rfc9642v2.txt | rfc9642.txt | |||
---|---|---|---|---|
skipping to change at line 490 ¶ | skipping to change at line 490 ¶ | |||
grouping" grouping discussed in Section 2.1.3.2. | grouping" grouping discussed in Section 2.1.3.2. | |||
2.1.3.7. The "keystore-grouping" Grouping | 2.1.3.7. The "keystore-grouping" Grouping | |||
The following tree diagram [RFC8340] illustrates the "keystore- | The following tree diagram [RFC8340] illustrates the "keystore- | |||
grouping" grouping: | grouping" grouping: | |||
grouping keystore-grouping: | grouping keystore-grouping: | |||
+-- asymmetric-keys {asymmetric-keys}? | +-- asymmetric-keys {asymmetric-keys}? | |||
| +-- asymmetric-key* [name] | | +-- asymmetric-key* [name] | |||
| +-- name? string | | +-- name string | |||
| +---u ct:asymmetric-key-pair-with-certs-grouping | | +---u ct:asymmetric-key-pair-with-certs-grouping | |||
+-- symmetric-keys {symmetric-keys}? | +-- symmetric-keys {symmetric-keys}? | |||
+-- symmetric-key* [name] | +-- symmetric-key* [name] | |||
+-- name? string | +-- name string | |||
+---u ct:symmetric-key-grouping | +---u ct:symmetric-key-grouping | |||
Comments: | Comments: | |||
* The "keystore-grouping" grouping defines a keystore instance as | * The "keystore-grouping" grouping defines a keystore instance as | |||
being composed of symmetric and asymmetric keys. The structure | being composed of symmetric and asymmetric keys. The structure | |||
for the symmetric and asymmetric keys is essentially the same: a | for the symmetric and asymmetric keys is essentially the same: a | |||
"list" inside a "container". | "list" inside a "container". | |||
* For asymmetric keys, each "asymmetric-key" uses the "asymmetric- | * For asymmetric keys, each "asymmetric-key" uses the "asymmetric- | |||
skipping to change at line 524 ¶ | skipping to change at line 524 ¶ | |||
accessible nodes defined in the "ietf-keystore" module without | accessible nodes defined in the "ietf-keystore" module without | |||
expanding the "grouping" statements: | expanding the "grouping" statements: | |||
module: ietf-keystore | module: ietf-keystore | |||
+--rw keystore {central-keystore-supported}? | +--rw keystore {central-keystore-supported}? | |||
+---u keystore-grouping | +---u keystore-grouping | |||
The following tree diagram [RFC8340] lists all the protocol- | The following tree diagram [RFC8340] lists all the protocol- | |||
accessible nodes defined in the "ietf-keystore" module, with all | accessible nodes defined in the "ietf-keystore" module, with all | |||
"grouping" statements expanded, enabling the keystore's full | "grouping" statements expanded, enabling the keystore's full | |||
structure to be seen: | structure to be seen. | |||
Note that long lines in examples are wrapped as described in | ||||
[RFC8792]. | ||||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
module: ietf-keystore | module: ietf-keystore | |||
+--rw keystore {central-keystore-supported}? | +--rw keystore {central-keystore-supported}? | |||
+--rw asymmetric-keys {asymmetric-keys}? | +--rw asymmetric-keys {asymmetric-keys}? | |||
| +--rw asymmetric-key* [name] | | +--rw asymmetric-key* [name] | |||
| +--rw name string | | +--rw name string | |||
| +--rw public-key-format? identityref | | +--rw public-key-format? identityref | |||
| +--rw public-key? binary | | +--rw public-key? binary | |||
skipping to change at line 622 ¶ | skipping to change at line 625 ¶ | |||
* The "keystore-grouping" grouping is discussed in Section 2.1.3.7. | * The "keystore-grouping" grouping is discussed in Section 2.1.3.7. | |||
* The reason for why "keystore-grouping" exists separate from the | * The reason for why "keystore-grouping" exists separate from the | |||
protocol-accessible nodes definition is to enable instances of the | protocol-accessible nodes definition is to enable instances of the | |||
keystore to be instantiated in other locations, as may be needed | keystore to be instantiated in other locations, as may be needed | |||
or desired by some modules. | or desired by some modules. | |||
2.2. Example Usage | 2.2. Example Usage | |||
The examples in this section are encoded using XML, such as might be | The examples in this section are encoded using XML | |||
the case when using the NETCONF protocol. Other encodings MAY be | [W3C.REC-xml-20081126], such as might be the case when using the | |||
used, such as JSON when using the RESTCONF protocol. | NETCONF protocol. Other encodings MAY be used, such as JSON when | |||
using the RESTCONF protocol. | ||||
