draft-ietf-netconf-tls-client-server-07.txt   draft-ietf-netconf-tls-client-server-08.txt 
NETCONF Working Group K. Watsen NETCONF Working Group K. Watsen
Internet-Draft Juniper Networks Internet-Draft Juniper Networks
Intended status: Standards Track G. Wu Intended status: Standards Track G. Wu
Expires: March 24, 2019 Cisco Systems Expires: April 25, 2019 Cisco Systems
September 20, 2018 L. Xia
Huawei
October 22, 2018
YANG Groupings for TLS Clients and TLS Servers YANG Groupings for TLS Clients and TLS Servers
draft-ietf-netconf-tls-client-server-07 draft-ietf-netconf-tls-client-server-08
Abstract Abstract
This document defines three YANG modules: the first defines groupings This document defines three YANG modules: the first defines groupings
for a generic TLS client, the second defines groupings for a generic for a generic TLS client, the second defines groupings for a generic
TLS server, and the third defines common identities and groupings TLS server, and the third defines common identities and groupings
used by both the client and the server. It is intended that these used by both the client and the server. It is intended that these
groupings will be used by applications using the TLS protocol. groupings will be used by applications using the TLS protocol.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
skipping to change at page 1, line 49 skipping to change at page 2, line 5
o "XXXX" --> the assigned RFC value for this draft o "XXXX" --> the assigned RFC value for this draft
o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-trust- o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-trust-
anchors anchors
o "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-keystore o "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-keystore
Artwork in this document contains placeholder values for the date of Artwork in this document contains placeholder values for the date of
publication of this draft. Please apply the following replacement: publication of this draft. Please apply the following replacement:
o "2018-09-20" --> the publication date of this draft o "2018-10-22" --> the publication date of this draft
The following Appendix section is to be removed prior to publication: The following Appendix section is to be removed prior to publication:
o Appendix A. Change Log o Appendix A. Change Log
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 24, 2019. This Internet-Draft will expire on April 25, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 4 skipping to change at page 3, line 6
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. The TLS Client Model . . . . . . . . . . . . . . . . . . . . 4 3. The TLS Client Model . . . . . . . . . . . . . . . . . . . . 4
3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4
3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 4 3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 4
3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 6 3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 6
4. The TLS Server Model . . . . . . . . . . . . . . . . . . . . 9 4. The TLS Server Model . . . . . . . . . . . . . . . . . . . . 9
4.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 9 4.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 9
4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 10 4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 10
4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 12 4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 12
5. The TLS Common Model . . . . . . . . . . . . . . . . . . . . 15 5. The TLS Common Model . . . . . . . . . . . . . . . . . . . . 15
5.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 15 5.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 24
5.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 16 5.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 24
5.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 16 5.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 24
6. Security Considerations . . . . . . . . . . . . . . . . . . . 24 6. Security Considerations . . . . . . . . . . . . . . . . . . . 33
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34
7.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 25 7.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 34
7.2. The YANG Module Names Registry . . . . . . . . . . . . . 26 7.2. The YANG Module Names Registry . . . . . . . . . . . . . 34
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 26 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 35
8.1. Normative References . . . . . . . . . . . . . . . . . . 26 8.1. Normative References . . . . . . . . . . . . . . . . . . 35
8.2. Informative References . . . . . . . . . . . . . . . . . 28 8.2. Informative References . . . . . . . . . . . . . . . . . 36
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 29 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 38
A.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 29 A.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 38
A.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 29 A.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 38
A.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 29 A.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 38
A.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 29 A.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 38
A.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 30 A.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 39
A.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 30 A.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 39
A.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 30 A.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 39
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 30 A.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 39
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 30 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 39
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39
1. Introduction 1. Introduction
This document defines three YANG 1.1 [RFC7950] modules: the first This document defines three YANG 1.1 [RFC7950] modules: the first
defines a grouping for a generic TLS client, the second defines a defines a grouping for a generic TLS client, the second defines a
grouping for a generic TLS server, and the third defines identities grouping for a generic TLS server, and the third defines identities
and groupings common to both the client and the server (TLS is and groupings common to both the client and the server (TLS is
defined in [RFC5246]). It is intended that these groupings will be defined in [RFC5246]). It is intended that these groupings will be
used by applications using the TLS protocol. For instance, these used by applications using the TLS protocol. For instance, these
groupings could be used to help define the data model for an HTTPS groupings could be used to help define the data model for an HTTPS
skipping to change at page 5, line 16 skipping to change at page 5, line 19
key: key:
[Note: '\' line wrapping for formatting only] [Note: '\' line wrapping for formatting only]
<tls-client xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client"> <tls-client xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client">
<!-- how this client will authenticate itself to the server --> <!-- how this client will authenticate itself to the server -->
<client-identity> <client-identity>
<certificate> <certificate>
<algorithm xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-t\ <algorithm xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-t\
ypes">ct:rsa1024</algorithm> ypes">ct:rsa2048</algorithm>
<private-key>base64encodedvalue==</private-key> <private-key>base64encodedvalue==</private-key>
<public-key>base64encodedvalue==</public-key> <public-key>base64encodedvalue==</public-key>
<cert>base64encodedvalue==</cert> <cert>base64encodedvalue==</cert>
</certificate> </certificate>
</client-identity> </client-identity>
<!-- which certificates will this client trust --> <!-- which certificates will this client trust -->
<server-auth> <server-auth>
<pinned-ca-certs>explicitly-trusted-server-ca-certs</pinned-ca-c\ <pinned-ca-certs>explicitly-trusted-server-ca-certs</pinned-ca-c\
erts> erts>
skipping to change at page 6, line 31 skipping to change at page 6, line 31
ver-certs> ver-certs>
</server-auth> </server-auth>
</tls-client> </tls-client>
3.3. YANG Module 3.3. YANG Module
This YANG module has normative references to This YANG module has normative references to
[I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore]. [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore].
