1;

    namespace
      "http://openconfig.net/yang/macsec";

    prefix oc-macsec;

    import openconfig-extensions {
      prefix oc-ext;
    }
    import openconfig-interfaces {
      prefix oc-if;
    }
    import openconfig-macsec-types {
      prefix macsec-types;
    }
    import openconfig-yang-types {
      prefix oc-yang;
    }

    organization "OpenConfig working group";

    contact
      "Openconfig working group
     www.openconfig.net";

    description
      "This module defines configuration and state data for
     MACsec IEEE Std 802.1AE-2018.";

    revision "2020-05-01" {
      description
        "Move identifiers for scsa-[tr]x out of
      counters container.";
      reference
        "0.2.0";

    }

    revision "2019-07-01" {
      description "Initial public revision";
      reference
        "0.1.0";

    }

    oc-ext:openconfig-version "0.2.0";
    oc-ext:regexp-posix;
    oc-ext:catalog-organization "openconfig";
    oc-ext:origin "openconfig";

    // Leaves describing one MKA key entry. macsec-mka-key-top instantiates
    // this grouping under both the config and the state container of each
    // mka-key list entry, so every leaf here, including the key material, is
    // also present in the read-only state tree.
    grouping macsec-mka-key-config {
      description "MKA Key config grouping";
      // Serves as the CKN and as the list key of mka-key. The length
      // restriction is 1..64 (characters, assuming oc-yang:hex-string is a
      // string-based typedef; it is defined outside this module).
      leaf id {
        type oc-yang:hex-string {
          length "1..64";
        }
        description
          "Key identifier is used as the
         Connectivity Association Key name (CKN)";
      }

      // SECURITY: the key is modelled as an unrestricted string and, per the
      // description, is returned in clear text on read. Nothing in this
      // module marks the leaf with an access-control extension, so any client
      // allowed to read this path (config or state), any telemetry
      // subscription covering it, and any configuration backup will contain
      // the key. Restrict read access to this path at the management-plane
      // layer and treat exports of this subtree as secret material.
      // NOTE(review): there is no length or pattern restriction tying the
      // key to the selected cryptographic-algorithm; validation is left to
      // the implementation.
      // NOTE(review): presumably this is the CAK that pairs with the CKN in
      // 'id' - confirm against the implementation.
      leaf key-clear-text {
        type string;
        description
          "The key, used for signing and encrypting. Supplied as a clear text
         string. When read, also returned as clear text string.";
      }

      // Two CMAC variants are offered; no default is declared, so the value
      // in effect when the leaf is unset is implementation-defined.
      leaf cryptographic-algorithm {
        type enumeration {
          enum "AES_128_CMAC" {
            value 0;
          }
          enum "AES_256_CMAC" {
            value 1;
          }
        }
        description
          "MKA Cryptographic authentication algorithm to use";
      }

      // Either a timestamp or the VALID_IMMEDIATELY sentinel (the default).
      // Validity is evaluated against the device's local clock, so key
      // rollover depends on that clock being correct.
      leaf valid-date-time {
        type union {
          type oc-yang:date-and-time;
          type enumeration {
            enum "VALID_IMMEDIATELY" {
              value 0;
              description
                "Key is valid immediately";
            }
          }
        }
        default 'VALID_IMMEDIATELY';
        description
          "Date and time the key starts being valid according to local date and
         time configuration.";
      }

      // Either a timestamp or the NO_EXPIRATION sentinel (the default).
      // With the defaults a key never expires; key rotation only happens
      // if an expiration is configured explicitly.
      leaf expiration-date-time {
        type union {
          type oc-yang:date-and-time;
          type enumeration {
            enum "NO_EXPIRATION" {
              value 0;
              description
                "Key does not expire";
            }
          }
        }
        default 'NO_EXPIRATION';
        description
          "Key date and time expiration according to local date and time
         configuration.";
      }
    }  // grouping macsec-mka-key-config

    // Defines the mka-keys container holding the list of MKA keys.
    // Each list entry has a config container and a read-only state container
    // that both use macsec-mka-key-config.
    grouping macsec-mka-key-top {
      description
        "MKA Key top level grouping";
      container mka-keys {
        description
          "Enclosing container for the list of MKA keys";
        list mka-key {
          key "id";
          description "List of MKA keys";
          // List key; a leafref to the id leaf inside this entry's config container.
          leaf id {
            type leafref {
              path "../config/id";
            }
            description
              "Reference to the MKA key id";
          }

          container config {
            description
              "Configuration of MKA key";
            uses macsec-mka-key-config;
          }  // container config

          // SECURITY: this read-only container reuses the full config
          // grouping, so key-clear-text is exposed under state as well as
          // under config. Access rules that protect only the config path
          // leave the key readable here.
          container state {
            config false;
            description
              "Operational state data for MKA key";
            uses macsec-mka-key-config;
          }  // container state
        }  // list mka-key
      }  // container mka-keys
    }  // grouping macsec-mka-key-top

    // Single-leaf grouping holding the key-chain name. The name is a free-form
    // string with no length or pattern restriction.
    grouping macsec-mka-key-chain-config {
      description
        "MKA Key chain config grouping";
      leaf name {
        type string;
        description "MKA Key-chain name";
      }
    }  // grouping macsec-mka-key-chain-config

    // Defines the key-chains container: a list of named key chains, each
    // with config/state containers and a nested mka-keys list.
    grouping macsec-mka-key-chain-top {
      description
        "MKA key chain top level grouping";
      container key-chains {
        description
          "Enclosing container for the MKA key chains";
        list key-chain {
          key "name";
          description "MKA Key chain name";
          // List key; a leafref to the name leaf inside this entry's config container.
          leaf name {
            type leafref {
              path "../config/name";
            }
            description
              "Reference to the MKA Key chain name";
          }

          container config {
            description
              "Configuration of the MKA key chain";
            uses macsec-mka-key-chain-config;
          }  // container config

          container state {
            config false;
            description
              "Operational state data for MKA key chain";
            uses macsec-mka-key-chain-config;
          }  // container state

          // Pulls in the mka-keys list, which carries key-clear-text in both
          // its config and state containers; read access to a key-chain
          // subtree therefore includes the key material of every key in it.
          uses macsec-mka-key-top;
        }  // list key-chain
      }  // container key-chains
    }  // grouping macsec-mka-key-chain-top

    // Per-interface MKA bindings: which MKA policy and which key chain the
    // interface uses. Both leaves are leafrefs into the global /macsec/mka
    // tree, so they can only name entries that exist there.
    // NOTE(review): neither leaf is mandatory and no 'must' constraint is
    // declared, so the model itself does not require a key chain or policy
    // on an interface; check this in configuration validation if it matters.
    grouping macsec-mka-interface-config {
      description
        "MKA interface config grouping";
      // Must match the name of an entry in the policies/policy list.
      leaf mka-policy {
        type leafref {
          path
            "/macsec/mka/policies/policy/name";
        }
        description
          "Apply MKA policy on the interface";
      }

      // Must match the name of an entry in the key-chains/key-chain list.
      leaf key-chain {
        type leafref {
          path
            "/macsec/mka/key-chains/key-chain/name";
        }
        description
          "Configure Key Chain name";
      }
    }  // grouping macsec-mka-interface-config

    // Per-interface MKPDU counters, three for received and three for sent
    // traffic. The received counters are described as counting validated
    // MKPDUs; receive-side failures are counted in the separate
    // macsec-mka-global-counters grouping.
    grouping macsec-mka-interface-counters {
      description
        "MKA interface state grouping";
      // Received side.
      leaf in-mkpdu {
        type oc-yang:counter64;
        description
          "Validated MKPDU received count";
      }

      leaf in-sak-mkpdu {
        type oc-yang:counter64;
        description
          "Validated MKPDU received SAK count";
      }

      leaf in-cak-mkpdu {
        type oc-yang:counter64;
        description
          "Validated MKPDU received CAK count";
      }

      // Sent side.
      leaf out-mkpdu {
        type oc-yang:counter64;
        description "MKPDU sent count";
      }

      leaf out-sak-mkpdu {
        type oc-yang:counter64;
        description "MKPDU SAK sent count";
      }

      leaf out-cak-mkpdu {
        type oc-yang:counter64;
        description "MKPDU CAK sent count";
      }
    }  // grouping macsec-mka-interface-counters

    // Wraps the per-interface MKPDU counters in a 'counters' container.
    grouping macsec-mka-interface-state {
      description
        "MKA interface state grouping";
      container counters {
        description "MKA interface counters";
        uses macsec-mka-interface-counters;
      }  // container counters
    }  // grouping macsec-mka-interface-state

    // Defines the per-interface 'mka' container: config holds the policy and
    // key-chain bindings, state mirrors them and adds the MKPDU counters.
    grouping macsec-mka-interface-top {
      description
        "MKA interface top level grouping";
      container mka {
        description
          "Enclosing container for the MKA interface";
        container config {
          description
            "Configuration data for MKA interface";
          uses macsec-mka-interface-config;
        }  // container config

        // Read-only: the applied bindings plus the counters container.
        container state {
          config false;
          description
            "Operational state data for MKA interface";
          uses macsec-mka-interface-config;

          uses macsec-mka-interface-state;
        }  // container state
      }  // container mka
    }  // grouping macsec-mka-interface-top

    // Per-interface MACsec settings: which interface, whether MACsec is
    // enabled, and the replay window.
    grouping macsec-interface-config {
      description
        "Media Access Control Security (MACsec) config grouping";
      // Interface reference; the type is defined in openconfig-interfaces.
      leaf name {
        type oc-if:base-interface-ref;
        description
          "Reference to the MACsec Ethernet interface";
      }

      // Off by default: an interface listed here carries unprotected traffic
      // until this is set to true explicitly.
      leaf enable {
        type boolean;
        default "false";
        description
          "Enable MACsec on an interface";
      }

      // Despite the name this is a window size, not an on/off switch.
      // The default of 0 is the strictest setting (in-order frames only);
      // larger values accept that many out-of-order frames, which also
      // widens what a replayed frame could fall into. Keep the window as
      // small as the link's reordering behaviour allows.
      leaf replay-protection {
        type uint16;
        default "0";
        description
          "MACsec window size, as defined by the number of out-of-order frames
        that are accepted. A value of 0 means that frames are accepted only in
        the correct order.";
      }
    }  // grouping macsec-interface-config

    // Identifier leaf for a transmit secure channel; used as the key of the
    // scsa-tx list in macsec-scsa-interface-top.
    grouping macsec-scsa-tx-interface-state {
      description
        "State leaves assigned with the TX Secure Channel and Secure
      Association";
      // Fixed length of 16 (characters, assuming oc-yang:hex-string is
      // string-based; that would correspond to a 64-bit SCI).
      leaf sci-tx {
        type oc-yang:hex-string {
          length "16";
        }
        description
          "Secure Channel Identifier.
         Every Transmit Channel is uniquely identified using this field.";
      }
    }  // grouping macsec-scsa-tx-interface-state

    // Transmit packet counters per secure channel (sc-*) and per secure
    // association (sa-*), split into authenticated-only and encrypted.
    // The *-auth-only counters track frames described as authenticated only,
    // in contrast to the "encrypted and authenticated" frames of the
    // *-encrypted counters; growth in *-auth-only on a link expected to
    // provide confidentiality is worth investigating.
    grouping macsec-scsa-tx-interface-stats {
      description
        "TX Secure Channel and Secure Association Information";
      leaf sc-auth-only {
        type oc-yang:counter64;
        description
          "Secure Channel Authenticated only TX Packets counter.
         This counter reflects the number of authenticated only transmitted
         packets in a secure channel.";
      }

      leaf sc-encrypted {
        type oc-yang:counter64;
        description
          "Secure Channel Encrypted TX Packets counter.
         This counter reflects the number of encrypted and authenticated
         transmitted packets in a secure channel.";
      }

      leaf sa-auth-only {
        type oc-yang:counter64;
        description
          "Secure Association Authenticated only TX Packets counter.
         This counter reflects the number of authenticated only, transmitted
         packets in a secure association.";
      }

      leaf sa-encrypted {
        type oc-yang:counter64;
        description
          "Secure Association Encrypted TX Packets counter.
         This counter reflects the number of encrypted and authenticated
         transmitted packets in a secure association.";
      }
    }  // grouping macsec-scsa-tx-interface-stats

    // Identifier leaf for a receive secure channel; used as the key of the
    // scsa-rx list in macsec-scsa-interface-top.
    // NOTE(review): "nwith" in the description below is a typo for "with".
    grouping macsec-scsa-rx-interface-state {
      description
        "State associated nwith RX Secure Channel and Secure Association
      Information.";
      // Fixed length of 16 (characters, assuming oc-yang:hex-string is
      // string-based; that would correspond to a 64-bit SCI).
      leaf sci-rx {
        type oc-yang:hex-string {
          length "16";
        }
        description
          "Secure Channel Identifier.
         Every Receive Channel is uniquely identified using this field.";
      }
    }  // grouping macsec-scsa-rx-interface-state

    // Receive packet counters per secure channel (sc-*) and per secure
    // association (sa-*), split into valid and invalid.
    // For monitoring: sa-invalid counts integrity-check failures, so a rising
    // value means received frames are failing verification (possible causes
    // include key mismatch, corruption or tampering - not distinguishable
    // from the counter alone).
    grouping macsec-scsa-rx-interface-stats {
      description
        "RX Secure Channel and Secure Association Information";
      leaf sc-invalid {
        type oc-yang:counter64;
        description
          "Invalid Secure Channel RX Packets counter.
         This counter reflects the number of invalid received packets in a
         secure channel.";
      }

      leaf sc-valid {
        type oc-yang:counter64;
        description
          "Valid Secure Channel RX Packets counter.
         This counter reflects the number of valid received packets in a
         secure channel.";
      }

      leaf sa-invalid {
        type oc-yang:counter64;
        description
          "Invalid Secure Association RX Packets counter.
         This counter reflects the number of integrity check fails for received
         packets in a secure association.";
      }

      leaf sa-valid {
        type oc-yang:counter64;
        description
          "Secure Association Valid RX Packets counter.
         This counter reflects the number of packets in a secure association
         that passed integrity check.";
      }
    }  // grouping macsec-scsa-rx-interface-stats

    // Interface-level counters for frames that were sent or received
    // outside normal MACsec processing while MACsec is enabled. All five are
    // useful monitoring signals: each counts traffic that was either not
    // protected or could not be matched to a known secure channel.
    grouping macsec-interface-counters {
      description
        "MACsec interface state grouping";
      // Frames that left the interface without a MACsec header although
      // MACsec is enabled, i.e. traffic sent unprotected.
      leaf tx-untagged-pkts {
        type oc-yang:counter64;
        description
          "MACsec interface level Transmit untagged Packets counter.
         This counter will increment if MACsec is enabled on interface and the
         outgoing packet is not tagged with MACsec header.";
      }

      // Frames that arrived without a MACsec tag on a MACsec-enabled interface.
      leaf rx-untagged-pkts {
        type oc-yang:counter64;
        description
          "MACsec interface level Receive untagged Packets counter.
         This counter will increment if MACsec is enabled on interface and the
         incoming packet does not have MACsec tag.";
      }

      // Frames whose MACsec tag is incorrect.
      leaf rx-badtag-pkts {
        type oc-yang:counter64;
        description
          "MACsec interface level Receive Bad Tag Packets counter.
         This counter will increment if MACsec is enabled on interface and
         incoming packet has incorrect MACsec tag.";
      }

      // Frames whose SCI matches no entry in the ingress SCI table, i.e.
      // traffic from a secure channel this interface does not know.
      leaf rx-unknownsci-pkts {
        type oc-yang:counter64;
        description
          "MACsec interface level Receive Unknown SCI Packets counter.
         This counter will increment if MACsec is enabled on the interface and
         SCI present in the MACsec tag of the incoming packet does not match any
         SCI present in ingress SCI table.";
      }

      // Frames whose MACsec tag carries no SCI field.
      leaf rx-nosci-pkts {
        type oc-yang:counter64;
        description
          "MACsec interface level Receive No SCI Packets counter.
         This counter will increment if MACsec is enabled on interface and
         incoming packet does not have SCI field in MACsec tag.";
      }
    }  // grouping macsec-interface-counters

    // Defines two read-only containers, scsa-tx and scsa-rx, each holding a
    // list of secure channels keyed by SCI with a state container and a
    // nested counters container. There is no config counterpart: both
    // outer containers are 'config false'.
    grouping macsec-scsa-interface-top {
      description
        "Secure channel and Secure Association Statistics";
      container scsa-tx {
        config false;
        description
          "Enclosing container for transmitted packets for Secure Channel and
         Secure Association";
        list scsa-tx {
          key "sci-tx";
          description
            "TX Secure Channel and Secure Association Statistics";
          // List key; a leafref to the sci-tx leaf inside this entry's state
          // container. Its description repeats the list's description.
          leaf sci-tx {
            type leafref {
              path "../state/sci-tx";
            }
            description
              "TX Secure Channel and Secure Association Statistics";
          }

          container state {
            description
              "State container for macsec-scsa-tx-interface-stats";
            uses macsec-scsa-tx-interface-state;

            container counters {
              description
                "Counters container for macsec-scsa-tx-interface-stats";
              uses macsec-scsa-tx-interface-stats;
            }  // container counters
          }  // container state
        }  // list scsa-tx
      }  // container scsa-tx

      container scsa-rx {
        config false;
        description
          "Enclosing container for received packets for Secure Channel and
         Secure Association";
        list scsa-rx {
          key "sci-rx";
          description
            "RX Secure Channel and Secure Association Statistics";
          // List key; a leafref to the sci-rx leaf inside this entry's state
          // container. Its description repeats the list's description.
          leaf sci-rx {
            type leafref {
              path "../state/sci-rx";
            }
            description
              "RX Secure Channel and Secure Association Statistics";
          }

          container state {
            description
              "State container for macsec-scsa-rx-interface-stats";
            uses macsec-scsa-rx-interface-state;

            container counters {
              description
                "Counters container for macsec-scsa-rx-interface-stats";
              uses macsec-scsa-rx-interface-stats;
            }  // container counters
          }  // container state
        }  // list scsa-rx
      }  // container scsa-rx
    }  // grouping macsec-scsa-interface-top

    // Defines the 'interfaces' container: the list of MACsec interfaces with
    // their config, state and counters, plus the per-interface secure
    // channel statistics and MKA bindings pulled in from other groupings.
    grouping macsec-interface-top {
      description "Top-level grouping ";
      container interfaces {
        description
          "Enclosing container for the MACsec interfaces list";
        list interface {
          key "name";
          description
            "List of interfaces on which MACsec is enabled / available";
          // List key; a leafref to the name leaf inside this entry's config container.
          leaf name {
            type leafref {
              path "../config/name";
            }
            description
              "Reference to the list key";
          }

          container config {
            description
              "Configuration data for MACsec on each interface";
            uses macsec-interface-config;
          }  // container config

          // Read-only: the applied settings plus interface-level counters.
          container state {
            config false;
            description
              "Operational state data ";
            uses macsec-interface-config;

            container counters {
              description
                "MACsec interface counters";
              uses macsec-interface-counters;
            }  // container counters
          }  // container state

          // Adds the scsa-tx / scsa-rx statistics containers.
          uses macsec-scsa-interface-top;

          // Adds the per-interface mka container (policy and key-chain bindings).
          uses macsec-mka-interface-top;
        }  // list interface
      }  // container interfaces
    }  // grouping macsec-interface-top

    // Settings of one MKA policy. Several defaults favour compatibility
    // over the strictest behaviour (no periodic SAK rekey, no delay
    // protection, no rekey on peer loss), so a policy created with only a
    // name set should be reviewed against the deployment's requirements.
    grouping macsec-mka-policy-config {
      description
        "MKA policy config grouping";
      // Free-form string; also the key of the policy list.
      leaf name {
        type string;
        description
          "Name of the MKA policy.";
      }

      // Lower number wins the key-server election; default 16.
      leaf key-server-priority {
        type uint8;
        default "16";
        description
          "Specifies the key server priority used by the MACsec Key Agreement
        (MKA) protocol to select the key server when MACsec is enabled using
        static connectivity association key (CAK) security mode. The switch with
        the lower priority-number is selected as the key server. If the
        priority-number is identical on both sides of a point-to-point link, the
        MKA protocol selects the device with the lower MAC address as the key
        server";
      }

      // Zero or more cipher suites; the allowed values are defined in
      // openconfig-macsec-types. No default is declared, so behaviour with
      // an empty list is implementation-defined.
      leaf-list macsec-cipher-suite {
        type macsec-types:macsec-cipher-suite;
        description
          "Set Cipher suite(s) for SAK derivation";
      }

      // Default 0_BYTES encrypts from the start of the payload. Any other
      // value leaves that many leading octets in plain text, visible to an
      // on-path observer; use non-zero offsets only where required.
      leaf confidentiality-offset {
        type macsec-types:confidentiality-offset;
        default "0_BYTES";
        description
          "The confidentiality offset specifies a number of octets in an Ethernet
         frame that are sent in unencrypted plain-text";
      }

      // Off by default; when on, traffic delayed by more than 2 seconds is rejected.
      leaf delay-protection {
        type boolean;
        default "false";
        description
          "Traffic delayed longer than 2 seconds is rejected by the interfaces
         enabled with delay protection.";
      }

      // On by default. The description ties turning it off to compatibility
      // with earlier implementations that do not require an ICV.
      leaf include-icv-indicator {
        type boolean;
        default "true";
        description
          "Generate and include an Integrity Check Value (ICV) field in the MKPDU.
         For compatibility with previous MACsec implementation that do not
         require an ICV";
      }

      // Either 0 (the default: no rekey) or 30..65535 seconds. With the
      // default the same SAK stays in use unless something else triggers a
      // rekey; set an interval where periodic rekey is required.
      leaf sak-rekey-interval {
        type uint32 {
          range "0 | 30..65535";
        }
        default "0";
        description
          "SAK Rekey interval in seconds. The default value is 0 where no rekey is
         performed.";
      }

      // Off by default: losing a live peer does not trigger a new SAK.
      leaf sak-rekey-on-live-peer-loss {
        type boolean;
        default "false";
        description "Rekey on peer loss";
      }

      // Off by default; selects whether the ICV is computed over updated
      // Ethernet headers when they change.
      leaf use-updated-eth-header {
        type boolean;
        default "false";
        description
          "Use updated ethernet header for ICV calculation. In case the Ethernet
         frame headers change, use the updated headers to calculate the ICV.";
      }
    }  // grouping macsec-mka-policy-config

    // Device-wide MKA error counters. All are error counts, so in steady
    // state they are expected to stay flat; growth in any of them is a
    // signal for alerting. The in-mkpdu-* counters cover received MKPDUs
    // that failed a check, the sak-* counters cover SAK handling failures.
    grouping macsec-mka-global-counters {
      description
        "MKA global counters grouping";
      leaf out-mkpdu-errors {
        type oc-yang:counter64;
        description "MKPDU TX error count";
      }

      // Received MKPDUs whose ICV did not verify.
      leaf in-mkpdu-icv-verification-errors {
        type oc-yang:counter64;
        description
          "MKPDU RX ICV verification error count";
      }

      leaf in-mkpdu-validation-errors {
        type oc-yang:counter64;
        description
          "MKPDU RX validation error count";
      }

      // Received MKPDUs with a bad peer message number.
      leaf in-mkpdu-bad-peer-errors {
        type oc-yang:counter64;
        description
          "MKPDU RX bad peer message number error count";
      }

      // Received MKPDUs whose peer-list message number is not recent.
      leaf in-mkpdu-peer-list-errors {
        type oc-yang:counter64;
        description
          "MKPDU RX non-recent peer list Message Number error count";
      }

      leaf sak-generation-errors {
        type oc-yang:counter64;
        description
          "MKA error SAK generation count";
      }

      leaf sak-hash-errors {
        type oc-yang:counter64;
        description
          "MKA error Hash Key generation count";
      }

      leaf sak-encryption-errors {
        type oc-yang:counter64;
        description
          "MKA error SAK encryption/wrap count";
      }

      leaf sak-decryption-errors {
        type oc-yang:counter64;
        description
          "MKA error SAK decryption/unwrap count";
      }

      // Counts SAK cipher mismatches; presumably the peers disagree on the
      // cipher suite - confirm against the implementation.
      leaf sak-cipher-mismatch-errors {
        type oc-yang:counter64;
        description
          "MKA error SAK cipher mismatch count";
      }
    }  // grouping macsec-mka-global-counters

    // Wraps the device-wide MKA error counters in a 'counters' container.
    grouping macsec-mka-global-state {
      description
        "MKA global state grouping";
      container counters {
        description "MKA global counters";
        uses macsec-mka-global-counters;
      }  // container counters
    }  // grouping macsec-mka-global-state

    // Defines the read-only global MKA state container. There is no
    // matching config container: the only global MKA data is the counters.
    grouping macsec-mka-global-top {
      description
        "MKA global top level grouping";
      container state {
        config false;
        description
          "Operational state data for MKA";
        uses macsec-mka-global-state;
      }  // container state
    }  // grouping macsec-mka-global-top

    // Defines the 'policies' container: the list of named MKA policies, each
    // with a config container and a read-only state container that both use
    // macsec-mka-policy-config.
    grouping macsec-mka-policy-top {
      description
        "MKA policy top level grouping";
      container policies {
        description
          "Enclosing container for the list of MKA policies";
        list policy {
          key "name";
          description "List of MKA policies";
          // List key; a leafref to the name leaf inside this entry's config container.
          leaf name {
            type leafref {
              path "../config/name";
            }
            description
              "Reference to MKA policy name";
          }

          container config {
            description
              "Configuration of the MKA policy";
            uses macsec-mka-policy-config;
          }  // container config

          // Read-only view of the policy; comparing it with config shows
          // whether the intended settings were actually applied.
          container state {
            config false;
            description
              "Operational state data for MKA policy";
            uses macsec-mka-policy-config;
          }  // container state
        }  // list policy
      }  // container policies
    }  // grouping macsec-mka-policy-top

    // Defines the global 'mka' container, assembled from three groupings:
    // policies, key chains (which include the key material) and the global
    // state counters.
    grouping macsec-mka-top {
      description "MKA top level grouping";
      container mka {
        description "The MKA";
        uses macsec-mka-policy-top;

        // Includes key-clear-text under every mka-key entry; access rules
        // for /macsec/mka should account for this subtree.
        uses macsec-mka-key-chain-top;

        uses macsec-mka-global-top;
      }  // container mka
    }  // grouping macsec-mka-top

    // Defines the root 'macsec' container, combining the global MKA subtree
    // and the per-interface subtree. The module instantiates it once at the
    // top level with 'uses macsec-top'.
    grouping macsec-top {
      description
        "MACsec top level grouping";
      container macsec {
        description "The MACsec";
        uses macsec-mka-top;

        uses macsec-interface-top;
      }  // container macsec
    }  // grouping macsec-top

    uses macsec-top;
  }  // module openconfig-macsec

Summary

  
  
Organization OpenConfig working group
  
Module openconfig-macsec
Version 2020-05-01
File openconfig-macsec.yang
  
Prefix oc-macsec
Namespace http://openconfig.net/yang/macsec
  
Cooked /cookedmodules/openconfig-macsec/2020-05-01
YANG /src/openconfig-macsec@2020-05-01.yang
XSD /xsd/openconfig-macsec@2020-05-01.xsd
  
Abstract This module defines configuration and state data for MACsec IEEE Std 802.1AE-2018.
  
Contact
Openconfig working group
www.openconfig.net

Description

 
This module defines configuration and state data for
MACsec IEEE Std 802.1AE-2018.

Groupings

Grouping Objects Abstract
macsec-interface-config name enable replay-protection Media Access Control Security (MACsec) config grouping
macsec-interface-counters tx-untagged-pkts rx-untagged-pkts rx-badtag-pkts rx-unknownsci-pkts rx-nosci-pkts MACsec interface state grouping
macsec-interface-top interfaces Top-level grouping
macsec-mka-global-counters out-mkpdu-errors in-mkpdu-icv-verification-errors in-mkpdu-validation-errors in-mkpdu-bad-peer-errors in-mkpdu-peer-list-errors sak-generation-errors sak-hash-errors sak-encryption-errors sak-decryption-errors sak-cipher-mismatch-errors MKA global counters grouping
macsec-mka-global-state counters MKA global state grouping
macsec-mka-global-top state MKA global top level grouping
macsec-mka-interface-config mka-policy key-chain MKA interface config grouping
macsec-mka-interface-counters in-mkpdu in-sak-mkpdu in-cak-mkpdu out-mkpdu out-sak-mkpdu out-cak-mkpdu MKA interface state grouping
macsec-mka-interface-state counters MKA interface state grouping
macsec-mka-interface-top mka MKA interface top level grouping
macsec-mka-key-chain-config name MKA Key chain config grouping
macsec-mka-key-chain-top key-chains MKA key chain top level grouping
macsec-mka-key-config id key-clear-text cryptographic-algorithm valid-date-time expiration-date-time MKA Key config grouping
macsec-mka-key-top mka-keys MKA Key top level grouping
macsec-mka-policy-config name key-server-priority macsec-cipher-suite confidentiality-offset delay-protection include-icv-indicator sak-rekey-interval sak-rekey-on-live-peer-loss use-updated-eth-header MKA policy config grouping
macsec-mka-policy-top policies MKA policy top level grouping
macsec-mka-top mka MKA top level grouping
macsec-scsa-interface-top scsa-tx scsa-rx Secure channel and Secure Association Statistics
macsec-scsa-rx-interface-state sci-rx State associated with RX Secure Channel and Secure Association Information.
macsec-scsa-rx-interface-stats sc-invalid sc-valid sa-invalid sa-valid RX Secure Channel and Secure Association Information
macsec-scsa-tx-interface-state sci-tx State leaves assigned with the TX Secure Channel and Secure Association
macsec-scsa-tx-interface-stats sc-auth-only sc-encrypted sa-auth-only sa-encrypted TX Secure Channel and Secure Association Information
macsec-top macsec MACsec top level grouping

Objects

Type Key
Mandatory config
Optional config
Not config
Object Type Abstract
macsec container The MACsec
   interfaces container Enclosing container for the MACsec interfaces list
      interface list List of interfaces on which MACsec is enabled / available
         config container Configuration data for MACsec on each interface
            enable leaf Enable MACsec on an interface
            name leaf Reference to the MACsec Ethernet interface
            replay-protection leaf MACsec window size, as defined by the number of out-of-order frames that are accepted. A value of 0 means that frames are accepted only in the correct order.
         mka container Enclosing container for the MKA interface
            config container Configuration data for MKA interface
               key-chain leaf Configure Key Chain name
               mka-policy leaf Apply MKA policy on the interface
            state container Operational state data for MKA interface
               counters container MKA interface counters
                  in-cak-mkpdu leaf Validated MKPDU received CAK count
                  in-mkpdu leaf Validated MKPDU received count
                  in-sak-mkpdu leaf Validated MKPDU received SAK count
                  out-cak-mkpdu leaf MKPDU CAK sent count
                  out-mkpdu leaf MKPDU sent count
                  out-sak-mkpdu leaf MKPDU SAK sent count
               key-chain leaf Configure Key Chain name
               mka-policy leaf Apply MKA policy on the interface
         name leaf Reference to the list key
         scsa-rx container Enclosing container for received packets for Secure Channel and Secure Association
            scsa-rx list RX Secure Channel and Secure Association Statistics
               sci-rx leaf RX Secure Channel and Secure Association Statistics
               state container State container for macsec-scsa-rx-interface-stats
                  counters container Counters container for macsec-scsa-rx-interface-stats
                     sa-invalid leaf Invalid Secure Association RX Packets counter. This counter reflects the number of integrity check fails for received packets in a secure association.
                     sa-valid leaf Secure Association Valid RX Packets counter. This counter reflects the number of packets in a secure association that passed integrity check.
                     sc-invalid leaf Invalid Secure Channel RX Packets counter. This counter reflects the number of invalid received packets in a secure channel.
                     sc-valid leaf Valid Secure Channel RX Packets counter. This counter reflects the number of valid received packets in a secure channel.
                  sci-rx leaf Secure Channel Identifier. Every Receive Channel is uniquely identified using this field.
         scsa-tx container Enclosing container for transmitted packets for Secure Channel and Secure Association
            scsa-tx list TX Secure Channel and Secure Association Statistics
               sci-tx leaf TX Secure Channel and Secure Association Statistics
               state container State container for macsec-scsa-tx-interface-stats
                  counters container Counters container for macsec-scsa-tx-interface-stats
                     sa-auth-only leaf Secure Association Authenticated only TX Packets counter. This counter reflects the number of authenticated only, transmitted packets in a secure association.
                     sa-encrypted leaf Secure Association Encrypted TX Packets counter. This counter reflects the number of encrypted and authenticated transmitted packets in a secure association.
                     sc-auth-only leaf Secure Channel Authenticated only TX Packets counter. This counter reflects the number of authenticated only transmitted packets in a secure channel.
                     sc-encrypted leaf Secure Channel Encrypted TX Packets counter. This counter reflects the number of encrypted and authenticated transmitted packets in a secure channel.
                  sci-tx leaf Secure Channel Identifier. Every Transmit Channel is uniquely identified using this field.
         state container Operational state data
            counters container MACsec interface counters
               rx-badtag-pkts leaf MACsec interface level Receive Bad Tag Packets counter. This counter will increment if MACsec is enabled on interface and incoming packet has incorrect MACsec tag.
               rx-nosci-pkts leaf MACsec interface level Receive No SCI Packets counter. This counter will increment if MACsec is enabled on interface and incoming packet does not have SCI field in MACsec tag.
               rx-unknownsci-pkts leaf MACsec interface level Receive Unknown SCI Packets counter. This counter will increment if MACsec is enabled on the interface and SCI present in the MACsec tag of the incoming packet does not match any SCI present in ingress SCI table.
               rx-untagged-pkts leaf MACsec interface level Receive untagged Packets counter. This counter will increment if MACsec is enabled on interface and the incoming packet does not have MACsec tag.
               tx-untagged-pkts leaf MACsec interface level Transmit untagged Packets counter. This counter will increment if MACsec is enabled on interface and the outgoing packet is not tagged with MACsec header.
            enable leaf Enable MACsec on an interface
            name leaf Reference to the MACsec Ethernet interface
            replay-protection leaf MACsec window size, as defined by the number of out-of-order frames that are accepted. A value of 0 means that frames are accepted only in the correct order.
   mka container The MKA
      key-chains container Enclosing container for the MKA key chains
         key-chain list MKA Key chain name
            config container Configuration of the MKA key chain
               name leaf MKA Key-chain name
            mka-keys container Enclosing container for the list of MKA keys
               mka-key list List of MKA keys
                  config container Configuration of MKA key
                     cryptographic-algorithm leaf MKA Cryptographic authentication algorithm to use
                     expiration-date-time leaf Key date and time expiration according to local date and time configuration.
                     id leaf Key identifier is used as the Connectivity Association Key name (CKN)
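                     key-clear-text leaf The key, used for signing and encrypting. Supplied as a clear text string. When read, also returned as clear text string. Any client with read access to this leaf therefore obtains the key itself, so read access to this path needs to be as tightly restricted as write access.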
                     valid-date-time leaf Date and time the key starts being valid according to local date and time configuration.
                  id leaf Reference to the MKA key id
                  state container Operational state data for MKA key
                     cryptographic-algorithm leaf MKA Cryptographic authentication algorithm to use
                     expiration-date-time leaf Key date and time expiration according to local date and time configuration.
                     id leaf Key identifier is used as the Connectivity Association Key name (CKN)
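                     key-clear-text leaf The key, used for signing and encrypting. Supplied as a clear text string. When read, also returned as clear text string. Because this operational-state leaf returns the key itself, telemetry or state queries that include this path expose the key to whoever receives them.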
                     valid-date-time leaf Date and time the key starts being valid according to local date and time configuration.
            name leaf Reference to the MKA Key chain name
            state container Operational state data for MKA key chain
               name leaf MKA Key-chain name
      policies container Enclosing container for the list of MKA policies
         policy list List of MKA policies
            config container Configuration of the MKA policy
               confidentiality-offset leaf The confidentiality offset specifies a number of octets in an Ethernet frame that are sent in unencrypted plain-text
               delay-protection leaf Traffic delayed longer than 2 seconds is rejected by the interfaces enabled with delay protection.
               include-icv-indicator leaf Generate and include an Integrity Check Value (ICV) field in the MKPDU. This setting exists for compatibility with previous MACsec implementations that do not require an ICV.
               key-server-priority leaf Specifies the key server priority used by the MACsec Key Agreement (MKA) protocol to select the key server when MACsec is enabled using static connectivity association key (CAK) security mode. The switch with the lower priority-number is selected as the key server...
               macsec-cipher-suite leaf-list Set Cipher suite(s) for SAK derivation
               name leaf Name of the MKA policy.
               sak-rekey-interval leaf SAK rekey interval in seconds. The default value is 0, which means no rekey is performed.
               sak-rekey-on-live-peer-loss leaf Rekey on peer loss
               use-updated-eth-header leaf Use updated ethernet header for ICV calculation. In case the Ethernet frame headers change, use the updated headers to calculate the ICV.
            name leaf Reference to MKA policy name
            state container Operational state data for MKA policy
               confidentiality-offset leaf The confidentiality offset specifies a number of octets in an Ethernet frame that are sent in unencrypted plain-text
               delay-protection leaf Traffic delayed longer than 2 seconds is rejected by the interfaces enabled with delay protection.
               include-icv-indicator leaf Generate and include an Integrity Check Value (ICV) field in the MKPDU. This setting exists for compatibility with previous MACsec implementations that do not require an ICV.
               key-server-priority leaf Specifies the key server priority used by the MACsec Key Agreement (MKA) protocol to select the key server when MACsec is enabled using static connectivity association key (CAK) security mode. The switch with the lower priority-number is selected as the key server...
               macsec-cipher-suite leaf-list Set Cipher suite(s) for SAK derivation
               name leaf Name of the MKA policy.
               sak-rekey-interval leaf SAK rekey interval in seconds. The default value is 0, which means no rekey is performed.
               sak-rekey-on-live-peer-loss leaf Rekey on peer loss
               use-updated-eth-header leaf Use updated ethernet header for ICV calculation. In case the Ethernet frame headers change, use the updated headers to calculate the ICV.
      state container Operational state data for MKA
         counters container MKA global counters
            in-mkpdu-bad-peer-errors leaf MKPDU RX bad peer message number error count
            in-mkpdu-icv-verification-errors leaf MKPDU RX ICV verification error count
            in-mkpdu-peer-list-errors leaf MKPDU RX non-recent peer list Message Number error count
            in-mkpdu-validation-errors leaf MKPDU RX validation error count
            out-mkpdu-errors leaf MKPDU TX error count
            sak-cipher-mismatch-errors leaf MKA error SAK cipher mismatch count
            sak-decryption-errors leaf MKA error SAK decryption/unwrap count
            sak-encryption-errors leaf MKA error SAK encryption/wrap count
            sak-generation-errors leaf MKA error SAK generation count
            sak-hash-errors leaf MKA error Hash Key generation count