2.2.1. A Keystore Instance | 2.2.1. A Keystore Instance | |||
The following example illustrates keys in <running>. Please see | The following example illustrates keys in <running>. Please see | |||
Section 3 for an example illustrating built-in values in | Section 3 for an example illustrating built-in values in | |||
<operational>. | <operational>. | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<keystore | <keystore | |||
skipping to change at line 776 ¶ | skipping to change at line 780 ¶ | |||
<expiration-date>2018-08-05T14:18:53-05:00</expiration\ | <expiration-date>2018-08-05T14:18:53-05:00</expiration\ | |||
-date> | -date> | |||
</certificate-expiration> | </certificate-expiration> | |||
</certificate> | </certificate> | |||
</certificates> | </certificates> | |||
</asymmetric-key> | </asymmetric-key> | |||
</asymmetric-keys> | </asymmetric-keys> | |||
</keystore> | </keystore> | |||
</notification> | </notification> | |||
2.2.3. The "Local or Keystore" Groupings | 2.2.3. The "Inline or Keystore" Groupings | |||
This section illustrates the various "inline-or-keystore" groupings | This section illustrates the various "inline-or-keystore" groupings | |||
defined in the "ietf-keystore" module, specifically the "inline-or- | defined in the "ietf-keystore" module, specifically the "inline-or- | |||
keystore-symmetric-key-grouping" (Section 2.1.3.3), "inline-or- | keystore-symmetric-key-grouping" (Section 2.1.3.3), "inline-or- | |||
keystore-asymmetric-key-grouping" (Section 2.1.3.4), "inline-or- | keystore-asymmetric-key-grouping" (Section 2.1.3.4), "inline-or- | |||
keystore-asymmetric-key-with-certs-grouping" (Section 2.1.3.5), and | keystore-asymmetric-key-with-certs-grouping" (Section 2.1.3.5), and | |||
"inline-or-keystore-end-entity-cert-with-key-grouping" | "inline-or-keystore-end-entity-cert-with-key-grouping" | |||
(Section 2.1.3.6) groupings. | (Section 2.1.3.6) groupings. | |||
These examples assume the existence of an example module called "ex- | These examples assume the existence of an example module called "ex- | |||
skipping to change at line 1591 ¶ | skipping to change at line 1595 ¶ | |||
The primary characteristic of the built-in keys is that they are | The primary characteristic of the built-in keys is that they are | |||
provided by the server, as opposed to being configured. As such, | provided by the server, as opposed to being configured. As such, | |||
they are present in <operational> (Section 5.3 of [RFC8342]) and | they are present in <operational> (Section 5.3 of [RFC8342]) and | |||
<system> [NETMOD-SYSTEM-CONFIG], if implemented. | <system> [NETMOD-SYSTEM-CONFIG], if implemented. | |||
The example below illustrates what the keystore in <operational> | The example below illustrates what the keystore in <operational> | |||
might look like for a server in its factory default state. Note that | might look like for a server in its factory default state. Note that | |||
the built-in keys have the "or:origin" annotation value "or:system". | the built-in keys have the "or:origin" annotation value "or:system". | |||
Note: the following examples use XML [W3C.REC-xml-20081126] encoding. | ||||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore" | <keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore" | |||
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types" | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types" | |||
xmlns:or="urn:ietf:params:xml:ns:yang:ietf-origin" | xmlns:or="urn:ietf:params:xml:ns:yang:ietf-origin" | |||
or:origin="or:intended"> | or:origin="or:intended"> | |||
<asymmetric-keys> | <asymmetric-keys> | |||
<asymmetric-key or:origin="or:system"> | <asymmetric-key or:origin="or:system"> | |||
<name>Manufacturer-Generated Hidden Key</name> | <name>Manufacturer-Generated Hidden Key</name> | |||
<public-key-format>ct:subject-public-key-info-format</public-k\ | <public-key-format>ct:subject-public-key-info-format</public-k\ | |||
skipping to change at line 1876 ¶ | skipping to change at line 1882 ¶ | |||
This module also does not constrain the usage of the associated | This module also does not constrain the usage of the associated | |||
public keys other than in the context of a configured certificate | public keys other than in the context of a configured certificate | |||
(e.g., an identity certificate), in which case the key usage is | (e.g., an identity certificate), in which case the key usage is | |||
constrained by the certificate. | constrained by the certificate. | |||