<CODE BEGINS> file "ietf-tls-client@2018-09-20.yang" <CODE BEGINS> file "ietf-tls-client@2018-10-22.yang"
module ietf-tls-client { module ietf-tls-client {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client";
prefix "tlsc"; prefix "tlsc";
import ietf-tls-common { import ietf-tls-common {
prefix tlscmn; prefix tlscmn;
revision-date 2018-09-20; // stable grouping definitions revision-date 2018-10-22; // stable grouping definitions
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
import ietf-trust-anchors { import ietf-trust-anchors {
prefix ta; prefix ta;
reference reference
"RFC YYYY: YANG Data Model for Global Trust Anchors"; "RFC YYYY: YANG Data Model for Global Trust Anchors";
} }
import ietf-keystore { import ietf-keystore {
prefix ks; prefix ks;
reference reference
"RFC ZZZZ: YANG Data Model for a 'Keystore' Mechanism"; "RFC ZZZZ: YANG Data Model for a 'Keystore' Mechanism";
} }
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
contact contact
"WG Web: <http://datatracker.ietf.org/wg/netconf/> "WG Web: <http://datatracker.ietf.org/wg/netconf/>
WG List: <mailto:netconf@ietf.org> WG List: <mailto:netconf@ietf.org>
Author: Kent Watsen Author: Kent Watsen
<mailto:kwatsen@juniper.net> <mailto:kwatsen@juniper.net>
Author: Gary Wu Author: Gary Wu
<mailto:garywu@cisco.com>"; <mailto:garywu@cisco.com>";
description description
"This module defines a reusable grouping for a TLS client that "This module defines a reusable grouping for a TLS client that
can be used as a basis for specific TLS client instances. can be used as a basis for specific TLS client instances.
Copyright (c) 2018 IETF Trust and the persons identified as Copyright (c) 2018 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2018-09-20" { revision "2018-10-22" {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
// features // features
feature tls-client-hello-params-config { feature tls-client-hello-params-config {
description description
"TLS hello message parameters are configurable on a TLS "TLS hello message parameters are configurable on a TLS
client."; client.";
} }
// groupings // groupings
grouping tls-client-grouping { grouping tls-client-grouping {
description description
"A reusable grouping for configuring a TLS client without "A reusable grouping for configuring a TLS client without
any consideration for how an underlying TCP session is any consideration for how an underlying TCP session is
established."; established.";
uses client-identity-grouping; uses client-identity-grouping;
uses server-auth-grouping; uses server-auth-grouping;
uses hello-params-grouping; uses hello-params-grouping;
} }
grouping client-identity-grouping { grouping client-identity-grouping {
description description
"A reusable grouping for configuring a TLS client identity."; "A reusable grouping for configuring a TLS client identity.";
container client-identity { container client-identity {
description description
"The credentials used by the client to authenticate to "The credentials used by the client to authenticate to
the TLS server."; the TLS server.";
choice auth-type { choice auth-type {
description description
"The authentication type."; "The authentication type.";
container certificate { container certificate {
uses ks:local-or-keystore-end-entity-certificate-grouping; uses ks:local-or-keystore-end-entity-cert-with-key-grouping;
description description
"A locally-defined or referenced certificate "A locally-defined or referenced certificate
to be used for client authentication."; to be used for client authentication.";
reference reference
"RFC ZZZZ: YANG Data Model for a 'Keystore' Mechanism"; "RFC ZZZZ: YANG Data Model for a 'Keystore' Mechanism";
} }
} }
} // end client-identity } // end client-identity
} // end client-identity-grouping } // end client-identity-grouping
grouping server-auth-grouping { grouping server-auth-grouping {
description description
"A reusable grouping for configuring TLS server "A reusable grouping for configuring TLS server
authentication."; authentication.";
container server-auth { container server-auth {
must 'pinned-ca-certs or pinned-server-certs'; must 'pinned-ca-certs or pinned-server-certs';
description description
"Trusted server identities."; "Trusted server identities.";
leaf pinned-ca-certs { leaf pinned-ca-certs {
if-feature "ta:x509-certificates"; if-feature "ta:x509-certificates";
type ta:pinned-certificates-ref; type ta:pinned-certificates-ref;
description description
"A reference to a list of certificate authority (CA) "A reference to a list of certificate authority (CA)
certificates used by the TLS client to authenticate certificates used by the TLS client to authenticate
TLS server certificates. A server certificate is TLS server certificates. A server certificate is
authenticated if it has a valid chain of trust to authenticated if it has a valid chain of trust to
a configured pinned CA certificate."; a configured pinned CA certificate.";
} }
leaf pinned-server-certs { leaf pinned-server-certs {
if-feature "ta:x509-certificates"; if-feature "ta:x509-certificates";
type ta:pinned-certificates-ref; type ta:pinned-certificates-ref;
description description
"A reference to a list of server certificates used by "A reference to a list of server certificates used by
the TLS client to authenticate TLS server certificates. the TLS client to authenticate TLS server certificates.
