draft-ietf-netconf-tls-client-server-17.txt   draft-ietf-netconf-tls-client-server-18.txt 
NETCONF Working Group K. Watsen NETCONF Working Group K. Watsen
Internet-Draft Watsen Networks Internet-Draft Watsen Networks
Intended status: Standards Track G. Wu Intended status: Standards Track G. Wu
Expires: May 23, 2020 Cisco Systems Expires: September 9, 2020 Cisco Systems
L. Xia L. Xia
Huawei Huawei
November 20, 2019 March 8, 2020
YANG Groupings for TLS Clients and TLS Servers YANG Groupings for TLS Clients and TLS Servers
draft-ietf-netconf-tls-client-server-17 draft-ietf-netconf-tls-client-server-18
Abstract Abstract
This document defines three YANG modules: the first defines groupings This document defines three YANG modules: the first defines groupings
for a generic TLS client, the second defines groupings for a generic for a generic TLS client, the second defines groupings for a generic
TLS server, and the third defines common identities and groupings TLS server, and the third defines common identities and groupings
used by both the client and the server. It is intended that these used by both the client and the server. It is intended that these
groupings will be used by applications using the TLS protocol. groupings will be used by applications using the TLS protocol.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
skipping to change at page 2, line 5 skipping to change at page 2, line 5
o "XXXX" --> the assigned RFC value for this draft o "XXXX" --> the assigned RFC value for this draft
o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-trust- o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-trust-
anchors anchors
o "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-keystore o "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-keystore
Artwork in this document contains placeholder values for the date of Artwork in this document contains placeholder values for the date of
publication of this draft. Please apply the following replacement: publication of this draft. Please apply the following replacement:
o "2019-11-20" --> the publication date of this draft o "2020-03-08" --> the publication date of this draft
The following Appendix section is to be removed prior to publication: The following Appendix section is to be removed prior to publication:
o Appendix A. Change Log o Appendix A. Change Log
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 23, 2020. This Internet-Draft will expire on September 9, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. The TLS Client Model . . . . . . . . . . . . . . . . . . . . 4 3. The TLS Client Model . . . . . . . . . . . . . . . . . . . . 4
3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 4
3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 5 3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 5
3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 7 3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 9
4. The TLS Server Model . . . . . . . . . . . . . . . . . . . . 13 4. The TLS Server Model . . . . . . . . . . . . . . . . . . . . 16
4.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 13 4.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 16
4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 14 4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 17
4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 16 4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 19
5. The TLS Common Model . . . . . . . . . . . . . . . . . . . . 23 5. The TLS Common Model . . . . . . . . . . . . . . . . . . . . 27
5.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 31 5.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 36
5.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 31 5.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 36
5.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 31 5.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 36
6. Security Considerations . . . . . . . . . . . . . . . . . . . 40 6. Security Considerations . . . . . . . . . . . . . . . . . . . 45
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 41 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 46
7.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 41 7.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 46
7.2. The YANG Module Names Registry . . . . . . . . . . . . . 42 7.2. The YANG Module Names Registry . . . . . . . . . . . . . 47
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 42 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 47
8.1. Normative References . . . . . . . . . . . . . . . . . . 42 8.1. Normative References . . . . . . . . . . . . . . . . . . 47
8.2. Informative References . . . . . . . . . . . . . . . . . 44 8.2. Informative References . . . . . . . . . . . . . . . . . 49
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 46 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 51
A.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 46 A.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 51
A.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 46 A.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 51
A.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 46 A.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 51
A.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 46 A.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 51
A.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 47 A.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 52
A.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 47 A.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 52
A.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 47 A.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 52
A.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 47 A.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 52
A.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 47 A.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 52
A.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 47 A.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 52
A.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 48 A.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 53
A.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 48 A.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 53
A.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 48 A.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 53
A.14. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 48 A.14. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 53
A.15. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 49 A.15. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 54
A.16. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 49 A.16. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 54
A.17. 15 to 16 . . . . . . . . . . . . . . . . . . . . . . . . 49 A.17. 15 to 16 . . . . . . . . . . . . . . . . . . . . . . . . 54
A.18. 16 to 17 . . . . . . . . . . . . . . . . . . . . . . . . 49 A.18. 16 to 17 . . . . . . . . . . . . . . . . . . . . . . . . 54
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 49 A.19. 17 to 18 . . . . . . . . . . . . . . . . . . . . . . . . 54
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 50 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 55
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 55
1. Introduction 1. Introduction
This document defines three YANG 1.1 [RFC7950] modules: the first This document defines three YANG 1.1 [RFC7950] modules: the first
defines a grouping for a generic TLS client, the second defines a defines a grouping for a generic TLS client, the second defines a
grouping for a generic TLS server, and the third defines identities grouping for a generic TLS server, and the third defines identities
and groupings common to both the client and the server (TLS is and groupings common to both the client and the server (TLS is
defined in [RFC5246]). It is intended that these groupings will be defined in [RFC5246]). It is intended that these groupings will be
used by applications using the TLS protocol. For instance, these used by applications using the TLS protocol. For instance, these
groupings could be used to help define the data model for an HTTPS groupings could be used to help define the data model for an HTTPS
skipping to change at page 5, line 11 skipping to change at page 5, line 11
This section provides a tree diagram [RFC8340] for the "ietf-tls- This section provides a tree diagram [RFC8340] for the "ietf-tls-
client" module that does not have groupings expanded. client" module that does not have groupings expanded.
