draft-ietf-netconf-tls-client-server-09.txt   draft-ietf-netconf-tls-client-server-10.txt

NETCONF Working Group                                         K. Watsen
Internet-Draft                                          Watsen Networks
Intended status: Standards Track                                  G. Wu
Expires: September 10, 2019                               Cisco Systems
                                                                 L. Xia
                                                                 Huawei
                                                          March 9, 2019

          YANG Groupings for TLS Clients and TLS Servers
          [09] draft-ietf-netconf-tls-client-server-09
          [10] draft-ietf-netconf-tls-client-server-10

Abstract

   This document defines three YANG modules: the first defines groupings
   for a generic TLS client, the second defines groupings for a generic
   TLS server, and the third defines common identities and groupings
   used by both the client and the server.  It is intended that these
   groupings will be used by applications using the TLS protocol.

Editorial Note (To be removed by RFC Editor)

skipping to change at page 3, line 27

   Appendix A.  Change Log  . . . . . . . . . . . . . . . . . . . .  39
     A.1.  00 to 01 . . . . . . . . . . . . . . . . . . . . . . . .  39
     A.2.  01 to 02 . . . . . . . . . . . . . . . . . . . . . . . .  39
     A.3.  02 to 03 . . . . . . . . . . . . . . . . . . . . . . . .  39
     A.4.  03 to 04 . . . . . . . . . . . . . . . . . . . . . . . .  39
     A.5.  04 to 05 . . . . . . . . . . . . . . . . . . . . . . . .  40
     A.6.  05 to 06 . . . . . . . . . . . . . . . . . . . . . . . .  40
     A.7.  06 to 07 . . . . . . . . . . . . . . . . . . . . . . . .  40
     A.8.  07 to 08 . . . . . . . . . . . . . . . . . . . . . . . .  40
     A.9.  08 to 09 . . . . . . . . . . . . . . . . . . . . . . . .  40
     [10] A.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . .  40
   [09] Acknowledgements . . . . . . . . . . . . . . . . . . . . .  40
   [10] Acknowledgements . . . . . . . . . . . . . . . . . . . . .  41
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .  41

1.  Introduction

   This document defines three YANG 1.1 [RFC7950] modules: the first
   defines a grouping for a generic TLS client, the second defines a
   grouping for a generic TLS server, and the third defines identities
   and groupings common to both the client and the server (TLS is
   defined in [RFC5246]).  It is intended that these groupings will be
   used by applications using the TLS protocol.  For instance, these

skipping to change at page 6, line 40

3.3.  YANG Module

   This YANG module has normative references to
   [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore].
   <CODE BEGINS> file "ietf-tls-client@2019-03-09.yang"

   module ietf-tls-client {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client";
     [09] prefix "tlsc";
     [10] prefix tlsc;

     import ietf-tls-common {
       prefix tlscmn;
       revision-date 2019-03-09; // stable grouping definitions
       reference
         "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
     }

     import ietf-trust-anchors {
       prefix ta;

skipping to change at page 7, line 14

     }

     import ietf-keystore {
       prefix ks;
       reference
         "RFC ZZZZ: YANG Data Model for a 'Keystore' Mechanism";
     }

     organization
       "IETF NETCONF (Network Configuration) Working Group";

     contact
       "WG Web:   <http://datatracker.ietf.org/wg/netconf/>
        WG List:  <mailto:netconf@ietf.org>
        Author:   Kent Watsen <mailto:kent+ietf@watsen.net>
        Author:   Gary Wu <mailto:garywu@cisco.com>";

     description
       "This module defines reusable groupings for TLS clients that
        can be used as a basis for specific TLS client instances.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
        are to be interpreted as described in BCP 14 [RFC2119]
        [RFC8174] when, and only when, they appear in all
        capitals, as shown here.

        Copyright (c) 2019 IETF Trust and the persons identified as
        authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD
        License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     [09] revision "2019-03-09" {
     [10] revision 2019-03-09 {
       description
         "Initial version";
       reference
         "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
     }

     // Features

     feature tls-client-hello-params-config {
       description
         "TLS hello message parameters are configurable on a TLS
          client.";
     }

     feature tls-client-keepalives {

skipping to change at page 9, line 43 in [09] / line 42 in [10]

             exact match to a configured pinned server certificate.";
         }
       }
     }

     grouping hello-params-grouping {
       description
         "A reusable grouping for configuring TLS transport
          parameters.";
       container tls-hello-params {
         [09] if-feature tls-client-hello-params-config;
         [10] if-feature "tls-client-hello-params-config";
         uses tlscmn:hello-params-grouping;
         description
           "Configurable parameters for the TLS hello message.";
       }
     }

     grouping keepalives-grouping {
       description
         "A reusable grouping for configuring TLS client keepalive
          parameters.";

skipping to change at page 10, line 16

         if-feature "tls-client-keepalives";
         description
           "Configures the keep-alive policy, to proactively test
            the aliveness of the TLS server.  An unresponsive
            TLS server is dropped after approximately max-wait
            * max-attempts seconds.";
         leaf max-wait {
           type uint16 {
             range "1..max";
           }
           [09] units seconds;
           [10] units "seconds";
           [09] default 30;
           [10] default "30";
           description
             "Sets the amount of time in seconds after which if no data
              has been received from the TLS server, a TLS-level message
              will be sent to test the aliveness of the TLS server.";
         }
         leaf max-attempts {
           type uint8;
           [09] default 3;
           [10] default "3";
           description
             "Sets the maximum number of sequential keep-alive messages
              that can fail to obtain a response from the TLS server
              before assuming the TLS server is no longer alive.";
         }
       }
     }
   }

   <CODE ENDS>
4.  The TLS Server Model

4.1.  Tree Diagram

skipping to change at page 13, line 14

4.3.  YANG Module

   This YANG module has normative references to [RFC5246],
   [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore].
   <CODE BEGINS> file "ietf-tls-server@2019-03-09.yang"

   module ietf-tls-server {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server";
     [09] prefix "tlss";
     [10] prefix tlss;

     import ietf-tls-common {
       prefix tlscmn;
       revision-date 2019-03-09; // stable grouping definitions
       reference
         "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
     }

     import ietf-trust-anchors {
       prefix ta;

skipping to change at page 13, line 36

         "RFC YYYY: YANG Data Model for Global Trust Anchors";
     }

     import ietf-keystore {
       prefix ks;
       reference
         "RFC ZZZZ: YANG Data Model for a 'Keystore' Mechanism";
     }

     organization
       "IETF NETCONF (Network Configuration) Working Group";

     contact
       "WG Web:   <http://datatracker.ietf.org/wg/netconf/>
        WG List:  <mailto:netconf@ietf.org>
        Author:   Kent Watsen <mailto:kent+ietf@watsen.net>
        Author:   Gary Wu <mailto:garywu@cisco.com>";

     description
       "This module defines reusable groupings for TLS servers that
        can be used as a basis for specific TLS server instances.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
        are to be interpreted as described in BCP 14 [RFC2119]
        [RFC8174] when, and only when, they appear in all
        capitals, as shown here.

        Copyright (c) 2019 IETF Trust and the persons identified as
        authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD
        License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     [09] revision "2019-03-09" {
     [10] revision 2019-03-09 {
       description
         "Initial version";
       reference
         "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
     }

     // Features

     feature tls-server-hello-params-config {
       description
         "TLS hello message parameters are configurable on a TLS
          server.";
     }

skipping to change at page 16, line 18 in [09] / line 16 in [10]

             "RFC YYYY: YANG Data Model for Global Trust Anchors";
         }
       }
     }

     grouping hello-params-grouping {
       description
         "A reusable grouping for configuring TLS transport
          parameters.";
       container tls-hello-params {
         [09] if-feature tls-server-hello-params-config;
         [10] if-feature "tls-server-hello-params-config";
         uses tlscmn:hello-params-grouping;
         description
           "Configurable parameters for the TLS hello message.";
       }
     }

     grouping keepalives-grouping {
       description
         "A reusable grouping for configuring TLS server keepalive
          parameters.";

skipping to change at page 16, line 40 in [09] / line 38 in [10]

         if-feature "tls-server-keepalives";
         description
           "Configures the keep-alive policy, to proactively test
            the aliveness of the TLS client.  An unresponsive
            TLS client is dropped after approximately max-wait
            * max-attempts seconds.";
         leaf max-wait {
           type uint16 {
             range "1..max";
           }
           [09] units seconds;
           [10] units "seconds";
           [09] default 30;
           [10] default "30";
           description
             "Sets the amount of time in seconds after which if no data
              has been received from the TLS client, a TLS-level message
              will be sent to test the aliveness of the TLS client.";
         }
         leaf max-attempts {
           type uint8;
           [09] default 3;
           [10] default "3";
           description
             "Sets the maximum number of sequential keep-alive messages
              that can fail to obtain a response from the TLS client
              before assuming the TLS client is no longer alive.";
         }
       }
     }
   }

   <CODE ENDS>
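   The keepalives-grouping in the client module (Section 3.3) and in the
   server module above carry the same policy: after max-wait seconds
   without data a probe is sent, and max-attempts unanswered probes drop
   the peer, "after approximately max-wait * max-attempts seconds".  The
   following is an added example, not code from the draft; it replays a
   constructed trace of inbound-data timestamps against such a policy so
   the actual detection latency can be read off.  The event rules (a
   probe is sent at every expiry of a silent max-wait interval, any
   inbound data answers outstanding probes, and max-attempts == 0, which
   the uint8 type permits, drops the peer at the first expiry without
   probing) are assumptions, not statements of the draft.

```python
"""Simulate the keepalive policy of the tlsc/tlss keepalives-grouping.

Added example; not code from the draft.  Event rules are assumed:
a probe is sent whenever max-wait seconds pass with no data from the
peer, any inbound data counts as a reply, and max-attempts consecutive
unanswered probes drop the peer.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class KeepalivePolicy:
    max_wait: int = 30       # uint16, range "1..max", units seconds
    max_attempts: int = 3    # uint8

    def __post_init__(self) -> None:
        # Reject what the YANG types reject, so a bad value fails at
        # configuration time instead of silently disabling probing.
        if not 1 <= self.max_wait <= 0xFFFF:
            raise ValueError("max-wait must be in 1..65535")
        if not 0 <= self.max_attempts <= 0xFF:
            raise ValueError("max-attempts must be in 0..255")


@dataclass
class Outcome:
    probes_sent: List[float] = field(default_factory=list)
    dropped_at: Optional[float] = None   # None: still alive at the horizon


def simulate(policy: KeepalivePolicy, data_times: Sequence[float],
             horizon: float) -> Outcome:
    """Replay inbound-data timestamps (seconds since the connection
    opened) up to `horizon`; return the probes sent and the drop time."""
    pending = sorted(t for t in data_times if 0 <= t <= horizon)
    out = Outcome()
    last_data = 0.0
    failed = 0                              # consecutive unanswered probes
    deadline = last_data + policy.max_wait  # next expiry of the silence timer
    while deadline <= horizon:
        # Data arriving before the deadline answers any outstanding probes
        # and restarts the silence timer from the newest arrival.
        answered = False
        while pending and pending[0] <= deadline:
            last_data = pending.pop(0)
            answered = True
        if answered:
            failed = 0
            deadline = last_data + policy.max_wait
            continue
        # Silence persisted for a full max-wait interval.
        if failed >= policy.max_attempts:
            out.dropped_at = deadline       # max-attempts == 0: no probe at all
            break
        out.probes_sent.append(deadline)
        failed += 1
        deadline += policy.max_wait
    return out


def worst_case_detection(policy: KeepalivePolicy) -> int:
    """Seconds of silence before a dead peer is dropped under these rules.

    The grouping says 'approximately max-wait * max-attempts'; counting the
    initial wait before the first probe, the exact figure here is one
    interval longer.  Size upstream timeouts against this value.
    """
    return policy.max_wait * (policy.max_attempts + 1)


if __name__ == "__main__":
    policy = KeepalivePolicy()   # module defaults: 30 s, 3 attempts
    # Constructed trace: chatty peer, a pause, one late reply, then silence.
    result = simulate(policy, data_times=[10, 25, 50, 100], horizon=600)
    print("probes sent at:", result.probes_sent)
    print("peer dropped at:", result.dropped_at,
          "(worst case", worst_case_detection(policy), "s after last data)")
```

   With the defaults the constructed trace yields probes at 80, 130, 160
   and 190 seconds and a drop at 220, i.e. 120 seconds after the last
   data at 100: four intervals, not the three the description's rounded
   figure suggests.  Any upstream idle timer (a NETCONF session timeout,
   a load balancer) should therefore be set above
   (max-attempts + 1) * max-wait, or it will fire before the keepalive
   logic has had a chance to conclude anything.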
5.  The TLS Common Model

   The TLS common model presented in this section contains identities
   and groupings common to both TLS clients and TLS servers.  The hello-
   params-grouping can be used to configure the list of TLS algorithms

skipping to change at page 25, line 49

   This YANG module has normative references to [RFC4346], [RFC5246],
   [RFC5288], [RFC5289], and [RFC8422].

   This YANG module has informative references to [RFC2246],
   [RFC4346], [RFC5246], and [RFC8446].
   <CODE BEGINS> file "ietf-tls-common@2019-03-09.yang"

   module ietf-tls-common {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common";
     [09] prefix "tlscmn";
     [10] prefix tlscmn;

     organization
       "IETF NETCONF (Network Configuration) Working Group";

     contact
       "WG Web:   <http://datatracker.ietf.org/wg/netconf/>
        WG List:  <mailto:netconf@ietf.org>
        Author:   Kent Watsen <mailto:kent+ietf@watsen.net>
        Author:   Gary Wu <mailto:garywu@cisco.com>";

     description
       "This module defines common features, identities, and
        groupings for Transport Layer Security (TLS).

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
        'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
        are to be interpreted as described in BCP 14 [RFC2119]
        [RFC8174] when, and only when, they appear in all
        capitals, as shown here.

        Copyright (c) 2019 IETF Trust and the persons identified as
        authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD
        License set forth in Section 4.c of the IETF Trust's
        Legal Provisions Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     [09] revision "2019-03-09" {
     [10] revision 2019-03-09 {
       description
         "Initial version";
       reference
         "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
     }

     // Features

     feature tls-1_0 {
       description
         "TLS Protocol Version 1.0 is supported.";
       reference
         "RFC 2246: The TLS Protocol Version 1.0";
     }

skipping to change at page 28, line 28

     // Identities

     identity tls-version-base {
       description
         "Base identity used to identify TLS protocol versions.";
     }

     identity tls-1.0 {
       base tls-version-base;
       [09] if-feature tls-1_0;
       [10] if-feature "tls-1_0";
       description
         "TLS Protocol Version 1.0.";
       reference
         "RFC 2246: The TLS Protocol Version 1.0";
     }

     identity tls-1.1 {
       base tls-version-base;
       [09] if-feature tls-1_1;
       [10] if-feature "tls-1_1";
       description
         "TLS Protocol Version 1.1.";
       reference
         "RFC 4346: The Transport Layer Security (TLS) Protocol
          Version 1.1";
     }

     identity tls-1.2 {
       base tls-version-base;
       [09] if-feature tls-1_2;
       [10] if-feature "tls-1_2";
       description
         "TLS Protocol Version 1.2.";
       reference
         "RFC 5246: The Transport Layer Security (TLS) Protocol
          Version 1.2";
     }

     identity cipher-suite-base {
       description
         "Base identity used to identify TLS cipher suites.";

skipping to change at page 29, line 32

       base cipher-suite-base;
       description
         "Cipher suite TLS_RSA_WITH_AES_256_CBC_SHA.";
       reference
         "RFC 5246: The Transport Layer Security (TLS) Protocol
          Version 1.2";
     }

     identity rsa-with-aes-128-cbc-sha256 {
       base cipher-suite-base;
       [09] if-feature tls-sha2;
       [10] if-feature "tls-sha2";
       description
         "Cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256.";
       reference
         "RFC 5246: The Transport Layer Security (TLS) Protocol
          Version 1.2";
     }

     identity rsa-with-aes-256-cbc-sha256 {
       base cipher-suite-base;
       [09] if-feature tls-sha2;
       [10] if-feature "tls-sha2";
       description
         "Cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256.";
       reference
         "RFC 5246: The Transport Layer Security (TLS) Protocol
          Version 1.2";
     }

     identity dhe-rsa-with-aes-128-cbc-sha {
       base cipher-suite-base;
       [09] if-feature tls-dhe;
       [10] if-feature "tls-dhe";
       description
         "Cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA.";
       reference
         "RFC 5246: The Transport Layer Security (TLS) Protocol
          Version 1.2";
     }

     identity dhe-rsa-with-aes-256-cbc-sha {
       base cipher-suite-base;
       [09] if-feature tls-dhe;
       [10] if-feature "tls-dhe";
       description
         "Cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA.";
       reference
         "RFC 5246: The Transport Layer Security (TLS) Protocol
          Version 1.2";
     }

     identity dhe-rsa-with-aes-128-cbc-sha256 {
       base cipher-suite-base;
       if-feature "tls-dhe and tls-sha2";

skipping to change at page 32, line 29

       if-feature "tls-ecc and tls-gcm and tls-sha2";
       description
         "Cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.";
       reference
         "RFC 5289: TLS Elliptic Curve Cipher Suites with
          SHA-256/384 and AES Galois Counter Mode (GCM)";
     }

     identity rsa-with-3des-ede-cbc-sha {
       base cipher-suite-base;
       [09] if-feature tls-3des;
       [10] if-feature "tls-3des";
       description
         "Cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.";
       reference
         "RFC 5246: The Transport Layer Security (TLS) Protocol
          Version 1.2";
     }

     identity ecdhe-rsa-with-3des-ede-cbc-sha {
       base cipher-suite-base;
       if-feature "tls-ecc and tls-3des";

skipping to change at page 34, line 13 in [09] / line 12 in [10]

             "Acceptable cipher suites in order of descending
              preference.  The configured host key algorithms should
              be compatible with the algorithm used by the configured
              private key.  Please see Section 5 of RFC XXXX for
              valid combinations.

              If this leaf-list is not configured (has zero elements)
              the acceptable cipher suites are implementation-
              defined.";
           reference
             "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
         }
       }
     }
   }

   <CODE ENDS>
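   Three properties of this module are worth checking mechanically before
   a hello-params configuration is committed: every identity is gated on
   features (the if-feature clauses on the version and cipher-suite
   identities above) that the server must actually advertise; the
   cipher-suite list "should be compatible with the algorithm used by the
   configured private key"; and an empty list leaves the accepted suites
   "implementation-defined".  The following linter is an added example,
   not code from the draft.  Its assumptions: instance data is a dict
   whose keys 'tls-versions' and 'cipher-suites' (names assumed) hold
   identity names with the 'tlscmn:' prefix; the feature requirements are
   derived from the identity name the same way the module's if-feature
   clauses are written (tls-1_x for versions; tls-dhe, tls-ecc, tls-gcm,
   tls-sha2, tls-3des for suites); and 'ecdhe-ecdsa-' identities follow
   the naming pattern of the 'ecdhe-rsa-' ones shown above.  The sample
   configuration and the feature set are constructed.

```python
"""Lint a tlscmn:hello-params-grouping configuration.

Added example; not code from the draft.  Assumed: leaf-list names
'tls-versions' / 'cipher-suites', identity names carrying the 'tlscmn:'
prefix, and feature gating mirrored from the module's if-feature clauses.
"""
import re
from typing import Dict, List, Set

# Identity naming pattern used by ietf-tls-common, e.g.
#   rsa-with-aes-128-cbc-sha, dhe-rsa-with-aes-256-cbc-sha256,
#   ecdhe-rsa-with-aes-256-gcm-sha384, rsa-with-3des-ede-cbc-sha
SUITE_RE = re.compile(
    r"^(?:tlscmn:)?"
    r"(?P<kx>rsa|dhe-rsa|ecdhe-rsa|ecdhe-ecdsa)-with-"
    r"(?P<cipher>aes-128|aes-256|3des-ede)-"
    r"(?P<mode>cbc|gcm)-"
    r"(?P<mac>sha|sha256|sha384)$"
)
VERSION_FEATURE = {"tls-1.0": "tls-1_0", "tls-1.1": "tls-1_1", "tls-1.2": "tls-1_2"}


def parse_suite(identity: str) -> Dict[str, str]:
    """Split a cipher-suite identity into key exchange, cipher, mode, MAC."""
    m = SUITE_RE.match(identity)
    if not m:
        raise ValueError("unrecognised cipher-suite identity: " + identity)
    return m.groupdict()


def required_features(suite: Dict[str, str]) -> Set[str]:
    """Features the identity is gated on (mirrors the if-feature clauses)."""
    feats = set()
    if suite["kx"] == "dhe-rsa":
        feats.add("tls-dhe")
    if suite["kx"].startswith("ecdhe"):
        feats.add("tls-ecc")
    if suite["mode"] == "gcm":
        feats.add("tls-gcm")
    if suite["mac"] in ("sha256", "sha384"):
        feats.add("tls-sha2")
    if suite["cipher"] == "3des-ede":
        feats.add("tls-3des")
    return feats


def auth_algorithm(suite: Dict[str, str]) -> str:
    """Signature algorithm the suite needs from the configured private key."""
    return "ecdsa" if suite["kx"] == "ecdhe-ecdsa" else "rsa"


def lint(cfg: Dict[str, List[str]], server_features: Set[str],
         private_key_alg: str) -> List[str]:
    """Return ERROR/WARN/INFO findings for one hello-params configuration."""
    findings: List[str] = []
    for v in cfg.get("tls-versions", []):
        short = v.split(":")[-1]
        feat = VERSION_FEATURE.get(short)
        if feat is None:
            findings.append("ERROR unknown tls-version identity " + v)
            continue
        if feat not in server_features:
            findings.append("ERROR %s needs feature %s, not advertised" % (v, feat))
        if short in ("tls-1.0", "tls-1.1"):
            findings.append("WARN %s is a deprecated protocol version" % v)

    suites = cfg.get("cipher-suites", [])
    if not suites:
        # Empty list: the module leaves the suites implementation-defined,
        # which is not something an auditor can review.
        findings.append("INFO cipher-suites is empty; acceptable suites are "
                        "implementation-defined, pin an explicit list")
    seen_cbc, order_warned = False, False
    for s in suites:
        suite = parse_suite(s)
        missing = required_features(suite) - server_features
        if missing:
            findings.append("ERROR %s needs features %s, not advertised"
                            % (s, ",".join(sorted(missing))))
        if auth_algorithm(suite) != private_key_alg:
            findings.append("ERROR %s authenticates with %s but the private key is %s"
                            % (s, auth_algorithm(suite), private_key_alg))
        if suite["kx"] == "rsa":
            findings.append("WARN %s uses static RSA key exchange (no forward secrecy)" % s)
        if suite["cipher"] == "3des-ede":
            findings.append("WARN %s uses 3DES, a 64-bit block cipher" % s)
        if suite["mode"] == "cbc":
            seen_cbc = True
        elif seen_cbc and not order_warned:
            # Descending preference order: an AEAD suite listed after a CBC
            # suite means the CBC suite is the preferred one.
            findings.append("WARN %s (AEAD) is listed after a CBC suite" % s)
            order_warned = True
    return findings


# Constructed sample (not from the draft): two versions, three suites, an
# RSA server key, and the feature set the server is assumed to advertise.
SAMPLE_CFG = {
    "tls-versions": ["tlscmn:tls-1.2", "tlscmn:tls-1.0"],
    "cipher-suites": [
        "tlscmn:rsa-with-3des-ede-cbc-sha",
        "tlscmn:ecdhe-rsa-with-aes-256-gcm-sha384",
        "tlscmn:ecdhe-ecdsa-with-aes-128-gcm-sha256",
    ],
}
SAMPLE_FEATURES = {"tls-1_2", "tls-ecc", "tls-gcm", "tls-sha2", "tls-dhe"}

if __name__ == "__main__":
    for line in lint(SAMPLE_CFG, SAMPLE_FEATURES, "rsa"):
        print(line)
```

   On the sample the linter reports three errors (TLS 1.0 without the
   tls-1_0 feature, the 3DES suite without tls-3des, and an ECDSA suite
   against an RSA key, which could never be negotiated) and four
   warnings.  The key-compatibility error is the one the module's own
   description asks for; a YANG validator cannot catch it because the
   private key lives in a different subtree (the keystore).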
6.  Security Considerations

   The YANG modules defined in this document are designed to be accessed
   via YANG based management protocols, such as NETCONF [RFC6241] and
   RESTCONF [RFC8040].  Both of these protocols have mandatory-to-
   implement secure transport layers (e.g., SSH, TLS) with mutual

skipping to change at page 40, line 46

        keystore draft.

   o  Add TLS keepalives features and groupings.

   o  Prefixed top-level TLS grouping nodes with 'tls-' and support
      mashups.

   o  Updated copyright date, boilerplate template, affiliation, and
      folding algorithm.

   [10] A.10.  09 to 10

   [10] o  Reformatted the YANG modules.

Acknowledgements

   The authors would like to thank the following for lively discussions
   on list and in the halls (ordered by last name): Andy Bierman, Martin
   Bjorklund, Benoit Claise, Mehmet Ersue, Balazs Kovacs, David
   Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci, Tom Petch,
   Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert Wijnen.

Authors' Addresses

End of changes.  57 change blocks.
114 lines changed or deleted, 119 lines changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/