A server certificate is authenticated if it is an A server certificate is authenticated if it is an
exact match to a configured pinned server certificate."; exact match to a configured pinned server certificate.";
} }
} }
} // end server-auth-grouping } // end server-auth-grouping
grouping hello-params-grouping { grouping hello-params-grouping {
description description
"A reusable grouping for configuring a TLS transport "A reusable grouping for configuring a TLS transport
parameters."; parameters.";
container hello-params { container hello-params {
if-feature tls-client-hello-params-config; if-feature tls-client-hello-params-config;
uses tlscmn:hello-params-grouping; uses tlscmn:hello-params-grouping;
description description
"Configurable parameters for the TLS hello message."; "Configurable parameters for the TLS hello message.";
} }
} // end transport-params-grouping } // end transport-params-grouping
} }
<CODE ENDS> <CODE ENDS>
4. The TLS Server Model 4. The TLS Server Model
4.1. Tree Diagram 4.1. Tree Diagram
This section provides a tree diagram [RFC8340] for the "ietf-tls- This section provides a tree diagram [RFC8340] for the "ietf-tls-
server" module that does not have groupings expanded. server" module that does not have groupings expanded.
module: ietf-tls-server module: ietf-tls-server
skipping to change at page 11, line 12 skipping to change at page 11, line 12
The following example configures the server identity using a local The following example configures the server identity using a local
key: key:
[Note: '\' line wrapping for formatting only] [Note: '\' line wrapping for formatting only]
<tls-server xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server"> <tls-server xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server">
<!-- how this server will authenticate itself to the client --> <!-- how this server will authenticate itself to the client -->
<server-identity> <server-identity>
<algorithm xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-typ\ <algorithm xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-typ\
es">ct:rsa1024</algorithm> es">ct:rsa2048</algorithm>
<private-key>base64encodedvalue==</private-key> <private-key>base64encodedvalue==</private-key>
<public-key>base64encodedvalue==</public-key> <public-key>base64encodedvalue==</public-key>
<cert>base64encodedvalue==</cert> <cert>base64encodedvalue==</cert>
</server-identity> </server-identity>
<!-- which certificates will this server trust --> <!-- which certificates will this server trust -->
<client-auth> <client-auth>
<pinned-ca-certs>explicitly-trusted-client-ca-certs</pinned-ca-c\ <pinned-ca-certs>explicitly-trusted-client-ca-certs</pinned-ca-c\
erts> erts>
<pinned-client-certs>explicitly-trusted-client-certs</pinned-cli\ <pinned-client-certs>explicitly-trusted-client-certs</pinned-cli\
skipping to change at page 12, line 10 skipping to change at page 12, line 10
ent-certs> ent-certs>
</client-auth> </client-auth>
</tls-server> </tls-server>
4.3. YANG Module 4.3. YANG Module
This YANG module has a normative references to [RFC5246], This YANG module has a normative references to [RFC5246],
[I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore]. [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore].
