draft-ietf-netconf-tls-client-server-12.txt   draft-ietf-netconf-tls-client-server-13.txt 
NETCONF Working Group K. Watsen NETCONF Working Group K. Watsen
Internet-Draft Watsen Networks Internet-Draft Watsen Networks
Intended status: Standards Track G. Wu Intended status: Standards Track G. Wu
Expires: October 31, 2019 Cisco Systems Expires: December 9, 2019 Cisco Systems
L. Xia L. Xia
Huawei Huawei
April 29, 2019 June 7, 2019
YANG Groupings for TLS Clients and TLS Servers YANG Groupings for TLS Clients and TLS Servers
draft-ietf-netconf-tls-client-server-12 draft-ietf-netconf-tls-client-server-13
Abstract Abstract
This document defines three YANG modules: the first defines groupings This document defines three YANG modules: the first defines groupings
for a generic TLS client, the second defines groupings for a generic for a generic TLS client, the second defines groupings for a generic
TLS server, and the third defines common identities and groupings TLS server, and the third defines common identities and groupings
used by both the client and the server. It is intended that these used by both the client and the server. It is intended that these
groupings will be used by applications using the TLS protocol. groupings will be used by applications using the TLS protocol.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
skipping to change at page 2, line 5 skipping to change at page 2, line 5
o "XXXX" --> the assigned RFC value for this draft o "XXXX" --> the assigned RFC value for this draft
o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-trust- o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-trust-
anchors anchors
o "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-keystore o "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-keystore
Artwork in this document contains placeholder values for the date of Artwork in this document contains placeholder values for the date of
publication of this draft. Please apply the following replacement: publication of this draft. Please apply the following replacement:
o "2019-04-29" --> the publication date of this draft o "2019-06-07" --> the publication date of this draft
The following Appendix section is to be removed prior to publication: The following Appendix section is to be removed prior to publication:
o Appendix A. Change Log o Appendix A. Change Log
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 31, 2019. This Internet-Draft will expire on December 9, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 49 skipping to change at page 2, line 49
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. The TLS Client Model . . . . . . . . . . . . . . . . . . . . 4 3. The TLS Client Model . . . . . . . . . . . . . . . . . . . . 4
3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4
3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 5 3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 4
3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 6 3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 6
4. The TLS Server Model . . . . . . . . . . . . . . . . . . . . 10 4. The TLS Server Model . . . . . . . . . . . . . . . . . . . . 10
4.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 10 4.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 10
4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 11 4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 11
4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 13 4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 12
5. The TLS Common Model . . . . . . . . . . . . . . . . . . . . 18 5. The TLS Common Model . . . . . . . . . . . . . . . . . . . . 18
5.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 27 5.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 27
5.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 27 5.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 27
5.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 27 5.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 27
6. Security Considerations . . . . . . . . . . . . . . . . . . . 36 6. Security Considerations . . . . . . . . . . . . . . . . . . . 36
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 37 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 37
7.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 37 7.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 37
7.2. The YANG Module Names Registry . . . . . . . . . . . . . 38 7.2. The YANG Module Names Registry . . . . . . . . . . . . . 38
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 38 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 38
8.1. Normative References . . . . . . . . . . . . . . . . . . 38 8.1. Normative References . . . . . . . . . . . . . . . . . . 38
skipping to change at page 3, line 30 skipping to change at page 3, line 30
A.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 42 A.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 42
A.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 42 A.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 42
A.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 43 A.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 43
A.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 43 A.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 43
A.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 43 A.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 43
A.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 43 A.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 43
A.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 43 A.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 43
A.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 43 A.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 43
A.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 44 A.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 44
A.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 44 A.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 44
A.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 44
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 44 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 44
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45
1. Introduction 1. Introduction
This document defines three YANG 1.1 [RFC7950] modules: the first This document defines three YANG 1.1 [RFC7950] modules: the first
defines a grouping for a generic TLS client, the second defines a defines a grouping for a generic TLS client, the second defines a
grouping for a generic TLS server, and the third defines identities grouping for a generic TLS server, and the third defines identities
and groupings common to both the client and the server (TLS is and groupings common to both the client and the server (TLS is
defined in [RFC5246]). It is intended that these groupings will be defined in [RFC5246]). It is intended that these groupings will be
skipping to change at page 4, line 7 skipping to change at page 4, line 7
The client and server YANG modules in this document each define one The client and server YANG modules in this document each define one
grouping, which is focused on just TLS-specific configuration, and grouping, which is focused on just TLS-specific configuration, and
specifically avoids any transport-level configuration, such as what specifically avoids any transport-level configuration, such as what
ports to listen-on or connect-to. This affords applications the ports to listen-on or connect-to. This affords applications the
opportunity to define their own strategy for how the underlying TCP opportunity to define their own strategy for how the underlying TCP
connection is established. For instance, applications supporting connection is established. For instance, applications supporting
NETCONF Call Home [RFC8071] could use the TLS server grouping NETCONF Call Home [RFC8071] could use the TLS server grouping
defined in Section 4 for the TLS parts it provides, while adding data nodes for defined in Section 4 for the TLS parts it provides, while adding data nodes for
the TCP-level call-home configuration. the TCP-level call-home configuration.
The modules defined in this document use groupings defined in
[I-D.ietf-netconf-keystore] enabling keys to be either locally
defined or a reference to globally configured values.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
3. The TLS Client Model 3. The TLS Client Model
skipping to change at page 4, line 38 skipping to change at page 4, line 34
module: ietf-tls-client module: ietf-tls-client
grouping tls-client-grouping grouping tls-client-grouping
+-- client-identity +-- client-identity
| +-- (auth-type)? | +-- (auth-type)?
| +--:(certificate) | +--:(certificate)
| +-- certificate | +-- certificate
| +---u ks:local-or-keystore-end-entity-cert-with-key-grouping | +---u ks:local-or-keystore-end-entity-cert-with-key-grouping
+-- server-authentication +-- server-authentication
| +-- pinned-ca-certs? ta:pinned-certificates-ref | +-- ca-certs? ts:certificates-ref
| | {ta:x509-certificates}? | | {ts:x509-certificates}?
| +-- pinned-server-certs? ta:pinned-certificates-ref | +-- server-certs? ts:certificates-ref
| {ta:x509-certificates}? | {ts:x509-certificates}?
+-- hello-params {tls-client-hello-params-config}? +-- hello-params {tls-client-hello-params-config}?
| +---u tlscmn:hello-params-grouping | +---u tlscmn:hello-params-grouping
+-- keepalives! {tls-client-keepalives}? +-- keepalives! {tls-client-keepalives}?
+-- max-wait? uint16 +-- max-wait? uint16
+-- max-attempts? uint8 +-- max-attempts? uint8
3.2. Example Usage 3.2. Example Usage
This section presents two examples showing the tls-client-grouping This section presents two examples showing the tls-client-grouping
populated with some data. These examples are effectively the same populated with some data. These examples are effectively the same
skipping to change at page 5, line 37 skipping to change at page 5, line 30
-types">ct:rsa2048</algorithm> -types">ct:rsa2048</algorithm>
<private-key>base64encodedvalue==</private-key> <private-key>base64encodedvalue==</private-key>
<public-key>base64encodedvalue==</public-key> <public-key>base64encodedvalue==</public-key>
<cert>base64encodedvalue==</cert> <cert>base64encodedvalue==</cert>
</local-definition> </local-definition>
</certificate> </certificate>
</client-identity> </client-identity>
<!-- which certificates will this client trust --> <!-- which certificates will this client trust -->
<server-authentication> <server-authentication>
<pinned-ca-certs>explicitly-trusted-server-ca-certs</pinned-ca-certs> <ca-certs>explicitly-trusted-server-ca-certs</ca-certs>
<pinned-server-certs>explicitly-trusted-server-certs</pinned-server-certs> <server-certs>explicitly-trusted-server-certs</server-certs>
</server-authentication> </server-authentication>
<keepalives> <keepalives>
<max-wait>30</max-wait> <max-wait>30</max-wait>
<max-attempts>3</max-attempts> <max-attempts>3</max-attempts>
</keepalives> </keepalives>
</tls-client> </tls-client>
The following example configures the client identity using a key from The following example configures the client identity using a key from
the keystore: the keystore:
=========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) ===========
<tls-client xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client"> <tls-client xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client">
<!-- how this client will authenticate itself to the server --> <!-- how this client will authenticate itself to the server -->
<client-identity> <client-identity>
<certificate> <certificate>
<keystore-reference>ex-rsa-cert</keystore-reference> <keystore-reference>ex-rsa-cert</keystore-reference>
</certificate> </certificate>
</client-identity> </client-identity>
<!-- which certificates will this client trust --> <!-- which certificates will this client trust -->
<server-authentication> <server-authentication>
<pinned-ca-certs>explicitly-trusted-server-ca-certs</pinned-ca-certs> <ca-certs>explicitly-trusted-server-ca-certs</ca-certs>
<pinned-server-certs>explicitly-trusted-server-certs</pinned-server-certs> <server-certs>explicitly-trusted-server-certs</server-certs>
</server-authentication> </server-authentication>
<keepalives> <keepalives>
<max-wait>30</max-wait> <max-wait>30</max-wait>
<max-attempts>3</max-attempts> <max-attempts>3</max-attempts>
</keepalives> </keepalives>
</tls-client> </tls-client>
3.3. YANG Module 3.3. YANG Module
This YANG module has normative references to This YANG module has normative references to
[I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore]. [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore].
<CODE BEGINS> file "ietf-tls-client@2019-04-29.yang" <CODE BEGINS> file "ietf-tls-client@2019-06-07.yang"
module ietf-tls-client { module ietf-tls-client {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client";
prefix tlsc; prefix tlsc;
import ietf-tls-common { import ietf-tls-common {
prefix tlscmn; prefix tlscmn;
revision-date 2019-04-29; // stable grouping definitions revision-date 2019-06-07; // stable grouping definitions
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
import ietf-trust-anchors { import ietf-truststore {
prefix ta; prefix ts;
reference reference
"RFC YYYY: YANG Data Model for Global Trust Anchors"; "RFC YYYY: A YANG Data Model for a Truststore";
} }
import ietf-keystore { import ietf-keystore {
prefix ks; prefix ks;
reference reference
"RFC ZZZZ: YANG Data Model for a 'Keystore' Mechanism"; "RFC ZZZZ: A YANG Data Model for a Keystore";
} }
import ietf-netconf-acm { import ietf-netconf-acm {
prefix nacm; prefix nacm;
reference reference
"RFC 8341: Network Configuration Access Control Model"; "RFC 8341: Network Configuration Access Control Model";
} }
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
skipping to change at page 8, line 5 skipping to change at page 7, line 48
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices.; itself for full legal notices.;
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2019-04-29 { revision 2019-06-07 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
// Features // Features
feature tls-client-hello-params-config { feature tls-client-hello-params-config {
description description
skipping to change at page 9, line 8 skipping to change at page 9, line 4
the TLS server."; the TLS server.";
choice auth-type { choice auth-type {
description description
"The authentication type."; "The authentication type.";
container certificate { container certificate {
uses uses
ks:local-or-keystore-end-entity-cert-with-key-grouping; ks:local-or-keystore-end-entity-cert-with-key-grouping;
description description
"A locally-defined or referenced certificate "A locally-defined or referenced certificate
to be used for client authentication."; to be used for client authentication.";
reference reference
"RFC ZZZZ: YANG Data Model for a 'Keystore' Mechanism"; "RFC ZZZZ: YANG Data Model for a 'Keystore' Mechanism";
} }
} }
} // container client-identity } // container client-identity
container server-authentication { container server-authentication {
nacm:default-deny-write; nacm:default-deny-write;
must 'pinned-ca-certs or pinned-server-certs'; must 'ca-certs or server-certs';
description description
"Trusted server identities."; "Trusted server identities.";
leaf pinned-ca-certs { leaf ca-certs {
if-feature "ta:x509-certificates"; if-feature "ts:x509-certificates";
type ta:pinned-certificates-ref; type ts:certificates-ref;
description description
"A reference to a list of certificate authority (CA) "A reference to a list of certificate authority (CA)
certificates used by the TLS client to authenticate certificates used by the TLS client to authenticate
TLS server certificates. A server certificate is TLS server certificates. A server certificate is
authenticated if it has a valid chain of trust to authenticated if it has a valid chain of trust to
a configured pinned CA certificate."; a configured CA certificate.";
} }
leaf pinned-server-certs { leaf server-certs {
if-feature "ta:x509-certificates"; if-feature "ts:x509-certificates";
type ta:pinned-certificates-ref; type ts:certificates-ref;
description description
"A reference to a list of server certificates used by "A reference to a list of server certificates used by
the TLS client to authenticate TLS server certificates. the TLS client to authenticate TLS server certificates.
A server certificate is authenticated if it is an A server certificate is authenticated if it is an
exact match to a configured pinned server certificate."; exact match to a configured server certificate.";
} }
} // container server-authentication } // container server-authentication
container hello-params { container hello-params {
nacm:default-deny-write; nacm:default-deny-write;
if-feature "tls-client-hello-params-config"; if-feature "tls-client-hello-params-config";
uses tlscmn:hello-params-grouping; uses tlscmn:hello-params-grouping;
description description
"Configurable parameters for the TLS hello message."; "Configurable parameters for the TLS hello message.";
} // container hello-params } // container hello-params
skipping to change at page 11, line 18 skipping to change at page 11, line 18
+-- server-identity +-- server-identity
| +---u ks:local-or-keystore-end-entity-cert-with-key-grouping | +---u ks:local-or-keystore-end-entity-cert-with-key-grouping
+-- client-authentication! +-- client-authentication!
| +-- (required-or-optional) | +-- (required-or-optional)
| | +--:(required) | | +--:(required)
| | | +-- required? empty | | | +-- required? empty
| | +--:(optional) | | +--:(optional)
| | +-- optional? empty | | +-- optional? empty
| +-- (local-or-external) | +-- (local-or-external)
| +--:(local) {local-client-auth-supported}? | +--:(local) {local-client-auth-supported}?
| | +-- pinned-ca-certs? ta:pinned-certificates-ref {ta:x509-certificates}? | | +-- ca-certs? ts:certificates-ref {ts:x509-certificates}?
| | +-- pinned-client-certs? ta:pinned-certificates-ref {ta:x509-certificates}? | | +-- client-certs? ts:certificates-ref {ts:x509-certificates}?
| +--:(external) {external-client-auth-supported}? | +--:(external) {external-client-auth-supported}?
| +-- client-auth-defined-elsewhere? empty | +-- client-auth-defined-elsewhere? empty
+-- hello-params {tls-server-hello-params-config}? +-- hello-params {tls-server-hello-params-config}?
| +---u tlscmn:hello-params-grouping | +---u tlscmn:hello-params-grouping
+-- keepalives! {tls-server-keepalives}? +-- keepalives! {tls-server-keepalives}?
+-- max-wait? uint16 +-- max-wait? uint16
+-- max-attempts? uint8 +-- max-attempts? uint8
4.2. Example Usage 4.2. Example Usage
skipping to change at page 12, line 23 skipping to change at page 12, line 23
ypes">ct:rsa2048</algorithm> ypes">ct:rsa2048</algorithm>
<private-key>base64encodedvalue==</private-key> <private-key>base64encodedvalue==</private-key>
<public-key>base64encodedvalue==</public-key> <public-key>base64encodedvalue==</public-key>
<cert>base64encodedvalue==</cert> <cert>base64encodedvalue==</cert>
</local-definition> </local-definition>
</server-identity> </server-identity>
<!-- which certificates will this server trust --> <!-- which certificates will this server trust -->
<client-authentication> <client-authentication>
<required/> <required/>
<pinned-ca-certs>explicitly-trusted-client-ca-certs</pinned-ca-certs> <ca-certs>explicitly-trusted-client-ca-certs</ca-certs>
<pinned-client-certs>explicitly-trusted-client-certs</pinned-client-certs> <client-certs>explicitly-trusted-client-certs</client-certs>
</client-authentication> </client-authentication>
</tls-server> </tls-server>
The following example configures the server identity using a key from The following example configures the server identity using a key from
the keystore: the keystore:
=========== NOTE: '\' line wrapping per BCP XX (RFC XXXX) ===========
<tls-server xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server"> <tls-server xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server">
<!-- how this server will authenticate itself to the client --> <!-- how this server will authenticate itself to the client -->
<server-identity> <server-identity>
<keystore-reference>ex-rsa-cert</keystore-reference> <keystore-reference>ex-rsa-cert</keystore-reference>
</server-identity> </server-identity>
<!-- which certificates will this server trust --> <!-- which certificates will this server trust -->
<client-authentication> <client-authentication>
<required/> <required/>
<pinned-ca-certs>explicitly-trusted-client-ca-certs</pinned-ca-certs> <ca-certs>explicitly-trusted-client-ca-certs</ca-certs>
<pinned-client-certs>explicitly-trusted-client-certs</pinned-client-certs> <client-certs>explicitly-trusted-client-certs</client-certs>
</client-authentication> </client-authentication>
</tls-server> </tls-server>
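The instance data in Sections 3.2 and 4.2 can be checked against the constraints that are visible in the tree diagrams and in the client module's "must 'ca-certs or server-certs'" statement before it is handed to a TLS library. The following Python is an added example, not code from the draft or from any implementation of it. It assumes the four truststore list names used in the examples exist (TRUSTSTORE_LISTS is a constructed stand-in for ietf-truststore instance data that this page does not show), and the mapping of required/optional to the Python ssl module's verify modes is this example's own suggestion for a consuming application, not something the draft specifies.

```python
import ssl
import xml.etree.ElementTree as ET

TLSC = "urn:ietf:params:xml:ns:yang:ietf-tls-client"
TLSS = "urn:ietf:params:xml:ns:yang:ietf-tls-server"
# Constructed stand-in for the truststore (ietf-truststore instance data is not
# shown on this page): the certificate-list names the draft's examples reference.
TRUSTSTORE_LISTS = {
    "explicitly-trusted-server-ca-certs", "explicitly-trusted-server-certs",
    "explicitly-trusted-client-ca-certs", "explicitly-trusted-client-certs"}
# Sample instances, condensed from the keystore-reference examples in 3.2 and 4.2.
CLIENT_XML = """<tls-client xmlns="%s"><client-identity><certificate>
<keystore-reference>ex-rsa-cert</keystore-reference></certificate></client-identity>
<server-authentication><ca-certs>explicitly-trusted-server-ca-certs</ca-certs>
<server-certs>explicitly-trusted-server-certs</server-certs></server-authentication>
</tls-client>""" % TLSC
SERVER_XML = """<tls-server xmlns="%s"><server-identity>
<keystore-reference>ex-rsa-cert</keystore-reference></server-identity>
<client-authentication><required/>
<ca-certs>explicitly-trusted-client-ca-certs</ca-certs>
<client-certs>explicitly-trusted-client-certs</client-certs>
</client-authentication></tls-server>""" % TLSS


class ConfigError(ValueError):
    """Instance data violates a constraint of the model."""


def _find(el, ns, name):
    return None if el is None else el.find("{%s}%s" % (ns, name))


def _identity_kind(container, ns):
    # Nodes of the 'uses'd keystore grouping take the using module's namespace.
    for kind in ("local-definition", "keystore-reference"):
        if _find(container, ns, kind) is not None:
            return kind
    return None


def _cert_refs(container, ns, leaves, truststore):
    # certificates-ref is a leafref into the truststore: a dangling name must be
    # rejected, or the peer would be "authenticated" against an empty list.
    refs = {}
    for leaf in leaves:
        node = _find(container, ns, leaf)
        if node is not None:
            name = (node.text or "").strip()
            if name not in truststore:
                raise ConfigError("%s: dangling certificates-ref %r" % (leaf, name))
            refs[leaf] = name
    return refs


def validate_tls_client(xml_text, truststore=TRUSTSTORE_LISTS):
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}tls-client" % TLSC:
        raise ConfigError("not a tls-client instance")
    sa = _find(root, TLSC, "server-authentication")
    refs = _cert_refs(sa, TLSC, ("ca-certs", "server-certs"), truststore)
    if not refs:  # the module's "must 'ca-certs or server-certs'"
        raise ConfigError("server-authentication needs ca-certs or server-certs")
    cert = _find(_find(root, TLSC, "client-identity"), TLSC, "certificate")
    return {"client_identity": _identity_kind(cert, TLSC),
            "server_authentication": refs}


def validate_tls_server(xml_text, truststore=TRUSTSTORE_LISTS):
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}tls-server" % TLSS:
        raise ConfigError("not a tls-server instance")
    ident = _identity_kind(_find(root, TLSS, "server-identity"), TLSS)
    if ident is None:
        raise ConfigError("server-identity needs local-definition or keystore-reference")
    ca = _find(root, TLSS, "client-authentication")
    if ca is None:  # presence container absent: clients are not authenticated
        return {"server_identity": ident, "client_authentication": None,
                "verify_mode": ssl.CERT_NONE}
    required = _find(ca, TLSS, "required") is not None
    if required == (_find(ca, TLSS, "optional") is not None):
        raise ConfigError("choice required-or-optional: exactly one case")
    external = _find(ca, TLSS, "client-auth-defined-elsewhere") is not None
    refs = _cert_refs(ca, TLSS, ("ca-certs", "client-certs"), truststore)
    if external == bool(refs):
        raise ConfigError("choice local-or-external: exactly one case")
    # Case external: the consuming model owns the trust policy, so no verify_mode
    # is chosen here and the caller must not fall through to CERT_NONE.
    mode = None if external else (ssl.CERT_REQUIRED if required else ssl.CERT_OPTIONAL)
    return {"server_identity": ident,
            "client_authentication": "external" if external else refs,
            "verify_mode": mode}


def rejected(validator, xml_text):
    """True when the validator raises ConfigError for xml_text."""
    try:
        validator(xml_text)
    except ConfigError:
        return True
    return False
```

Two points are deliberate. A dangling certificates-ref is treated as a hard error rather than as "no trust list", because a client whose server-authentication resolves to nothing has no anchors to verify against. And the "external" case of the server's client-authentication returns no verify mode at all: the application that uses the grouping must wire in the policy it defines elsewhere, and an accidental default to CERT_NONE would silently disable client authentication.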
4.3. YANG Module 4.3. YANG Module
This YANG module has normative references to [RFC5246], This YANG module has normative references to [RFC5246],
[I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore]. [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore].
<CODE BEGINS> file "ietf-tls-server@2019-04-29.yang" <CODE BEGINS> file "ietf-tls-server@2019-06-07.yang"
module ietf-tls-server { module ietf-tls-server {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server";
prefix tlss; prefix tlss;
import ietf-tls-common { import ietf-tls-common {
prefix tlscmn; prefix tlscmn;
revision-date 2019-04-29; // stable grouping definitions revision-date 2019-06-07; // stable grouping definitions
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
import ietf-trust-anchors { import ietf-truststore {
prefix ta; prefix ts;
reference reference
"RFC YYYY: YANG Data Model for Global Trust Anchors"; "RFC YYYY: A YANG Data Model for a Truststore";
} }
import ietf-keystore { import ietf-keystore {
prefix ks; prefix ks;
reference reference
"RFC ZZZZ: YANG Data Model for a 'Keystore' Mechanism"; "RFC ZZZZ: A YANG Data Model for a Keystore";
} }
import ietf-netconf-acm { import ietf-netconf-acm {
prefix nacm; prefix nacm;
reference reference
"RFC 8341: Network Configuration Access Control Model"; "RFC 8341: Network Configuration Access Control Model";
} }
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
skipping to change at page 14, line 26 skipping to change at page 14, line 21
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices.; itself for full legal notices.;
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2019-04-29 { revision 2019-06-07 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
// Features // Features
feature tls-server-hello-params-config { feature tls-server-hello-params-config {
description description
skipping to change at page 16, line 49 skipping to change at page 16, line 45
authentication stems from the desire to support authentication stems from the desire to support
consuming data models that prefer to place client consuming data models that prefer to place client
authentication with client definitions, rather than authentication with client definitions, rather than
in a data model principally concerned with configuring in a data model principally concerned with configuring
the transport."; the transport.";
case local { case local {
if-feature "local-client-auth-supported"; if-feature "local-client-auth-supported";
description description
"The certificates needed to authenticate the clients "The certificates needed to authenticate the clients
are configured locally."; are configured locally.";
leaf pinned-ca-certs { leaf ca-certs {
if-feature "ta:x509-certificates"; if-feature "ts:x509-certificates";
type ta:pinned-certificates-ref;//FIXME: local-or-remote? type ts:certificates-ref;//FIXME: local-or-remote?
description description
"A reference to a list of certificate authority (CA) "A reference to a list of certificate authority (CA)
certificates used by the TLS server to authenticate certificates used by the TLS server to authenticate
TLS client certificates. A client certificate is TLS client certificates. A client certificate is
authenticated if it has a valid chain of trust to authenticated if it has a valid chain of trust to
a configured pinned CA certificate."; a configured CA certificate.";
reference reference
"RFC YYYY: YANG Data Model for Global Trust Anchors"; "RFC YYYY: YANG Data Model for Global Trust Anchors";
} }
leaf pinned-client-certs { leaf client-certs {
if-feature "ta:x509-certificates"; if-feature "ts:x509-certificates";
type ta:pinned-certificates-ref;//FIXME: local-or-remote? type ts:certificates-ref;//FIXME: local-or-remote?
description description
"A reference to a list of client certificates "A reference to a list of client certificates
used by the TLS server to authenticate TLS used by the TLS server to authenticate TLS
client certificates. A client certificate client certificates. A client certificate
is authenticated if it is an exact match to is authenticated if it is an exact match to
a configured pinned client certificate."; a configured client certificate.";
reference reference
"RFC YYYY: YANG Data Model for Global Trust Anchors"; "RFC YYYY: YANG Data Model for Global Trust Anchors";
} }
} }
case external { case external {
if-feature "external-client-auth-supported"; if-feature "external-client-auth-supported";
description description
"The certificates needed to authenticate the clients "The certificates needed to authenticate the clients
are configured externally."; are configured externally.";
leaf client-auth-defined-elsewhere { leaf client-auth-defined-elsewhere {
skipping to change at page 27, line 45 skipping to change at page 27, line 45
</hello-params> </hello-params>
5.3. YANG Module 5.3. YANG Module
This YANG module has normative references to [RFC4346], [RFC5246], This YANG module has normative references to [RFC4346], [RFC5246],
[RFC5288], [RFC5289], and [RFC8422]. [RFC5288], [RFC5289], and [RFC8422].
This YANG module has informative references to [RFC2246], This YANG module has informative references to [RFC2246],
[RFC4346], [RFC5246], and [RFC8446]. [RFC4346], [RFC5246], and [RFC8446].
<CODE BEGINS> file "ietf-tls-common@2019-04-29.yang" <CODE BEGINS> file "ietf-tls-common@2019-06-07.yang"
module ietf-tls-common { module ietf-tls-common {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common";
prefix tlscmn; prefix tlscmn;
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
contact contact
"WG Web: <http://datatracker.ietf.org/wg/netconf/> "WG Web: <http://datatracker.ietf.org/wg/netconf/>
skipping to change at page 28, line 36 skipping to change at page 28, line 36
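Review bot: [RFC4346] and [RFC5246] are listed in both the normative and the informative reference sentences of Section 5.3, unchanged in both columns; a reference should appear in one category only, so keep TLS 1.1 and TLS 1.2 in the normative sentence (where the module's definitions cite them) and drop them from the informative one. While here, "has a normative references" and "has a informative references" should read "has normative references" and "has informative references".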
       (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
       itself for full legal notices.;

       The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
       'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
       'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
       are to be interpreted as described in BCP 14 (RFC 2119)
       (RFC 8174) when, and only when, they appear in all
       capitals, as shown here.";

-  revision 2019-04-29 {
+  revision 2019-06-07 {
     description
       "Initial version";
     reference
       "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
   }

   // Features

   feature tls-1_0 {
     description
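Review bot: the module description string ends a sentence with "itself for full legal notices.;" in both columns; the semicolon after the period is a stray character inside the quoted string and should be removed so the text reads "itself for full legal notices." before the BCP 14 paragraph.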
skipping to change at page 38, line 44
   namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common
   prefix:    tlscmn
   reference: RFC XXXX

8.  References

8.1.  Normative References

   [I-D.ietf-netconf-crypto-types]
              Watsen, K. and H. Wang, "Common YANG Data Types for
-             Cryptography", draft-ietf-netconf-crypto-types-05 (work in
-             progress), March 2019.
+             Cryptography", draft-ietf-netconf-crypto-types-06 (work in
+             progress), April 2019.

   [I-D.ietf-netconf-keystore]
              Watsen, K., "YANG Data Model for a Centralized Keystore
-             Mechanism", draft-ietf-netconf-keystore-08 (work in
-             progress), March 2019.
+             Mechanism", draft-ietf-netconf-keystore-09 (work in
+             progress), April 2019.

   [I-D.ietf-netconf-trust-anchors]
              Watsen, K., "YANG Data Model for Global Trust Anchors",
-             draft-ietf-netconf-trust-anchors-03 (work in progress),
-             March 2019.
+             draft-ietf-netconf-trust-anchors-04 (work in progress),
+             April 2019.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC5288]  Salowey, J., Choudhury, A., and D. McGrew, "AES Galois
              Counter Mode (GCM) Cipher Suites for TLS", RFC 5288,
              DOI 10.17487/RFC5288, August 2008,
              <https://www.rfc-editor.org/info/rfc5288>.
skipping to change at page 44, line 43
   that prefer to keep client auth with client definitions than in a
   model principally concerned with the "transport".

   o  In both models, removed the "demux containers", floating the
      nacm:default-deny-write to each descendent node, and adding a note
      to model designers regarding the potential need to add their own
      demux containers.

   o  Fixed a couple references (section 2 --> section 3)

+A.13.  12 to 13
+
+   o  Updated to reflect changes in trust-anchors drafts (e.g.,
+      s/trust-anchors/truststore/g + s/pinned.//)

Acknowledgements

   The authors would like to thank for following for lively discussions
   on list and in the halls (ordered by last name): Andy Bierman, Martin
   Bjorklund, Benoit Claise, Mehmet Ersue, Balazs Kovacs, David
   Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci, Tom Petch,
   Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert Wijnen.

Authors' Addresses
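Review bot: "The authors would like to thank for following for lively discussions" is unchanged in both columns and should read "would like to thank the following for lively discussions".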
 End of changes. 45 change blocks. 
81 lines changed or deleted, 69 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/