========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) =========== ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========
module: ietf-tls-client module: ietf-tls-client
grouping tls-client-grouping grouping tls-client-grouping
+-- client-identity +-- client-identity
| +-- (auth-type) | +-- (auth-type)?
| +--:(certificate) | +--:(certificate) {x509-certificate-auth}?
| | +-- certificate {x509-certificate-auth}? | | +-- certificate
| | +---u ks:local-or-keystore-end-entity-cert-with-key-\ | | +---u ks:local-or-keystore-end-entity-cert-with-key-\
grouping grouping
| +--:(raw-public-key) | +--:(raw-public-key) {raw-public-key-auth}?
| | +-- raw-public-key {raw-public-key-auth}? | | +-- raw-private-key
| | +---u ks:local-or-keystore-asymmetric-key-grouping | | +---u ks:local-or-keystore-asymmetric-key-grouping
| +--:(psk) | +--:(psk) {psk-auth}?
| +-- psk {psk-auth}? | +-- psk
| +---u ks:local-or-keystore-symmetric-key-grouping | +---u ks:local-or-keystore-symmetric-key-grouping
+-- server-authentication +-- server-authentication
| +-- ca-certs! {x509-certificate-auth}? | +-- ca-certs! {x509-certificate-auth}?
| | +---u ts:local-or-truststore-certs-grouping | | +---u ts:local-or-truststore-certs-grouping
| +-- server-certs! {x509-certificate-auth}? | +-- server-certs! {x509-certificate-auth}?
| | +---u ts:local-or-truststore-certs-grouping | | +---u ts:local-or-truststore-certs-grouping
| +-- raw-public-keys! {raw-public-key-auth}? | +-- raw-public-keys! {raw-public-key-auth}?
| | +---u ts:local-or-truststore-raw-pub-keys-grouping | | +---u ts:local-or-truststore-public-keys-grouping
| +-- psks! {psk-auth}? | +-- psks! {psk-auth}?
+-- hello-params {tls-client-hello-params-config}? +-- hello-params {tls-client-hello-params-config}?
| +---u tlscmn:hello-params-grouping | +---u tlscmn:hello-params-grouping
+-- keepalives! {tls-client-keepalives}? +-- keepalives! {tls-client-keepalives}?
+-- max-wait? uint16 +-- max-wait? uint16
+-- max-attempts? uint8 +-- max-attempts? uint8
3.2. Example Usage 3.2. Example Usage
This section presents two examples showing the tls-client-grouping This section presents two examples showing the tls-client-grouping
skipping to change at page 6, line 25 skipping to change at page 6, line 20
<algorithm>rsa2048</algorithm> <algorithm>rsa2048</algorithm>
<public-key-format>ct:subject-public-key-info-format</public\ <public-key-format>ct:subject-public-key-info-format</public\
-key-format> -key-format>
<public-key>base64encodedvalue==</public-key> <public-key>base64encodedvalue==</public-key>
<private-key-format>ct:rsa-private-key-format</private-key-f\ <private-key-format>ct:rsa-private-key-format</private-key-f\
ormat> ormat>
<private-key>base64encodedvalue==</private-key> <private-key>base64encodedvalue==</private-key>
<cert>base64encodedvalue==</cert> <cert>base64encodedvalue==</cert>
</local-definition> </local-definition>
</certificate> </certificate>
<!-- TESTED, BUT COMMENTED OUT DUE TO ONLY ONE ALLOWED AT A TIME
<raw-private-key>
<local-definition>
<algorithm>rsa2048</algorithm>
<public-key-format>ct:subject-public-key-info-format</public\
-key-format>
<public-key>base64encodedvalue==</public-key>
<private-key-format>ct:rsa-private-key-format</private-key-f\
ormat>
<private-key>base64encodedvalue==</private-key>
</local-definition>
</raw-private-key>
<psk>
<local-definition>
<algorithm>aes-256-cbc</algorithm>
<key-format>ct:octet-string-key-format</key-format>
<key>base64encodedvalue==</key>
</local-definition>
</psk>
-->
</client-identity> </client-identity>
<!-- which certificates will this client trust --> <!-- which certificates will this client trust -->
<server-authentication> <server-authentication>
<ca-certs> <ca-certs>
<truststore-reference>explicitly-trusted-server-ca-certs</trus\ <local-definition>
tstore-reference> <cert>base64encodedvalue==</cert>
<cert>base64encodedvalue==</cert>
<cert>base64encodedvalue==</cert>
</local-definition>
</ca-certs> </ca-certs>
<server-certs> <server-certs>
<truststore-reference>explicitly-trusted-server-certs</trustst\ <local-definition>
ore-reference> <cert>base64encodedvalue==</cert>
<cert>base64encodedvalue==</cert>
<cert>base64encodedvalue==</cert>
</local-definition>
</server-certs> </server-certs>
<raw-public-keys>
<local-definition>
<public-key>
<name>corp-fw1</name>
<algorithm>secp256r1</algorithm>
<public-key-format>ct:subject-public-key-info-format</publ\
ic-key-format>
<public-key>base64encodedvalue==</public-key>
</public-key>
<public-key>
<name>corp-fw1</name>
<algorithm>secp256r1</algorithm>
<public-key-format>ct:subject-public-key-info-format</publ\
ic-key-format>
<public-key>base64encodedvalue==</public-key>
</public-key>
</local-definition>
</raw-public-keys>
<psks/>
</server-authentication> </server-authentication>
<keepalives> <keepalives>
<max-wait>30</max-wait> <max-wait>30</max-wait>
<max-attempts>3</max-attempts> <max-attempts>3</max-attempts>
</keepalives> </keepalives>
</tls-client> </tls-client>
The following example configures the client identity using a key from The following example configures the client identity using a key from
skipping to change at page 7, line 17 skipping to change at page 8, line 17
<tls-client xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client"> <tls-client xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-client">
<!-- how this client will authenticate itself to the server --> <!-- how this client will authenticate itself to the server -->
<client-identity> <client-identity>
<certificate> <certificate>
<keystore-reference> <keystore-reference>
<asymmetric-key>rsa-asymmetric-key</asymmetric-key> <asymmetric-key>rsa-asymmetric-key</asymmetric-key>
<certificate>ex-rsa-cert</certificate> <certificate>ex-rsa-cert</certificate>
</keystore-reference> </keystore-reference>
</certificate> </certificate>
<!-- TESTED, BUT COMMENTED OUT DUE TO ONLY ONE ALLOWED AT A TIME
<raw-private-key>
<keystore-reference>raw-private-key</keystore-reference>
</raw-private-key>
<psk>
<keystore-reference>encrypted-symmetric-key</keystore-referenc\
e>
</psk>
-->
</client-identity> </client-identity>
<!-- which certificates will this client trust --> <!-- which certificates will this client trust -->
<server-authentication> <server-authentication>
<ca-certs> <ca-certs>
<truststore-reference>explicitly-trusted-server-ca-certs</trus\ <truststore-reference>trusted-server-ca-certs</truststore-refe\
tstore-reference> rence>
</ca-certs> </ca-certs>
<server-certs> <server-certs>
<truststore-reference>explicitly-trusted-server-certs</trustst\ <truststore-reference>trusted-server-ee-certs</truststore-refe\
ore-reference> rence>
</server-certs> </server-certs>
<raw-public-keys>
<truststore-reference>Raw Public Keys for Servers</truststore-\
reference>
</raw-public-keys>
<psks/>
</server-authentication> </server-authentication>
<keepalives> <keepalives>
<max-wait>30</max-wait> <max-wait>30</max-wait>
<max-attempts>3</max-attempts> <max-attempts>3</max-attempts>
</keepalives> </keepalives>
</tls-client> </tls-client>
3.3. YANG Module 3.3. YANG Module
This YANG module has normative references to This YANG module has normative references to
[I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore]. [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore].