<CODE BEGINS> file "ietf-tls-server@2018-09-20.yang" <CODE BEGINS> file "ietf-tls-server@2018-10-22.yang"
module ietf-tls-server { module ietf-tls-server {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server";
prefix "tlss"; prefix "tlss";
import ietf-tls-common { import ietf-tls-common {
prefix tlscmn; prefix tlscmn;
revision-date 2018-09-20; // stable grouping definitions revision-date 2018-10-22; // stable grouping definitions
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
import ietf-trust-anchors { import ietf-trust-anchors {
prefix ta; prefix ta;
reference reference
"RFC YYYY: YANG Data Model for Global Trust Anchors"; "RFC YYYY: YANG Data Model for Global Trust Anchors";
} }
skipping to change at page 13, line 18 skipping to change at page 13, line 18
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2018-09-20" { revision "2018-10-22" {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
// features // features
feature tls-server-hello-params-config { feature tls-server-hello-params-config {
description description
skipping to change at page 14, line 12 skipping to change at page 14, line 12
"A locally-defined or referenced end-entity certificate, "A locally-defined or referenced end-entity certificate,
including any configured intermediate certificates, the including any configured intermediate certificates, the
TLS server will present when establishing a TLS connection TLS server will present when establishing a TLS connection
in its Certificate message, as defined in Section 7.4.2 in its Certificate message, as defined in Section 7.4.2
in RFC 5246."; in RFC 5246.";
reference reference
"RFC 5246: "RFC 5246:
The Transport Layer Security (TLS) Protocol Version 1.2 The Transport Layer Security (TLS) Protocol Version 1.2
RFC ZZZZ: RFC ZZZZ:
YANG Data Model for a 'Keystore' Mechanism"; YANG Data Model for a 'Keystore' Mechanism";
uses ks:local-or-keystore-end-entity-certificate-grouping; uses ks:local-or-keystore-end-entity-cert-with-key-grouping;
} }
} // end server-identity-grouping } // end server-identity-grouping
grouping client-auth-grouping { grouping client-auth-grouping {
description description
"A reusable grouping for configuring a TLS client "A reusable grouping for configuring a TLS client
authentication."; authentication.";
container client-auth { container client-auth {
description description
"A reference to a list of pinned certificate authority (CA) "A reference to a list of pinned certificate authority (CA)
skipping to change at page 15, line 31 skipping to change at page 15, line 31
The TLS common model presented in this section contains identities The TLS common model presented in this section contains identities
and groupings common to both TLS clients and TLS servers. The hello- and groupings common to both TLS clients and TLS servers. The hello-
params-grouping can be used to configure the list of TLS algorithms params-grouping can be used to configure the list of TLS algorithms
permitted by the TLS client or TLS server. The lists of algorithms permitted by the TLS client or TLS server. The lists of algorithms
are ordered such that, if multiple algorithms are permitted by the are ordered such that, if multiple algorithms are permitted by the
client, the algorithm that appears first in its list that is also client, the algorithm that appears first in its list that is also
permitted by the server is used for the TLS transport layer permitted by the server is used for the TLS transport layer
connection. The ability to restrict the the algorithms allowed is connection. The ability to restrict the the algorithms allowed is
provided in this grouping for TLS clients and TLS servers that are provided in this grouping for TLS clients and TLS servers that are
capable of doing so and may serve to make TLS clients and TLS servers capable of doing so and may serve to make TLS clients and TLS servers
compliant with security policies. compliant with local security policies. This model supports both
TLS1.2 [RFC5246] and TLS 1.3 [RFC8446].
TLS 1.2 and TLS 1.3 have different ways defining their own supported
cryptographic algorithms, see TLS and DTLS IANA registries page
(https://www.iana.org/assignments/tls-parameters/tls-
parameters.xhtml):
o TLS 1.2 defines four categories of registries for cryptographic
algorithms: TLS Cipher Suites, TLS SignatureAlgorithm, TLS
HashAlgorithm, TLS Supported Groups. TLS Cipher Suites plays the
role of combining all of them into one set, as each value of the
set represents a unique and feasible combination of all the
cryptographic algorithms, and thus the other three registry
categories do not need to be considered here. In this document,
the TLS common model only chooses those TLS1.2 algorithms in TLS
Cipher Suites which are marked as recommended:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, and so on. All chosen
algorithms are enumerated in Table 1-1 below;
o TLS 1.3 defines its supported algorithms differently. Firstly, it
defines three categories of registries for cryptographic
algorithms: TLS Cipher Suites, TLS SignatureScheme, TLS Supported
Groups. Secondly, all three of these categories are useful, since
they represent different parts of all the supported algorithms
respectively. Thus, all of these registries categories are
considered here. In this draft, the TLS common model chooses only
those TLS1.3 algorithms specified in B.4, 4.2.3, 4.2.7 of
[RFC8446].
Thus, in order to support both TLS1.2 and TLS1.3, the cipher-suites
part of the hello-params-grouping should include three parameters for
configuring its permitted TLS algorithms, which are: TLS Cipher
Suites, TLS SignatureScheme, TLS Supported Groups. Note that TLS1.2
only uses TLS Cipher Suites.
