--- 1/draft-ietf-netconf-netconf-client-server-15.txt 2019-11-02 14:13:33.175464898 -0700 +++ 2/draft-ietf-netconf-netconf-client-server-16.txt 2019-11-02 14:13:33.347469242 -0700 @@ -1,18 +1,18 @@ NETCONF Working Group K. Watsen Internet-Draft Watsen Networks -Intended status: Standards Track October 18, 2019 -Expires: April 20, 2020 +Intended status: Standards Track November 1, 2019 +Expires: May 4, 2020 NETCONF Client and Server Models - draft-ietf-netconf-netconf-client-server-15 + draft-ietf-netconf-netconf-client-server-16 Abstract This document defines two YANG modules, one module to configure a NETCONF client and the other module to configure a NETCONF server. Both modules support both the SSH and TLS transport protocols, and support both standard NETCONF and NETCONF Call Home connections. Editorial Note (To be removed by RFC Editor) @@ -44,42 +44,42 @@ o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-ssh-client- server o "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-tls-client- server Artwork in this document contains placeholder values for the date of publication of this draft. Please apply the following replacement: - o "2019-10-18" --> the publication date of this draft + o "2019-11-02" --> the publication date of this draft The following Appendix section is to be removed prior to publication: o Appendix B. Change Log Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on April 20, 2020. + This Internet-Draft will expire on May 4, 2020. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -97,43 +97,44 @@ 3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 6 3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 9 4. The NETCONF Server Model . . . . . . . . . . . . . . . . . . 20 4.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 20 4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 22 4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 28 5. Security Considerations . . . . . . . . . . . . . . . . . . . 40 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 41 6.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 41 - 6.2. The YANG Module Names Registry . . . . . . . . . . . . . 42 + 6.2. The YANG Module Names Registry . . . . . . . . . . . . . 41 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 42 7.1. Normative References . . . . . . . . . . . . . . . . . . 42 7.2. Informative References . . . . . . . . . . . . . . . . . 43 Appendix A. Expanded Tree Diagrams . . . . . . . . . . . . . . . 45 A.1. Expanded Tree Diagram for 'ietf-netconf-client' . . . . . 45 A.2. Expanded Tree Diagram for 'ietf-netconf-server' . . . . . 60 - Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 79 - B.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 79 + Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 78 + B.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 78 B.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 79 B.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 79 B.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 79 - B.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 80 - B.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 80 + B.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 79 + B.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 79 B.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 80 B.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 80 B.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 80 - B.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 81 - B.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 81 + B.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 80 + B.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 80 B.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 81 - B.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 82 - B.14. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 82 - B.15. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 82 + B.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 81 + B.14. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 81 + B.15. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 81 + B.16. 15 to 16 . . . . . . . . . . . . . . . . . . . . . . . . 