<CODE BEGINS> file "ietf-tls-client@2019-11-20.yang" <CODE BEGINS> file "ietf-tls-client@2020-03-08.yang"
module ietf-tls-client { module ietf-tls-client {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client";
prefix tlsc; prefix tlsc;
import ietf-tls-common { import ietf-tls-common {
prefix tlscmn; prefix tlscmn;
revision-date 2019-11-20; // stable grouping definitions revision-date 2020-03-08; // stable grouping definitions
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
import ietf-crypto-types { import ietf-crypto-types {
prefix ct; prefix ct;
reference reference
"RFC AAAA: Common YANG Data Types for Cryptography"; "RFC AAAA: Common YANG Data Types for Cryptography";
} }
skipping to change at page 9, line 18 skipping to change at page 10, line 33
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices. itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2019-11-20 { revision 2020-03-08 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
// Features // Features
feature tls-client-hello-params-config { feature tls-client-hello-params-config {
description description
skipping to change at page 10, line 29 skipping to change at page 11, line 45
have name conflicts. It is intended that the consuming have name conflicts. It is intended that the consuming
data model will resolve the issue (e.g., by wrapping data model will resolve the issue (e.g., by wrapping
the 'uses' statement in a container called the 'uses' statement in a container called
'tls-client-parameters'). This model purposely does 'tls-client-parameters'). This model purposely does
not do this itself so as to provide maximum flexibility not do this itself so as to provide maximum flexibility
to consuming models."; to consuming models.";
container client-identity { container client-identity {
nacm:default-deny-write; nacm:default-deny-write;
description description
"A locally-defined or referenced end-entity certificate, "Identity credentials the TLS client MAY present when
including any configured intermediate certificates, the establishing a connection to a TLS server. If not
TLS client will present when establishing a TLS connection configured, then client authentication is presumed to
in its Certificate message, as defined in Section 7.4.2 occur a protocol layer above TLS. When configured,
in RFC 5246."; and requested by the TLS server when establishing a
TLS session, these credentials are passed in the
Certificate message defined in Section 7.4.2 of
RFC 5246.";
reference reference
"RFC 5246: "RFC 5246:
The Transport Layer Security (TLS) Protocol Version 1.2 The Transport Layer Security (TLS) Protocol Version 1.2
RFC ZZZZ: RFC ZZZZ:
YANG Data Model for a 'Keystore' Mechanism"; YANG Data Model for a 'Keystore' Mechanism";
choice auth-type { choice auth-type {
mandatory true;
description description
"A choice amongst available authentication types."; "A choice amongst available authentication types.";
container certificate { case certificate {
if-feature x509-certificate-auth; if-feature x509-certificate-auth;
description container certificate {
"Specifies the client identity using a certificate."; description
uses ks:local-or-keystore-end-entity-cert-with-key-grouping "Specifies the client identity using a certificate.";
{ uses
refine "local-or-keystore/local/local-definition" { ks:local-or-keystore-end-entity-cert-with-key-grouping{
must 'public-key-format = refine "local-or-keystore/local/local-definition" {
"ct:subject-public-key-info-format"'; must 'public-key-format'
+ ' = "ct:subject-public-key-info-format"';
}
refine "local-or-keystore/keystore/keystore-reference"
+ "/asymmetric-key" {
must 'deref(.)/../ks:public-key-format'
+ ' = "ct:subject-public-key-info-format"';
}
} }
// FIXME: also need a must expression to ensure the
// *referenced* key's public-key-format is
// "ct:subject-public-key-info-format"
} }
} }
container raw-public-key { case raw-public-key {
if-feature raw-public-key-auth; if-feature raw-public-key-auth;
description container raw-private-key {
"Specifies the client identity using a raw private key."; description
uses ks:local-or-keystore-asymmetric-key-grouping; "Specifies the client identity using a raw
// FIXME: add a must expression contraining key-formats? private key.";
uses ks:local-or-keystore-asymmetric-key-grouping {
refine "local-or-keystore/local/local-definition" {
must 'public-key-format'
+ ' = "ct:subject-public-key-info-format"';
}
refine "local-or-keystore/keystore"
+ "/keystore-reference" {
must 'deref(.)/../ks:public-key-format'
+ ' = "ct:subject-public-key-info-format"';
}
}
}
} }
container psk { case psk {
if-feature psk-auth; if-feature psk-auth;
description container psk {
"Specifies the client identity using a PSK."; description
uses ks:local-or-keystore-symmetric-key-grouping; "Specifies the client identity using a PSK (pre-shared
// FIXME: add a must expression contraining key-formats? or pairwise-symmetric key). Note that, when the PSK is
configured as a Keystore reference, the key's 'name'
node MAY be used as the PSK's ID when used by the TLS
protocol.";
uses ks:local-or-keystore-symmetric-key-grouping {
augment "local-or-keystore/local/local-definition" {
if-feature "ks:local-definitions-supported";
description
"Adds an 'id' value when the PSK is used by TLS.";
leaf id {
type string; // is this the right type?
description
"The key id used in the TLS protocol for PSKs.";
}
}
}
}
} }
} }
} // container client-identity } // container client-identity
container server-authentication { container server-authentication {
nacm:default-deny-write; nacm:default-deny-write;
must 'ca-certs or server-certs'; must 'ca-certs or server-certs';
description description
"Specifies how the TLS client can authenticate TLS servers. "Specifies how the TLS client can authenticate TLS servers.