[I-D.ietf-netconf-crypto-types] defines six categories of
cryptographic algorithms (hash-algorithm, symmetric-key-encryption-
algorithm, mac-algorithm, asymmetric-key-encryption-algorithm,
signature-algorithm, key-negotiation-algorithm) and lists several
widely accepted algorithms for each of them. The TLS client and
server models use one or more of these algorithms. The following
tables are provided, in part to define the subset of algorithms
defined in the crypto-types model used by TLS, and in part to ensure
compatibility of configured TLS cryptographic parameters for
configuring its permitted TLS algorithms:
+-----------------------------------------------+---------+
| ciper-suites in hello-params-grouping | HASH |
+-----------------------------------------------+---------+
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | sha-256 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | sha-384 |
| TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 | sha-256 |
| TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 | sha-384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | sha-256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | sha-384 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | sha-256 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | sha-384 |
| TLS_DHE_RSA_WITH_AES_128_CCM | sha-256 |
| TLS_DHE_RSA_WITH_AES_256_CCM | sha-256 |
| TLS_DHE_PSK_WITH_AES_128_CCM | sha-256 |
| TLS_DHE_PSK_WITH_AES_256_CCM | sha-256 |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | sha-256 |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | sha-256 |
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | sha-256 |
| TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | sha-256 |
| TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | sha-256 |
| TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 | sha-256 |
| TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 | sha-384 |
| TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 | sha-256 |
+-----------------------------------------------+---------+
Table 1-1 TLS 1.2 Compatibility Matrix Part 1: ciper-suites mapping
to hash-algorithm
+--------------------------------------------- +---------------------+
| ciper-suites in hello-params-grouping | symmetric |
| | |
+--------------------------------------------- +---------------------+
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | enc-aes-128-gcm |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | enc-aes-256-gcm |
| TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 | enc-aes-128-gcm |
| TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 | enc-aes-256-gcm |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | enc-aes-128-gcm |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | enc-aes-256-gcm |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | enc-aes-128-gcm |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | enc-aes-256-gcm |
| TLS_DHE_RSA_WITH_AES_128_CCM | enc-aes-128-ccm |
| TLS_DHE_RSA_WITH_AES_256_CCM | enc-aes-256-ccm |
| TLS_DHE_PSK_WITH_AES_128_CCM | enc-aes-128-ccm |
| TLS_DHE_PSK_WITH_AES_256_CCM | enc-aes-256-ccm |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |enc-chacha20-poly1305|
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|enc-chacha20-poly1305|
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |enc-chacha20-poly1305|
| TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 |enc-chacha20-poly1305|
| TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 |enc-chacha20-poly1305|
| TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 | enc-aes-128-gcm |
| TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 | enc-aes-256-gcm |
| TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 | enc-aes-128-ccm |
+--------------------------------------------- +---------------------+
Table 1-2 TLS 1.2 Compatibility Matrix Part 2: ciper-suites mapping
to symmetric-key-encryption-algorithm
+--------------------------------------------- +---------------------+
| ciper-suites in hello-params-grouping | MAC |
| | |
+--------------------------------------------- +---------------------+
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | mac-aes-128-gcm |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | mac-aes-256-gcm |
| TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 | mac-aes-128-gcm |
| TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 | mac-aes-256-gcm |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | mac-aes-128-gcm |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | mac-aes-256-gcm |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | mac-aes-128-gcm |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | mac-aes-256-gcm |
| TLS_DHE_RSA_WITH_AES_128_CCM | mac-aes-128-ccm |
| TLS_DHE_RSA_WITH_AES_256_CCM | mac-aes-256-ccm |
| TLS_DHE_PSK_WITH_AES_128_CCM | mac-aes-128-ccm |
| TLS_DHE_PSK_WITH_AES_256_CCM | mac-aes-256-ccm |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |mac-chacha20-poly1305|
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|mac-chacha20-poly1305|
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |mac-chacha20-poly1305|
| TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 |mac-chacha20-poly1305|
| TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 |mac-chacha20-poly1305|
| TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 | mac-aes-128-gcm |
| TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 | mac-aes-256-gcm |
| TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 | mac-aes-128-ccm |
+--------------------------------------------- +---------------------+
Table 1-3 TLS 1.2 Compatibility Matrix Part 3: ciper-suites mapping
to MAC-algorithm
+----------------------------------------------+----------------------+
|ciper-suites in hello-params-grouping | signature |
+--------------------------------------------- +----------------------+
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | rsa-pkcs1-sha256 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | rsa-pkcs1-sha384 |
| TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 | N/A |
| TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 | N/A |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |ecdsa-secp256r1-sha256|
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |ecdsa-secp384r1-sha384|
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | rsa-pkcs1-sha256 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | rsa-pkcs1-sha384 |
| TLS_DHE_RSA_WITH_AES_128_CCM | rsa-pkcs1-sha256 |
| TLS_DHE_RSA_WITH_AES_256_CCM | rsa-pkcs1-sha256 |
| TLS_DHE_PSK_WITH_AES_128_CCM | N/A |
| TLS_DHE_PSK_WITH_AES_256_CCM | N/A |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | rsa-pkcs1-sha256 |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|ecdsa-secp256r1-sha256|
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | rsa-pkcs1-sha256 |
| TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | N/A |
| TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | N/A |
| TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 | N/A |
| TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 | N/A |
| TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 | N/A |
+----------------------------------------------+----------------------+
Table 1-4 TLS 1.2 Compatibility Matrix Part 4: ciper-suites mapping
to signature-algorithm
+----------------------------------------------+-----------------------+
|ciper-suites in hello-params-grouping | key-negotiation |
+----------------------------------------------+-----------------------+
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | dhe-ffdhe2048, ... |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | dhe-ffdhe2048, ... |
| TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 | psk-dhe-ffdhe2048, ...|
| TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 | psk-dhe-ffdhe2048, ...|
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ecdhe-secp256r1, ... |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ecdhe-secp256r1, ... |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ecdhe-secp256r1, ... |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ecdhe-secp256r1, ... |
| TLS_DHE_RSA_WITH_AES_128_CCM | dhe-ffdhe2048, ... |
| TLS_DHE_RSA_WITH_AES_256_CCM | dhe-ffdhe2048, ... |
| TLS_DHE_PSK_WITH_AES_128_CCM | psk-dhe-ffdhe2048, ...|
| TLS_DHE_PSK_WITH_AES_256_CCM | psk-dhe-ffdhe2048, ...|
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | ecdhe-secp256r1, ... |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256| ecdhe-secp256r1, ... |
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | dhe-ffdhe2048, ... |
| TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 |psk-ecdhe-secp256r1,...|
| TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | psk-dhe-ffdhe2048, ...|
| TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 |psk-ecdhe-secp256r1,...|
| TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 |psk-ecdhe-secp256r1,...|
| TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 |psk-ecdhe-secp256r1,...|
+----------------------------------------------+-----------------------+
Table 1-5 TLS 1.2 Compatibility Matrix Part 5: ciper-suites mapping
to key-negotiation-algorithm
+------------------------------+---------+
| ciper-suites in hello | HASH |
| -params-grouping | |
+------------------------------+---------+
| TLS_AES_128_GCM_SHA256 | sha-256 |
| TLS_AES_256_GCM_SHA384 | sha-384 |
| TLS_CHACHA20_POLY1305_SHA256 | sha-256 |
| TLS_AES_128_CCM_SHA256 | sha-256 |
+------------------------------+---------+
Table 2-1 TLS 1.3 Compatibility Matrix Part 1: ciper-suites mapping
to hash-algorithm
+------------------------------+-----------------------+
| ciper-suites in hello | symmetric |
| -params-grouping | |
+------------------------------+-----------------------+
| TLS_AES_128_GCM_SHA256 | enc-aes-128-gcm |
| TLS_AES_256_GCM_SHA384 | enc-aes-128-gcm |
| TLS_CHACHA20_POLY1305_SHA256 | enc-chacha20-poly1305 |
| TLS_AES_128_CCM_SHA256 | enc-aes-128-ccm |
+------------------------------+-----------------------+
Table 2-2 TLS 1.3 Compatibility Matrix Part 2: ciper-suites mapping
to symmetric-key--encryption-algorithm
+------------------------------+-----------------------+
| ciper-suites in hello | symmetric |
| -params-grouping | |
+------------------------------+-----------------------+
| TLS_AES_128_GCM_SHA256 | mac-aes-128-gcm |
| TLS_AES_256_GCM_SHA384 | mac-aes-128-gcm |
| TLS_CHACHA20_POLY1305_SHA256 | mac-chacha20-poly1305 |
| TLS_AES_128_CCM_SHA256 | mac-aes-128-ccm |
+------------------------------+-----------------------+
Table 2-3 TLS 1.3 Compatibility Matrix Part 3: ciper-suites mapping
to MAC-algorithm
+----------------------------+-------------------------+
|signatureScheme in hello | signature |
| -params-grouping | |
+----------------------------+-------------------------+
| rsa-pkcs1-sha256 | rsa-pkcs1-sha256 |
| rsa-pkcs1-sha384 | rsa-pkcs1-sha384 |
| rsa-pkcs1-sha512 | rsa-pkcs1-sha512 |
| rsa-pss-rsae-sha256 | rsa-pss-rsae-sha256 |
| rsa-pss-rsae-sha384 | rsa-pss-rsae-sha384 |
| rsa-pss-rsae-sha512 | rsa-pss-rsae-sha512 |
| rsa-pss-pss-sha256 | rsa-pss-pss-sha256 |
| rsa-pss-pss-sha384 | rsa-pss-pss-sha384 |
| rsa-pss-pss-sha512 | rsa-pss-pss-sha512 |
| ecdsa-secp256r1-sha256 | ecdsa-secp256r1-sha256 |
| ecdsa-secp384r1-sha384 | ecdsa-secp384r1-sha384 |
| ecdsa-secp521r1-sha512 | ecdsa-secp521r1-sha512 |
| ed25519 | ed25519 |
| ed448 | ed448 |
+----------------------------+-------------------------+
Table 2-4 TLS 1.3 Compatibility Matrix Part 4: SignatureScheme
mapping to signature-algorithm
+----------------------------+-------------------------+
|supported Groups in hello | key-negotiation |
| -params-grouping | |
+----------------------------+-------------------------+
| dhe-ffdhe2048 | dhe-ffdhe2048 |
| dhe-ffdhe3072 | dhe-ffdhe3072 |
| dhe-ffdhe4096 | dhe-ffdhe4096 |
| dhe-ffdhe6144 | dhe-ffdhe6144 |
| dhe-ffdhe8192 | dhe-ffdhe8192 |
| psk-dhe-ffdhe2048 | psk-dhe-ffdhe2048 |
| psk-dhe-ffdhe3072 | psk-dhe-ffdhe3072 |
| psk-dhe-ffdhe4096 | psk-dhe-ffdhe4096 |
| psk-dhe-ffdhe6144 | psk-dhe-ffdhe6144 |
| psk-dhe-ffdhe8192 | psk-dhe-ffdhe8192 |
| ecdhe-secp256r1 | ecdhe-secp256r1 |
| ecdhe-secp384r1 | ecdhe-secp384r1 |
| ecdhe-secp521r1 | ecdhe-secp521r1 |
| ecdhe-x25519 | ecdhe-x25519 |
| ecdhe-x448 | ecdhe-x448 |
| psk-ecdhe-secp256r1 | psk-ecdhe-secp256r1 |
| psk-ecdhe-secp384r1 | psk-ecdhe-secp384r1 |
| psk-ecdhe-secp521r1 | psk-ecdhe-secp521r1 |
| psk-ecdhe-x25519 | psk-ecdhe-x25519 |
| psk-ecdhe-x448 | psk-ecdhe-x448 |
+----------------------------+-------------------------+
Table 2-5 TLS 1.3 Compatibility Matrix Part 5: Supported Groups
mapping to key-negotiation-algorithm
Note that in Table 1-5:
o dhe-ffdhe2048, ... is the abbreviation of dhe-ffdhe2048, dhe-
ffdhe3072, dhe-ffdhe4096, dhe-ffdhe6144, dhe-ffdhe8192;
o psk-dhe-ffdhe2048, ... is the abbreviation of psk-dhe-ffdhe2048,
psk-dhe-ffdhe3072, psk-dhe-ffdhe4096, psk-dhe-ffdhe6144, psk-dhe-
ffdhe8192;
o ecdhe-secp256r1, ... is the abbreviation of ecdhe-secp256r1,
ecdhe-secp384r1, ecdhe-secp521r1, ecdhe-x25519, ecdhe-x448;
o psk-ecdhe-secp256r1, ... is the abbreviation of psk-ecdhe-
secp256r1, psk-ecdhe-secp384r1, psk-ecdhe-secp521r1, psk-ecdhe-
x25519, psk-ecdhe-x448.
Features are defined for algorithms that are OPTIONAL or are not Features are defined for algorithms that are OPTIONAL or are not
widely supported by popular implementations. Note that the list of widely supported by popular implementations. Note that the list of
algorithms is not exhaustive. algorithms is not exhaustive.
5.1. Tree Diagram 5.1. Tree Diagram
The following tree diagram [RFC8340] provides an overview of the data The following tree diagram [RFC8340] provides an overview of the data
model for the "ietf-tls-common" module. model for the "ietf-tls-common" module.
skipping to change at page 16, line 32 skipping to change at page 24, line 45
</hello-params> </hello-params>
5.3. YANG Module 5.3. YANG Module
This YANG module has a normative references to [RFC2246], [RFC4346], This YANG module has a normative references to [RFC2246], [RFC4346],
[RFC5246], [RFC5288], [RFC5289], and [RFC8422]. [RFC5246], [RFC5288], [RFC5289], and [RFC8422].
This YANG module has a informative references to [RFC2246], This YANG module has a informative references to [RFC2246],
[RFC4346], and [RFC5246]. [RFC4346], and [RFC5246].
<CODE BEGINS> file "ietf-tls-common@2018-09-20.yang" <CODE BEGINS> file "ietf-tls-common@2018-10-22.yang"
module ietf-tls-common { module ietf-tls-common {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common";
prefix "tlscmn"; prefix "tlscmn";
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
contact contact
skipping to change at page 17, line 22 skipping to change at page 25, line 33
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2018-09-20" { revision "2018-10-22" {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
// features // features
feature tls-1_0 { feature tls-1_0 {
description description
skipping to change at page 24, line 30 skipping to change at page 32, line 44
container cipher-suites { container cipher-suites {
description description
"Parameters regarding cipher suites."; "Parameters regarding cipher suites.";
leaf-list cipher-suite { leaf-list cipher-suite {
type identityref { type identityref {
base cipher-suite-base; base cipher-suite-base;
} }
ordered-by user; ordered-by user;
description description
"Acceptable cipher suites in order of descending "Acceptable cipher suites in order of descending
preference. preference. The configured host key algorithms should
be compatible with the algorithm used by the configured
private key. Please see Section 5 of RFC XXXX for
valid combinations.
