Developing and contributing to the YDK sample apps has been an awesome learning experience, and while the first post targeted a more basic NTP YANG model, Shifted this recent contribution to a use case customers running MACsec in IOS-XR can instantly benefit from (for more information on next-gen MACsec, see: https://tinyurl.com/kws27ca ).
This MACsec key chain app (https://git.io/vSDLA ) is focused on leveraging the new YANG models for MACsec in IOS-XR, specifically around simplifying the re-key process for customers using MACsec with pre-shared keys. Customers leveraging MACsec (or any encryption solution using pre-shared keys) know, changing keys can be a rigorous repeatable process, to the point keys remain in place much longer than they should. Leveraging this YDK app for MACsec key chain modification, will offer operators the ability to automate the MACsec key chain configuration through the new YANG models, opening up more options for developers and/or other applications to leverage the model-driven method YANG offers, and simplified app YDK provides, for encryption operations in this example.
The sample YDK apps in this repo include:
- One key using AES-128-GCM ciphers (infinite lifetime)
- One key using AES-256-GCM ciphers (infinite lifetime)
- Two AES-256-GCM keys, with finite lifetimes (rolling keys example)
These are just examples of common configurations one could use, but there are a ton of variations for key change processes, depending on the organizations policies, key duration, encryption strength, etc.
One final note. If you are new to automation and programmability, and are not sure where to start, don't try to boil the ocean. A great first step is to look at any operational process you perform daily in your network, or a process that is repeatable across multiple network elements (like changing pre-shared keys in MACsec). Tackling one of those processes with NETCONF/YANG using YDK is an excellent starting point and will quickly show the power of automation.