
ietf-system-tls-auth


ietf-system-tls-auth@2014-05-24



  module ietf-system-tls-auth {

    // Adds TLS client-authentication configuration under
    // /sys:system/sys:authentication (see the augment at the end
    // of the module): CA trust anchors, pinned client certificates,
    // certificate-to-username maps and PSK-to-username maps.
    yang-version 1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-system-tls-auth";

    prefix system-tls-auth;

    // sys: the augment target (/sys:system/sys:authentication).
    import ietf-system {
      prefix sys;
    }
    // nacm: user-name-type for the PSK user-name leaf, and the
    // default-deny-all extension placed on the PSK key leaf.
    import ietf-netconf-acm {
      prefix nacm;
    }
    // yang: date-and-time (validity window) and hex-string (PSK key).
    import ietf-yang-types {
      prefix yang;
    }
    // x509c2n: the cert-to-name grouping reused inside cert-maps.
    import ietf-x509-cert-to-name {
      prefix x509c2n;
    }

    organization
      "IETF NETCONF (Network Configuration) Working Group";

    contact
      "WG Web:   <http://tools.ietf.org/wg/netconf/>
    WG List:  <mailto:netconf@ietf.org>

    WG Chair: Mehmet Ersue
              <mailto:mehmet.ersue@nsn.com>

    WG Chair: Bert Wijnen
              <mailto:bertietf@bwijnen.net>

    Editor:   Kent Watsen
              <mailto:kwatsen@juniper.net>

              Juergen Schoenwaelder
              <mailto:j.schoenwaelder@jacobs-university.de>";

    description
      "This module augments the ietf-system module in order to
    add TLS authentication configuration nodes to the
    'authentication' container.

    Copyright (c) 2014 IETF Trust and the persons identified as
    authors of the code. All rights reserved.

    Redistribution and use in source and binary forms, with or
    without modification, is permitted pursuant to, and subject
    to the license terms contained in, the Simplified BSD
    License set forth in Section 4.c of the IETF Trust's
    Legal Provisions Relating to IETF Documents
    (http://trustee.ietf.org/license-info).

    This version of this YANG module is part of RFC XXXX; see
    the RFC itself for full legal notices.";

    // "RFC XXXX" is a draft placeholder; the published RFC number is
    // not given anywhere in this module.
    revision "2014-05-24" {
      description "Initial version";
      reference
        "RFC XXXX: NETCONF Server Configuration Model";

    }


    // Gates the cert-maps container below (if-feature).
    feature tls-map-certificates {
      description
        "The tls-map-certificates feature indicates that the
      NETCONF server implements mapping X.509 certificates to NETCONF
      usernames.";
    }

    // Gates the psk-maps container below (if-feature).
    feature tls-map-pre-shared-keys {
      description
        "The tls-map-pre-shared-keys feature indicates that the
      NETCONF server implements mapping TLS pre-shared keys to NETCONF
      usernames.";
    }

    // All TLS client-authentication configuration; instantiated once,
    // by the augment at the end of the module.
    // NOTE(review): this grouping carries no description statement.
    grouping tls-global-config {
      // Trust anchors. Per the description, a client certificate is
      // accepted when its Issuer matches one of these CA certificates.
      // NOTE(review): the text describes only the Issuer match; whether
      // full path validation (expiry, revocation, chain building) is
      // also applied is not stated here -- confirm with the server
      // implementation before relying on this list alone.
      container trusted-ca-certs {
        description
          "A list of Certificate Authority (CA) certificates that a
         NETCONF server can use to authenticate a NETCONF client's
         certificate.  A client's certificate is authenticated if
         its Issuer matches one of the configured trusted CA
         certificates.";
        leaf-list trusted-ca-cert {
          type binary;
          description
            "The binary certificate structure, as
           specified by RFC 5246, Section 7.4.6, i.e.,:

             opaque ASN.1Cert<1..2^24>;

          ";
          reference
            "RFC 5246: The Transport Layer Security (TLS)
            	  Protocol Version 1.2";

        }
      }  // container trusted-ca-certs

      // Pinned end-entity certificates: authentication is an exact
      // match against one of these, independent of any CA.
      container trusted-client-certs {
        description
          "A list of client certificates that a NETCONF server can
         use to authenticate a NETCONF client's certificate.  A
         client's certificate is authenticated if it is an exact
         match to one of the configured trusted client certificates.";
        leaf-list trusted-client-cert {
          type binary;
          description
            "The binary certificate structure, as
           specified by RFC 5246, Section 7.4.6, i.e.,:

             opaque ASN.1Cert<1..2^24>;

          ";
          reference
            "RFC 5246: The Transport Layer Security (TLS)
            	  Protocol Version 1.2";

        }
      }  // container trusted-client-certs

      // Certificate -> NETCONF username mapping (x509c2n:cert-to-name).
      // The description makes the fail-closed behaviour normative:
      // no matching, valid entry => the server MUST close the connection.
      container cert-maps {
        if-feature tls-map-certificates;
        description
          "The cert-maps container is used by a NETCONF server to
        map the NETCONF client's presented X.509 certificate to
        a NETCONF username.