If this leaf-list is not configured (has zero elements) If this leaf-list is not configured (has zero elements)
the acceptable cipher suites are implementation- the acceptable cipher suites are implementation-
defined."; defined.";
reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
} }
} // end hello-params-grouping } // end hello-params-grouping
} }
<CODE ENDS> <CODE ENDS>
6. Security Considerations 6. Security Considerations
skipping to change at page 26, line 42 skipping to change at page 35, line 24
name: ietf-tls-common name: ietf-tls-common
namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common
prefix: tlscmn prefix: tlscmn
reference: RFC XXXX reference: RFC XXXX
8. References 8. References
8.1. Normative References 8.1. Normative References
[I-D.ietf-netconf-crypto-types]
Watsen, K., "Common YANG Data Types for Cryptography",
draft-ietf-netconf-crypto-types-01 (work in progress),
September 2018.
[I-D.ietf-netconf-keystore] [I-D.ietf-netconf-keystore]
Watsen, K., "YANG Data Model for a Centralized Keystore Watsen, K., "YANG Data Model for a Centralized Keystore
Mechanism", draft-ietf-netconf-keystore-06 (work in Mechanism", draft-ietf-netconf-keystore-06 (work in
progress), September 2018. progress), September 2018.
[I-D.ietf-netconf-trust-anchors] [I-D.ietf-netconf-trust-anchors]
Watsen, K., "YANG Data Model for Global Trust Anchors", Watsen, K., "YANG Data Model for Global Trust Anchors",
draft-ietf-netconf-trust-anchors-01 (work in progress), draft-ietf-netconf-trust-anchors-01 (work in progress),
September 2018. September 2018.
skipping to change at page 28, line 5 skipping to change at page 36, line 35
Access Control Model", STD 91, RFC 8341, Access Control Model", STD 91, RFC 8341,
DOI 10.17487/RFC8341, March 2018, DOI 10.17487/RFC8341, March 2018,
<https://www.rfc-editor.org/info/rfc8341>. <https://www.rfc-editor.org/info/rfc8341>.
[RFC8422] Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic [RFC8422] Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic
Curve Cryptography (ECC) Cipher Suites for Transport Layer Curve Cryptography (ECC) Cipher Suites for Transport Layer
Security (TLS) Versions 1.2 and Earlier", RFC 8422, Security (TLS) Versions 1.2 and Earlier", RFC 8422,
DOI 10.17487/RFC8422, August 2018, DOI 10.17487/RFC8422, August 2018,
<https://www.rfc-editor.org/info/rfc8422>. <https://www.rfc-editor.org/info/rfc8422>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
8.2. Informative References 8.2. Informative References
[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
RFC 2246, DOI 10.17487/RFC2246, January 1999, RFC 2246, DOI 10.17487/RFC2246, January 1999,
<https://www.rfc-editor.org/info/rfc2246>. <https://www.rfc-editor.org/info/rfc2246>.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
DOI 10.17487/RFC2818, May 2000, DOI 10.17487/RFC2818, May 2000,
<https://www.rfc-editor.org/info/rfc2818>. <https://www.rfc-editor.org/info/rfc2818>.
skipping to change at page 30, line 25 skipping to change at page 39, line 25
either locally defined or a reference to the keystore. either locally defined or a reference to the keystore.
A.7. 06 to 07 A.7. 06 to 07
o factored the tls-[client|server]-groupings into more reusable o factored the tls-[client|server]-groupings into more reusable
groupings. groupings.
o added if-feature statements for the new "x509-certificates" o added if-feature statements for the new "x509-certificates"
feature defined in draft-ietf-netconf-trust-anchors. feature defined in draft-ietf-netconf-trust-anchors.
A.8. 07 to 08
o Added a number of compatibility matricies to Section 5 (thanks
Frank!)
o Claified that any configured "cipher-suite" values need to be
compatible with the configured private key.
Acknowledgements Acknowledgements
The authors would like to thank for following for lively discussions The authors would like to thank for following for lively discussions
on list and in the halls (ordered by last name): Andy Bierman, Martin on list and in the halls (ordered by last name): Andy Bierman, Martin
Bjorklund, Benoit Claise, Mehmet Ersue, Balazs Kovacs, David Bjorklund, Benoit Claise, Mehmet Ersue, Balazs Kovacs, David
Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci, Tom Petch, Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci, Tom Petch,
Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert Wijnen. Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert Wijnen.
Authors' Addresses Authors' Addresses
Kent Watsen Kent Watsen
Juniper Networks Juniper Networks
EMail: kwatsen@juniper.net EMail: kwatsen@juniper.net
Gary Wu Gary Wu
Cisco Systems Cisco Systems
EMail: garywu@cisco.com EMail: garywu@cisco.com
Liang Xia
Huawei
EMail: frank.xialiang@huawei.com
 End of changes. 45 change blocks. 
164 lines changed or deleted 487 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/