Feat(eos_cli_config_gen): Extend CLI model for ip_security (#3312)
Co-authored-by: Claus Holbech <[email protected]>
Co-authored-by: Guillaume Mulocher <[email protected]>
3 people authored Nov 10, 2023
1 parent ad99dce commit 9e8a1fd
Showing 9 changed files with 161 additions and 27 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
- [Management Interfaces](#management-interfaces)
- [IP Security](#ip-security)
- [IKE policies](#ike-policies)
- [Security Association policies](#security-association-policies)
- [IPSec profiles](#ipsec-profiles)
- [Key controller](#key-controller)
- [IP Security Configuration](#ip-security-configuration)
Expand Down Expand Up @@ -42,10 +43,18 @@ interface Management1

### IKE policies

| Policy name | Local ID |
| ----------- | -------- |
| IKE-1 | 192.168.100.1 |
| IKE-2 | - |
| Policy name | IKE lifetime | Encryption | DH group | Local ID |
| ----------- | ------------ | ---------- | -------- | -------- |
| IKE-1 | 24 | aes256 | 20 | 192.168.100.1 |
| IKE-2 | - | - | - | - |

### Security Association policies

| Policy name | ESP Integrity | ESP Encryption | PFS DH Group |
| ----------- | ------------- | -------------- | ------------ |
| SA-1 | - | aes128 | 14 |
| SA-2 | - | aes128 | 14 |
| SA-3 | disabled | disabled | 17 |

### IPSec profiles

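Review bot: the new `IKE lifetime` column in the IKE policies table carries no unit, while the schema defines the value in hours (1 to 24); rename the header to `IKE lifetime (hours)` so a reader does not take `24` for seconds or minutes. Also note that the SA-3 row shows the AVD value `disabled` while the CLI section further down renders `esp integrity null` / `esp encryption null`; that is the intended mapping, but a one-line remark in the generated docs would save readers from comparing the two sections and suspecting a mismatch.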
Expand All @@ -68,6 +77,9 @@ ip security
!
ike policy IKE-1
local-id 192.168.100.1
ike-lifetime 24
encryption aes256
dh-group 20
!
ike policy IKE-2
!
Expand All @@ -80,6 +92,7 @@ ip security
pfs dh-group 14
!
sa policy SA-3
esp integrity null
esp encryption null
pfs dh-group 17
!
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@ ip security
!
ike policy IKE-1
local-id 192.168.100.1
ike-lifetime 24
encryption aes256
dh-group 20
!
ike policy IKE-2
!
Expand All @@ -23,6 +26,7 @@ ip security
pfs dh-group 14
!
sa policy SA-3
esp integrity null
esp encryption null
pfs dh-group 17
!
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ ip_security:
ike_policies:
- name: IKE-1
local_id: 192.168.100.1
ike_lifetime: 24
encryption: aes256
dh_group: 20
- name: IKE-2
sa_policies:
- name: SA-1
Expand All @@ -15,8 +18,8 @@ ip_security:
pfs_dh_group: 14
- name: SA-3
esp:
integrity: "null"
encryption: "null"
integrity: disabled
encryption: disabled
pfs_dh_group: 17
profiles:
- name: Profile-1
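Review bot: switching SA-3 from `"null"` to `disabled` for both `integrity` and `encryption` removes the only test input that exercised the deprecated `"null"` value, so the pass-through branch that still renders it stays untested until its removal in 5.0.0. Keep one SA policy (or one of the two fields) on `"null"` so both spellings are covered and shown to produce the same CLI line.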
Original file line number Diff line number Diff line change
Expand Up @@ -11,11 +11,14 @@
| [<samp>&nbsp;&nbsp;ike_policies</samp>](## "ip_security.ike_policies") | List, items: Dictionary | | | | Internet Security Association and Key Mgmt Protocol. |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;- name</samp>](## "ip_security.ike_policies.[].name") | String | Required, Unique | | | Policy name. |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;local_id</samp>](## "ip_security.ike_policies.[].local_id") | String | | | | Local IKE Identification.<br>Can be an IPv4 or an IPv6 address.<br> |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ike_lifetime</samp>](## "ip_security.ike_policies.[].ike_lifetime") | Integer | | | Min: 1<br>Max: 24 | IKE lifetime in hours. |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;encryption</samp>](## "ip_security.ike_policies.[].encryption") | String | | | Valid Values:<br>- 3des<br>- aes128<br>- aes256 | IKE encryption algorithm. |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;dh_group</samp>](## "ip_security.ike_policies.[].dh_group") | Integer | | | Valid Values:<br>- 1<br>- 2<br>- 5<br>- 14<br>- 15<br>- 16<br>- 17<br>- 20<br>- 21<br>- 24 | Diffie-Hellman group for the key exchange. |
| [<samp>&nbsp;&nbsp;sa_policies</samp>](## "ip_security.sa_policies") | List, items: Dictionary | | | | Security Association policies. |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;- name</samp>](## "ip_security.sa_policies.[].name") | String | Required, Unique | | | Name of the SA policy. |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;- name</samp>](## "ip_security.sa_policies.[].name") | String | Required, Unique | | | Name of the SA policy. The "null" value is deprecated and will be removed in AVD 5.0.0 |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;esp</samp>](## "ip_security.sa_policies.[].esp") | Dictionary | | | | |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;integrity</samp>](## "ip_security.sa_policies.[].esp.integrity") | String | | | Valid Values:<br>- null<br>- sha1<br>- sha256 | |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;encryption</samp>](## "ip_security.sa_policies.[].esp.encryption") | String | | | Valid Values:<br>- null<br>- aes128<br>- aes128gcm128<br>- aes128gcm64<br>- aes256<br>- aes256gcm256 | |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;integrity</samp>](## "ip_security.sa_policies.[].esp.integrity") | String | | | Valid Values:<br>- disabled<br>- sha1<br>- sha256<br>- null | |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;encryption</samp>](## "ip_security.sa_policies.[].esp.encryption") | String | | | Valid Values:<br>- disabled<br>- aes128<br>- aes128gcm128<br>- aes128gcm64<br>- aes256<br>- aes256gcm256<br>- null | |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;pfs_dh_group</samp>](## "ip_security.sa_policies.[].pfs_dh_group") | Integer | | | Valid Values:<br>- 1<br>- 2<br>- 5<br>- 14<br>- 15<br>- 16<br>- 17<br>- 20<br>- 21<br>- 24 | |
| [<samp>&nbsp;&nbsp;profiles</samp>](## "ip_security.profiles") | List, items: Dictionary | | | | IPSec profiles. |
| [<samp>&nbsp;&nbsp;&nbsp;&nbsp;- name</samp>](## "ip_security.profiles.[].name") | String | Required, Unique | | | Name of the IPsec profile. |
Expand All @@ -38,6 +41,9 @@
ike_policies:
- name: <str>
local_id: <str>
ike_lifetime: <int>
encryption: <str>
dh_group: <int>
sa_policies:
- name: <str>
esp:
Original file line number Diff line number Diff line change
Expand Up @@ -6597,6 +6597,40 @@
"type": "string",
"description": "Local IKE Identification.\nCan be an IPv4 or an IPv6 address.\n",
"title": "Local ID"
},
"ike_lifetime": {
"type": "integer",
"minimum": 1,
"maximum": 24,
"description": "IKE lifetime in hours.",
"title": "Ike Lifetime"
},
"encryption": {
"type": "string",
"enum": [
"3des",
"aes128",
"aes256"
],
"description": "IKE encryption algorithm.",
"title": "Encryption"
},
"dh_group": {
"type": "integer",
"enum": [
1,
2,
5,
14,
15,
16,
17,
20,
21,
24
],
"description": "Diffie-Hellman group for the key exchange.",
"title": "Dh Group"
}
},
"additionalProperties": false,
Expand All @@ -6617,7 +6651,7 @@
"properties": {
"name": {
"type": "string",
"description": "Name of the SA policy.",
"description": "Name of the SA policy. The \"null\" value is deprecated and will be removed in AVD 5.0.0",
"title": "Name"
},
"esp": {
Expand All @@ -6626,21 +6660,23 @@
"integrity": {
"type": "string",
"enum": [
"null",
"disabled",
"sha1",
"sha256"
"sha256",
"null"
],
"title": "Integrity"
},
"encryption": {
"type": "string",
"enum": [
"null",
"disabled",
"aes128",
"aes128gcm128",
"aes128gcm64",
"aes256",
"aes256gcm256"
"aes256gcm256",
"null"
],
"title": "Encryption"
}
Original file line number Diff line number Diff line change
Expand Up @@ -3789,6 +3789,36 @@ keys:
Can be an IPv4 or an IPv6 address.
'
ike_lifetime:
type: int
convert_types:
- str
min: 1
max: 24
description: IKE lifetime in hours.
encryption:
type: str
valid_values:
- 3des
- aes128
- aes256
description: IKE encryption algorithm.
dh_group:
type: int
convert_types:
- str
valid_values:
- 1
- 2
- 5
- 14
- 15
- 16
- 17
- 20
- 21
- 24
description: Diffie-Hellman group for the key exchange.
sa_policies:
type: list
description: Security Association policies.
Expand All @@ -3798,25 +3828,28 @@ keys:
keys:
name:
type: str
description: Name of the SA policy.
description: Name of the SA policy. The "null" value is deprecated and
will be removed in AVD 5.0.0
esp:
type: dict
keys:
integrity:
type: str
valid_values:
- 'null'
- disabled
- sha1
- sha256
- 'null'
encryption:
type: str
valid_values:
- 'null'
- disabled
- aes128
- aes128gcm128
- aes128gcm64
- aes256
- aes256gcm256
- 'null'
pfs_dh_group:
type: int
convert_types:
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,26 @@ keys:
description: |
Local IKE Identification.
Can be an IPv4 or an IPv6 address.
ike_lifetime:
type: int
convert_types:
- str
min: 1
max: 24
description: IKE lifetime in hours.
encryption:
type: str
valid_values:
- 3des
- aes128
- aes256
description: IKE encryption algorithm.
dh_group:
type: int
convert_types:
- str
valid_values: [1, 2, 5, 14, 15, 16, 17, 20, 21, 24]
description: Diffie-Hellman group for the key exchange.
sa_policies:
type: list
description: Security Association policies.
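Review bot: `dh_group` uses a flow-style list (`valid_values: [1, 2, 5, 14, ...]`) while the neighbouring `valid_values` for `encryption` and, further down, `pfs_dh_group` use block style; pick one style for the fragment. The allowed values also include `3des` and DH groups 1, 2 and 5, which mirror the EOS CLI but are legacy choices compared with AES and groups 14 and up; the `IKE encryption algorithm.` and `Diffie-Hellman group for the key exchange.` descriptions should say so, otherwise the valid-value list reads as if all entries were equivalent.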
Expand All @@ -33,25 +53,27 @@ keys:
keys:
name:
type: str
description: Name of the SA policy.
description: Name of the SA policy. The "null" value is deprecated and will be removed in AVD 5.0.0
esp:
type: dict
keys:
integrity:
type: str
valid_values:
- "null"
- disabled
- sha1
- sha256
- "null" # TODO: AVD 5.0.0
encryption:
type: str
valid_values:
- "null"
- disabled
- aes128
- aes128gcm128
- aes128gcm64
- aes256
- aes256gcm256
- "null" # TODO: AVD 5.0.0
pfs_dh_group:
type: int
convert_types:
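Review bot: the sentence `The "null" value is deprecated and will be removed in AVD 5.0.0` has been added to the description of `name`, but `null` is a valid value of `esp.integrity` and `esp.encryption`, not of `name`; move it to those two keys (the `# TODO: AVD 5.0.0` comments already sit there), otherwise the generated JSON schema, YAML schema and doc table all inherit the wrong placement. Separately, `integrity: disabled` combined with a non-AEAD cipher (`aes128`, `aes256`) gives ESP with no authentication at all; only the `aes128gcm64`, `aes128gcm128` and `aes256gcm256` values provide integrity on their own. The schema cannot express that constraint, but the description of `integrity` should state it so `disabled` is not picked alongside a CBC cipher by accident.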
Original file line number Diff line number Diff line change
Expand Up @@ -11,20 +11,20 @@

### IKE policies

| Policy name | Local ID |
| ----------- | -------- |
| Policy name | IKE lifetime | Encryption | DH group | Local ID |
| ----------- | ------------ | ---------- | -------- | -------- |
{% for ike_policy in ip_security.ike_policies | arista.avd.default([]) %}
| {{ ike_policy.name }} | {{ ike_policy.local_id | arista.avd.default("-") }} |
| {{ ike_policy.name }} | {{ ike_policy.ike_lifetime | arista.avd.default("-") }} | {{ ike_policy.encryption | arista.avd.default("-") }} | {{ ike_policy.dh_group | arista.avd.default("-") }} | {{ ike_policy.local_id | arista.avd.default("-") }} |
{% endfor %}
{% endif %}
{% if ip_security.ike_policie is arista.avd.defined %}
{% if ip_security.sa_policies is arista.avd.defined %}

### Security Association policies

| Policy name | ESP Integrity | ESP Encryption | PFS DH Group |
| ----------- | ------------- | -------------- | ------------ |
{% for sa_policy in ip_security.sa_policies | arista.avd.default([]) %}
| {{ sa_policy.name }} | {{ sa_policy.esp.integrity | arista.avd.default("-") }} | {{ sa_policy.esp.encryption | arista.avd.default("-") }} | {{ sa_policy.pfs_dh_group | arista.avd.default("-") }} |
| {{ sa_policy.name }} | {{ sa_policy.esp.integrity | arista.avd.default("-") }} | {{ sa_policy.esp.encryption | arista.avd.default("-") }} | {{ sa_policy.pfs_dh_group | arista.avd.default("-") }} |
{% endfor %}
{% endif %}
{% if ip_security.profiles is arista.avd.defined %}
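Review bot: replacing `{% if ip_security.ike_policie is arista.avd.defined %}` with `{% if ip_security.sa_policies is arista.avd.defined %}` is a bug fix rather than part of the model extension: the old condition tested a key that does not exist, so the Security Association policies section was never rendered. Existing users' generated documentation will change on the next run, so call this out in the PR description and release notes instead of leaving it implicit in the `Feat(...)` title.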
Original file line number Diff line number Diff line change
Expand Up @@ -13,15 +13,32 @@ ip security
{% if ike_policy.local_id is arista.avd.defined %}
local-id {{ ike_policy.local_id }}
{% endif %}
{% if ike_policy.ike_lifetime is arista.avd.defined %}
ike-lifetime {{ ike_policy.ike_lifetime }}
{% endif %}
{% if ike_policy.encryption is arista.avd.defined %}
encryption {{ ike_policy.encryption }}
{% endif %}
{% if ike_policy.dh_group is arista.avd.defined %}
dh-group {{ ike_policy.dh_group }}
{% endif %}
{% endfor %}
{% for sa_policy in ip_security.sa_policies | arista.avd.default([]) %}
!
sa policy {{ sa_policy.name }}
{% if sa_policy.esp.intergrity is arista.avd.defined %}
esp intergrity {{ sa_policy.esp.intergrity }}
{% if sa_policy.esp.integrity is arista.avd.defined %}
{% if sa_policy.esp.integrity == "disabled" %}
esp integrity null
{% else %}
esp integrity {{ sa_policy.esp.integrity }}
{% endif %}
{% endif %}
{% if sa_policy.esp.encryption is arista.avd.defined %}
{% if sa_policy.esp.encryption == "disabled" %}
esp encryption null
{% else %}
esp encryption {{ sa_policy.esp.encryption }}
{% endif %}
{% endif %}
{% if sa_policy.pfs_dh_group is arista.avd.defined %}
pfs dh-group {{ sa_policy.pfs_dh_group }}
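Review bot: the removed branch tested `sa_policy.esp.intergrity`, a key no schema defines, so `esp integrity ...` was never emitted before this commit; with the typo fixed, any inventory that already sets `esp.integrity` will push a new line on the next run, which is a behaviour change worth noting in the release notes alongside the `disabled` to `null` mapping. The two identical `{% if ... == "disabled" %}` / `{% else %}` blocks for `integrity` and `encryption` work, but one construct that rewrites `disabled` to `null` before emitting the line would avoid keeping the same special case in two places when the deprecated `"null"` spelling is removed in 5.0.0.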