82 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 82 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 82 1. Introduction This document defines two YANG [RFC7950] modules, one module to configure a NETCONF [RFC6241] client and the other module to configure a NETCONF server. Both modules support both NETCONF over SSH [RFC6242] and NETCONF over TLS [RFC7589] and NETCONF Call Home connections [RFC8071]. @@ -388,21 +389,21 @@ 3.3. YANG Module This YANG module has normative references to [RFC6242], [RFC6991], [RFC7589], [RFC8071], [I-D.kwatsen-netconf-tcp-client-server], [I-D.ietf-netconf-ssh-client-server], and [I-D.ietf-netconf-tls-client-server]. - file "ietf-netconf-client@2019-10-18.yang" + file "ietf-netconf-client@2019-11-02.yang" module ietf-netconf-client { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-client"; prefix ncc; import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types"; @@ -414,27 +415,27 @@ "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers"; } import ietf-tcp-server { prefix tcps; reference "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers"; } import ietf-ssh-client { prefix sshc; - revision-date 2019-10-18; // stable grouping definitions + revision-date 2019-11-02; // stable grouping definitions reference "RFC BBBB: YANG Groupings for SSH Clients and SSH Servers"; } import ietf-tls-client { prefix tlsc; - revision-date 2019-10-18; // stable grouping definitions + revision-date 2019-11-02; // stable grouping definitions reference "RFC CCCC: YANG Groupings for TLS Clients and TLS Servers"; } organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG Web: WG List: @@ -459,21 +460,21 @@ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself for full legal notices.; The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2019-10-18 { + revision 2019-11-02 { description "Initial version"; reference "RFC XXXX: NETCONF Client and Server Models"; } // Features feature ssh-initiate { description "The 'ssh-initiate' feature indicates that the NETCONF client @@ -1076,36 +1077,33 @@ /truststore-reference> 1 11:0A:05:11:00 - x509c2n:san-any + x509c2n:specified + scooby-doo 2 - B3:4F:A1:8C:54 - x509c2n:specified - scooby-doo + x509c2n:san-any - - config-mgr east-data-center east.config-mgr.example.com30 3 1 11:0A:05:11:00 - x509c2n:san-any + x509c2n:specified + scooby-doo 2 - B3:4F:A1:8C:54 - x509c2n:specified - scooby-doo + x509c2n:san-any west-data-center @@ -1276,32 +1273,31 @@ 30 3 1 11:0A:05:11:00 - x509c2n:san-any + x509c2n:specified + scooby-doo 2 - B3:4F:A1:8C:54 - x509c2n:specified - scooby-doo - + x509c2n:san-any + first-listed 3 @@ -1310,21 +1306,21 @@ 4.3. YANG Module This YANG module has normative references to [RFC6242], [RFC6991], [RFC7407], [RFC7589], [RFC8071], [I-D.kwatsen-netconf-tcp-client-server], [I-D.ietf-netconf-ssh-client-server], and [I-D.ietf-netconf-tls-client-server]. - file "ietf-netconf-server@2019-10-18.yang" + file "ietf-netconf-server@2019-11-02.yang" module ietf-netconf-server { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server"; prefix ncs; import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types"; @@ -1343,28 +1339,28 @@ } import ietf-tcp-server { prefix tcps; reference "RFC AAAA: YANG Groupings for TCP Clients and TCP Servers"; } import ietf-ssh-server { prefix sshs; - revision-date 2019-10-18; // stable grouping definitions + revision-date 2019-11-02; // stable grouping definitions reference "RFC BBBB: YANG Groupings for SSH Clients and SSH Servers"; } import ietf-tls-server { prefix tlss; - revision-date 2019-10-18; // stable grouping definitions + revision-date 2019-11-02; // stable grouping definitions reference "RFC CCCC: YANG Groupings for TLS Clients and TLS Servers"; } organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG Web: WG List: @@ -1382,29 +1379,28 @@ Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself for full legal notices.; - The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2019-10-18 { + revision 2019-11-02 { description "Initial version"; reference "RFC XXXX: NETCONF Client and Server Models"; } // Features feature ssh-listen { description @@ -1459,26 +1456,35 @@ statement in a container called, e.g., 'netconf-server-parameters'. This model purposely does not do this itself so as to provide maximum flexibility to consuming models."; container client-identification { description "Specifies a mapping through which clients MAY be identified (i.e., the NETCONF username) from a supplied certificate. Note that a client MAY alternatively be identified via an - HTTP-level authentication schema. This configuration does - not necessitate clients send a certificate (that can be - controlled via the ietf-netconf-server module)."; + alternate authentication scheme."; container cert-maps { when "../../../../tls"; - uses x509c2n:cert-to-name; + uses x509c2n:cert-to-name { + refine "cert-to-name/fingerprint" { + mandatory false; + description + "A 'fingerprint' value does not need to be specified + when the 'cert-to-name' mapping is independent of + fingerprint matching. A 'cert-to-name' having no + fingerprint value will match any client certificate + and therefore should