Diff of draft-ietf-netconf-tls-client-server-16.txt and draft-ietf-netconf-tls-client-server-17.txt
(lines prefixed "-" appear only in -16, lines prefixed "+" only in -17; unprefixed lines are common to both)

NETCONF Working Group                                          K. Watsen
Internet-Draft                                           Watsen Networks
Intended status: Standards Track                                   G. Wu
-Expires: May 4, 2020                                      Cisco Systems
+Expires: May 23, 2020                                     Cisco Systems
                                                                  L. Xia
                                                                  Huawei
-                                                        November 1, 2019
+                                                       November 20, 2019

             YANG Groupings for TLS Clients and TLS Servers
-               draft-ietf-netconf-tls-client-server-16
+               draft-ietf-netconf-tls-client-server-17

Abstract

   This document defines three YANG modules: the first defines groupings
   for a generic TLS client, the second defines groupings for a generic
   TLS server, and the third defines common identities and groupings
   used by both the client and the server.  It is intended that these
   groupings will be used by applications using the TLS protocol.

Editorial Note (To be removed by RFC Editor)
skipping to change at page 2, line 5
   o  "XXXX" --> the assigned RFC value for this draft

   o  "YYYY" --> the assigned RFC value for I-D.ietf-netconf-trust-
      anchors

   o  "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-keystore

   Artwork in this document contains placeholder values for the date of
   publication of this draft.  Please apply the following replacement:

-  o  "2019-11-02" --> the publication date of this draft
+  o  "2019-11-20" --> the publication date of this draft

   The following Appendix section is to be removed prior to publication:

   o  Appendix A.  Change Log

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

-  This Internet-Draft will expire on May 4, 2020.
+  This Internet-Draft will expire on May 23, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
skipping to change at page 2, line 49
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  The TLS Client Model
     3.1.  Tree Diagram
     3.2.  Example Usage
     3.3.  YANG Module
   4.  The TLS Server Model
     4.1.  Tree Diagram
     4.2.  Example Usage
     4.3.  YANG Module
   5.  The TLS Common Model
     5.1.  Tree Diagram
     5.2.  Example Usage
     5.3.  YANG Module
   6.  Security Considerations
   7.  IANA Considerations
     7.1.  The IETF XML Registry
     7.2.  The YANG Module Names Registry
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Change Log
     A.1.  00 to 01
     A.2.  01 to 02
     A.3.  02 to 03
     A.4.  03 to 04
     A.5.  04 to 05
     A.6.  05 to 06
     A.7.  06 to 07
     A.8.  07 to 08
     A.9.  08 to 09
     A.10. 09 to 10
     A.11. 10 to 11
     A.12. 11 to 12
     A.13. 12 to 13
     A.14. 12 to 13
     A.15. 13 to 14
     A.16. 14 to 15
     A.17. 15 to 16
+    A.18. 16 to 17
   Acknowledgements
   Authors' Addresses

1.  Introduction

   This document defines three YANG 1.1 [RFC7950] modules: the first
   defines a grouping for a generic TLS client, the second defines a
   grouping for a generic TLS server, and the third defines identities
   and groupings common to both the client and the server (TLS is
   defined in [RFC5246]).  It is intended that these groupings will be
   used by applications using the TLS protocol.  For instance, these
   groupings could be used to help define the data model for an HTTPS
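Review bot: the table of contents lists both A.13 and A.14 as "12 to 13" (in both revisions), so the change-log headings from A.14 onward are off by one and need renumbering before the next revision.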
skipping to change at page 4, line 26 (-16) / page 5, line 5 (-17)
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  The TLS Client Model

3.1.  Tree Diagram

   This section provides a tree diagram [RFC8340] for the "ietf-tls-
   client" module that does not have groupings expanded.

+  ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========
+
   module: ietf-tls-client

     grouping tls-client-grouping
       +-- client-identity
-      |  +---u ks:local-or-keystore-end-entity-cert-with-key-grouping
+      |  +-- (auth-type)
+      |     +--:(certificate)
+      |     |  +-- certificate {x509-certificate-auth}?
+      |     |     +---u ks:local-or-keystore-end-entity-cert-with-key-\
+grouping
+      |     +--:(raw-public-key)
+      |     |  +-- raw-public-key {raw-public-key-auth}?
+      |     |     +---u ks:local-or-keystore-asymmetric-key-grouping
+      |     +--:(psk)
+      |        +-- psk {psk-auth}?
+      |           +---u ks:local-or-keystore-symmetric-key-grouping
       +-- server-authentication
-      |  +-- ca-certs!
+      |  +-- ca-certs! {x509-certificate-auth}?
       |  |  +---u ts:local-or-truststore-certs-grouping
-      |  +-- server-certs!
-      |     +---u ts:local-or-truststore-certs-grouping
+      |  +-- server-certs! {x509-certificate-auth}?
+      |  |  +---u ts:local-or-truststore-certs-grouping
+      |  +-- raw-public-keys! {raw-public-key-auth}?
+      |  |  +---u ts:local-or-truststore-raw-pub-keys-grouping
+      |  +-- psks! {psk-auth}?
       +-- hello-params {tls-client-hello-params-config}?
       |  +---u tlscmn:hello-params-grouping
       +-- keepalives! {tls-client-keepalives}?
          +-- max-wait?      uint16
          +-- max-attempts?  uint8

3.2.  Example Usage

   This section presents two examples showing the tls-client-grouping
   populated with some data.  These examples are effectively the same
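Review bot: the new client-identity tree names the asymmetric-key case "raw-public-key", while the corresponding case in the tls-server tree (Section 4.1) is named "raw-private-key"; both are gated by the same "raw-public-key-auth" feature, so one name should be used in both modules. Also, "psks!" is a presence container with no descendant nodes; if that is intentional (the key is taken from client-identity), the tree is fine, but it reads as an unfinished node and the container's description must carry that explanation.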
skipping to change at page 5, line 10 (-16) / page 6, line 7 (-17)
   while the second uses a key configured in a keystore.  Both examples
   are consistent with the examples presented in Section 2 of
   [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
   [I-D.ietf-netconf-keystore].

   The following example configures the client identity using a local
   key:

   ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========

-  <tls-client xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client">
+  <tls-client
+    xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client"
+    xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types">

     <!-- how this client will authenticate itself to the server -->
     <client-identity>
-      <local-definition>
-        <algorithm>rsa2048</algorithm>
-        <public-key>base64encodedvalue==</public-key>
-        <private-key>base64encodedvalue==</private-key>
-        <cert>base64encodedvalue==</cert>
-      </local-definition>
+      <certificate>
+        <local-definition>
+          <algorithm>rsa2048</algorithm>
+          <public-key-format>ct:subject-public-key-info-format</public\
+-key-format>
+          <public-key>base64encodedvalue==</public-key>
+          <private-key-format>ct:rsa-private-key-format</private-key-f\
+ormat>
+          <private-key>base64encodedvalue==</private-key>
+          <cert>base64encodedvalue==</cert>
+        </local-definition>
+      </certificate>
     </client-identity>

     <!-- which certificates will this client trust -->
     <server-authentication>
       <ca-certs>
         <truststore-reference>explicitly-trusted-server-ca-certs</trus\
   tstore-reference>
       </ca-certs>
       <server-certs>
         <truststore-reference>explicitly-trusted-server-certs</trustst\
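Review bot: both client examples still exercise only the "certificate" case of the new auth-type choice; since this revision adds the "raw-public-key" and "psk" cases (and the matching "raw-public-keys" and "psks" containers under server-authentication), at least one example populating a non-certificate case would show readers how those branches are expected to be filled in, including which key-format identities apply there.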
skipping to change at page 6, line 11 (-16) / page 7, line 11 (-17)
   The following example configures the client identity using a key from
   the keystore:

   ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========

   <tls-client xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client">

     <!-- how this client will authenticate itself to the server -->
     <client-identity>
-      <keystore-reference>
-        <asymmetric-key>rsa-asymmetric-key</asymmetric-key>
-        <certificate>ex-rsa-cert</certificate>
-      </keystore-reference>
+      <certificate>
+        <keystore-reference>
+          <asymmetric-key>rsa-asymmetric-key</asymmetric-key>
+          <certificate>ex-rsa-cert</certificate>
+        </keystore-reference>
+      </certificate>
     </client-identity>

     <!-- which certificates will this client trust -->
     <server-authentication>
       <ca-certs>
         <truststore-reference>explicitly-trusted-server-ca-certs</trus\
   tstore-reference>
       </ca-certs>
       <server-certs>
         <truststore-reference>explicitly-trusted-server-certs</trustst\
skipping to change at page 6, line 41 (-16) / page 7, line 43 (-17)
         <max-attempts>3</max-attempts>
       </keepalives>
     </tls-client>

3.3.  YANG Module

   This YANG module has normative references to
   [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore].

-  <CODE BEGINS> file "ietf-tls-client@2019-11-02.yang"
+  <CODE BEGINS> file "ietf-tls-client@2019-11-20.yang"

   module ietf-tls-client {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client";
     prefix tlsc;

     import ietf-tls-common {
       prefix tlscmn;
-      revision-date 2019-11-02; // stable grouping definitions
+      revision-date 2019-11-20; // stable grouping definitions
       reference
         "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
     }

+    import ietf-crypto-types {
+      prefix ct;
+      reference
+        "RFC AAAA: Common YANG Data Types for Cryptography";
+    }
+
     import ietf-truststore {
       prefix ts;
       reference
-        "RFC YYYY: A YANG Data Model for a Truststore";
+        "RFC BBBB: A YANG Data Model for a Truststore";
     }

     import ietf-keystore {
       prefix ks;
       reference
-        "RFC ZZZZ: A YANG Data Model for a Keystore";
+        "RFC CCCC: A YANG Data Model for a Keystore";
     }

     import ietf-netconf-acm {
       prefix nacm;
       reference
         "RFC 8341: Network Configuration Access Control Model";
     }

     organization
       "IETF NETCONF (Network Configuration) Working Group";
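Review bot: the import references change to "RFC BBBB" and "RFC CCCC" (and the new ietf-crypto-types import uses "RFC AAAA"), but the Editorial Note at the top of the draft still maps only XXXX, YYYY and ZZZZ, and the reference statements inside the grouping still say "RFC YYYY" and "RFC ZZZZ"; pick one placeholder set and update the Editorial Note so the RFC Editor replaces all of them. The new ietf-crypto-types import also carries no revision-date, unlike ietf-tls-common; since the grouping's must expression depends on the ct:subject-public-key-info-format identity, pinning the revision avoids a silent break if that identity is renamed.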
skipping to change at page 7, line 50 (-16) / page 9, line 9 (-17)
      Redistribution and use in source and binary forms, with
      or without modification, is permitted pursuant to, and
      subject to the license terms contained in, the Simplified
      BSD License set forth in Section 4.c of the IETF Trust's
      Legal Provisions Relating to IETF Documents
      (https://trustee.ietf.org/license-info).

      This version of this YANG module is part of RFC XXXX
      (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
-     itself for full legal notices.;
+     itself for full legal notices.

      The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
      'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
      'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
      are to be interpreted as described in BCP 14 (RFC 2119)
      (RFC 8174) when, and only when, they appear in all
      capitals, as shown here.";

-    revision 2019-11-02 {
+    revision 2019-11-20 {
       description
         "Initial version";
       reference
         "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
     }

     // Features

     feature tls-client-hello-params-config {
       description
         "TLS hello message parameters are configurable on a TLS
          client.";
     }

     feature tls-client-keepalives {
       description
         "Per socket TLS keepalive parameters are configurable for
          TLS clients on the server implementing this feature.";
     }

+    feature x509-certificate-auth {
+      description
+        "Indicates that the client supports authenticating servers
+         using X.509 certificates.";
+    }
+
+    feature raw-public-key-auth {
+      description
+        "Indicates that the client supports authenticating servers
+         using ray public keys.";
+    }
+
+    feature psk-auth {
+      description
+        "Indicates that the client supports authenticating servers
+         using PSKs (pre-shared or pairwise-symmetric keys).";
+    }
+
     // Groupings

     grouping tls-client-grouping {
       description
         "A reusable grouping for configuring a TLS client without
          any consideration for how an underlying TCP session is
          established.

          Note that this grouping uses fairly typical descendent
          node names such that a stack of 'uses' statements will
          have name conflicts.  It is intended that the consuming
          data model will resolve the issue (e.g., by wrapping
          the 'uses' statement in a container called
          'tls-client-parameters').  This model purposely does
          not do this itself so as to provide maximum flexibility
          to consuming models.";

-      container client-identity { // FIXME: what about PSKs?
+      container client-identity {
         nacm:default-deny-write;
         description
           "A locally-defined or referenced end-entity certificate,
            including any configured intermediate certificates, the
            TLS client will present when establishing a TLS connection
            in its Certificate message, as defined in Section 7.4.2
            in RFC 5246.";
         reference
           "RFC 5246:
              The Transport Layer Security (TLS) Protocol Version 1.2
            RFC ZZZZ:
              YANG Data Model for a 'Keystore' Mechanism";
-        uses ks:local-or-keystore-end-entity-cert-with-key-grouping;
+        choice auth-type {
+          mandatory true;
+          description
+            "A choice amongst available authentication types.";
+          container certificate {
+            if-feature x509-certificate-auth;
+            description
+              "Specifies the client identity using a certificate.";
+            uses ks:local-or-keystore-end-entity-cert-with-key-grouping
+            {
+              refine "local-or-keystore/local/local-definition" {
+                must 'public-key-format =
+                      "ct:subject-public-key-info-format"';
+              }
+              // FIXME: also need a must expression to ensure the
+              //        *referenced* key's public-key-format is
+              //        "ct:subject-public-key-info-format"
+            }
+          }
+          container raw-public-key {
+            if-feature raw-public-key-auth;
+            description
+              "Specifies the client identity using a raw private key.";
+            uses ks:local-or-keystore-asymmetric-key-grouping;
+            // FIXME: add a must expression contraining key-formats?
+          }
+          container psk {
+            if-feature psk-auth;
+            description
+              "Specifies the client identity using a PSK.";
+            uses ks:local-or-keystore-symmetric-key-grouping;
+            // FIXME: add a must expression contraining key-formats?
+          }
+        }
       } // container client-identity

-      container server-authentication { // FIXME: what about PSKs?
+      container server-authentication {
         nacm:default-deny-write;
         must 'ca-certs or server-certs';
         description
-          "Trusted server identities.  Any combination of trusted
-           server identities is additive and unordered.";
+          "Specifies how the TLS client can authenticate TLS servers.
+           Any combination of credentials is additive and unordered.
+
+           Note that no configuration is required for PSK (pre-shared
+           or pairwise-symmetric key) based authentication as the key
+           is necessarily the same as configured in the '../client-
+           identity' node.";
         container ca-certs {
+          if-feature "x509-certificate-auth";
           presence
-            "Indicates that the client can authenticate servers
-             using the configured trust anchor certificates.";
+            "Indicates that the TLS client can authenticate TLS servers
+             using configured certificate authority certificates.";
           description
             "A set of certificate authority (CA) certificates used by
-             the TLS client to authenticate TLS servers.  A server
-             is authenticated if its certificate has a valid chain
-             of trust to a configured CA certificate.";
+             the TLS client to authenticate TLS server certificates.
+             A server certificate is authenticated if it has a valid
+             chain of trust to a configured CA certificate.";
+          reference
+            "RFC YYYY: YANG Data Model for a Truststore";
           uses ts:local-or-truststore-certs-grouping;
         }
-        container server-certs {
+        container server-certs { // FIXME: plural too much?
+          if-feature "x509-certificate-auth";
           presence
-            "Indicates that the client can authenticate servers
-             using the configured server certificates.";
+            "Indicates that the TLS client can authenticate TLS servers
+             using configured server certificates.";
           description
-            "A set of end-entity certificates used by the TLS client
-             to authenticate TLS servers.  A server is authenticated
-             if its certificate is an exact match to a configured
-             server certificate.";
+            "A set of server certificates (i.e., end entity
+             certificates) used by the TLS client to authenticate
+             certificates presented by TLS servers.  A server
+             certificate is authenticated if it is an exact
+             match to a configured server certificate.";
+          reference
+            "RFC YYYY: YANG Data Model for a Truststore";
           uses ts:local-or-truststore-certs-grouping;
         }
+        container raw-public-keys {
+          if-feature "raw-public-key-auth";
+          presence
+            "Indicates that the TLS client can authenticate TLS servers
+             using configured server certificates.";
+          description
+            "A set of raw public keys used by the TLS client to
+             authenticate raw public keys presented by the TLS server.
+             A raw public key is authenticated if it is an exact match
+             to a configured raw public key.";
+          reference
+            "RFC YYYY: YANG Data Model for a Truststore";
+          uses ts:local-or-truststore-raw-pub-keys-grouping;
+        }
+        container psks {
+          if-feature "psk-auth";
+          presence
+            "Indicates that the TLS client can authenticate TLS servers
+             using a configure PSK (pre-shared or pairwise-symmetric
+             key).";
+          description
+            "No configuration is required since the PSK value would be
+             the same as PSK value configured in the 'client-identity'
+             node.";
+        }
       } // container server-authentication

       container hello-params {
         nacm:default-deny-write;
         if-feature "tls-client-hello-params-config";
         uses tlscmn:hello-params-grouping;
         description
           "Configurable parameters for the TLS hello message.";
       } // container hello-params

       container keepalives {
         nacm:default-deny-write;
         if-feature "tls-client-keepalives";
         presence "Indicates that keepalives are enabled.";
         description
           "Configures the keep-alive policy, to proactively test
            the aliveness of the TLS server.  An unresponsive
            TLS server is dropped after approximately max-wait
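Review bot: the "must 'ca-certs or server-certs'" expression on server-authentication was not updated when the raw-public-keys and psks containers were added, so a client that implements only raw-public-key-auth or psk-auth (where ca-certs and server-certs are removed by if-feature) can never hold a valid server-authentication container; it should become "must 'ca-certs or server-certs or raw-public-keys or psks'" (or be dropped in favour of a mandatory choice). Smaller points in the same hunk: the raw-public-keys presence text says "using configured server certificates" (copied from server-certs) where it should say raw public keys; the raw-public-key container's description says "raw private key"; and "ray public keys" (feature raw-public-key-auth), "contraining" (twice) and "a configure PSK" are typos. The container psks also has if-feature and presence but no description of what a client should do if it is present while client-identity uses a non-PSK auth-type; a must expression tying psks to "../client-identity/psk" would close that gap.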
skipping to change at page 11, line 5 (-16) / page 14, line 5 (-17)
   <CODE ENDS>

4.  The TLS Server Model

4.1.  Tree Diagram

   This section provides a tree diagram [RFC8340] for the "ietf-tls-
   server" module that does not have groupings expanded.

+  ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========
+
   module: ietf-tls-server

     grouping tls-server-grouping
       +-- server-identity
-      |  +---u ks:local-or-keystore-end-entity-cert-with-key-grouping
-      +-- client-authentication!
-      |  +-- (required-or-optional)
-      |  |  +--:(required)
-      |  |  |  +-- required?                       empty
-      |  |  +--:(optional)
-      |  |     +-- optional?                       empty
-      |  +-- (local-or-external)
-      |     +--:(local) {local-client-auth-supported}?
-      |     |  +-- ca-certs!
-      |     |  |  +---u ts:local-or-truststore-certs-grouping
-      |     |  +-- client-certs!
-      |     |     +---u ts:local-or-truststore-certs-grouping
-      |     +--:(external) {external-client-auth-supported}?
-      |        +-- client-auth-defined-elsewhere?   empty
+      |  +-- (auth-type)
+      |     +--:(certificate)
+      |     |  +-- certificate {x509-certificate-auth}?
+      |     |     +---u ks:local-or-keystore-end-entity-cert-with-key-\
+grouping
+      |     +--:(raw-private-key)
+      |     |  +-- raw-private-key {raw-public-key-auth}?
+      |     |     +---u ks:local-or-keystore-asymmetric-key-grouping
+      |     +--:(psk)
+      |        +-- psk {psk-auth}?
+      |           +---u ks:local-or-keystore-symmetric-key-grouping
+      +-- client-authentication! {client-auth-config-supported}?
+      |  +-- ca-certs! {x509-certificate-auth}?
+      |  |  +---u ts:local-or-truststore-certs-grouping
+      |  +-- client-certs! {x509-certificate-auth}?
+      |  |  +---u ts:local-or-truststore-certs-grouping
+      |  +-- raw-public-keys! {raw-public-key-auth}?
+      |     +---u ts:local-or-truststore-raw-pub-keys-grouping
       +-- hello-params {tls-server-hello-params-config}?
       |  +---u tlscmn:hello-params-grouping
       +-- keepalives! {tls-server-keepalives}?
          +-- max-wait?      uint16
          +-- max-attempts?  uint8

4.2.  Example Usage

   This section presents two examples showing the tls-server-grouping
   populated with some data.  These examples are effectively the same
skipping to change at page 12, line 7 skipping to change at page 15, line 7
while the second uses a key configured in a keystore. Both examples while the second uses a key configured in a keystore. Both examples
are consistent with the examples presented in Section 2 of are consistent with the examples presented in Section 2 of
[I-D.ietf-netconf-trust-anchors] and Section 3.2 of [I-D.ietf-netconf-trust-anchors] and Section 3.2 of
[I-D.ietf-netconf-keystore]. [I-D.ietf-netconf-keystore].
The following example configures the server identity using a local The following example configures the server identity using a local
key: key:
========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) =========== ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========
<tls-server xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server"> <tls-server
xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server"
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types">
<!-- how this server will authenticate itself to the client --> <!-- how this server will authenticate itself to the client -->
<server-identity> <server-identity>
<local-definition> <certificate>
<algorithm>rsa2048</algorithm> <local-definition>
<private-key>base64encodedvalue==</private-key> <algorithm>rsa2048</algorithm>
<public-key>base64encodedvalue==</public-key> <public-key-format>ct:subject-public-key-info-format</public\
<cert>base64encodedvalue==</cert> -key-format>
</local-definition> <public-key>base64encodedvalue==</public-key>
<private-key-format>ct:rsa-private-key-format</private-key-f\
ormat>
<private-key>base64encodedvalue==</private-key>
<cert>base64encodedvalue==</cert>
</local-definition>
</certificate>
</server-identity> </server-identity>
<!-- which certificates will this server trust --> <!-- which certificates will this server trust -->
<client-authentication> <client-authentication>
<required/>
<ca-certs> <ca-certs>
<truststore-reference>explicitly-trusted-client-ca-certs</trus\ <truststore-reference>explicitly-trusted-client-ca-certs</trus\
tstore-reference> tstore-reference>
</ca-certs> </ca-certs>
<client-certs> <client-certs>
<truststore-reference>explicitly-trusted-client-certs</trustst\ <truststore-reference>explicitly-trusted-client-certs</trustst\
ore-reference> ore-reference>
</client-certs> </client-certs>
</client-authentication> </client-authentication>
skipping to change at page 13, line 11 skipping to change at page 16, line 11
The following example configures the server identity using a key from The following example configures the server identity using a key from
the keystore: the keystore:
========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) =========== ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========
<tls-server xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server"> <tls-server xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server">
<!-- how this server will authenticate itself to the client --> <!-- how this server will authenticate itself to the client -->
<server-identity> <server-identity>
<keystore-reference> <certificate>
<asymmetric-key>rsa-asymmetric-key</asymmetric-key> <keystore-reference>
<certificate>ex-rsa-cert</certificate> <asymmetric-key>rsa-asymmetric-key</asymmetric-key>
</keystore-reference> <certificate>ex-rsa-cert</certificate>
</keystore-reference>
</certificate>
</server-identity> </server-identity>
<!-- which certificates will this server trust --> <!-- which certificates will this server trust -->
<client-authentication> <client-authentication>
<required/>
<ca-certs> <ca-certs>
<truststore-reference>explicitly-trusted-client-ca-certs</trus\ <truststore-reference>explicitly-trusted-client-ca-certs</trus\
tstore-reference> tstore-reference>
</ca-certs> </ca-certs>
<client-certs> <client-certs>
<truststore-reference>explicitly-trusted-client-certs</trustst\ <truststore-reference>explicitly-trusted-client-certs</trustst\
ore-reference> ore-reference>
</client-certs> </client-certs>
</client-authentication> </client-authentication>
</tls-server> </tls-server>
4.3. YANG Module 4.3. YANG Module
This YANG module has a normative references to [RFC5246], This YANG module has a normative references to [RFC5246],
[I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore]. [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore].
<CODE BEGINS> file "ietf-tls-server@2019-11-02.yang" <CODE BEGINS> file "ietf-tls-server@2019-11-20.yang"
module ietf-tls-server { module ietf-tls-server {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server";
prefix tlss; prefix tlss;
import ietf-tls-common { import ietf-tls-common {
prefix tlscmn; prefix tlscmn;
revision-date 2019-11-02; // stable grouping definitions revision-date 2019-11-20; // stable grouping definitions
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
import ietf-crypto-types {
prefix ct;
reference
"RFC AAAA: Common YANG Data Types for Cryptography";
}
import ietf-truststore { import ietf-truststore {
prefix ts; prefix ts;
reference reference
"RFC YYYY: A YANG Data Model for a Truststore"; "RFC BBBB: A YANG Data Model for a Truststore";
} }
import ietf-keystore { import ietf-keystore {
prefix ks; prefix ks;
reference reference
"RFC ZZZZ: A YANG Data Model for a Keystore"; "RFC CCCC: A YANG Data Model for a Keystore";
} }
import ietf-netconf-acm { import ietf-netconf-acm {
prefix nacm; prefix nacm;
reference reference
"RFC 8341: Network Configuration Access Control Model"; "RFC 8341: Network Configuration Access Control Model";
} }
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
skipping to change at page 14, line 45 skipping to change at page 18, line 4
Redistribution and use in source and binary forms, with Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices.; itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2019-11-02 { revision 2019-11-20 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
// Features // Features
feature tls-server-hello-params-config { feature tls-server-hello-params-config {
description description
"TLS hello message parameters are configurable on a TLS "TLS hello message parameters are configurable on a TLS
server."; server.";
} }
feature tls-server-keepalives { feature tls-server-keepalives {
description description
"Per socket TLS keepalive parameters are configurable for "Per socket TLS keepalive parameters are configurable for
TLS servers on the server implementing this feature."; TLS servers on the server implementing this feature.";
} }
feature local-client-auth-supported { feature client-auth-config-supported {
description description
"Indicates that the TLS server supports local "Indicates that the configuration for how to authenticate
configuration of client credentials."; clients can be configured herein, as opposed to in an
application specific location. That is, to support the
consuming data models that prefer to place client
authentication with client definitions, rather then
in a data model principally concerned with configuring
the transport.";
} }
feature external-client-auth-supported { feature external-client-auth-supported {
description description
"Indicates that the TLS server supports external "Indicates that the TLS server supports external
configuration of client credentials."; configuration of client credentials.";
} }
feature x509-certificate-auth {
description
"Indicates that the server supports authenticating clients
using X.509 certificates.";
}
feature raw-public-key-auth {
description
"Indicates that the server supports authenticating clients
using ray public keys.";
}
feature psk-auth {
description
"Indicates that the server supports authenticating clients
using PSKs (pre-shared or pairwise-symmetric keys).";
}
// Groupings // Groupings
grouping tls-server-grouping { grouping tls-server-grouping {
description description
"A reusable grouping for configuring a TLS server without "A reusable grouping for configuring a TLS server without
any consideration for how underlying TCP sessions are any consideration for how underlying TCP sessions are
established. established.
Note that this grouping uses fairly typical descendent Note that this grouping uses fairly typical descendent
node names such that a stack of 'uses' statements will node names such that a stack of 'uses' statements will
have name conflicts. It is intended that the consuming have name conflicts. It is intended that the consuming
data model will resolve the issue (e.g., by wrapping data model will resolve the issue (e.g., by wrapping
the 'uses' statement in a container called the 'uses' statement in a container called
'tls-server-parameters'). This model purposely does 'tls-server-parameters'). This model purposely does
not do this itself so as to provide maximum flexibility not do this itself so as to provide maximum flexibility
to consuming models."; to consuming models.";
container server-identity { // FIXME: what about PSKs? container server-identity {
nacm:default-deny-write; nacm:default-deny-write;
description description
"A locally-defined or referenced end-entity certificate, "A locally-defined or referenced end-entity certificate,
including any configured intermediate certificates, the including any configured intermediate certificates, the
TLS server will present when establishing a TLS connection TLS server will present when establishing a TLS connection
in its Certificate message, as defined in Section 7.4.2 in its Certificate message, as defined in Section 7.4.2
in RFC 5246."; in RFC 5246.";
reference reference
"RFC 5246: "RFC 5246:
The Transport Layer Security (TLS) Protocol Version 1.2 The Transport Layer Security (TLS) Protocol Version 1.2
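Review bot: the new 'raw-public-key-auth' feature description reads "using ray public keys"; it should be "raw public keys", and "rather then" in the 'client-auth-config-supported' description should be "rather than". More substantively, the 'server-identity' description still says the container holds "A locally-defined or referenced end-entity certificate ... the TLS server will present ... in its Certificate message", but with this change the container also admits a raw private key or a PSK as the server identity, so the description and the RFC 5246 reference should be broadened to cover all three cases rather than only the certificate one.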
skipping to change at page 16, line 22 skipping to change at page 20, line 4
nacm:default-deny-write; nacm:default-deny-write;
description description
"A locally-defined or referenced end-entity certificate, "A locally-defined or referenced end-entity certificate,
including any configured intermediate certificates, the including any configured intermediate certificates, the
TLS server will present when establishing a TLS connection TLS server will present when establishing a TLS connection
in its Certificate message, as defined in Section 7.4.2 in its Certificate message, as defined in Section 7.4.2
in RFC 5246."; in RFC 5246.";
reference reference
"RFC 5246: "RFC 5246:
The Transport Layer Security (TLS) Protocol Version 1.2 The Transport Layer Security (TLS) Protocol Version 1.2
RFC ZZZZ: RFC ZZZZ:
YANG Data Model for a 'Keystore' Mechanism"; YANG Data Model for a 'Keystore' Mechanism";
uses ks:local-or-keystore-end-entity-cert-with-key-grouping; choice auth-type {
mandatory true;
description
"A choice amongst authentication types.";
container certificate {
if-feature x509-certificate-auth;
description
"Specifies the server identity using a certificate.";
uses ks:local-or-keystore-end-entity-cert-with-key-grouping
{
refine "local-or-keystore/local/local-definition" {
must 'public-key-format =
"ct:subject-public-key-info-format"';
}
// FIXME: also need a must expression to ensure the
// *referenced* key's public-key-format is
// "ct:subject-public-key-info-format"
}
}
container raw-private-key {
if-feature raw-public-key-auth;
description
"Specifies the server identity using a raw private key.";
uses ks:local-or-keystore-asymmetric-key-grouping;
// FIXME: add a must expression contraining key-formats?
}
container psk {
if-feature psk-auth;
description
"Specifies the server identity using a PSK.";
uses ks:local-or-keystore-symmetric-key-grouping;
// FIXME: add a must expression contraining key-formats?
}
}
} // container server-identity } // container server-identity
container client-authentication { // FIXME: what about PSKs? container client-authentication {
if-feature "client-auth-config-supported";
nacm:default-deny-write; nacm:default-deny-write;
presence presence
"Indicates that certificate based client authentication "Indicates that client authentication is supported (i.e.,
is supported (i.e., the server will request that the that the server will request clients send certificates).";
client send a certificate).";
description description
"Specifies if TLS client authentication is required or "Specifies how the TLS server can authenticate TLS clients.
optional, and specifies if the certificates needed to Any combination of credentials is additive and unordered.
authenticate the TLS client are configured locally or
externally. If configured locally, the data model Note that no configuration is required for PSK (pre-shared
enables both trust anchors and end-entity certificate or pairwise-symmetric key) based authentication as the key
to be set."; is necessarily the same as configured in the '../server-
choice required-or-optional { identity' node.";
mandatory true; // or default to 'required' ? container ca-certs {
if-feature "x509-certificate-auth";
presence
"Indicates that the TLS server can authenticate TLS clients
using configured certificate authority certificates.";
description description
"Indicates if TLS-level client authentication is required "A set of certificate authority (CA) certificates used by
or optional. This is necessary for some protocols (e.g., the TLS server to authenticate TLS client certificates. A
RESTCONF) the may optionally authenticate a client via client certificate is authenticated if it has a valid
TLS-level authentication, HTTP-level authentication, or chain of trust to a configured CA certificate.";
both simultaneously)."; reference
leaf required { "RFC YYYY: YANG Data Model for a Truststore";
type empty; uses ts:local-or-truststore-certs-grouping;
description
"Indicates that TLS-level client authentication is
required.";
}
leaf optional {
type empty;
description
"Indicates that TLS-level client authentication is
optional.";
}
} }
choice local-or-external { container client-certs { // FIXME: plural too much?
mandatory true; if-feature "x509-certificate-auth";
presence
"Indicates that the TLS server can authenticate TLS clients
using configured client certificates.";
description description
"Indicates if the credentials needed to authenticate the "A set of client certificates (i.e., end entity
clients are configured locally or externally. certificates) used by the TLS server to authenticate
certificates presented by TLS clients. A client
Configuring credentials externally enables applications certificate is authenticated if it is an exact match
to place client authentication with client definitions, to a configured client certificate.";
rather then in a part of a data model principally reference
concerned with configuring the TLS transport."; "RFC YYYY: YANG Data Model for a Truststore";
case local { uses ts:local-or-truststore-certs-grouping;
if-feature "local-client-auth-supported"; }
description container raw-public-keys {
"The certificates needed to authenticate the clients if-feature "raw-public-key-auth";
are configured within this TLS configuration. presence
"Indicates that the TLS server can authenticate TLS clients
How to extract an application-level user name from the using configured client certificates.";
certificate is outside the scope of this data model."; description
container ca-certs { "A set of raw public keys used by the TLS server to
presence authenticate raw public keys presented by the TLS client.
"Indicates that the server can authenticate clients A raw public key is authenticated if it is an exact match
using the configured trust anchor certificates."; to a configured raw public key.";
description reference
"A set of certificate authority (CA) certificates used "RFC YYYY: YANG Data Model for a Truststore";
by the TLS server to authenticate TLS clients. A uses ts:local-or-truststore-raw-pub-keys-grouping;
client is authenticated if its certificate has a }
valid chain of trust to a configured CA certificate.";
reference
"RFC YYYY: YANG Data Model for Global Trust Anchors";
uses ts:local-or-truststore-certs-grouping;
}
container client-certs {
presence
"Indicates that the server can authenticate clients
using the configured client certificates.";
description
"A set of end-entity certificates used by the TLS
server to authenticate TLS clients. A client is
authenticated if its certificate is an exact match
to a configured client certificate.";
reference
"RFC YYYY: YANG Data Model for Global Trust Anchors";
uses ts:local-or-truststore-certs-grouping;
}
}
case external {
if-feature "external-client-auth-supported";
description
"The certificates needed to authenticate the clients
are configured externally.";
leaf client-auth-defined-elsewhere {
type empty;
description
"Indicates that certificates needed to authenticate
clients are configured elsewhere.";
}
}
} // choice local-or-external
} // container client-authentication } // container client-authentication
container hello-params { container hello-params {
nacm:default-deny-write; nacm:default-deny-write;
if-feature "tls-server-hello-params-config"; if-feature "tls-server-hello-params-config";
uses tlscmn:hello-params-grouping; uses tlscmn:hello-params-grouping;
description description
"Configurable parameters for the TLS hello message."; "Configurable parameters for the TLS hello message.";
} // container hello-params } // container hello-params
container keepalives { container keepalives {
nacm:default-deny-write; nacm:default-deny-write;
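Review bot: the 'raw-public-keys' presence statement says the server can authenticate clients "using configured client certificates", which was carried over from 'client-certs'; it should say "using configured raw public keys", and the 'client-authentication' presence statement likewise mentions only certificates although the container now also holds raw public keys. With 'required-or-optional' removed, nothing states what the server does when a client presents no credential, and nothing requires at least one of 'ca-certs', 'client-certs' or 'raw-public-keys' to be present once 'client-authentication' is; consider a 'must' expression requiring at least one child, or a description sentence defining the meaning of an empty presence container. Minor: "contraining" in the two FIXME comments should be "constraining", and the remaining FIXMEs, including the missing 'must' for referenced keys' public-key-format, need to be resolved or tracked before publication.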
skipping to change at page 28, line 45 skipping to change at page 31, line 45
</hello-params> </hello-params>
5.3. YANG Module 5.3. YANG Module
This YANG module has a normative references to [RFC4346], [RFC5246], This YANG module has a normative references to [RFC4346], [RFC5246],
[RFC5288], [RFC5289], and [RFC8422]. [RFC5288], [RFC5289], and [RFC8422].
This YANG module has a informative references to [RFC2246], This YANG module has a informative references to [RFC2246],
[RFC4346], [RFC5246], and [RFC8446]. [RFC4346], [RFC5246], and [RFC8446].
<CODE BEGINS> file "ietf-tls-common@2019-11-02.yang" <CODE BEGINS> file "ietf-tls-common@2019-11-20.yang"
module ietf-tls-common { module ietf-tls-common {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common";
prefix tlscmn; prefix tlscmn;
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
contact contact
skipping to change at page 29, line 28 skipping to change at page 32, line 28
Redistribution and use in source and binary forms, with Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices.; itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2019-11-02 { revision 2019-11-20 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
// Features // Features
feature tls-1_0 { feature tls-1_0 {
description description
skipping to change at page 39, line 44 skipping to change at page 42, line 44
namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common
prefix: tlscmn prefix: tlscmn
reference: RFC XXXX reference: RFC XXXX
8. References 8. References
8.1. Normative References 8.1. Normative References
[I-D.ietf-netconf-crypto-types] [I-D.ietf-netconf-crypto-types]
Watsen, K. and H. Wang, "Common YANG Data Types for Watsen, K. and H. Wang, "Common YANG Data Types for
Cryptography", draft-ietf-netconf-crypto-types-11 (work in Cryptography", draft-ietf-netconf-crypto-types-12 (work in
progress), October 2019. progress), November 2019.
[I-D.ietf-netconf-keystore] [I-D.ietf-netconf-keystore]
Watsen, K., "A YANG Data Model for a Keystore", draft- Watsen, K., "A YANG Data Model for a Keystore", draft-
ietf-netconf-keystore-13 (work in progress), October 2019. ietf-netconf-keystore-14 (work in progress), November
2019.
[I-D.ietf-netconf-trust-anchors] [I-D.ietf-netconf-trust-anchors]
Watsen, K., "A YANG Data Model for a Truststore", draft- Watsen, K. and H. Birkholz, "A YANG Data Model for a
ietf-netconf-trust-anchors-06 (work in progress), October Truststore", draft-ietf-netconf-trust-anchors-07 (work in
2019. progress), November 2019.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois
Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, Counter Mode (GCM) Cipher Suites for TLS", RFC 5288,
DOI 10.17487/RFC5288, August 2008, DOI 10.17487/RFC5288, August 2008,
<https://www.rfc-editor.org/info/rfc5288>. <https://www.rfc-editor.org/info/rfc5288>.
skipping to change at page 46, line 30 skipping to change at page 49, line 30
o Removed unnecessary if-feature statements in the -client and o Removed unnecessary if-feature statements in the -client and
-server modules. -server modules.
o Cleaned up some description statements in the -client and -server o Cleaned up some description statements in the -client and -server
modules. modules.
o Fixed a canonical ordering issue in ietf-tls-common detected by o Fixed a canonical ordering issue in ietf-tls-common detected by
new pyang. new pyang.
A.18. 16 to 17
o Removed choice local-or-external by removing the 'external' case
and flattening the 'local' case and adding a "client-auth-config-
supported" feature.
o Removed choice required-or-optional.
o Updated examples to include the "*-key-format" nodes.
o Augmented-in "must" expressions ensuring that locally-defined
public-key-format are "ct:ssh-public-key-format" (must expr for
ref'ed keys are TBD).
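Review bot: the fourth A.18 bullet says the augmented-in 'must' expressions require 'public-key-format' to be "ct:ssh-public-key-format", but the expression actually added to the 'certificate' container in ietf-tls-server checks for "ct:subject-public-key-info-format"; the change log should name the identity the module really uses. Also, the first bullet says the 'external' case was removed, yet the 'external-client-auth-supported' feature is still defined in the module with no remaining 'if-feature' user; either drop the feature or note in the change log why it is kept.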
Acknowledgements Acknowledgements
The authors would like to thank for following for lively discussions The authors would like to thank for following for lively discussions
on list and in the halls (ordered by last name): Andy Bierman, Martin on list and in the halls (ordered by last name): Andy Bierman, Martin
Bjorklund, Benoit Claise, Mehmet Ersue, Balazs Kovacs, David Bjorklund, Benoit Claise, Mehmet Ersue, Balazs Kovacs, David
Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci, Tom Petch, Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci, Tom Petch,
Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert Wijnen. Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert Wijnen.
Authors' Addresses Authors' Addresses