Any combination of credentials is additive and unordered. Any combination of credentials is additive and unordered.
skipping to change at page 12, line 4 skipping to change at page 14, line 5
presence presence
"Indicates that the TLS client can authenticate TLS servers "Indicates that the TLS client can authenticate TLS servers
using configured certificate authority certificates."; using configured certificate authority certificates.";
description description
"A set of certificate authority (CA) certificates used by "A set of certificate authority (CA) certificates used by
the TLS client to authenticate TLS server certificates. the TLS client to authenticate TLS server certificates.
A server certificate is authenticated if it has a valid A server certificate is authenticated if it has a valid
chain of trust to a configured CA certificate."; chain of trust to a configured CA certificate.";
reference reference
"RFC YYYY: YANG Data Model for a Truststore"; "RFC YYYY: YANG Data Model for a Truststore";
uses ts:local-or-truststore-certs-grouping; uses ts:local-or-truststore-certs-grouping;
// Note: TS certs don't have a key-format...no test needed
} }
container server-certs { // FIXME: plural too much? container server-certs {
// FIXME: plural too much? rename to ee-certs?
if-feature "x509-certificate-auth"; if-feature "x509-certificate-auth";
presence presence
"Indicates that the TLS client can authenticate TLS servers "Indicates that the TLS client can authenticate TLS
using configured server certificates."; servers using configured server certificates.";
description description
"A set of server certificates (i.e., end entity "A set of server certificates (i.e., end entity
certificates) used by the TLS client to authenticate certificates) used by the TLS client to authenticate
certificates presented by TLS servers. A server certificates presented by TLS servers. A server
certificate is authenticated if it is an exact certificate is authenticated if it is an exact
match to a configured server certificate."; match to a configured server certificate.";
reference reference
"RFC YYYY: YANG Data Model for a Truststore"; "RFC YYYY: YANG Data Model for a Truststore";
uses ts:local-or-truststore-certs-grouping; uses ts:local-or-truststore-certs-grouping;
// Note: TS certs don't have a key-format...no test needed
} }
container raw-public-keys { container raw-public-keys {
if-feature "raw-public-key-auth"; if-feature "raw-public-key-auth";
presence presence
"Indicates that the TLS client can authenticate TLS servers "Indicates that the TLS client can authenticate TLS
using configured server certificates."; servers using configured server certificates.";
description description
"A set of raw public keys used by the TLS client to "A set of raw public keys used by the TLS client to
authenticate raw public keys presented by the TLS server. authenticate raw public keys presented by the TLS
A raw public key is authenticated if it is an exact match server. A raw public key is authenticated if it
to a configured raw public key."; is an exact match to a configured raw public key.";
reference reference
"RFC YYYY: YANG Data Model for a Truststore"; "RFC YYYY: YANG Data Model for a Truststore";
uses ts:local-or-truststore-raw-pub-keys-grouping; uses ts:local-or-truststore-public-keys-grouping {
refine "local-or-truststore/local/local-definition"
+ "/public-key" {
must 'public-key-format'
+ ' = "ct:subject-public-key-info-format"';
}
refine "local-or-truststore/truststore"
+ "/truststore-reference" {
must 'deref(.)/../*/ts:public-key-format'
+ ' = "ct:subject-public-key-info-format"';
}
}
} }
container psks { container psks {
if-feature "psk-auth"; if-feature "psk-auth";
presence presence
"Indicates that the TLS client can authenticate TLS servers "Indicates that the TLS client can authenticate TLS servers
using a configure PSK (pre-shared or pairwise-symmetric using a configure PSK (pre-shared or pairwise-symmetric
key)."; key).";
description description
"No configuration is required since the PSK value would be "No configuration is required since the PSK value is the
the same as PSK value configured in the 'client-identity' same as PSK value configured in the 'client-identity'
node."; node.";
} }
} // container server-authentication } // container server-authentication
container hello-params { container hello-params {
nacm:default-deny-write; nacm:default-deny-write;
if-feature "tls-client-hello-params-config"; if-feature "tls-client-hello-params-config";
uses tlscmn:hello-params-grouping; uses tlscmn:hello-params-grouping;
description description
"Configurable parameters for the TLS hello message."; "Configurable parameters for the TLS hello message.";
skipping to change at page 13, line 37 skipping to change at page 16, line 4
aliveness of the TLS server."; aliveness of the TLS server.";
} }
leaf max-attempts { leaf max-attempts {
type uint8; type uint8;
default "3"; default "3";
description description
"Sets the maximum number of sequential keep-alive "Sets the maximum number of sequential keep-alive
messages that can fail to obtain a response from messages that can fail to obtain a response from
the TLS server before assuming the TLS server is the TLS server before assuming the TLS server is
no longer alive."; no longer alive.";
} }
} // container keepalives }
} // grouping tls-client-grouping } // grouping tls-client-grouping
} } // module ietf-tls-client
<CODE ENDS> <CODE ENDS>
4. The TLS Server Model 4. The TLS Server Model
4.1. Tree Diagram 4.1. Tree Diagram
This section provides a tree diagram [RFC8340] for the "ietf-tls- This section provides a tree diagram [RFC8340] for the "ietf-tls-
server" module that does not have groupings expanded. server" module that does not have groupings expanded.