only be present at the end of + the user-ordered 'cert-to-name' list."; + } + } description "The cert-maps container is used by TLS-based NETCONF servers (even if the TLS sessions are terminated externally) to map the NETCONF client's presented X.509 certificate to a NETCONF username. If no matching and valid cert-to-name list entry can be found, then the NETCONF server MUST close the connection, and MUST NOT accept NETCONF messages over it."; reference @@ -1549,45 +1554,47 @@ IANA-assigned well-known port value for 'netconf-tls' (6513) if no value is specified."; } } } container tls-server-parameters { description "A wrapper around the TLS server parameters to avoid name collisions."; - uses tlss:tls-server-grouping { + uses tlss:tls-server-grouping; /* { + FIXME: commented out since auth could also be external. + ^-- need a better 'must' expression? refine "client-authentication" { - //must 'ca-certs or client-certs'; + must 'ca-certs or client-certs'; description "NETCONF/TLS servers MUST validate client certificates."; } - } + }*/ } container netconf-server-parameters { description "A wrapper around the NETCONF server parameters to avoid name collisions."; uses ncs:netconf-server-grouping; } + } } } } grouping netconf-server-callhome-stack-grouping { description "A reusable grouping for configuring a NETCONF server 'call-home' protocol stack, for a single connection."; - choice transport { mandatory true; description "Selects between available transports."; case ssh { if-feature "ssh-call-home"; container ssh { description "Specifies SSH-specific call-home transport configuration."; @@ -1636,51 +1643,32 @@ description "The NETCONF server will attempt to connect to the IANA-assigned well-known port for 'netconf-ch-tls' (4335) if no value is specified."; } } } container tls-server-parameters { description - "A wrapper around the TLS server parameters - to avoid name collisions."; - uses tlss:tls-server-grouping { + "A wrapper around the TLS server parameters to + avoid name collisions."; + uses tlss:tls-server-grouping; /* { + FIXME: commented out since auth could also be external. + ^-- need a better 'must' expression? refine "client-authentication" { - /* commented out since auth could be external must 'ca-certs or client-certs'; - */ description "NETCONF/TLS servers MUST validate client certificates."; } - augment "client-authentication" { - description - "Augments in the cert-to-name structure."; - container cert-maps { - uses x509c2n:cert-to-name; - description - "The cert-maps container is used by a - TLS-based NETCONF server to map the - NETCONF client's presented X.509 - certificate to a NETCONF username. If - no matching and valid cert-to-name list - entry can be found, then the NETCONF - server MUST close the connection, and - MUST NOT accept NETCONF messages over - it."; - reference - "RFC WWWW: NETCONF over TLS, Section 7"; - } - } - } + }*/ } container netconf-server-parameters { description "A wrapper around the NETCONF server parameters to avoid name collisions."; uses ncs:netconf-server-grouping; } } } } @@ -1984,31 +1973,31 @@ namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-server prefix: ncs reference: RFC XXXX 7. References 7.1. Normative References [I-D.ietf-netconf-keystore] Watsen, K., "A YANG Data Model for a Keystore", draft- - ietf-netconf-keystore-12 (work in progress), July 2019. + ietf-netconf-keystore-13 (work in progress), October 2019. [I-D.ietf-netconf-ssh-client-server] Watsen, K., Wu, G., and L. Xia, "YANG Groupings for SSH Clients and SSH Servers", draft-ietf-netconf-ssh-client- - server-14 (work in progress), June 2019. + server-15 (work in progress), October 2019. [I-D.ietf-netconf-tls-client-server] Watsen, K., Wu, G., and L. Xia, "YANG Groupings for TLS Clients and TLS Servers", draft-ietf-netconf-tls-client- - server-14 (work in progress), July 2019. + server-15 (work in progress), October 2019. [I-D.kwatsen-netconf-tcp-client-server] Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients and TCP Servers", draft-kwatsen-netconf-tcp-client- server-02 (work in progress), April 2019. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . @@ -2046,21 +2035,21 @@ . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 7.2. Informative References [I-D.ietf-netconf-trust-anchors] Watsen, K., "A YANG Data Model for a Truststore", draft- - ietf-netconf-trust-anchors-05 (work in progress), June + ietf-netconf-trust-anchors-06 (work in progress), October 2019. [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, . [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, . @@ -2122,22 +2111,22 @@ | | | | | +--:(password) | | | | | | +--rw password? string | | | | | +--:(public-key) | | | | | | +--rw public-key | | | | | | +--rw (local-or-keystore) | | | | | | +--:(local) | | | | | | | {local-definiti\ \ons-supported}? | | | | | | | +--rw local-definition | | | | | | | +--rw algorithm - | | | | | | | | asymmetric\ - \-key-algorithm-t + | | | | | | | | iasa:asymm\ + \etric-algorithm-type | | | | | | | +--rw public-key-f\ \ormat? | | | | | | | | identityref | | | | | | | +--rw public-key | | | | | | | | binary | | | | | | | +--rw private-key-\ \format? | | | | | | | | identityref | | | | | | | +--rw (private-key\ \-type) @@ -2185,22 +2174,22 @@ | | | | | +--:(certificate) | | | | | +--rw certificate | | | | | {sshcmn:ssh-x509-certs\ \}? | | | | | +--rw (local-or-keystore) | | | | | +--:(local) | | | | | | {local-definiti\ \ons-supported}? | | | | | | +--rw local-definition | | | | | | +--rw algorithm - | | | | | | | asymmetric\ - \-key-algorithm-t + | | | | | | | iasa:asymm\ + \etric-algorithm-type | | | | | | +--rw public-key-f\ \ormat? | | | | | | | identityref | | | | | | +--rw public-key | | | | | | | binary | | | | | | +--rw private-key-\ \format? | | | | | | | identityref | | | | | | +--rw (private-key\ \-type) @@ -2268,65 +2257,61 @@ | | | | | +--rw keystore-refere\ \nce | | | | | +--rw asymmetric-k\ \ey? | | | | | | ks:asymmet\ \ric-key-ref | | | | | +--rw certificate?\ \ leafref | | | | +--rw server-authentication | | | | | +--rw ssh-host-keys! - | | | | | | {ts:ssh-host-keys}? | | | | | | +--rw (local-or-truststore) | | | | | | +--:(local) | | | | | | | {local-definitions-su\ \pported}? | | | | | | | +--rw local-definition | | | | | | | +--rw host-key* | | | | | | | ct:ssh-host-key | | | | | | +--:(truststore) | | | | | | {truststore-supported\ \,ssh-host-keys}? | | | | | | +--rw truststore-reference? | | | | | | ts:host-keys-ref | | | | | +--rw ca-certs! - | | | | | | {sshcmn:ssh-x509-certs,ts:x5\ - \09-certificates}? + | | | | | | {sshcmn:ssh-x509-certs}? | | | | | | +--rw (local-or-truststore) | | | | | | +--:(local) | | | | | | | {local-definitions-su\ \pported}? | | | | | | | +--rw local-definition | | | | | | | +--rw cert* | | | | | | | | trust-anchor-cer\ \t-cms | | | | | | | +---n certificate-expira\ \tion | | | | | | | +-- expiration-date | | | | | | | yang:date-and\ \-time | | | | | | +--:(truststore) | | | | | | {truststore-supported\ \,x509-certificates}? | | | | | | +--rw truststore-reference? | | | | | | ts:certificates-ref | | | | | +--rw server-certs! - | | | | | {sshcmn:ssh-x509-certs,ts:x5\ - \09-certificates}? + | | | | | {sshcmn:ssh-x509-certs}? | | | | | +--rw (local-or-truststore) | | | | | +--:(local) | | | | | | {local-definitions-su\ \pported}? | | | | | | +--rw local-definition | | | | | | +--rw cert* | | | | | | | trust-anchor-cer\ - \t-cms | | | | | | +---n certificate-expira\ \tion | | | | | | +-- expiration-date | | | | | | yang:date-and\ \-time | | | | | +--:(truststore) | | | | | {truststore-supported\ \,x509-certificates}? | | | | | +--rw truststore-reference? @@ -2361,26 +2346,25 @@ | | | +--rw keepalives! | | | {keepalives-supported}? | | | +--rw idle-time uint16 | | | +--rw max-probes uint16 | | | +--rw probe-interval uint16 | | +--rw tls-client-parameters | | | +--rw client-identity | | | | +--rw (local-or-keystore) | | | | +--:(local) | | | | | {local-definitions-suppo\ - \rted}? | | | | | +--rw local-definition | | | | | +--rw algorithm - | | | | | | asymmetric-key-algo\ - \rithm-t + | | | | | | iasa:asymmetric-alg\ + \orithm-type | | | | | +--rw public-key-format? | | | | | | identityref | | | | | +--rw public-key | | | | | | binary | | | | | +--rw private-key-format? | | | | | | identityref | | | | | +--rw (private-key-type) | | | | | | +--:(private-key) | | | | | | | +--rw private-key? | | | | | | | binary @@ -2427,41 +2411,39 @@ | | | | +--:(keystore) | | | | {keystore-supported}? | | | | +--rw keystore-reference | | | | +--rw asymmetric-key? | | | | | ks:asymmetric-key-r\ \ef | | | | +--rw certificate? lea\ \fref | | | +--rw server-authentication | | | | +--rw ca-certs! - | | | | | {ts:x509-certificates}? | | | | | +--rw (local-or-truststore) | | | | | +--:(local) | | | | | | {local-definitions-su\ \pported}? | | | | | | +--rw local-definition | | | | | | +--rw cert* | | | | | | | trust-anchor-cer\ \t-cms | | | | | | +---n certificate-expira\ \tion | | | | | | +-- expiration-date | | | | | | yang:date-and\ \-time | | | | | +--:(truststore) | | | | | {truststore-supported\ \,x509-certificates}? | | | | | +--rw truststore-reference? | | | | | ts:certificates-ref | | | | +--rw server-certs! - | | | | {ts:x509-certificates}? | | | | +--rw (local-or-truststore) | | | | +--:(local) | | | | | {local-definitions-su\ \pported}? | | | | | +--rw local-definition | | | | | +--rw cert* | | | | | | trust-anchor-cer\ \t-cms | | | | | +---n certificate-expira\ \tion @@ -2518,22 +2501,22 @@ | | | +--:(password) | | | | +--rw password? string | | | +--:(public-key) | | | | +--rw public-key | | | | +--rw (local-or-keystore) | | | | +--:(local) | | | | | {local-definitions-su\ \pported}? | | | | | +--rw local-definition | | | | | +--rw algorithm - | | | | | | asymmetric-key-a\ - \lgorithm-t + | | | | | | iasa:asymmetric-\ + \algorithm-type | | | | | +--rw public-key-format? | | | | | | identityref | | | | | +--rw public-key | | | | | | binary | | | | | +--rw private-key-format? | | | | | | identityref | | | | | +--rw (private-key-type) | | | | | +--:(private-key) | | | | | | +--rw private-key? | | | | | | binary @@ -2568,22 +2551,22 @@ \ef | | | +--:(certificate) | | | +--rw certificate | | | {sshcmn:ssh-x509-certs}? | | | +--rw (local-or-keystore) | | | +--:(local) | | | | {local-definitions-su\ \pported}? | | | | +--rw local-definition | | | | +--rw algorithm - | | | | | asymmetric-key-a\ - \lgorithm-t + | | | | | iasa:asymmetric-\ + \algorithm-type | | | | +--rw public-key-format? | | | | | identityref | | | | +--rw public-key | | | | | binary | | | | +--rw private-key-format? | | | | | identityref | | | | +--rw (private-key-type) | | | | | +--:(private-key) | | | | | | +--rw private-key? | | | | | | binary @@ -2632,54 +2615,51 @@ | | | | binary | | | +--:(keystore) | | | {keystore-supported}? | | | +--rw keystore-reference | | | +--rw asymmetric-key? | | | | ks:asymmetric-ke\ \y-ref | | | +--rw certificate? \ \leafref | | +--rw server-authentication - | | | +--rw ssh-host-keys! {ts:ssh-host-keys}? + | | | +--rw ssh-host-keys! | | | | +--rw (local-or-truststore) | | | | +--:(local) | | | | | {local-definitions-supporte\ \d}? | | | | | +--rw local-definition | | | | | +--rw host-key* | | | | | ct:ssh-host-key | | | | +--:(truststore) | | | | {truststore-supported,ssh-h\ \ost-keys}? | | | | +--rw truststore-reference? | | | | ts:host-keys-ref - | | | +--rw ca-certs! - | | | | {sshcmn:ssh-x509-certs,ts:x509-cer\ - \tificates}? + | | | +--rw ca-certs! {sshcmn:ssh-x509-certs}? | | | | +--rw (local-or-truststore) | | | | +--:(local) | | | | | {local-definitions-supporte\ \d}? | | | | | +--rw local-definition | | | | | +--rw cert* | | | | | | trust-anchor-cert-cms | | | | | +---n certificate-expiration | | | | | +-- expiration-date | | | | | yang:date-and-time | | | | +--:(truststore) | | | | {truststore-supported,x509-\ \certificates}? | | | | +--rw truststore-reference? | | | | ts:certificates-ref | | | +--rw server-certs! - | | | {sshcmn:ssh-x509-certs,ts:x509-cer\ - \tificates}? + | | | {sshcmn:ssh-x509-certs}? | | | +--rw (local-or-truststore) | | | +--:(local) | | | | {local-definitions-supporte\ \d}? | | | | +--rw local-definition | | | | +--rw cert* | | | | | trust-anchor-cert-cms | | | | +---n certificate-expiration | | | | +-- expiration-date | | | | yang:date-and-time @@ -2711,21 +2691,22 @@ | +--rw idle-time uint16 | +--rw max-probes uint16 | +--rw probe-interval uint16 +--rw tls-client-parameters | +--rw client-identity | | +--rw (local-or-keystore) | | +--:(local) | | | {local-definitions-supported}? | | | +--rw local-definition | | | +--rw algorithm - | | | | asymmetric-key-algorithm-t + | | | | iasa:asymmetric-algorithm\ + \-type | | | +--rw public-key-format? | | | | identityref | | | +--rw public-key | | | | binary | | | +--rw private-key-format? | | | | identityref | | | +--rw (private-key-type) | | | | +--:(private-key) | | | | | +--rw private-key? | | | | | binary @@ -2762,37 +2743,37 @@ | | | +--ro output | | | +--ro certificate-signing-r\ \equest | | | binary | | +--:(keystore) {keystore-supported}? | | +--rw keystore-reference | | +--rw asymmetric-key? | | | ks:asymmetric-key-ref | | +--rw certificate? leafref | +--rw server-authentication - | | +--rw ca-certs! {ts:x509-certificates}? + | | +--rw ca-certs! | | | +--rw (local-or-truststore) | | | +--:(local) | | | | {local-definitions-supporte\ \d}? | | | | +--rw local-definition | | | | +--rw cert* | | | | | trust-anchor-cert-cms | | | | +---n certificate-expiration | | | | +-- expiration-date | | | | yang:date-and-time | | | +--:(truststore) | | | {truststore-supported,x509-\ \certificates}? | | | +--rw truststore-reference? | | | ts:certificates-ref - | | +--rw server-certs! {ts:x509-certificates}? + | | +--rw server-certs! | | +--rw (local-or-truststore) | | +--:(local) | | | {local-definitions-supporte\ \d}? | | | +--rw local-definition | | | +--rw cert* | | | | trust-anchor-cert-cms | | | +---n certificate-expiration | | | +-- expiration-date | | | yang:date-and-time @@ -2847,22 +2828,22 @@ | | | | +--rw name string | | | | +--rw (host-key-type) | | | | +--:(public-key) | | | | | +--rw public-key | | | | | +--rw (local-or-keystore) | | | | | +--:(local) | | | | | | {local-definitions\ \-supported}? | | | | | | +--rw local-definition | | | | | | +--rw algorithm - | | | | | | | asymmetric-ke\ - \y-algorithm-t + | | | | | | | iasa:asymmetr\ + \ic-algorithm-type | | | | | | +--rw public-key-form\ \at? | | | | | | | identityref | | | | | | +--rw public-key | | | | | | | binary | | | | | | +--rw private-key-for\ \mat? | | | | | | | identityref | | | | | | +--rw (private-key-ty\ \pe) @@ -2904,22 +2885,22 @@ \y-ref | | | | +--:(certificate) | | | | +--rw certificate | | | | {sshcmn:ssh-x509-certs}? | | | | +--rw (local-or-keystore) | | | | +--:(local) | | | | | {local-definitions\ \-supported}? | | | | | +--rw local-definition | | | | | +--rw algorithm - | | | | | | asymmetric-ke\ - \y-algorithm-t + | | | | | | iasa:asymmetr\ + \ic-algorithm-type | | | | | +--rw public-key-form\ \at? | | | | | | identityref | | | | | +--rw public-key | | | | | | binary | | | | | +--rw private-key-for\ \mat? | | | | | | identityref | | | | | +--rw (private-key-ty\ \pe) @@ -2992,39 +2973,38 @@ | | | | | +--rw other* string | | | | +--rw (local-or-external) | | | | +--:(local) | | | | | {local-client-auth-supported}? | | | | | +--rw users | | | | | +--rw user* [name] | | | | | +--rw name string | | | | | +--rw password? | | | | | | ianach:crypt-hash | | | | | +--rw host-keys! - | | | | | | {ts:ssh-host-keys}? | | | | | | +--rw (local-or-truststore) | | | | | | +--:(local) | | | | | | | {local-definiti\ \ons-supported}? | | | | | | | +--rw local-definition | | | | | | | +--rw host-key* | | | | | | | ct:ssh-hos\ \t-key | | | | | | +--:(truststore) | | | | | | {truststore-sup\ \ported,ssh-host-keys}? | | | | | | +--rw truststore-refe\ \rence? | | | | | | ts:host-keys-\ \ref | | | | | +--rw ca-certs! | | | | | | {sshcmn:ssh-x509-certs\ - \,ts:x509-certificates}? + \}? | | | | | | +--rw (local-or-truststore) | | | | | | +--:(local) | | | | | | | {local-definiti\ \ons-supported}? | | | | | | | +--rw local-definition | | | | | | | +--rw cert* | | | | | | | | trust-anch\ \or-cert-cms | | | | | | | +---n certificate-\ \expiration @@ -3034,21 +3014,21 @@ \te-and-time | | | | | | +--:(truststore) | | | | | | {truststore-sup\ \ported,x509-certificates}? | | | | | | +--rw truststore-refe\ \rence? | | | | | | ts:certificat\ \es-ref | | | | | +--rw client-certs! | | | | | {sshcmn:ssh-x509-certs\ - \,ts:x509-certificates}? + \}? | | | | | +--rw (local-or-truststore) | | | | | +--:(local) | | | | | | {local-definiti\ \ons-supported}? | | | | | | +--rw local-definition | | | | | | +--rw cert* | | | | | | | trust-anch\ \or-cert-cms | | | | | | +---n certificate-\ \expiration @@ -3079,41 +3059,42 @@ | | | | +--rw mac | | | | +--rw mac-alg* identityref | | | +--rw keepalives! {ssh-server-keepalives}? | | | +--rw max-wait? uint16 | | | +--rw max-attempts? uint8 | | +--rw netconf-server-parameters | | +--rw client-identification | | +--rw cert-maps | | +--rw cert-to-name* [id] | | +--rw id uint32 - | | +--rw fingerprint + | | +--rw fingerprint? | | | x509c2n:tls-fingerprint | | +--rw map-type identityref | | +--rw name string | +--:(tls) {tls-listen}? | +--rw tls | +--rw tcp-server-parameters | | +--rw local-address inet:ip-address | | +--rw local-port? inet:port-number | | +--rw keepalives! {keepalives-supported}? | | +--rw idle-time uint16 | | +--rw max-probes uint16 | | +--rw probe-interval uint16 | +--rw tls-server-parameters | | +--rw server-identity | | | +--rw (local-or-keystore) | | | +--:(local) | | | | {local-definitions-supported}? | | | | +--rw local-definition | | | | +--rw algorithm - | | | | | asymmetric-key-algorithm-t + | | | | | iasa:asymmetric-algorithm\ + \-type | | | | +--rw public-key-format? | | | | | identityref | | | | +--rw public-key | | | | | binary | | | | +--rw private-key-format? | | | | | identityref | | | | +--rw (private-key-type) | | | | | +--:(private-key) | | | | | | +--rw private-key? | | | | | | binary @@ -3161,41 +3142,39 @@ | | | | +--:(required) | | | | | +--rw required? | | | | | empty | | | | +--:(optional) | | | | +--rw optional? | | | | empty | | | +--rw (local-or-external) | | | +--:(local) | | | | {local-client-auth-supported}? | | | | +--rw ca-certs! - | | | | | {ts:x509-certificates}? | | | | | +--rw (local-or-truststore) | | | | | +--:(local) | | | | | | {local-definitions-su\ \pported}? | | | | | | +--rw local-definition | | | | | | +--rw cert* | | | | | | | trust-anchor-cer\ \t-cms | | | | | | +---n certificate-expira\ \tion | | | | | | +-- expiration-date | | | | | | yang:date-and\ \-time | | | | | +--:(truststore) | | | | | {truststore-supported\ \,x509-certificates}? | | | | | +--rw truststore-reference? | | | | | ts:certificates-ref | | | | +--rw client-certs! - | | | | {ts:x509-certificates}? | | | | +--rw (local-or-truststore) | | | | +--:(local) | | | | | {local-definitions-su\ \pported}? | | | | | +--rw local-definition | | | | | +--rw cert* | | | | | | trust-anchor-cer\ \t-cms | | | | | +---n certificate-expira\ \tion @@ -3219,21 +3198,21 @@ | | | +--rw cipher-suites | | | +--rw cipher-suite* identityref | | +--rw keepalives! {tls-server-keepalives}? | | +--rw max-wait? uint16 | | +--rw max-attempts? uint8 | +--rw netconf-server-parameters | +--rw client-identification | +--rw cert-maps | +--rw cert-to-name* [id] | +--rw id uint32 - | +--rw fingerprint + | +--rw fingerprint? | | x509c2n:tls-fingerprint | +--rw map-type identityref | +--rw name string +--rw call-home! {ssh-call-home or tls-call-home}? +--rw netconf-client* [name] +--rw name string +--rw endpoints | +--rw endpoint* [name] | +--rw name string | +--rw (transport) @@ -3258,22 +3237,22 @@ | | | | +--rw (host-key-type) | | | | +--:(public-key) | | | | | +--rw public-key | | | | | +--rw (local-or-keystore) | | | | | +--:(local) | | | | | | {local-defin\ \itions-supported}? | | | | | | +--rw local-defini\ \tion | | | | | | +--rw algorithm - | | | | | | | asymmet\ - \ric-key-algorithm-t + | | | | | | | iasa:as\ + \ymmetric-algorithm-type | | | | | | +--rw public-ke\ \y-format? | | | | | | | identit\ \yref | | | | | | +--rw public-key | | | | | | | binary | | | | | | +--rw private-k\ \ey-format? | | | | | | | identit\ \yref @@ -3325,22 +3303,22 @@ | | | | +--rw certificate | | | | {sshcmn:ssh-x509-ce\ \rts}? | | | | +--rw (local-or-keystore) | | | | +--:(local) | | | | | {local-defin\ \itions-supported}? | | | | | +--rw local-defini\ \tion | | | | | +--rw algorithm - | | | | | | asymmet\ - \ric-key-algorithm-t + | | | | | | iasa:as\ + \ymmetric-algorithm-type | | | | | +--rw public-ke\ \y-format? | | | | | | identit\ \yref | | | | | +--rw public-key | | | | | | binary | | | | | +--rw private-k\ \ey-format? | | | | | | identit\ \yref @@ -3421,32 +3399,30 @@ | | | | +--rw supported-authentication-metho\ \ds | | | | | +--rw publickey? empty | | | | | +--rw passsword? empty | | | | | +--rw hostbased? empty | | | | | +--rw none? empty | | | | | +--rw other* string | | | | +--rw (local-or-external) | | | | +--:(local) | | | | | {local-client-auth-suppo\ - \rted}? | | | | | +--rw users | | | | | +--rw user* [name] | | | | | +--rw name | | | | | | string | | | | | +--rw password? | | | | | | ianach:crypt-hash | | | | | +--rw host-keys! - | | | | | | {ts:ssh-host-key\ - \s}? | | | | | | +--rw (local-or-trust\ + \store) | | | | | | +--:(local) | | | | | | | {local-de\ \finitions-supported}? | | | | | | | +--rw local-def\ \inition | | | | | | | +--rw host-k\ \ey* | | | | | | | ct:s\ \sh-host-key @@ -3452,21 +3428,21 @@ \sh-host-key | | | | | | +--:(truststore) | | | | | | {truststo\ \re-supported,ssh-host-keys}? | | | | | | +--rw truststor\ \e-reference? | | | | | | ts:host\ \-keys-ref | | | | | +--rw ca-certs! | | | | | | {sshcmn:ssh-x509\ - \-certs,ts:x509-certificates}? + \-certs}? | | | | | | +--rw (local-or-trust\ \store) | | | | | | +--:(local) | | | | | | | {local-de\ \finitions-supported}? | | | | | | | +--rw local-def\ \inition | | | | | | | +--rw cert* | | | | | | | | trus\ \t-anchor-cert-cms @@ -3478,21 +3454,21 @@ \ang:date-and-time | | | | | | +--:(truststore) | | | | | | {truststo\ \re-supported,x509-certificates}? | | | | | | +--rw truststor\ \e-reference? | | | | | | ts:cert\ \ificates-ref | | | | | +--rw client-certs! | | | | | {sshcmn:ssh-x509\ - \-certs,ts:x509-certificates}? + \-certs}? | | | | | +--rw (local-or-trust\ \store) | | | | | +--:(local) | | | | | | {local-de\ \finitions-supported}? | | | | | | +--rw local-def\ \inition | | | | | | +--rw cert* | | | | | | | trus\ \t-anchor-cert-cms @@ -3530,21 +3506,21 @@ | | | | +--rw mac-alg* identityref | | | +--rw keepalives! | | | {ssh-server-keepalives}? | | | +--rw max-wait? uint16 | | | +--rw max-attempts? uint8 | | +--rw netconf-server-parameters | | +--rw client-identification | | +--rw cert-maps | | +--rw cert-to-name* [id] | | +--rw id uint32 - | | +--rw fingerprint + | | +--rw fingerprint? | | | x509c2n:tls-fingerprint | | +--rw map-type | | | identityref | | +--rw name string | +--:(tls) {tls-call-home}? | +--rw tls | +--rw tcp-client-parameters | | +--rw remote-address inet:host | | +--rw remote-port? inet:port-number | | +--rw local-address? inet:ip-address @@ -3557,22 +3533,22 @@ | | +--rw max-probes uint16 | | +--rw probe-interval uint16 | +--rw tls-server-parameters | | +--rw server-identity | | | +--rw (local-or-keystore) | | | +--:(local) | | | | {local-definitions-suppo\ \rted}? | | | | +--rw local-definition | | | | +--rw algorithm - | | | | | asymmetric-key-algo\ - \rithm-t + | | | | | iasa:asymmetric-alg\ + \orithm-type | | | | +--rw public-key-format? | | | | | identityref | | | | +--rw public-key | | | | | binary | | | | +--rw private-key-format? | | | | | identityref | | | | +--rw (private-key-type) | | | | | +--:(private-key) | | | | | | +--rw private-key? | | | | | | binary @@ -3627,48 +3602,24 @@ \fref | | +--rw client-authentication! | | | +--rw (required-or-optional) | | | | +--:(required) | | | | | +--rw required? | | | | | empty | | | | +--:(optional) | | | | +--rw optional? | | | | empty | | | +--rw (local-or-external) - | | | | +--:(local) - | | | | | {local-client-auth-suppo\ + | | | +--:(local) + | | | | {local-client-auth-suppo\ \rted}? - | | | | | +--rw ca-certs! - | | | | | | {ts:x509-certificates}? - | | | | | | +--rw (local-or-truststore) - | | | | | | +--:(local) - | | | | | | | {local-definiti\ - \ons-supported}? - | | | | | | | +--rw local-definition - | | | | | | | +--rw cert* - | | | | | | | | trust-anch\ - \or-cert-cms - | | | | | | | +---n certificate-\ - \expiration - | | | | | | | +-- expiration-\ - \date - | | | | | | | yang:da\ - \te-and-time - | | | | | | +--:(truststore) - | | | | | | {truststore-sup\ - \ported,x509-certificates}? - | | | | | | +--rw truststore-refe\ - \rence? - | | | | | | ts:certificat\ - \es-ref - | | | | | +--rw client-certs! - | | | | | {ts:x509-certificates}? + | | | | +--rw ca-certs! | | | | | +--rw (local-or-truststore) | | | | | +--:(local) | | | | | | {local-definiti\ \ons-supported}? | | | | | | +--rw local-definition | | | | | | +--rw cert* | | | | | | | trust-anch\ \or-cert-cms | | | | | | +---n certificate-\ \expiration @@ -3676,51 +3627,65 @@ \date | | | | | | yang:da\ \te-and-time | | | | | +--:(truststore) | | | | | {truststore-sup\ \ported,x509-certificates}? | | | | | +--rw truststore-refe\ \rence? | | | | | ts:certificat\ \es-ref - | | | | +--:(external) - | | | | {external-client-auth-su\ + | | | | +--rw client-certs! + | | | | +--rw (local-or-truststore) + | | | | +--:(local) + | | | | | {local-definiti\ + \ons-supported}? + | | | | | +--rw local-definition + | | | | | +--rw cert* + | | | | | | trust-anch\ + \or-cert-cms + | | | | | +---n certificate-\ + \expiration + | | | | | +-- expiration-\ + \date + | | | | | yang:da\ + \te-and-time + | | | | +--:(truststore) + | | | | {truststore-sup\ + \ported,x509-certificates}? + | | | | +--rw truststore-refe\ + \rence? + | | | | ts:certificat\ + \es-ref + | | | +--:(external) + | | | {external-client-auth-su\ \pported}? - | | | | +--rw client-auth-defined-else\ + | | | +--rw client-auth-defined-else\ \where? - | | | | empty - | | | +--rw cert-maps - | | | +--rw cert-to-name* [id] - | | | +--rw id uint32 - | | | +--rw fingerprint - | | | | x509c2n:tls-fingerprint - | | | +--rw map-type - | | | | identityref - | | | +--rw name string + | | | empty | | +--rw hello-params | | | {tls-server-hello-params-config\ \}? | | | +--rw tls-versions | | | | +--rw tls-version* identityref | | | +--rw cipher-suites | | | +--rw cipher-suite* identityref | | +--rw keepalives! | | {tls-server-keepalives}? | | +--rw max-wait? uint16 | | +--rw max-attempts? uint8 | +--rw netconf-server-parameters | +--rw client-identification | +--rw cert-maps | +--rw cert-to-name* [id] | +--rw id uint32 - | +--rw fingerprint + | +--rw fingerprint? | | x509c2n:tls-fingerprint | +--rw map-type | | identityref | +--rw name string +--rw connection-type | +--rw (connection-type) | +--:(persistent-connection) | | +--rw persistent! | +--:(periodic-connection) | +--rw periodic! @@ -3870,20 +3835,28 @@ o Updated examples to reflect ietf-crypto-types change (e.g., identities --> enumerations) B.15. 14 to 15 o Refactored both the client and server modules similar to how the ietf-restconf-server module was refactored in -13 of that draft, and the ietf-restconf-client grouping. +B.16. 15 to 16 + + o Added refinement to make "cert-to-name/fingerprint" be mandatory + false. + + o Commented out refinement to "tls-server-grouping/client- + authentication" until a better "must" expression is defined. + Acknowledgements The authors would like to thank for following for lively discussions on list and in the halls (ordered by last name): Andy Bierman, Martin Bjorklund, Benoit Claise, Ramkumar Dhanapal, Mehmet Ersue, Balazs Kovacs, David Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci, Tom Petch, Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert Wijnen. Author's Address