
Merging upstream version 3.5.5 (Closes: #1098233).

Signed-off-by: Daniel Baumann <daniel@debian.org>
Daniel Baumann 2025-02-18 11:33:30 +01:00
parent c86ae7dcba
commit 6af28b7e8e
Signed by: daniel
GPG key ID: FBB4F0E80A80222F
144 changed files with 43534 additions and 11497 deletions


@ -0,0 +1,124 @@
module iana-crypt-hash {
namespace "urn:ietf:params:xml:ns:yang:iana-crypt-hash";
prefix ianach;
organization "IANA";
contact
" Internet Assigned Numbers Authority
Postal: ICANN
4676 Admiralty Way, Suite 330
Marina del Rey, CA 90292
Tel: +1 310 823 9358
E-Mail: iana&iana.org";
description
"This YANG module defines a typedef for storing passwords
using a hash function, and features to indicate which hash
functions are supported by an implementation.
The latest revision of this YANG module can be obtained from
the IANA web site.
Requests for new values should be made to IANA via
email (iana&iana.org).
Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
The initial version of this YANG module is part of RFC XXXX;
see the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this
// note.
// RFC Ed.: update the date below with the date of RFC publication
// and remove this note.
revision 2014-04-04 {
description
"Initial revision.";
reference
"RFC XXXX: A YANG Data Model for System Management";
}
typedef crypt-hash {
type string {
pattern
'$0$.*'
+ '|$1$[a-zA-Z0-9./]{1,8}$[a-zA-Z0-9./]{22}'
+ '|$5$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{43}'
+ '|$6$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{86}';
}
description
"The crypt-hash type is used to store passwords using
a hash function. The algorithms for applying the hash
function and encoding the result are implemented in
various UNIX systems as the function crypt(3).
A value of this type matches one of the forms:
$0$<clear text password>
$<id>$<salt>$<password hash>
$<id>$<parameter>$<salt>$<password hash>
The '$0$' prefix signals that the value is clear text. When
such a value is received by the server, a hash value is
calculated, and the string '$<id>$<salt>$' or
$<id>$<parameter>$<salt>$ is prepended to the result. This
value is stored in the configuration data store.
If a value starting with '$<id>$', where <id> is not '0', is
received, the server knows that the value already represents a
hashed value, and stores it as is in the data store.
When a server needs to verify a password given by a user, it
finds the stored password hash string for that user, extracts
the salt, and calculates the hash with the salt and given
password as input. If the calculated hash value is the same
as the stored value, the password given by the client is
accepted.
This type defines the following hash functions:
id | hash function | feature
---+---------------+-------------------
1 | MD5 | crypt-hash-md5
5 | SHA-256 | crypt-hash-sha-256
6 | SHA-512 | crypt-hash-sha-512
The server indicates support for the different hash functions
by advertising the corresponding feature.";
reference
"IEEE Std 1003.1-2008 - crypt() function
RFC 1321: The MD5 Message-Digest Algorithm
FIPS.180-3.2008: Secure Hash Standard";
}
feature crypt-hash-md5 {
description
"Indicates that the device supports the MD5
hash function in 'crypt-hash' values";
reference "RFC 1321: The MD5 Message-Digest Algorithm";
}
feature crypt-hash-sha-256 {
description
"Indicates that the device supports the SHA-256
hash function in 'crypt-hash' values";
reference "FIPS.180-3.2008: Secure Hash Standard";
}
feature crypt-hash-sha-512 {
description
"Indicates that the device supports the SHA-512
hash function in 'crypt-hash' values";
reference "FIPS.180-3.2008: Secure Hash Standard";
}
}
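Review bot: The pattern in typedef crypt-hash accepts `$0$` with nothing after it, so an empty clear-text password is a syntactically valid value; the description says such values are hashed and stored, but nothing in the type prevents a consumer from accepting an empty secret. Because this is an IANA-maintained module vendored verbatim, the check belongs in the code that consumes the type (reject an empty `$0$` value before hashing, and never let the clear-text form reach persistent config or logs) rather than in the pattern. Note too that the `$1$` MD5-crypt form is matched by the pattern regardless of whether `crypt-hash-md5` is advertised, so hash-strength policy is likewise the consumer's responsibility. The module still carries the pre-publication `RFC XXXX` placeholders with a 2014-04-04 revision, which appears to predate the published version; worth confirming the copy matches the upstream release being merged.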


@ -0,0 +1,389 @@
module iana-ssh-encryption-algs {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs";
prefix sshea;
organization
"Internet Assigned Numbers Authority (IANA)";
contact
"Postal: ICANN
12025 Waterfront Drive, Suite 300
Los Angeles, CA 90094-2536
United States of America
Tel: +1 310 301 5800
Email: iana@iana.org";
description
"This module defines identities for the encryption algorithms
defined in the 'Encryption Algorithm Names' sub-registry of the
'Secure Shell (SSH) Protocol Parameters' registry maintained
by IANA.
Copyright (c) 2022 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
The initial version of this YANG module is part of RFC EEEE
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC
itself for full legal notices.";
revision 2022-06-16 {
description
"Reflects contents of the encryption algorithms registry
on June 16, 2022.";
reference
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
}
// Typedefs
typedef encryption-algorithm-ref {
type identityref {
base "encryption-alg-base";
}
description
"A reference to a SSH encryption algorithm identifier.";
}
// Identities
identity encryption-alg-base {
description
"Base identity used to identify encryption algorithms.";
}
identity triple-des-cbc { // YANG IDs cannot begin with a number
base encryption-alg-base;
description
"3DES-CBC";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity blowfish-cbc {
base encryption-alg-base;
description
"BLOWFISH-CBC";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity twofish256-cbc {
base encryption-alg-base;
description
"TWOFISH256-CBC";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity twofish-cbc {
base encryption-alg-base;
description
"TWOFISH-CBC";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity twofish192-cbc {
base encryption-alg-base;
description
"TWOFISH192-CBC";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity twofish128-cbc {
base encryption-alg-base;
description
"TWOFISH128-CBC";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity aes256-cbc {
base encryption-alg-base;
description
"AES256-CBC";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity aes192-cbc {
base encryption-alg-base;
description
"AES192-CBC";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity aes128-cbc {
base encryption-alg-base;
status deprecated;
description
"AES128-CBC";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity serpent256-cbc {
base encryption-alg-base;
description
"SERPENT256-CBC";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity serpent192-cbc {
base encryption-alg-base;
description
"SERPENT192-CBC";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity serpent128-cbc {
base encryption-alg-base;
description
"SERPENT128-CBC";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity arcfour {
base encryption-alg-base;
status obsolete;
description
"ARCFOUR";
reference
"RFC 8758:
Deprecating RC4 in Secure Shell (SSH)";
}
identity idea-cbc {
base encryption-alg-base;
description
"IDEA-CBC";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity cast128-cbc {
base encryption-alg-base;
description
"CAST128-CBC";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity none {
base encryption-alg-base;
description
"NONE";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity des-cbc {
base encryption-alg-base;
status obsolete;
description
"DES-CBC";
reference
"FIPS 46-3:
Data Encryption Standard (DES)";
}
identity arcfour128 {
base encryption-alg-base;
status obsolete;
description
"ARCFOUR128";
reference
"RFC 8758:
Deprecating RC4 in Secure Shell (SSH)";
}
identity arcfour256 {
base encryption-alg-base;
status obsolete;
description
"ARCFOUR256";
reference
"RFC 8758:
Deprecating RC4 in Secure Shell (SSH)";
}
identity aes128-ctr {
base encryption-alg-base;
status deprecated;
description
"AES128-CTR";
reference
"RFC 4344:
The Secure Shell (SSH) Transport Layer Encryption Modes";
}
identity aes192-ctr {
base encryption-alg-base;
description
"AES192-CTR";
reference
"RFC 4344:
The Secure Shell (SSH) Transport Layer Encryption Modes";
}
identity aes256-ctr {
base encryption-alg-base;
description
"AES256-CTR";
reference
"RFC 4344:
The Secure Shell (SSH) Transport Layer Encryption Modes";
}
identity triple-des-ctr { // YANG IDs cannot begin with a number
base encryption-alg-base;
description
"3DES-CTR";
reference
"RFC 4344:
The Secure Shell (SSH) Transport Layer Encryption Modes";
}
identity blowfish-ctr {
base encryption-alg-base;
description
"BLOWFISH-CTR";
reference
"RFC 4344:
The Secure Shell (SSH) Transport Layer Encryption Modes";
}
identity twofish128-ctr {
base encryption-alg-base;
description
"TWOFISH128-CTR";
reference
"RFC 4344:
The Secure Shell (SSH) Transport Layer Encryption Modes";
}
identity twofish192-ctr {
base encryption-alg-base;
description
"TWOFISH192-CTR";
reference
"RFC 4344:
The Secure Shell (SSH) Transport Layer Encryption Modes";
}
identity twofish256-ctr {
base encryption-alg-base;
description
"TWOFISH256-CTR";
reference
"RFC 4344:
The Secure Shell (SSH) Transport Layer Encryption Modes";
}
identity serpent128-ctr {
base encryption-alg-base;
description
"SERPENT128-CTR";
reference
"RFC 4344:
The Secure Shell (SSH) Transport Layer Encryption Modes";
}
identity serpent192-ctr {
base encryption-alg-base;
description
"SERPENT192-CTR";
reference
"RFC 4344:
The Secure Shell (SSH) Transport Layer Encryption Modes";
}
identity serpent256-ctr {
base encryption-alg-base;
description
"SERPENT256-CTR";
reference
"RFC 4344:
The Secure Shell (SSH) Transport Layer Encryption Modes";
}
identity idea-ctr {
base encryption-alg-base;
description
"IDEA-CTR";
reference
"RFC 4344:
The Secure Shell (SSH) Transport Layer Encryption Modes";
}
identity cast128-ctr {
base encryption-alg-base;
description
"CAST128-CTR";
reference
"RFC 4344:
The Secure Shell (SSH) Transport Layer Encryption Modes";
}
identity aead-aes-128-gcm {
base encryption-alg-base;
description
"AEAD_AES_128_GCM";
reference
"RFC 5647:
AES Galois Counter Mode for the
Secure Shell Transport Layer Protocol";
}
identity aead-aes-256-gcm {
base encryption-alg-base;
description
"AEAD_AES_256_GCM";
reference
"RFC 5647:
AES Galois Counter Mode for the
Secure Shell Transport Layer Protocol";
}
// Protocol-accessible Nodes
container supported-algorithms {
config false;
description
"A container for a list of encryption algorithms
supported by the server.";
leaf-list supported-algorithm {
type encryption-algorithm-ref;
description
"A encryption algorithm supported by the server.";
}
}
}
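Review bot: `identity none` carries no `status` statement, while the other insecure ciphers in this module (`arcfour`, `arcfour128`, `arcfour256`, `des-cbc`) are marked `obsolete`, so nothing in the model discourages a server from listing `none` under `supported-algorithms/supported-algorithm` or a client from configuring it. Since the module is a vendored IANA snapshot, the restriction should live in the consuming code (never advertise or accept `none`); the same applies to `identity none` in iana-ssh-mac-algs. The leaf-list description `A encryption algorithm supported by the server.` should read `An encryption algorithm supported by the server.`, and the typedef description's `a SSH` should be `an SSH`. The `RFC EEEE` placeholders indicate a draft snapshot rather than a published module; the registry contents as of June 16, 2022 should be confirmed against the upstream release.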



@ -0,0 +1,162 @@
module iana-ssh-mac-algs {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs";
prefix sshma;
organization
"Internet Assigned Numbers Authority (IANA)";
contact
"Postal: ICANN
12025 Waterfront Drive, Suite 300
Los Angeles, CA 90094-2536
United States of America
Tel: +1 310 301 5800
Email: iana@iana.org";
description
"This module defines identities for the MAC algorithms
defined in the 'MAC Algorithm Names' sub-registry of the
'Secure Shell (SSH) Protocol Parameters' registry maintained
by IANA.
Copyright (c) 2022 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
The initial version of this YANG module is part of RFC EEEE
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC
itself for full legal notices.";
revision 2022-06-16 {
description
"Reflects contents of the MAC algorithms registry on
June 16, 2022.";
reference
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
}
// Typedefs
typedef mac-algorithm-ref {
type identityref {
base "mac-alg-base";
}
description
"A reference to a SSH mac algorithm identifier.";
}
// Identities
identity mac-alg-base {
description
"Base identity used to identify message authentication
code (MAC) algorithms.";
}
identity hmac-sha1 {
base mac-alg-base;
description
"HMAC-SHA1";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity hmac-sha1-96 {
base mac-alg-base;
description
"HMAC-SHA1-96";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity hmac-md5 {
base mac-alg-base;
description
"HMAC-MD5";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity hmac-md5-96 {
base mac-alg-base;
description
"HMAC-MD5-96";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity none {
base mac-alg-base;
description
"NONE";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity aead-aes-128-gcm {
base mac-alg-base;
description
"AEAD_AES_128_GCM";
reference
"RFC 5647:
AES Galois Counter Mode for the
Secure Shell Transport Layer Protocol";
}
identity aead-aes-256-gcm {
base mac-alg-base;
description
"AEAD_AES_256_GCM";
reference
"RFC 5647:
AES Galois Counter Mode for the
Secure Shell Transport Layer Protocol";
}
identity hmac-sha2-256 {
base mac-alg-base;
description
"HMAC-SHA2-256";
reference
"RFC 6668:
SHA-2 Data Integrity Verification for the
Secure Shell (SSH) Transport Layer Protocol";
}
identity hmac-sha2-512 {
base mac-alg-base;
description
"HMAC-SHA2-512";
reference
"RFC 6668:
SHA-2 Data Integrity Verification for the
Secure Shell (SSH) Transport Layer Protocol";
}
// Protocol-accessible Nodes
container supported-algorithms {
config false;
description
"A container for a list of MAC algorithms
supported by the server.";
leaf-list supported-algorithm {
type mac-algorithm-ref;
description
"A MAC algorithm supported by the server.";
}
}
}
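Review bot: The typedef description `A reference to a SSH mac algorithm identifier.` should read `A reference to an SSH MAC algorithm identifier.`, matching the capitalisation of MAC used in the module's own base-identity description. As this is an IANA-maintained module, the wording fix belongs upstream rather than in this vendored copy.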


@ -0,0 +1,436 @@
module iana-ssh-public-key-algs {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs";
prefix sshpka;
organization
"Internet Assigned Numbers Authority (IANA)";
contact
"Postal: ICANN
12025 Waterfront Drive, Suite 300
Los Angeles, CA 90094-2536
United States of America
Tel: +1 310 301 5800
Email: iana@iana.org";
description
"This module defines identities for the public key algorithms
defined in the 'Public Key Algorithm Names' sub-registry of the
'Secure Shell (SSH) Protocol Parameters' registry maintained
by IANA.
Copyright (c) 2022 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
The initial version of this YANG module is part of RFC EEEE
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC
itself for full legal notices.";
revision 2022-06-16 {
description
"Reflects contents of the public key algorithms registry
on June 16, 2022.";
reference
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
}
// Typedefs
typedef public-key-algorithm-ref {
type identityref {
base "public-key-alg-base";
}
description
"A reference to a SSH public key algorithm identifier.";
}
// Identities
identity public-key-alg-base {
description
"Base identity used to identify public key algorithms.";
}
identity ssh-dss {
base public-key-alg-base;
description
"SSH-DSS";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity ssh-rsa {
base public-key-alg-base;
description
"SSH-RSA";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity rsa-sha2-256 {
base public-key-alg-base;
description
"RSA-SHA2-256";
reference
"RFC 8332:
Use of RSA Keys with SHA-256 and SHA-512
in the Secure Shell (SSH) Protocol";
}
identity rsa-sha2-512 {
base public-key-alg-base;
description
"RSA-SHA2-512";
reference
"RFC 8332:
Use of RSA Keys with SHA-256 and SHA-512
in the Secure Shell (SSH) Protocol";
}
identity spki-sign-rsa {
base public-key-alg-base;
description
"SPKI-SIGN-RSA";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity spki-sign-dss {
base public-key-alg-base;
description
"SPKI-SIGN-DSS";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity pgp-sign-rsa {
base public-key-alg-base;
description
"PGP-SIGN-RSA";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity pgp-sign-dss {
base public-key-alg-base;
description
"PGP-SIGN-DSS";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity null {
base public-key-alg-base;
description
"NULL";
reference
"RFC 4462:
Generic Security Service Application Program Interface
(GSS-API) Authentication and Key Exchange for the
Secure Shell (SSH) Protocol";
}
identity ecdsa-sha2-nistp256 {
base public-key-alg-base;
status deprecated;
description
"ECDSA-SHA2-NISTP256 (secp256r1)";
reference
"RFC 5656:
Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer";
}
identity ecdsa-sha2-nistp384 {
base public-key-alg-base;
description
"ECDSA-SHA2-NISTP384 (secp384r1)";
reference
"RFC 5656:
Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer";
}
identity ecdsa-sha2-nistp521 {
base public-key-alg-base;
description
"ECDSA-SHA2-NISTP521 (secp521r1)";
reference
"RFC 5656:
Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer";
}
identity ecdsa-sha2-1.3.132.0.1 {
base public-key-alg-base;
description
"ECDSA-SHA2-1.3.132.0.1 (nistk163, sect163k1)";
reference
"RFC 5656:
Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer";
}
identity ecdsa-sha2-1.2.840.10045.3.1.1 {
base public-key-alg-base;
description
"ECDSA-SHA2-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
reference
"RFC 5656:
Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer";
}
identity ecdsa-sha2-1.3.132.0.33 {
base public-key-alg-base;
description
"ECDSA-SHA2-1.3.132.0.33 (nistp224, secp224r1)";
reference
"RFC 5656:
Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer";
}
identity ecdsa-sha2-1.3.132.0.26 {
base public-key-alg-base;
description
"ECDSA-SHA2-1.3.132.0.26 (nistk233, sect233k1)";
reference
"RFC 5656:
Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer";
}
identity ecdsa-sha2-1.3.132.0.27 {
base public-key-alg-base;
description
"ECDSA-SHA2-1.3.132.0.27 (nistb233, sect233r1)";
reference
"RFC 5656:
Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer";
}
identity ecdsa-sha2-1.3.132.0.16 {
base public-key-alg-base;
description
"ECDSA-SHA2-1.3.132.0.16 (nistk283, sect283k1)";
reference
"RFC 5656:
Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer";
}
identity ecdsa-sha2-1.3.132.0.36 {
base public-key-alg-base;
description
"ECDSA-SHA2-1.3.132.0.36 (nistk409, sect409k1)";
reference
"RFC 5656:
Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer";
}
identity ecdsa-sha2-1.3.132.0.37 {
base public-key-alg-base;
description
"ECDSA-SHA2-1.3.132.0.37 (nistb409, sect409r1)";
reference
"RFC 5656:
Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer";
}
identity ecdsa-sha2-1.3.132.0.38 {
base public-key-alg-base;
description
"ECDSA-SHA2-1.3.132.0.38 (nistt571, sect571k1)";
reference
"RFC 5656:
Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer";
}
identity x509v3-ssh-dss {
base public-key-alg-base;
description
"X509V3-SSH-DSS";
reference
"RFC 6187:
X.509v3 Certificates for Secure Shell Authentication";
}
identity x509v3-ssh-rsa {
base public-key-alg-base;
description
"X509V3-SSH-RSA";
reference
"RFC 6187:
X.509v3 Certificates for Secure Shell Authentication";
}
identity x509v3-rsa2048-sha256 {
base public-key-alg-base;
status deprecated;
description
"X509V3-RSA2048-SHA256";
reference
"RFC 6187:
X.509v3 Certificates for Secure Shell Authentication";
}
identity x509v3-ecdsa-sha2-nistp256 {
base public-key-alg-base;
description
"X509V3-ECDSA-SHA2-NISTP256 (secp256r1)";
reference
"RFC 6187:
X.509v3 Certificates for Secure Shell Authentication";
}
identity x509v3-ecdsa-sha2-nistp384 {
base public-key-alg-base;
description
"X509V3-ECDSA-SHA2-NISTP384 (secp384r1)";
reference
"RFC 6187:
X.509v3 Certificates for Secure Shell Authentication";
}
identity x509v3-ecdsa-sha2-nistp521 {
base public-key-alg-base;
description
"X509V3-ECDSA-SHA2-NISTP521 (secp521r1)";
reference
"RFC 6187:
X.509v3 Certificates for Secure Shell Authentication";
}
identity x509v3-ecdsa-sha2-1.3.132.0.1 {
base public-key-alg-base;
description
"X509V3-ECDSA-SHA2-1.3.132.0.1 (nistk163, sect163k1)";
reference
"RFC 6187:
X.509v3 Certificates for Secure Shell Authentication";
}
identity x509v3-ecdsa-sha2-1.2.840.10045.3.1.1 {
base public-key-alg-base;
description
"X509V3-ECDSA-SHA2-1.2.840.10045.3.1.1 (nistp192, secp192r1)";
reference
"RFC 6187:
X.509v3 Certificates for Secure Shell Authentication";
}
identity x509v3-ecdsa-sha2-1.3.132.0.33 {
base public-key-alg-base;
description
"X509V3-ECDSA-SHA2-1.3.132.0.33 (nistp224, secp224r1)";
reference
"RFC 6187:
X.509v3 Certificates for Secure Shell Authentication";
}
identity x509v3-ecdsa-sha2-1.3.132.0.26 {
base public-key-alg-base;
description
"X509V3-ECDSA-SHA2-1.3.132.0.26 (nistk233, sect233k1)";
reference
"RFC 6187:
X.509v3 Certificates for Secure Shell Authentication";
}
identity x509v3-ecdsa-sha2-1.3.132.0.27 {
base public-key-alg-base;
description
"X509V3-ECDSA-SHA2-1.3.132.0.27 (nistb233, sect233r1)";
reference
"RFC 6187:
X.509v3 Certificates for Secure Shell Authentication";
}
identity x509v3-ecdsa-sha2-1.3.132.0.16 {
base public-key-alg-base;
description
"X509V3-ECDSA-SHA2-1.3.132.0.16 (nistk283, sect283k1)";
reference
"RFC 6187:
X.509v3 Certificates for Secure Shell Authentication";
}
identity x509v3-ecdsa-sha2-1.3.132.0.36 {
base public-key-alg-base;
description
"X509V3-ECDSA-SHA2-1.3.132.0.36 (nistk409, sect409k1)";
reference
"RFC 6187:
X.509v3 Certificates for Secure Shell Authentication";
}
identity x509v3-ecdsa-sha2-1.3.132.0.37 {
base public-key-alg-base;
description
"X509V3-ECDSA-SHA2-1.3.132.0.37 (nistb409, sect409r1)";
reference
"RFC 6187:
X.509v3 Certificates for Secure Shell Authentication";
}
identity x509v3-ecdsa-sha2-1.3.132.0.38 {
base public-key-alg-base;
description
"X509V3-ECDSA-SHA2-1.3.132.0.38 (nistt571, sect571k1)";
reference
"RFC 6187:
X.509v3 Certificates for Secure Shell Authentication";
}
identity ssh-ed25519 {
base public-key-alg-base;
description
"SSH-ED25519";
reference
"RFC 8709:
Ed25519 and Ed448 Public Key Algorithms for the
Secure Shell (SSH) Protocol";
}
identity ssh-ed448 {
base public-key-alg-base;
description
"SSH-ED448";
reference
"RFC 8709:
Ed25519 and Ed448 Public Key Algorithms for the
Secure Shell (SSH) Protocol";
}
// Protocol-accessible Nodes
container supported-algorithms {
config false;
description
"A container for a list of public key algorithms
supported by the server.";
leaf-list supported-algorithm {
type public-key-algorithm-ref;
description
"A public key algorithm supported by the server.";
}
}
}
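Review bot: `ecdsa-sha2-nistp256` is the only NIST-curve identity marked `status deprecated` while `ecdsa-sha2-nistp384`, `ecdsa-sha2-nistp521` and the x509v3 variants carry no status; this looks inconsistent and should be verified against the IANA registry snapshot of June 16, 2022 before any policy is derived from it. `ssh-dss` and `ssh-rsa` are likewise unqualified although both sign with SHA-1, so consumers building a default allow-list from this module should not treat the absence of `status` as a recommendation. `identity null` (RFC 4462) is only meaningful for GSS-API key exchange and should not be exposed as a general host-key choice. The typedef description `A reference to a SSH public key algorithm identifier.` should read `an SSH`.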




@ -0,0 +1,407 @@
module ietf-keystore {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-keystore";
prefix ks;
import ietf-netconf-acm {
prefix nacm;
reference
"RFC 8341: Network Configuration Access Control Model";
}
import ietf-crypto-types {
prefix ct;
reference
"RFC AAAA: YANG Data Types and Groupings for Cryptography";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web: https://datatracker.ietf.org/wg/netconf
WG List: NETCONF WG list <mailto:netconf@ietf.org>
Author: Kent Watsen <mailto:kent+ietf@watsen.net>";
description
"This module defines a 'keystore' to centralize management
of security credentials.
Copyright (c) 2023 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC CCCC
(https://www.rfc-editor.org/info/rfcCCCC); see the RFC
itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
revision 2023-12-28 {
description
"Initial version";
reference
"RFC CCCC: A YANG Data Model for a Keystore";
}
/****************/
/* Features */
/****************/
feature central-keystore-supported {
description
"The 'central-keystore-supported' feature indicates that
the server supports the central keystore (i.e., fully
implements the 'ietf-keystore' module).";
}
feature inline-definitions-supported {
description
"The 'inline-definitions-supported' feature indicates that
the server supports locally-defined keys.";
}
feature asymmetric-keys {
description
"The 'asymmetric-keys' feature indicates that the server
implements the /keystore/asymmetric-keys subtree.";
}
feature symmetric-keys {
description
"The 'symmetric-keys' feature indicates that the server
implements the /keystore/symmetric-keys subtree.";
}
/****************/
/* Typedefs */
/****************/
typedef symmetric-key-ref {
type leafref {
path "/ks:keystore/ks:symmetric-keys/ks:symmetric-key"
+ "/ks:name";
}
description
"This typedef enables modules to easily define a reference
to a symmetric key stored in the central keystore.";
}
typedef asymmetric-key-ref {
type leafref {
path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
+ "/ks:name";
}
description
"This typedef enables modules to easily define a reference
to an asymmetric key stored in the central keystore.";
}
/*****************/
/* Groupings */
/*****************/
grouping encrypted-by-grouping {
description
"A grouping that defines a 'choice' statement that can be
augmented into the 'encrypted-by' node, present in the
'symmetric-key-grouping' and 'asymmetric-key-pair-grouping'
groupings defined in RFC AAAA, enabling references to keys
in the central keystore.";
choice encrypted-by {
nacm:default-deny-write;
mandatory true;
description
"A choice amongst other symmetric or asymmetric keys.";
case symmetric-key-ref {
if-feature "central-keystore-supported";
if-feature "symmetric-keys";
leaf symmetric-key-ref {
type ks:symmetric-key-ref;
description
"Identifies the symmetric key used to encrypt the
associated key.";
}
}
case asymmetric-key-ref {
if-feature "central-keystore-supported";
if-feature "asymmetric-keys";
leaf asymmetric-key-ref {
type ks:asymmetric-key-ref;
description
"Identifies the asymmetric key whose public key
encrypted the associated key.";
}
}
}
}
// *-ref groupings
grouping asymmetric-key-certificate-ref-grouping {
description
"Grouping for the reference to a certificate associated
with an asymmetric key stored in the central keystore.";
leaf asymmetric-key {
nacm:default-deny-write;
if-feature "central-keystore-supported";
if-feature "asymmetric-keys";
type ks:asymmetric-key-ref;
must '../certificate';
description
"A reference to an asymmetric key in the keystore.";
}
leaf certificate {
nacm:default-deny-write;
type leafref {
path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
+ "[ks:name = current()/../asymmetric-key]/"
+ "ks:certificates/ks:certificate/ks:name";
}
must '../asymmetric-key';
description
"A reference to a specific certificate of the
asymmetric key in the keystore.";
}
}
// inline-or-keystore-* groupings
grouping inline-or-keystore-symmetric-key-grouping {
description
"A grouping for the configuration of a symmetric key. The
symmetric key may be defined inline or as a reference to
a symmetric key stored in the central keystore.
Servers that do not define the 'central-keystore-supported'
feature SHOULD augment in custom 'case' statements enabling
references to alternate keystore locations.";
choice inline-or-keystore {
nacm:default-deny-write;
mandatory true;
description
"A choice between an inlined definition and a definition
that exists in the keystore.";
case inline {
if-feature "inline-definitions-supported";
container inline-definition {
description
"Container to hold the local key definition.";
uses ct:symmetric-key-grouping;
}
}
case central-keystore {
if-feature "central-keystore-supported";
if-feature "symmetric-keys";
leaf central-keystore-reference {
type ks:symmetric-key-ref;
description
"A reference to an symmetric key that exists in
the central keystore.";
}
}
}
}
grouping inline-or-keystore-asymmetric-key-grouping {
description
"A grouping for the configuration of an asymmetric key. The
asymmetric key may be defined inline or as a reference to
an asymmetric key stored in the central keystore.
Servers that do not define the 'central-keystore-supported'
feature SHOULD augment in custom 'case' statements enabling
references to alternate keystore locations.";
choice inline-or-keystore {
nacm:default-deny-write;
mandatory true;
description
"A choice between an inlined definition and a definition
that exists in the keystore.";
case inline {
if-feature "inline-definitions-supported";
container inline-definition {
description
"Container to hold the local key definition.";
uses ct:asymmetric-key-pair-grouping;
}
}
case central-keystore {
if-feature "central-keystore-supported";
if-feature "asymmetric-keys";
leaf central-keystore-reference {
type ks:asymmetric-key-ref;
description
"A reference to an asymmetric key that exists in
the central keystore. The intent is to reference
just the asymmetric key without any regard for
any certificates that may be associated with it.";
}
}
}
}
grouping inline-or-keystore-asymmetric-key-with-certs-grouping {
description
"A grouping for the configuration of an asymmetric key and
its associated certificates. The asymmetric key and its
associated certificates may be defined inline or as a
reference to an asymmetric key (and its associated
certificates) in the central keystore.
Servers that do not define the 'central-keystore-supported'
feature SHOULD augment in custom 'case' statements enabling
references to alternate keystore locations.";
choice inline-or-keystore {
nacm:default-deny-write;
mandatory true;
description
"A choice between an inlined definition and a definition
that exists in the keystore.";
case inline {
if-feature "inline-definitions-supported";
container inline-definition {
description
"Container to hold the local key definition.";
uses ct:asymmetric-key-pair-with-certs-grouping;
}
}
case central-keystore {
if-feature "central-keystore-supported";
if-feature "asymmetric-keys";
leaf central-keystore-reference {
type ks:asymmetric-key-ref;
description
"A reference to an asymmetric-key (and all of its
associated certificates) in the keystore, when
this module is implemented.";
}
}
}
}
grouping inline-or-keystore-end-entity-cert-with-key-grouping {
description
"A grouping for the configuration of an asymmetric key and
its associated end-entity certificate. The asymmetric key
and its associated end-entity certificate may be defined
inline or as a reference to an asymmetric key (and its
associated end-entity certificate) in the central keystore.
Servers that do not define the 'central-keystore-supported'
feature SHOULD augment in custom 'case' statements enabling
references to alternate keystore locations.";
choice inline-or-keystore {
nacm:default-deny-write;
mandatory true;
description
"A choice between an inlined definition and a definition
that exists in the keystore.";
case inline {
if-feature "inline-definitions-supported";
container inline-definition {
description
"Container to hold the local key definition.";
uses ct:asymmetric-key-pair-with-cert-grouping;
}
}
case central-keystore {
if-feature "central-keystore-supported";
if-feature "asymmetric-keys";
container central-keystore-reference {
uses asymmetric-key-certificate-ref-grouping;
description
"A reference to a specific certificate associated with
an asymmetric key stored in the central keystore.";
}
}
}
}
// the keystore grouping
grouping keystore-grouping {
description
"Grouping definition enables use in other contexts. If ever
done, implementations MUST augment new 'case' statements
into the various inline-or-keystore 'choice' statements to
supply leafrefs to the model-specific location(s).";
container asymmetric-keys {
nacm:default-deny-write;
if-feature "asymmetric-keys";
description
"A list of asymmetric keys.";
list asymmetric-key {
key "name";
description
"An asymmetric key.";
leaf name {
type string;
description
"An arbitrary name for the asymmetric key.";
}
uses ct:asymmetric-key-pair-with-certs-grouping;
}
}
container symmetric-keys {
nacm:default-deny-write;
if-feature "symmetric-keys";
description
"A list of symmetric keys.";
list symmetric-key {
key "name";
description
"A symmetric key.";
leaf name {
type string;
description
"An arbitrary name for the symmetric key.";
}
uses ct:symmetric-key-grouping;
}
}
}
/*********************************/
/* Protocol accessible nodes */
/*********************************/
container keystore {
if-feature central-keystore-supported;
description
"A central keystore containing a list of symmetric keys and
a list of asymmetric keys.";
nacm:default-deny-write;
uses keystore-grouping {
augment "symmetric-keys/symmetric-key/key-type/encrypted-key/"
+ "encrypted-key/encrypted-by" {
description
"Augments in a choice statement enabling the encrypting
key to be any other symmetric or asymmetric key in the
central keystore.";
uses encrypted-by-grouping;
}
augment "asymmetric-keys/asymmetric-key/private-key-type/"
+ "encrypted-private-key/encrypted-private-key/"
+ "encrypted-by" {
description
"Augments in a choice statement enabling the encrypting
key to be any other symmetric or asymmetric key in the
central keystore.";
uses encrypted-by-grouping;
}
}
}
}


@ -0,0 +1,685 @@
module ietf-netconf-server {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server";
prefix ncs;
import ietf-yang-types {
prefix yang;
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-x509-cert-to-name {
prefix x509c2n;
reference
"RFC 7407: A YANG Data Model for SNMP Configuration";
}
import ietf-tcp-client {
prefix tcpc;
reference
"RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
}
import ietf-tcp-server {
prefix tcps;
reference
"RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
}
import ietf-ssh-common {
prefix sshcmn;
reference
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
}
import ietf-ssh-server {
prefix sshs;
reference
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
}
import ietf-tls-server {
prefix tlss;
reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web: https://datatracker.ietf.org/wg/netconf
WG List: NETCONF WG list <mailto:netconf@ietf.org>
Author: Kent Watsen <mailto:kent+ietf@watsen.net>";
description
"This module contains a collection of YANG definitions
for configuring NETCONF servers.
Copyright (c) 2023 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC HHHH
(https://www.rfc-editor.org/info/rfcHHHH); see the RFC
itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
revision 2023-12-28 {
description
"Initial version";
reference
"RFC HHHH: NETCONF Client and Server Models";
}
// Features
feature ssh-listen {
description
"The 'ssh-listen' feature indicates that the NETCONF server
supports opening a port to accept NETCONF over SSH
client connections.";
reference
"RFC 6242:
Using the NETCONF Protocol over Secure Shell (SSH)";
}
feature tls-listen {
description
"The 'tls-listen' feature indicates that the NETCONF server
supports opening a port to accept NETCONF over TLS
client connections.";
reference
"RFC 7589: Using the NETCONF Protocol over Transport
Layer Security (TLS) with Mutual X.509
Authentication";
}
feature ssh-call-home {
description
"The 'ssh-call-home' feature indicates that the NETCONF
server supports initiating a NETCONF over SSH call
home connection to NETCONF clients.";
reference
"RFC 8071: NETCONF Call Home and RESTCONF Call Home";
}
feature tls-call-home {
description
"The 'tls-call-home' feature indicates that the NETCONF
server supports initiating a NETCONF over TLS call
home connection to NETCONF clients.";
reference
"RFC 8071: NETCONF Call Home and RESTCONF Call Home";
}
feature central-netconf-server-supported {
description
"The 'central-netconf-server-supported' feature indicates
that the server supports the top-level 'netconf-server'
node.
This feature is needed as some servers may want to use
features defined in this module, which requires this
module to be implemented, without having to support
the top-level 'netconf-server' node.";
}
// Groupings
grouping netconf-server-grouping {
description
"A reusable grouping for configuring a NETCONF server
without any consideration for how underlying transport
sessions are established.
Note that this grouping uses a fairly typical descendant
node name such that a stack of 'uses' statements will
have name conflicts. It is intended that the consuming
data model will resolve the issue by wrapping the 'uses'
statement in a container called, e.g.,
'netconf-server-parameters'. This model purposely does
not do this itself so as to provide maximum flexibility
to consuming models.";
container client-identity-mappings {
description
"Specifies mappings through which NETCONF client X.509
certificates are used to determine a NETCONF username,
per RFC 7407.
For TLS-based transports, if no matching and valid
cert-to-name list entry can be found, then the NETCONF
server MUST close the connection, and MUST NOT accept
NETCONF messages over it, per Section 7 in RFC 7589.
For SSH-based transports, a matching cert-to-name
entry overrides the username provided by the SSH
implementation, consistent with the second paragraph
of Section 3 in RFC 6242.";
reference
"RFC 6242:
Using the NETCONF Protocol over Secure Shell (SSH)
RFC 7589:
Using the NETCONF Protocol over Transport Layer
Security (TLS) with Mutual X.509 Authentication";
uses x509c2n:cert-to-name {
refine "cert-to-name/fingerprint" {
mandatory false;
description
"A 'fingerprint' value does not need to be specified
when the 'cert-to-name' mapping is independent of
fingerprint matching. A 'cert-to-name' having no
fingerprint value will match any client certificate
and therefore should only be present at the end of
the user-ordered 'cert-to-name' list.";
}
}
}
}
grouping netconf-server-listen-stack-grouping {
description
"A reusable grouping for configuring a NETCONF server
'listen' protocol stack for listening on a single port.";
choice transport {
mandatory true;
description
"Selects between available transports.";
case ssh {
if-feature "ssh-listen";
container ssh {
description
"TCP, SSH, and NETCONF configuration to listen
for NETCONF over SSH connections.";
container tcp-server-parameters {
description
"TCP-level server parameters to listen
for NETCONF over SSH connections.";
uses tcps:tcp-server-grouping {
refine "local-port" {
default "830";
description
"The NETCONF server will listen on the
IANA-assigned well-known port value
for 'netconf-ssh' (830) if no value
is specified.";
}
}
}
container ssh-server-parameters {
description
"SSH-level server parameters to listen
for NETCONF over SSH connections.";
uses sshs:ssh-server-grouping;
}
container netconf-server-parameters {
description
"NETCONF-level server parameters to listen
for NETCONF over SSH connections.";
uses ncs:netconf-server-grouping {
refine "client-identity-mappings" {
if-feature "sshcmn:ssh-x509-certs";
description
"Adds in an 'if-feature' statement
ensuring the 'client-identity-mappings'
descendant is enabled only when SSH
supports X.509 certificates.";
}
augment "client-identity-mappings" {
description
"Adds a flag indicating if a cert-to-name
is required.";
leaf mapping-required {
type boolean;
description
"Indicates that the cert-to-name mapping
is required (i.e., the SSH-level username
is ignored).";
}
}
}
}
}
}
case tls {
if-feature "tls-listen";
container tls {
description
"TCP, TLS, and NETCONF configuration to listen
for NETCONF over TLS connections.";
container tcp-server-parameters {
description
"TCP-level server parameters to listen
for NETCONF over TLS connections.";
uses tcps:tcp-server-grouping {
refine "local-port" {
default "6513";
description
"The NETCONF server will listen on the
IANA-assigned well-known port value
for 'netconf-tls' (6513) if no value
is specified.";
}
}
}
container tls-server-parameters {
description
"TLS-level server parameters to listen
for NETCONF over TLS connections.";
uses tlss:tls-server-grouping {
refine "client-authentication" {
must 'ca-certs or ee-certs';
description
"NETCONF/TLS servers MUST validate client
certificates. This configures certificates
at the socket-level (i.e. bags). More
discriminating client-certificate checks
SHOULD be implemented by the application.";
reference
"RFC 7589:
Using the NETCONF Protocol over Transport Layer
Security (TLS) with Mutual X.509 Authentication";
}
}
}
container netconf-server-parameters {
description
"NETCONF-level server parameters to listen
for NETCONF over TLS connections.";
uses ncs:netconf-server-grouping {
refine "client-identity-mappings/cert-to-name" {
min-elements 1;
description
"The TLS transport requires a mapping.";
}
}
}
}
}
}
}
grouping netconf-server-callhome-stack-grouping {
description
"A reusable grouping for configuring a NETCONF server
'call-home' protocol stack, for a single outbound
connection.";
choice transport {
mandatory true;
description
"Selects between available transports.";
case ssh {
if-feature "ssh-call-home";
container ssh {
description
"TCP, SSH, and NETCONF configuration to initiate
a NETCONF over SSH Call Home connection.";
container tcp-client-parameters {
description
"TCP-level client parameters to initiate a
NETCONF over SSH Call Home connection.";
uses tcpc:tcp-client-grouping {
refine "remote-port" {
default "4334";
description
"The NETCONF server will attempt to connect
to the IANA-assigned well-known port for
'netconf-ch-ssh' (4334) if no value is
specified.";
}
}
}
container ssh-server-parameters {
description
"SSH-level server parameters to initiate a
NETCONF over SSH Call Home connection.";
uses sshs:ssh-server-grouping;
}
container netconf-server-parameters {
description
"NETCONF-level server parameters to initiate a
NETCONF over SSH Call Home connection.";
uses ncs:netconf-server-grouping {
refine "client-identity-mappings" {
if-feature "sshcmn:ssh-x509-certs";
description
"Adds in an 'if-feature' statement
ensuring the 'client-identity-mappings'
descendant is enabled only when SSH
supports X.509 certificates.";
}
augment "client-identity-mappings" {
description
"Adds a flag indicating if a cert-to-name
is required.";
leaf mapping-required {
type boolean;
description
"Indicates that the cert-to-name mapping
is required (i.e., the SSH-level username
is ignored).";
}
}
}
}
}
}
case tls {
if-feature "tls-call-home";
container tls {
description
"TCP, TLS, and NETCONF configuration to initiate
a NETCONF over TLS Call Home connection.";
container tcp-client-parameters {
description
"TCP-level client parameters to initiate a
NETCONF over TLS Call Home connection.";
uses tcpc:tcp-client-grouping {
refine "remote-port" {
default "4335";
description
"The NETCONF server will attempt to connect
to the IANA-assigned well-known port for
'netconf-ch-tls' (4335) if no value is
specified.";
}
}
}
container tls-server-parameters {
description
"TLS-level server parameters to initiate a
NETCONF over TLS Call Home connection.";
uses tlss:tls-server-grouping {
refine "client-authentication" {
must 'ca-certs or ee-certs';
description
"NETCONF/TLS servers MUST validate client
certificates. This configures certificates
at the socket-level (i.e. bags). More
discriminating client-certificate checks
SHOULD be implemented by the application.";
reference
"RFC 7589:
Using the NETCONF Protocol over Transport Layer
Security (TLS) with Mutual X.509 Authentication";
}
}
}
container netconf-server-parameters {
description
"NETCONF-level server parameters to initiate a
NETCONF over TLS Call Home connection.";
uses ncs:netconf-server-grouping {
refine "client-identity-mappings/cert-to-name" {
min-elements 1;
description
"The TLS transport requires a mapping.";
}
}
}
}
}
}
}
grouping netconf-server-app-grouping {
description
"A reusable grouping for configuring a NETCONF server
application that supports both 'listen' and 'call-home'
protocol stacks for a multiplicity of connections.";
container listen {
if-feature "ssh-listen or tls-listen";
presence
"Indicates that server-listening ports have been configured.
This statement is present so the mandatory descendant
nodes do not imply that this node must be configured.";
description
"Configures listen behavior";
leaf idle-timeout {
type uint16;
units "seconds";
default "180"; // three minutes
description
"Specifies the maximum number of seconds that a NETCONF
session may remain idle. A NETCONF session will be
dropped if it is idle for an interval longer than this
number of seconds. If set to zero, then the server
will never drop a session because it is idle.";
}
container endpoints {
description
"Container for a list of endpoints.";
list endpoint {
key "name";
min-elements 1;
description
"List of endpoints to listen for NETCONF connections.";
leaf name {
type string;
description
"An arbitrary name for the NETCONF listen endpoint.";
}
uses netconf-server-listen-stack-grouping;
}
}
}
container call-home {
if-feature "ssh-call-home or tls-call-home";
presence
"Indicates that server-initiated call home connections have
been configured. This statement is present so the mandatory
descendant nodes do not imply that this node must be
configured.";
description
"Configures the NETCONF server to initiate the underlying
transport connection to NETCONF clients.";
list netconf-client {
key "name";
min-elements 1;
description
"List of NETCONF clients the NETCONF server is to
maintain simultaneous call-home connections with.";
leaf name {
type string;
description
"An arbitrary name for the remote NETCONF client.";
}
container endpoints {
description
"Container for the list of endpoints.";
list endpoint {
key "name";
min-elements 1;
ordered-by user;
description
"A non-empty user-ordered list of endpoints for this
NETCONF server to try to connect to in sequence.
Defining more than one enables high-availability.";
leaf name {
type string;
description
"An arbitrary name for this endpoint.";
}
uses netconf-server-callhome-stack-grouping;
}
}
container connection-type {
description
"Indicates the NETCONF server's preference for how the
NETCONF connection is maintained.";
choice connection-type {
mandatory true;
description
"Selects between available connection types.";
case persistent-connection {
container persistent {
presence
"Indicates that a persistent connection is to be
maintained.";
description
"Maintain a persistent connection to the NETCONF
client. If the connection goes down, immediately
start trying to reconnect to the NETCONF client,
using the reconnection strategy.
This connection type minimizes any NETCONF client
to NETCONF server data-transfer delay, albeit at
the expense of holding resources longer.";
}
}
case periodic-connection {
container periodic {
presence "Indicates that a periodic connection is
to be maintained.";
description
"Periodically connect to the NETCONF client.
This connection type decreases resource
utilization, albeit with increased delay in
NETCONF client to NETCONF server interactions.
The NETCONF client SHOULD gracefully close the
connection using <close-session> upon completing
planned activities. If the NETCONF session is
not closed gracefully, the NETCONF server MUST
immediately attempt to reestablish the connection.
Connections are established at the same start
time regardless how long the previous connection
stayed open.
In the case that the previous connection is still
active (i.e., the NETCONF client has not closed
it yet), establishing a new connection is NOT
RECOMMENDED.";
leaf period {
type uint16;
units "minutes";
default "60";
description
"Duration of time between periodic connections.";
}
leaf anchor-time {
type yang:date-and-time {
// constrained to minute-level granularity
pattern '[0-9]{4}-(1[0-2]|0[1-9])-(0[1-9]|[1-2]'
+ '[0-9]|3[0-1])T(0[0-9]|1[0-9]|2[0-3]):['
+ '0-5][0-9]:00(Z|[\+\-]((1[0-3]|0[0-9]):'
+ '([0-5][0-9])|14:00))?';
}
description
"Designates a timestamp before or after which a
series of periodic connections are determined.
The periodic connections occur at a whole
multiple interval from the anchor time.
If an 'anchor-time' is not provided, then the
server may implicitly set it to the time when
this configuraton is applied (e.g., on boot).
For example, for an anchor time is 15 minutes
past midnight and a period interval of 24 hours,
then a periodic connection will occur 15 minutes
past midnight everyday.";
}
leaf idle-timeout {
type uint16;
units "seconds";
default "180"; // three minutes
description
"Specifies the maximum number of seconds that
a NETCONF session may remain idle. A NETCONF
session will be dropped if it is idle for an
interval longer than this number of seconds.
If set to zero, then the server will never
drop a session because it is idle.";
}
}
} // case periodic-connection
} // choice connection-type
} // container connection-type
container reconnect-strategy {
description
"The reconnection strategy directs how a NETCONF server
reconnects to a NETCONF client, after discovering its
connection to the client has dropped, even if due to a
reboot. The NETCONF server starts with the specified
endpoint and tries to connect to it max-attempts times
before trying the next endpoint in the list (round
robin).";
leaf start-with {
type enumeration {
enum first-listed {
description
"Indicates that reconnections should start with
the first endpoint listed.";
}
enum last-connected {
description
"Indicates that reconnections should start with
the endpoint last connected to. If no previous
connection has ever been established, then the
first endpoint configured is used. NETCONF
servers SHOULD be able to remember the last
endpoint connected to across reboots.";
}
enum random-selection {
description
"Indicates that reconnections should start with
a random endpoint.";
}
}
default "first-listed";
description
"Specifies which of the NETCONF client's endpoints
the NETCONF server should start with when trying
to connect to the NETCONF client.";
}
leaf max-wait {
type uint16 {
range "1..max";
}
units "seconds";
default "5";
description
"Specifies the amount of time in seconds after which,
if the connection is not established, an endpoint
connection attempt is considered unsuccessful.";
}
leaf max-attempts {
type uint8 {
range "1..max";
}
default "3";
description
"Specifies the number times the NETCONF server tries
to connect to a specific endpoint before moving on
to the next endpoint in the list (round robin).";
}
} // container reconnect-strategy
} // list netconf-client
} // container call-home
} // grouping netconf-server-app-grouping
// Protocol accessible node for servers that implement this module.
container netconf-server {
if-feature central-netconf-server-supported;
uses netconf-server-app-grouping;
description
"Top-level container for NETCONF server configuration.";
}
}
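Review bot: The module header of this file is a draft snapshot rather than a published module — `revision 2023-12-28 { description "Initial version"; reference "RFC HHHH: NETCONF Client and Server Models"; }` plus the "RFC DDDD", "RFC EEEE" and "RFC FFFF" import references are unresolved RFC Editor placeholders, and the same placeholders appear in the ietf-ssh-common and ietf-ssh-server sections below. Nothing in the commit records which Internet-Draft revision each module was copied from, so when the RFC-published modules land (presumably with a different revision date and possibly renamed nodes) it will be hard to tell which draft a deployed configuration was validated against. I would add a provenance note alongside the modules, for example a README entry or a `// Source: <draft-name-and-version>, copied unmodified` comment at the top of each file, with the draft name and version filled in (a placeholder here since the page does not show it).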


@ -0,0 +1,261 @@
module ietf-ssh-common {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-common";
prefix sshcmn;
import iana-ssh-encryption-algs {
prefix sshea;
reference
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
}
import iana-ssh-key-exchange-algs {
prefix sshkea;
reference
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
}
import iana-ssh-mac-algs {
prefix sshma;
reference
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
}
import iana-ssh-public-key-algs {
prefix sshpka;
reference
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
}
import ietf-crypto-types {
prefix ct;
reference
"RFC AAAA: YANG Data Types and Groupings for Cryptography";
}
import ietf-keystore {
prefix ks;
reference
"RFC CCCC: A YANG Data Model for a Keystore";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web: https://datatracker.ietf.org/wg/netconf
WG List: NETCONF WG list <mailto:netconf@ietf.org>
Author: Kent Watsen <mailto:kent+ietf@watsen.net>
Author: Gary Wu <mailto:garywu@cisco.com>";
description
"This module defines a common features and groupings for
Secure Shell (SSH).
Copyright (c) 2023 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC EEEE
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC
itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
revision 2023-12-28 {
description
"Initial version";
reference
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
}
// Features
feature ssh-x509-certs {
description
"X.509v3 certificates are supported for SSH.";
reference
"RFC 6187: X.509v3 Certificates for Secure Shell
Authentication";
}
feature transport-params {
description
"SSH transport layer parameters are configurable.";
}
feature public-key-generation {
description
"Indicates that the server implements the
'generate-public-key' RPC.";
}
// Groupings
grouping transport-params-grouping {
description
"A reusable grouping for SSH transport parameters.";
reference
"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
container host-key {
description
"Parameters regarding host key.";
leaf-list host-key-alg {
type identityref {
base sshpka:public-key-alg-base;
}
ordered-by user;
description
"Acceptable host key algorithms in order of decreasing
preference.
If this leaf-list is not configured (has zero elements)
the acceptable host key algorithms are implementation-
defined.";
reference
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
}
}
container key-exchange {
description
"Parameters regarding key exchange.";
leaf-list key-exchange-alg {
type identityref {
base sshkea:key-exchange-alg-base;
}
ordered-by user;
description
"Acceptable key exchange algorithms in order of decreasing
preference.
If this leaf-list is not configured (has zero elements)
the acceptable key exchange algorithms are implementation
defined.";
}
}
container encryption {
description
"Parameters regarding encryption.";
leaf-list encryption-alg {
type identityref {
base sshea:encryption-alg-base;
}
ordered-by user;
description
"Acceptable encryption algorithms in order of decreasing
preference.
If this leaf-list is not configured (has zero elements)
the acceptable encryption algorithms are implementation
defined.";
}
}
container mac {
description
"Parameters regarding message authentication code (MAC).";
leaf-list mac-alg {
type identityref {
base sshma:mac-alg-base;
}
ordered-by user;
description
"Acceptable MAC algorithms in order of decreasing
preference.
If this leaf-list is not configured (has zero elements)
the acceptable MAC algorithms are implementation-
defined.";
}
}
}
// Protocol-accessible Nodes
rpc generate-public-key {
if-feature "public-key-generation";
description
"Requests the device to generate an public key using
the specified key algorithm.";
input {
leaf algorithm {
type sshpka:public-key-algorithm-ref;
mandatory true;
description
"The algorithm to be used when generating the key.";
}
leaf num-bits {
type uint16;
description
"Specifies the number of bits in the key to create.
For RSA keys, the minimum size is 1024 bits and
the default is 3072 bits. Generally, 3072 bits is
considered sufficient. DSA keys must be exactly 1024
bits as specified by FIPS 186-6. For ECDSA keys, the
'num-bits' value determines the key length by selecting
from one of three elliptic curve sizes: 256, 384 or
521 bits. Attempting to use bit lengths other than
these three values for ECDSA keys will fail. ECDSA-SK,
Ed25519 and Ed25519-SK keys have a fixed length and
thus the 'num-bits' value is not specified.";
reference
"FIPS 186-6: Digital Signature Standard (DSS)";
}
container private-key-encoding {
description
"Indicates how the private key is to be encoded.";
choice private-key-encoding {
mandatory true;
description
"A choice amongst optional private key handling.";
case cleartext {
if-feature "ct:cleartext-private-keys";
leaf cleartext {
type empty;
description
"Indicates that the private key is to be returned
as a cleartext value.";
}
}
case encrypted {
if-feature "ct:encrypted-private-keys";
container encrypted {
description
"Indicates that the private key is to be encrypted
using the specified symmetric or asymmetric key.";
uses ks:encrypted-by-grouping;
}
}
case hidden {
if-feature "ct:hidden-private-keys";
leaf hidden {
type empty;
description
"Indicates that the private key is to be hidden.
Unlike the 'cleartext' and 'encrypt' options, the
key returned is a placeholder for an internally
stored key. See the 'Support for Built-in Keys'
section in RFC CCCC for information about hidden
keys.";
}
}
}
}
}
output {
uses ct:asymmetric-key-pair-grouping;
}
} // end generate-public-key
}


@ -0,0 +1,425 @@
module ietf-ssh-server {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server";
prefix sshs;
import iana-crypt-hash {
prefix ianach;
reference
"RFC 7317: A YANG Data Model for System Management";
}
import ietf-netconf-acm {
prefix nacm;
reference
"RFC 8341: Network Configuration Access Control Model";
}
import ietf-crypto-types {
prefix ct;
reference
"RFC AAAA: YANG Data Types and Groupings for Cryptography";
}
import ietf-truststore {
prefix ts;
reference
"RFC BBBB: A YANG Data Model for a Truststore";
}
import ietf-keystore {
prefix ks;
reference
"RFC CCCC: A YANG Data Model for a Keystore";
}
import ietf-ssh-common {
prefix sshcmn;
reference
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web: https://datatracker.ietf.org/wg/netconf
WG List: NETCONF WG list <mailto:netconf@ietf.org>
Author: Kent Watsen <mailto:kent+ietf@watsen.net>";
description
"This module defines a reusable grouping for SSH servers that
can be used as a basis for specific SSH server instances.
Copyright (c) 2023 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC EEEE
(https://www.rfc-editor.org/info/rfcEEEE); see the RFC
itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
revision 2023-12-28 {
description
"Initial version";
reference
"RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";
}
// Features
feature ssh-server-keepalives {
description
"Per socket SSH keepalive parameters are configurable for
SSH servers on the server implementing this feature.";
}
feature local-users-supported {
description
"Indicates that the configuration for users can be
configured herein, as opposed to in an application
specific location.";
}
feature local-user-auth-publickey {
if-feature "local-users-supported";
description
"Indicates that the 'publickey' authentication type,
per RFC 4252, is supported for locally-defined users.
The 'publickey' authentication type is required by
RFC 4252, but common implementations allow it to
be disabled.";
reference
"RFC 4252:
The Secure Shell (SSH) Authentication Protocol";
}
feature local-user-auth-password {
if-feature "local-users-supported";
description
"Indicates that the 'password' authentication type,
per RFC 4252, is supported for locally-defined users.";
reference
"RFC 4252:
The Secure Shell (SSH) Authentication Protocol";
}
feature local-user-auth-hostbased {
if-feature "local-users-supported";
description
"Indicates that the 'hostbased' authentication type,
per RFC 4252, is supported for locally-defined users.";
reference
"RFC 4252:
The Secure Shell (SSH) Authentication Protocol";
}
feature local-user-auth-none {
if-feature "local-users-supported";
description
"Indicates that the 'none' authentication type, per
RFC 4252, is supported. It is NOT RECOMMENDED to
enable this feature.";
reference
"RFC 4252:
The Secure Shell (SSH) Authentication Protocol";
}
// Groupings
grouping ssh-server-grouping {
description
"A reusable grouping for configuring a SSH server without
any consideration for how underlying TCP sessions are
established.
Note that this grouping uses fairly typical descendant
node names such that a nesting of 'uses' statements will
have name conflicts. It is intended that the consuming
data model will resolve the issue (e.g., by wrapping
the 'uses' statement in a container called
'ssh-server-parameters'). This model purposely does
not do this itself so as to provide maximum flexibility
to consuming models.";
container server-identity {
nacm:default-deny-write;
description
"The list of host keys the SSH server will present when
establishing a SSH connection.";
list host-key {
key "name";
min-elements 1;
ordered-by user;
description
"An ordered list of host keys (see RFC 4251) the SSH
server will use to construct its ordered list of
algorithms, when sending its SSH_MSG_KEXINIT message,
as defined in Section 7.1 of RFC 4253.";
reference
"RFC 4251: The Secure Shell (SSH) Protocol Architecture
RFC 4253: The Secure Shell (SSH) Transport Layer
Protocol";
leaf name {
type string;
description
"An arbitrary name for this host key";
}
choice host-key-type {
mandatory true;
description
"The type of host key being specified";
container public-key {
description
"A locally-defined or referenced asymmetric key pair
to be used for the SSH server's host key.";
reference
"RFC CCCC: A YANG Data Model for a Keystore";
uses ks:inline-or-keystore-asymmetric-key-grouping {
refine "inline-or-keystore/inline/inline-definition" {
must 'not(public-key-format) or derived-from-or-self'
+ '(public-key-format, "ct:ssh-public-key-format")';
}
refine "inline-or-keystore/central-keystore/"
+ "central-keystore-reference" {
must 'not(deref(.)/../ks:public-key-format) or '
+ 'derived-from-or-self(deref(.)/../ks:public-'
+ 'key-format, "ct:ssh-public-key-format")';
}
}
}
container certificate {
if-feature "sshcmn:ssh-x509-certs";
description
"A locally-defined or referenced end-entity
certificate to be used for the SSH server's
host key.";
reference
"RFC CCCC: A YANG Data Model for a Keystore";
uses
ks:inline-or-keystore-end-entity-cert-with-key-grouping{
refine "inline-or-keystore/inline/inline-definition" {
must 'not(public-key-format) or derived-from-or-self'
+ '(public-key-format, "ct:subject-public-key-'
+ 'info-format")';
}
refine "inline-or-keystore/central-keystore/"
+ "central-keystore-reference/asymmetric-key" {
must 'not(deref(.)/../ks:public-key-format) or '
+ 'derived-from-or-self(deref(.)/../ks:public-key'
+ '-format, "ct:subject-public-key-info-format")';
}
}
}
}
}
} // container server-identity
container client-authentication {
nacm:default-deny-write;
description
"Specifies how the SSH server can be configured to
authenticate SSH clients. See RFC 4252 for a general
discussion about SSH authentication.";
reference
"RFC 4252: The Secure Shell (SSH) Transport Layer";
container users {
if-feature "local-users-supported";
description
"A list of locally configured users.";
list user {
key "name";
description
"A locally configured user.
The server SHOULD derive the list of authentication
'method names' returned to the SSH client from the
descendant nodes configured herein, per Sections
5.1 and 5.2 in RFC 4252.
The authentication methods are unordered. Clients
must authenticate to all configured methods.
Whenever a choice amongst methods arises,
implementations SHOULD use a default ordering
that prioritizes automation over human-interaction.";
leaf name {
type string;
description
"The 'user name' for the SSH client, as defined in
the SSH_MSG_USERAUTH_REQUEST message in RFC 4253.";
reference
"RFC 4253: The Secure Shell (SSH) Transport Layer
Protocol";
}
container public-keys {
if-feature "local-user-auth-publickey";
presence
"Indicates that public keys have been configured.
This statement is present so the mandatory descendant
nodes do not imply that this node must be
configured.";
description
"A set of SSH public keys may be used by the SSH
server to authenticate this user. A user is
authenticated if its public key is an exact
match to a configured public key.";
reference
"RFC BBBB: A YANG Data Model for a Truststore";
uses ts:inline-or-truststore-public-keys-grouping {
refine "inline-or-truststore/inline/inline-definition/"
+ "public-key" {
must 'derived-from-or-self(public-key-format,'
+ ' "ct:ssh-public-key-format")';
}
refine "inline-or-truststore/central-truststore/"
+ "central-truststore-reference" {
must 'not(deref(.)/../ts:public-key/ts:public-key-'
+ 'format[not(derived-from-or-self(., "ct:ssh-'
+ 'public-key-format"))])';
}
}
}
leaf password {
if-feature "local-user-auth-password";
type ianach:crypt-hash;
description
"The password for this user.";
}
container hostbased {
if-feature "local-user-auth-hostbased";
presence
"Indicates that hostbased [RFC4252] keys have been
configured. This statement is present so the
mandatory descendant nodes do not imply that this
node must be configured.";
description
"A set of SSH host keys used by the SSH server to
authenticate this user's host. A user's host is
authenticated if its host key is an exact match
to a configured host key.";
reference
"RFC 4252: The Secure Shell (SSH) Transport Layer
RFC BBBB: A YANG Data Model for a Truststore";
uses ts:inline-or-truststore-public-keys-grouping {
refine "inline-or-truststore/inline/inline-definition/"
+ "public-key" {
must 'derived-from-or-self(public-key-format,'
+ ' "ct:ssh-public-key-format")';
}
refine "inline-or-truststore/central-truststore/"
+ "central-truststore-reference" {
must 'not(deref(.)/../ts:public-key/ts:public-key-'
+ 'format[not(derived-from-or-self(., "ct:ssh-'
+ 'public-key-format"))])';
}
}
}
leaf none {
if-feature "local-user-auth-none";
type empty;
description
"Indicates that the 'none' method is configured
for this user.";
reference
"RFC 4252: The Secure Shell (SSH) Authentication
Protocol.";
}
}
} // users
container ca-certs {
if-feature "sshcmn:ssh-x509-certs";
presence
"Indicates that CA certificates have been configured.
This statement is present so the mandatory descendant
nodes do not imply this node must be configured.";
description
"A set of certificate authority (CA) certificates used by
the SSH server to authenticate SSH client certificates.
A client certificate is authenticated if it has a valid
chain of trust to a configured CA certificate.";
reference
"RFC BBBB: A YANG Data Model for a Truststore";
uses ts:inline-or-truststore-certs-grouping;
}
container ee-certs {
if-feature "sshcmn:ssh-x509-certs";
presence
"Indicates that EE certificates have been configured.
This statement is present so the mandatory descendant
nodes do not imply this node must be configured.";
description
"A set of client certificates (i.e., end entity
certificates) used by the SSH server to authenticate
the certificates presented by SSH clients. A client
certificate is authenticated if it is an exact match
to a configured end-entity certificate.";
reference
"RFC BBBB: A YANG Data Model for a Truststore";
uses ts:inline-or-truststore-certs-grouping;
}
} // container client-authentication
container transport-params {
nacm:default-deny-write;
if-feature "sshcmn:transport-params";
description
"Configurable parameters of the SSH transport layer.";
uses sshcmn:transport-params-grouping;
} // container transport-params
container keepalives {
nacm:default-deny-write;
if-feature "ssh-server-keepalives";
presence
"Indicates that the SSH server proactively tests the
aliveness of the remote SSH client.";
description
"Configures the keep-alive policy, to proactively test
the aliveness of the SSH client. An unresponsive SSH
client is dropped after approximately max-wait *
max-attempts seconds. Per Section 4 of RFC 4254,
the SSH server SHOULD send an SSH_MSG_GLOBAL_REQUEST
message with a purposely nonexistent 'request name'
value (e.g., keepalive@ietf.org) and the 'want reply'
value set to '1'.";
reference
"RFC 4254: The Secure Shell (SSH) Connection Protocol";
leaf max-wait {
type uint16 {
range "1..max";
}
units "seconds";
default "30";
description
"Sets the amount of time in seconds after which
if no data has been received from the SSH client,
a SSH-level message will be sent to test the
aliveness of the SSH client.";
}
leaf max-attempts {
type uint8;
default "3";
description
"Sets the maximum number of sequential keep-alive
messages that can fail to obtain a response from
the SSH client before assuming the SSH client is
no longer alive.";
}
}
} // grouping ssh-server-grouping
}


@ -0,0 +1,326 @@
module ietf-tcp-client {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tcp-client";
prefix tcpc;
import ietf-inet-types {
prefix inet;
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-crypto-types {
prefix ct;
reference
"RFC AAAA: YANG Data Types and Groupings for Cryptography";
}
import ietf-tcp-common {
prefix tcpcmn;
reference
"RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
}
organization
"IETF NETCONF (Network Configuration) Working Group and the
IETF TCP Maintenance and Minor Extensions (TCPM) Working Group";
contact
"WG Web: https://datatracker.ietf.org/wg/netconf
https://datatracker.ietf.org/wg/tcpm
WG List: NETCONF WG list <mailto:netconf@ietf.org>
TCPM WG list <mailto:tcpm@ietf.org>
Authors: Kent Watsen <mailto:kent+ietf@watsen.net>
Michael Scharf
<mailto:michael.scharf@hs-esslingen.de>";
description
"This module defines reusable groupings for TCP clients that
can be used as a basis for specific TCP client instances.
Copyright (c) 2023 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC DDDD
(https://www.rfc-editor.org/info/rfcDDDD); see the RFC
itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
revision 2023-12-28 {
description
"Initial version";
reference
"RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
}
// Features
feature local-binding-supported {
description
"Indicates that the server supports configuring local
bindings (i.e., the local address and local port) for
TCP clients.";
}
feature tcp-client-keepalives {
description
"Per socket TCP keepalive parameters are configurable for
TCP clients on the server implementing this feature.";
reference
"RFC 9293: Transmission Control Protocol (TCP)";
}
feature proxy-connect {
description
"Proxy connection configuration is configurable for
TCP clients on the server implementing this feature.
Currently supports SOCKS 4, SOCKS 4a, and SOCKS 5.";
reference
"SOCKS Proceedings:
1992 Usenix Security Symposium.
OpenSSH message:
SOCKS 4A: A Simple Extension to SOCKS 4 Protocol
https://www.openssh.com/txt/socks4a.protocol
RFC 1928:
SOCKS Protocol Version 5";
}
feature socks5-gss-api {
description
"Indicates that the server, when acting as a TCP-client,
supports authenticating to a SOCKS Version 5 proxy server
using GSSAPI credentials.";
reference
"RFC 1928: SOCKS Protocol Version 5";
}
feature socks5-username-password {
description
"Indicates that the server, when acting as a TCP-client,
supports authenticating to a SOCKS Version 5 proxy server
using 'username' and 'password' credentials.";
reference
"RFC 1928: SOCKS Protocol Version 5";
}
// Groupings
grouping tcp-client-grouping {
description
"A reusable grouping for configuring a TCP client.
Note that this grouping uses fairly typical descendant
node names such that a stack of 'uses' statements will
have name conflicts. It is intended that the consuming
data model will resolve the issue (e.g., by wrapping
the 'uses' statement in a container called
'tcp-client-parameters'). This model purposely does
not do this itself so as to provide maximum flexibility
to consuming models.";
leaf remote-address {
type inet:host;
mandatory true;
description
"The IP address or hostname of the remote peer to
establish a connection with. If a domain name is
configured, then the DNS resolution should happen on
each connection attempt. If the DNS resolution
results in multiple IP addresses, the IP addresses
are tried according to local preference order until
a connection has been established or until all IP
addresses have failed.";
}
leaf remote-port {
type inet:port-number;
default "0";
description
"The IP port number for the remote peer to establish a
connection with. An invalid default value is used
so that importing modules may 'refine' it with the
appropriate default port number value.";
}
leaf local-address {
if-feature "local-binding-supported";
type inet:ip-address;
description
"The local IP address/interface to bind to for when
connecting to the remote peer. INADDR_ANY ('0.0.0.0') or
INADDR6_ANY ('0:0:0:0:0:0:0:0' a.k.a. '::') MAY be used to
explicitly indicate the implicit default, that the server
can bind to any IPv4 or IPv6 addresses, respectively.";
}
leaf local-port {
if-feature "local-binding-supported";
type inet:port-number;
default "0";
description
"The local IP port number to bind to for when connecting
to the remote peer. The port number '0', which is the
default value, indicates that any available local port
number may be used.";
}
container proxy-server {
if-feature "proxy-connect";
presence
"Indicates that a proxy connection has been configured.
Present so that the mandatory descendant nodes do not
imply that this node must be configured.";
choice proxy-type {
mandatory true;
description
"Selects a proxy connection protocol.";
case socks4 {
container socks4-parameters {
leaf remote-address {
type inet:ip-address;
mandatory true;
description
"The IP address of the proxy server.";
}
leaf remote-port {
type inet:port-number;
default "1080";
description
"The IP port number for the proxy server.";
}
description
"Parameters for connecting to a TCP-based proxy
server using the SOCKS4 protocol.";
reference
"SOCKS, Proceedings: 1992 Usenix Security Symposium.";
}
}
case socks4a {
container socks4a-parameters {
leaf remote-address {
type inet:host;
mandatory true;
description
"The IP address or hostname of the proxy server.";
}
leaf remote-port {
type inet:port-number;
default "1080";
description
"The IP port number for the proxy server.";
}
description
"Parameters for connecting to a TCP-based proxy
server using the SOCKS4a protocol.";
reference
"SOCKS Proceedings:
1992 Usenix Security Symposium.
OpenSSH message:
SOCKS 4A: A Simple Extension to SOCKS 4 Protocol
https://www.openssh.com/txt/socks4a.protocol";
}
}
case socks5 {
container socks5-parameters {
leaf remote-address {
type inet:host;
mandatory true;
description
"The IP address or hostname of the proxy server.";
}
leaf remote-port {
type inet:port-number;
default "1080";
description
"The IP port number for the proxy server.";
}
container authentication-parameters {
presence
"Indicates that an authentication mechanism
has been configured. Present so that the
mandatory descendant nodes do not imply that
this node must be configured.";
description
"A container for SOCKS Version 5 authentication
mechanisms.
A complete list of methods is defined at:
https://www.iana.org/assignments/socks-methods
/socks-methods.xhtml.";
reference
"RFC 1928: SOCKS Protocol Version 5";
choice auth-type {
mandatory true;
description
"A choice amongst supported SOCKS Version 5
authentication mechanisms.";
case gss-api {
if-feature "socks5-gss-api";
container gss-api {
description
"Contains GSS-API configuration. Defines
as an empty container to enable specific
GSS-API configuration to be augmented in
by future modules.";
reference
"RFC 1928: SOCKS Protocol Version 5
RFC 2743: Generic Security Service
Application Program Interface
Version 2, Update 1";
}
}
case username-password {
if-feature "socks5-username-password";
container username-password {
leaf username {
type string;
mandatory true;
description
"The 'username' value to use for client
identification.";
}
uses ct:password-grouping {
description
"The password to be used for client
authentication.";
}
description
"Contains Username/Password configuration.";
reference
"RFC 1929: Username/Password Authentication
for SOCKS V5";
}
}
}
}
description
"Parameters for connecting to a TCP-based proxy server
using the SOCKS5 protocol.";
reference
"RFC 1928: SOCKS Protocol Version 5";
}
}
}
description
"Proxy server settings.";
}
uses tcpcmn:tcp-common-grouping {
refine "keepalives" {
if-feature "tcp-client-keepalives";
description
"Add an if-feature statement so that implementations
can choose to support TCP client keepalives.";
}
}
}
}
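Review bot: The `description` statements of `proxy-server`, `socks4-parameters`, `socks4a-parameters` and `socks5-parameters` are placed after their child data nodes, whereas every other container in this module (and in the sibling tcp/tls modules) leads with `description`; moving them above the children keeps the style uniform and makes the `if-feature`/`presence` substatements easier to audit. The `username-password` container's description could also state that RFC 1929 transmits the password to the proxy unencrypted, so consumers understand that `ct:password-grouping` protects the value only at rest, e.g. `"Contains Username/Password configuration. Per RFC 1929 the password is sent to the proxy in cleartext."`. One wording fix in the `gss-api` container: `Defines as an empty container` should read `Defined as an empty container`.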


@ -0,0 +1,117 @@
module ietf-tcp-common {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tcp-common";
prefix tcpcmn;
organization
"IETF NETCONF (Network Configuration) Working Group and the
IETF TCP Maintenance and Minor Extensions (TCPM) Working Group";
contact
"WG Web: https://datatracker.ietf.org/wg/netconf
https://datatracker.ietf.org/wg/tcpm
WG List: NETCONF WG list <mailto:netconf@ietf.org>
TCPM WG list <mailto:tcpm@ietf.org>
Authors: Kent Watsen <mailto:kent+ietf@watsen.net>
Michael Scharf
<mailto:michael.scharf@hs-esslingen.de>";
description
"This module define a reusable 'grouping' that is common
to both TCP-clients and TCP-servers. This grouping statement
is used by both the 'ietf-tcp-client' and 'ietf-tcp-server'
modules.
Copyright (c) 2023 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC DDDD
(https://www.rfc-editor.org/info/rfcDDDD); see the RFC
itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
revision 2023-12-28 {
description
"Initial version";
reference
"RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
}
// Features
feature keepalives-supported {
description
"Indicates that keepalives are supported.";
}
// Groupings
grouping tcp-common-grouping {
description
"A reusable grouping for configuring TCP parameters common
to TCP connections as well as the operating system as a
whole.";
container keepalives {
if-feature "keepalives-supported";
description
"Configures the keep-alive policy, to proactively test the
aliveness of the TCP peer. An unresponsive TCP peer is
dropped after approximately (idle-time + max-probes *
probe-interval) seconds. Further guidance can be found
in Section 2.1.5 of RFC DDDD.";
reference
"RFC 9293:
Transmission Control Protocol (TCP), Section 3.8.4..";
leaf idle-time {
type uint16 {
range "1..max";
}
units "seconds";
default 7200;
description
"Sets the amount of time after which if no data has been
received from the TCP peer, a TCP-level probe message
will be sent to test the aliveness of the TCP peer.
Two hours (7200 seconds) is safe value, per RFC 1122.";
reference
"RFC 1122:
Requirements for Internet Hosts -- Communication Layers";
}
leaf max-probes {
type uint16 {
range "1..max";
}
default 9;
description
"Sets the maximum number of sequential keep-alive probes
that can fail to obtain a response from the TCP peer
before assuming the TCP peer is no longer alive.";
}
leaf probe-interval {
type uint16 {
range "1..max";
}
units "seconds";
default 75;
description
"Sets the time interval between failed probes. The interval
SHOULD be significantly longer than one second in order to
avoid harm on a congested link.";
}
} // container keepalives
} // grouping tcp-common-grouping
}
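Review bot: `probe-interval` carries `range "1..max"` while its own description says the interval SHOULD be significantly longer than one second, so the model admits exactly the values it warns against; if the SHOULD is meant to be enforced, raise the lower bound, otherwise the description should say that servers may reject small values. Three wording defects in the descriptions: `This module define a reusable` should be `defines`, `is safe value` should be `is a safe value`, and the reference `Section 3.8.4..` has a doubled period. The three `default` statements here are unquoted (`default 7200;`) whereas the SSH keepalive leaves in the ssh-server grouping above quote theirs (`default "30";`); both forms are valid YANG, but the file set is inconsistent.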


@ -0,0 +1,116 @@
module ietf-tcp-server {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tcp-server";
prefix tcps;
import ietf-inet-types {
prefix inet;
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-tcp-common {
prefix tcpcmn;
reference
"RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
}
organization
"IETF NETCONF (Network Configuration) Working Group and the
IETF TCP Maintenance and Minor Extensions (TCPM) Working Group";
contact
"WG Web: https://datatracker.ietf.org/wg/netconf
https://datatracker.ietf.org/wg/tcpm
WG List: NETCONF WG list <mailto:netconf@ietf.org>
TCPM WG list <mailto:tcpm@ietf.org>
Authors: Kent Watsen <mailto:kent+ietf@watsen.net>
Michael Scharf
<mailto:michael.scharf@hs-esslingen.de>";
description
"This module defines reusable groupings for TCP servers that
can be used as a basis for specific TCP server instances.
Copyright (c) 2023 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC DDDD
(https://www.rfc-editor.org/info/rfcDDDD); see the RFC
itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
revision 2023-12-28 {
description
"Initial version";
reference
"RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";
}
// Features
feature tcp-server-keepalives {
description
"Per socket TCP keepalive parameters are configurable for
TCP servers on the server implementing this feature.";
reference
"RFC 9293: Transmission Control Protocol (TCP)";
}
// Groupings
grouping tcp-server-grouping {
description
"A reusable grouping for configuring a TCP server.
Note that this grouping uses fairly typical descendant
node names such that a stack of 'uses' statements will
have name conflicts. It is intended that the consuming
data model will resolve the issue (e.g., by wrapping
the 'uses' statement in a container called
'tcp-server-parameters'). This model purposely does
not do this itself so as to provide maximum flexibility
to consuming models.";
leaf local-address {
type inet:ip-address;
mandatory true;
description
"The local IP address to listen on for incoming
TCP client connections. INADDR_ANY (0.0.0.0) or
INADDR6_ANY (0:0:0:0:0:0:0:0 a.k.a. ::) MUST be
used when the server is to listen on all IPv4 or
IPv6 addresses, respectively.";
}
leaf local-port {
type inet:port-number;
default "0";
description
"The local port number to listen on for incoming TCP
client connections. An invalid default value (0)
is used (instead of 'mandatory true') so that an
application level data model may 'refine' it with
an application specific default port number value.";
}
uses tcpcmn:tcp-common-grouping {
refine "keepalives" {
if-feature "tcp-server-keepalives";
description
"Add an if-feature statement so that implementations
can choose to support TCP server keepalives.";
}
}
}
}


@ -0,0 +1,316 @@
module ietf-tls-common {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common";
prefix tlscmn;
import iana-tls-cipher-suite-algs {
prefix tlscsa;
reference
"RFC FFFF: YANG Groupings for TLS Clients and SSH Servers";
}
import ietf-crypto-types {
prefix ct;
reference
"RFC AAAA: YANG Data Types and Groupings for Cryptography";
}
import ietf-keystore {
prefix ks;
reference
"RFC CCCC: A YANG Data Model for a Keystore";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG List: NETCONF WG list <mailto:netconf@ietf.org>
WG Web: https://datatracker.ietf.org/wg/netconf
Author: Kent Watsen <mailto:kent+ietf@watsen.net>
Author: Jeff Hartley <mailto:jeff.hartley@commscope.com>
Author: Gary Wu <mailto:garywu@cisco.com>";
description
"This module defines a common features and groupings for
Transport Layer Security (TLS).
Copyright (c) 2023 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC FFFF
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC
itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
revision 2023-12-28 {
description
"Initial version";
reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
}
// Features
feature tls10 {
status "obsolete";
description
"TLS Protocol Version 1.0 is supported. TLS 1.0 is obsolete
and thus it is NOT RECOMMENDED to enable this feature.";
reference
"RFC 2246: The TLS Protocol Version 1.0";
}
feature tls11 {
status "obsolete";
description
"TLS Protocol Version 1.1 is supported. TLS 1.1 is obsolete
and thus it is NOT RECOMMENDED to enable this feature.";
reference
"RFC 4346: The Transport Layer Security (TLS) Protocol
Version 1.1";
}
feature tls12 {
status "deprecated";
description
"TLS Protocol Version 1.2 is supported. TLS 1.2 is obsolete
and thus it is NOT RECOMMENDED to enable this feature.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
feature tls13 {
description
"TLS Protocol Version 1.3 is supported.";
reference
"RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3";
}
feature hello-params {
description
"TLS hello message parameters are configurable.";
}
feature public-key-generation {
description
"Indicates that the server implements the
'generate-public-key' RPC.";
}
// Identities
identity tls-version-base {
description
"Base identity used to identify TLS protocol versions.";
}
identity tls10 {
if-feature "tls10";
base tls-version-base;
status "obsolete";
description
"TLS Protocol Version 1.0.";
reference
"RFC 2246: The TLS Protocol Version 1.0";
}
identity tls11 {
if-feature "tls11";
base tls-version-base;
status "obsolete";
description
"TLS Protocol Version 1.1.";
reference
"RFC 4346: The Transport Layer Security (TLS) Protocol
Version 1.1";
}
identity tls12 {
if-feature "tls12";
base tls-version-base;
status "deprecated";
description
"TLS Protocol Version 1.2.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity tls13 {
if-feature "tls13";
base tls-version-base;
description
"TLS Protocol Version 1.3.";
reference
"RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3";
}
// Typedefs
typedef epsk-supported-hash {
type enumeration {
enum sha-256 {
description
"The SHA-256 Hash.";
}
enum sha-384 {
description
"The SHA-384 Hash.";
}
}
description
"As per Section 4.2.11 of RFC 8446, the hash algorithm
supported by an instance of an External Pre-Shared
Key (EPSK).";
reference
"RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3";
}
// Groupings
grouping hello-params-grouping {
description
"A reusable grouping for TLS hello message parameters.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2
RFC 8446: The Transport Layer Security (TLS) Protocol
Version 1.3";
container tls-versions {
description
"Parameters regarding TLS versions.";
leaf-list tls-version {
type identityref {
base tls-version-base;
}
ordered-by user;
description
"Acceptable TLS protocol versions.
If this leaf-list is not configured (has zero elements)
the acceptable TLS protocol versions are implementation-
defined.";
}
}
container cipher-suites {
description
"Parameters regarding cipher suites.";
leaf-list cipher-suite {
type identityref {
base tlscsa:cipher-suite-alg-base;
}
ordered-by user;
description
"Acceptable cipher suites in order of descending
preference. The configured host key algorithms should
be compatible with the algorithm used by the configured
private key. Please see Section 5 of RFC FFFF for
valid combinations.
If this leaf-list is not configured (has zero elements)
the acceptable cipher suites are implementation-
defined.";
reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
}
}
} // hello-params-grouping
rpc generate-public-key {
if-feature "public-key-generation";
description
"Requests the device to generate an public key using
the specified key algorithm.";
input {
leaf algorithm {
type tlscsa:cipher-suite-algorithm-ref;
mandatory true;
description
"The cipher suite algorithm that the generated key is
to work with. Implementations derive the public key
algorithm from the cipher suite algorithm. Example:
cipher suite 'tls-rsa-with-aes-256-cbc-sha256' maps
to the RSA public key.";
}
leaf num-bits {
type uint16;
description
"Specifies the number of bits in the key to create.
For RSA keys, the minimum size is 1024 bits and
the default is 3072 bits. Generally, 3072 bits is
considered sufficient. DSA keys must be exactly 1024
bits as specified by FIPS 186-2. For elliptical
keys, the 'num-bits' value determines the key length
of the curve (e.g., 256, 384 or 521), where valid
values supported by the server are conveyed via an
unspecified mechanism. For some public algorithms,
the keys have a fixed length and thus the 'num-bits'
value is not specified.";
}
container private-key-encoding {
description
"Indicates how the private key is to be encoded.";
choice private-key-encoding {
mandatory true;
description
"A choice amongst optional private key handling.";
case cleartext {
if-feature "ct:cleartext-private-keys";
leaf cleartext {
type empty;
description
"Indicates that the private key is to be returned
as a cleartext value.";
}
}
case encrypted {
if-feature "ct:encrypted-private-keys";
container encrypted {
description
"Indicates that the key is to be encrypted using
the specified symmetric or asymmetric key.";
uses ks:encrypted-by-grouping;
}
}
case hidden {
if-feature "ct:hidden-private-keys";
leaf hidden {
type empty;
description
"Indicates that the private key is to be hidden.
Unlike the 'cleartext' and 'encrypt' options, the
key returned is a placeholder for an internally
stored key. See the 'Support for Built-in Keys'
section in RFC CCCC for information about hidden
keys.";
}
}
}
}
}
output {
uses ct:asymmetric-key-pair-grouping;
}
} // end generate-public-key
}
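Review bot: The `tls12` feature's description says `TLS 1.2 is obsolete` while its `status` is `deprecated` (and the `tls12` identity is likewise `deprecated`); the text should read `TLS 1.2 is deprecated` so the prose and the status statement agree. The `iana-tls-cipher-suite-algs` import reference names the RFC as `YANG Groupings for TLS Clients and SSH Servers`, which should be `TLS Servers` as in the revision statement. In `generate-public-key`, the `num-bits` description cites a 1024-bit RSA minimum and FIPS 186-2 DSA key sizes; both are below current guidance, so implementations should enforce their own floor regardless of this text, and a sentence saying so would help consumers. The `cipher-suite` description's mention of `host key algorithms` reads like SSH wording carried over; TLS has no host keys, so `cipher suites` is presumably meant. Smaller wording fixes: `defines a common features` should be `defines common features`, `generate an public key` should be `generate a public key`, and the `hidden` leaf's `'encrypt'` should be `'encrypted'` to match the case name.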


@ -0,0 +1,527 @@
module ietf-tls-server {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server";
prefix tlss;
import ietf-netconf-acm {
prefix nacm;
reference
"RFC 8341: Network Configuration Access Control Model";
}
import ietf-crypto-types {
prefix ct;
reference
"RFC AAAA: YANG Data Types and Groupings for Cryptography";
}
import ietf-truststore {
prefix ts;
reference
"RFC BBBB: A YANG Data Model for a Truststore";
}
import ietf-keystore {
prefix ks;
reference
"RFC CCCC: A YANG Data Model for a Keystore";
}
import ietf-tls-common {
prefix tlscmn;
reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG List: NETCONF WG list <mailto:netconf@ietf.org>
WG Web: https://datatracker.ietf.org/wg/netconf
Author: Kent Watsen <mailto:kent+ietf@watsen.net>
Author: Jeff Hartley <mailto:jeff.hartley@commscope.com>";
description
"This module defines reusable groupings for TLS servers that
can be used as a basis for specific TLS server instances.
Copyright (c) 2023 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC FFFF
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC
itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
revision 2023-12-28 {
description
"Initial version";
reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
}
// Features
feature tls-server-keepalives {
description
"Per socket TLS keepalive parameters are configurable for
TLS servers on the server implementing this feature.";
}
feature server-ident-x509-cert {
description
"Indicates that the server supports identifying itself
using X.509 certificates.";
reference
"RFC 5280:
Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile";
}
feature server-ident-raw-public-key {
description
"Indicates that the server supports identifying itself
using raw public keys.";
reference
"RFC 7250:
Using Raw Public Keys in Transport Layer Security (TLS)
and Datagram Transport Layer Security (DTLS)";
}
feature server-ident-tls12-psk {
if-feature "tlscmn:tls12";
description
"Indicates that the server supports identifying itself
using TLS-1.2 PSKs (pre-shared or pairwise-symmetric keys).";
reference
"RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)";
}
feature server-ident-tls13-epsk {
if-feature "tlscmn:tls13";
description
"Indicates that the server supports identifying itself
using TLS-1.3 External PSKs (pre-shared keys).";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
feature client-auth-supported {
description
"Indicates that the configuration for how to authenticate
clients can be configured herein. TLS-level client
authentication may not be needed when client authentication
is expected to occur only at another protocol layer.";
}
feature client-auth-x509-cert {
description
"Indicates that the server supports authenticating clients
using X.509 certificates.";
reference
"RFC 5280:
Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile";
}
feature client-auth-raw-public-key {
description
"Indicates that the server supports authenticating clients
using raw public keys.";
reference
"RFC 7250:
Using Raw Public Keys in Transport Layer Security (TLS)
and Datagram Transport Layer Security (DTLS)";
}
feature client-auth-tls12-psk {
description
"Indicates that the server supports authenticating clients
using PSKs (pre-shared or pairwise-symmetric keys).";
reference
"RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)";
}
feature client-auth-tls13-epsk {
description
"Indicates that the server supports authenticating clients
using TLS-1.3 External PSKs (pre-shared keys).";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
// Groupings
grouping tls-server-grouping {
description
"A reusable grouping for configuring a TLS server without
any consideration for how underlying TCP sessions are
established.
Note that this grouping uses fairly typical descendant
node names such that a stack of 'uses' statements will
have name conflicts. It is intended that the consuming
data model will resolve the issue (e.g., by wrapping
the 'uses' statement in a container called
'tls-server-parameters'). This model purposely does
not do this itself so as to provide maximum flexibility
to consuming models.";
container server-identity {
nacm:default-deny-write;
description
"A locally-defined or referenced end-entity certificate,
including any configured intermediate certificates, the
TLS server will present when establishing a TLS connection
in its Certificate message, as defined in Section 7.4.2
in RFC 5246 and Section 4.4.2 in RFC 8446.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2
RFC 8446: The Transport Layer Security (TLS) Protocol
Version 1.3
RFC CCCC: A YANG Data Model for a Keystore";
choice auth-type {
mandatory true;
description
"A choice amongst authentication types, of which one must
be enabled (via its associated 'feature') and selected.";
case certificate {
if-feature "server-ident-x509-cert";
container certificate {
description
"Specifies the server identity using a certificate.";
uses
"ks:inline-or-keystore-end-entity-cert-with-key-"
+ "grouping" {
refine "inline-or-keystore/inline/inline-definition" {
must 'not(public-key-format) or derived-from-or-self'
+ '(public-key-format,' + ' "ct:subject-public-'
+ 'key-info-format")';
}
refine "inline-or-keystore/central-keystore/"
+ "central-keystore-reference/asymmetric-key" {
must 'not(deref(.)/../ks:public-key-format) or '
+ 'derived-from-or-self(deref(.)/../ks:public-key'
+ '-format, "ct:subject-public-key-info-format")';
}
}
}
}
case raw-private-key {
if-feature "server-ident-raw-public-key";
container raw-private-key {
description
"Specifies the server identity using a raw
private key.";
uses ks:inline-or-keystore-asymmetric-key-grouping {
refine "inline-or-keystore/inline/inline-definition" {
must 'not(public-key-format) or derived-from-or-self'
+ '(public-key-format,' + ' "ct:subject-public-'
+ 'key-info-format")';
}
refine "inline-or-keystore/central-keystore/"
+ "central-keystore-reference" {
must 'not(deref(.)/../ks:public-key-format) or '
+ 'derived-from-or-self(deref(.)/../ks:public-key'
+ '-format, "ct:subject-public-key-info-format")';
}
}
}
}
case tls12-psk {
if-feature "server-ident-tls12-psk";
container tls12-psk {
description
"Specifies the server identity using a PSK (pre-shared
or pairwise-symmetric key).";
uses ks:inline-or-keystore-symmetric-key-grouping;
leaf id-hint {
type string;
description
"The key 'psk_identity_hint' value used in the TLS
'ServerKeyExchange' message.";
reference
"RFC 4279: Pre-Shared Key Ciphersuites for
Transport Layer Security (TLS)";
}
}
}
case tls13-epsk {
if-feature "server-ident-tls13-epsk";
container tls13-epsk {
description
"An External Pre-Shared Key (EPSK) is established
or provisioned out-of-band, i.e., not from a TLS
connection. An EPSK is a tuple of (Base Key,
External Identity, Hash). External PSKs MUST
NOT be imported for (D)TLS 1.2 or prior versions.
When PSKs are provisioned out of band, the PSK
identity and the KDF hash algorithm to be used
with the PSK MUST also be provisioned.
The structure of this container is designed to
satisfy the requirements of RFC 8446 Section
4.2.11, the recommendations from Section 6 in
RFC 9257, and the EPSK input fields detailed in
Section 5.1 in RFC 9258. The base-key is based
upon ks:inline-or-keystore-symmetric-key-grouping
in order to provide users with flexible and
secure storage options.";
reference
"RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3
RFC 9257: Guidance for External Pre-Shared Key
(PSK) Usage in TLS
RFC 9258: Importing External Pre-Shared Keys
(PSKs) for TLS 1.3";
uses ks:inline-or-keystore-symmetric-key-grouping;
leaf external-identity {
type string;
mandatory true;
description
"As per Section 4.2.11 of RFC 8446, and Section 4.1
of RFC 9257, a sequence of bytes used to identify
an EPSK. A label for a pre-shared key established
externally.";
reference
"RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3
RFC 9257: Guidance for External Pre-Shared Key
(PSK) Usage in TLS";
}
leaf hash {
type tlscmn:epsk-supported-hash;
default sha-256;
description
"As per Section 4.2.11 of RFC 8446, for externally
established PSKs, the Hash algorithm MUST be set
when the PSK is established or default to SHA-256
if no such algorithm is defined. The server MUST
ensure that it selects a compatible PSK (if any)
and cipher suite. Each PSK MUST only be used
with a single hash function.";
reference
"RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3";
}
leaf context {
type string;
description
"Per Section 5.1 of RFC 9258, context MUST include
the context used to determine the EPSK, if
any exists. For example, context may include
information about peer roles or identities
to mitigate Selfie-style reflection attacks.
Since the EPSK is a key derived from an external
protocol or sequence of protocols, context MUST
include a channel binding for the deriving
protocols [RFC5056]. The details of this
binding are protocol specfic and out of scope
for this document.";
reference
"RFC 9258: Importing External Pre-Shared Keys
(PSKs) for TLS 1.3";
}
leaf target-protocol {
type uint16;
description
"As per Section 3.1 of RFC 9258, the protocol
for which a PSK is imported for use.";
reference
"RFC 9258: Importing External Pre-Shared Keys
(PSKs) for TLS 1.3";
}
leaf target-kdf {
type uint16;
description
"As per Section 3 of RFC 9258, the KDF for
which a PSK is imported for use.";
reference
"RFC 9258: Importing External Pre-Shared Keys
(PSKs) for TLS 1.3";
}
}
}
}
} // container server-identity
container client-authentication {
if-feature "client-auth-supported";
nacm:default-deny-write;
must 'ca-certs or ee-certs or raw-public-keys or tls12-psks
or tls13-epsks';
presence
"Indicates that client authentication is supported (i.e.,
that the server will request clients send certificates).
If not configured, the TLS server SHOULD NOT request the
TLS clients provide authentication credentials.";
description
"Specifies how the TLS server can authenticate TLS clients.
Any combination of credentials is additive and unordered.
Note that no configuration is required for PSK (pre-shared
or pairwise-symmetric key) based authentication as the key
is necessarily the same as configured in the '../server-
identity' node.";
container ca-certs {
if-feature "client-auth-x509-cert";
presence
"Indicates that CA certificates have been configured.
This statement is present so the mandatory descendant
nodes do not imply that this node must be configured.";
description
"A set of certificate authority (CA) certificates used by
the TLS server to authenticate TLS client certificates.
A client certificate is authenticated if it has a valid
chain of trust to a configured CA certificate.";
reference
"RFC BBBB: A YANG Data Model for a Truststore";
uses ts:inline-or-truststore-certs-grouping;
}
container ee-certs {
if-feature "client-auth-x509-cert";
presence
"Indicates that EE certificates have been configured.
This statement is present so the mandatory descendant
nodes do not imply that this node must be configured.";
description
"A set of client certificates (i.e., end entity
certificates) used by the TLS server to authenticate
certificates presented by TLS clients. A client
certificate is authenticated if it is an exact
match to a configured client certificate.";
reference
"RFC BBBB: A YANG Data Model for a Truststore";
uses ts:inline-or-truststore-certs-grouping;
}
container raw-public-keys {
if-feature "client-auth-raw-public-key";
presence
"Indicates that raw public keys have been configured.
This statement is present so the mandatory descendant
nodes do not imply that this node must be configured.";
description
"A set of raw public keys used by the TLS server to
authenticate raw public keys presented by the TLS
client. A raw public key is authenticated if it
is an exact match to a configured raw public key.";
reference
"RFC BBBB: A YANG Data Model for a Truststore";
uses ts:inline-or-truststore-public-keys-grouping {
refine "inline-or-truststore/inline/inline-definition/"
+ "public-key" {
must 'derived-from-or-self(public-key-format,'
+ ' "ct:subject-public-key-info-format")';
}
refine "inline-or-truststore/central-truststore/"
+ "central-truststore-reference" {
must 'not(deref(.)/../ts:public-key/ts:public-key-'
+ 'format[not(derived-from-or-self(., "ct:subject-'
+ 'public-key-info-format"))])';
}
}
}
leaf tls12-psks {
if-feature "client-auth-tls12-psk";
type empty;
description
"Indicates that the TLS server can authenticate TLS clients
using configured PSKs (pre-shared or pairwise-symmetric
keys).
No configuration is required since the PSK value is the
same as PSK value configured in the 'server-identity'
node.";
}
leaf tls13-epsks {
if-feature "client-auth-tls13-epsk";
type empty;
description
"Indicates that the TLS 1.3 server can authenticate TLS
clients using configured external PSKs (pre-shared keys).
No configuration is required since the PSK value is the
same as PSK value configured in the 'server-identity'
node.";
}
} // container client-authentication
container hello-params {
nacm:default-deny-write;
if-feature "tlscmn:hello-params";
uses tlscmn:hello-params-grouping;
description
"Configurable parameters for the TLS hello message.";
} // container hello-params
container keepalives {
nacm:default-deny-write;
if-feature "tls-server-keepalives";
description
"Configures the keepalive policy for the TLS server.";
leaf peer-allowed-to-send {
type empty;
description
"Indicates that the remote TLS client is allowed to send
HeartbeatRequest messages, as defined by RFC 6520
to this TLS server.";
reference
"RFC 6520: Transport Layer Security (TLS) and Datagram
Transport Layer Security (DTLS) Heartbeat Extension";
}
container test-peer-aliveness {
presence
"Indicates that the TLS server proactively tests the
aliveness of the remote TLS client.";
description
"Configures the keep-alive policy to proactively test
the aliveness of the TLS client. An unresponsive
TLS client is dropped after approximately max-wait
* max-attempts seconds.";
leaf max-wait {
type uint16 {
range "1..max";
}
units "seconds";
default "30";
description
"Sets the amount of time in seconds after which if
no data has been received from the TLS client, a
TLS-level message will be sent to test the
aliveness of the TLS client.";
}
leaf max-attempts {
type uint8;
default "3";
description
"Sets the maximum number of sequential keep-alive
messages that can fail to obtain a response from
the TLS client before assuming the TLS client is
no longer alive.";
}
}
} // container keepalives
} // grouping tls-server-grouping
}

@ -0,0 +1,391 @@
module ietf-truststore {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-truststore";
prefix ts;
import ietf-netconf-acm {
prefix nacm;
reference
"RFC 8341: Network Configuration Access Control Model";
}
import ietf-crypto-types {
prefix ct;
reference
"RFC AAAA: YANG Data Types and Groupings for Cryptography";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web : https://datatracker.ietf.org/wg/netconf
WG List : NETCONF WG list <mailto:netconf@ietf.org>
Author : Kent Watsen <kent+ietf@watsen.net>";
description
"This module defines a 'truststore' to centralize management
of trust anchors including certificates and public keys.
Copyright (c) 2023 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC BBBB
(https://www.rfc-editor.org/info/rfcBBBB); see the RFC
itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
revision 2023-12-28 {
description
"Initial version";
reference
"RFC BBBB: A YANG Data Model for a Truststore";
}
/****************/
/* Features */
/****************/
feature central-truststore-supported {
description
"The 'central-truststore-supported' feature indicates that
the server supports the truststore (i.e., implements the
'ietf-truststore' module).";
}
feature inline-definitions-supported {
description
"The 'inline-definitions-supported' feature indicates that
the server supports locally-defined trust anchors.";
}
feature certificates {
description
"The 'certificates' feature indicates that the server
implements the /truststore/certificate-bags subtree.";
}
feature public-keys {
description
"The 'public-keys' feature indicates that the server
implements the /truststore/public-key-bags subtree.";
}
/****************/
/* Typedefs */
/****************/
typedef certificate-bag-ref {
type leafref {
path "/ts:truststore/ts:certificate-bags/"
+ "ts:certificate-bag/ts:name";
}
description
"This typedef defines a reference to a certificate bag
in the central truststore.";
}
typedef certificate-ref {
type leafref {
path "/ts:truststore/ts:certificate-bags/ts:certificate-bag"
+ "[ts:name = current()/../certificate-bag]/"
+ "ts:certificate/ts:name";
}
description
"This typedef defines a reference to a specific certificate
in a certificate bag in the central truststore. This typedef
requires that there exist a sibling 'leaf' node called
'certificate-bag' that SHOULD have the typedef
'certificate-bag-ref'.";
}
typedef public-key-bag-ref {
type leafref {
path "/ts:truststore/ts:public-key-bags/"
+ "ts:public-key-bag/ts:name";
}
description
"This typedef defines a reference to a public key bag
in the central truststore.";
}
typedef public-key-ref {
type leafref {
path "/ts:truststore/ts:public-key-bags/ts:public-key-bag"
+ "[ts:name = current()/../public-key-bag]/"
+ "ts:public-key/ts:name";
}
description
"This typedef defines a reference to a specific public key
in a public key bag in the truststore. This typedef
requires that there exist a sibling 'leaf' node called
'public-key-bag' that SHOULD have the typedef
'public-key-bag-ref'.";
}
/*****************/
/* Groupings */
/*****************/
// *-ref groupings
grouping certificate-ref-grouping {
description
"Grouping for the reference to a certificate in a
certificate-bag in the central truststore.";
leaf certificate-bag {
nacm:default-deny-write;
if-feature "central-truststore-supported";
if-feature "certificates";
type ts:certificate-bag-ref;
must "../certificate";
description
"Reference to a certificate-bag in the truststore.";
}
leaf certificate {
nacm:default-deny-write;
type ts:certificate-ref;
must "../certificate-bag";
description
"Reference to a specific certificate in the
referenced certificate-bag.";
}
}
grouping public-key-ref-grouping {
description
"Grouping for the reference to a public key in a
public-key-bag in the central truststore.";
leaf public-key-bag {
nacm:default-deny-write;
if-feature "central-truststore-supported";
if-feature "public-keys";
type ts:public-key-bag-ref;
description
"Reference of a public key bag in the truststore inlucding
the certificate to authenticate the TLS client.";
}
leaf public-key {
nacm:default-deny-write;
type ts:public-key-ref;
description
"Reference to a specific public key in the
referenced public-key-bag.";
}
}
// inline-or-truststore-* groupings
grouping inline-or-truststore-certs-grouping {
description
"A grouping for the configuration of a list of certificates.
The list of certificate may be defined inline or as a
reference to a certificate bag in the central truststore.
Servers that do not define the 'central-truststore-supported'
feature SHOULD augment in custom 'case' statements enabling
references to alternate truststore locations.";
choice inline-or-truststore {
nacm:default-deny-write;
mandatory true;
description
"A choice between an inlined definition and a definition
that exists in the truststore.";
case inline {
if-feature "inline-definitions-supported";
container inline-definition {
description
"A container for locally configured trust anchor
certificates.";
list certificate {
key "name";
min-elements 1;
description
"A trust anchor certificate.";
leaf name {
type string;
description
"An arbitrary name for this certificate.";
}
uses ct:trust-anchor-cert-grouping {
refine "cert-data" {
mandatory true;
}
}
}
}
}
case central-truststore {
if-feature "central-truststore-supported";
if-feature "certificates";
leaf central-truststore-reference {
type ts:certificate-bag-ref;
description
"A reference to a certificate bag that exists in the
central truststore.";
}
}
}
}
grouping inline-or-truststore-public-keys-grouping {
description
"A grouping that allows the public keys to be either
configured locally, within the using data model, or be a
reference to a public key bag stored in the truststore.
Servers that do not define the 'central-truststore-supported'
feature SHOULD augment in custom 'case' statements enabling
references to alternate truststore locations.";
choice inline-or-truststore {
nacm:default-deny-write;
mandatory true;
description
"A choice between an inlined definition and a definition
that exists in the truststore.";
case inline {
if-feature "inline-definitions-supported";
container inline-definition {
description
"A container to hold local public key definitions.";
list public-key {
key "name";
description
"A public key definition.";
leaf name {
type string;
description
"An arbitrary name for this public key.";
}
uses ct:public-key-grouping;
}
}
}
case central-truststore {
if-feature "central-truststore-supported";
if-feature "public-keys";
leaf central-truststore-reference {
type ts:public-key-bag-ref;
description
"A reference to a bag of public keys that exists
in the central truststore.";
}
}
}
}
// the truststore grouping
grouping truststore-grouping {
description
"A grouping definition that enables use in other contexts.
Where used, implementations MUST augment new 'case'
statements into the various inline-or-truststore 'choice'
statements to supply leafrefs to the model-specific
location(s).";
container certificate-bags {
nacm:default-deny-write;
if-feature "certificates";
description
"A collection of certificate bags.";
list certificate-bag {
key "name";
description
"A bag of certificates. Each bag of certificates SHOULD
be for a specific purpose. For instance, one bag could
be used to authenticate a specific set of servers, while
another could be used to authenticate a specific set of
clients.";
leaf name {
type string;
description
"An arbitrary name for this bag of certificates.";
}
leaf description {
type string;
description
"A description for this bag of certificates. The
intended purpose for the bag SHOULD be described.";
}
list certificate {
key "name";
description
"A trust anchor certificate.";
leaf name {
type string;
description
"An arbitrary name for this certificate.";
}
uses ct:trust-anchor-cert-grouping {
refine "cert-data" {
mandatory true;
}
}
}
}
}
container public-key-bags {
nacm:default-deny-write;
if-feature "public-keys";
description
"A collection of public key bags.";
list public-key-bag {
key "name";
description
"A bag of public keys. Each bag of keys SHOULD be for
a specific purpose. For instance, one bag could be used
authenticate a specific set of servers, while another
could be used to authenticate a specific set of clients.";
leaf name {
type string;
description
"An arbitrary name for this bag of public keys.";
}
leaf description {
type string;
description
"A description for this bag public keys. The
intended purpose for the bag SHOULD be described.";
}
list public-key {
key "name";
description
"A public key.";
leaf name {
type string;
description
"An arbitrary name for this public key.";
}
uses ct:public-key-grouping;
}
}
}
}
/*********************************/
/* Protocol accessible nodes */
/*********************************/
container truststore {
if-feature central-truststore-supported;
nacm:default-deny-write;
description
"The truststore contains bags of certificates and
public keys.";
uses truststore-grouping;
}
}
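Review bot: `public-key-ref-grouping` is missing the mutual `must` constraints that its sibling `certificate-ref-grouping` carries (`must "../certificate";` on the bag leaf and `must "../certificate-bag";` on the entry leaf), so as far as these lines show a `public-key-bag` reference with no `public-key` alongside it is accepted, even though the `public-key-ref` typedef description states that the sibling leaf is required. The `public-key-bag` description also reads as copied from a TLS-client context ("Reference of a public key bag in the truststore inlucding the certificate to authenticate the TLS client") for what is a generic truststore grouping, and carries the typo "inlucding". Since this is a vendored IETF module (RFC BBBB placeholder, revision 2023-12-28) the correction belongs upstream rather than in a local patch; for the record, the lines would be `must "../public-key";` after `type ts:public-key-bag-ref;` and `must "../public-key-bag";` after `type ts:public-key-ref;`.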

@ -0,0 +1,314 @@
module ietf-x509-cert-to-name {
yang-version 1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name";
prefix x509c2n;
import ietf-yang-types {
prefix yang;
}
organization
"IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact
"WG Web: <http://tools.ietf.org/wg/netmod/>
WG List: <mailto:netmod@ietf.org>
WG Chair: Thomas Nadeau
<mailto:tnadeau@lucidvision.com>
WG Chair: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>
Editor: Martin Bjorklund
<mailto:mbj@tail-f.com>
Editor: Juergen Schoenwaelder
<mailto:j.schoenwaelder@jacobs-university.de>";
description
"This module contains a collection of YANG definitions for
extracting a name from an X.509 certificate.
The algorithm used to extract a name from an X.509 certificate
was first defined in RFC 6353.
Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 7407; see
the RFC itself for full legal notices.";
reference
"RFC 6353: Transport Layer Security (TLS) Transport Model for
the Simple Network Management Protocol (SNMP)";
revision "2014-12-10" {
description "Initial revision.";
reference
"RFC 7407: A YANG Data Model for SNMP Configuration";
}
typedef tls-fingerprint {
type yang:hex-string {
pattern
'([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';
}
description
"A fingerprint value that can be used to uniquely reference
other data of potentially arbitrary length.
A tls-fingerprint value is composed of a 1-octet hashing
algorithm identifier followed by the fingerprint value. The
first octet value identifying the hashing algorithm is taken
from the IANA 'TLS HashAlgorithm Registry' (RFC 5246). The
remaining octets are filled using the results of the hashing
algorithm.";
reference
"RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol (SNMP).
SNMP-TLS-TM-MIB.SnmpTLSFingerprint";
}
identity cert-to-name {
description
"Base identity for algorithms to derive a name from a
certificate.";
}
identity specified {
base cert-to-name;
description
"Directly specifies the name to be used for the certificate.
The value of the leaf 'name' in the cert-to-name list is
used.";
reference
"RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol (SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
}
identity san-rfc822-name {
base cert-to-name;
description
"Maps a subjectAltName's rfc822Name to a name. The local part
of the rfc822Name is passed unaltered, but the host-part of
the name must be passed in lowercase. For example, the
rfc822Name field FooBar@Example.COM is mapped to name
FooBar@example.com.";
reference
"RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol (SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";
}
identity san-dns-name {
base cert-to-name;
description
"Maps a subjectAltName's dNSName to a name after first
converting it to all lowercase (RFC 5280 does not specify
converting to lowercase, so this involves an extra step).
This mapping results in a 1:1 correspondence between
subjectAltName dNSName values and the name values.";
reference
"RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol (SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";
}
identity san-ip-address {
base cert-to-name;
description
"Maps a subjectAltName's iPAddress to a name by
transforming the binary-encoded address as follows:
1) for IPv4, the value is converted into a
decimal-dotted quad address (e.g., '192.0.2.1').
2) for IPv6 addresses, the value is converted into a
32-character, all-lowercase hexadecimal string
without any colon separators.
This mapping results in a 1:1 correspondence between
subjectAltName iPAddress values and the name values.";
reference
"RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol (SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
}
identity san-any {
base cert-to-name;
description
"Maps any of the following fields using the corresponding
mapping algorithms:
+------------+-----------------+
| Type | Algorithm |
|------------+-----------------|
| rfc822Name | san-rfc822-name |
| dNSName | san-dns-name |
| iPAddress | san-ip-address |
+------------+-----------------+
The first matching subjectAltName value found in the
certificate of the above types MUST be used when deriving
the name. The mapping algorithm specified in the
'Algorithm' column MUST be used to derive the name.
This mapping results in a 1:1 correspondence between
subjectAltName values and name values. The three sub-mapping
algorithms produced by this combined algorithm cannot produce
conflicting results between themselves.";
reference
"RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol (SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
}
identity common-name {
base cert-to-name;
description
"Maps a certificate's CommonName to a name after converting
it to a UTF-8 encoding. The usage of CommonNames is
deprecated, and users are encouraged to use subjectAltName
mapping methods instead. This mapping results in a 1:1
correspondence between certificate CommonName values and name
values.";
reference
"RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol (SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertCommonName";
}
grouping cert-to-name {
description
"Defines nodes for mapping certificates to names. Modules
that use this grouping should describe how the resulting
name is used.";
list cert-to-name {
key "id";
description
"This list defines how certificates are mapped to names.
The name is derived by considering each cert-to-name
list entry in order. The cert-to-name entry's fingerprint
determines whether the list entry is a match:
1) If the cert-to-name list entry's fingerprint value
matches that of the presented certificate, then consider
the list entry a successful match.
2) If the cert-to-name list entry's fingerprint value
matches that of a locally held copy of a trusted CA
certificate, and that CA certificate was part of the CA
certificate chain to the presented certificate, then
consider the list entry a successful match.
Once a matching cert-to-name list entry has been found, the
map-type is used to determine how the name associated with
the certificate should be determined. See the map-type
leaf's description for details on determining the name value.
If it is impossible to determine a name from the cert-to-name
list entry's data combined with the data presented in the
certificate, then additional cert-to-name list entries MUST
be searched to look for another potential match.
Security administrators are encouraged to make use of
certificates with subjectAltName fields that can be mapped to
names so that a single root CA certificate can allow all
child certificates' subjectAltName fields to map directly to
a name via a 1:1 transformation.";
reference
"RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol (SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";
leaf id {
type uint32;
description
"The id specifies the order in which the entries in the
cert-to-name list are searched. Entries with lower
numbers are searched first.";
reference
"RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol
(SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
}
leaf fingerprint {
type tls-fingerprint;
mandatory true;
description
"Specifies a value with which the fingerprint of the
full certificate presented by the peer is compared. If
the fingerprint of the full certificate presented by the
peer does not match the fingerprint configured, then the
entry is skipped, and the search for a match continues.";
reference
"RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol
(SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
}
leaf map-type {
type identityref {
base cert-to-name;
}
mandatory true;
description
"Specifies the algorithm used to map the certificate
presented by the peer to a name.
Mappings that need additional configuration objects should
use the 'when' statement to make them conditional based on
the map-type.";
reference
"RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol
(SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";
}
leaf name {
when
"../map-type = 'x509c2n:specified'";
type string;
mandatory true;
description
"Directly specifies the NETCONF username when the
map-type is 'specified'.";
reference
"RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol
(SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";
}
} // list cert-to-name
} // grouping cert-to-name
} // module ietf-x509-cert-to-name


@ -0,0 +1,475 @@
module libnetconf2-netconf-server {
yang-version 1.1;
namespace "urn:cesnet:libnetconf2-netconf-server";
prefix np2;
import ietf-netconf-server {
prefix ncs;
}
import ietf-crypto-types {
prefix ct;
}
import iana-ssh-public-key-algs {
prefix sshpka;
}
import iana-ssh-key-exchange-algs {
prefix sshkea;
}
import iana-ssh-encryption-algs {
prefix sshea;
}
import iana-ssh-mac-algs {
prefix sshma;
}
import ietf-tls-server {
prefix tlss;
}
revision "2024-07-09" {
description "Second revision.";
}
// Identities
/*
identity ed25519-private-key-format {
base ct:private-key-format;
description
"This identity would indicate that the
private key is encoded in a ED25519PrivateKey
format. However no such format is currently
standardized or even exists.
If you wish to use a private key that uses
an ED25519 algorithm, you need to pick either
the private-key-info-format or
openssh-private-key-format identity.";
}
*/
identity private-key-info-format {
base ct:private-key-format;
description
"Indicates that the private key is encoded
as a PrivateKeyInfo structure (from RFC 5208).
The expected header of the private key:
-----BEGIN PRIVATE KEY-----
The expected footer of the private key:
-----END PRIVATE KEY-----
Supported private key algorithms to use with
this format are: RSA, EC and ED25519.
Commonly used public key format for this
type of private key is represented by the
SubjectPublicKeyInfo identity.";
reference
"RFC 5208: PKCS #8: Private-Key Information
Syntax Specification Version 1.2";
}
identity openssh-private-key-format {
base ct:private-key-format;
description
"Indicates that the private key is encoded
in the OpenSSH format.
The expected header of the private key:
-----BEGIN OPENSSH PRIVATE KEY-----
The expected footer of the private key:
-----END OPENSSH PRIVATE KEY-----
Supported private key algorithms to use with
this format are: RSA, EC and ED25519.
Commonly used public key format for this
type of private key is either the
SSH2 public key format (from RFC 4716)
or the Public key format defined in RFC 4253,
Section 6.6.";
reference
"The OpenSSH Private Key Format:
https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key
RFC 4716:
The Secure Shell (SSH) Public Key File Format
RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
identity openssh-ssh-ed25519-cert-v01 {
base sshpka:public-key-alg-base;
description
"SSH-ED25519-CERT-V01@OPENSSH.COM";
reference
"OpenSSH PROTOCOL.certkeys:
https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
}
identity openssh-ecdsa-sha2-nistp521-cert-v01 {
base sshpka:public-key-alg-base;
description
"ECDSA-SHA2-NISTP521-CERT-V01@OPENSSH.COM";
reference
"OpenSSH PROTOCOL.certkeys:
https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
}
identity openssh-ecdsa-sha2-nistp384-cert-v01 {
base sshpka:public-key-alg-base;
description
"ECDSA-SHA2-NISTP384-CERT-V01@OPENSSH.COM";
reference
"OpenSSH PROTOCOL.certkeys:
https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
}
identity openssh-ecdsa-sha2-nistp256-cert-v01 {
base sshpka:public-key-alg-base;
description
"ECDSA-SHA2-NISTP256-CERT-V01@OPENSSH.COM";
reference
"OpenSSH PROTOCOL.certkeys:
https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
}
identity openssh-rsa-sha2-512-cert-v01 {
base sshpka:public-key-alg-base;
description
"RSA-SHA2-512-CERT-V01@OPENSSH.COM";
reference
"OpenSSH PROTOCOL.certkeys:
https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
}
identity openssh-rsa-sha2-256-cert-v01 {
base sshpka:public-key-alg-base;
description
"RSA-SHA2-256-CERT-V01@OPENSSH.COM";
reference
"OpenSSH PROTOCOL.certkeys:
https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
}
identity openssh-ssh-rsa-cert-v01 {
base sshpka:public-key-alg-base;
description
"SSH-RSA-CERT-V01@OPENSSH.COM";
reference
"OpenSSH PROTOCOL.certkeys:
https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
}
identity openssh-ssh-dss-cert-v01 {
base sshpka:public-key-alg-base;
description
"SSH-DSS-CERT-V01@OPENSSH.COM";
reference
"OpenSSH PROTOCOL.certkeys:
https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD";
}
identity libssh-curve25519-sha256 {
base sshkea:key-exchange-alg-base;
description
"CURVE25519-SHA256@LIBSSH.ORG";
reference
"curve25519-sha256@libssh.org specification:
https://git.libssh.org/projects/libssh.git/tree/doc/curve25519-sha256@libssh.org.txt";
}
identity openssh-chacha20-poly1305 {
base sshea:encryption-alg-base;
description
"CHACHA20-POLY1305@OPENSSH.COM";
reference
"OpenSSH PROTOCOL.chacha20poly1305:
https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD";
}
identity openssh-aes256-gcm {
base sshea:encryption-alg-base;
description
"AES256-GCM@OPENSSH.COM";
reference
"OpenSSH PROTOCOL, Section 1.6:
https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
}
identity openssh-aes128-gcm {
base sshea:encryption-alg-base;
description
"AES128-GCM@OPENSSH.COM";
reference
"OpenSSH PROTOCOL, Section 1.6:
https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
}
identity openssh-hmac-sha2-256-etm {
base sshma:mac-alg-base;
description
"HMAC-SHA2-256-ETM@OPENSSH.COM";
reference
"OpenSSH PROTOCOL:
https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
}
identity openssh-hmac-sha2-512-etm {
base sshma:mac-alg-base;
description
"HMAC-SHA2-512-ETM@OPENSSH.COM";
reference
"OpenSSH PROTOCOL:
https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
}
identity openssh-hmac-sha1-etm {
base sshma:mac-alg-base;
description
"HMAC-SHA1-ETM@OPENSSH.COM";
reference
"OpenSSH PROTOCOL:
https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD";
}
// Typedefs
typedef time-period {
type string {
pattern '(1[0-2]|[1-9])m|[1-4]w|[1-7]d|(2[0-4]|1[0-9]|[1-9])h';
}
description
"The time-period type allows to specify time in either months, weeks, days, or hours.
Its purpose is to create time intervals for the certificate expiration notifications.";
}
// Groupings
grouping ssh-authentication-params-grouping {
description
"Grouping for SSH authentication parameters.";
leaf auth-timeout {
type uint16;
default 30;
units "seconds";
description
"Represents the maximum amount of seconds an authentication can go on for.";
}
}
grouping ssh-server-banner-grouping {
description
"Grouping for the SSH server banner.";
leaf banner {
type string {
length "1..247";
}
description
"The banner that will be sent to the client when connecting to the server.
If not set, the libnetconf2 default with its version will be used.";
reference
"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol, section 4.2.";
}
}
grouping system-auth-public-keys-grouping {
description
"Grouping for using the system configured keys in the SSH public key authentication method.";
container use-system-keys {
presence
"Indicates that the given user will be authenticated using the system's configured public keys.";
description
"Authentication is done using the system's mechanisms.";
reference
"libnetconf2 documentation:
Section SSH";
}
}
grouping keyboard-interactive-grouping {
description
"Grouping for the SSH Keyboard interactive authentication method.";
container keyboard-interactive {
presence "Indicates that the given client supports the SSH Keyboard Interactive authentication method.";
description
"Keyboard interactive SSH authentication method.";
reference
"RFC 4256:
Generic Message Exchange Authentication for
the Secure Shell Protocol (SSH)";
choice method {
mandatory true;
description
"Method to perform the authentication with.";
container use-system-auth {
presence
"Indicates that the system will handle the authentication.";
description
"Authentication is done using the system's mechanisms.";
reference
"libnetconf2 documentation:
Section SSH";
}
}
}
}
grouping endpoint-reference-grouping {
description
"Grouping for the endpoint reference.";
leaf endpoint-reference {
type leafref {
path "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:name";
}
description
"Reference to another endpoint. The purpose is to use the referenced endpoint's authentication mechanisms.
If a connection occurs on an endpoint, the connecting user will be tried to be authenticated
using the given endpoint's defined methods. If the user wasn't authenticated and the endpoint
references another endpoint, the authentication will be tried again. However, this time
using the referenced endpoint's mechanisms. The references can be
multiple, however there must not be a cycle.";
}
}
// Augments
augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh" +
"/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
uses ssh-authentication-params-grouping;
}
augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
"/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
uses ssh-authentication-params-grouping;
}
augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh" +
"/ncs:ssh/ncs:ssh-server-parameters/ncs:server-identity" {
uses ssh-server-banner-grouping;
}
augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
"/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:server-identity" {
uses ssh-authentication-params-grouping;
}
augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters" +
"/ncs:client-authentication/ncs:users/ncs:user/ncs:public-keys/ncs:inline-or-truststore" {
case system-auth-public-keys {
uses system-auth-public-keys-grouping;
}
}
augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh" +
"/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user/ncs:public-keys/ncs:inline-or-truststore" {
case system-auth-public-keys {
uses system-auth-public-keys-grouping;
}
}
augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh" +
"/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
uses keyboard-interactive-grouping;
}
augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
"/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication/ncs:users/ncs:user" {
uses keyboard-interactive-grouping;
}
augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:ssh" +
"/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
uses endpoint-reference-grouping;
}
augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
"/ncs:endpoint/ncs:transport/ncs:ssh/ncs:ssh/ncs:ssh-server-parameters/ncs:client-authentication" {
uses endpoint-reference-grouping;
}
augment "/ncs:netconf-server/ncs:listen/ncs:endpoints/ncs:endpoint/ncs:transport/ncs:tls" +
"/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
uses endpoint-reference-grouping;
}
augment "/ncs:netconf-server/ncs:call-home/ncs:netconf-client/ncs:endpoints" +
"/ncs:endpoint/ncs:transport/ncs:tls/ncs:tls/ncs:tls-server-parameters/ncs:client-authentication" {
uses endpoint-reference-grouping;
}
// Protocol-accessible Nodes
container ln2-netconf-server {
container certificate-expiration-notif-intervals {
if-feature "ct:certificate-expiration-notification";
description
"Container for the certificate expiration notification intervals.
Its child nodes describe the ability to set the time intervals for the certificate
expiration notifications. These intervals are given in the form of an anchor and a period.
By default, these notifications are generated 3, 2, and 1 month; 2 weeks; 7, 6, 5, 4, 3, 2 and 1 day before a certificate expires.
Additionally, notifications are generated on the day of expiration and every day thereafter.
Simplified example of YANG data that describe the default intervals:
Anchor Period
3m ... 1m
2w ... 1w
7d ... 1d
";
list interval {
key "anchor period";
leaf anchor {
type time-period;
description
"The time anchor for the notification. The anchor is the time
before the certificate expiration when a notification will be sent.
It is essentially the lower bound of the given interval.";
}
leaf period {
type time-period;
// Require the period to be smaller than the anchor (only units are checked for simplicity)
must "(contains(., 'm') and contains(../anchor, 'm')) or
(contains(., 'w') and (contains(../anchor, 'm') or contains(../anchor, 'w'))) or
(contains(., 'd') and (contains(../anchor, 'm') or contains(../anchor, 'w') or contains(../anchor, 'd'))) or
contains(., 'h')" {
error-message
"Certificate expiration notification period must be smaller than the anchor.";
}
description
"The period of the notification. The period is the time
between two notifications within the given time interval.";
}
}
}
}
}
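Review bot: The call-home `ncs:server-identity` augment uses `ssh-authentication-params-grouping`, while its listen counterpart a few lines above uses `ssh-server-banner-grouping`; this looks like a copy-paste slip, and its effect is that call-home endpoints get a meaningless `auth-timeout` under server-identity and have no way to configure the banner. The line should read `uses ssh-server-banner-grouping;`. Separately, the `must` on `interval/period` only compares units (as its own comment admits), so a period longer than the anchor within the same unit, e.g. anchor `1m` with period `12m`, is accepted despite the error-message claiming otherwise; if the full comparison is too awkward in XPath, the description should state that same-unit combinations are not validated. Also `auth-timeout` is a bare `uint16` with no range, so the model leaves the meaning of 0 (no timeout vs. immediate failure) undefined; a `range "1..max"` or one sentence in the description would settle it.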