========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) =========== ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========
module: ietf-tls-server module: ietf-tls-server
grouping tls-server-grouping grouping tls-server-grouping
+-- server-identity +-- server-identity
| +-- (auth-type) | +-- (auth-type)
| +--:(certificate) | +--:(certificate) {x509-certificate-auth}?
| | +-- certificate {x509-certificate-auth}? | | +-- certificate
| | +---u ks:local-or-keystore-end-entity-cert-with-key-\ | | +---u ks:local-or-keystore-end-entity-cert-with-key-\
grouping grouping
| +--:(raw-private-key) | +--:(raw-private-key) {raw-public-key-auth}?
| | +-- raw-private-key {raw-public-key-auth}? | | +-- raw-private-key
| | +---u ks:local-or-keystore-asymmetric-key-grouping | | +---u ks:local-or-keystore-asymmetric-key-grouping
| +--:(psk) | +--:(psk) {psk-auth}?
| +-- psk {psk-auth}? | +-- psk
| +---u ks:local-or-keystore-symmetric-key-grouping | +---u ks:local-or-keystore-symmetric-key-grouping
+-- client-authentication! {client-auth-config-supported}? +-- client-authentication! {client-auth-config-supported}?
| +-- ca-certs! {x509-certificate-auth}? | +-- ca-certs! {x509-certificate-auth}?
| | +---u ts:local-or-truststore-certs-grouping | | +---u ts:local-or-truststore-certs-grouping
| +-- client-certs! {x509-certificate-auth}? | +-- client-certs! {x509-certificate-auth}?
| | +---u ts:local-or-truststore-certs-grouping | | +---u ts:local-or-truststore-certs-grouping
| +-- raw-public-keys! {raw-public-key-auth}? | +-- raw-public-keys! {raw-public-key-auth}?
| +---u ts:local-or-truststore-raw-pub-keys-grouping | | +---u ts:local-or-truststore-public-keys-grouping
| +-- psks! {psk-auth}?
+-- hello-params {tls-server-hello-params-config}? +-- hello-params {tls-server-hello-params-config}?
| +---u tlscmn:hello-params-grouping | +---u tlscmn:hello-params-grouping
+-- keepalives! {tls-server-keepalives}? +-- keepalives! {tls-server-keepalives}?
+-- max-wait? uint16 +-- max-wait? uint16
+-- max-attempts? uint8 +-- max-attempts? uint8
4.2. Example Usage 4.2. Example Usage
This section presents two examples showing the tls-server-grouping This section presents two examples showing the tls-server-grouping
populated with some data. These examples are effectively the same populated with some data. These examples are effectively the same
skipping to change at page 15, line 25 skipping to change at page 17, line 38
<algorithm>rsa2048</algorithm> <algorithm>rsa2048</algorithm>
<public-key-format>ct:subject-public-key-info-format</public\ <public-key-format>ct:subject-public-key-info-format</public\
-key-format> -key-format>
<public-key>base64encodedvalue==</public-key> <public-key>base64encodedvalue==</public-key>
<private-key-format>ct:rsa-private-key-format</private-key-f\ <private-key-format>ct:rsa-private-key-format</private-key-f\
ormat> ormat>
<private-key>base64encodedvalue==</private-key> <private-key>base64encodedvalue==</private-key>
<cert>base64encodedvalue==</cert> <cert>base64encodedvalue==</cert>
</local-definition> </local-definition>
</certificate> </certificate>
<!-- TESTED, BUT COMMENTED OUT DUE TO ONLY ONE ALLOWED AT A TIME
<raw-private-key>
<local-definition>
<algorithm>rsa2048</algorithm>
<public-key-format>ct:subject-public-key-info-format</public\
-key-format>
<public-key>base64encodedvalue==</public-key>
<private-key-format>ct:rsa-private-key-format</private-key-f\
ormat>
<private-key>base64encodedvalue==</private-key>
</local-definition>
</raw-private-key>
<psk>
<local-definition>
<algorithm>aes-256-cbc</algorithm>
<key-format>ct:octet-string-key-format</key-format>
<key>base64encodedvalue==</key>
</local-definition>
</psk>
-->
</server-identity> </server-identity>
<!-- which certificates will this server trust --> <!-- which certificates will this server trust -->
<client-authentication> <client-authentication>
<ca-certs> <ca-certs>
<truststore-reference>explicitly-trusted-client-ca-certs</trus\ <local-definition>
tstore-reference> <cert>base64encodedvalue==</cert>
<cert>base64encodedvalue==</cert>
<cert>base64encodedvalue==</cert>
</local-definition>
</ca-certs> </ca-certs>
<client-certs> <client-certs>
<truststore-reference>explicitly-trusted-client-certs</trustst\ <local-definition>
ore-reference> <cert>base64encodedvalue==</cert>
<cert>base64encodedvalue==</cert>
<cert>base64encodedvalue==</cert>
</local-definition>
</client-certs> </client-certs>
<raw-public-keys>
<local-definition>
<public-key>
<name>User A</name>
<algorithm>secp256r1</algorithm>
<public-key-format>ct:subject-public-key-info-format</publ\
ic-key-format>
<public-key>base64encodedvalue==</public-key>
</public-key>
<public-key>
<name>User B</name>
<algorithm>secp256r1</algorithm>
<public-key-format>ct:subject-public-key-info-format</publ\
ic-key-format>
<public-key>base64encodedvalue==</public-key>
</public-key>
</local-definition>
</raw-public-keys>
<psks/>
</client-authentication> </client-authentication>
</tls-server> </tls-server>
The following example configures the server identity using a key from The following example configures the server identity using a key from
the keystore: the keystore:
========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) =========== ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========
<tls-server xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server"> <tls-server xmlns="urn:ietf:params:xml:ns:yang:ietf-tls-server">
<!-- how this server will authenticate itself to the client --> <!-- how this server will authenticate itself to the client -->
<server-identity> <server-identity>
<certificate> <certificate>
<keystore-reference> <keystore-reference>
<asymmetric-key>rsa-asymmetric-key</asymmetric-key> <asymmetric-key>rsa-asymmetric-key</asymmetric-key>
<certificate>ex-rsa-cert</certificate> <certificate>ex-rsa-cert</certificate>
</keystore-reference> </keystore-reference>
</certificate> </certificate>
<!-- TESTED, BUT COMMENTED OUT DUE TO ONLY ONE ALLOWED AT A TIME
<raw-private-key>
<keystore-reference>raw-private-key</keystore-reference>
</raw-private-key>
<psk>
<keystore-reference>encrypted-symmetric-key</keystore-referenc\
e>
</psk>
-->
</server-identity> </server-identity>
<!-- which certificates will this server trust --> <!-- which certificates will this server trust -->
<client-authentication> <client-authentication>
<ca-certs> <ca-certs>
<truststore-reference>explicitly-trusted-client-ca-certs</trus\ <truststore-reference>trusted-client-ca-certs</truststore-refe\
tstore-reference> rence>
</ca-certs> </ca-certs>
<client-certs> <client-certs>
<truststore-reference>explicitly-trusted-client-certs</trustst\ <truststore-reference>trusted-client-ee-certs</truststore-refe\
ore-reference> rence>
</client-certs> </client-certs>
<raw-public-keys>
<truststore-reference>Raw Public Keys for Clients</truststore-\
reference>
</raw-public-keys>
<psks/>
</client-authentication> </client-authentication>
</tls-server> </tls-server>
4.3. YANG Module 4.3. YANG Module
This YANG module has a normative references to [RFC5246], This YANG module has a normative references to [RFC5246],
[I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore]. [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore].