        If no matching and valid cert-to-name list entry can be
        found, then the NETCONF server MUST close the connection,
        and MUST NOT accept NETCONF messages over it.";
        uses x509c2n:cert-to-name;
      }  // container cert-maps

      // PSK identity -> NETCONF username mapping. Lookup is by the
      // PSK identity sent in the TLS ClientKeyExchange; a missing
      // entry or a key mismatch terminates the connection.
      container psk-maps {
        if-feature tls-map-pre-shared-keys;
        description
          "During the TLS Handshake, the client indicates which
         key to use by including a PSK identity in the TLS
         ClientKeyExchange message. On the NETCONF server side,
         this PSK identity is used to look up an entry in the psk-map
         list. If such an entry is found, and the pre-shared keys
         match, then the client is authenticated. The NETCONF
         server uses the value from the user-name leaf in the
         psk-map list as the NETCONF username.  If the NETCONF
         server cannot find an entry in the psk-map list, or if
         the pre-shared keys do not match, then the NETCONF
         server terminates the connection.";
        reference
          "RFC 4279: Pre-Shared Key Ciphersuites for Transport Layer
          	  Security (TLS)";

        // One entry per PSK identity (list key).
        // NOTE(review): the list itself has no description statement.
        list psk-map {
          key "psk-identity";
          leaf psk-identity {
            type string;
            description
              "The PSK identity encoded as a UTF-8 string. For
             details how certain common PSK identity formats can
             be encoded in UTF-8, see section 5.1. of RFC 4279.";
            reference
              "RFC 4279: Pre-Shared Key Ciphersuites for Transport
              Layer Security (TLS)";

          }

          leaf user-name {
            type nacm:user-name-type;
            mandatory true;
            description
              "The NETCONF username associated with this PSK
             identity.";
          }

          // Optional validity window: neither bound is mandatory, so
          // an entry with both absent has no time restriction in the
          // model itself.
          leaf not-valid-before {
            type yang:date-and-time;
            description
              "This PSK identity is not valid before the given date
             and time.";
          }

          leaf not-valid-after {
            type yang:date-and-time;
            description
              "This PSK identity is not valid after the given date
             and time.";
          }

          // The PSK secret itself lives in configuration as a hex
          // string. nacm:default-deny-all marks it as sensitive so NACM
          // denies access unless a rule explicitly grants it; this is
          // the only protection the model provides for the key, so
          // configuration export/backup paths need their own handling.
          leaf key {
            nacm:default-deny-all;
            type yang:hex-string;
            mandatory true;
            description
              "The key associated with the PSK identity";
            reference
              "RFC 4279: Pre-Shared Key Ciphersuites for Transport
              Layer Security (TLS)";

          }
        }  // list psk-map
      }  // container psk-maps
    }  // grouping tls-global-config

    // Instantiates the grouping as
    // /sys:system/sys:authentication/tls.
    // NOTE(review): neither the augment nor the tls container has a
    // description statement.
    augment /sys:system/sys:authentication {
      container tls {
        uses tls-global-config;
      }  // container tls
    }
  }  // module ietf-system-tls-auth

Summary

  
  
Organization IETF NETCONF (Network Configuration) Working Group
  
Module ietf-system-tls-auth
Version 2014-05-24
File ietf-system-tls-auth.yang
  
Prefix system-tls-auth
Namespace urn:ietf:params:xml:ns:yang:ietf-system-tls-auth
  
Cooked /cookedmodules/ietf-system-tls-auth/2014-05-24
YANG /src/ietf-system-tls-auth@2014-05-24.yang
XSD /xsd/ietf-system-tls-auth@2014-05-24.xsd
  
Abstract This module augments the ietf-system module in order to add TLS authentication configuration nodes to the 'authentication' conta...
  
Contact
WG Web:   <http://tools.ietf.org/wg/netconf/>
WG List:  <mailto:netconf@ietf.org>

WG Chair: Mehmet Ersue
	  <mailto:mehmet.ersue@nsn.com>

WG Chair: Bert Wijnen
	  <mailto:bertietf@bwijnen.net>

Editor:   Kent Watsen
	  <mailto:kwatsen@juniper.net>

	  Juergen Schoenwaelder
	  <mailto:j.schoenwaelder@jacobs-university.de>

Description

 
This module augments the ietf-system module in order to
add TLS authentication configuration nodes to the
'authentication' container.

Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved.

Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).

This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.

Groupings

Grouping Objects Abstract
tls-global-config trusted-ca-certs trusted-client-certs cert-maps psk-maps