draft-ietf-netconf-tls-client-server-15.txt   draft-ietf-netconf-tls-client-server-16.txt 
NETCONF Working Group K. Watsen NETCONF Working Group K. Watsen
Internet-Draft Watsen Networks Internet-Draft Watsen Networks
Intended status: Standards Track G. Wu Intended status: Standards Track G. Wu
Expires: April 20, 2020 Cisco Systems Expires: May 4, 2020 Cisco Systems
L. Xia L. Xia
Huawei Huawei
October 18, 2019 November 1, 2019
YANG Groupings for TLS Clients and TLS Servers YANG Groupings for TLS Clients and TLS Servers
draft-ietf-netconf-tls-client-server-15 draft-ietf-netconf-tls-client-server-16
Abstract Abstract
This document defines three YANG modules: the first defines groupings This document defines three YANG modules: the first defines groupings
for a generic TLS client, the second defines groupings for a generic for a generic TLS client, the second defines groupings for a generic
TLS server, and the third defines common identities and groupings TLS server, and the third defines common identities and groupings
used by both the client and the server. It is intended that these used by both the client and the server. It is intended that these
groupings will be used by applications using the TLS protocol. groupings will be used by applications using the TLS protocol.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
skipping to change at page 2, line 5 skipping to change at page 2, line 5
o "XXXX" --> the assigned RFC value for this draft o "XXXX" --> the assigned RFC value for this draft
o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-trust- o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-trust-
anchors anchors
o "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-keystore o "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-keystore
Artwork in this document contains placeholder values for the date of Artwork in this document contains placeholder values for the date of
publication of this draft. Please apply the following replacement: publication of this draft. Please apply the following replacement:
o "2019-10-18" --> the publication date of this draft o "2019-11-02" --> the publication date of this draft
The following Appendix section is to be removed prior to publication: The following Appendix section is to be removed prior to publication:
o Appendix A. Change Log o Appendix A. Change Log
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 20, 2020. This Internet-Draft will expire on May 4, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
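Review bot: the date placeholder in the Editorial Note ("2019-11-02" --> the publication date of this draft) does not match the date printed in the document header for this revision (November 1, 2019), and the three module file names and `revision` statements also use 2019-11-02; either the header date or the placeholder should be aligned so that the artwork replacement yields the actual publication date.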
skipping to change at page 3, line 34 skipping to change at page 3, line 34
A.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 44 A.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 44
A.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 44 A.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 44
A.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 44 A.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 44
A.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 44 A.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 44
A.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 45 A.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 45
A.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 45 A.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 45
A.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 45 A.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 45
A.14. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 45 A.14. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 45
A.15. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 46 A.15. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 46
A.16. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 46 A.16. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 46
A.17. 15 to 16 . . . . . . . . . . . . . . . . . . . . . . . . 46
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 46 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 46
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 46 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 46
1. Introduction 1. Introduction
This document defines three YANG 1.1 [RFC7950] modules: the first This document defines three YANG 1.1 [RFC7950] modules: the first
defines a grouping for a generic TLS client, the second defines a defines a grouping for a generic TLS client, the second defines a
grouping for a generic TLS server, and the third defines identities grouping for a generic TLS server, and the third defines identities
and groupings common to both the client and the server (TLS is and groupings common to both the client and the server (TLS is
defined in [RFC5246]). It is intended that these groupings will be defined in [RFC5246]). It is intended that these groupings will be
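Review bot: the table of contents lists both A.13 and A.14 as "12 to 13", while A.15, A.16 and the newly added A.17 continue as "13 to 14", "14 to 15" and "15 to 16"; one of the two duplicated change-log titles is mislabeled and the appendix headings should be checked against the sequence of draft revisions.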
skipping to change at page 4, line 31 skipping to change at page 4, line 32
This section provides a tree diagram [RFC8340] for the "ietf-tls- This section provides a tree diagram [RFC8340] for the "ietf-tls-
client" module that does not have groupings expanded. client" module that does not have groupings expanded.
module: ietf-tls-client module: ietf-tls-client
grouping tls-client-grouping grouping tls-client-grouping
+-- client-identity +-- client-identity
| +---u ks:local-or-keystore-end-entity-cert-with-key-grouping | +---u ks:local-or-keystore-end-entity-cert-with-key-grouping
+-- server-authentication +-- server-authentication
| +-- ca-certs! {ts:x509-certificates}? | +-- ca-certs!
| | +---u ts:local-or-truststore-certs-grouping | | +---u ts:local-or-truststore-certs-grouping
| +-- server-certs! {ts:x509-certificates}? | +-- server-certs!
| +---u ts:local-or-truststore-certs-grouping | +---u ts:local-or-truststore-certs-grouping
+-- hello-params {tls-client-hello-params-config}? +-- hello-params {tls-client-hello-params-config}?
| +---u tlscmn:hello-params-grouping | +---u tlscmn:hello-params-grouping
+-- keepalives! {tls-client-keepalives}? +-- keepalives! {tls-client-keepalives}?
+-- max-wait? uint16 +-- max-wait? uint16
+-- max-attempts? uint8 +-- max-attempts? uint8
3.2. Example Usage 3.2. Example Usage
This section presents two examples showing the tls-client-grouping This section presents two examples showing the tls-client-grouping
skipping to change at page 6, line 41 skipping to change at page 6, line 41
<max-attempts>3</max-attempts> <max-attempts>3</max-attempts>
</keepalives> </keepalives>
</tls-client> </tls-client>
3.3. YANG Module 3.3. YANG Module
This YANG module has normative references to This YANG module has normative references to
[I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore]. [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore].
<CODE BEGINS> file "ietf-tls-client@2019-10-18.yang" <CODE BEGINS> file "ietf-tls-client@2019-11-02.yang"
module ietf-tls-client { module ietf-tls-client {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client";
prefix tlsc; prefix tlsc;
import ietf-tls-common { import ietf-tls-common {
prefix tlscmn; prefix tlscmn;
revision-date 2019-10-18; // stable grouping definitions revision-date 2019-11-02; // stable grouping definitions
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
import ietf-truststore { import ietf-truststore {
prefix ts; prefix ts;
reference reference
"RFC YYYY: A YANG Data Model for a Truststore"; "RFC YYYY: A YANG Data Model for a Truststore";
} }
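Review bot: the import of ietf-tls-common pins `revision-date 2019-11-02;` (commented as "stable grouping definitions"), but the import of ietf-truststore carries only a `reference` statement with no `revision-date`; since the module depends on the truststore groupings just as much, either pin both imports for the same reason or state why only the common module is pinned.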
skipping to change at page 8, line 10 skipping to change at page 8, line 10
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices.; itself for full legal notices.;
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2019-10-18 { revision 2019-11-02 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
// Features // Features
feature tls-client-hello-params-config { feature tls-client-hello-params-config {
description description
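Review bot: the module description string ends "see the RFC itself for full legal notices.;" with a stray semicolon inside the quoted text before the BCP 14 key-words paragraph; the same ".;" appears in the ietf-tls-server and ietf-tls-common descriptions, so it looks like a template artifact to remove in all three modules.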
skipping to change at page 9, line 20 skipping to change at page 9, line 20
The Transport Layer Security (TLS) Protocol Version 1.2 The Transport Layer Security (TLS) Protocol Version 1.2
RFC ZZZZ: RFC ZZZZ:
YANG Data Model for a 'Keystore' Mechanism"; YANG Data Model for a 'Keystore' Mechanism";
uses ks:local-or-keystore-end-entity-cert-with-key-grouping; uses ks:local-or-keystore-end-entity-cert-with-key-grouping;
} // container client-identity } // container client-identity
container server-authentication { // FIXME: what about PSKs? container server-authentication { // FIXME: what about PSKs?
nacm:default-deny-write; nacm:default-deny-write;
must 'ca-certs or server-certs'; must 'ca-certs or server-certs';
description description
"Trusted server identities."; "Trusted server identities. Any combination of trusted
server identities is additive and unordered.";
container ca-certs { container ca-certs {
if-feature "ts:x509-certificates";
presence presence
"Indicates that the client can authenticate servers "Indicates that the client can authenticate servers
using the configured trust anchor certificates."; using the configured trust anchor certificates.";
description description
"A list of certificate authority (CA) certificates used by "A set of certificate authority (CA) certificates used by
the TLS client to authenticate TLS server certificates. the TLS client to authenticate TLS servers. A server
A server certificate is authenticated if it has a valid is authenticated if its certificate has a valid chain
chain of trust to a configured CA certificate."; of trust to a configured CA certificate.";
uses ts:local-or-truststore-certs-grouping; uses ts:local-or-truststore-certs-grouping;
} }
container server-certs { container server-certs {
if-feature "ts:x509-certificates";
presence presence
"Indicates that the client can authenticate servers "Indicates that the client can authenticate servers
using the configured server certificates."; using the configured server certificates.";
description description
"A list of server certificates used by the TLS client "A set of end-entity certificates used by the TLS client
to authenticate TLS server certificates. A server to authenticate TLS servers. A server is authenticated
certificate is authenticated if it is an exact match if its certificate is an exact match to a configured
to a configured server certificate."; server certificate.";
uses ts:local-or-truststore-certs-grouping; uses ts:local-or-truststore-certs-grouping;
} }
} // container server-authentication } // container server-authentication
container hello-params { container hello-params {
nacm:default-deny-write; nacm:default-deny-write;
if-feature "tls-client-hello-params-config"; if-feature "tls-client-hello-params-config";
uses tlscmn:hello-params-grouping; uses tlscmn:hello-params-grouping;
description description
"Configurable parameters for the TLS hello message."; "Configurable parameters for the TLS hello message.";
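Review bot: the `// FIXME: what about PSKs?` comment on the server-authentication container survives into -16 even though the container's description was expanded to say that trusted server identities are "additive and unordered"; the only identities modeled are ca-certs and server-certs, so the FIXME should be resolved (state that PSK-based server authentication is out of scope, or model it) rather than left in a module headed for publication. Dropping `if-feature "ts:x509-certificates"` from ca-certs and server-certs also changes when `must 'ca-certs or server-certs'` is satisfiable on a device that does not support that truststore feature, which is worth a sentence in the A.17 change log.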
skipping to change at page 11, line 18 skipping to change at page 11, line 18
+-- server-identity +-- server-identity
| +---u ks:local-or-keystore-end-entity-cert-with-key-grouping | +---u ks:local-or-keystore-end-entity-cert-with-key-grouping
+-- client-authentication! +-- client-authentication!
| +-- (required-or-optional) | +-- (required-or-optional)
| | +--:(required) | | +--:(required)
| | | +-- required? empty | | | +-- required? empty
| | +--:(optional) | | +--:(optional)
| | +-- optional? empty | | +-- optional? empty
| +-- (local-or-external) | +-- (local-or-external)
| +--:(local) {local-client-auth-supported}? | +--:(local) {local-client-auth-supported}?
| | +-- ca-certs! {ts:x509-certificates}? | | +-- ca-certs!
| | | +---u ts:local-or-truststore-certs-grouping | | | +---u ts:local-or-truststore-certs-grouping
| | +-- client-certs! {ts:x509-certificates}? | | +-- client-certs!
| | +---u ts:local-or-truststore-certs-grouping | | +---u ts:local-or-truststore-certs-grouping
| +--:(external) {external-client-auth-supported}? | +--:(external) {external-client-auth-supported}?
| +-- client-auth-defined-elsewhere? empty | +-- client-auth-defined-elsewhere? empty
+-- hello-params {tls-server-hello-params-config}? +-- hello-params {tls-server-hello-params-config}?
| +---u tlscmn:hello-params-grouping | +---u tlscmn:hello-params-grouping
+-- keepalives! {tls-server-keepalives}? +-- keepalives! {tls-server-keepalives}?
+-- max-wait? uint16 +-- max-wait? uint16
+-- max-attempts? uint8 +-- max-attempts? uint8
4.2. Example Usage 4.2. Example Usage
skipping to change at page 13, line 37 skipping to change at page 13, line 37
</client-certs> </client-certs>
</client-authentication> </client-authentication>
</tls-server> </tls-server>
4.3. YANG Module 4.3. YANG Module
This YANG module has a normative references to [RFC5246], This YANG module has a normative references to [RFC5246],
[I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore]. [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore].
<CODE BEGINS> file "ietf-tls-server@2019-10-18.yang" <CODE BEGINS> file "ietf-tls-server@2019-11-02.yang"
module ietf-tls-server { module ietf-tls-server {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server";
prefix tlss; prefix tlss;
import ietf-tls-common { import ietf-tls-common {
prefix tlscmn; prefix tlscmn;
revision-date 2019-10-18; // stable grouping definitions revision-date 2019-11-02; // stable grouping definitions
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
import ietf-truststore { import ietf-truststore {
prefix ts; prefix ts;
reference reference
"RFC YYYY: A YANG Data Model for a Truststore"; "RFC YYYY: A YANG Data Model for a Truststore";
} }
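Review bot: "This YANG module has a normative references to" should read "This YANG module has normative references to" (the same wording recurs in Section 5.3), and, as in the client module, the ietf-truststore import is not pinned to a `revision-date` while the ietf-tls-common import is.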
skipping to change at page 15, line 6 skipping to change at page 15, line 6
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices.; itself for full legal notices.;
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2019-10-18 { revision 2019-11-02 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
// Features // Features
feature tls-server-hello-params-config { feature tls-server-hello-params-config {
description description
skipping to change at page 17, line 17 skipping to change at page 17, line 17
leaf optional { leaf optional {
type empty; type empty;
description description
"Indicates that TLS-level client authentication is "Indicates that TLS-level client authentication is
optional."; optional.";
} }
} }
choice local-or-external { choice local-or-external {
mandatory true; mandatory true;
description description
"Indicates if the certificates needed to authenticate the "Indicates if the credentials needed to authenticate the
client are configured locally or externally. clients are configured locally or externally.
Configuring certificates externally enables applications Configuring credentials externally enables applications
to place client authentication with client definitions, to place client authentication with client definitions,
rather then in a data model principally concerned with rather then in a part of a data model principally
configuring the transport."; concerned with configuring the TLS transport.";
case local { case local {
if-feature "local-client-auth-supported"; if-feature "local-client-auth-supported";
// must 'ca-certs or server-certs'; (case/must, YANG-Next)
description description
"The certificates needed to authenticate the clients "The certificates needed to authenticate the clients
are configured withing the TLS configuration. are configured within this TLS configuration.
How to extract an application-level user name from the How to extract an application-level user name from the
certificate is outside the scope of this data model."; certificate is outside the scope of this data model.";
container ca-certs { container ca-certs {
if-feature "ts:x509-certificates";
presence presence
"Indicates that the server can authenticate clients "Indicates that the server can authenticate clients
using the configured trust anchor certificates."; using the configured trust anchor certificates.";
description description
"A list of certificate authority (CA) certificates "A set of certificate authority (CA) certificates used
used by the TLS server to authenticate TLS client by the TLS server to authenticate TLS clients. A
certificates. A client certificate is authenticated client is authenticated if its certificate has a
if it has a valid chain of trust to a configured CA valid chain of trust to a configured CA certificate.";
certificate.";
reference reference
"RFC YYYY: YANG Data Model for Global Trust Anchors"; "RFC YYYY: YANG Data Model for Global Trust Anchors";
uses ts:local-or-truststore-certs-grouping; uses ts:local-or-truststore-certs-grouping;
} }
container client-certs { container client-certs {
if-feature "ts:x509-certificates";
presence presence
"Indicates that the server can authenticate clients "Indicates that the server can authenticate clients
using the configured client certificates."; using the configured client certificates.";
description description
"A list of client certificates used by the TLS server "A set of end-entity certificates used by the TLS
to authenticate TLS client certificates. A clients server to authenticate TLS clients. A client is
certificate is authenticated if it is an exact match authenticated if its certificate is an exact match
to a configured client certificate."; to a configured client certificate.";
reference reference
"RFC YYYY: YANG Data Model for Global Trust Anchors"; "RFC YYYY: YANG Data Model for Global Trust Anchors";
uses ts:local-or-truststore-certs-grouping; uses ts:local-or-truststore-certs-grouping;
} }
} }
case external { case external {
if-feature "external-client-auth-supported"; if-feature "external-client-auth-supported";
description description
"The certificates needed to authenticate the clients "The certificates needed to authenticate the clients
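Review bot: the commented-out constraint `// must 'ca-certs or server-certs'; (case/must, YANG-Next)` in `case local` names `server-certs`, but the two containers in this case are `ca-certs` and `client-certs`; the intended expression is presumably `'ca-certs or client-certs'`, and since YANG 1.1 cannot attach the `must` to a case, the `case local` description should say in prose that at least one of the two containers must be present. In the same hunk, "rather then in a part of a data model" still has "then" for "than"; the choice description was changed to "credentials" while the case descriptions still say "certificates"; and the reference title "RFC YYYY: YANG Data Model for Global Trust Anchors" differs from the title used for the same RFC YYYY in the import statement ("A YANG Data Model for a Truststore").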
skipping to change at page 28, line 45 skipping to change at page 28, line 45
</hello-params> </hello-params>
5.3. YANG Module 5.3. YANG Module
This YANG module has a normative references to [RFC4346], [RFC5246], This YANG module has a normative references to [RFC4346], [RFC5246],
[RFC5288], [RFC5289], and [RFC8422]. [RFC5288], [RFC5289], and [RFC8422].
This YANG module has a informative references to [RFC2246], This YANG module has a informative references to [RFC2246],
[RFC4346], [RFC5246], and [RFC8446]. [RFC4346], [RFC5246], and [RFC8446].
<CODE BEGINS> file "ietf-tls-common@2019-10-18.yang" <CODE BEGINS> file "ietf-tls-common@2019-11-02.yang"
module ietf-tls-common { module ietf-tls-common {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common";
prefix tlscmn; prefix tlscmn;
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
contact contact
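Review bot: [RFC4346] and [RFC5246] are listed both as normative and as informative references for ietf-tls-common; each should appear in one category only, and normative is the right one given that the tls-1.1, tls-1.2 and cipher-suite identities cite them. The two sentences also need "has normative references" and "has informative references" (drop the stray "a").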
skipping to change at page 29, line 37 skipping to change at page 29, line 37
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices.; itself for full legal notices.;
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2019-10-18 { revision 2019-11-02 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
// Features // Features
feature tls-1_0 { feature tls-1_0 {
description description
skipping to change at page 31, line 29 skipping to change at page 31, line 29
} }
// Identities // Identities
identity tls-version-base { identity tls-version-base {
description description
"Base identity used to identify TLS protocol versions."; "Base identity used to identify TLS protocol versions.";
} }
identity tls-1.0 { identity tls-1.0 {
base tls-version-base;
if-feature "tls-1_0"; if-feature "tls-1_0";
base tls-version-base;
description description
"TLS Protocol Version 1.0."; "TLS Protocol Version 1.0.";
reference reference
"RFC 2246: The TLS Protocol Version 1.0"; "RFC 2246: The TLS Protocol Version 1.0";
} }
identity tls-1.1 { identity tls-1.1 {
base tls-version-base;
if-feature "tls-1_1"; if-feature "tls-1_1";
base tls-version-base;
description description
"TLS Protocol Version 1.1."; "TLS Protocol Version 1.1.";
reference reference
"RFC 4346: The Transport Layer Security (TLS) Protocol "RFC 4346: The Transport Layer Security (TLS) Protocol
Version 1.1"; Version 1.1";
} }
identity tls-1.2 { identity tls-1.2 {
base tls-version-base;
if-feature "tls-1_2"; if-feature "tls-1_2";
base tls-version-base;
description description
"TLS Protocol Version 1.2."; "TLS Protocol Version 1.2.";
reference reference
"RFC 5246: The Transport Layer Security (TLS) Protocol "RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2"; Version 1.2";
} }
identity cipher-suite-base { identity cipher-suite-base {
description description
skipping to change at page 32, line 34 skipping to change at page 32, line 34
identity rsa-with-aes-256-cbc-sha { identity rsa-with-aes-256-cbc-sha {
base cipher-suite-base; base cipher-suite-base;
description description
"Cipher suite TLS_RSA_WITH_AES_256_CBC_SHA."; "Cipher suite TLS_RSA_WITH_AES_256_CBC_SHA.";
reference reference
"RFC 5246: The Transport Layer Security (TLS) Protocol "RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2"; Version 1.2";
} }
identity rsa-with-aes-128-cbc-sha256 { identity rsa-with-aes-128-cbc-sha256 {
base cipher-suite-base;
if-feature "tls-sha2"; if-feature "tls-sha2";
base cipher-suite-base;
description description
"Cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256."; "Cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256.";
reference reference
"RFC 5246: The Transport Layer Security (TLS) Protocol "RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2"; Version 1.2";
} }
identity rsa-with-aes-256-cbc-sha256 { identity rsa-with-aes-256-cbc-sha256 {
base cipher-suite-base;
if-feature "tls-sha2"; if-feature "tls-sha2";
base cipher-suite-base;
description description
"Cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256."; "Cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256.";
reference reference
"RFC 5246: The Transport Layer Security (TLS) Protocol "RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2"; Version 1.2";
} }
identity dhe-rsa-with-aes-128-cbc-sha { identity dhe-rsa-with-aes-128-cbc-sha {
base cipher-suite-base;
if-feature "tls-dhe"; if-feature "tls-dhe";
base cipher-suite-base;
description description
"Cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA."; "Cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA.";
reference reference
"RFC 5246: The Transport Layer Security (TLS) Protocol "RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2"; Version 1.2";
} }
identity dhe-rsa-with-aes-256-cbc-sha { identity dhe-rsa-with-aes-256-cbc-sha {
base cipher-suite-base;
if-feature "tls-dhe"; if-feature "tls-dhe";
base cipher-suite-base;
description description
"Cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA."; "Cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA.";
reference reference
"RFC 5246: The Transport Layer Security (TLS) Protocol "RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2"; Version 1.2";
} }
identity dhe-rsa-with-aes-128-cbc-sha256 { identity dhe-rsa-with-aes-128-cbc-sha256 {
base cipher-suite-base;
if-feature "tls-dhe and tls-sha2"; if-feature "tls-dhe and tls-sha2";
base cipher-suite-base;
description description
"Cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256."; "Cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256.";
reference reference
"RFC 5246: The Transport Layer Security (TLS) Protocol "RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2"; Version 1.2";
} }
identity dhe-rsa-with-aes-256-cbc-sha256 { identity dhe-rsa-with-aes-256-cbc-sha256 {
base cipher-suite-base;
if-feature "tls-dhe and tls-sha2"; if-feature "tls-dhe and tls-sha2";
base cipher-suite-base;
description description
"Cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA256."; "Cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA256.";
reference reference
"RFC 5246: The Transport Layer Security (TLS) Protocol "RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2"; Version 1.2";
} }
identity ecdhe-ecdsa-with-aes-128-cbc-sha256 { identity ecdhe-ecdsa-with-aes-128-cbc-sha256 {
base cipher-suite-base;
if-feature "tls-ecc and tls-sha2"; if-feature "tls-ecc and tls-sha2";
base cipher-suite-base;
description description
"Cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256."; "Cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256.";
reference reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with "RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)"; SHA-256/384 and AES Galois Counter Mode (GCM)";
} }
identity ecdhe-ecdsa-with-aes-256-cbc-sha384 { identity ecdhe-ecdsa-with-aes-256-cbc-sha384 {
base cipher-suite-base;
if-feature "tls-ecc and tls-sha2"; if-feature "tls-ecc and tls-sha2";
base cipher-suite-base;
description description
"Cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384."; "Cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384.";
reference reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with "RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)"; SHA-256/384 and AES Galois Counter Mode (GCM)";
} }
identity ecdhe-rsa-with-aes-128-cbc-sha256 { identity ecdhe-rsa-with-aes-128-cbc-sha256 {
base cipher-suite-base;
if-feature "tls-ecc and tls-sha2"; if-feature "tls-ecc and tls-sha2";
base cipher-suite-base;
description description
"Cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256."; "Cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.";
reference reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with "RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)"; SHA-256/384 and AES Galois Counter Mode (GCM)";
} }
identity ecdhe-rsa-with-aes-256-cbc-sha384 { identity ecdhe-rsa-with-aes-256-cbc-sha384 {
base cipher-suite-base;
if-feature "tls-ecc and tls-sha2"; if-feature "tls-ecc and tls-sha2";
base cipher-suite-base;
description description
"Cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384."; "Cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384.";
reference reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with "RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)"; SHA-256/384 and AES Galois Counter Mode (GCM)";
} }
identity ecdhe-ecdsa-with-aes-128-gcm-sha256 { identity ecdhe-ecdsa-with-aes-128-gcm-sha256 {
base cipher-suite-base;
if-feature "tls-ecc and tls-gcm and tls-sha2"; if-feature "tls-ecc and tls-gcm and tls-sha2";
base cipher-suite-base;
description description
"Cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256."; "Cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.";
reference reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with "RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)"; SHA-256/384 and AES Galois Counter Mode (GCM)";
} }
identity ecdhe-ecdsa-with-aes-256-gcm-sha384 { identity ecdhe-ecdsa-with-aes-256-gcm-sha384 {
base cipher-suite-base;
if-feature "tls-ecc and tls-gcm and tls-sha2"; if-feature "tls-ecc and tls-gcm and tls-sha2";
base cipher-suite-base;
description description
"Cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384."; "Cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.";
reference reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with "RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)"; SHA-256/384 and AES Galois Counter Mode (GCM)";
} }
identity ecdhe-rsa-with-aes-128-gcm-sha256 { identity ecdhe-rsa-with-aes-128-gcm-sha256 {
base cipher-suite-base;
if-feature "tls-ecc and tls-gcm and tls-sha2"; if-feature "tls-ecc and tls-gcm and tls-sha2";
base cipher-suite-base;
description description
"Cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256."; "Cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.";
reference reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with "RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)"; SHA-256/384 and AES Galois Counter Mode (GCM)";
} }
identity ecdhe-rsa-with-aes-256-gcm-sha384 { identity ecdhe-rsa-with-aes-256-gcm-sha384 {
base cipher-suite-base;
if-feature "tls-ecc and tls-gcm and tls-sha2"; if-feature "tls-ecc and tls-gcm and tls-sha2";
base cipher-suite-base;
description description
"Cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384."; "Cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.";
reference reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with "RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)"; SHA-256/384 and AES Galois Counter Mode (GCM)";
} }
identity rsa-with-3des-ede-cbc-sha { identity rsa-with-3des-ede-cbc-sha {
base cipher-suite-base;
if-feature "tls-3des"; if-feature "tls-3des";
base cipher-suite-base;
description description
"Cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA."; "Cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.";
reference reference
"RFC 5246: The Transport Layer Security (TLS) Protocol "RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2"; Version 1.2";
} }
identity ecdhe-rsa-with-3des-ede-cbc-sha { identity ecdhe-rsa-with-3des-ede-cbc-sha {
base cipher-suite-base;
if-feature "tls-ecc and tls-3des"; if-feature "tls-ecc and tls-3des";
base cipher-suite-base;
description description
"Cipher suite TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA."; "Cipher suite TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA.";
reference reference
"RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites "RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)"; for Transport Layer Security (TLS)";
} }
identity ecdhe-rsa-with-aes-128-cbc-sha { identity ecdhe-rsa-with-aes-128-cbc-sha {
base cipher-suite-base;
if-feature "tls-ecc"; if-feature "tls-ecc";
base cipher-suite-base;
description description
"Cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA."; "Cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA.";
reference reference
"RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites "RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)"; for Transport Layer Security (TLS)";
} }
identity ecdhe-rsa-with-aes-256-cbc-sha { identity ecdhe-rsa-with-aes-256-cbc-sha {
base cipher-suite-base;
if-feature "tls-ecc"; if-feature "tls-ecc";
base cipher-suite-base;
description description
"Cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA."; "Cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.";
reference reference
"RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites "RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)"; for Transport Layer Security (TLS)";
} }
// Groupings // Groupings
grouping hello-params-grouping { grouping hello-params-grouping {
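Review bot: the only change in this region is that `base cipher-suite-base;` now precedes `if-feature` in every cipher-suite identity (ecdhe-rsa-with-aes-256-cbc-sha384 through ecdhe-rsa-with-aes-256-cbc-sha), with descriptions and references untouched, so the edit is semantically a no-op for the data model (YANG substatement order carries no meaning). The A.17 note justifies it only as "detected by new pyang"; before propagating this order to the other modules, confirm against the identity-stmt ABNF in RFC 7950 section 14 that base-before-if-feature is the canonical order and not an artifact of that pyang release, and revert the reorder if it is not.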
skipping to change at page 39, line 44 skipping to change at page 39, line 44
namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common
prefix: tlscmn prefix: tlscmn
reference: RFC XXXX reference: RFC XXXX
8. References 8. References
8.1. Normative References 8.1. Normative References
[I-D.ietf-netconf-crypto-types] [I-D.ietf-netconf-crypto-types]
Watsen, K. and H. Wang, "Common YANG Data Types for Watsen, K. and H. Wang, "Common YANG Data Types for
Cryptography", draft-ietf-netconf-crypto-types-10 (work in Cryptography", draft-ietf-netconf-crypto-types-11 (work in
progress), July 2019. progress), October 2019.
[I-D.ietf-netconf-keystore] [I-D.ietf-netconf-keystore]
Watsen, K., "A YANG Data Model for a Keystore", draft- Watsen, K., "A YANG Data Model for a Keystore", draft-
ietf-netconf-keystore-12 (work in progress), July 2019. ietf-netconf-keystore-13 (work in progress), October 2019.
[I-D.ietf-netconf-trust-anchors] [I-D.ietf-netconf-trust-anchors]
Watsen, K., "A YANG Data Model for a Truststore", draft- Watsen, K., "A YANG Data Model for a Truststore", draft-
ietf-netconf-trust-anchors-05 (work in progress), June ietf-netconf-trust-anchors-06 (work in progress), October
2019. 2019.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois
Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, Counter Mode (GCM) Cipher Suites for TLS", RFC 5288,
DOI 10.17487/RFC5288, August 2008, DOI 10.17487/RFC5288, August 2008,
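Review bot: the three dependency references are bumped (ietf-netconf-crypto-types -10 to -11, ietf-netconf-keystore -12 to -13, ietf-netconf-trust-anchors -05 to -06, all dated October 2019) but none of the A.17 bullets records the bump; add a change-log entry such as "Updated references to the latest revisions of ietf-crypto-types, ietf-keystore and ietf-trust-anchors" so the dependency update is visible in the revision history alongside the module edits.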
skipping to change at page 46, line 19 skipping to change at page 46, line 19
o Updated examples to reflect ietf-crypto-types change (e.g., o Updated examples to reflect ietf-crypto-types change (e.g.,
identities --> enumerations) identities --> enumerations)
A.16. 14 to 15 A.16. 14 to 15
o Updated "server-authentication" and "client-authentication" nodes o Updated "server-authentication" and "client-authentication" nodes
from being a leaf of type "ts:certificates-ref" to a container from being a leaf of type "ts:certificates-ref" to a container
that uses "ts:local-or-truststore-certs-grouping". that uses "ts:local-or-truststore-certs-grouping".
A.17. 15 to 16
o Removed unnecessary if-feature statements in the -client and
-server modules.
o Cleaned up some description statements in the -client and -server
modules.
o Fixed a canonical ordering issue in ietf-tls-common detected by
new pyang.
Acknowledgements Acknowledgements
The authors would like to thank for following for lively discussions The authors would like to thank for following for lively discussions
on list and in the halls (ordered by last name): Andy Bierman, Martin on list and in the halls (ordered by last name): Andy Bierman, Martin
Bjorklund, Benoit Claise, Mehmet Ersue, Balazs Kovacs, David Bjorklund, Benoit Claise, Mehmet Ersue, Balazs Kovacs, David
Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci, Tom Petch, Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci, Tom Petch,
Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert Wijnen. Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert Wijnen.
Authors' Addresses Authors' Addresses
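Review bot: the third A.17 bullet, "Fixed a canonical ordering issue in ietf-tls-common detected by new pyang", understates the change, which reorders the base and if-feature substatements in every cipher-suite identity of the module; word it as "Reordered base/if-feature substatements in all ietf-tls-common identities to canonical order" so a reader of the revision history can tell the diff is mechanical and semantically neutral. In the surrounding unchanged context, the Acknowledgements read "thank for following" (should be "thank the following"), and the list is not actually ordered by last name as it claims (Luchuk, Lhotka, Krejci).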
 End of changes. 78 change blocks. 
70 lines changed or deleted 77 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/