<CODE BEGINS> file "ietf-tls-server@2019-11-20.yang" <CODE BEGINS> file "ietf-tls-server@2020-03-08.yang"
module ietf-tls-server { module ietf-tls-server {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server";
prefix tlss; prefix tlss;
import ietf-tls-common { import ietf-tls-common {
prefix tlscmn; prefix tlscmn;
revision-date 2019-11-20; // stable grouping definitions revision-date 2020-03-08; // stable grouping definitions
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
import ietf-crypto-types { import ietf-crypto-types {
prefix ct; prefix ct;
reference reference
"RFC AAAA: Common YANG Data Types for Cryptography"; "RFC AAAA: Common YANG Data Types for Cryptography";
} }
skipping to change at page 18, line 13 skipping to change at page 21, line 26
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices. itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2019-11-20 { revision 2020-03-08 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
// Features // Features
feature tls-server-hello-params-config { feature tls-server-hello-params-config {
description description
skipping to change at page 18, line 45 skipping to change at page 22, line 9
description description
"Indicates that the configuration for how to authenticate "Indicates that the configuration for how to authenticate
clients can be configured herein, as opposed to in an clients can be configured herein, as opposed to in an
application specific location. That is, to support the application specific location. That is, to support the
consuming data models that prefer to place client consuming data models that prefer to place client
authentication with client definitions, rather then authentication with client definitions, rather then
in a data model principally concerned with configuring in a data model principally concerned with configuring
the transport."; the transport.";
} }
feature external-client-auth-supported {
description
"Indicates that the TLS server supports external
configuration of client credentials.";
}
feature x509-certificate-auth { feature x509-certificate-auth {
description description
"Indicates that the server supports authenticating clients "Indicates that the server supports authenticating clients
using X.509 certificates."; using X.509 certificates.";
} }
feature raw-public-key-auth { feature raw-public-key-auth {
description description
"Indicates that the server supports authenticating clients "Indicates that the server supports authenticating clients
using ray public keys."; using ray public keys.";
skipping to change at page 20, line 4 skipping to change at page 23, line 10
nacm:default-deny-write; nacm:default-deny-write;
description description
"A locally-defined or referenced end-entity certificate, "A locally-defined or referenced end-entity certificate,
including any configured intermediate certificates, the including any configured intermediate certificates, the
TLS server will present when establishing a TLS connection TLS server will present when establishing a TLS connection
in its Certificate message, as defined in Section 7.4.2 in its Certificate message, as defined in Section 7.4.2
in RFC 5246."; in RFC 5246.";
reference reference
"RFC 5246: "RFC 5246:
The Transport Layer Security (TLS) Protocol Version 1.2 The Transport Layer Security (TLS) Protocol Version 1.2
RFC ZZZZ: RFC ZZZZ:
YANG Data Model for a 'Keystore' Mechanism"; YANG Data Model for a 'Keystore' Mechanism";
choice auth-type { choice auth-type {
mandatory true; mandatory true;
description description
"A choice amongst authentication types."; "A choice amongst authentication types.";
container certificate { case certificate {
if-feature x509-certificate-auth; if-feature x509-certificate-auth;
description container certificate {
"Specifies the server identity using a certificate."; description
uses ks:local-or-keystore-end-entity-cert-with-key-grouping "Specifies the server identity using a certificate.";
{ uses
refine "local-or-keystore/local/local-definition" { ks:local-or-keystore-end-entity-cert-with-key-grouping{
must 'public-key-format = refine "local-or-keystore/local/local-definition" {
"ct:subject-public-key-info-format"'; must 'public-key-format'
+ ' = "ct:subject-public-key-info-format"';
}
refine "local-or-keystore/keystore/keystore-reference"
+ "/asymmetric-key" {
must 'deref(.)/../ks:public-key-format'
+ ' = "ct:subject-public-key-info-format"';
}
} }
// FIXME: also need a must expression to ensure the
// *referenced* key's public-key-format is
// "ct:subject-public-key-info-format"
} }
} }
container raw-private-key { case raw-private-key {
if-feature raw-public-key-auth; if-feature raw-public-key-auth;
description container raw-private-key {
"Specifies the server identity using a raw private key."; description
uses ks:local-or-keystore-asymmetric-key-grouping; "Specifies the server identity using a raw
// FIXME: add a must expression contraining key-formats? private key.";
uses ks:local-or-keystore-asymmetric-key-grouping {
refine "local-or-keystore/local/local-definition" {
must 'public-key-format'
+ ' = "ct:subject-public-key-info-format"';
}
refine "local-or-keystore/keystore/keystore-reference"{
must 'deref(.)/../ks:public-key-format'
+ ' = "ct:subject-public-key-info-format"';
}
}
}
} }
container psk { case psk {
if-feature psk-auth; if-feature psk-auth;
description container psk {
"Specifies the server identity using a PSK."; description
uses ks:local-or-keystore-symmetric-key-grouping; "Specifies the server identity using a PSK (pre-shared
// FIXME: add a must expression contraining key-formats? or pairwise-symmetric key). Note that, when the PSK is
configured as a Keystore reference, the key's 'name'
node MAY be used as the PSK's ID when used by the TLS
protocol.";
uses ks:local-or-keystore-symmetric-key-grouping {
augment "local-or-keystore/local/local-definition" {
if-feature "ks:local-definitions-supported";
description
"An 'id' value for when the PSK is used by TLS.";
leaf id {
type string; // is this the right type?
description
"The key id used in the TLS protocol for PSKs.";
}
}
}
}
} }
} }
} // container server-identity } // container server-identity
container client-authentication { container client-authentication {
if-feature "client-auth-config-supported"; if-feature "client-auth-config-supported";
nacm:default-deny-write; nacm:default-deny-write;
presence presence
"Indicates that client authentication is supported (i.e., "Indicates that client authentication is supported (i.e.,
that the server will request clients send certificates)."; that the server will request clients send certificates).
If not configured, the TLS server SHOULD NOT request the
TLS clients provide authentication credentials.";
description description
"Specifies how the TLS server can authenticate TLS clients. "Specifies how the TLS server can authenticate TLS clients.
Any combination of credentials is additive and unordered. Any combination of credentials is additive and unordered.
Note that no configuration is required for PSK (pre-shared Note that no configuration is required for PSK (pre-shared
or pairwise-symmetric key) based authentication as the key or pairwise-symmetric key) based authentication as the key
is necessarily the same as configured in the '../server- is necessarily the same as configured in the '../server-
identity' node."; identity' node.";
container ca-certs { container ca-certs {
if-feature "x509-certificate-auth"; if-feature "x509-certificate-auth";
skipping to change at page 21, line 14 skipping to change at page 25, line 4
Note that no configuration is required for PSK (pre-shared Note that no configuration is required for PSK (pre-shared
or pairwise-symmetric key) based authentication as the key or pairwise-symmetric key) based authentication as the key
is necessarily the same as configured in the '../server- is necessarily the same as configured in the '../server-
identity' node."; identity' node.";
container ca-certs { container ca-certs {
if-feature "x509-certificate-auth"; if-feature "x509-certificate-auth";
presence presence
"Indicates that the TLS server can authenticate TLS clients "Indicates that the TLS server can authenticate TLS clients
using configured certificate authority certificates."; using configured certificate authority certificates.";
description description
"A set of certificate authority (CA) certificates used by "A set of certificate authority (CA) certificates used by
the TLS server to authenticate TLS client certificates. A the TLS server to authenticate TLS client certificates. A
client certificate is authenticated if it has a valid client certificate is authenticated if it has a valid
chain of trust to a configured CA certificate."; chain of trust to a configured CA certificate.";
reference reference
"RFC YYYY: YANG Data Model for a Truststore"; "RFC CCCC: YANG Data Model for a Truststore";
uses ts:local-or-truststore-certs-grouping; uses ts:local-or-truststore-certs-grouping;
// Note: TS certs don't have a key-format...no test needed
} }
container client-certs { // FIXME: plural too much? container client-certs { // FIXME: plural too much?
if-feature "x509-certificate-auth"; if-feature "x509-certificate-auth";
presence presence
"Indicates that the TLS server can authenticate TLS clients "Indicates that the TLS server can authenticate TLS
using configured client certificates."; clients using configured client certificates.";
description description
"A set of client certificates (i.e., end entity "A set of client certificates (i.e., end entity
certificates) used by the TLS server to authenticate certificates) used by the TLS server to authenticate
certificates presented by TLS clients. A client certificates presented by TLS clients. A client
certificate is authenticated if it is an exact match certificate is authenticated if it is an exact
to a configured client certificate."; match to a configured client certificate.";
reference reference
"RFC YYYY: YANG Data Model for a Truststore"; "RFC CCCC: YANG Data Model for a Truststore";
uses ts:local-or-truststore-certs-grouping; uses ts:local-or-truststore-certs-grouping;
// Note: TS certs don't have a key-format...no test needed
} }
container raw-public-keys { container raw-public-keys {
if-feature "raw-public-key-auth"; if-feature "raw-public-key-auth";
presence presence
"Indicates that the TLS server can authenticate TLS clients "Indicates that the TLS server can authenticate TLS
using configured client certificates."; clients using raw public keys.";
description description
"A set of raw public keys used by the TLS server to "A set of raw public keys used by the TLS server to
authenticate raw public keys presented by the TLS client. authenticate raw public keys presented by the TLS
A raw public key is authenticated if it is an exact match client. A raw public key is authenticated if it
to a configured raw public key."; is an exact match to a configured raw public key.";
reference reference
"RFC YYYY: YANG Data Model for a Truststore"; "RFC CCCC: YANG Data Model for a Truststore";
uses ts:local-or-truststore-raw-pub-keys-grouping; uses ts:local-or-truststore-public-keys-grouping {
refine "local-or-truststore/local/local-definition"
+ "/public-key" {
must 'public-key-format'
+ ' = "ct:subject-public-key-info-format"';
}
refine "local-or-truststore/truststore"
+ "/truststore-reference" {
must 'deref(.)/../*/ts:public-key-format'
+ ' = "ct:subject-public-key-info-format"';
}
}
}
container psks {
if-feature "psk-auth";
presence
"Indicates that the TLS server can authenticate the TLS
client using its PSK (pre-shared or pairwise-symmetric
key).";
description
"No configuration is required since the PSK value is the
same as PSK value configured in the 'client-identity'
node.";
} }
} // container client-authentication } // container client-authentication
container hello-params { container hello-params {
nacm:default-deny-write; nacm:default-deny-write;
if-feature "tls-server-hello-params-config"; if-feature "tls-server-hello-params-config";
uses tlscmn:hello-params-grouping; uses tlscmn:hello-params-grouping;
description description
"Configurable parameters for the TLS hello message."; "Configurable parameters for the TLS hello message.";
} // container hello-params } // container hello-params
container keepalives { container keepalives {
nacm:default-deny-write; nacm:default-deny-write;
skipping to change at page 22, line 44 skipping to change at page 27, line 13
type uint8; type uint8;
default "3"; default "3";
description description
"Sets the maximum number of sequential keep-alive "Sets the maximum number of sequential keep-alive
messages that can fail to obtain a response from messages that can fail to obtain a response from
the TLS client before assuming the TLS client is the TLS client before assuming the TLS client is
no longer alive."; no longer alive.";
} }
} // container keepalives } // container keepalives
} // grouping tls-server-grouping } // grouping tls-server-grouping
} } // module ietf-tls-server
<CODE ENDS> <CODE ENDS>
5. The TLS Common Model 5. The TLS Common Model
The TLS common model presented in this section contains identities The TLS common model presented in this section contains identities
and groupings common to both TLS clients and TLS servers. The hello- and groupings common to both TLS clients and TLS servers. The hello-
params-grouping can be used to configure the list of TLS algorithms params-grouping can be used to configure the list of TLS algorithms
permitted by the TLS client or TLS server. The lists of algorithms permitted by the TLS client or TLS server. The lists of algorithms
are ordered such that, if multiple algorithms are permitted by the are ordered such that, if multiple algorithms are permitted by the
skipping to change at page 31, line 45 skipping to change at page 36, line 45
</hello-params> </hello-params>
5.3. YANG Module 5.3. YANG Module
This YANG module has a normative references to [RFC4346], [RFC5246], This YANG module has a normative references to [RFC4346], [RFC5246],
[RFC5288], [RFC5289], and [RFC8422]. [RFC5288], [RFC5289], and [RFC8422].
