draft-ietf-netconf-tls-client-server-02.txt   draft-ietf-netconf-tls-client-server-03.txt 
NETCONF Working Group K. Watsen NETCONF Working Group K. Watsen
Internet-Draft Juniper Networks Internet-Draft Juniper Networks
Intended status: Standards Track G. Wu Intended status: Standards Track G. Wu
Expires: September 14, 2017 Cisco Systems Expires: December 15, 2017 Cisco Systems
March 13, 2017 June 13, 2017
TLS Client and Server Models TLS Client and Server Models
draft-ietf-netconf-tls-client-server-02 draft-ietf-netconf-tls-client-server-03
Abstract Abstract
This document defines three YANG modules: the first defines groupings This document defines three YANG modules: the first defines groupings
for a generic TLS client, the second defines groupings for a generic for a generic TLS client, the second defines groupings for a generic
TLS server, and the third defines common identities and groupings TLS server, and the third defines common identities and groupings
used by both the client and the server. It is intended that these used by both the client and the server. It is intended that these
groupings will be used by applications using the TLS protocol. groupings will be used by applications using the TLS protocol.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
skipping to change at page 1, line 44 skipping to change at page 1, line 44
Artwork in this document contains shorthand references to drafts in Artwork in this document contains shorthand references to drafts in
progress. Please apply the following replacements: progress. Please apply the following replacements:
o "XXXX" --> the assigned RFC value for this draft o "XXXX" --> the assigned RFC value for this draft
o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-keystore o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-keystore
Artwork in this document contains placeholder values for the date of Artwork in this document contains placeholder values for the date of
publication of this draft. Please apply the following replacement: publication of this draft. Please apply the following replacement:
o "2017-03-13" --> the publication date of this draft o "2017-06-13" --> the publication date of this draft
The following two Appendix sections are to be removed prior to The following Appendix section is to be removed prior to publication:
publication:
o Appendix A. Change Log o Appendix A. Change Log
o Appendix B. Open Issues
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 14, 2017. This Internet-Draft will expire on December 15, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3
2. The TLS Client Model . . . . . . . . . . . . . . . . . . . . 4 2. The TLS Client Model . . . . . . . . . . . . . . . . . . . . 4
2.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 2.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 5 2.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 5
2.3. YANG Model . . . . . . . . . . . . . . . . . . . . . . . 5 2.3. YANG Model . . . . . . . . . . . . . . . . . . . . . . . 5
3. The TLS Server Model . . . . . . . . . . . . . . . . . . . . 8 3. The TLS Server Model . . . . . . . . . . . . . . . . . . . . 8
3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 8 3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 9
3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 9 3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 9
3.3. YANG Model . . . . . . . . . . . . . . . . . . . . . . . 9 3.3. YANG Model . . . . . . . . . . . . . . . . . . . . . . . 10
4. The TLS Common Model . . . . . . . . . . . . . . . . . . . . 12 4. The TLS Common Model . . . . . . . . . . . . . . . . . . . . 13
4.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 13 4.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 13
4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 13 4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 13
4.3. YANG Model . . . . . . . . . . . . . . . . . . . . . . . 13 4.3. YANG Model . . . . . . . . . . . . . . . . . . . . . . . 14
5. Security Considerations . . . . . . . . . . . . . . . . . . . 21 5. Security Considerations . . . . . . . . . . . . . . . . . . . 21
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22
6.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 22 6.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 22
6.2. The YANG Module Names Registry . . . . . . . . . . . . . 22 6.2. The YANG Module Names Registry . . . . . . . . . . . . . 22
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 23
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
8.1. Normative References . . . . . . . . . . . . . . . . . . 23 8.1. Normative References . . . . . . . . . . . . . . . . . . 23
8.2. Informative References . . . . . . . . . . . . . . . . . 24 8.2. Informative References . . . . . . . . . . . . . . . . . 24
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 25 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 26
A.1. server-model-09 to 00 . . . . . . . . . . . . . . . . . . 25 A.1. server-model-09 to 00 . . . . . . . . . . . . . . . . . . 26
A.2. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 25 A.2. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 26
A.3. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 25 A.3. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 26
Appendix B. Open Issues . . . . . . . . . . . . . . . . . . . . 25 A.4. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 26
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26
1. Introduction 1. Introduction
This document defines three YANG [RFC7950] modules: the first defines This document defines three YANG [RFC7950] modules: the first defines
a grouping for a generic TLS client, the second defines a grouping a grouping for a generic TLS client, the second defines a grouping
for a generic TLS server, and the third defines identities and for a generic TLS server, and the third defines identities and
groupings common to both the client and the server (TLS is defined in groupings common to both the client and the server (TLS is defined in
[RFC5246]). It is intended that these groupings will be used by [RFC5246]). It is intended that these groupings will be used by
applications using the TLS protocol. For instance, these groupings applications using the TLS protocol. For instance, these groupings
could be used to help define the data model for an HTTPS [RFC2818] could be used to help define the data model for an HTTPS [RFC2818]
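Review bot: the introduction's opening sentence ("the first defines a grouping for a generic TLS client, the second defines a grouping for a generic TLS server") disagrees with the abstract, which says "groupings" for both; use one phrasing in both places so the reader is not left wondering whether each module exports one grouping or several. Separately, the editorial note now lists only Appendix A for removal, which matches the new table of contents, but the -03 change log (A.4) does not record that Appendix B "Open Issues" was dropped; a one-line entry there would keep the log complete.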
skipping to change at page 5, line 50 skipping to change at page 5, line 50
<certificate>builtin-idevid-cert</certificate> <certificate>builtin-idevid-cert</certificate>
</client-auth> </client-auth>
</tls-client> </tls-client>
2.3. YANG Model 2.3. YANG Model
This YANG module has a normative references to [RFC6991] and This YANG module has a normative references to [RFC6991] and
[I-D.ietf-netconf-keystore]. [I-D.ietf-netconf-keystore].
<CODE BEGINS> file "ietf-tls-client@2017-03-13.yang" <CODE BEGINS> file "ietf-tls-client@2017-06-13.yang"
module ietf-tls-client { module ietf-tls-client {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client";
prefix "tlsc"; prefix "tlsc";
import ietf-tls-common { import ietf-tls-common {
prefix tlscom; prefix tlscom;
revision-date 2017-03-13; // stable grouping definitions revision-date 2017-06-13; // stable grouping definitions
reference reference
"RFC XXXX: TLS Client and Server Models"; "RFC XXXX: TLS Client and Server Models";
} }
import ietf-keystore { import ietf-keystore {
prefix ks; prefix ks;
reference reference
"RFC YYYY: Keystore Model"; "RFC YYYY: Keystore Model";
} }
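Review bot: the lead-in sentence for 2.3, "This YANG module has a normative references to [RFC6991] and [I-D.ietf-netconf-keystore].", mixes singular and plural; make it "This YANG module has normative references to ...". The same sentence recurs verbatim before the server and common modules, so fix all three in one pass.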
skipping to change at page 6, line 50 skipping to change at page 6, line 50
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2017-03-13" { revision "2017-06-13" {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: TLS Client and Server Models"; "RFC XXXX: TLS Client and Server Models";
} }
feature tls-client-hello-params-config { feature tls-client-hello-params-config {
description description
"TLS hello message parameters are configurable on a TLS "TLS hello message parameters are configurable on a TLS
client."; client.";
} }
grouping tls-client-grouping { grouping tls-client-grouping {
description description
"A reusable grouping for configuring a TLS client without "A reusable grouping for configuring a TLS client without
any consideration for how an underlying TCP session is any consideration for how an underlying TCP session is
established."; established.";
container server-auth { container server-auth {
must 'trusted-ca-certs or trusted-server-certs';
description description
"Trusted server identities."; "Trusted server identities.";
leaf trusted-ca-certs { leaf trusted-ca-certs {
type leafref { type leafref {
path "/ks:keystore/ks:trusted-certificates/ks:name"; path "/ks:keystore/ks:trusted-certificates/ks:name";
} }
description description
"A reference to a list of certificate authority (CA) "A reference to a list of certificate authority (CA)
certificates used by the TLS client to authenticate certificates used by the TLS client to authenticate
TLS server certificates."; TLS server certificates. A server certificate is
authenticated if it has a valid chain of trust to
a configured trusted CA certificate.";
} }
leaf trusted-server-certs { leaf trusted-server-certs {
type leafref { type leafref {
path "/ks:keystore/ks:trusted-certificates/ks:name"; path "/ks:keystore/ks:trusted-certificates/ks:name";
} }
description description
"A reference to a list of server certificates used by "A reference to a list of server certificates used by
the TLS client to authenticate TLS server certificates. the TLS client to authenticate TLS server certificates.
A server certificate is authenticated if it is an A server certificate is authenticated if it is an
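Review bot: the new `must 'trusted-ca-certs or trusted-server-certs';` in container server-auth carries no error-message (or description), so a configuration that omits both leafs fails with only a generic constraint-violation error; add an error-message along the lines of "At least one of trusted-ca-certs or trusted-server-certs must be configured." so operators can diagnose the rejection. Note also what the constraint does and does not guarantee: it ensures that at least one leafref to a keystore trusted-certificates entry is present, but whether that referenced entry may itself be empty is decided by the keystore module, not by this grouping. Since the updated description for trusted-ca-certs now says a server certificate is authenticated only if it chains to a configured trusted CA certificate, it is worth stating explicitly that an empty trust list results in every server certificate being rejected (fail closed) rather than accepted, so that implementers do not treat "no anchors" as "no verification".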
skipping to change at page 9, line 42 skipping to change at page 10, line 4
<certificates> <certificates>
<certificate> <certificate>
<name>tls-ec-cert</name> <name>tls-ec-cert</name>
</certificate> </certificate>
</certificates> </certificates>
<client-auth> <client-auth>
<trusted-ca-certs>deployment-specific-ca-certs</trusted-ca-certs> <trusted-ca-certs>deployment-specific-ca-certs</trusted-ca-certs>
<trusted-client-certs>explicitly-trusted-client-certs</trusted-client-certs> <trusted-client-certs>explicitly-trusted-client-certs</trusted-client-certs>
</client-auth> </client-auth>
</tls-server> </tls-server>
3.3. YANG Model 3.3. YANG Model
This YANG module has a normative references to [RFC6991], and This YANG module has a normative references to [RFC6991], and
[I-D.ietf-netconf-keystore]. [I-D.ietf-netconf-keystore].
<CODE BEGINS> file "ietf-tls-server@2017-03-13.yang" <CODE BEGINS> file "ietf-tls-server@2017-06-13.yang"
module ietf-tls-server { module ietf-tls-server {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server";
prefix "tlss"; prefix "tlss";
import ietf-tls-common { import ietf-tls-common {
prefix tlscom; prefix tlscom;
revision-date 2017-03-13; // stable grouping definitions revision-date 2017-06-13; // stable grouping definitions
reference reference
"RFC XXXX: TLS Client and Server Models"; "RFC XXXX: TLS Client and Server Models";
} }
import ietf-keystore { import ietf-keystore {
prefix ks; prefix ks;
reference reference
"RFC YYYY: Keystore Model"; "RFC YYYY: Keystore Model";
} }
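Review bot: the lead-in for 3.3, "has a normative references to [RFC6991], and [I-D.ietf-netconf-keystore].", has the same singular/plural problem as 2.3 plus a stray comma before "and" in a two-item list; make it "has normative references to [RFC6991] and [I-D.ietf-netconf-keystore]." On the example in 3.2, the server's client-auth container is shown with both trusted-ca-certs and trusted-client-certs, yet the -03 change adds a must statement only to the client's server-auth (per A.4). The portion of the server module that defines client-auth is not visible in this diff, so please confirm whether the symmetric constraint is wanted there: if client-auth is meant to turn on client certificate authentication, allowing it with neither trust list configured would leave the server requesting a certificate it cannot validate.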
skipping to change at page 10, line 49 skipping to change at page 11, line 11
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2017-03-13" { revision "2017-06-13" {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: TLS Client and Server Models"; "RFC XXXX: TLS Client and Server Models";
} }
feature tls-server-hello-params-config { feature tls-server-hello-params-config {
description description
"TLS hello message parameters are configurable on a TLS "TLS hello message parameters are configurable on a TLS
server."; server.";
skipping to change at page 14, line 5 skipping to change at page 14, line 25
<cipher-suite>rsa-with-3des-ede-cbc-sha</cipher-suite> <cipher-suite>rsa-with-3des-ede-cbc-sha</cipher-suite>
</cipher-suites> </cipher-suites>
</hello-params> </hello-params>
4.3. YANG Model 4.3. YANG Model
This YANG module has a normative references to [RFC4492], [RFC5246], This YANG module has a normative references to [RFC4492], [RFC5246],
[RFC5288], and [RFC5289]. [RFC5288], and [RFC5289].
<CODE BEGINS> file "ietf-tls-common@2017-03-13.yang" <CODE BEGINS> file "ietf-tls-common@2017-06-13.yang"
module ietf-tls-common { module ietf-tls-common {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common";
prefix "tlscom"; prefix "tlscom";
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
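Review bot: the 4.2 example configures `<cipher-suite>rsa-with-3des-ede-cbc-sha</cipher-suite>` as the illustrated suite; a static-RSA key-transport suite gives no forward secrecy and 3DES is a 64-bit-block cipher, so an example that readers are likely to copy into real configurations should showcase one of the ECDHE AES-GCM suites from [RFC5288]/[RFC5289], which the section already lists as normative references and which the tls-ecc feature exists to support. Keeping the 3DES suite in the identity list for interoperability is fine; the point is only about what the example presents as the default choice. The same "has a normative references" grammar slip appears in this section's lead-in and should be corrected with the other two.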
skipping to change at page 14, line 43 skipping to change at page 15, line 16
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2017-03-13" { revision "2017-06-13" {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: TLS Client and Server Models"; "RFC XXXX: TLS Client and Server Models";
} }
// features // features
feature tls-ecc { feature tls-ecc {
description description
"Elliptic Curve Cryptography (ECC) is supported for TLS."; "Elliptic Curve Cryptography (ECC) is supported for TLS.";
skipping to change at page 22, line 50 skipping to change at page 23, line 24
name: ietf-tls-common name: ietf-tls-common
namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common
prefix: tlss prefix: tlss
reference: RFC XXXX reference: RFC XXXX
7. Acknowledgements 7. Acknowledgements
The authors would like to thank for following for lively discussions The authors would like to thank for following for lively discussions
on list and in the halls (ordered by last name): Andy Bierman, Martin on list and in the halls (ordered by last name): Andy Bierman, Martin
Bjorklund, Benoit Claise, Mehmet Ersue, David Lamparter, Alan Luchuk, Bjorklund, Benoit Claise, Mehmet Ersue, Balazs Kovacs, David
Ladislav Lhotka, Radek Krejci, Tom Petch, Juergen Schoenwaelder, Phil Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci, Tom Petch,
Shafer, Sean Turner, and Bert Wijnen. Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert Wijnen.
8. References 8. References
8.1. Normative References 8.1. Normative References
[I-D.ietf-netconf-keystore] [I-D.ietf-netconf-keystore]
Watsen, K. and G. Wu, "Keystore Model", draft-ietf- Watsen, K., "Keystore Model", draft-ietf-netconf-
netconf-keystore-00 (work in progress), October 2016. keystore-01 (work in progress), March 2017.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)", RFC 4492, for Transport Layer Security (TLS)", RFC 4492,
DOI 10.17487/RFC4492, May 2006, DOI 10.17487/RFC4492, May 2006,
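Review bot: the YANG Module Names registration for ietf-tls-common in 6.2 lists `prefix: tlss`, but the module itself declares `prefix "tlscom";` (and both the client and server modules import it with `prefix tlscom;`); the registry entry should read `prefix: tlscom`, otherwise IANA will register a prefix that collides with the ietf-tls-server module's "tlss". In the acknowledgements, "would like to thank for following" should be "would like to thank the following". The updated [I-D.ietf-netconf-keystore] entry now cites draft-01 with a single author, which is consistent with the editorial note's "YYYY" replacement instruction.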
skipping to change at page 25, line 27 skipping to change at page 26, line 27
A.3. 01 to 02 A.3. 01 to 02
o Removed the groupings containing transport-level configuration. o Removed the groupings containing transport-level configuration.
Now modules contain only the transport-independent groupings. Now modules contain only the transport-independent groupings.
o Filled in previously incomplete 'ietf-tls-client' module. o Filled in previously incomplete 'ietf-tls-client' module.
o Added cipher suites for various algorithms into new 'ietf-tls- o Added cipher suites for various algorithms into new 'ietf-tls-
common' module. common' module.
Appendix B. Open Issues A.4. 02 to 03
Please see: https://github.com/netconf-wg/tls-client-server/issues. o Added a 'must' statement to container 'server-auth' asserting that
at least one of the various auth mechanisms must be specified.
o Fixed description statement for leaf 'trusted-ca-certs'.
Authors' Addresses Authors' Addresses
Kent Watsen Kent Watsen
Juniper Networks Juniper Networks
EMail: kwatsen@juniper.net EMail: kwatsen@juniper.net
Gary Wu Gary Wu
Cisco Systems Cisco Systems
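Review bot: the A.4 entry "asserting that at least one of the various auth mechanisms must be specified" is vaguer than the change it describes; the must statement names exactly two leafs, so say "at least one of 'trusted-ca-certs' or 'trusted-server-certs' must be configured" so the log can be matched against the module text. A.4 should also record the removal of Appendix B "Open Issues" (and the corresponding edit to the editorial note), since that is a visible structural change in -03 that the log currently omits.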
End of changes. 28 change blocks.
38 lines changed or deleted, 40 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/