5.3. Security Considerations for the "ietf-keystore" YANG Module | 5.3. Security Considerations for the "ietf-keystore" YANG Module | |||
This section follows the template defined in Section 3.7.1 of | This section follows the template defined in Section 3.7.1 of | |||
[RFC8407]. | [RFC8407]. | |||
The YANG module specified in this document defines a schema for data | The ietf-keystore YANG module defines a data model that is designed | |||
that is designed to be accessed via network management protocols such | to be accessed via YANG-based management protocols, such as NETCONF | |||
as NETCONF [RFC6241] or RESTCONF [RFC8040]. Both of these protocols | [RFC6241] and RESTCONF [RFC8040]. These protocols have mandatory-to- | |||
have mandatory-to-implement secure transport layers (e.g., Secure | implement secure transport layers (e.g., SSH [RFC4252], TLS | |||
Shell (SSH), TLS) with mutual authentication. | [RFC8446], and QUIC [RFC9000]) and mandatory-to-implement mutal | |||
authentication. | ||||
The Network Configuration Access Control Model (NACM) [RFC8341] | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
provides the means to restrict access for particular users to a | provides the means to restrict access for particular users to a | |||
preconfigured subset of all available protocol operations and | preconfigured subset of all available protocol operations and | |||
content. | content. | |||
Please be aware that this YANG module uses groupings from other YANG | Please be aware that this YANG module uses groupings from other YANG | |||
modules that define nodes that may be considered sensitive or | modules that define nodes that may be considered sensitive or | |||
vulnerable in network environments. Please review the Security | vulnerable in network environments. Please review the Security | |||
Considerations for dependent YANG modules for information as to which | Considerations for dependent YANG modules for information as to which | |||
skipping to change at line 1962 ¶ | skipping to change at line 1969 ¶ | |||
7. References | 7. References | |||
7.1. Normative References | 7.1. Normative References | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | ||||
Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252, | ||||
January 2006, <https://www.rfc-editor.org/info/rfc4252>. | ||||
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | |||
the Network Configuration Protocol (NETCONF)", RFC 6020, | the Network Configuration Protocol (NETCONF)", RFC 6020, | |||
DOI 10.17487/RFC6020, October 2010, | DOI 10.17487/RFC6020, October 2010, | |||
<https://www.rfc-editor.org/info/rfc6020>. | <https://www.rfc-editor.org/info/rfc6020>. | |||
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | |||
and A. Bierman, Ed., "Network Configuration Protocol | and A. Bierman, Ed., "Network Configuration Protocol | |||
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | |||
<https://www.rfc-editor.org/info/rfc6241>. | <https://www.rfc-editor.org/info/rfc6241>. | |||
skipping to change at line 1989 ¶ | skipping to change at line 2000 ¶ | |||
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration | [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration | |||
Access Control Model", STD 91, RFC 8341, | Access Control Model", STD 91, RFC 8341, | |||
DOI 10.17487/RFC8341, March 2018, | DOI 10.17487/RFC8341, March 2018, | |||
<https://www.rfc-editor.org/info/rfc8341>. | <https://www.rfc-editor.org/info/rfc8341>. | |||
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | ||||
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | ||||
<https://www.rfc-editor.org/info/rfc8446>. | ||||
[RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | ||||
Multiplexed and Secure Transport", RFC 9000, | ||||
DOI 10.17487/RFC9000, May 2021, | ||||
<https://www.rfc-editor.org/info/rfc9000>. | ||||
[RFC9640] Watsen, K., "YANG Data Types and Groupings for | [RFC9640] Watsen, K., "YANG Data Types and Groupings for | |||
Cryptography", RFC 9640, DOI 10.17487/RFC9640, August | Cryptography", RFC 9640, DOI 10.17487/RFC9640, August | |||
2024, <https://www.rfc-editor.org/info/rfc9640>. | 2024, <https://www.rfc-editor.org/info/rfc9640>. | |||
7.2. Informative References | 7.2. Informative References | |||
[HTTP-CLIENT-SERVER] | [HTTP-CLIENT-SERVER] | |||
Watsen, K., "YANG Groupings for HTTP Clients and HTTP | Watsen, K., "YANG Groupings for HTTP Clients and HTTP | |||
Servers", Work in Progress, Internet-Draft, draft-ietf- | Servers", Work in Progress, Internet-Draft, draft-ietf- | |||