This YANG module has a informative references to [RFC2246], This YANG module has a informative references to [RFC2246],
[RFC4346], [RFC5246], and [RFC8446]. [RFC4346], [RFC5246], and [RFC8446].
<CODE BEGINS> file "ietf-tls-common@2019-11-20.yang" <CODE BEGINS> file "ietf-tls-common@2020-03-08.yang"
module ietf-tls-common { module ietf-tls-common {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common";
prefix tlscmn; prefix tlscmn;
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
contact contact
skipping to change at page 32, line 37 skipping to change at page 37, line 37
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices. itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2019-11-20 { revision 2020-03-08 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
} }
// Features // Features
feature tls-1_0 { feature tls-1_0 {
description description
skipping to change at page 42, line 44 skipping to change at page 47, line 44
namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common
prefix: tlscmn prefix: tlscmn
reference: RFC XXXX reference: RFC XXXX
8. References 8. References
8.1. Normative References 8.1. Normative References
[I-D.ietf-netconf-crypto-types] [I-D.ietf-netconf-crypto-types]
Watsen, K. and H. Wang, "Common YANG Data Types for Watsen, K. and H. Wang, "Common YANG Data Types for
Cryptography", draft-ietf-netconf-crypto-types-12 (work in Cryptography", draft-ietf-netconf-crypto-types-13 (work in
progress), November 2019. progress), November 2019.
[I-D.ietf-netconf-keystore] [I-D.ietf-netconf-keystore]
Watsen, K., "A YANG Data Model for a Keystore", draft- Watsen, K., "A YANG Data Model for a Keystore", draft-
ietf-netconf-keystore-14 (work in progress), November ietf-netconf-keystore-15 (work in progress), November
2019. 2019.
[I-D.ietf-netconf-trust-anchors] [I-D.ietf-netconf-trust-anchors]
Watsen, K. and H. Birkholz, "A YANG Data Model for a Watsen, K., "A YANG Data Model for a Truststore", draft-
Truststore", draft-ietf-netconf-trust-anchors-07 (work in ietf-netconf-trust-anchors-08 (work in progress), November
progress), November 2019. 2019.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois
Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, Counter Mode (GCM) Cipher Suites for TLS", RFC 5288,
DOI 10.17487/RFC5288, August 2008, DOI 10.17487/RFC5288, August 2008,
<https://www.rfc-editor.org/info/rfc5288>. <https://www.rfc-editor.org/info/rfc5288>.
skipping to change at page 49, line 44 skipping to change at page 54, line 44
supported" feature. supported" feature.
o Removed choice required-or-optional. o Removed choice required-or-optional.
o Updated examples to include the "*-key-format" nodes. o Updated examples to include the "*-key-format" nodes.
o Augmented-in "must" expressions ensuring that locally-defined o Augmented-in "must" expressions ensuring that locally-defined
public-key-format are "ct:ssh-public-key-format" (must expr for public-key-format are "ct:ssh-public-key-format" (must expr for
ref'ed keys are TBD). ref'ed keys are TBD).
A.19. 17 to 18
o Removed the unused "external-client-auth-supported" feature.
o Made client-indentity optional, as there may be over-the-top auth
instead.
o Added augment to uses of local-or-keystore-symmetric-key-grouping
for a psk "id" node.
o Added missing presence container "psks" to ietf-tls-server's
"client-authentication" container.
o Updated examples to reflect new "bag" addition to truststore.
o Removed feature-limited caseless 'case' statements to improve tree
diagram rendering.
o Refined truststore/keystore groupings to ensure the key formats
"must" be particular values.
o Switched to using truststore's new "public-key" bag (instead of
separate "ssh-public-key" and "raw-public-key" bags.
o Updated client/server examples to cover ALL cases (local/ref x
cert/raw-key/psk).
Acknowledgements Acknowledgements
The authors would like to thank for following for lively discussions The authors would like to thank for following for lively discussions
on list and in the halls (ordered by last name): Andy Bierman, Martin on list and in the halls (ordered by last name): Andy Bierman, Martin
Bjorklund, Benoit Claise, Mehmet Ersue, Balazs Kovacs, David Bjorklund, Benoit Claise, Mehmet Ersue, Balazs Kovacs, David
Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci, Tom Petch, Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci, Tom Petch,
Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert Wijnen. Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert Wijnen.
Authors' Addresses Authors' Addresses
 End of changes. 86 change blocks. 
172 lines changed or deleted 420 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/