netconf-http-client-server-23, 15 August 2024, | netconf-http-client-server-23, 15 August 2024, | |||
skipping to change at line 2041 ¶ | skipping to change at line 2061 ¶ | |||
[RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | |||
and R. Wilton, "Network Management Datastore Architecture | and R. Wilton, "Network Management Datastore Architecture | |||
(NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | |||
<https://www.rfc-editor.org/info/rfc8342>. | <https://www.rfc-editor.org/info/rfc8342>. | |||
[RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | |||
Documents Containing YANG Data Models", BCP 216, RFC 8407, | Documents Containing YANG Data Models", BCP 216, RFC 8407, | |||
DOI 10.17487/RFC8407, October 2018, | DOI 10.17487/RFC8407, October 2018, | |||
<https://www.rfc-editor.org/info/rfc8407>. | <https://www.rfc-editor.org/info/rfc8407>. | |||
[RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu, | ||||
"Handling Long Lines in Content of Internet-Drafts and | ||||
RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020, | ||||
<https://www.rfc-editor.org/info/rfc8792>. | ||||
[RFC9641] Watsen, K., "A YANG Data Model for a Truststore", | [RFC9641] Watsen, K., "A YANG Data Model for a Truststore", | |||
RFC 9641, DOI 10.17487/RFC9641, August 2024, | RFC 9641, DOI 10.17487/RFC9641, August 2024, | |||
<https://www.rfc-editor.org/info/rfc9641>. | <https://www.rfc-editor.org/info/rfc9641>. | |||
[RFC9643] Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | [RFC9643] Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | |||
and TCP Servers", RFC 9643, DOI 10.17487/RFC9643, August | and TCP Servers", RFC 9643, DOI 10.17487/RFC9643, August | |||
2024, <https://www.rfc-editor.org/info/rfc9643>. | 2024, <https://www.rfc-editor.org/info/rfc9643>. | |||
[RFC9644] Watsen, K., "YANG Groupings for SSH Clients and SSH | [RFC9644] Watsen, K., "YANG Groupings for SSH Clients and SSH | |||
Servers", RFC 9644, DOI 10.17487/RFC9644, August 2024, | Servers", RFC 9644, DOI 10.17487/RFC9644, August 2024, | |||
skipping to change at line 2063 ¶ | skipping to change at line 2088 ¶ | |||
[RFC9645] Watsen, K., "YANG Groupings for TLS Clients and TLS | [RFC9645] Watsen, K., "YANG Groupings for TLS Clients and TLS | |||
Servers", RFC 9645, DOI 10.17487/RFC9645, August 2024, | Servers", RFC 9645, DOI 10.17487/RFC9645, August 2024, | |||
<https://www.rfc-editor.org/info/rfc9645>. | <https://www.rfc-editor.org/info/rfc9645>. | |||
[Std-802.1AR-2018] | [Std-802.1AR-2018] | |||
IEEE, "IEEE Standard for Local and Metropolitan Area | IEEE, "IEEE Standard for Local and Metropolitan Area | |||
Networks - Secure Device Identity", IEEE Std 802.1AR-2018, | Networks - Secure Device Identity", IEEE Std 802.1AR-2018, | |||
DOI 10.1109/IEEESTD.2018.8423794, August 2018, | DOI 10.1109/IEEESTD.2018.8423794, August 2018, | |||
<https://standards.ieee.org/standard/802_1AR-2018.html>. | <https://standards.ieee.org/standard/802_1AR-2018.html>. | |||
[W3C.REC-xml-20081126] | ||||
Bray, T., Paoli, J., Sperberg-McQueen, C. M., Maler, E., | ||||
and F. Yergeau, "Extensible Markup Language (XML) 1.0 | ||||
(Fifth Edition)", W3C Recommendation REC-xml-20081126, | ||||
November 2008, <https://www.w3.org/TR/xml/>. | ||||
Acknowledgements | Acknowledgements | |||
The authors would like to thank the following for lively discussions | The authors would like to thank the following for lively discussions | |||
on list and in the halls (ordered by first name): Alan Luchuk, Andy | on list and in the halls (ordered by first name): Alan Luchuk, Andy | |||
Bierman, Balázs Kovács, Benoit Claise, Bert Wijnen, David Lamparter, | Bierman, Balázs Kovács, Benoit Claise, Bert Wijnen, David Lamparter, | |||
Eric Voit, Éric Vyncke, Francesca Palombini, Jürgen Schönwälder, | Eric Voit, Éric Vyncke, Francesca Palombini, Jürgen Schönwälder, | |||
Ladislav Lhotka, Liang Xia, Magnus Nyström, Mahesh Jethanandani, | Ladislav Lhotka, Liang Xia, Magnus Nyström, Mahesh Jethanandani, | |||
Martin Björklund, Mehmet Ersue, Murray Kucherawy, Paul Wouters, Phil | Martin Björklund, Mehmet Ersue, Murray Kucherawy, Paul Wouters, Phil | |||
Shafer, Qin Wu, Radek Krejci, Ramkumar Dhanapal, Reese Enghardt, | Shafer, Qin Wu, Radek Krejci, Ramkumar Dhanapal, Reese Enghardt, | |||
Reshad Rahman, Rob Wilton, Roman Danyliw, Sandra Murphy, Sean Turner, | Reshad Rahman, Rob Wilton, Roman Danyliw, Sandra Murphy, Sean Turner, | |||
End of changes. 11 change blocks. | ||||
12 lines changed or deleted | 43 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |