**/.openapi-generator
.openapi-generator-ignore
yang-parser/yang-parser-jar/src/main/resources/modules/*.yang
+# The following ietf models are temporarily missing and can't be downloaded so are included here
+!yang-parser/yang-parser-jar/src/main/resources/modules/ietf-inet-types-2019-11-04.yang
+!yang-parser/yang-parser-jar/src/main/resources/modules/ietf-yang-types-2019-11-04.yang
+#
yang-parser/yang-parser-jar/src/test/resources/_orig-modules/ietf*.yang
+# The following ietf models are temporarily missing and can't be downloaded so are included here
+!yang-parser/yang-parser-jar/src/test/resources/_orig-modules/ietf-inet-types-2019-11-04.yang
+!yang-parser/yang-parser-jar/src/test/resources/_orig-modules/ietf-yang-types-2019-11-04.yang
+!yang-parser/yang-parser-jar/src/test/resources/_orig-modules/ietf-crypto-types-2019-11-20.yang
+!yang-parser/yang-parser-jar/src/test/resources/_orig-modules/ietf-keystore-2019-11-20.yang
+!yang-parser/yang-parser-jar/src/test/resources/_orig-modules/ietf-netconf-client-2019-11-20.yang
+!yang-parser/yang-parser-jar/src/test/resources/_orig-modules/ietf-netconf-server-2018-09-20.yang
+!yang-parser/yang-parser-jar/src/test/resources/_orig-modules/ietf-ssh-client-2019-11-20.yang
+!yang-parser/yang-parser-jar/src/test/resources/_orig-modules/ietf-ssh-common-2019-11-20.yang
+!yang-parser/yang-parser-jar/src/test/resources/_orig-modules/ietf-ssh-server-2019-11-20.yang
+!yang-parser/yang-parser-jar/src/test/resources/_orig-modules/ietf-tcp-client-2019-10-18.yang
+!yang-parser/yang-parser-jar/src/test/resources/_orig-modules/ietf-tcp-common-2019-10-18.yang
+!yang-parser/yang-parser-jar/src/test/resources/_orig-modules/ietf-tcp-server-2019-10-18.yang
+!yang-parser/yang-parser-jar/src/test/resources/_orig-modules/ietf-tls-client-2019-11-20.yang
+!yang-parser/yang-parser-jar/src/test/resources/_orig-modules/ietf-tls-common-2019-11-20.yang
+!yang-parser/yang-parser-jar/src/test/resources/_orig-modules/ietf-tls-server-2019-11-20.yang
+!yang-parser/yang-parser-jar/src/test/resources/_orig-modules/ietf-truststore-2019-11-20.yang
+!yang-parser/yang-parser-jar/src/test/resources/_orig-modules/ietf-yang-push-2019-05-21.yang
+#
yang-parser/yang-parser-jar/src/test/resources/_orig-modules/_3gpp*.yang
yang-parser/yang-parser-jar/src/test/resources/_orig-modules/iana*.yang
pgsql-schema-generator/src/test/resources/generate-defaults/import/*.yang
--- /dev/null
+module ietf-inet-types {
+
+ namespace "urn:ietf:params:xml:ns:yang:ietf-inet-types";
+ prefix "inet";
+
+ organization
+ "IETF Network Modeling (NETMOD) Working Group";
+
+ contact
+ "WG Web: <https://datatracker.ietf.org/wg/netmod/>
+ WG List: <mailto:netmod@ietf.org>
+
+ Editor: Juergen Schoenwaelder
+ <mailto:j.schoenwaelder@jacobs-university.de>";
+
+ description
+ "This module contains a collection of generally useful derived
+ YANG data types for Internet addresses and related things.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
+ NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
+ 'MAY', and 'OPTIONAL' in this document are to be interpreted as
+ described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
+ they appear in all capitals, as shown here.
+
+ Copyright (c) 2019 IETF Trust and the persons identified as
+ authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD License
+ set forth in Section 4.c of the IETF Trust's Legal Provisions
+ Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX;
+ see the RFC itself for full legal notices.";
+ revision 2019-11-04 {
+ description
+ "This revision adds the following new data types:
+ - ip-address-and-prefix
+ - ipv4-address-and-prefix
+ - ipv6-address-and-prefix
+ - email-address";
+ reference
+ "RFC XXXX: Common YANG Data Types";
+ }
+
+ revision 2013-07-15 {
+ description
+ "This revision adds the following new data types:
+ - ip-address-no-zone
+ - ipv4-address-no-zone
+ - ipv6-address-no-zone";
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ revision 2010-09-24 {
+ description
+ "Initial revision.";
+ reference
+ "RFC 6021: Common YANG Data Types";
+ }
+
+ /*** collection of types related to protocol fields ***/
+
+ typedef ip-version {
+ type enumeration {
+ enum unknown {
+ value "0";
+ description
+ "An unknown or unspecified version of the Internet
+ protocol.";
+ }
+ enum ipv4 {
+ value "1";
+ description
+ "The IPv4 protocol as defined in RFC 791.";
+ }
+ enum ipv6 {
+ value "2";
+ description
+ "The IPv6 protocol as defined in RFC 2460.";
+ }
+ }
+ description
+ "This value represents the version of the IP protocol.
+
+ In the value set and its semantics, this type is equivalent
+ to the InetVersion textual convention of the SMIv2.";
+ reference
+ "RFC 791: Internet Protocol
+ RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
+ RFC 4001: Textual Conventions for Internet Network Addresses";
+ }
+
+ typedef dscp {
+ type uint8 {
+ range "0..63";
+ }
+ description
+ "The dscp type represents a Differentiated Services Code Point
+ that may be used for marking packets in a traffic stream.
+
+ In the value set and its semantics, this type is equivalent
+ to the Dscp textual convention of the SMIv2.";
+ reference
+ "RFC 3289: Management Information Base for the Differentiated
+ Services Architecture
+ RFC 2474: Definition of the Differentiated Services Field
+ (DS Field) in the IPv4 and IPv6 Headers
+ RFC 2780: IANA Allocation Guidelines For Values In
+ the Internet Protocol and Related Headers";
+ }
+
+ typedef ipv6-flow-label {
+ type uint32 {
+ range "0..1048575";
+ }
+ description
+ "The ipv6-flow-label type represents the flow identifier or
+ Flow Label in an IPv6 packet header that may be used to
+ discriminate traffic flows.
+
+ In the value set and its semantics, this type is equivalent
+ to the IPv6FlowLabel textual convention of the SMIv2.";
+ reference
+ "RFC 3595: Textual Conventions for IPv6 Flow Label
+ RFC 2460: Internet Protocol, Version 6 (IPv6) Specification";
+ }
+
+ typedef port-number {
+ type uint16 {
+ range "0..65535";
+ }
+ description
+ "The port-number type represents a 16-bit port number of an
+ Internet transport-layer protocol such as UDP, TCP, DCCP, or
+ SCTP. Port numbers are assigned by IANA. A current list of
+ all assignments is available from <http://www.iana.org/>.
+
+ Note that the port number value zero is reserved by IANA. In
+ situations where the value zero does not make sense, it can
+ be excluded by subtyping the port-number type.
+
+ In the value set and its semantics, this type is equivalent
+ to the InetPortNumber textual convention of the SMIv2.";
+ reference
+ "RFC 768: User Datagram Protocol
+ RFC 793: Transmission Control Protocol
+ RFC 4960: Stream Control Transmission Protocol
+ RFC 4340: Datagram Congestion Control Protocol (DCCP)
+ RFC 4001: Textual Conventions for Internet Network Addresses";
+ }
+
+ /*** collection of types related to autonomous systems ***/
+
+ typedef as-number {
+ type uint32;
+ description
+ "The as-number type represents autonomous system numbers
+ which identify an Autonomous System (AS). An AS is a set
+ of routers under a single technical administration, using
+ an interior gateway protocol and common metrics to route
+ packets within the AS, and using an exterior gateway
+ protocol to route packets to other ASes. IANA maintains
+ the AS number space and has delegated large parts to the
+ regional registries.
+
+ Autonomous system numbers were originally limited to 16
+ bits. BGP extensions have enlarged the autonomous system
+ number space to 32 bits. This type therefore uses an uint32
+ base type without a range restriction in order to support
+ a larger autonomous system number space.
+
+ In the value set and its semantics, this type is equivalent
+ to the InetAutonomousSystemNumber textual convention of
+ the SMIv2.";
+ reference
+ "RFC 1930: Guidelines for creation, selection, and registration
+ of an Autonomous System (AS)
+ RFC 4271: A Border Gateway Protocol 4 (BGP-4)
+ RFC 4001: Textual Conventions for Internet Network Addresses
+ RFC 6793: BGP Support for Four-Octet Autonomous System (AS)
+ Number Space";
+ }
+
+ /*** collection of types related to IP addresses and hostnames ***/
+
+ typedef ip-address {
+ type union {
+ type inet:ipv4-address;
+ type inet:ipv6-address;
+ }
+ description
+ "The ip-address type represents an IP address and is IP
+ version neutral. The format of the textual representation
+ implies the IP version. This type supports scoped addresses
+ by allowing zone identifiers in the address format.";
+ reference
+ "RFC 4007: IPv6 Scoped Address Architecture";
+ }
+
+ typedef ipv4-address {
+ type string {
+ pattern
+ '(([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}'
+ + '([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])'
+ + '(%[\p{N}\p{L}]+)?';
+ }
+ description
+ "The ipv4-address type represents an IPv4 address in
+ dotted-quad notation. The IPv4 address may include a zone
+ index, separated by a % sign.
+
+ The zone index is used to disambiguate identical address
+ values. For link-local addresses, the zone index will
+ typically be the interface index number or the name of an
+ interface. If the zone index is not present, the default
+ zone of the device will be used.
+
+ The canonical format for the zone index is the numerical
+ format";
+ }
+
+ typedef ipv6-address {
+ type string {
+ pattern '((:|[0-9a-fA-F]{0,4}):)([0-9a-fA-F]{0,4}:){0,5}'
+ + '((([0-9a-fA-F]{0,4}:)?(:|[0-9a-fA-F]{0,4}))|'
+ + '(((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}'
+ + '(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])))'
+ + '(%[\p{N}\p{L}]+)?';
+ pattern '(([^:]+:){6}(([^:]+:[^:]+)|(.*\..*)))|'
+ + '((([^:]+:)*[^:]+)?::(([^:]+:)*[^:]+)?)'
+ + '(%.+)?';
+ }
+ description
+ "The ipv6-address type represents an IPv6 address in full,
+ mixed, shortened, and shortened-mixed notation. The IPv6
+ address may include a zone index, separated by a % sign.
+
+ The zone index is used to disambiguate identical address
+ values. For link-local addresses, the zone index will
+ typically be the interface index number or the name of an
+ interface. If the zone index is not present, the default
+ zone of the device will be used.
+
+ The canonical format of IPv6 addresses uses the textual
+ representation defined in Section 4 of RFC 5952. The
+ canonical format for the zone index is the numerical
+ format as described in Section 11.2 of RFC 4007.";
+ reference
+ "RFC 4291: IP Version 6 Addressing Architecture
+ RFC 4007: IPv6 Scoped Address Architecture
+ RFC 5952: A Recommendation for IPv6 Address Text
+ Representation";
+ }
+
+ typedef ip-address-no-zone {
+ type union {
+ type inet:ipv4-address-no-zone;
+ type inet:ipv6-address-no-zone;
+ }
+ description
+ "The ip-address-no-zone type represents an IP address and is
+ IP version neutral. The format of the textual representation
+ implies the IP version. This type does not support scoped
+ addresses since it does not allow zone identifiers in the
+ address format.";
+ reference
+ "RFC 4007: IPv6 Scoped Address Architecture";
+ }
+
+ typedef ipv4-address-no-zone {
+ type inet:ipv4-address {
+ pattern '[0-9\.]*';
+ }
+ description
+ "An IPv4 address without a zone index. This type, derived from
+ ipv4-address, may be used in situations where the zone is known
+ from the context and hence no zone index is needed.";
+ }
+
+ typedef ipv6-address-no-zone {
+ type inet:ipv6-address {
+ pattern '[0-9a-fA-F:\.]*';
+ }
+ description
+ "An IPv6 address without a zone index. This type, derived from
+ ipv6-address, may be used in situations where the zone is known
+ from the context and hence no zone index is needed.";
+ reference
+ "RFC 4291: IP Version 6 Addressing Architecture
+ RFC 4007: IPv6 Scoped Address Architecture
+ RFC 5952: A Recommendation for IPv6 Address Text
+ Representation";
+ }
+
+ typedef ip-prefix {
+ type union {
+ type inet:ipv4-prefix;
+ type inet:ipv6-prefix;
+ }
+ description
+ "The ip-prefix type represents an IP prefix and is IP
+ version neutral. The format of the textual representations
+ implies the IP version.";
+ }
+
+ typedef ipv4-prefix {
+ type string {
+ pattern
+ '(([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}'
+ + '([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])'
+ + '/(([0-9])|([1-2][0-9])|(3[0-2]))';
+ }
+ description
+ "The ipv4-prefix type represents an IPv4 prefix.
+ The prefix length is given by the number following the
+ slash character and must be less than or equal to 32.
+
+ A prefix length value of n corresponds to an IP address
+ mask that has n contiguous 1-bits from the most
+ significant bit (MSB) and all other bits set to 0.
+ The canonical format of an IPv4 prefix has all bits of
+ the IPv4 address set to zero that are not part of the
+ IPv4 prefix.
+
+ The definition of ipv4-prefix does not require that bits,
+ which are not part of the prefix, are set to zero. However,
+ implementations have to return values in canonical format,
+ which requires non-prefix bits to be set to zero. This means
+ that 192.0.2.1/24 must be accepted as a valid value but it
+ will be converted into the canonical format 192.0.2.0/24.";
+ }
+
+ typedef ipv6-prefix {
+ type string {
+ pattern '((:|[0-9a-fA-F]{0,4}):)([0-9a-fA-F]{0,4}:){0,5}'
+ + '((([0-9a-fA-F]{0,4}:)?(:|[0-9a-fA-F]{0,4}))|'
+ + '(((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}'
+ + '(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])))'
+ + '(/(([0-9])|([0-9]{2})|(1[0-1][0-9])|(12[0-8])))';
+ pattern '(([^:]+:){6}(([^:]+:[^:]+)|(.*\..*)))|'
+ + '((([^:]+:)*[^:]+)?::(([^:]+:)*[^:]+)?)'
+ + '(/.+)';
+ }
+ description
+ "The ipv6-prefix type represents an IPv6 prefix.
+ The prefix length is given by the number following the
+ slash character and must be less than or equal to 128.
+
+ A prefix length value of n corresponds to an IP address
+ mask that has n contiguous 1-bits from the most
+ significant bit (MSB) and all other bits set to 0.
+
+ The canonical format of an IPv6 prefix has all bits of
+ the IPv6 address set to zero that are not part of the
+ IPv6 prefix. Furthermore, the IPv6 address is represented
+ as defined in Section 4 of RFC 5952.
+
+ The definition of ipv6-prefix does not require that bits,
+ which are not part of the prefix, are set to zero. However,
+ implementations have to return values in canonical format,
+ which requires non-prefix bits to be set to zero. This means
+ that 2001:db8::1/64 must be accepted as a valid value but it
+ will be converted into the canonical format 2001:db8::/64.";
+ reference
+ "RFC 5952: A Recommendation for IPv6 Address Text
+ Representation";
+ }
+
+ typedef ip-address-and-prefix {
+ type union {
+ type inet:ipv4-address-and-prefix;
+ type inet:ipv6-address-and-prefix;
+ }
+ description
+ "The ip-address-and-prefix type represents an IP address and
+ prefix and is IP version neutral. The format of the textual
+ representations implies the IP version.";
+ }
+
+ typedef ipv4-address-and-prefix {
+ type string {
+ pattern
+ '(([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}'
+ + '([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])'
+ + '/(([0-9])|([1-2][0-9])|(3[0-2]))';
+ }
+ description
+ "The ipv4-address-and-prefix type represents an IPv4
+ address and an associated ipv4 prefix.
+ The prefix length is given by the number following the
+ slash character and must be less than or equal to 32.
+
+ A prefix length value of n corresponds to an IP address
+ mask that has n contiguous 1-bits from the most
+ significant bit (MSB) and all other bits set to 0.";
+ }
+
+ typedef ipv6-address-and-prefix {
+ type string {
+ pattern '((:|[0-9a-fA-F]{0,4}):)([0-9a-fA-F]{0,4}:){0,5}'
+ + '((([0-9a-fA-F]{0,4}:)?(:|[0-9a-fA-F]{0,4}))|'
+ + '(((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}'
+ + '(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])))'
+ + '(/(([0-9])|([0-9]{2})|(1[0-1][0-9])|(12[0-8])))';
+ pattern '(([^:]+:){6}(([^:]+:[^:]+)|(.*\..*)))|'
+ + '((([^:]+:)*[^:]+)?::(([^:]+:)*[^:]+)?)'
+ + '(/.+)';
+ }
+ description
+ "The ipv6-address-and-prefix type represents an IPv6
+ address and an associated ipv4 prefix.
+ The prefix length is given by the number following the
+ slash character and must be less than or equal to 128.
+
+ A prefix length value of n corresponds to an IP address
+ mask that has n contiguous 1-bits from the most
+ significant bit (MSB) and all other bits set to 0.
+
+ The canonical format requires that the IPv6 address is
+ represented as defined in Section 4 of RFC 5952.";
+ reference
+ "RFC 5952: A Recommendation for IPv6 Address Text
+ Representation";
+ }
+
+ /*** collection of domain name and URI types ***/
+
+ typedef domain-name {
+ type string {
+ length "1..253";
+ pattern
+ '((([a-zA-Z0-9_]([a-zA-Z0-9\-_]){0,61})?[a-zA-Z0-9]\.)*'
+ + '([a-zA-Z0-9_]([a-zA-Z0-9\-_]){0,61})?[a-zA-Z0-9]\.?)'
+ + '|\.';
+ }
+ description
+ "The domain-name type represents a DNS domain name. The
+ name SHOULD be fully qualified whenever possible. This
+ type does not support wildcards (see RFC 4592) or
+ classless in-addr.arpa delegations (see RFC 2317).
+
+ Internet domain names are only loosely specified. Section
+ 3.5 of RFC 1034 recommends a syntax (modified in Section
+ 2.1 of RFC 1123). The pattern above is intended to allow
+ for current practice in domain name use, and some possible
+ future expansion. Note that Internet host names have a
+ stricter syntax (described in RFC 952) than the DNS
+ recommendations in RFCs 1034 and 1123, and that systems
+ that want to store host names in schema node instances
+ using the domain-name type are recommended to adhere to
+ this stricter standard to ensure interoperability.
+
+ The encoding of DNS names in the DNS protocol is limited
+ to 255 characters. Since the encoding consists of labels
+ prefixed by a length bytes and there is a trailing NULL
+ byte, only 253 characters can appear in the textual dotted
+ notation.
+
+ The description clause of schema nodes using the domain-name
+ type MUST describe when and how these names are resolved to
+ IP addresses. Note that the resolution of a domain-name value
+ may require to query multiple DNS records (e.g., A for IPv4
+ and AAAA for IPv6). The order of the resolution process and
+ which DNS record takes precedence can either be defined
+ explicitly or may depend on the configuration of the
+ resolver.
+
+ Domain-name values use the US-ASCII encoding. Their canonical
+ format uses lowercase US-ASCII characters. Internationalized
+ domain names MUST be A-labels as per RFC 5890.";
+ reference
+ "RFC 952: DoD Internet Host Table Specification
+ RFC 1034: Domain Names - Concepts and Facilities
+ RFC 1123: Requirements for Internet Hosts -- Application
+ and Support
+ RFC 2317: Classless IN-ADDR.ARPA delegation
+ RFC 2782: A DNS RR for specifying the location of services
+ (DNS SRV)
+ RFC 4592: The Role of Wildcards in the Domain Name System
+ RFC 5890: Internationalized Domain Names in Applications
+ (IDNA): Definitions and Document Framework";
+ }
+
+ typedef host {
+ type union {
+ type inet:ip-address;
+ type inet:domain-name;
+ }
+ description
+ "The host type represents either an IP address or a DNS
+ domain name.";
+ }
+
+ /*
+ * DISCUSS:
+ * - Lada suggested to replace the inet:domain-name usage in
+ * the union with a new host-name definition that follows
+ * the NR-LDH definition in RFC 5890.
+ */
+
+ typedef uri {
+ type string;
+ description
+ "The uri type represents a Uniform Resource Identifier
+ (URI) as defined by STD 66.
+
+ Objects using the uri type MUST be in US-ASCII encoding,
+ and MUST be normalized as described by RFC 3986 Sections
+ 6.2.1, 6.2.2.1, and 6.2.2.2. All unnecessary
+ percent-encoding is removed, and all case-insensitive
+ characters are set to lowercase except for hexadecimal
+ digits, which are normalized to uppercase as described in
+ Section 6.2.2.1.
+
+ The purpose of this normalization is to help provide
+ unique URIs. Note that this normalization is not
+ sufficient to provide uniqueness. Two URIs that are
+ textually distinct after this normalization may still be
+ equivalent.
+
+ Objects using the uri type may restrict the schemes that
+ they permit. For example, 'data:' and 'urn:' schemes
+ might not be appropriate.
+
+ A zero-length URI is not a valid URI. This can be used to
+ express 'URI absent' where required.
+
+ In the value set and its semantics, this type is equivalent
+ to the Uri SMIv2 textual convention defined in RFC 5017.";
+ reference
+ "RFC 3986: Uniform Resource Identifier (URI): Generic Syntax
+ RFC 3305: Report from the Joint W3C/IETF URI Planning Interest
+ Group: Uniform Resource Identifiers (URIs), URLs,
+ and Uniform Resource Names (URNs): Clarifications
+ and Recommendations
+ RFC 5017: MIB Textual Conventions for Uniform Resource
+ Identifiers (URIs)";
+ }
+
+ typedef email-address {
+ type string {
+ // dot-atom-text "@" ...
+ pattern '[a-zA-Z0-9!#$%&'+"'"+'*+/=?^_`{|}~-]+'
+ + '(\.[a-zA-Z0-9!#$%&'+"'"+'*+/=?^_`{|}~-]+)*'
+ + '@'
+ + '[a-zA-Z0-9!#$%&'+"'"+'*+/=?^_`{|}~-]+'
+ + '(\.[a-zA-Z0-9!#$%&'+"'"+'*+/=?^_`{|}~-]+)*';
+ }
+ description
+ "The email-address type represents an email address as
+ defined as addr-spec in RFC 5322 section 3.4.1.";
+ reference
+ "RFC 5322: Internet Message Format";
+ }
+
+ /*
+ * DISCUSS:
+ * - It was suggested to add email types following RFC 5322
+ * email-address (addr-spec, per Section 3.4.1)
+ * named-email-address (name-addr, per Section 3.4)
+ * - This sounds useful but the devil is in the details,
+ * in particular name-addr is a quite complex construct;
+ * perhaps addr-spec is sufficient, this is also the
+ * format allowed in mailto: URIs (mailto: seems to use
+ * only a subset of addr-spec which may be good enough
+ * here as well).
+ * - Need to define a pattern that has a meaningful trade-off
+ * between precision and complexity (there are very tight
+ * pattern that are very long and complex). The current
+ * pattern does not take care of quoted-string, obs-local-part,
+ * domain-literal, obs-domain.
+ */
+
+ /*
+ * DISCUSS:
+ * - There was a request to add types for URI fields (scheme,
+ * authority, path, query, fragment) but it is not clear how
+ * commonly useful these types are, the WG was pretty silent
+ * about this proposal. On the technical side, it is unclear
+ * whether data is represented with percent escapes resolved
+ * or not. (Mahesh's proposal does not spell this out, the
+ * pattern does not allow the % character, which may be wrong.)
+ */
+}
--- /dev/null
+module ietf-yang-types {
+
+ namespace "urn:ietf:params:xml:ns:yang:ietf-yang-types";
+ prefix "yang";
+
+ organization
+ "IETF Network Modeling (NETMOD) Working Group";
+
+ contact
+ "WG Web: <https://datatracker.ietf.org/wg/netmod/>
+ WG List: <mailto:netmod@ietf.org>
+
+ Editor: Juergen Schoenwaelder
+ <mailto:j.schoenwaelder@jacobs-university.de>";
+
+ description
+ "This module contains a collection of generally useful derived
+ YANG data types.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
+ NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
+ 'MAY', and 'OPTIONAL' in this document are to be interpreted as
+ described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
+ they appear in all capitals, as shown here.
+
+ Copyright (c) 2019 IETF Trust and the persons identified as
+ authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD License
+ set forth in Section 4.c of the IETF Trust's Legal Provisions
+ Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX;
+ see the RFC itself for full legal notices.";
+
+ revision 2019-11-04 {
+ description
+ "This revision adds the following new data types:
+ - date, time
+ - hours32, minutes32, seconds32, centiseconds32, milliseconds32,
+ - microseconds32, microseconds64, nanoseconds32, nanoseconds64
+ - revision-identifier, node-instance-identifier";
+ reference
+ "RFC XXXX: Common YANG Data Types";
+ }
+
+ revision 2013-07-15 {
+ description
+ "This revision adds the following new data types:
+ - yang-identifier
+ - hex-string
+ - uuid
+ - dotted-quad";
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ revision 2010-09-24 {
+ description
+ "Initial revision.";
+ reference
+ "RFC 6021: Common YANG Data Types";
+ }
+
+ /*** collection of counter and gauge types ***/
+
+ typedef counter32 {
+ type uint32;
+ description
+ "The counter32 type represents a non-negative integer
+ that monotonically increases until it reaches a
+ maximum value of 2^32-1 (4294967295 decimal), when it
+ wraps around and starts increasing again from zero.
+
+ Counters have no defined 'initial' value, and thus, a
+ single value of a counter has (in general) no information
+ content. Discontinuities in the monotonically increasing
+ value normally occur at re-initialization of the
+ management system, and at other times as specified in the
+ description of a schema node using this type. If such
+ other times can occur, for example, the instantiation of
+ a schema node of type counter32 at times other than
+ re-initialization, then a corresponding schema node
+ should be defined, with an appropriate type, to indicate
+ the last discontinuity.
+ The counter32 type should not be used for configuration
+ schema nodes. A default statement SHOULD NOT be used in
+ combination with the type counter32.
+
+ In the value set and its semantics, this type is equivalent
+ to the Counter32 type of the SMIv2.";
+ reference
+ "RFC 2578: Structure of Management Information Version 2
+ (SMIv2)";
+ }
+
+ typedef zero-based-counter32 {
+ type yang:counter32;
+ default "0";
+ description
+ "The zero-based-counter32 type represents a counter32
+ that has the defined 'initial' value zero.
+
+ A schema node instance of this type will be set to zero (0)
+ on creation and will thereafter increase monotonically until
+ it reaches a maximum value of 2^32-1 (4294967295 decimal),
+ when it wraps around and starts increasing again from zero.
+
+ Provided that an application discovers a new schema node
+ instance of this type within the minimum time to wrap, it
+ can use the 'initial' value as a delta. It is important for
+ a management station to be aware of this minimum time and the
+ actual time between polls, and to discard data if the actual
+ time is too long or there is no defined minimum time.
+
+ In the value set and its semantics, this type is equivalent
+ to the ZeroBasedCounter32 textual convention of the SMIv2.";
+ reference
+ "RFC 4502: Remote Network Monitoring Management Information
+ Base Version 2";
+ }
+
+ typedef counter64 {
+ type uint64;
+ description
+ "The counter64 type represents a non-negative integer
+ that monotonically increases until it reaches a
+ maximum value of 2^64-1 (18446744073709551615 decimal),
+ when it wraps around and starts increasing again from zero.
+
+ Counters have no defined 'initial' value, and thus, a
+ single value of a counter has (in general) no information
+ content. Discontinuities in the monotonically increasing
+ value normally occur at re-initialization of the
+ management system, and at other times as specified in the
+ description of a schema node using this type. If such
+ other times can occur, for example, the instantiation of
+ a schema node of type counter64 at times other than
+ re-initialization, then a corresponding schema node
+ should be defined, with an appropriate type, to indicate
+ the last discontinuity.
+
+ The counter64 type should not be used for configuration
+ schema nodes. A default statement SHOULD NOT be used in
+ combination with the type counter64.
+
+ In the value set and its semantics, this type is equivalent
+ to the Counter64 type of the SMIv2.";
+ reference
+ "RFC 2578: Structure of Management Information Version 2
+ (SMIv2)";
+ }
+
+ typedef zero-based-counter64 {
+ type yang:counter64;
+ default "0";
+ description
+ "The zero-based-counter64 type represents a counter64 that
+ has the defined 'initial' value zero.
+
+ A schema node instance of this type will be set to zero (0)
+ on creation and will thereafter increase monotonically until
+ it reaches a maximum value of 2^64-1 (18446744073709551615
+ decimal), when it wraps around and starts increasing again
+ from zero.
+
+ Provided that an application discovers a new schema node
+ instance of this type within the minimum time to wrap, it
+ can use the 'initial' value as a delta. It is important for
+ a management station to be aware of this minimum time and the
+ actual time between polls, and to discard data if the actual
+ time is too long or there is no defined minimum time.
+
+ In the value set and its semantics, this type is equivalent
+ to the ZeroBasedCounter64 textual convention of the SMIv2.";
+ reference
+ "RFC 2856: Textual Conventions for Additional High Capacity
+ Data Types";
+ }
+
+ typedef gauge32 {
+ type uint32;
+ description
+ "The gauge32 type represents a non-negative integer, which
+ may increase or decrease, but shall never exceed a maximum
+ value, nor fall below a minimum value. The maximum value
+ cannot be greater than 2^32-1 (4294967295 decimal), and
+ the minimum value cannot be smaller than 0. The value of
+ a gauge32 has its maximum value whenever the information
+ being modeled is greater than or equal to its maximum
+ value, and has its minimum value whenever the information
+ being modeled is smaller than or equal to its minimum value.
+ If the information being modeled subsequently decreases
+ below (increases above) the maximum (minimum) value, the
+ gauge32 also decreases (increases).
+
+ In the value set and its semantics, this type is equivalent
+ to the Gauge32 type of the SMIv2.";
+ reference
+ "RFC 2578: Structure of Management Information Version 2
+ (SMIv2)";
+ }
+
+ typedef gauge64 {
+ type uint64;
+ description
+ "The gauge64 type represents a non-negative integer, which
+ may increase or decrease, but shall never exceed a maximum
+ value, nor fall below a minimum value. The maximum value
+ cannot be greater than 2^64-1 (18446744073709551615), and
+ the minimum value cannot be smaller than 0. The value of
+ a gauge64 has its maximum value whenever the information
+ being modeled is greater than or equal to its maximum
+ value, and has its minimum value whenever the information
+ being modeled is smaller than or equal to its minimum value.
+ If the information being modeled subsequently decreases
+ below (increases above) the maximum (minimum) value, the
+ gauge64 also decreases (increases).
+
+ In the value set and its semantics, this type is equivalent
+ to the CounterBasedGauge64 SMIv2 textual convention defined
+ in RFC 2856";
+ reference
+ "RFC 2856: Textual Conventions for Additional High Capacity
+ Data Types";
+ }
+
+ /*** collection of identifier-related types ***/
+
+ typedef object-identifier {
+ type string {
+ pattern '(([0-1](\.[1-3]?[0-9]))|(2\.(0|([1-9]\d*))))'
+ + '(\.(0|([1-9]\d*)))*';
+ }
+ description
+ "The object-identifier type represents administratively
+ assigned names in a registration-hierarchical-name tree.
+
+ Values of this type are denoted as a sequence of numerical
+ non-negative sub-identifier values. Each sub-identifier
+ value MUST NOT exceed 2^32-1 (4294967295). Sub-identifiers
+ are separated by single dots and without any intermediate
+ whitespace.
+
+ The ASN.1 standard restricts the value space of the first
+ sub-identifier to 0, 1, or 2. Furthermore, the value space
+ of the second sub-identifier is restricted to the range
+ 0 to 39 if the first sub-identifier is 0 or 1. Finally,
+ the ASN.1 standard requires that an object identifier
+ has always at least two sub-identifiers. The pattern
+ captures these restrictions.
+
+ Although the number of sub-identifiers is not limited,
+ module designers should realize that there may be
+ implementations that stick with the SMIv2 limit of 128
+ sub-identifiers.
+
+ This type is a superset of the SMIv2 OBJECT IDENTIFIER type
+ since it is not restricted to 128 sub-identifiers. Hence,
+ this type SHOULD NOT be used to represent the SMIv2 OBJECT
+ IDENTIFIER type; the object-identifier-128 type SHOULD be
+ used instead.";
+ reference
+ "ISO9834-1: Information technology -- Open Systems
+ Interconnection -- Procedures for the operation of OSI
+ Registration Authorities: General procedures and top
+ arcs of the ASN.1 Object Identifier tree";
+ }
+
+ typedef object-identifier-128 {
+ type object-identifier {
+ pattern '\d*(\.\d*){1,127}';
+ }
+ description
+ "This type represents object-identifiers restricted to 128
+ sub-identifiers.
+
+ In the value set and its semantics, this type is equivalent
+ to the OBJECT IDENTIFIER type of the SMIv2.";
+ reference
+ "RFC 2578: Structure of Management Information Version 2
+ (SMIv2)";
+ }
+
+ /*** collection of types related to date and time ***/
+
+ typedef date-and-time {
+ type string {
+ pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?'
+ + '(Z|[\+\-]\d{2}:\d{2})';
+ }
+ description
+ "The date-and-time type is a profile of the ISO 8601
+ standard for representation of dates and times using the
+ Gregorian calendar. The profile is defined by the
+ date-time production in Section 5.6 of RFC 3339.
+
+ The date-and-time type is compatible with the dateTime XML
+ schema type with the following notable exceptions:
+
+ (a) The date-and-time type does not allow negative years.
+
+ (b) The date-and-time time-offset -00:00 indicates an unknown
+ time zone (see RFC 3339) while -00:00 and +00:00 and Z
+ all represent the same time zone in dateTime.
+
+ (c) The canonical format (see below) of date-and-time values
+ differs from the canonical format used by the dateTime XML
+ schema type, which requires all times to be in UTC using
+ the time-offset 'Z'.
+
+ This type is not equivalent to the DateAndTime textual
+ convention of the SMIv2 since RFC 3339 uses a different
+ separator between full-date and full-time and provides
+ higher resolution of time-secfrac.
+
+ The canonical format for date-and-time values with a known time
+ zone uses a numeric time zone offset that is calculated using
+ the device's configured known offset to UTC time. A change of
+ the device's offset to UTC time will cause date-and-time values
+ to change accordingly. Such changes might happen periodically
+ in case a server follows automatically daylight saving time
+ (DST) time zone offset changes. The canonical format for
+ date-and-time values with an unknown time zone (usually
+ referring to the notion of local time) uses the time-offset
+ -00:00.";
+ reference
+ "RFC 3339: Date and Time on the Internet: Timestamps
+ RFC 2579: Textual Conventions for SMIv2
+ XSD-TYPES: XML Schema Part 2: Datatypes Second Edition";
+ }
+
+ typedef date {
+ type string {
+ pattern '\d{4}-\d{2}-\d{2}'
+ + '(Z|[\+\-]\d{2}:\d{2})';
+ }
+ description
+ "The date type represents a time-interval of the length
+ of a day, i.e., 24 hours.
+
+ The date type is compatible with the date XML schema
+ type with the following notable exceptions:
+
+ (a) The date type does not allow negative years.
+
+ (b) The date time-offset -00:00 indicates an unknown
+ time zone (see RFC 3339) while -00:00 and +00:00 and Z
+ all represent the same time zone in date.
+
+ (c) The canonical format (see below) of data values
+ differs from the canonical format used by the date XML
+ schema type, which requires all times to be in UTC using
+ the time-offset 'Z'.
+
+ The canonical format for date values with a known time
+ zone uses a numeric time zone offset that is calculated using
+ the device's configured known offset to UTC time. A change of
+ the device's offset to UTC time will cause date values
+ to change accordingly. Such changes might happen periodically
+ in case a server follows automatically daylight saving time
+ (DST) time zone offset changes. The canonical format for
+ date values with an unknown time zone (usually referring
+ to the notion of local time) uses the time-offset -00:00.";
+ reference
+ "RFC 3339: Date and Time on the Internet: Timestamps
+ XSD-TYPES: XML Schema Part 2: Datatypes Second Edition";
+ }
+
+ /*
+ * DISCUSS:
+ * - XML schema seems to use a different canonical format, we
+ * need to take a closer look how to define the canonical format
+ * given that a data really identifies a 24 hour interval and
+ * what XSD means with 'interval midpoint'.
+ */
+
+ typedef time {
+ type string {
+ pattern '\d{2}:\d{2}:\d{2}(\.\d+)?'
+ + '(Z|[\+\-]\d{2}:\d{2})';
+ }
+ description
+ "The time type represents an instance of time of zero-duration
+ that recurs every day.
+
+ The time type is compatible with the time XML schema
+ type with the following notable exceptions:
+
+ (a) The time time-offset -00:00 indicates an unknown
+ time zone (see RFC 3339) while -00:00 and +00:00 and Z
+ all represent the same time zone in time.
+
+ (c) The canonical format (see below) of time values
+ differs from the canonical format used by the time XML
+ schema type, which requires all times to be in UTC using
+ the time-offset 'Z'.
+
+ The canonical format for time values with a known time
+ zone uses a numeric time zone offset that is calculated using
+ the device's configured known offset to UTC time. A change of
+ the device's offset to UTC time will cause time values
+ to change accordingly. Such changes might happen periodically
+ in case a server follows automatically daylight saving time
+ (DST) time zone offset changes. The canonical format for
+ time values with an unknown time zone (usually referring
+ to the notion of local time) uses the time-offset -00:00.";
+ reference
+ "RFC 3339: Date and Time on the Internet: Timestamps
+ XSD-TYPES: XML Schema Part 2: Datatypes Second Edition";
+ }
+
+ typedef hours32 {
+ type int32;
+ units "hours";
+ description
+ "A period of time, measured in units of hours.
+
+ The maximum time period that can be expressed is in the
+ range [89478485 days 08:00:00 to 89478485 days 07:00:00].
+
+ This type should be range restricted in situations
+ where only non-negative time periods are desirable,
+ (i.e., range '0..max').";
+ }
+
+ typedef minutes32 {
+ type int32;
+ units "minutes";
+ description
+ "A period of time, measured in units of minutes.
+
+ The maximum time period that can be expressed is in the
+ range [-1491308 days 2:08:00 to 1491308 days 2:07:00].
+
+ This type should be range restricted in situations
+ where only non-negative time periods are desirable,
+ (i.e., range '0..max').";
+ }
+
+ typedef seconds32 {
+ type int32;
+ units "seconds";
+ description
+ "A period of time, measured in units of seconds.
+
+ The maximum time period that can be expressed is in the
+ range [-24855 days 03:14:08 to 24855 days 03:14:07].
+
+ This type should be range restricted in situations
+ where only non-negative time periods are desirable,
+ (i.e., range '0..max').";
+ }
+
+ typedef centiseconds32 {
+ type int32;
+ units "centiseconds";
+ description
+ "A period of time, measured in units of 10^-2 seconds.
+
+ The maximum time period that can be expressed is in the
+ range [-248 days 13:13:56 to 248 days 13:13:56].
+
+ This type should be range restricted in situations
+ where only non-negative time periods are desirable,
+ (i.e., range '0..max').";
+ }
+
+ typedef milliseconds32 {
+ type int32;
+ units "milliseconds";
+ description
+ "A period of time, measured in units of 10^-3 seconds.
+
+ The maximum time period that can be expressed is in the
+ range [-24 days 20:31:23 to 24 days 20:31:23].
+
+ This type should be range restricted in situations
+ where only non-negative time periods are desirable,
+ (i.e., range '0..max').";
+ }
+
+ typedef microseconds32 {
+ type int32;
+ units "microseconds";
+ description
+ "A period of time, measured in units of 10^-6 seconds.
+
+ The maximum time period that can be expressed is in the
+ range [-00:35:47 to 00:35:47].
+
+ This type should be range restricted in situations
+ where only non-negative time periods are desirable,
+ (i.e., range '0..max').";
+ }
+
+ typedef microseconds64 {
+ type int64;
+ units "microseconds";
+ description
+ "A period of time, measured in units of 10^-6 seconds.
+
+ The maximum time period that can be expressed is in the
+ range [-106751991 days 04:00:54 to 106751991 days 04:00:54].
+
+ This type should be range restricted in situations
+ where only non-negative time periods are desirable,
+ (i.e., range '0..max').";
+ }
+
+ typedef nanoseconds32 {
+ type int32;
+ units "nanoseconds";
+ description
+ "A period of time, measured in units of 10^-9 seconds.
+
+ The maximum time period that can be expressed is in the
+ range [-00:00:02 to 00:00:02].
+
+ This type should be range restricted in situations
+ where only non-negative time periods are desirable,
+ (i.e., range '0..max').";
+ }
+
+ typedef nanoseconds64 {
+ type int64;
+ units "nanoseconds";
+ description
+ "A period of time, measured in units of 10^-9 seconds.
+
+ The maximum time period that can be expressed is in the
+ range [-106753 days 23:12:44 to 106752 days 0:47:16].
+
+ This type should be range restricted in situations
+ where only non-negative time periods are desirable,
+ (i.e., range '0..max').";
+ }
+
+ typedef timeticks {
+ type uint32;
+ description
+ "The timeticks type represents a non-negative integer that
+ represents the time, modulo 2^32 (4294967296 decimal), in
+ hundredths of a second between two epochs. When a schema
+ node is defined that uses this type, the description of
+ the schema node identifies both of the reference epochs.
+
+ In the value set and its semantics, this type is equivalent
+ to the TimeTicks type of the SMIv2.";
+ reference
+ "RFC 2578: Structure of Management Information Version 2
+ (SMIv2)";
+ }
+
+ typedef timestamp {
+ type yang:timeticks;
+ description
+ "The timestamp type represents the value of an associated
+ timeticks schema node instance at which a specific occurrence
+ happened. The specific occurrence must be defined in the
+ description of any schema node defined using this type. When
+ the specific occurrence occurred prior to the last time the
+ associated timeticks schema node instance was zero, then the
+ timestamp value is zero.
+
+ Note that this requires all timestamp values to be reset to
+ zero when the value of the associated timeticks schema node
+ instance reaches 497+ days and wraps around to zero.
+
+ The associated timeticks schema node must be specified
+ in the description of any schema node using this type.
+
+ In the value set and its semantics, this type is equivalent
+ to the TimeStamp textual convention of the SMIv2.";
+ reference
+ "RFC 2579: Textual Conventions for SMIv2";
+ }
+
+ /*** collection of generic address types ***/
+
+ typedef phys-address {
+ type string {
+ pattern '([0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*)?';
+ }
+ description
+ "Represents media- or physical-level addresses represented
+ as a sequence octets, each octet represented by two hexadecimal
+ numbers. Octets are separated by colons. The canonical
+ representation uses lowercase characters.
+
+ In the value set and its semantics, this type is equivalent
+ to the PhysAddress textual convention of the SMIv2.";
+ reference
+ "RFC 2579: Textual Conventions for SMIv2";
+ }
+
+ typedef mac-address {
+ type string {
+ pattern '[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}';
+ }
+ description
+ "The mac-address type represents an IEEE 802 MAC address.
+ The canonical representation uses lowercase characters.
+
+ In the value set and its semantics, this type is equivalent
+ to the MacAddress textual convention of the SMIv2.";
+ reference
+ "IEEE 802: IEEE Standard for Local and Metropolitan Area
+ Networks: Overview and Architecture
+ RFC 2579: Textual Conventions for SMIv2";
+ }
+
+ /*** collection of XML-specific types ***/
+ typedef xpath1.0 {
+ type string;
+ description
+ "This type represents an XPATH 1.0 expression.
+
+ When a schema node is defined that uses this type, the
+ description of the schema node MUST specify the XPath
+ context in which the XPath expression is evaluated.";
+ reference
+ "XPATH: XML Path Language (XPath) Version 1.0";
+ }
+
+ /*
+ * DISCUSS:
+ * - How do we deal with xpath expressions in other encodings
+ * such as JSON. Do we assume an xpath context populated with
+ * module names such that module names can be used to qualify
+ * path expressions. This may need discussion and/or a new
+ * definition.
+ * - This interacts with the definition of node-instance-identifier.
+ */
+
+ /*** collection of string types ***/
+
+ typedef hex-string {
+ type string {
+ pattern '([0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*)?';
+ }
+ description
+ "A hexadecimal string with octets represented as hex digits
+ separated by colons. The canonical representation uses
+ lowercase characters.";
+ }
+
+ typedef uuid {
+ type string {
+ pattern '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-'
+ + '[0-9a-fA-F]{4}-[0-9a-fA-F]{12}';
+ }
+ description
+ "A Universally Unique IDentifier in the string representation
+ defined in RFC 4122. The canonical representation uses
+ lowercase characters.
+
+ The following is an example of a UUID in string representation:
+ f81d4fae-7dec-11d0-a765-00a0c91e6bf6
+ ";
+ reference
+ "RFC 4122: A Universally Unique IDentifier (UUID) URN
+ Namespace";
+ }
+
+ typedef dotted-quad {
+ type string {
+ pattern
+ '(([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}'
+ + '([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])';
+ }
+ description
+ "An unsigned 32-bit number expressed in the dotted-quad
+ notation, i.e., four octets written as decimal numbers
+ and separated with the '.' (full stop) character.";
+ }
+
+ /*** collection of YANG specific types ***/
+
+ typedef yang-identifier {
+ type string {
+ length "1..max";
+ pattern '[a-zA-Z_][a-zA-Z0-9\-_.]*';
+ pattern '.|..|[^xX].*|.[^mM].*|..[^lL].*';
+ }
+ description
+ "A YANG identifier string as defined by the 'identifier'
+ rule in Section 12 of RFC 6020. An identifier must
+ start with an alphabetic character or an underscore
+ followed by an arbitrary sequence of alphabetic or
+ numeric characters, underscores, hyphens, or dots.
+
+ A YANG identifier MUST NOT start with any possible
+ combination of the lowercase or uppercase character
+ sequence 'xml'.";
+ reference
+ "RFC 6020: YANG - A Data Modeling Language for the Network
+ Configuration Protocol (NETCONF)";
+ }
+
+ typedef revision-identifier {
+ type date {
+ pattern '\d{4}-\d{2}-\d{2}';
+ }
+ description
+ "Represents a specific revision of a YANG module by means of
+ a date value without a time zone.";
+ }
+
+ typedef node-instance-identifier {
+ type xpath1.0;
+ description
+ "Path expression used to represent a data node, action,
+ or notification instance-identifier string.
+
+ A node-instance-identifier value is an unrestricted
+ YANG instance-identifier expression or the special
+ value '/', which refers to the entire accessible tree.
+
+ All the rules for instance-identifier apply, except that
+ predicates for keys are optional. If a key predicate is
+ missing, then the node-instance-identifier represents all
+ possible server instances for that key.
+
+ This XML Path Language (XPath) expression is evaluated in the
+ following context:
+
+ o The set of namespace declarations are those in scope on
+ the leaf element where this type is used.
+
+ o The set of variable bindings contains one variable,
+ 'USER', which contains the name of the user of the
+ current session.
+
+ o The function library is the core function library, but
+ note that due to the syntax restrictions of an
+ instance-identifier, no functions are allowed.
+
+ o The context node is the root node in the data tree.
+
+ The accessible tree includes actions and notifications tied
+ to data nodes.";
+ }
+
+ /*
+ * DISCUSS:
+ * - This is taken from RFC 8341 and the idea is that this definition
+ * is useful without requiring a dependency on NACM
+ * - What does the second bullet actually do? Do we keep this?
+ * - This interacts with the definition of xpath1.0.
+ */
+
+ /* DISCUSS:
+ * - It was suggested to add types for longitude, latitude,
+ * postal code, country-code. Do we go there or do we leave
+ * these for other modules to define? It seems such definitions
+ * should go into draft-ietf-netmod-geo-location.
+ */
+
+ /* DISCUSS:
+ * - It was suggested to add percentage types but they tend to differ
+ * widely. However, percentages are also widely used.
+ */
+}
--- /dev/null
+module ietf-crypto-types {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
+ prefix ct;
+
+ import ietf-yang-types {
+ prefix yang;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ //import iana-hash-algs {
+ // prefix iha;
+ // reference
+ // "RFC XXXX: Common YANG Data Types for Cryptography";
+ //}
+
+ import iana-symmetric-algs {
+ prefix isa;
+ reference
+ "RFC XXXX: Common YANG Data Types for Cryptography";
+ }
+
+ import iana-asymmetric-algs {
+ prefix iasa;
+ reference
+ "RFC XXXX: Common YANG Data Types for Cryptography";
+ }
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: <http://datatracker.ietf.org/wg/netconf/>
+ WG List: <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Author: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>";
+
+ description
+ "This module defines common YANG types for cryptographic
+ applications.
+
+ Copyright (c) 2019 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Simplified
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX
+ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2019-11-20 {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: Common YANG Data Types for Cryptography";
+ }
+
+ /****************/
+ /* Features */
+ /****************/
+
+ feature "one-asymmetric-key-format" {
+ description
+ "Indicates that the server supports the
+ 'one-asymmetric-key-format' identity.";
+ }
+
+ feature "one-symmetric-key-format" {
+ description
+ "Indicates that the server supports the
+ 'one-symmetric-key-format' identity.";
+ }
+
+ feature "encrypted-one-symmetric-key-format" {
+ description
+ "Indicates that the server supports the
+ 'encrypted-one-symmetric-key-format' identity.";
+ }
+
+ feature "encrypted-one-asymmetric-key-format" {
+ description
+ "Indicates that the server supports the
+ 'encrypted-one-asymmetric-key-format' identity.";
+ }
+
+ /********************************************/
+ /* Identities for Key Format Structures */
+ /********************************************/
+
+ /*** base key formats ****/
+
+ identity key-format-base {
+ description "Base key-format identity for all keys.";
+ }
+
+ identity public-key-format {
+ base "key-format-base";
+ description "Base key-format identity for public keys.";
+ }
+
+ identity private-key-format {
+ base "key-format-base";
+ description "Base key-format identity for private keys.";
+ }
+
+ identity symmetric-key-format {
+ base "key-format-base";
+ description "Base key-format identity for symmetric keys.";
+ }
+
+
+ /**** for private keys ****/
+ identity rsa-private-key-format {
+ base "private-key-format";
+ description
+ "Indicates that the private key value is encoded
+ as an RSAPrivateKey (from RFC 3447).";
+ reference
+ "RFC 3447: PKCS #1: RSA Cryptography
+ Specifications Version 2.2";
+ }
+
+ identity ec-private-key-format {
+ base "private-key-format";
+ description
+ "Indicates that the private key value is encoded
+ as an ECPrivateKey (from RFC 5915)";
+ reference
+ "RFC 5915: Elliptic Curve Private Key Structure";
+ }
+
+ identity one-asymmetric-key-format {
+ if-feature "one-asymmetric-key-format";
+ base "private-key-format";
+ description
+ "Indicates that the private key value is encoded
+ as a OneAsymmetricKey structure (RFC 6031).";
+ // FIXME: DER encoded ASN.1, etc...or flex PEM?
+ reference
+ "RFC 5958: Asymmetric Key Packages";
+ }
+
+ identity encrypted-one-asymmetric-key-format {
+ if-feature "encrypted-one-asymmetric-key-format";
+ base "private-key-format";
+ description
+ "Indicates that the private key value is encoded
+ as a OneAsymmetricKey structure (RFC 5958).";
+ // FIXME: DER encoded ASN.1, etc...or flex PEM?
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)
+ RFC 5958: Asymmetric Key Packages";
+ }
+
+
+ /**** for public keys ****/
+
+ identity ssh-public-key-format {
+ base "public-key-format";
+ description
+ "Indicates that the public key value is encoded
+ an SSH public key, as described by RFC 4716.";
+ reference
+ "RFC 4716: The Secure Shell (SSH) Public Key
+ File Format";
+ }
+
+ identity subject-public-key-info-format {
+ base "public-key-format";
+ description
+ "Indicates that the public key value is encoded as
+ a SubjectPublicKeyInfo structure, as described in
+ RFC 5280.";
+ // FIXME: DER encoded ASN.1, etc...
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile";
+ }
+
+
+ /**** for symmetric keys ****/
+
+ identity octet-string-key-format {
+ base "symmetric-key-format";
+ description
+ "Indicates that the key is encoded as a raw octet string.";
+ // FIXME
+ // Knowing that it is an "OctetString" isn't really helpful.
+ // Knowing the length of the octet string would be helpful,
+ // as it relates to the algorithm's block size. We may want
+ // to only (for now) use "one-symmetric-key-format" for
+ // symmetric keys...were the usability issues Juergen
+ // mentioned before only apply to asymmetric keys?
+ }
+
+ identity one-symmetric-key-format {
+ if-feature "one-symmetric-key-format";
+ base "symmetric-key-format";
+ description
+ "Indicates that the symmetric key value is encoded
+ as a OneSymmetricKey (from RFC 6031).";
+ // FIXME: DER encoded ASN.1, etc...or flex PEM?
+ reference
+ "RFC 6031: Cryptographic Message Syntax (CMS)
+ Symmetric Key Package Content Type";
+ }
+
+ identity encrypted-one-symmetric-key-format {
+ if-feature "encrypted-one-symmetric-key-format";
+ base "symmetric-key-format";
+ description
+ "Indicates that the symmetric key value is encoded
+ as an EncryptedData structure (RFC 5652) containing
+ OneSymmetricKey (RFC 6031).";
+ // FIXME: DER encoded ASN.1, etc...or flex PEM?
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)
+ RFC 6031: Cryptographic Message Syntax (CMS)
+ Symmetric Key Package Content Type";
+ }
+
+
+
+ /***************************************************/
+ /* Typedefs for ASN.1 structures from RFC 5280 */
+ /***************************************************/
+
+ typedef x509 {
+ type binary;
+ description
+ "A Certificate structure, as specified in RFC 5280,
+ encoded using ASN.1 distinguished encoding rules (DER),
+ as specified in ITU-T X.690.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ typedef crl {
+ type binary;
+ description
+ "A CertificateList structure, as specified in RFC 5280,
+ encoded using ASN.1 distinguished encoding rules (DER),
+ as specified in ITU-T X.690.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ /***********************************************/
+ /* Typedefs for ASN.1 structures from 5652 */
+ /***********************************************/
+
+ typedef cms {
+ type binary;
+ description
+ "A ContentInfo structure, as specified in RFC 5652,
+ encoded using ASN.1 distinguished encoding rules (DER),
+ as specified in ITU-T X.690.";
+ reference
+ "RFC 5652:
+ Cryptographic Message Syntax (CMS)
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ typedef data-content-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ data content type, as described by Section 4 in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef signed-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ signed-data content type, as described by Section 5 in
+ RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef enveloped-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ enveloped-data content type, as described by Section 6
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef digested-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ digested-data content type, as described by Section 7
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef encrypted-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ encrypted-data content type, as described by Section 8
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef authenticated-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ authenticated-data content type, as described by Section 9
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+
+ /***************************************************/
+ /* Typedefs for structures related to RFC 4253 */
+ /***************************************************/
+
+ typedef ssh-host-key {
+ type binary;
+ description
+ "The binary public key data for an SSH key, as
+ specified by RFC 4253, Section 6.6, i.e.:
+
+ string certificate or public key format
+ identifier
+ byte[n] key/certificate data.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer
+ Protocol";
+ }
+
+ /*********************************************************/
+ /* Typedefs for ASN.1 structures related to RFC 5280 */
+ /*********************************************************/
+
+ typedef trust-anchor-cert-x509 {
+ type x509;
+ description
+ "A Certificate structure that MUST encode a self-signed
+ root certificate.";
+ }
+
+ typedef end-entity-cert-x509 {
+ type x509;
+ description
+ "A Certificate structure that MUST encode a certificate
+ that is neither self-signed nor having Basic constraint
+ CA true.";
+ }
+
+ /*********************************************************/
+ /* Typedefs for ASN.1 structures related to RFC 5652 */
+ /*********************************************************/
+
+ typedef trust-anchor-cert-cms {
+ type signed-data-cms;
+ description
+ "A CMS SignedData structure that MUST contain the chain of
+ X.509 certificates needed to authenticate the certificate
+ presented by a client or end-entity.
+
+ The CMS MUST contain only a single chain of certificates.
+ The client or end-entity certificate MUST only authenticate
+ to last intermediate CA certificate listed in the chain.
+
+ In all cases, the chain MUST include a self-signed root
+ certificate. In the case where the root certificate is
+ itself the issuer of the client or end-entity certificate,
+ only one certificate is present.
+
+ This CMS structure MAY (as applicable where this type is
+ used) also contain suitably fresh (as defined by local
+ policy) revocation objects with which the device can
+ verify the revocation status of the certificates.
+
+ This CMS encodes the degenerate form of the SignedData
+ structure that is commonly used to disseminate X.509
+ certificates and revocation objects (RFC 5280).";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile.";
+ }
+
+ typedef end-entity-cert-cms {
+ type signed-data-cms;
+ description
+ "A CMS SignedData structure that MUST contain the end
+ entity certificate itself, and MAY contain any number
+ of intermediate certificates leading up to a trust
+ anchor certificate. The trust anchor certificate
+ MAY be included as well.
+
+ The CMS MUST contain a single end entity certificate.
+ The CMS MUST NOT contain any spurious certificates.
+
+ This CMS structure MAY (as applicable where this type is
+ used) also contain suitably fresh (as defined by local
+ policy) revocation objects with which the device can
+ verify the revocation status of the certificates.
+
+ This CMS encodes the degenerate form of the SignedData
+ structure that is commonly used to disseminate X.509
+ certificates and revocation objects (RFC 5280).";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile.";
+ }
+
+ typedef ssh-public-key-type { // DELETE?
+ type binary;
+ description
+ "The binary public key data for this SSH key, as
+ specified by RFC 4253, Section 6.6, i.e.:
+
+ string certificate or public key format
+ identifier
+ byte[n] key/certificate data.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport
+ Layer Protocol";
+ }
+
+ /**********************************************/
+ /* Groupings for keys and/or certificates */
+ /**********************************************/
+
+ grouping symmetric-key-grouping {
+ description
+ "A symmetric key and algorithm.";
+ leaf algorithm {
+ type isa:symmetric-algorithm-type;
+ mandatory true;
+ description
+ "The algorithm to be used when generating the key.";
+ reference
+ "RFC CCCC: Common YANG Data Types for Cryptography";
+ }
+ leaf key-format {
+ nacm:default-deny-write;
+ when "../key or ../encrypted-key"; // FIXME: forward ref?!
+ type identityref {
+ base symmetric-key-format;
+ }
+ description "Identifies the symmetric key's format.";
+ }
+ choice key-type {
+ mandatory true;
+ description
+ "Choice between key types.";
+ leaf key {
+ nacm:default-deny-all;
+ type binary;
+ must "../key-format";
+ description
+ "The binary value of the key. The interpretation of
+ the value is defined by 'key-format'. For example,
+ FIXME.";
+ reference
+ "RFC XXXX: FIXME";
+ }
+ leaf hidden-key {
+ nacm:default-deny-write;
+ type empty;
+ description
+ "A permanently hidden key. How such keys are created
+ is outside the scope of this module.";
+ }
+ }
+ }
+
+ grouping public-key-grouping {
+ description
+ "A public key and its associated algorithm.";
+ leaf algorithm {
+ nacm:default-deny-write;
+ type iasa:asymmetric-algorithm-type;
+ mandatory true;
+ description
+ "Identifies the key's algorithm.";
+ reference
+ "RFC CCCC: Common YANG Data Types for Cryptography";
+ }
+ leaf public-key-format {
+ nacm:default-deny-write;
+ when "../public-key";
+ type identityref {
+ base public-key-format;
+ }
+ description "Identifies the key's format.";
+ }
+ leaf public-key {
+ nacm:default-deny-write;
+ type binary;
+ must "../public-key-format";
+ mandatory true;
+ description
+ "The binary value of the public key. The interpretation
+ of the value is defined by 'public-key-format' field.";
+ }
+ }
+
+ grouping asymmetric-key-pair-grouping {
+ description
+ "A private key and its associated public key and algorithm.";
+ uses public-key-grouping;
+ leaf private-key-format {
+ nacm:default-deny-write;
+ type identityref {
+ base private-key-format;
+ }
+ description "Identifies the key's format.";
+ }
+ choice private-key-type {
+ mandatory true;
+ description
+ "Choice between key types.";
+ leaf private-key {
+ nacm:default-deny-all;
+ type binary;
+ must "../private-key-format";
+ description
+ "The value of the binary key The key's value is
+ interpreted by the 'private-key-format' field.";
+ }
+ leaf hidden-private-key {
+ nacm:default-deny-write;
+ type empty;
+ description
+ "A permanently hidden key. How such keys are created
+ is outside the scope of this module.";
+ }
+ }
+ }
+
+ grouping trust-anchor-cert-grouping {
+ description
+ "A trust anchor certificate, and a notification for when
+ it is about to (or already has) expire.";
+ leaf cert {
+ nacm:default-deny-write;
+ type trust-anchor-cert-cms;
+ description
+ "The binary certificate data for this certificate.";
+ reference
+ "RFC YYYY: Common YANG Data Types for Cryptography";
+ }
+ notification certificate-expiration {
+ description
+ "A notification indicating that the configured certificate
+ is either about to expire or has already expired. When to
+ send notifications is an implementation specific decision,
+ but it is RECOMMENDED that a notification be sent once a
+ month for 3 months, then once a week for four weeks, and
+ then once a day thereafter until the issue is resolved.";
+ leaf expiration-date {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "Identifies the expiration date on the certificate.";
+ }
+ }
+ }
+
+ grouping trust-anchor-certs-grouping {
+ description
+ "A list of trust anchor certificates, and a notification
+ for when one is about to (or already has) expire.";
+ leaf-list cert {
+ nacm:default-deny-write;
+ type trust-anchor-cert-cms;
+ description
+ "The binary certificate data for this certificate.";
+ reference
+ "RFC YYYY: Common YANG Data Types for Cryptography";
+ }
+ notification certificate-expiration {
+ description
+ "A notification indicating that the configured certificate
+ is either about to expire or has already expired. When to
+ send notifications is an implementation specific decision,
+ but it is RECOMMENDED that a notification be sent once a
+ month for 3 months, then once a week for four weeks, and
+ then once a day thereafter until the issue is resolved.";
+ leaf expiration-date {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "Identifies the expiration date on the certificate.";
+ }
+ }
+ }
+
+ grouping end-entity-cert-grouping {
+ description
+ "An end entity certificate, and a notification for when
+ it is about to (or already has) expire. Implementations
+ SHOULD assert that, where used, the end entity certificate
+ contains the expected public key.";
+ leaf cert {
+ nacm:default-deny-write;
+ type end-entity-cert-cms;
+ description
+ "The binary certificate data for this certificate.";
+ reference
+ "RFC YYYY: Common YANG Data Types for Cryptography";
+ }
+ notification certificate-expiration {
+ description
+ "A notification indicating that the configured certificate
+ is either about to expire or has already expired. When to
+ send notifications is an implementation specific decision,
+ but it is RECOMMENDED that a notification be sent once a
+ month for 3 months, then once a week for four weeks, and
+ then once a day thereafter until the issue is resolved.";
+ leaf expiration-date {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "Identifies the expiration date on the certificate.";
+ }
+ }
+ }
+
+ grouping end-entity-certs-grouping {
+ description
+ "A list of end entity certificates, and a notification for
+ when one is about to (or already has) expire.";
+ leaf-list cert {
+ nacm:default-deny-write;
+ type end-entity-cert-cms;
+ description
+ "The binary certificate data for this certificate.";
+ reference
+ "RFC YYYY: Common YANG Data Types for Cryptography";
+ }
+ notification certificate-expiration {
+ description
+ "A notification indicating that the configured certificate
+ is either about to expire or has already expired. When to
+ send notifications is an implementation specific decision,
+ but it is RECOMMENDED that a notification be sent once a
+ month for 3 months, then once a week for four weeks, and
+ then once a day thereafter until the issue is resolved.";
+ leaf expiration-date {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "Identifies the expiration date on the certificate.";
+ }
+ }
+ }
+
+ grouping asymmetric-key-pair-with-cert-grouping {
+ description
+ "A private/public key pair and an associated certificate.
+ Implementations SHOULD assert that certificates contain
+ the matching public key.";
+ uses asymmetric-key-pair-grouping;
+ uses end-entity-cert-grouping;
+ action generate-certificate-signing-request {
+ nacm:default-deny-all;
+ description
+ "Generates a certificate signing request structure for
+ the associated asymmetric key using the passed subject
+ and attribute values. The specified assertions need
+ to be appropriate for the certificate's use. For
+ example, an entity certificate for a TLS server
+ SHOULD have values that enable clients to satisfy
+ RFC 6125 processing.";
+ input {
+ leaf subject {
+ type binary;
+ mandatory true;
+ description
+ "The 'subject' field per the CertificationRequestInfo
+ structure as specified by RFC 2986, Section 4.1
+ encoded using the ASN.1 distinguished encoding
+ rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ leaf attributes {
+ type binary;
+ description
+ "The 'attributes' field from the structure
+ CertificationRequestInfo as specified by RFC 2986,
+ Section 4.1 encoded using the ASN.1 distinguished
+ encoding rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ }
+ output {
+ leaf certificate-signing-request {
+ type binary;
+ mandatory true;
+ description
+ "A CertificationRequest structure as specified by
+ RFC 2986, Section 4.2 encoded using the ASN.1
+ distinguished encoding rules (DER), as specified
+ in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ }
+ } // generate-certificate-signing-request
+ } // asymmetric-key-pair-with-cert-grouping
+
+ grouping asymmetric-key-pair-with-certs-grouping {
+ description
+ "A private/public key pair and associated certificates.
+ Implementations SHOULD assert that certificates contain
+ the matching public key.";
+ uses asymmetric-key-pair-grouping;
+ container certificates {
+ nacm:default-deny-write;
+ description
+ "Certificates associated with this asymmetric key.
+ More than one certificate supports, for instance,
+ a TPM-protected asymmetric key that has both IDevID
+ and LDevID certificates associated.";
+ list certificate {
+ key "name";
+ description
+ "A certificate for this asymmetric key.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the certificate. If the name
+ matches the name of a certificate that exists
+ independently in <operational> (i.e., an IDevID),
+ then the 'cert' node MUST NOT be configured.";
+ }
+ uses end-entity-cert-grouping;
+ }
+ } // certificates
+ action generate-certificate-signing-request {
+ nacm:default-deny-all;
+ description
+ "Generates a certificate signing request structure for
+ the associated asymmetric key using the passed subject
+ and attribute values. The specified assertions need
+ to be appropriate for the certificate's use. For
+ example, an entity certificate for a TLS server
+ SHOULD have values that enable clients to satisfy
+ RFC 6125 processing.";
+ input {
+ leaf subject {
+ type binary;
+ mandatory true;
+ description
+ "The 'subject' field per the CertificationRequestInfo
+ structure as specified by RFC 2986, Section 4.1
+ encoded using the ASN.1 distinguished encoding
+ rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ leaf attributes {
+ type binary;
+ description
+ "The 'attributes' field from the structure
+ CertificationRequestInfo as specified by RFC 2986,
+ Section 4.1 encoded using the ASN.1 distinguished
+ encoding rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ }
+ output {
+ leaf certificate-signing-request {
+ type binary;
+ mandatory true;
+ description
+ "A CertificationRequest structure as specified by
+ RFC 2986, Section 4.2 encoded using the ASN.1
+ distinguished encoding rules (DER), as specified
+ in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ }
+ } // generate-certificate-signing-request
+ } // asymmetric-key-pair-with-certs-grouping
+}
--- /dev/null
+module ietf-inet-types {
+
+ namespace "urn:ietf:params:xml:ns:yang:ietf-inet-types";
+ prefix "inet";
+
+ organization
+ "IETF Network Modeling (NETMOD) Working Group";
+
+ contact
+ "WG Web: <https://datatracker.ietf.org/wg/netmod/>
+ WG List: <mailto:netmod@ietf.org>
+
+ Editor: Juergen Schoenwaelder
+ <mailto:j.schoenwaelder@jacobs-university.de>";
+
+ description
+ "This module contains a collection of generally useful derived
+ YANG data types for Internet addresses and related things.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
+ NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
+ 'MAY', and 'OPTIONAL' in this document are to be interpreted as
+ described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
+ they appear in all capitals, as shown here.
+
+ Copyright (c) 2019 IETF Trust and the persons identified as
+ authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD License
+ set forth in Section 4.c of the IETF Trust's Legal Provisions
+ Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX;
+ see the RFC itself for full legal notices.";
+ revision 2019-11-04 {
+ description
+ "This revision adds the following new data types:
+ - ip-address-and-prefix
+ - ipv4-address-and-prefix
+ - ipv6-address-and-prefix
+ - email-address";
+ reference
+ "RFC XXXX: Common YANG Data Types";
+ }
+
+ revision 2013-07-15 {
+ description
+ "This revision adds the following new data types:
+ - ip-address-no-zone
+ - ipv4-address-no-zone
+ - ipv6-address-no-zone";
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ revision 2010-09-24 {
+ description
+ "Initial revision.";
+ reference
+ "RFC 6021: Common YANG Data Types";
+ }
+
+ /*** collection of types related to protocol fields ***/
+
+ typedef ip-version {
+ type enumeration {
+ enum unknown {
+ value "0";
+ description
+ "An unknown or unspecified version of the Internet
+ protocol.";
+ }
+ enum ipv4 {
+ value "1";
+ description
+ "The IPv4 protocol as defined in RFC 791.";
+ }
+ enum ipv6 {
+ value "2";
+ description
+ "The IPv6 protocol as defined in RFC 2460.";
+ }
+ }
+ description
+ "This value represents the version of the IP protocol.
+
+ In the value set and its semantics, this type is equivalent
+ to the InetVersion textual convention of the SMIv2.";
+ reference
+ "RFC 791: Internet Protocol
+ RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
+ RFC 4001: Textual Conventions for Internet Network Addresses";
+ }
+
+ typedef dscp {
+ type uint8 {
+ range "0..63";
+ }
+ description
+ "The dscp type represents a Differentiated Services Code Point
+ that may be used for marking packets in a traffic stream.
+
+ In the value set and its semantics, this type is equivalent
+ to the Dscp textual convention of the SMIv2.";
+ reference
+ "RFC 3289: Management Information Base for the Differentiated
+ Services Architecture
+ RFC 2474: Definition of the Differentiated Services Field
+ (DS Field) in the IPv4 and IPv6 Headers
+ RFC 2780: IANA Allocation Guidelines For Values In
+ the Internet Protocol and Related Headers";
+ }
+
+ typedef ipv6-flow-label {
+ type uint32 {
+ range "0..1048575";
+ }
+ description
+ "The ipv6-flow-label type represents the flow identifier or
+ Flow Label in an IPv6 packet header that may be used to
+ discriminate traffic flows.
+
+ In the value set and its semantics, this type is equivalent
+ to the IPv6FlowLabel textual convention of the SMIv2.";
+ reference
+ "RFC 3595: Textual Conventions for IPv6 Flow Label
+ RFC 2460: Internet Protocol, Version 6 (IPv6) Specification";
+ }
+
+ typedef port-number {
+ type uint16 {
+ range "0..65535";
+ }
+ description
+ "The port-number type represents a 16-bit port number of an
+ Internet transport-layer protocol such as UDP, TCP, DCCP, or
+ SCTP. Port numbers are assigned by IANA. A current list of
+ all assignments is available from <http://www.iana.org/>.
+
+ Note that the port number value zero is reserved by IANA. In
+ situations where the value zero does not make sense, it can
+ be excluded by subtyping the port-number type.
+
+ In the value set and its semantics, this type is equivalent
+ to the InetPortNumber textual convention of the SMIv2.";
+ reference
+ "RFC 768: User Datagram Protocol
+ RFC 793: Transmission Control Protocol
+ RFC 4960: Stream Control Transmission Protocol
+ RFC 4340: Datagram Congestion Control Protocol (DCCP)
+ RFC 4001: Textual Conventions for Internet Network Addresses";
+ }
+
+ /*** collection of types related to autonomous systems ***/
+
+ typedef as-number {
+ type uint32;
+ description
+ "The as-number type represents autonomous system numbers
+ which identify an Autonomous System (AS). An AS is a set
+ of routers under a single technical administration, using
+ an interior gateway protocol and common metrics to route
+ packets within the AS, and using an exterior gateway
+ protocol to route packets to other ASes. IANA maintains
+ the AS number space and has delegated large parts to the
+ regional registries.
+
+ Autonomous system numbers were originally limited to 16
+ bits. BGP extensions have enlarged the autonomous system
+ number space to 32 bits. This type therefore uses an uint32
+ base type without a range restriction in order to support
+ a larger autonomous system number space.
+
+ In the value set and its semantics, this type is equivalent
+ to the InetAutonomousSystemNumber textual convention of
+ the SMIv2.";
+ reference
+ "RFC 1930: Guidelines for creation, selection, and registration
+ of an Autonomous System (AS)
+ RFC 4271: A Border Gateway Protocol 4 (BGP-4)
+ RFC 4001: Textual Conventions for Internet Network Addresses
+ RFC 6793: BGP Support for Four-Octet Autonomous System (AS)
+ Number Space";
+ }
+
+ /*** collection of types related to IP addresses and hostnames ***/
+
+ typedef ip-address {
+ type union {
+ type inet:ipv4-address;
+ type inet:ipv6-address;
+ }
+ description
+ "The ip-address type represents an IP address and is IP
+ version neutral. The format of the textual representation
+ implies the IP version. This type supports scoped addresses
+ by allowing zone identifiers in the address format.";
+ reference
+ "RFC 4007: IPv6 Scoped Address Architecture";
+ }
+
+ typedef ipv4-address {
+ type string {
+ pattern
+ '(([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}'
+ + '([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])'
+ + '(%[\p{N}\p{L}]+)?';
+ }
+ description
+ "The ipv4-address type represents an IPv4 address in
+ dotted-quad notation. The IPv4 address may include a zone
+ index, separated by a % sign.
+
+ The zone index is used to disambiguate identical address
+ values. For link-local addresses, the zone index will
+ typically be the interface index number or the name of an
+ interface. If the zone index is not present, the default
+ zone of the device will be used.
+
+ The canonical format for the zone index is the numerical
+ format";
+ }
+
+ typedef ipv6-address {
+ type string {
+ pattern '((:|[0-9a-fA-F]{0,4}):)([0-9a-fA-F]{0,4}:){0,5}'
+ + '((([0-9a-fA-F]{0,4}:)?(:|[0-9a-fA-F]{0,4}))|'
+ + '(((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}'
+ + '(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])))'
+ + '(%[\p{N}\p{L}]+)?';
+ pattern '(([^:]+:){6}(([^:]+:[^:]+)|(.*\..*)))|'
+ + '((([^:]+:)*[^:]+)?::(([^:]+:)*[^:]+)?)'
+ + '(%.+)?';
+ }
+ description
+ "The ipv6-address type represents an IPv6 address in full,
+ mixed, shortened, and shortened-mixed notation. The IPv6
+ address may include a zone index, separated by a % sign.
+
+ The zone index is used to disambiguate identical address
+ values. For link-local addresses, the zone index will
+ typically be the interface index number or the name of an
+ interface. If the zone index is not present, the default
+ zone of the device will be used.
+
+ The canonical format of IPv6 addresses uses the textual
+ representation defined in Section 4 of RFC 5952. The
+ canonical format for the zone index is the numerical
+ format as described in Section 11.2 of RFC 4007.";
+ reference
+ "RFC 4291: IP Version 6 Addressing Architecture
+ RFC 4007: IPv6 Scoped Address Architecture
+ RFC 5952: A Recommendation for IPv6 Address Text
+ Representation";
+ }
+
+ typedef ip-address-no-zone {
+ type union {
+ type inet:ipv4-address-no-zone;
+ type inet:ipv6-address-no-zone;
+ }
+ description
+ "The ip-address-no-zone type represents an IP address and is
+ IP version neutral. The format of the textual representation
+ implies the IP version. This type does not support scoped
+ addresses since it does not allow zone identifiers in the
+ address format.";
+ reference
+ "RFC 4007: IPv6 Scoped Address Architecture";
+ }
+
+ typedef ipv4-address-no-zone {
+ type inet:ipv4-address {
+ pattern '[0-9\.]*';
+ }
+ description
+ "An IPv4 address without a zone index. This type, derived from
+ ipv4-address, may be used in situations where the zone is known
+ from the context and hence no zone index is needed.";
+ }
+
+ typedef ipv6-address-no-zone {
+ type inet:ipv6-address {
+ pattern '[0-9a-fA-F:\.]*';
+ }
+ description
+ "An IPv6 address without a zone index. This type, derived from
+ ipv6-address, may be used in situations where the zone is known
+ from the context and hence no zone index is needed.";
+ reference
+ "RFC 4291: IP Version 6 Addressing Architecture
+ RFC 4007: IPv6 Scoped Address Architecture
+ RFC 5952: A Recommendation for IPv6 Address Text
+ Representation";
+ }
+
+ typedef ip-prefix {
+ type union {
+ type inet:ipv4-prefix;
+ type inet:ipv6-prefix;
+ }
+ description
+ "The ip-prefix type represents an IP prefix and is IP
+ version neutral. The format of the textual representations
+ implies the IP version.";
+ }
+
+ typedef ipv4-prefix {
+ type string {
+ pattern
+ '(([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}'
+ + '([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])'
+ + '/(([0-9])|([1-2][0-9])|(3[0-2]))';
+ }
+ description
+ "The ipv4-prefix type represents an IPv4 prefix.
+ The prefix length is given by the number following the
+ slash character and must be less than or equal to 32.
+
+ A prefix length value of n corresponds to an IP address
+ mask that has n contiguous 1-bits from the most
+ significant bit (MSB) and all other bits set to 0.
+ The canonical format of an IPv4 prefix has all bits of
+ the IPv4 address set to zero that are not part of the
+ IPv4 prefix.
+
+ The definition of ipv4-prefix does not require that bits,
+ which are not part of the prefix, are set to zero. However,
+ implementations have to return values in canonical format,
+ which requires non-prefix bits to be set to zero. This means
+ that 192.0.2.1/24 must be accepted as a valid value but it
+ will be converted into the canonical format 192.0.2.0/24.";
+ }
+
+ typedef ipv6-prefix {
+ type string {
+ pattern '((:|[0-9a-fA-F]{0,4}):)([0-9a-fA-F]{0,4}:){0,5}'
+ + '((([0-9a-fA-F]{0,4}:)?(:|[0-9a-fA-F]{0,4}))|'
+ + '(((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}'
+ + '(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])))'
+ + '(/(([0-9])|([0-9]{2})|(1[0-1][0-9])|(12[0-8])))';
+ pattern '(([^:]+:){6}(([^:]+:[^:]+)|(.*\..*)))|'
+ + '((([^:]+:)*[^:]+)?::(([^:]+:)*[^:]+)?)'
+ + '(/.+)';
+ }
+ description
+ "The ipv6-prefix type represents an IPv6 prefix.
+ The prefix length is given by the number following the
+ slash character and must be less than or equal to 128.
+
+ A prefix length value of n corresponds to an IP address
+ mask that has n contiguous 1-bits from the most
+ significant bit (MSB) and all other bits set to 0.
+
+ The canonical format of an IPv6 prefix has all bits of
+ the IPv6 address set to zero that are not part of the
+ IPv6 prefix. Furthermore, the IPv6 address is represented
+ as defined in Section 4 of RFC 5952.
+
+ The definition of ipv6-prefix does not require that bits,
+ which are not part of the prefix, are set to zero. However,
+ implementations have to return values in canonical format,
+ which requires non-prefix bits to be set to zero. This means
+ that 2001:db8::1/64 must be accepted as a valid value but it
+ will be converted into the canonical format 2001:db8::/64.";
+ reference
+ "RFC 5952: A Recommendation for IPv6 Address Text
+ Representation";
+ }
+
+ typedef ip-address-and-prefix {
+ type union {
+ type inet:ipv4-address-and-prefix;
+ type inet:ipv6-address-and-prefix;
+ }
+ description
+ "The ip-address-and-prefix type represents an IP address and
+ prefix and is IP version neutral. The format of the textual
+ representations implies the IP version.";
+ }
+
+ typedef ipv4-address-and-prefix {
+ type string {
+ pattern
+ '(([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}'
+ + '([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])'
+ + '/(([0-9])|([1-2][0-9])|(3[0-2]))';
+ }
+ description
+ "The ipv4-address-and-prefix type represents an IPv4
+ address and an associated ipv4 prefix.
+ The prefix length is given by the number following the
+ slash character and must be less than or equal to 32.
+
+ A prefix length value of n corresponds to an IP address
+ mask that has n contiguous 1-bits from the most
+ significant bit (MSB) and all other bits set to 0.";
+ }
+
+ typedef ipv6-address-and-prefix {
+ type string {
+ pattern '((:|[0-9a-fA-F]{0,4}):)([0-9a-fA-F]{0,4}:){0,5}'
+ + '((([0-9a-fA-F]{0,4}:)?(:|[0-9a-fA-F]{0,4}))|'
+ + '(((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}'
+ + '(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])))'
+ + '(/(([0-9])|([0-9]{2})|(1[0-1][0-9])|(12[0-8])))';
+ pattern '(([^:]+:){6}(([^:]+:[^:]+)|(.*\..*)))|'
+ + '((([^:]+:)*[^:]+)?::(([^:]+:)*[^:]+)?)'
+ + '(/.+)';
+ }
+ description
+ "The ipv6-address-and-prefix type represents an IPv6
+ address and an associated ipv4 prefix.
+ The prefix length is given by the number following the
+ slash character and must be less than or equal to 128.
+
+ A prefix length value of n corresponds to an IP address
+ mask that has n contiguous 1-bits from the most
+ significant bit (MSB) and all other bits set to 0.
+
+ The canonical format requires that the IPv6 address is
+ represented as defined in Section 4 of RFC 5952.";
+ reference
+ "RFC 5952: A Recommendation for IPv6 Address Text
+ Representation";
+ }
+
+ /*** collection of domain name and URI types ***/
+
+ typedef domain-name {
+ type string {
+ length "1..253";
+ pattern
+ '((([a-zA-Z0-9_]([a-zA-Z0-9\-_]){0,61})?[a-zA-Z0-9]\.)*'
+ + '([a-zA-Z0-9_]([a-zA-Z0-9\-_]){0,61})?[a-zA-Z0-9]\.?)'
+ + '|\.';
+ }
+ description
+ "The domain-name type represents a DNS domain name. The
+ name SHOULD be fully qualified whenever possible. This
+ type does not support wildcards (see RFC 4592) or
+ classless in-addr.arpa delegations (see RFC 2317).
+
+ Internet domain names are only loosely specified. Section
+ 3.5 of RFC 1034 recommends a syntax (modified in Section
+ 2.1 of RFC 1123). The pattern above is intended to allow
+ for current practice in domain name use, and some possible
+ future expansion. Note that Internet host names have a
+ stricter syntax (described in RFC 952) than the DNS
+ recommendations in RFCs 1034 and 1123, and that systems
+ that want to store host names in schema node instances
+ using the domain-name type are recommended to adhere to
+ this stricter standard to ensure interoperability.
+
+ The encoding of DNS names in the DNS protocol is limited
+ to 255 characters. Since the encoding consists of labels
+ prefixed by a length bytes and there is a trailing NULL
+ byte, only 253 characters can appear in the textual dotted
+ notation.
+
+ The description clause of schema nodes using the domain-name
+ type MUST describe when and how these names are resolved to
+ IP addresses. Note that the resolution of a domain-name value
+ may require to query multiple DNS records (e.g., A for IPv4
+ and AAAA for IPv6). The order of the resolution process and
+ which DNS record takes precedence can either be defined
+ explicitly or may depend on the configuration of the
+ resolver.
+
+ Domain-name values use the US-ASCII encoding. Their canonical
+ format uses lowercase US-ASCII characters. Internationalized
+ domain names MUST be A-labels as per RFC 5890.";
+ reference
+ "RFC 952: DoD Internet Host Table Specification
+ RFC 1034: Domain Names - Concepts and Facilities
+ RFC 1123: Requirements for Internet Hosts -- Application
+ and Support
+ RFC 2317: Classless IN-ADDR.ARPA delegation
+ RFC 2782: A DNS RR for specifying the location of services
+ (DNS SRV)
+ RFC 4592: The Role of Wildcards in the Domain Name System
+ RFC 5890: Internationalized Domain Names in Applications
+ (IDNA): Definitions and Document Framework";
+ }
+
+ typedef host {
+ type union {
+ type inet:ip-address;
+ type inet:domain-name;
+ }
+ description
+ "The host type represents either an IP address or a DNS
+ domain name.";
+ }
+
+ /*
+ * DISCUSS:
+ * - Lada suggested to replace the inet:domain-name usage in
+ * the union with a new host-name definition that follows
+ * the NR-LDH definition in RFC 5890.
+ */
+
+ typedef uri {
+ type string;
+ description
+ "The uri type represents a Uniform Resource Identifier
+ (URI) as defined by STD 66.
+
+ Objects using the uri type MUST be in US-ASCII encoding,
+ and MUST be normalized as described by RFC 3986 Sections
+ 6.2.1, 6.2.2.1, and 6.2.2.2. All unnecessary
+ percent-encoding is removed, and all case-insensitive
+ characters are set to lowercase except for hexadecimal
+ digits, which are normalized to uppercase as described in
+ Section 6.2.2.1.
+
+ The purpose of this normalization is to help provide
+ unique URIs. Note that this normalization is not
+ sufficient to provide uniqueness. Two URIs that are
+ textually distinct after this normalization may still be
+ equivalent.
+
+ Objects using the uri type may restrict the schemes that
+ they permit. For example, 'data:' and 'urn:' schemes
+ might not be appropriate.
+
+ A zero-length URI is not a valid URI. This can be used to
+ express 'URI absent' where required.
+
+ In the value set and its semantics, this type is equivalent
+ to the Uri SMIv2 textual convention defined in RFC 5017.";
+ reference
+ "RFC 3986: Uniform Resource Identifier (URI): Generic Syntax
+ RFC 3305: Report from the Joint W3C/IETF URI Planning Interest
+ Group: Uniform Resource Identifiers (URIs), URLs,
+ and Uniform Resource Names (URNs): Clarifications
+ and Recommendations
+ RFC 5017: MIB Textual Conventions for Uniform Resource
+ Identifiers (URIs)";
+ }
+
+ typedef email-address {
+ type string {
+ // dot-atom-text "@" ...
+ pattern '[a-zA-Z0-9!#$%&'+"'"+'*+/=?^_`{|}~-]+'
+ + '(\.[a-zA-Z0-9!#$%&'+"'"+'*+/=?^_`{|}~-]+)*'
+ + '@'
+ + '[a-zA-Z0-9!#$%&'+"'"+'*+/=?^_`{|}~-]+'
+ + '(\.[a-zA-Z0-9!#$%&'+"'"+'*+/=?^_`{|}~-]+)*';
+ }
+ description
+ "The email-address type represents an email address as
+ defined as addr-spec in RFC 5322 section 3.4.1.";
+ reference
+ "RFC 5322: Internet Message Format";
+ }
+
+ /*
+ * DISCUSS:
+ * - It was suggested to add email types following RFC 5322
+ * email-address (addr-spec, per Section 3.4.1)
+ * named-email-address (name-addr, per Section 3.4)
+ * - This sounds useful but the devil is in the details,
+ * in particular name-addr is a quite complex construct;
+ * perhaps addr-spec is sufficient, this is also the
+ * format allowed in mailto: URIs (mailto: seems to use
+ * only a subset of addr-spec which may be good enough
+ * here as well).
+ * - Need to define a pattern that has a meaningful trade-off
+ * between precision and complexity (there are very tight
+ * pattern that are very long and complex). The current
+ * pattern does not take care of quoted-string, obs-local-part,
+ * domain-literal, obs-domain.
+ */
+
+ /*
+ * DISCUSS:
+ * - There was a request to add types for URI fields (scheme,
+ * authority, path, query, fragment) but it is not clear how
+ * commonly useful these types are, the WG was pretty silent
+ * about this proposal. On the technical side, it is unclear
+ * whether data is represented with percent escapes resolved
+ * or not. (Mahesh's proposal does not spell this out, the
+ * pattern does not allow the % character, which may be wrong.)
+ */
+}
--- /dev/null
+module ietf-keystore {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-keystore";
+ prefix ks;
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ import ietf-crypto-types {
+ prefix ct;
+ reference
+ "RFC AAAA: Common YANG Data Types for Cryptography";
+ }
+
+ //import iana-hash-algs {
+ // prefix iha;
+ // reference
+ // "RFC AAAA: Common YANG Data Types for Cryptography";
+ //}
+
+ import iana-symmetric-algs {
+ prefix isa;
+ reference
+ "RFC AAAA: Common YANG Data Types for Cryptography";
+ }
+
+ import iana-asymmetric-algs {
+ prefix iasa;
+ reference
+ "RFC AAAA: Common YANG Data Types for Cryptography";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: <http://datatracker.ietf.org/wg/netconf/>
+ WG List: <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>";
+
+ description
+ "This module defines a keystore to centralize management
+ of security credentials.
+
+ Copyright (c) 2019 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Simplified
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX
+ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2019-11-20 {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: A YANG Data Model for a Keystore";
+ }
+
+ /****************/
+ /* Features */
+ /****************/
+
+ feature keystore-supported {
+ description
+ "The 'keystore-supported' feature indicates that the server
+ supports the keystore.";
+ }
+
+ feature local-definitions-supported {
+ description
+ "The 'local-definitions-supported' feature indicates that the
+ server supports locally-defined keys.";
+ }
+
+ feature key-generation {
+ description
+ "Indicates that the server supports the actions related to
+ the life cycling keys in <operational>. To be used by
+ configuration, keys in <operational> must be copied to
+ <running>.";
+ }
+
+ /****************/
+ /* Typedefs */
+ /****************/
+
+ typedef symmetric-key-ref {
+ type leafref {
+ path "/ks:keystore/ks:symmetric-keys/ks:symmetric-key"
+ + "/ks:name";
+ }
+ description
+ "This typedef enables modules to easily define a reference
+ to a symmetric key stored in the keystore.";
+ }
+
+ typedef asymmetric-key-ref {
+ type leafref {
+ path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
+ + "/ks:name";
+ }
+ description
+ "This typedef enables modules to easily define a reference
+ to an asymmetric key stored in the keystore.";
+ }
+
+ /*****************/
+ /* Groupings */
+ /*****************/
+
+
+ grouping key-reference-type-grouping {
+ description
+ "A reusable grouping for a choice for the type of key
+ referenced in the keystore.";
+ choice key-type {
+ mandatory true;
+ description
+ "A choice between a reference to a symmetric or asymmetric
+ key in the keystore.";
+ leaf symmetric-key-ref {
+ if-feature "keystore-supported";
+ type leafref {
+ path "/ks:keystore/ks:symmetric-keys/ks:symmetric-key/"
+ + "ks:name";
+ }
+ description
+ "Identifies a symmetric key used to encrypt this key.";
+ }
+ leaf asymmetric-key-ref {
+ if-feature "keystore-supported";
+ type leafref {
+ path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key/"
+ + "ks:name";
+ }
+ description
+ "Identifies an asymmetric key used to encrypt this key.";
+ }
+ }
+ }
+
+ grouping encrypted-value-grouping {
+ description
+ "A reusable grouping for a value that has been encrypted by
+ a symmetric or asymmetric key in the keystore.";
+ uses "key-reference-type-grouping";
+ leaf value {
+ type binary;
+ description
+ "The private key, encrypted using the specified symmetric
+ or asymmetric key.";
+ }
+ }
+
+ grouping symmetric-key-grouping {
+ description
+ "This grouping is identical to the one in ietf-crypto-types
+ except that it adds a case statement enabling the key
+ value to be encrypted by a symmetric or an asymmetric
+ key known to the keystore.";
+ uses ct:symmetric-key-grouping {
+ augment "key-type" {
+ description
+ "Augments a new 'case' statement into the 'choice'
+ statement defined by the ietf-crypto-types module.";
+ container encrypted-key {
+ must "../key-format";
+ description
+ "A container for the encrypted symmetric key value.";
+ uses encrypted-value-grouping;
+ }
+ }
+ }
+ }
+
+ grouping asymmetric-key-pair-grouping {
+ description
+ "This grouping is identical to the one in ietf-crypto-types
+ except that it adds a case statement enabling the key
+ value to be encrypted by a symmetric or an asymmetric
+ key known to the keystore.";
+ uses ct:asymmetric-key-pair-grouping {
+ augment "private-key-type" {
+ description
+ "Augments a new 'case' statement into the 'choice'
+ statement defined by the ietf-crypto-types module.";
+ container encrypted-private-key {
+ must "../private-key-format";
+ description
+ "A container for the encrypted asymmetric private
+ key value.";
+ uses encrypted-value-grouping;
+ }
+ }
+ }
+ }
+ grouping asymmetric-key-pair-with-cert-grouping {
+ description
+ "This grouping is identical to the one in ietf-crypto-types
+ except that it adds a case statement enabling the key
+ value to be encrypted by a symmetric or an asymmetric
+ key known to the keystore.";
+ uses ct:asymmetric-key-pair-with-cert-grouping {
+ augment "private-key-type" {
+ description
+ "Augments a new 'case' statement into the 'choice'
+ statement defined by the ietf-crypto-types module.";
+ container encrypted-private-key {
+ must "../private-key-format";
+ description
+ "A container for the encrypted asymmetric private
+ key value.";
+ uses encrypted-value-grouping;
+ }
+ }
+ }
+ }
+
+ grouping asymmetric-key-pair-with-certs-grouping {
+ description
+ "This grouping is identical to the one in ietf-crypto-types
+ except that it adds a case statement enabling the key
+ value to be encrypted by a symmetric or an asymmetric
+ key known to the keystore.";
+ uses ct:asymmetric-key-pair-with-certs-grouping {
+ augment "private-key-type" {
+ description
+ "Augments a new 'case' statement into the 'choice'
+ statement defined by the ietf-crypto-types module.";
+ container encrypted-private-key {
+ must "../private-key-format";
+ description
+ "A container for the encrypted asymmetric private
+ key value.";
+ uses encrypted-value-grouping;
+ }
+ }
+ }
+ }
+
+ grouping asymmetric-key-certificate-ref-grouping {
+ leaf asymmetric-key {
+ type ks:asymmetric-key-ref;
+ must '../certificate';
+ description
+ "A reference to an asymmetric key in the keystore.";
+ }
+ leaf certificate {
+ type leafref {
+ path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key[ks:"
+ + "name = current()/../asymmetric-key]/ks:certificates"
+ + "/ks:certificate/ks:name";
+ }
+ must '../asymmetric-key';
+ description
+ "A reference to a specific certificate of the
+ asymmetric key in the keystore.";
+ }
+ description
+ "This grouping defines a reference to a specific certificate
+ associated with an asymmetric key stored in the keystore.";
+ }
+
+
+ // local-or-keystore-* groupings
+
+ grouping local-or-keystore-symmetric-key-grouping {
+ description
+ "A grouping that expands to allow the symmetric key to be
+ either stored locally, within the using data model, or be
+ a reference to an symmetric key stored in the keystore.";
+ choice local-or-keystore {
+ mandatory true;
+ case local {
+ if-feature "local-definitions-supported";
+ container local-definition {
+ description
+ "Container to hold the local key definition.";
+ uses symmetric-key-grouping;
+ }
+ }
+ case keystore {
+ if-feature "keystore-supported";
+ leaf keystore-reference {
+ type ks:symmetric-key-ref;
+ description
+ "A reference to an symmetric key that exists in
+ the keystore.";
+ }
+ }
+ description
+ "A choice between an inlined definition and a definition
+ that exists in the keystore.";
+ }
+ }
+
+ grouping local-or-keystore-asymmetric-key-grouping {
+ description
+ "A grouping that expands to allow the asymmetric key to be
+ either stored locally, within the using data model, or be
+ a reference to an asymmetric key stored in the keystore.";
+ choice local-or-keystore {
+ mandatory true;
+ case local {
+ if-feature "local-definitions-supported";
+ container local-definition {
+ description
+ "Container to hold the local key definition.";
+ uses asymmetric-key-pair-grouping;
+ }
+ }
+ case keystore {
+ if-feature "keystore-supported";
+ leaf keystore-reference {
+ type ks:asymmetric-key-ref;
+ description
+ "A reference to an asymmetric key that exists in
+ the keystore. The intent is to reference just the
+ asymmetric key without any regard for any certificates
+ that may be associated with it.";
+ }
+ }
+ description
+ "A choice between an inlined definition and a definition
+ that exists in the keystore.";
+ }
+ }
+
+ grouping local-or-keystore-asymmetric-key-with-certs-grouping {
+ description
+ "A grouping that expands to allow an asymmetric key and its
+ associated certificates to be either stored locally, within
+ the using data model, or be a reference to an asymmetric key
+ (and its associated certificates) stored in the keystore.";
+ choice local-or-keystore {
+ mandatory true;
+ case local {
+ if-feature "local-definitions-supported";
+ container local-definition {
+ description
+ "Container to hold the local key definition.";
+ uses asymmetric-key-pair-with-certs-grouping;
+ }
+ }
+ case keystore {
+ if-feature "keystore-supported";
+ leaf keystore-reference {
+ type ks:asymmetric-key-ref;
+ description
+ "A reference to an asymmetric-key (and all of its
+ associated certificates) in the keystore.";
+ }
+ }
+ description
+ "A choice between an inlined definition and a definition
+ that exists in the keystore.";
+ }
+ }
+
+ grouping local-or-keystore-end-entity-cert-with-key-grouping {
+ description
+ "A grouping that expands to allow an end-entity certificate
+ (and its associated private key) to be either stored locally,
+ within the using data model, or be a reference to a specific
+ certificate in the keystore.";
+ choice local-or-keystore {
+ mandatory true;
+ case local {
+ if-feature "local-definitions-supported";
+ container local-definition {
+ description
+ "Container to hold the local key definition.";
+ uses asymmetric-key-pair-with-cert-grouping;
+ }
+ }
+ case keystore {
+ if-feature "keystore-supported";
+ container keystore-reference {
+ uses asymmetric-key-certificate-ref-grouping;
+ description
+ "A reference to a specific certificate (and its
+ associated private key) in the keystore.";
+ }
+ }
+ description
+ "A choice between an inlined definition and a definition
+ that exists in the keystore.";
+ }
+ }
+
+ grouping keystore-grouping {
+ description
+ "Grouping definition enables use in other contexts. If ever
+ done, implementations SHOULD augment new 'case' statements
+ into local-or-keystore 'choice' statements to supply leafrefs
+ to the new location.";
+ container asymmetric-keys {
+ description
+ "A list of asymmetric keys.";
+ list asymmetric-key {
+ key "name";
+ description
+ "An asymmetric key.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the asymmetric key.";
+ }
+ uses ks:asymmetric-key-pair-with-certs-grouping;
+ }
+ action generate-asymmetric-key {
+ //nacm:default-deny-all;
+ description
+ "Requests the device to generate an asymmetric key using
+ the specified key algorithm, optionally encrypted using
+ a key in the keystore. The output is this RPC can be
+ used as input to a subsequent configuration request.";
+ input {
+ leaf algorithm {
+ type iasa:asymmetric-algorithm-type;
+ mandatory true;
+ description
+ "The algorithm to be used when generating the key.";
+ reference
+ "RFC AAAA: Common YANG Data Types for Cryptography";
+ }
+ container encrypt-with {
+ presence
+ "Indicates that the key should be encrypted using
+ the specified symmetric or asymmetric key. If not
+ specified, then the private key is not encrypted
+ when returned.";
+ description
+ "A container for the 'key-type' choice.";
+ uses key-reference-type-grouping;
+ }
+ }
+ output {
+ uses ks:asymmetric-key-pair-grouping;
+ }
+ } // end generate-asymmetric-key
+ }
+ container symmetric-keys {
+ description
+ "A list of symmetric keys.";
+ list symmetric-key {
+ key "name";
+ description
+ "A symmetric key.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the symmetric key.";
+ }
+ uses ks:symmetric-key-grouping;
+ }
+ action generate-symmetric-key {
+ //nacm:default-deny-all;
+ description
+ "Requests the device to generate an symmetric key using
+ the specified key algorithm, optionally encrypted using
+ a key in the keystore. The output is this RPC can be
+ used as input to a subsequent configuration request.";
+ input {
+ leaf algorithm {
+ type isa:symmetric-algorithm-type;
+ mandatory true;
+ description
+ "The algorithm to be used when generating the key.";
+ reference
+ "RFC AAAA: Common YANG Data Types for Cryptography";
+ }
+ container encrypt-with {
+ presence
+ "Indicates that the key should be encrypted using
+ the specified symmetric or asymmetric key. If not
+ specified, then the private key is not encrypted
+ when returned.";
+ description
+ "A container for the 'key-type' choice.";
+ uses key-reference-type-grouping;
+ }
+ }
+ output {
+ uses ks:symmetric-key-grouping;
+ }
+ } // end generate-symmetric-key
+ }
+ } // grouping keystore-grouping
+
+
+ /*********************************/
+ /* Protocol accessible nodes */
+ /*********************************/
+
+ container keystore {
+ nacm:default-deny-write;
+ description
+ "The keystore contains a list of keys.";
+ uses keystore-grouping;
+ }
+
+
+}
--- /dev/null
+module ietf-netconf-client {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-client";
+ prefix ncc;
+
+ import ietf-yang-types {
+ prefix yang;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ import ietf-tcp-client {
+ prefix tcpc;
+ reference
+ "RFC BBBB: YANG Groupings for TCP Clients and TCP Servers";
+ }
+
+ import ietf-tcp-server {
+ prefix tcps;
+ reference
+ "RFC BBBB: YANG Groupings for TCP Clients and TCP Servers";
+ }
+
+ import ietf-ssh-client {
+ prefix sshc;
+ revision-date 2019-11-20; // stable grouping definitions
+ reference
+ "RFC CCCC: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ import ietf-tls-client {
+ prefix tlsc;
+ revision-date 2019-11-20; // stable grouping definitions
+ reference
+ "RFC DDDD: YANG Groupings for TLS Clients and TLS Servers";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: <http://datatracker.ietf.org/wg/netconf/>
+ WG List: <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Author: Gary Wu <mailto:garywu@cisco.com>";
+
+ description
+ "This module contains a collection of YANG definitions
+ for configuring NETCONF clients.
+
+ Copyright (c) 2019 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Simplified
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX
+ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
+ itself for full legal notices.;
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2019-11-20 {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: NETCONF Client and Server Models";
+ }
+
+ // Features
+
+ feature ssh-initiate {
+ description
+ "The 'ssh-initiate' feature indicates that the NETCONF client
+ supports initiating SSH connections to NETCONF servers.";
+ reference
+ "RFC 6242:
+ Using the NETCONF Protocol over Secure Shell (SSH)";
+ }
+
+ feature tls-initiate {
+ description
+ "The 'tls-initiate' feature indicates that the NETCONF client
+ supports initiating TLS connections to NETCONF servers.";
+ reference
+ "RFC 7589: Using the NETCONF Protocol over Transport
+ Layer Security (TLS) with Mutual X.509 Authentication";
+ }
+
+ feature ssh-listen {
+ description
+ "The 'ssh-listen' feature indicates that the NETCONF client
+ supports opening a port to listen for incoming NETCONF
+ server call-home SSH connections.";
+ reference
+ "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
+ }
+
+ feature tls-listen {
+ description
+ "The 'tls-listen' feature indicates that the NETCONF client
+ supports opening a port to listen for incoming NETCONF
+ server call-home TLS connections.";
+ reference
+ "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
+ }
+
+ // Groupings
+
+ grouping netconf-client-grouping {
+ description
+ "A reusable grouping for configuring a NETCONF client
+ without any consideration for how underlying transport
+ sessions are established.
+
+ This grouping currently doesn't define any nodes.";
+ }
+
+ grouping netconf-client-initiate-stack-grouping {
+ description
+ "A reusable grouping for configuring a NETCONF client
+ 'initiate' protocol stack for a single connection.";
+ choice transport {
+ mandatory true;
+ description
+ "Selects between available transports.";
+ case ssh {
+ if-feature "ssh-initiate";
+ container ssh {
+ description
+ "Specifies IP and SSH specific configuration
+ for the connection.";
+ container tcp-client-parameters {
+ description
+ "A wrapper around the TCP client parameters
+ to avoid name collisions.";
+ uses tcpc:tcp-client-grouping {
+ refine "remote-port" {
+ default "830";
+ description
+ "The NETCONF client will attempt to connect
+ to the IANA-assigned well-known port value
+ for 'netconf-ssh' (443) if no value is
+ specified.";
+ }
+ }
+ }
+ container ssh-client-parameters {
+ description
+ "A wrapper around the SSH client parameters to
+ avoid name collisions.";
+ uses sshc:ssh-client-grouping;
+ }
+ container netconf-client-parameters {
+ description
+ "A wrapper around the NETCONF client parameters
+ to avoid name collisions.";
+ uses ncc:netconf-client-grouping;
+ }
+ }
+ }
+ case tls {
+ if-feature "tls-initiate";
+ container tls {
+ description
+ "Specifies IP and TLS specific configuration
+ for the connection.";
+ container tcp-client-parameters {
+ description
+ "A wrapper around the TCP client parameters
+ to avoid name collisions.";
+ uses tcpc:tcp-client-grouping {
+ refine "remote-port" {
+ default "6513";
+ description
+ "The NETCONF client will attempt to connect
+ to the IANA-assigned well-known port value
+ for 'netconf-tls' (6513) if no value is
+ specified.";
+ }
+ }
+ }
+ container tls-client-parameters {
+ must "client-identity" {
+ description
+ "NETCONF/TLS clients MUST pass some
+ authentication credentials.";
+ }
+ description
+ "A wrapper around the TLS client parameters
+ to avoid name collisions.";
+ uses tlsc:tls-client-grouping;
+ }
+ container netconf-client-parameters {
+ description
+ "A wrapper around the NETCONF client parameters
+ to avoid name collisions.";
+ uses ncc:netconf-client-grouping;
+ }
+ }
+ }
+ }
+ } // netconf-client-initiate-stack-grouping
+
+ grouping netconf-client-listen-stack-grouping {
+ description
+ "A reusable grouping for configuring a NETCONF client
+ 'listen' protocol stack for a single connection.";
+ choice transport {
+ mandatory true;
+ description
+ "Selects between available transports.";
+ case ssh {
+ if-feature "ssh-listen";
+ container ssh {
+ description
+ "SSH-specific listening configuration for inbound
+ connections.";
+ container tcp-server-parameters {
+ description
+ "A wrapper around the TCP server parameters
+ to avoid name collisions.";
+ uses tcps:tcp-server-grouping {
+ refine "local-port" {
+ default "4334";
+ description
+ "The NETCONF client will listen on the IANA-
+ assigned well-known port for 'netconf-ch-ssh'
+ (4334) if no value is specified.";
+ }
+ }
+ }
+ container ssh-client-parameters {
+ description
+ "A wrapper around the SSH client parameters
+ to avoid name collisions.";
+ uses sshc:ssh-client-grouping;
+ }
+ container netconf-client-parameters {
+ description
+ "A wrapper around the NETCONF client parameters
+ to avoid name collisions.";
+ uses ncc:netconf-client-grouping;
+ }
+ }
+ }
+ case tls {
+ if-feature "tls-listen";
+ container tls {
+ description
+ "TLS-specific listening configuration for inbound
+ connections.";
+ container tcp-server-parameters {
+ description
+ "A wrapper around the TCP server parameters
+ to avoid name collisions.";
+ uses tcps:tcp-server-grouping {
+ refine "local-port" {
+ default "4334";
+ description
+ "The NETCONF client will listen on the IANA-
+ assigned well-known port for 'netconf-ch-ssh'
+ (4334) if no value is specified.";
+ }
+ }
+ }
+ container tls-client-parameters {
+ must "client-identity" {
+ description
+ "NETCONF/TLS clients MUST pass some
+ authentication credentials.";
+ }
+ description
+ "A wrapper around the TLS client parameters
+ to avoid name collisions.";
+ uses tlsc:tls-client-grouping;
+ }
+ container netconf-client-parameters {
+ description
+ "A wrapper around the NETCONF client parameters
+ to avoid name collisions.";
+ uses ncc:netconf-client-grouping;
+ }
+ }
+ }
+ }
+ } // netconf-client-listen-stack-grouping
+
+ grouping netconf-client-app-grouping {
+ description
+ "A reusable grouping for configuring a NETCONF client
+ application that supports both 'initiate' and 'listen'
+ protocol stacks for a multiplicity of connections.";
+ container initiate {
+ if-feature "ssh-initiate or tls-initiate";
+ presence "Enables client to initiate TCP connections";
+ description
+ "Configures client initiating underlying TCP connections.";
+ list netconf-server {
+ key "name";
+ min-elements 1;
+ description
+ "List of NETCONF servers the NETCONF client is to
+ maintain simultaneous connections with.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the NETCONF server.";
+ }
+ container endpoints {
+ description
+ "Container for the list of endpoints.";
+ list endpoint {
+ key "name";
+ min-elements 1;
+ ordered-by user;
+ description
+ "A user-ordered list of endpoints that the NETCONF
+ client will attempt to connect to in the specified
+ sequence. Defining more than one enables
+ high-availability.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the endpoint.";
+ }
+ uses netconf-client-initiate-stack-grouping;
+ } // list endpoint
+ } // container endpoints
+
+ container connection-type {
+ description
+ "Indicates the NETCONF client's preference for how the
+ NETCONF connection is maintained.";
+ choice connection-type {
+ mandatory true;
+ description
+ "Selects between available connection types.";
+ case persistent-connection {
+ container persistent {
+ presence "Indicates that a persistent connection is
+ to be maintained.";
+ description
+ "Maintain a persistent connection to the NETCONF
+ server. If the connection goes down, immediately
+ start trying to reconnect to the NETCONF server,
+ using the reconnection strategy.
+
+ This connection type minimizes any NETCONF server
+ to NETCONF client data-transfer delay, albeit at
+ the expense of holding resources longer.";
+ }
+ }
+ case periodic-connection {
+ container periodic {
+ presence "Indicates that a periodic connection is
+ to be maintained.";
+ description
+ "Periodically connect to the NETCONF server.
+
+ This connection type increases resource
+ utilization, albeit with increased delay in
+ NETCONF server to NETCONF client interactions.
+
+ The NETCONF client should close the underlying
+ TCP connection upon completing planned activities.
+
+ In the case that the previous connection is still
+ active, establishing a new connection is NOT
+ RECOMMENDED.";
+ leaf period {
+ type uint16;
+ units "minutes";
+ default "60";
+ description
+ "Duration of time between periodic connections.";
+ }
+ leaf anchor-time {
+ type yang:date-and-time {
+ // constrained to minute-level granularity
+ pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
+ + '(Z|[\+\-]\d{2}:\d{2})';
+ }
+ description
+ "Designates a timestamp before or after which a
+ series of periodic connections are determined.
+ The periodic connections occur at a whole
+ multiple interval from the anchor time. For
+ example, for an anchor time is 15 minutes past
+ midnight and a period interval of 24 hours, then
+ a periodic connection will occur 15 minutes past
+ midnight everyday.";
+ }
+ leaf idle-timeout {
+ type uint16;
+ units "seconds";
+ default 120; // two minutes
+ description
+ "Specifies the maximum number of seconds that
+ a NETCONF session may remain idle. A NETCONF
+ session will be dropped if it is idle for an
+ interval longer then this number of seconds.
+ If set to zero, then the NETCONF client will
+ never drop a session because it is idle.";
+ }
+ }
+ }
+ }
+ }
+ container reconnect-strategy {
+ description
+ "The reconnection strategy directs how a NETCONF client
+ reconnects to a NETCONF server, after discovering its
+ connection to the server has dropped, even if due to a
+ reboot. The NETCONF client starts with the specified
+ endpoint and tries to connect to it max-attempts times
+ before trying the next endpoint in the list (round
+ robin).";
+ leaf start-with {
+ type enumeration {
+ enum first-listed {
+ description
+ "Indicates that reconnections should start with
+ the first endpoint listed.";
+ }
+ enum last-connected {
+ description
+ "Indicates that reconnections should start with
+ the endpoint last connected to. If no previous
+ connection has ever been established, then the
+ first endpoint configured is used. NETCONF
+ clients SHOULD be able to remember the last
+ endpoint connected to across reboots.";
+ }
+ enum random-selection {
+ description
+ "Indicates that reconnections should start with
+ a random endpoint.";
+ }
+ }
+ default "first-listed";
+ description
+ "Specifies which of the NETCONF server's endpoints
+ the NETCONF client should start with when trying
+ to connect to the NETCONF server.";
+ }
+ leaf max-attempts {
+ type uint8 {
+ range "1..max";
+ }
+ default "3";
+ description
+ "Specifies the number times the NETCONF client tries
+ to connect to a specific endpoint before moving on
+ to the next endpoint in the list (round robin).";
+ }
+ }
+ } // netconf-server
+ } // initiate
+
+ container listen {
+ if-feature "ssh-listen or tls-listen";
+ presence "Enables client to accept call-home connections";
+ description
+ "Configures client accepting call-home TCP connections.";
+ leaf idle-timeout {
+ type uint16;
+ units "seconds";
+ default "3600"; // one hour
+ description
+ "Specifies the maximum number of seconds that a NETCONF
+ session may remain idle. A NETCONF session will be
+ dropped if it is idle for an interval longer than this
+ number of seconds. If set to zero, then the server
+ will never drop a session because it is idle. Sessions
+ that have a notification subscription active are never
+ dropped.";
+ }
+ list endpoint {
+ key "name";
+ min-elements 1;
+ description
+ "List of endpoints to listen for NETCONF connections.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the NETCONF listen endpoint.";
+ }
+ uses netconf-client-listen-stack-grouping;
+ } // endpoint
+ } // listen
+ } // netconf-client-app-grouping
+
+ // Protocol accessible node, for servers that implement this
+ // module.
+
+ container netconf-client {
+ uses netconf-client-app-grouping;
+ description
+ "Top-level container for NETCONF client configuration.";
+ }
+}
--- /dev/null
+module ietf-netconf-server {
+ yang-version 1.1;
+
+ namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-server";
+ prefix "ncs";
+
+ import ietf-yang-types {
+ prefix yang;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ import ietf-inet-types {
+ prefix inet;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ import ietf-x509-cert-to-name {
+ prefix x509c2n;
+ reference
+ "RFC 7407: A YANG Data Model for SNMP Configuration";
+ }
+
+ import ietf-ssh-server {
+ prefix ss;
+ revision-date 2018-09-20; // stable grouping definitions
+ reference
+ "RFC YYYY: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ import ietf-tls-server {
+ prefix ts;
+ revision-date 2018-09-20; // stable grouping definitions
+ reference
+ "RFC ZZZZ: YANG Groupings for TLS Clients and TLS Servers";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: <http://datatracker.ietf.org/wg/netconf/>
+ WG List: <mailto:netconf@ietf.org>
+
+ Author: Kent Watsen
+ <mailto:kwatsen@juniper.net>
+
+ Author: Gary Wu
+ <mailto:garywu@cisco.com>
+
+ Author: Juergen Schoenwaelder
+ <mailto:j.schoenwaelder@jacobs-university.de>";
+
+
+ description
+ "This module contains a collection of YANG definitions for
+ configuring NETCONF servers.
+
+ Copyright (c) 2017 IETF Trust and the persons identified as
+ authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD
+ License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX; see
+ the RFC itself for full legal notices.";
+
+ revision "2018-09-20" {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: NETCONF Client and Server Models";
+ }
+
+
+ // Features
+
+ feature listen {
+ description
+ "The 'listen' feature indicates that the NETCONF server
+ supports opening a port to accept NETCONF client connections
+ using at least one transport (e.g., SSH, TLS, etc.).";
+ }
+
+ feature ssh-listen {
+ description
+ "The 'ssh-listen' feature indicates that the NETCONF server
+ supports opening a port to accept NETCONF over SSH
+ client connections.";
+ reference
+ "RFC 6242:
+ Using the NETCONF Protocol over Secure Shell (SSH)";
+ }
+
+ feature tls-listen {
+ description
+ "The 'tls-listen' feature indicates that the NETCONF server
+ supports opening a port to accept NETCONF over TLS
+ client connections.";
+ reference
+ "RFC 7589: Using the NETCONF Protocol over Transport
+ Layer Security (TLS) with Mutual X.509
+ Authentication";
+ }
+
+ feature call-home {
+ description
+ "The 'call-home' feature indicates that the NETCONF server
+ supports initiating NETCONF call home connections to
+ NETCONF clients using at least one transport (e.g., SSH,
+ TLS, etc.).";
+ reference
+ "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
+ }
+
+ feature ssh-call-home {
+ description
+ "The 'ssh-call-home' feature indicates that the NETCONF
+ server supports initiating a NETCONF over SSH call
+ home connection to NETCONF clients.";
+ reference
+ "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
+ }
+
+ feature tls-call-home {
+ description
+ "The 'tls-call-home' feature indicates that the NETCONF
+ server supports initiating a NETCONF over TLS call
+ home connection to NETCONF clients.";
+ reference
+ "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
+ }
+
+
+ // protocol accessible nodes
+
+ container netconf-server {
+ uses netconf-server-grouping;
+ description
+ "Top-level container for NETCONF server configuration.";
+ }
+
+ // reusable groupings
+
+ grouping netconf-server-grouping {
+ description
+ "Top-level grouping for NETCONF server configuration.";
+ container listen {
+ if-feature listen;
+ presence "Enables server to listen for TCP connections";
+ description "Configures listen behavior";
+ leaf idle-timeout {
+ type uint16;
+ units "seconds";
+ default 3600; // one hour
+ description
+ "Specifies the maximum number of seconds that a NETCONF
+ session may remain idle. A NETCONF session will be
+ dropped if it is idle for an interval longer than this
+ number of seconds. If set to zero, then the server
+ will never drop a session because it is idle. Sessions
+ that have a notification subscription active are never
+ dropped.";
+ }
+ list endpoint {
+ key name;
+ min-elements 1;
+ description
+ "List of endpoints to listen for NETCONF connections.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the NETCONF listen endpoint.";
+ }
+ choice transport {
+ mandatory true;
+ description
+ "Selects between available transports.";
+ case ssh {
+ if-feature ssh-listen;
+ container ssh {
+ description
+ "SSH-specific listening configuration for inbound
+ connections.";
+ leaf address {
+ type inet:ip-address;
+ mandatory true;
+ description
+ "The IP address to listen on for incoming
+ connections. The NETCONF server will listen
+ on all configured interfaces if no value is
+ specified. INADDR_ANY (0.0.0.0) or INADDR6_ANY
+ (0:0:0:0:0:0:0:0 a.k.a. ::) MUST be used when
+ the server is to listen on all IPv4 or IPv6
+ addresses, respectively.";
+ }
+ leaf port {
+ type inet:port-number;
+ default 830;
+ description
+ "The local port number to listen on. If no value
+ is specified, the IANA-assigned port value for
+ 'netconf-ssh' (830) is used.";
+ }
+ uses ss:ssh-server-grouping;
+ }
+ }
+ case tls {
+ if-feature tls-listen;
+ container tls {
+ description
+ "TLS-specific listening configuration for inbound
+ connections.";
+ leaf address {
+ type inet:ip-address;
+ mandatory true;
+ description
+ "The IP address to listen on for incoming
+ connections. The NETCONF server will listen
+ on all configured interfaces if no value is
+ specified. INADDR_ANY (0.0.0.0) or INADDR6_ANY
+ (0:0:0:0:0:0:0:0 a.k.a. ::) MUST be used when
+ the server is to listen on all IPv4 or IPv6
+ addresses, respectively.";
+ }
+ leaf port {
+ type inet:port-number;
+ default 6513;
+ description
+ "The local port number to listen on. If no value
+ is specified, the IANA-assigned port value for
+ 'netconf-tls' (6513) is used.";
+ }
+ uses ts:tls-server-grouping {
+ refine "client-auth" {
+ must 'pinned-ca-certs or pinned-client-certs';
+ description
+ "NETCONF/TLS servers MUST validate client
+ certiticates.";
+ }
+ augment "client-auth" {
+ description
+ "Augments in the cert-to-name structure.";
+ container cert-maps {
+ uses x509c2n:cert-to-name;
+ description
+ "The cert-maps container is used by a TLS-
+ based NETCONF server to map the NETCONF
+ client's presented X.509 certificate to a
+ NETCONF username. If no matching and valid
+ cert-to-name list entry can be found, then
+ the NETCONF server MUST close the connection,
+ and MUST NOT accept NETCONF messages over
+ it.";
+ reference
+ "RFC WWWW: NETCONF over TLS, Section 7";
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+ container call-home {
+ if-feature call-home;
+ presence "Enables server to initiate TCP connections";
+ description "Configures call-home behavior";
+ list netconf-client {
+ key name;
+ min-elements 1;
+ description
+ "List of NETCONF clients the NETCONF server is to
+ initiate call-home connections to in parallel.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the remote NETCONF client.";
+ }
+ container endpoints {
+ description
+ "Container for the list of endpoints.";
+ list endpoint {
+ key name;
+ min-elements 1;
+ ordered-by user;
+ description
+ "A non-empty user-ordered list of endpoints for this
+ NETCONF server to try to connect to in sequence.
+ Defining more than one enables high-availability.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this endpoint.";
+ }
+ choice transport {
+ mandatory true;
+ description
+ "Selects between available transports.";
+ case ssh {
+ if-feature ssh-call-home;
+ container ssh {
+ description
+ "Specifies SSH-specific call-home transport
+ configuration.";
+ leaf address {
+ type inet:host;
+ mandatory true;
+ description
+ "The IP address or hostname of the endpoint.
+ If a domain name is configured, then the
+ DNS resolution should happen on each usage
+ attempt. If the the DNS resolution results
+ in multiple IP addresses, the IP addresses
+ will be tried according to local preference
+ order until a connection has been established
+ or until all IP addresses have failed.";
+ }
+ leaf port {
+ type inet:port-number;
+ default 4334;
+ description
+ "The IP port for this endpoint. The NETCONF
+ server will use the IANA-assigned well-known
+ port for 'netconf-ch-ssh' (4334) if no value
+ is specified.";
+ }
+ uses ss:ssh-server-grouping;
+ }
+ }
+ case tls {
+ if-feature tls-call-home;
+ container tls {
+ description
+ "Specifies TLS-specific call-home transport
+ configuration.";
+ leaf address {
+ type inet:host;
+ mandatory true;
+ description
+ "The IP address or hostname of the endpoint.
+ If a domain name is configured, then the
+ DNS resolution should happen on each usage
+ attempt. If the the DNS resolution results
+ in multiple IP addresses, the IP addresses
+ will be tried according to local preference
+ order until a connection has been established
+ or until all IP addresses have failed.";
+ }
+ leaf port {
+ type inet:port-number;
+ default 4335;
+ description
+ "The IP port for this endpoint. The NETCONF
+ server will use the IANA-assigned well-known
+ port for 'netconf-ch-tls' (4335) if no value
+ is specified.";
+ }
+ uses ts:tls-server-grouping {
+ refine "client-auth" {
+ must 'pinned-ca-certs or pinned-client-certs';
+ description
+ "NETCONF/TLS servers MUST validate client
+ certiticates.";
+ }
+ augment "client-auth" {
+ description
+ "Augments in the cert-to-name structure.";
+ container cert-maps {
+ uses x509c2n:cert-to-name;
+ description
+ "The cert-maps container is used by a
+ TLS-based NETCONF server to map the
+ NETCONF client's presented X.509
+ certificate to a NETCONF username. If
+ no matching and valid cert-to-name list
+ entry can be found, then the NETCONF
+ server MUST close the connection, and
+ MUST NOT accept NETCONF messages over
+ it.";
+ reference
+ "RFC WWWW: NETCONF over TLS, Section 7";
+ }
+ }
+ }
+ }
+ } // end tls
+ } // end choice
+ } // end endpoint
+ }
+ container connection-type {
+ description
+ "Indicates the kind of connection to use.";
+ choice connection-type {
+ mandatory true;
+ description
+ "Selects between available connection types.";
+ case persistent-connection {
+ container persistent {
+ presence
+ "Indicates that a persistent connection is to be
+ maintained.";
+ description
+ "Maintain a persistent connection to the NETCONF
+ client. If the connection goes down, immediately
+ start trying to reconnect to it, using the
+ reconnection strategy.
+
+ This connection type minimizes any NETCONF client
+ to NETCONF server data-transfer delay, albeit at
+ the expense of holding resources longer.";
+ container keep-alives {
+ description
+ "Configures the keep-alive policy, to
+ proactively test the aliveness of the SSH/TLS
+ client. An unresponsive SSH/TLS client will
+ be dropped after approximately max-attempts *
+ max-wait seconds.";
+ reference
+ "RFC 8071: NETCONF Call Home and RESTCONF
+ Call Home, Section 4.1, item S7";
+ leaf max-wait {
+ type uint16 {
+ range "1..max";
+ }
+ units seconds;
+ default 30;
+ description
+ "Sets the amount of time in seconds after
+ which if no data has been received from
+ the SSH/TLS client, a SSH/TLS-level message
+ will be sent to test the aliveness of the
+ SSH/TLS client.";
+ }
+ leaf max-attempts {
+ type uint8;
+ default 3;
+ description
+ "Sets the maximum number of sequential keep-
+ alive messages that can fail to obtain a
+ response from the SSH/TLS client before
+ assuming the SSH/TLS client is no longer
+ alive.";
+ }
+ }
+ }
+ }
+
+ case periodic-connection {
+ container periodic {
+ presence
+ "Indicates that a periodic connection is to be
+ maintained.";
+ description
+ "Periodically connect to the NETCONF client. The
+ NETCONF client should close the underlying TLS
+ connection upon completing planned activities.
+
+ This connection type increases resource
+ utilization, albeit with increased delay in
+ NETCONF client to NETCONF client interactions.";
+ leaf period {
+ type uint16;
+ units "minutes";
+ default 60;
+ description
+ "Duration of time between periodic connections.";
+ }
+ leaf anchor-time {
+ type yang:date-and-time {
+ // constrained to minute-level granularity
+ pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
+ + '(Z|[\+\-]\d{2}:\d{2})';
+ }
+ description
+ "Designates a timestamp before or after which a
+ series of periodic connections are determined.
+ The periodic connections occur at a whole
+ multiple interval from the anchor time. For
+ example, for an anchor time is 15 minutes past
+ midnight and a period interval of 24 hours, then
+ a periodic connection will occur 15 minutes past
+ midnight everyday.";
+ }
+ leaf idle-timeout {
+ type uint16;
+ units "seconds";
+ default 120; // two minutes
+ description
+ "Specifies the maximum number of seconds that
+ a NETCONF session may remain idle. A NETCONF
+ session will be dropped if it is idle for an
+ interval longer than this number of seconds.
+ If set to zero, then the server will never
+ drop a session because it is idle.";
+ }
+ }
+ }
+ }
+ }
+ container reconnect-strategy {
+ description
+ "The reconnection strategy directs how a NETCONF server
+ reconnects to a NETCONF client, after discovering its
+ connection to the client has dropped, even if due to a
+ reboot. The NETCONF server starts with the specified
+ endpoint and tries to connect to it max-attempts times
+ before trying the next endpoint in the list (round
+ robin).";
+ leaf start-with {
+ type enumeration {
+ enum first-listed {
+ description
+ "Indicates that reconnections should start with
+ the first endpoint listed.";
+ }
+ enum last-connected {
+ description
+ "Indicates that reconnections should start with
+ the endpoint last connected to. If no previous
+ connection has ever been established, then the
+ first endpoint configured is used. NETCONF
+ servers SHOULD be able to remember the last
+ endpoint connected to across reboots.";
+ }
+ enum random-selection {
+ description
+ "Indicates that reconnections should start with
+ a random endpoint.";
+ }
+ }
+ default first-listed;
+ description
+ "Specifies which of the NETCONF client's endpoints
+ the NETCONF server should start with when trying
+ to connect to the NETCONF client.";
+ }
+ leaf max-attempts {
+ type uint8 {
+ range "1..max";
+ }
+ default 3;
+ description
+ "Specifies the number times the NETCONF server tries
+ to connect to a specific endpoint before moving on
+ to the next endpoint in the list (round robin).";
+ }
+ }
+ }
+ }
+ }
+}
--- /dev/null
+module ietf-ssh-client {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-client";
+ prefix sshc;
+
+ import ietf-ssh-common {
+ prefix sshcmn;
+ revision-date 2019-11-20; // stable grouping definitions
+ reference
+ "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ import ietf-crypto-types {
+ prefix ct;
+ reference
+ "RFC AAAA: Common YANG Data Types for Cryptography";
+ }
+
+ import ietf-truststore {
+ prefix ts;
+ reference
+ "RFC BBBB: A YANG Data Model for a Truststore";
+ }
+
+ import ietf-keystore {
+ prefix ks;
+ reference
+ "RFC CCCC: A YANG Data Model for a Keystore";
+ }
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: <http://datatracker.ietf.org/wg/netconf/>
+ WG List: <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Author: Gary Wu <mailto:garywu@cisco.com>";
+
+ description
+ "This module defines reusable groupings for SSH clients that
+ can be used as a basis for specific SSH client instances.
+
+ Copyright (c) 2019 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Simplified
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX
+ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
+ itself for full legal notices.;
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2019-11-20 {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ // Features
+
+ feature ssh-client-transport-params-config {
+ description
+ "SSH transport layer parameters are configurable on an SSH
+ client.";
+ }
+
+ feature ssh-client-keepalives {
+ description
+ "Per socket SSH keepalive parameters are configurable for
+ SSH clients on the server implementing this feature.";
+ }
+
+ // Groupings
+
+ grouping ssh-client-grouping {
+ description
+ "A reusable grouping for configuring a SSH client without
+ any consideration for how an underlying TCP session is
+ established.
+
+ Note that this grouping uses fairly typical descendent
+ node names such that a stack of 'uses' statements will
+ have name conflicts. It is intended that the consuming
+ data model will resolve the issue (e.g., by wrapping
+ the 'uses' statement in a container called
+ 'ssh-client-parameters'). This model purposely does
+ not do this itself so as to provide maximum flexibility
+ to consuming models.";
+
+ container client-identity {
+ nacm:default-deny-write;
+ description
+ "The credentials used by the client to authenticate to
+ the SSH server.";
+ leaf username {
+ type string;
+ description
+ "The username of this user. This will be the username
+ used, for instance, to log into an SSH server.";
+ }
+ choice auth-type {
+ mandatory true;
+ description
+ "The authentication type. What happens when more than
+ one decendent is configured is undefined. FIXME.";
+ leaf password {
+ nacm:default-deny-all;
+ type string;
+ description
+ "A password to be used for client authentication.";
+ }
+ container public-key {
+ uses ks:local-or-keystore-asymmetric-key-grouping {
+ refine "local-or-keystore/local/local-definition" {
+ must 'public-key-format = "ct:ssh-public-key-format"';
+ }
+ // FIXME: also need a must expression to ensure the
+ // *referenced* key's public-key-format is
+ // "ct:ssh-public-key-format"
+ }
+ description
+ "A locally-defined or referenced asymmetric key
+ pair to be used for client authentication.";
+ reference
+ "RFC ZZZZ: YANG Data Model for a Centralized
+ Keystore Mechanism";
+ }
+ container certificate {
+ if-feature "sshcmn:ssh-x509-certs";
+ uses
+ ks:local-or-keystore-end-entity-cert-with-key-grouping;
+ description
+ "A locally-defined or referenced certificate
+ to be used for client authentication.";
+ reference
+ "RFC ZZZZ: YANG Data Model for a Centralized
+ Keystore Mechanism";
+ }
+ }
+ } // container client-identity
+
+ container server-authentication {
+ nacm:default-deny-write;
+ must 'ssh-host-keys or ca-certs or server-certs';
+ description
+ "Specifies how the SSH client can authenticate SSH servers.
+ Any combination of credentials is additive and unordered.";
+ container ssh-host-keys {
+ presence
+ "Indicates that the client can authenticate servers
+ using the configured SSH host keys.";
+ description
+ "A list of SSH host keys used by the SSH client to
+ authenticate SSH server host keys. A server host key
+ is authenticated if it is an exact match to a
+ configured SSH host key.";
+ reference
+ "RFC YYYY: YANG Data Model for Global Trust Anchors";
+ uses ts:local-or-truststore-host-keys-grouping;
+ }
+ container ca-certs {
+ if-feature "sshcmn:ssh-x509-certs";
+ presence
+ "Indicates that the client can authenticate servers
+ using the configured trust anchor certificates.";
+ description
+ "A set of certificate authority (CA) certificates used by
+ the SSH client to authenticate SSH servers. A server
+ is authenticated if its certificate has a valid chain
+ of trust to a configured CA certificate.";
+ reference
+ "RFC YYYY: YANG Data Model for Global Trust Anchors";
+ uses ts:local-or-truststore-certs-grouping;
+ }
+ container server-certs {
+ if-feature "sshcmn:ssh-x509-certs";
+ presence
+ "Indicates that the client can authenticate servers
+ using the configured server certificates.";
+ description
+ "A set of end-entity certificates used by the SSH client
+ to authenticate SSH servers. A server is authenticated
+ if its certificate is an exact match to a configured
+ server certificate.";
+ reference
+ "RFC YYYY: YANG Data Model for Global Trust Anchors";
+ uses ts:local-or-truststore-certs-grouping;
+ }
+ } // container server-authentication
+
+ container transport-params {
+ nacm:default-deny-write;
+ if-feature "ssh-client-transport-params-config";
+ description
+ "Configurable parameters of the SSH transport layer.";
+ uses sshcmn:transport-params-grouping;
+ } // container transport-parameters
+
+ container keepalives {
+ nacm:default-deny-write;
+ if-feature "ssh-client-keepalives";
+ presence "Indicates that keepalives are enabled.";
+ description
+ "Configures the keep-alive policy, to proactively test
+ the aliveness of the SSH server. An unresponsive TLS
+ server is dropped after approximately max-wait *
+ max-attempts seconds.";
+ leaf max-wait {
+ type uint16 {
+ range "1..max";
+ }
+ units "seconds";
+ default "30";
+ description
+ "Sets the amount of time in seconds after which if
+ no data has been received from the SSH server, a
+ TLS-level message will be sent to test the
+ aliveness of the SSH server.";
+ }
+ leaf max-attempts {
+ type uint8;
+ default "3";
+ description
+ "Sets the maximum number of sequential keep-alive
+ messages that can fail to obtain a response from
+ the SSH server before assuming the SSH server is
+ no longer alive.";
+ }
+ } // container keepalives
+ } // grouping ssh-client-grouping
+}
--- /dev/null
+module ietf-ssh-common {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-common";
+ prefix sshcmn;
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: <http://datatracker.ietf.org/wg/netconf/>
+ WG List: <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Author: Gary Wu <mailto:garywu@cisco.com>";
+
+ description
+ "This module defines a common features, identities, and
+ groupings for Secure Shell (SSH).
+
+ Copyright (c) 2019 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Simplified
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX
+ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
+ itself for full legal notices.;
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2019-11-20 {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ // Features
+
+ feature ssh-ecc {
+ description
+ "Elliptic Curve Cryptography is supported for SSH.";
+ reference
+ "RFC 5656: Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ feature ssh-x509-certs {
+ description
+ "X.509v3 certificates are supported for SSH per RFC 6187.";
+ reference
+ "RFC 6187: X.509v3 Certificates for Secure Shell
+ Authentication";
+ }
+ feature ssh-dh-group-exchange {
+ description
+ "Diffie-Hellman Group Exchange is supported for SSH.";
+ reference
+ "RFC 4419: Diffie-Hellman Group Exchange for the
+ Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ feature ssh-ctr {
+ description
+ "SDCTR encryption mode is supported for SSH.";
+ reference
+ "RFC 4344: The Secure Shell (SSH) Transport Layer
+ Encryption Modes";
+ }
+
+ feature ssh-sha2 {
+ description
+ "The SHA2 family of cryptographic hash functions is
+ supported for SSH.";
+ reference
+ "FIPS PUB 180-4: Secure Hash Standard (SHS)";
+ }
+
+ // Identities
+
+ identity public-key-alg-base {
+ description
+ "Base identity used to identify public key algorithms.";
+ }
+
+ identity ssh-dss {
+ base public-key-alg-base;
+ description
+ "Digital Signature Algorithm using SHA-1 as the
+ hashing algorithm.";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity ssh-rsa {
+ base public-key-alg-base;
+ description
+ "RSASSA-PKCS1-v1_5 signature scheme using SHA-1 as the
+ hashing algorithm.";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity ecdsa-sha2-nistp256 {
+ if-feature "ssh-ecc and ssh-sha2";
+ base public-key-alg-base;
+ description
+ "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
+ nistp256 curve and the SHA2 family of hashing algorithms.";
+ reference
+ "RFC 5656: Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdsa-sha2-nistp384 {
+ if-feature "ssh-ecc and ssh-sha2";
+ base public-key-alg-base;
+ description
+ "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
+ nistp384 curve and the SHA2 family of hashing algorithms.";
+ reference
+ "RFC 5656: Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdsa-sha2-nistp521 {
+ if-feature "ssh-ecc and ssh-sha2";
+ base public-key-alg-base;
+ description
+ "Elliptic Curve Digital Signature Algorithm (ECDSA) using the
+ nistp521 curve and the SHA2 family of hashing algorithms.";
+ reference
+ "RFC 5656: Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity x509v3-ssh-rsa {
+ if-feature "ssh-x509-certs";
+ base public-key-alg-base;
+ description
+ "RSASSA-PKCS1-v1_5 signature scheme using a public key stored
+ in an X.509v3 certificate and using SHA-1 as the hashing
+ algorithm.";
+ reference
+ "RFC 6187: X.509v3 Certificates for Secure Shell
+ Authentication";
+ }
+
+ identity x509v3-rsa2048-sha256 {
+ if-feature "ssh-x509-certs and ssh-sha2";
+ base public-key-alg-base;
+ description
+ "RSASSA-PKCS1-v1_5 signature scheme using a public key stored
+ in an X.509v3 certificate and using SHA-256 as the hashing
+ algorithm. RSA keys conveyed using this format MUST have a
+ modulus of at least 2048 bits.";
+ reference
+ "RFC 6187: X.509v3 Certificates for Secure Shell
+ Authentication";
+ }
+
+ identity x509v3-ecdsa-sha2-nistp256 {
+ if-feature "ssh-ecc and ssh-x509-certs and ssh-sha2";
+ base public-key-alg-base;
+ description
+ "Elliptic Curve Digital Signature Algorithm (ECDSA)
+ using the nistp256 curve with a public key stored in
+ an X.509v3 certificate and using the SHA2 family of
+ hashing algorithms.";
+ reference
+ "RFC 6187: X.509v3 Certificates for Secure Shell
+ Authentication";
+ }
+
+ identity x509v3-ecdsa-sha2-nistp384 {
+ if-feature "ssh-ecc and ssh-x509-certs and ssh-sha2";
+ base public-key-alg-base;
+ description
+ "Elliptic Curve Digital Signature Algorithm (ECDSA)
+ using the nistp384 curve with a public key stored in
+ an X.509v3 certificate and using the SHA2 family of
+ hashing algorithms.";
+ reference
+ "RFC 6187: X.509v3 Certificates for Secure Shell
+ Authentication";
+ }
+
+ identity x509v3-ecdsa-sha2-nistp521 {
+ if-feature "ssh-ecc and ssh-x509-certs and ssh-sha2";
+ base public-key-alg-base;
+ description
+ "Elliptic Curve Digital Signature Algorithm (ECDSA)
+ using the nistp521 curve with a public key stored in
+ an X.509v3 certificate and using the SHA2 family of
+ hashing algorithms.";
+ reference
+ "RFC 6187: X.509v3 Certificates for Secure Shell
+ Authentication";
+ }
+
+ identity key-exchange-alg-base {
+ description
+ "Base identity used to identify key exchange algorithms.";
+ }
+
+ identity diffie-hellman-group14-sha1 {
+ base key-exchange-alg-base;
+ description
+ "Diffie-Hellman key exchange with SHA-1 as HASH and
+ Oakley Group 14 (2048-bit MODP Group).";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity diffie-hellman-group-exchange-sha1 {
+ if-feature "ssh-dh-group-exchange";
+ base key-exchange-alg-base;
+ description
+ "Diffie-Hellman Group and Key Exchange with SHA-1 as HASH.";
+ reference
+ "RFC 4419: Diffie-Hellman Group Exchange for the
+ Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity diffie-hellman-group-exchange-sha256 {
+ if-feature "ssh-dh-group-exchange and ssh-sha2";
+ base key-exchange-alg-base;
+ description
+ "Diffie-Hellman Group and Key Exchange with SHA-256 as HASH.";
+ reference
+ "RFC 4419: Diffie-Hellman Group Exchange for the
+ Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity ecdh-sha2-nistp256 {
+ if-feature "ssh-ecc and ssh-sha2";
+ base key-exchange-alg-base;
+ description
+ "Elliptic Curve Diffie-Hellman (ECDH) key exchange using the
+ nistp256 curve and the SHA2 family of hashing algorithms.";
+ reference
+ "RFC 5656: Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+ identity ecdh-sha2-nistp384 {
+ if-feature "ssh-ecc and ssh-sha2";
+ base key-exchange-alg-base;
+ description
+ "Elliptic Curve Diffie-Hellman (ECDH) key exchange using the
+ nistp384 curve and the SHA2 family of hashing algorithms.";
+ reference
+ "RFC 5656: Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity ecdh-sha2-nistp521 {
+ if-feature "ssh-ecc and ssh-sha2";
+ base key-exchange-alg-base;
+ description
+ "Elliptic Curve Diffie-Hellman (ECDH) key exchange using the
+ nistp521 curve and the SHA2 family of hashing algorithms.";
+ reference
+ "RFC 5656: Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer";
+ }
+
+ identity encryption-alg-base {
+ description
+ "Base identity used to identify encryption algorithms.";
+ }
+
+ identity triple-des-cbc {
+ base encryption-alg-base;
+ description
+ "Three-key 3DES in CBC mode.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity aes128-cbc {
+ base encryption-alg-base;
+ description
+ "AES in CBC mode, with a 128-bit key.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity aes192-cbc {
+ base encryption-alg-base;
+ description
+ "AES in CBC mode, with a 192-bit key.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity aes256-cbc {
+ base encryption-alg-base;
+ description
+ "AES in CBC mode, with a 256-bit key.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity aes128-ctr {
+ if-feature "ssh-ctr";
+ base encryption-alg-base;
+ description
+ "AES in SDCTR mode, with 128-bit key.";
+ reference
+ "RFC 4344: The Secure Shell (SSH) Transport Layer Encryption
+ Modes";
+ }
+
+ identity aes192-ctr {
+ if-feature "ssh-ctr";
+ base encryption-alg-base;
+ description
+ "AES in SDCTR mode, with 192-bit key.";
+ reference
+ "RFC 4344: The Secure Shell (SSH) Transport Layer Encryption
+ Modes";
+ }
+
+ identity aes256-ctr {
+ if-feature "ssh-ctr";
+ base encryption-alg-base;
+ description
+ "AES in SDCTR mode, with 256-bit key.";
+ reference
+ "RFC 4344: The Secure Shell (SSH) Transport Layer Encryption
+ Modes";
+ }
+
+ identity mac-alg-base {
+ description
+ "Base identity used to identify message authentication
+ code (MAC) algorithms.";
+ }
+
+ identity hmac-sha1 {
+ base mac-alg-base;
+ description
+ "HMAC-SHA1";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity hmac-sha2-256 {
+ if-feature "ssh-sha2";
+ base mac-alg-base;
+ description
+ "HMAC-SHA2-256";
+ reference
+ "RFC 6668: SHA-2 Data Integrity Verification for the
+ Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity hmac-sha2-512 {
+ if-feature "ssh-sha2";
+ base mac-alg-base;
+ description
+ "HMAC-SHA2-512";
+ reference
+ "RFC 6668: SHA-2 Data Integrity Verification for the
+ Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ // Groupings
+
+ grouping transport-params-grouping {
+ description
+ "A reusable grouping for SSH transport parameters.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
+ container host-key {
+ description
+ "Parameters regarding host key.";
+ leaf-list host-key-alg {
+ type identityref {
+ base public-key-alg-base;
+ }
+ ordered-by user;
+ description
+ "Acceptable host key algorithms in order of descending
+ preference. The configured host key algorithms should
+ be compatible with the algorithm used by the configured
+ private key. Please see Section 5 of RFC XXXX for
+ valid combinations.
+ If this leaf-list is not configured (has zero elements)
+ the acceptable host key algorithms are implementation-
+ defined.";
+ reference
+ "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
+ }
+ }
+ container key-exchange {
+ description
+ "Parameters regarding key exchange.";
+ leaf-list key-exchange-alg {
+ type identityref {
+ base key-exchange-alg-base;
+ }
+ ordered-by user;
+ description
+ "Acceptable key exchange algorithms in order of descending
+ preference.
+
+ If this leaf-list is not configured (has zero elements)
+ the acceptable key exchange algorithms are implementation
+ defined.";
+ }
+ }
+ container encryption {
+ description
+ "Parameters regarding encryption.";
+ leaf-list encryption-alg {
+ type identityref {
+ base encryption-alg-base;
+ }
+ ordered-by user;
+ description
+ "Acceptable encryption algorithms in order of descending
+ preference.
+
+ If this leaf-list is not configured (has zero elements)
+ the acceptable encryption algorithms are implementation
+ defined.";
+ }
+ }
+ container mac {
+ description
+ "Parameters regarding message authentication code (MAC).";
+ leaf-list mac-alg {
+ type identityref {
+ base mac-alg-base;
+ }
+ ordered-by user;
+ description
+ "Acceptable MAC algorithms in order of descending
+ preference.
+
+ If this leaf-list is not configured (has zero elements)
+ the acceptable MAC algorithms are implementation-
+ defined.";
+ }
+ }
+ }
+}
--- /dev/null
+module ietf-ssh-server {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-ssh-server";
+ prefix sshs;
+
+ import ietf-ssh-common {
+ prefix sshcmn;
+ revision-date 2019-11-20; // stable grouping definitions
+ reference
+ "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ import ietf-crypto-types {
+ prefix ct;
+ reference
+ "RFC AAAA: Common YANG Data Types for Cryptography";
+ }
+
+ import ietf-truststore {
+ prefix ts;
+ reference
+ "RFC BBBB: A YANG Data Model for a Truststore";
+ }
+
+ import ietf-keystore {
+ prefix ks;
+ reference
+ "RFC CCCC: A YANG Data Model for a Keystore";
+ }
+
+ import iana-crypt-hash {
+ prefix ianach;
+ reference
+ "RFC 7317: A YANG Data Model for System Management";
+ }
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: <http://datatracker.ietf.org/wg/netconf/>
+ WG List: <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Author: Gary Wu <mailto:garywu@cisco.com>";
+
+ description
+ "This module defines reusable groupings for SSH servers that
+ can be used as a basis for specific SSH server instances.
+
+ Copyright (c) 2019 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Simplified
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX
+ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
+ itself for full legal notices.;
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2019-11-20 {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: YANG Groupings for SSH Clients and SSH Servers";
+ }
+
+ // Features
+
+ feature ssh-server-transport-params-config {
+ description
+ "SSH transport layer parameters are configurable on an SSH
+ server.";
+ }
+
+ feature ssh-server-keepalives {
+ description
+ "Per socket SSH keepalive parameters are configurable for
+ SSH servers on the server implementing this feature.";
+ }
+
+ feature client-auth-config-supported {
+ description
+ "Indicates that the configuration for how to authenticate
+ clients can be configured herein, as opposed to in an
+ application specific location. That is, to support the
+ consuming data models that prefer to place client
+ authentication with client definitions, rather then
+ in a data model principally concerned with configuring
+ the transport.";
+ }
+
+ feature external-client-auth-supported {
+ description
+ "Indicates that the SSH server supports external configuration
+ of client credentials.";
+ }
+
+ // Groupings
+
+ grouping ssh-server-grouping {
+ description
+ "A reusable grouping for configuring a SSH server without
+ any consideration for how underlying TCP sessions are
+ established.
+
+ Note that this grouping uses fairly typical descendent
+ node names such that a stack of 'uses' statements will
+ have name conflicts. It is intended that the consuming
+ data model will resolve the issue (e.g., by wrapping
+ the 'uses' statement in a container called
+ 'ssh-server-parameters'). This model purposely does
+ not do this itself so as to provide maximum flexibility
+ to consuming models.";
+
+ container server-identity {
+ nacm:default-deny-write;
+ description
+ "The list of host-keys the SSH server will present when
+ establishing a SSH connection.";
+ list host-key {
+ key "name";
+ min-elements 1;
+ ordered-by user;
+ description
+ "An ordered list of host keys the SSH server will use to
+ construct its ordered list of algorithms, when sending
+ its SSH_MSG_KEXINIT message, as defined in Section 7.1
+ of RFC 4253.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer
+ Protocol";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this host-key";
+ }
+ choice host-key-type {
+ mandatory true;
+ description
+ "The type of host key being specified";
+ container public-key {
+ uses ks:local-or-keystore-asymmetric-key-grouping {
+ refine "local-or-keystore/local/local-definition" {
+ must
+ 'public-key-format = "ct:ssh-public-key-format"';
+ }
+ // FIXME: also need a must expression to ensure the
+ // *referenced* key's public-key-format is
+ // "ct:ssh-public-key-format"
+ }
+ description
+ "A locally-defined or referenced asymmetric key pair
+ to be used for the SSH server's host key.";
+ reference
+ "RFC ZZZZ: YANG Data Model for a Centralized
+ Keystore Mechanism";
+ }
+ container certificate {
+ if-feature "sshcmn:ssh-x509-certs";
+ uses
+ ks:local-or-keystore-end-entity-cert-with-key-grouping;
+ must "public-key-format = ct:ssh-public-key-format";
+ description
+ "A locally-defined or referenced end-entity
+ certificate to be used for the SSH server's
+ host key.";
+ reference
+ "RFC ZZZZ: YANG Data Model for a Centralized
+ Keystore Mechanism";
+ }
+ }
+ }
+ } // container server-identity
+
+ container client-authentication {
+ nacm:default-deny-write;
+ description
+ "Specifies how the SSH server can authenticate SSH clients.";
+ container supported-authentication-methods {
+ description
+ "Indicates which authentication methods the server
+ supports.";
+ leaf publickey {
+ type empty;
+ description
+ "Indicates that the 'publickey' method is supported.
+ Note that RFC 6187 X.509v3 Certificates for SSH uses
+ the 'publickey' method name.";
+ reference
+ "RFC 4252: The Secure Shell (SSH) Authentication
+ Protocol.
+ RFC 6187: X.509v3 Certificates for Secure Shell
+ Authentication.";
+ }
+ leaf passsword {
+ type empty;
+ description
+ "Indicates that the 'password' method is supported.";
+ reference
+ "RFC 4252: The Secure Shell (SSH) Authentication
+ Protocol.";
+ }
+ leaf hostbased {
+ type empty;
+ description
+ "Indicates that the 'hostbased' method is supported.";
+ reference
+ "RFC 4252: The Secure Shell (SSH) Authentication
+ Protocol.";
+ }
+ leaf none {
+ type empty;
+ description
+ "Indicates that the 'none' method is supported.";
+ reference
+ "RFC 4252: The Secure Shell (SSH) Authentication
+ Protocol.";
+ }
+ leaf-list other {
+ type string;
+ description
+ "Indicates a supported method name not defined by
+ RFC 4253.";
+ reference
+ "RFC 4252: The Secure Shell (SSH) Authentication
+ Protocol.";
+ }
+ }
+
+ container users {
+ if-feature "client-auth-config-supported";
+ description
+ "A list of locally configured users.";
+ list user {
+ key name;
+ description
+ "The list of local users configured on this device.";
+
+ leaf name {
+ type string;
+ description
+ "The user name string identifying this entry.";
+ }
+ leaf password {
+ type ianach:crypt-hash;
+ description
+ "The password for this entry.";
+ }
+ container host-keys { // FIXME: plural too much?
+ presence
+ "Indicates that the server can authenticate this
+ user using the configured SSH host keys.";
+ description
+ "A set of SSH host keys used by the SSH server to
+ authenticate this user. A user is authenticated
+ if its host key is an exact match to a configured
+ host key.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer";
+ uses ts:local-or-truststore-host-keys-grouping;
+ }
+ }
+ }
+ container ca-certs {
+ if-feature "client-auth-config-supported";
+ if-feature "sshcmn:ssh-x509-certs";
+ presence
+ "Indicates that the SSH server can authenticate SSH
+ clients using configured certificate authority (CA)
+ certificates.";
+ description
+ "A set of certificate authority (CA) certificates used by
+ the SSH server to authenticate SSH client certificates.
+ A client certificate is authenticated if it has a valid
+ chain of trust to a configured CA certificate.";
+ reference
+ "RFC YYYY:
+ YANG Data Model for Global Trust Anchors";
+ uses ts:local-or-truststore-certs-grouping;
+ }
+ container client-certs { // FIXME: plural too much?
+ if-feature "client-auth-config-supported";
+ if-feature "sshcmn:ssh-x509-certs";
+ presence
+ "Indicates that the SSH server can authenticate SSH
+ clients using configured client certificates.";
+ description
+ "A set of client certificates (i.e., end entity
+ certificates) used by the SSH server to authenticate
+ the certificates presented by SSH clients. A client
+ certificate is authenticated if it is an exact match
+ to a configured client certificate.";
+ reference
+ "RFC YYYY:
+ YANG Data Model for Global Trust Anchors";
+ uses ts:local-or-truststore-certs-grouping;
+ }
+ } // container client-authentication
+
+ container transport-params {
+ nacm:default-deny-write;
+ if-feature "ssh-server-transport-params-config";
+ description
+ "Configurable parameters of the SSH transport layer.";
+ uses sshcmn:transport-params-grouping;
+ } // container transport-params
+
+ container keepalives {
+ nacm:default-deny-write;
+ if-feature "ssh-server-keepalives";
+ presence "Indicates that keepalives are enabled.";
+ description
+ "Configures the keep-alive policy, to proactively test
+ the aliveness of the SSL client. An unresponsive SSL
+ client is dropped after approximately max-wait *
+ max-attempts seconds.";
+ leaf max-wait {
+ type uint16 {
+ range "1..max";
+ }
+ units "seconds";
+ default "30";
+ description
+ "Sets the amount of time in seconds after which
+ if no data has been received from the SSL client,
+ a SSL-level message will be sent to test the
+ aliveness of the SSL client.";
+ }
+ leaf max-attempts {
+ type uint8;
+ default "3";
+ description
+ "Sets the maximum number of sequential keep-alive
+ messages that can fail to obtain a response from
+ the SSL client before assuming the SSL client is
+ no longer alive.";
+ }
+ } // container keepalives
+ } // grouping server-identity-grouping
+}
--- /dev/null
+module ietf-tcp-client {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-tcp-client";
+ prefix tcpc;
+
+ import ietf-inet-types {
+ prefix inet;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ import ietf-tcp-common {
+ prefix tcpcmn;
+ reference
+ "RFC XXXX: YANG Groupings for TCP Clients and TCP Servers";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group and the
+ IETF TCP Maintenance and Minor Extensions (TCPM) Working Group";
+
+ contact
+ "WG Web: <http://datatracker.ietf.org/wg/netconf/>
+ <http://datatracker.ietf.org/wg/tcpm/>
+ WG List: <mailto:netconf@ietf.org>
+ <mailto:tcpm@ietf.org>
+ Authors: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Michael Scharf
+ <mailto:michael.scharf@hs-esslingen.de>";
+
+ description
+ "This module defines reusable groupings for TCP clients that
+ can be used as a basis for specific TCP client instances.
+
+ Copyright (c) 2019 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Simplified
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX
+ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
+ itself for full legal notices.;
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2019-10-18 {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: YANG Groupings for TCP Clients and TCP Servers";
+ }
+
+ // Features
+
+ feature local-binding-supported {
+ description
+ "Indicates that the server supports configuring local
+ bindings (i.e., the local address and local port) for
+ TCP clients.";
+ }
+
+ feature tcp-client-keepalives {
+ description
+ "Per socket TCP keepalive parameters are configurable for
+ TCP clients on the server implementing this feature.";
+ }
+
+ // Groupings
+
+ grouping tcp-client-grouping {
+ description
+ "A reusable grouping for configuring a TCP client.
+
+ Note that this grouping uses fairly typical descendent
+ node names such that a stack of 'uses' statements will
+ have name conflicts. It is intended that the consuming
+ data model will resolve the issue (e.g., by wrapping
+ the 'uses' statement in a container called
+ 'tcp-client-parameters'). This model purposely does
+ not do this itself so as to provide maximum flexibility
+ to consuming models.";
+
+ leaf remote-address {
+ type inet:host;
+ mandatory true;
+ description
+ "The IP address or hostname of the remote peer to
+ establish a connection with. If a domain name is
+ configured, then the DNS resolution should happen on
+ each connection attempt. If the DNS resolution
+ results in multiple IP addresses, the IP addresses
+ are tried according to local preference order until
+ a connection has been established or until all IP
+ addresses have failed.";
+ }
+ leaf remote-port {
+ type inet:port-number;
+ default "0";
+ description
+ "The IP port number for the remote peer to establish a
+ connection with. An invalid default value (0) is used
+ (instead of 'mandatory true') so that as application
+ level data model may 'refine' it with an application
+ specific default port number value.";
+ }
+ leaf local-address {
+ if-feature "local-binding-supported";
+ type inet:ip-address;
+ description
+ "The local IP address/interface (VRF?) to bind to for when
+ connecting to the remote peer. INADDR_ANY ('0.0.0.0') or
+ INADDR6_ANY ('0:0:0:0:0:0:0:0' a.k.a. '::') MAY be used to
+ explicitly indicate the implicit default, that the server
+ can bind to any IPv4 or IPv6 addresses, respectively.";
+ }
+ leaf local-port {
+ if-feature "local-binding-supported";
+ type inet:port-number;
+ default "0";
+ description
+ "The local IP port number to bind to for when connecting
+ to the remote peer. The port number '0', which is the
+ default value, indicates that any available local port
+ number may be used.";
+ }
+ uses tcpcmn:tcp-connection-grouping {
+ augment "keepalives" {
+ if-feature "tcp-client-keepalives";
+ description
+ "Add an if-feature statement so that implementations
+ can choose to support TCP client keepalives.";
+ }
+ }
+ }
+}
--- /dev/null
+module ietf-tcp-common {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-tcp-common";
+ prefix tcpcmn;
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group and the
+ IETF TCP Maintenance and Minor Extensions (TCPM) Working Group";
+
+ contact
+ "WG Web: <http://datatracker.ietf.org/wg/netconf/>
+ <http://datatracker.ietf.org/wg/tcpm/>
+ WG List: <mailto:netconf@ietf.org>
+ <mailto:tcpm@ietf.org>
+ Authors: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Michael Scharf
+ <mailto:michael.scharf@hs-esslingen.de>";
+
+ description
+ "This module defines reusable groupings for TCP commons that
+ can be used as a basis for specific TCP common instances.
+
+ Copyright (c) 2019 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Simplified
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX
+ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
+ itself for full legal notices.;
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2019-10-18 {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: YANG Groupings for TCP Clients and TCP Servers";
+ }
+
+ // Features
+ feature keepalives-supported {
+ description
+ "Indicates that keepalives are supported.";
+ }
+
+ // Groupings
+
+ grouping tcp-common-grouping {
+ description
+ "A reusable grouping for configuring TCP parameters common
+ to TCP connections as well as the operating system as a
+ whole.";
+ container keepalives {
+ if-feature "keepalives-supported";
+ presence "Indicates that keepalives are enabled.";
+ description
+ "Configures the keep-alive policy, to proactively test the
+ aliveness of the TCP peer. An unresponsive TCP peer is
+ dropped after approximately (idle-time + max-probes
+ * probe-interval) seconds.";
+ leaf idle-time {
+ type uint16 {
+ range "1..max";
+ }
+ units "seconds";
+ mandatory true;
+ description
+ "Sets the amount of time after which if no data has been
+ received from the TCP peer, a TCP-level probe message
+ will be sent to test the aliveness of the TCP peer.
+ Two hours (7200 seconds) is safe value, per RFC 1122.";
+ reference
+ "RFC 1122:
+ Requirements for Internet Hosts -- Communication Layers";
+ }
+ leaf max-probes {
+ type uint16 {
+ range "1..max";
+ }
+ mandatory true;
+ description
+ "Sets the maximum number of sequential keep-alive probes
+ that can fail to obtain a response from the TCP peer
+ before assuming the TCP peer is no longer alive.";
+ }
+ leaf probe-interval {
+ type uint16 {
+ range "1..max";
+ }
+ units "seconds";
+ mandatory true;
+ description
+ "Sets the time interval between failed probes. The interval
+ SHOULD be significantly longer than one second in order to
+ avoid harm on a congested link.";
+ }
+ } // container keepalives
+ } // grouping tcp-common-grouping
+
+ grouping tcp-connection-grouping {
+ description
+ "A reusable grouping for configuring TCP parameters common
+ to TCP connections.";
+ uses tcp-common-grouping;
+ }
+
+/*
+ The following is for a future bis...
+ This comment is here now so as support discussion with TCPM.
+ This comment will be removed before publication.
+
+ Should future system-level parameters be defined as a
+ grouping or a container?
+
+ grouping tcp-system-grouping {
+ description
+ "A reusable grouping for configuring TCP parameters common
+ to the operating system as a whole.";
+
+ // currently just a placeholder
+ }
+*/
+
+}
--- /dev/null
+module ietf-tcp-server {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-tcp-server";
+ prefix tcps;
+
+ import ietf-inet-types {
+ prefix inet;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ import ietf-tcp-common {
+ prefix tcpcmn;
+ reference
+ "RFC XXXX: YANG Groupings for TCP Clients and TCP Servers";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group and the
+ IETF TCP Maintenance and Minor Extensions (TCPM) Working Group";
+
+ contact
+ "WG Web: <http://datatracker.ietf.org/wg/netconf/>
+ <http://datatracker.ietf.org/wg/tcpm/>
+ WG List: <mailto:netconf@ietf.org>
+ <mailto:tcpm@ietf.org>
+ Authors: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Michael Scharf
+ <mailto:michael.scharf@hs-esslingen.de>";
+
+ description
+ "This module defines reusable groupings for TCP servers that
+ can be used as a basis for specific TCP server instances.
+
+ Copyright (c) 2019 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Simplified
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX
+ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
+ itself for full legal notices.;
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2019-10-18 {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: YANG Groupings for TCP Clients and TCP Servers";
+ }
+
+ // Features
+
+ feature tcp-server-keepalives {
+ description
+ "Per socket TCP keepalive parameters are configurable for
+ TCP servers on the server implementing this feature.";
+ }
+
+ // Groupings
+
+ grouping tcp-server-grouping {
+ description
+ "A reusable grouping for configuring a TCP server.
+
+ Note that this grouping uses fairly typical descendent
+ node names such that a stack of 'uses' statements will
+ have name conflicts. It is intended that the consuming
+ data model will resolve the issue (e.g., by wrapping
+ the 'uses' statement in a container called
+ 'tcp-server-parameters'). This model purposely does
+ not do this itself so as to provide maximum flexibility
+ to consuming models.";
+ leaf local-address {
+ type inet:ip-address;
+ mandatory true;
+ description
+ "The local IP address to listen on for incoming
+ TCP client connections. INADDR_ANY (0.0.0.0) or
+ INADDR6_ANY (0:0:0:0:0:0:0:0 a.k.a. ::) MUST be
+ used when the server is to listen on all IPv4 or
+ IPv6 addresses, respectively.";
+ }
+ leaf local-port {
+ type inet:port-number;
+ default "0";
+ description
+ "The local port number to listen on for incoming TCP
+ client connections. An invalid default value (0)
+ is used (instead of 'mandatory true') so that an
+ application level data model may 'refine' it with
+ an application specific default port number value.";
+ }
+ uses tcpcmn:tcp-connection-grouping {
+ augment "keepalives" {
+ if-feature "tcp-server-keepalives";
+ description
+ "Add an if-feature statement so that implementations
+ can choose to support TCP server keepalives.";
+ }
+ }
+ }
+}
--- /dev/null
+module ietf-tls-client {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client";
+ prefix tlsc;
+
+ import ietf-tls-common {
+ prefix tlscmn;
+ revision-date 2019-11-20; // stable grouping definitions
+ reference
+ "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
+ }
+
+ import ietf-crypto-types {
+ prefix ct;
+ reference
+ "RFC AAAA: Common YANG Data Types for Cryptography";
+ }
+
+ import ietf-truststore {
+ prefix ts;
+ reference
+ "RFC BBBB: A YANG Data Model for a Truststore";
+ }
+
+ import ietf-keystore {
+ prefix ks;
+ reference
+ "RFC CCCC: A YANG Data Model for a Keystore";
+ }
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: <http://datatracker.ietf.org/wg/netconf/>
+ WG List: <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Author: Gary Wu <mailto:garywu@cisco.com>";
+
+ description
+ "This module defines reusable groupings for TLS clients that
+ can be used as a basis for specific TLS client instances.
+
+ Copyright (c) 2019 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Simplified
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX
+ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2019-11-20 {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
+ }
+
+ // Features
+
+ feature tls-client-hello-params-config {
+ description
+ "TLS hello message parameters are configurable on a TLS
+ client.";
+ }
+
+ feature tls-client-keepalives {
+ description
+ "Per socket TLS keepalive parameters are configurable for
+ TLS clients on the server implementing this feature.";
+ }
+
+ feature x509-certificate-auth {
+ description
+ "Indicates that the client supports authenticating servers
+ using X.509 certificates.";
+ }
+
+ feature raw-public-key-auth {
+ description
+ "Indicates that the client supports authenticating servers
+ using ray public keys.";
+ }
+
+ feature psk-auth {
+ description
+ "Indicates that the client supports authenticating servers
+ using PSKs (pre-shared or pairwise-symmetric keys).";
+ }
+
+
+
+ // Groupings
+
+ grouping tls-client-grouping {
+ description
+ "A reusable grouping for configuring a TLS client without
+ any consideration for how an underlying TCP session is
+ established.
+
+ Note that this grouping uses fairly typical descendent
+ node names such that a stack of 'uses' statements will
+ have name conflicts. It is intended that the consuming
+ data model will resolve the issue (e.g., by wrapping
+ the 'uses' statement in a container called
+ 'tls-client-parameters'). This model purposely does
+ not do this itself so as to provide maximum flexibility
+ to consuming models.";
+
+ container client-identity {
+ nacm:default-deny-write;
+ description
+ "A locally-defined or referenced end-entity certificate,
+ including any configured intermediate certificates, the
+ TLS client will present when establishing a TLS connection
+ in its Certificate message, as defined in Section 7.4.2
+ in RFC 5246.";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2
+ RFC ZZZZ:
+ YANG Data Model for a 'Keystore' Mechanism";
+
+ choice auth-type {
+ mandatory true;
+ description
+ "A choice amongst available authentication types.";
+ container certificate {
+ if-feature x509-certificate-auth;
+ description
+ "Specifies the client identity using a certificate.";
+ uses ks:local-or-keystore-end-entity-cert-with-key-grouping
+ {
+ refine "local-or-keystore/local/local-definition" {
+ must 'public-key-format =
+ "ct:subject-public-key-info-format"';
+ }
+ // FIXME: also need a must expression to ensure the
+ // *referenced* key's public-key-format is
+ // "ct:subject-public-key-info-format"
+ }
+ }
+ container raw-public-key {
+ if-feature raw-public-key-auth;
+ description
+ "Specifies the client identity using a raw private key.";
+ uses ks:local-or-keystore-asymmetric-key-grouping;
+ // FIXME: add a must expression contraining key-formats?
+ }
+ container psk {
+ if-feature psk-auth;
+ description
+ "Specifies the client identity using a PSK.";
+ uses ks:local-or-keystore-symmetric-key-grouping;
+ // FIXME: add a must expression contraining key-formats?
+ }
+ }
+ } // container client-identity
+
+ container server-authentication {
+ nacm:default-deny-write;
+ must 'ca-certs or server-certs';
+ description
+ "Specifies how the TLS client can authenticate TLS servers.
+ Any combination of credentials is additive and unordered.
+
+ Note that no configuration is required for PSK (pre-shared
+ or pairwise-symmetric key) based authentication as the key
+ is necessarily the same as configured in the '../client-
+ identity' node.";
+ container ca-certs {
+ if-feature "x509-certificate-auth";
+ presence
+ "Indicates that the TLS client can authenticate TLS servers
+ using configured certificate authority certificates.";
+ description
+ "A set of certificate authority (CA) certificates used by
+ the TLS client to authenticate TLS server certificates.
+ A server certificate is authenticated if it has a valid
+ chain of trust to a configured CA certificate.";
+ reference
+ "RFC YYYY: YANG Data Model for a Truststore";
+ uses ts:local-or-truststore-certs-grouping;
+ }
+ container server-certs { // FIXME: plural too much?
+ if-feature "x509-certificate-auth";
+ presence
+ "Indicates that the TLS client can authenticate TLS servers
+ using configured server certificates.";
+ description
+ "A set of server certificates (i.e., end entity
+ certificates) used by the TLS client to authenticate
+ certificates presented by TLS servers. A server
+ certificate is authenticated if it is an exact
+ match to a configured server certificate.";
+ reference
+ "RFC YYYY: YANG Data Model for a Truststore";
+ uses ts:local-or-truststore-certs-grouping;
+ }
+ container raw-public-keys {
+ if-feature "raw-public-key-auth";
+ presence
+ "Indicates that the TLS client can authenticate TLS servers
+ using configured server certificates.";
+ description
+ "A set of raw public keys used by the TLS client to
+ authenticate raw public keys presented by the TLS server.
+ A raw public key is authenticated if it is an exact match
+ to a configured raw public key.";
+ reference
+ "RFC YYYY: YANG Data Model for a Truststore";
+ uses ts:local-or-truststore-raw-pub-keys-grouping;
+ }
+ container psks {
+ if-feature "psk-auth";
+ presence
+ "Indicates that the TLS client can authenticate TLS servers
+ using a configure PSK (pre-shared or pairwise-symmetric
+ key).";
+ description
+ "No configuration is required since the PSK value would be
+ the same as PSK value configured in the 'client-identity'
+ node.";
+ }
+ } // container server-authentication
+
+ container hello-params {
+ nacm:default-deny-write;
+ if-feature "tls-client-hello-params-config";
+ uses tlscmn:hello-params-grouping;
+ description
+ "Configurable parameters for the TLS hello message.";
+ } // container hello-params
+
+ container keepalives {
+ nacm:default-deny-write;
+ if-feature "tls-client-keepalives";
+ presence "Indicates that keepalives are enabled.";
+ description
+ "Configures the keep-alive policy, to proactively test
+ the aliveness of the TLS server. An unresponsive
+ TLS server is dropped after approximately max-wait
+ * max-attempts seconds.";
+ leaf max-wait {
+ type uint16 {
+ range "1..max";
+ }
+ units "seconds";
+ default "30";
+ description
+ "Sets the amount of time in seconds after which if
+ no data has been received from the TLS server, a
+ TLS-level message will be sent to test the
+ aliveness of the TLS server.";
+ }
+ leaf max-attempts {
+ type uint8;
+ default "3";
+ description
+ "Sets the maximum number of sequential keep-alive
+ messages that can fail to obtain a response from
+ the TLS server before assuming the TLS server is
+ no longer alive.";
+ }
+ } // container keepalives
+ } // grouping tls-client-grouping
+}
--- /dev/null
+module ietf-tls-common {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common";
+ prefix tlscmn;
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: <http://datatracker.ietf.org/wg/netconf/>
+ WG List: <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Author: Gary Wu <mailto:garywu@cisco.com>";
+
+ description
+ "This module defines a common features, identities, and
+ groupings for Transport Layer Security (TLS).
+
+ Copyright (c) 2019 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Simplified
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX
+ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2019-11-20 {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
+ }
+
+ // Features
+
+ feature tls-1_0 {
+ description
+ "TLS Protocol Version 1.0 is supported.";
+ reference
+ "RFC 2246: The TLS Protocol Version 1.0";
+ }
+ feature tls-1_1 {
+ description
+ "TLS Protocol Version 1.1 is supported.";
+ reference
+ "RFC 4346: The Transport Layer Security (TLS) Protocol
+ Version 1.1";
+ }
+
+ feature tls-1_2 {
+ description
+ "TLS Protocol Version 1.2 is supported.";
+ reference
+ "RFC 5246: The Transport Layer Security (TLS) Protocol
+ Version 1.2";
+ }
+
+ feature tls-1_3 {
+ description
+ "TLS Protocol Version 1.2 is supported.";
+ reference
+ "RFC 8446: The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+
+ feature tls-ecc {
+ description
+ "Elliptic Curve Cryptography (ECC) is supported for TLS.";
+ reference
+ "RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites
+ for Transport Layer Security (TLS)";
+ }
+
+ feature tls-dhe {
+ description
+ "Ephemeral Diffie-Hellman key exchange is supported for TLS.";
+ reference
+ "RFC 5246: The Transport Layer Security (TLS) Protocol
+ Version 1.2";
+ }
+
+ feature tls-3des {
+ description
+ "The Triple-DES block cipher is supported for TLS.";
+ reference
+ "RFC 5246: The Transport Layer Security (TLS) Protocol
+ Version 1.2";
+ }
+
+ feature tls-gcm {
+ description
+ "The Galois/Counter Mode authenticated encryption mode is
+ supported for TLS.";
+ reference
+ "RFC 5288: AES Galois Counter Mode (GCM) Cipher Suites for
+ TLS";
+ }
+
+ feature tls-sha2 {
+ description
+ "The SHA2 family of cryptographic hash functions is supported
+ for TLS.";
+ reference
+ "FIPS PUB 180-4: Secure Hash Standard (SHS)";
+ }
+
+ // Identities
+
+ identity tls-version-base {
+ description
+ "Base identity used to identify TLS protocol versions.";
+ }
+
+ identity tls-1.0 {
+ if-feature "tls-1_0";
+ base tls-version-base;
+ description
+ "TLS Protocol Version 1.0.";
+ reference
+ "RFC 2246: The TLS Protocol Version 1.0";
+ }
+
+ identity tls-1.1 {
+ if-feature "tls-1_1";
+ base tls-version-base;
+ description
+ "TLS Protocol Version 1.1.";
+ reference
+ "RFC 4346: The Transport Layer Security (TLS) Protocol
+ Version 1.1";
+ }
+
+ identity tls-1.2 {
+ if-feature "tls-1_2";
+ base tls-version-base;
+ description
+ "TLS Protocol Version 1.2.";
+ reference
+ "RFC 5246: The Transport Layer Security (TLS) Protocol
+ Version 1.2";
+ }
+
+ identity cipher-suite-base {
+ description
+ "Base identity used to identify TLS cipher suites.";
+ }
+
+ identity rsa-with-aes-128-cbc-sha {
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_RSA_WITH_AES_128_CBC_SHA.";
+ reference
+ "RFC 5246: The Transport Layer Security (TLS) Protocol
+ Version 1.2";
+ }
+
+ identity rsa-with-aes-256-cbc-sha {
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_RSA_WITH_AES_256_CBC_SHA.";
+ reference
+ "RFC 5246: The Transport Layer Security (TLS) Protocol
+ Version 1.2";
+ }
+
+ identity rsa-with-aes-128-cbc-sha256 {
+ if-feature "tls-sha2";
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256.";
+ reference
+ "RFC 5246: The Transport Layer Security (TLS) Protocol
+ Version 1.2";
+ }
+
+ identity rsa-with-aes-256-cbc-sha256 {
+ if-feature "tls-sha2";
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256.";
+ reference
+ "RFC 5246: The Transport Layer Security (TLS) Protocol
+ Version 1.2";
+ }
+
+ identity dhe-rsa-with-aes-128-cbc-sha {
+ if-feature "tls-dhe";
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA.";
+ reference
+ "RFC 5246: The Transport Layer Security (TLS) Protocol
+ Version 1.2";
+ }
+
+ identity dhe-rsa-with-aes-256-cbc-sha {
+ if-feature "tls-dhe";
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA.";
+ reference
+ "RFC 5246: The Transport Layer Security (TLS) Protocol
+ Version 1.2";
+ }
+
+ identity dhe-rsa-with-aes-128-cbc-sha256 {
+ if-feature "tls-dhe and tls-sha2";
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256.";
+ reference
+ "RFC 5246: The Transport Layer Security (TLS) Protocol
+ Version 1.2";
+ }
+
+ identity dhe-rsa-with-aes-256-cbc-sha256 {
+ if-feature "tls-dhe and tls-sha2";
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA256.";
+ reference
+ "RFC 5246: The Transport Layer Security (TLS) Protocol
+ Version 1.2";
+ }
+
+ identity ecdhe-ecdsa-with-aes-128-cbc-sha256 {
+ if-feature "tls-ecc and tls-sha2";
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256.";
+ reference
+ "RFC 5289: TLS Elliptic Curve Cipher Suites with
+ SHA-256/384 and AES Galois Counter Mode (GCM)";
+ }
+
+ identity ecdhe-ecdsa-with-aes-256-cbc-sha384 {
+ if-feature "tls-ecc and tls-sha2";
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384.";
+ reference
+ "RFC 5289: TLS Elliptic Curve Cipher Suites with
+ SHA-256/384 and AES Galois Counter Mode (GCM)";
+ }
+
+ identity ecdhe-rsa-with-aes-128-cbc-sha256 {
+ if-feature "tls-ecc and tls-sha2";
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.";
+ reference
+ "RFC 5289: TLS Elliptic Curve Cipher Suites with
+ SHA-256/384 and AES Galois Counter Mode (GCM)";
+ }
+
+ identity ecdhe-rsa-with-aes-256-cbc-sha384 {
+ if-feature "tls-ecc and tls-sha2";
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384.";
+ reference
+ "RFC 5289: TLS Elliptic Curve Cipher Suites with
+ SHA-256/384 and AES Galois Counter Mode (GCM)";
+ }
+
+ identity ecdhe-ecdsa-with-aes-128-gcm-sha256 {
+ if-feature "tls-ecc and tls-gcm and tls-sha2";
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.";
+ reference
+ "RFC 5289: TLS Elliptic Curve Cipher Suites with
+ SHA-256/384 and AES Galois Counter Mode (GCM)";
+ }
+
+ identity ecdhe-ecdsa-with-aes-256-gcm-sha384 {
+ if-feature "tls-ecc and tls-gcm and tls-sha2";
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.";
+ reference
+ "RFC 5289: TLS Elliptic Curve Cipher Suites with
+ SHA-256/384 and AES Galois Counter Mode (GCM)";
+ }
+
+ identity ecdhe-rsa-with-aes-128-gcm-sha256 {
+ if-feature "tls-ecc and tls-gcm and tls-sha2";
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.";
+ reference
+ "RFC 5289: TLS Elliptic Curve Cipher Suites with
+ SHA-256/384 and AES Galois Counter Mode (GCM)";
+ }
+
+ identity ecdhe-rsa-with-aes-256-gcm-sha384 {
+ if-feature "tls-ecc and tls-gcm and tls-sha2";
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.";
+ reference
+ "RFC 5289: TLS Elliptic Curve Cipher Suites with
+ SHA-256/384 and AES Galois Counter Mode (GCM)";
+ }
+
+ identity rsa-with-3des-ede-cbc-sha {
+ if-feature "tls-3des";
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.";
+ reference
+ "RFC 5246: The Transport Layer Security (TLS) Protocol
+ Version 1.2";
+ }
+
+ identity ecdhe-rsa-with-3des-ede-cbc-sha {
+ if-feature "tls-ecc and tls-3des";
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA.";
+ reference
+ "RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites
+ for Transport Layer Security (TLS)";
+ }
+
+ identity ecdhe-rsa-with-aes-128-cbc-sha {
+ if-feature "tls-ecc";
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA.";
+ reference
+ "RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites
+ for Transport Layer Security (TLS)";
+ }
+
+ identity ecdhe-rsa-with-aes-256-cbc-sha {
+ if-feature "tls-ecc";
+ base cipher-suite-base;
+ description
+ "Cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.";
+ reference
+ "RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites
+ for Transport Layer Security (TLS)";
+ }
+
+ // Groupings
+
+ grouping hello-params-grouping {
+ description
+ "A reusable grouping for TLS hello message parameters.";
+ reference
+ "RFC 5246: The Transport Layer Security (TLS) Protocol
+ Version 1.2";
+ container tls-versions {
+ description
+ "Parameters regarding TLS versions.";
+ leaf-list tls-version {
+ type identityref {
+ base tls-version-base;
+ }
+ description
+ "Acceptable TLS protocol versions.
+
+ If this leaf-list is not configured (has zero elements)
+ the acceptable TLS protocol versions are implementation-
+ defined.";
+ }
+ }
+ container cipher-suites {
+ description
+ "Parameters regarding cipher suites.";
+ leaf-list cipher-suite {
+ type identityref {
+ base cipher-suite-base;
+ }
+ ordered-by user;
+ description
+ "Acceptable cipher suites in order of descending
+ preference. The configured host key algorithms should
+ be compatible with the algorithm used by the configured
+ private key. Please see Section 5 of RFC XXXX for
+ valid combinations.
+
+ If this leaf-list is not configured (has zero elements)
+ the acceptable cipher suites are implementation-
+ defined.";
+ reference
+ "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
+ }
+ }
+ }
+}
--- /dev/null
+module ietf-tls-server {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server";
+ prefix tlss;
+
+ import ietf-tls-common {
+ prefix tlscmn;
+ revision-date 2019-11-20; // stable grouping definitions
+ reference
+ "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
+ }
+
+ import ietf-crypto-types {
+ prefix ct;
+ reference
+ "RFC AAAA: Common YANG Data Types for Cryptography";
+ }
+
+ import ietf-truststore {
+ prefix ts;
+ reference
+ "RFC BBBB: A YANG Data Model for a Truststore";
+ }
+
+ import ietf-keystore {
+ prefix ks;
+ reference
+ "RFC CCCC: A YANG Data Model for a Keystore";
+ }
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: <http://datatracker.ietf.org/wg/netconf/>
+ WG List: <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Author: Gary Wu <mailto:garywu@cisco.com>";
+
+ description
+ "This module defines reusable groupings for TLS servers that
+ can be used as a basis for specific TLS server instances.
+
+ Copyright (c) 2019 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Simplified
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX
+ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2019-11-20 {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
+ }
+
+ // Features
+
+ feature tls-server-hello-params-config {
+ description
+ "TLS hello message parameters are configurable on a TLS
+ server.";
+ }
+
+ feature tls-server-keepalives {
+ description
+ "Per socket TLS keepalive parameters are configurable for
+ TLS servers on the server implementing this feature.";
+ }
+
+ feature client-auth-config-supported {
+ description
+ "Indicates that the configuration for how to authenticate
+ clients can be configured herein, as opposed to in an
+ application specific location. That is, to support the
+ consuming data models that prefer to place client
+ authentication with client definitions, rather then
+ in a data model principally concerned with configuring
+ the transport.";
+ }
+
+ feature external-client-auth-supported {
+ description
+ "Indicates that the TLS server supports external
+ configuration of client credentials.";
+ }
+
+ feature x509-certificate-auth {
+ description
+ "Indicates that the server supports authenticating clients
+ using X.509 certificates.";
+ }
+
+ feature raw-public-key-auth {
+ description
+ "Indicates that the server supports authenticating clients
+ using ray public keys.";
+ }
+
+ feature psk-auth {
+ description
+ "Indicates that the server supports authenticating clients
+ using PSKs (pre-shared or pairwise-symmetric keys).";
+ }
+
+ // Groupings
+
+ grouping tls-server-grouping {
+ description
+ "A reusable grouping for configuring a TLS server without
+ any consideration for how underlying TCP sessions are
+ established.
+
+ Note that this grouping uses fairly typical descendent
+ node names such that a stack of 'uses' statements will
+ have name conflicts. It is intended that the consuming
+ data model will resolve the issue (e.g., by wrapping
+ the 'uses' statement in a container called
+ 'tls-server-parameters'). This model purposely does
+ not do this itself so as to provide maximum flexibility
+ to consuming models.";
+
+ container server-identity {
+ nacm:default-deny-write;
+ description
+ "A locally-defined or referenced end-entity certificate,
+ including any configured intermediate certificates, the
+ TLS server will present when establishing a TLS connection
+ in its Certificate message, as defined in Section 7.4.2
+ in RFC 5246.";
+ reference
+ "RFC 5246:
+ The Transport Layer Security (TLS) Protocol Version 1.2
+ RFC ZZZZ:
+ YANG Data Model for a 'Keystore' Mechanism";
+ choice auth-type {
+ mandatory true;
+ description
+ "A choice amongst authentication types.";
+ container certificate {
+ if-feature x509-certificate-auth;
+ description
+ "Specifies the server identity using a certificate.";
+ uses ks:local-or-keystore-end-entity-cert-with-key-grouping
+ {
+ refine "local-or-keystore/local/local-definition" {
+ must 'public-key-format =
+ "ct:subject-public-key-info-format"';
+ }
+ // FIXME: also need a must expression to ensure the
+ // *referenced* key's public-key-format is
+ // "ct:subject-public-key-info-format"
+ }
+ }
+ container raw-private-key {
+ if-feature raw-public-key-auth;
+ description
+ "Specifies the server identity using a raw private key.";
+ uses ks:local-or-keystore-asymmetric-key-grouping;
+ // FIXME: add a must expression contraining key-formats?
+ }
+ container psk {
+ if-feature psk-auth;
+ description
+ "Specifies the server identity using a PSK.";
+ uses ks:local-or-keystore-symmetric-key-grouping;
+ // FIXME: add a must expression contraining key-formats?
+ }
+ }
+ } // container server-identity
+
+ container client-authentication {
+ if-feature "client-auth-config-supported";
+ nacm:default-deny-write;
+ presence
+ "Indicates that client authentication is supported (i.e.,
+ that the server will request clients send certificates).";
+ description
+ "Specifies how the TLS server can authenticate TLS clients.
+ Any combination of credentials is additive and unordered.
+
+ Note that no configuration is required for PSK (pre-shared
+ or pairwise-symmetric key) based authentication as the key
+ is necessarily the same as configured in the '../server-
+ identity' node.";
+ container ca-certs {
+ if-feature "x509-certificate-auth";
+ presence
+ "Indicates that the TLS server can authenticate TLS clients
+ using configured certificate authority certificates.";
+ description
+ "A set of certificate authority (CA) certificates used by
+ the TLS server to authenticate TLS client certificates. A
+ client certificate is authenticated if it has a valid
+ chain of trust to a configured CA certificate.";
+ reference
+ "RFC YYYY: YANG Data Model for a Truststore";
+ uses ts:local-or-truststore-certs-grouping;
+ }
+ container client-certs { // FIXME: plural too much?
+ if-feature "x509-certificate-auth";
+ presence
+ "Indicates that the TLS server can authenticate TLS clients
+ using configured client certificates.";
+ description
+ "A set of client certificates (i.e., end entity
+ certificates) used by the TLS server to authenticate
+ certificates presented by TLS clients. A client
+ certificate is authenticated if it is an exact match
+ to a configured client certificate.";
+ reference
+ "RFC YYYY: YANG Data Model for a Truststore";
+ uses ts:local-or-truststore-certs-grouping;
+ }
+ container raw-public-keys {
+ if-feature "raw-public-key-auth";
+ presence
+ "Indicates that the TLS server can authenticate TLS clients
+ using configured client certificates.";
+ description
+ "A set of raw public keys used by the TLS server to
+ authenticate raw public keys presented by the TLS client.
+ A raw public key is authenticated if it is an exact match
+ to a configured raw public key.";
+ reference
+ "RFC YYYY: YANG Data Model for a Truststore";
+ uses ts:local-or-truststore-raw-pub-keys-grouping;
+ }
+ } // container client-authentication
+ container hello-params {
+ nacm:default-deny-write;
+ if-feature "tls-server-hello-params-config";
+ uses tlscmn:hello-params-grouping;
+ description
+ "Configurable parameters for the TLS hello message.";
+ } // container hello-params
+
+ container keepalives {
+ nacm:default-deny-write;
+ if-feature "tls-server-keepalives";
+ presence "Indicates that keepalives are enabled.";
+ description
+ "Configures the keep-alive policy, to proactively test
+ the aliveness of the TLS client. An unresponsive
+ TLS client is dropped after approximately max-wait
+ * max-attempts seconds.";
+ leaf max-wait {
+ type uint16 {
+ range "1..max";
+ }
+ units "seconds";
+ default "30";
+ description
+ "Sets the amount of time in seconds after which if
+ no data has been received from the TLS client, a
+ TLS-level message will be sent to test the
+ aliveness of the TLS client.";
+ }
+ leaf max-attempts {
+ type uint8;
+ default "3";
+ description
+ "Sets the maximum number of sequential keep-alive
+ messages that can fail to obtain a response from
+ the TLS client before assuming the TLS client is
+ no longer alive.";
+ }
+ } // container keepalives
+ } // grouping tls-server-grouping
+}
--- /dev/null
+module ietf-truststore {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-truststore";
+ prefix ts;
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ import ietf-crypto-types {
+ prefix ct;
+ reference
+ "RFC YYYY: Common YANG Data Types for Cryptography";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web : <http://datatracker.ietf.org/wg/netconf/>
+ WG List : <mailto:netconf@ietf.org>
+ Author : Kent Watsen <kent+ietf@watsen.net>
+ Author : Henk Birkholz <henk.birkholz@sit.fraunhofer.de>";
+
+ description
+ "This module defines a truststore to centralize management
+ of trust anchors including X.509 certificates, SSH host
+ keys, raw public keys, and PSKs (pairwise-symmetric or
+ pre-shared keys).
+
+ Copyright (c) 2019 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Simplified
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX
+ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2019-11-20 {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: A YANG Data Model for a Truststore";
+ }
+
+ /****************/
+ /* Features */
+ /****************/
+
+ feature truststore-supported {
+ description
+ "The 'truststore-supported' feature indicates that the
+ server supports the truststore (i.e., implements the
+ 'ietf-truststore' module).";
+ }
+
+ feature local-definitions-supported {
+ description
+ "The 'local-definitions-supported' feature indicates that
+ the server supports locally-defined trust anchors.";
+ }
+
+ feature x509-certificates {
+ description
+ "The 'x509-certificates' feature indicates that the server
+ implements the /truststore/certificates subtree.";
+ }
+
+ feature ssh-host-keys {
+ description
+ "The 'ssh-host-keys' feature indicates that the server
+ implements the /truststore/host-keys subtree.";
+ }
+
+ feature raw-public-keys {
+ description
+ "The 'raw-public-keys' feature indicates that the server
+ implements the /truststore/raw-public-keys subtree.";
+ }
+
+ /****************/
+ /* Typedefs */
+ /****************/
+
+ typedef certificates-ref {
+ type leafref {
+ path "/ts:truststore/ts:certificates/ts:name";
+ }
+ description
+ "This typedef enables modules to easily define a reference
+ to a set of certificates defined in the truststore.";
+ }
+
+ typedef host-keys-ref {
+ type leafref {
+ path "/ts:truststore/ts:host-keys/ts:name";
+ }
+ description
+ "This typedef enables modules to easily define a reference
+ to a set of host keys defined in the truststore.";
+ }
+
+ typedef raw-public-keys-ref {
+ type leafref {
+ path "/ts:truststore/ts:raw-public-keys/ts:name";
+ }
+ description
+ "This typedef enables modules to easily define a reference
+ to a set of raw public keys defined in the truststore.";
+ }
+
+ /*****************/
+ /* Groupings */
+ /*****************/
+
+ grouping local-or-truststore-certs-grouping {
+ description
+ "A grouping that expands to allow trust anchors to be
+ either stored locally, within the using data model, or be
+ a reference to trust anchors stored in the truststore.";
+ choice local-or-truststore {
+ mandatory true;
+ case local {
+ if-feature "local-definitions-supported";
+ container local-definition {
+ description
+ "Container to hold the local trust anchor definitions.";
+ uses ct:trust-anchor-certs-grouping;
+ }
+ }
+ case truststore {
+ if-feature "truststore-supported";
+ if-feature "x509-certificates";
+ leaf truststore-reference {
+ type ts:certificates-ref;
+ description
+ "A reference to a set of trust anchors that exists
+ in the truststore.";
+ }
+ }
+ description
+ "A choice between an inlined definition and a definition
+ that exists in the truststore.";
+ }
+ }
+
+ grouping local-or-truststore-host-keys-grouping {
+ description
+ "A grouping that expands to allow host keys to be
+ either stored locally, within the using data model, or be
+ a reference to host keys stored in the truststore.";
+ choice local-or-truststore {
+ mandatory true;
+ case local {
+ if-feature "local-definitions-supported";
+ container local-definition {
+ description
+ "Container to hold local host key definitions.";
+ leaf-list host-key {
+ nacm:default-deny-write;
+ type ct:ssh-host-key;
+ description
+ "The binary public key data for this host key.";
+ reference
+ "RFC YYYY: Common YANG Data Types for Cryptography";
+ }
+ }
+ }
+ case truststore {
+ if-feature "truststore-supported";
+ if-feature "ssh-host-keys";
+ leaf truststore-reference {
+ type ts:host-keys-ref;
+ description
+ "A reference to a set of host keys that exist in
+ the truststore.";
+ }
+ }
+ description
+ "A choice between an inlined definition and a definition
+ that exists in the truststore.";
+ }
+ }
+
+ grouping local-or-truststore-raw-pub-keys-grouping {
+ description
+ "A grouping that expands to allow raw public keys to be
+ available either locally, within the using data model, or
+ be a reference to raw public keys stored in the truststore.";
+ choice local-or-truststore {
+ mandatory true;
+ case local {
+ if-feature "local-definitions-supported";
+ container local-definition {
+ description
+ "Container to hold local raw public key definitions.";
+ list raw-public-key {
+ key name;
+ description
+ "A raw public key definition.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this raw public key.";
+ }
+ uses ct:public-key-grouping;
+ }
+ }
+ }
+ case truststore {
+ if-feature "truststore-supported";
+ if-feature "raw-public-keys";
+ leaf truststore-reference {
+ type ts:raw-public-keys-ref;
+ description
+ "A reference to a set of raw public keys that exist
+ in the truststore.";
+ }
+ }
+ description
+ "A choice between an inlined definition and a definition
+ that exists in the truststore.";
+ }
+ }
+
+ grouping truststore-grouping {
+ description
+ "Grouping definition enables use in other contexts. If ever
+ done, implementations SHOULD augment new 'case' statements
+ into local-or-keystore 'choice' statements to supply leafrefs
+ to the new location.";
+ list certificates {
+ if-feature "x509-certificates";
+ key "name";
+ description
+ "A list of certificates. These certificates can be
+ used by a server to authenticate clients, or by a client
+ to authenticate servers. Each list of certificates
+ SHOULD be specific to a purpose, as the list as a whole
+ may be referenced by other modules. For instance, a
+ RESTCONF server's configuration might use a specific list
+ of certificates for when authenticating RESTCONF
+ client connections.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this list of certificates.";
+ }
+ leaf description {
+ type string;
+ description
+ "An arbitrary description for this list of
+ certificates.";
+ }
+ list certificate {
+ key "name";
+ description
+ "A certificate.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this certificate. The
+ name must be unique across all lists of
+ certificates (not just this list) so that leafrefs
+ from another module can resolve to unique values.";
+ }
+ uses ct:trust-anchor-cert-grouping {
+ refine "cert" {
+ mandatory true;
+ }
+ }
+ }
+ }
+ list host-keys {
+ if-feature "ssh-host-keys";
+ key "name";
+ description
+ "A list of host keys. These host-keys can be used by
+ clients to authenticate SSH servers. Each list of host
+ keys SHOULD be specific to a purpose, so the list as a
+ whole may be referenced by other modules. For instance,
+ a client's configuration might point to a specific list
+ of host keys for when authenticating specific SSH servers.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this list of SSH
+ host keys.";
+ }
+ leaf description {
+ type string;
+ description
+ "An arbitrary description for this list of SSH
+ host keys.";
+ }
+ list host-key {
+ key "name";
+ description
+ "A host key.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this host-key.";
+ }
+ leaf host-key {
+ type ct:ssh-host-key;
+ mandatory true;
+ description
+ "The binary public key data for this host key.";
+ reference
+ "RFC YYYY: Common YANG Data Types for Cryptography";
+ }
+ }
+ }
+ list raw-public-keys {
+ if-feature "raw-public-keys";
+ key "name";
+ description
+ "A list of raw public keys. These raw public keys can be
+ used by a server to authenticate clients, or by a client
+ to authenticate servers. Each list of raw public keys
+ SHOULD be specific to a purpose, so the list as a whole
+ may be referenced by other modules. For instance, a
+ client's configuration might point to a specific list
+ of raw public keys for when authenticating specific TLS
+ endpoints.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this list of raw public keys.";
+ }
+ leaf description {
+ type string;
+ description
+ "An arbitrary description for this list raw public keys.";
+ }
+ list raw-public-key {
+ key "name";
+ description
+ "A raw public key.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this raw public key.";
+ }
+ uses ct:public-key-grouping;
+ }
+ }
+ }
+
+ /*********************************/
+ /* Protocol accessible nodes */
+ /*********************************/
+
+ container truststore {
+ nacm:default-deny-write;
+ description
+ "The truststore contains sets of X.509 certificates and
+ SSH host keys.";
+ uses truststore-grouping;
+ }
+}
--- /dev/null
+module ietf-yang-push {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-yang-push";
+ prefix yp;
+
+ import ietf-yang-types {
+ prefix yang;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+ import ietf-subscribed-notifications {
+ prefix sn;
+ reference
+ "draft-ietf-netconf-subscribed-notifications:
+ Customized Subscriptions to a Publisher's Event Streams
+ NOTE TO RFC Editor: Please replace above reference to
+ draft-ietf-netconf-subscribed-notifications with RFC number
+ when published (i.e. RFC xxxx).";
+ }
+ import ietf-datastores {
+ prefix ds;
+ reference
+ "RFC 8342: Network Management Datastore Architecture (NMDA)";
+ }
+ import ietf-restconf {
+ prefix rc;
+ reference
+ "RFC 8040: RESTCONF Protocol";
+ }
+ import ietf-yang-patch {
+ prefix ypatch;
+ reference
+ "RFC 8072: YANG Patch Media Type";
+ }
+
+ organization
+ "IETF NETCONF Working Group";
+ contact
+ "WG Web: <http://tools.ietf.org/wg/netconf/>
+
+ WG List: <mailto:netconf@ietf.org>
+
+ Editor: Alexander Clemm
+ <mailto:ludwig@clemm.org>
+ Editor: Eric Voit
+ <mailto:evoit@cisco.com>
+ Editor: Alberto Gonzalez Prieto
+ <mailto:agonzalezpri@vmware.com>
+ Editor: Ambika Prasad Tripathy
+ <mailto:ambtripa@cisco.com>
+ Editor: Einar Nilsen-Nygaard
+ <mailto:einarnn@cisco.com>
+ Editor: Andy Bierman
+ <mailto:andy@yumaworks.com>
+ Editor: Balazs Lengyel
+ <mailto:balazs.lengyel@ericsson.com>";
+ description
+ "This module contains YANG specifications for YANG push.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
+ NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
+ 'MAY', and 'OPTIONAL' in this document are to be interpreted as
+ described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
+ they appear in all capitals, as shown here.
+
+ Copyright (c) 2019 IETF Trust and the persons identified as
+ authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject to
+ the license terms contained in, the Simplified BSD License set
+ forth in Section 4.c of the IETF Trust's Legal Provisions
+ Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX;
+ see the RFC itself for full legal notices.";
+
+ // RFC Ed.: replace XXXX with actual RFC number and remove this
+ // note.
+
+ revision 2019-05-21 {
+ description
+ "Initial revision.
+ NOTE TO RFC EDITOR:
+ (1)Please replace the above revision date to
+ the date of RFC publication when published.
+ (2) Please replace the date in the file name
+ (ietf-yang-push@2019-05-21.yang) to the date of RFC
+ publication.
+ (3) Please replace the following reference to
+ draft-ietf-netconf-yang-push-25 with RFC number when
+ published (i.e. RFC xxxx).";
+ reference
+ "draft-ietf-netconf-yang-push-25";
+ }
+
+ /*
+ * FEATURES
+ */
+
+ feature on-change {
+ description
+ "This feature indicates that on-change triggered subscriptions
+ are supported.";
+ }
+
+ /*
+ * IDENTITIES
+ */
+
+ /* Error type identities for datastore subscription */
+
+ identity resync-subscription-error {
+ description
+ "Problem found while attempting to fulfill an
+ 'resync-subscription' RPC request.";
+ }
+
+ identity cant-exclude {
+ base sn:establish-subscription-error;
+ description
+ "Unable to remove the set of 'excluded-changes'. This means
+ the publisher is unable to restrict 'push-change-update's to
+ just the change types requested for this subscription.";
+ }
+
+ identity datastore-not-subscribable {
+ base sn:establish-subscription-error;
+ base sn:subscription-terminated-reason;
+ description
+ "This is not a subscribable datastore.";
+ }
+
+ identity no-such-subscription-resync {
+ base resync-subscription-error;
+ description
+ "Referenced subscription doesn't exist. This may be as a result
+ of a non-existent subscription ID, an ID which belongs to
+ another subscriber, or an ID for configured subscription.";
+ }
+
+ identity on-change-unsupported {
+ base sn:establish-subscription-error;
+ description
+ "On-change is not supported for any objects which are
+ selectable by this filter.";
+ }
+
+ identity on-change-sync-unsupported {
+ base sn:establish-subscription-error;
+ description
+ "Neither sync on start nor resynchronization are supported for
+ this subscription. This error will be used for two
+ reasons. First if an 'establish-subscription' RPC includes
+ 'sync-on-start', yet the publisher can't support sending a
+ 'push-update' for this subscription for reasons other than
+ 'on-change-unsupported' or 'sync-too-big'. And second, if the
+ 'resync-subscription' RPC is invoked either for an existing
+ periodic subscription, or for an on-change subscription which
+ can't support resynchronization.";
+ }
+
+ identity period-unsupported {
+ base sn:establish-subscription-error;
+ base sn:modify-subscription-error;
+ base sn:subscription-suspended-reason;
+ description
+ "Requested time period or dampening-period is too short. This
+ can be for both periodic and on-change subscriptions (with or
+ without dampening.) Hints suggesting alternative periods may
+ be returned as supplemental information.";
+ }
+
+ identity update-too-big {
+ base sn:establish-subscription-error;
+ base sn:modify-subscription-error;
+ base sn:subscription-suspended-reason;
+ description
+ "Periodic or on-change push update datatrees exceed a maximum
+ size limit. Hints on estimated size of what was too big may
+ be returned as supplemental information.";
+ }
+
+ identity sync-too-big {
+ base sn:establish-subscription-error;
+ base sn:modify-subscription-error;
+ base resync-subscription-error;
+ base sn:subscription-suspended-reason;
+ description
+ "Sync-on-start or resynchronization datatree exceeds a maximum
+ size limit. Hints on estimated size of what was too big may
+ be returned as supplemental information.";
+ }
+
+ identity unchanging-selection {
+ base sn:establish-subscription-error;
+ base sn:modify-subscription-error;
+ base sn:subscription-terminated-reason;
+ description
+ "Selection filter is unlikely to ever select datatree nodes.
+ This means that based on the subscriber's current access
+ rights, the publisher recognizes that the selection filter is
+ unlikely to ever select datatree nodes which change. Examples
+ for this might be that node or subtree doesn't exist, read
+ access is not permitted for a receiver, or static objects that
+ only change at reboot have been chosen.";
+ }
+
+ /*
+ * TYPE DEFINITIONS
+ */
+
+ typedef change-type {
+ type enumeration {
+ enum create {
+ description
+ "A change that refers to the creation of a new datastore
+ node.";
+ }
+ enum delete {
+ description
+ "A change that refers to the deletion of a datastore
+ node.";
+ }
+ enum insert {
+ description
+ "A change that refers to the insertion of a new
+ user-ordered datastore node.";
+ }
+ enum move {
+ description
+ "A change that refers to a reordering of the target
+ datastore node.";
+ }
+ enum replace {
+ description
+ "A change that refers to a replacement of the target
+ datastore node's value.";
+ }
+ }
+ description
+ "Specifies different types of datastore changes.
+
+ This type is based on the edit operations defined for YANG
+ Patch, with the difference that it is valid for a receiver to
+ process an update record which performs a create operation on
+ a datastore node the receiver believes exists, or to process a
+ delete on a datastore node the receiver believes is missing.";
+ reference
+ "RFC 8072: YANG Patch Media Type, section 2.5";
+ }
+
+ typedef selection-filter-ref {
+ type leafref {
+ path "/sn:filters/yp:selection-filter/yp:filter-id";
+ }
+ description
+ "This type is used to reference a selection filter.";
+ }
+
+ typedef centiseconds {
+ type uint32;
+ description
+ "A period of time, measured in units of 0.01 seconds.";
+ }
+
+ /*
+ * GROUP DEFINITIONS
+ */
+
+ grouping datastore-criteria {
+ description
+ "A grouping to define criteria for which selected objects
+ from a targeted datastore should be included in push
+ updates.";
+ leaf datastore {
+ type identityref {
+ base ds:datastore;
+ }
+ mandatory true;
+ description
+ "Datastore from which to retrieve data.";
+ }
+ uses selection-filter-objects;
+ }
+
+ grouping selection-filter-types {
+ description
+ "This grouping defines the types of selectors for objects
+ from a datastore.";
+ choice filter-spec {
+ description
+ "The content filter specification for this request.";
+ anydata datastore-subtree-filter {
+ if-feature "sn:subtree";
+ description
+ "This parameter identifies the portions of the
+ target datastore to retrieve.";
+ reference
+ "RFC 6241: Network Configuration Protocol, Section 6.";
+ }
+ leaf datastore-xpath-filter {
+ if-feature "sn:xpath";
+ type yang:xpath1.0;
+ description
+ "This parameter contains an XPath expression identifying
+ the portions of the target datastore to retrieve.
+
+ If the expression returns a node-set, all nodes in the
+ node-set are selected by the filter. Otherwise, if the
+ expression does not return a node-set, the filter
+ doesn't select any nodes.
+
+ The expression is evaluated in the following XPath
+ context:
+
+ o The set of namespace declarations is the set of prefix
+ and namespace pairs for all YANG modules implemented
+ by the server, where the prefix is the YANG module
+ name and the namespace is as defined by the
+ 'namespace' statement in the YANG module.
+
+ If the leaf is encoded in XML, all namespace
+ declarations in scope on the 'stream-xpath-filter'
+ leaf element are added to the set of namespace
+ declarations. If a prefix found in the XML is
+ already present in the set of namespace declarations,
+ the namespace in the XML is used.
+
+ o The set of variable bindings is empty.
+
+ o The function library is the core function library, and
+ the XPath functions defined in section 10 in RFC 7950.
+
+ o The context node is the root node of the target
+ datastore.";
+ }
+ }
+ }
+
+ grouping selection-filter-objects {
+ description
+ "This grouping defines a selector for objects from a
+ datastore.";
+ choice selection-filter {
+ description
+ "The source of the selection filter applied to the
+ subscription. This will come either referenced from a global
+ list, or be provided within the subscription itself.";
+ case by-reference {
+ description
+ "Incorporate a filter that has been configured
+ separately.";
+ leaf selection-filter-ref {
+ type selection-filter-ref;
+ mandatory true;
+ description
+ "References an existing selection filter which is to be
+ applied to the subscription.";
+ }
+ }
+ case within-subscription {
+ description
+ "Local definition allows a filter to have the same
+ lifecycle as the subscription.";
+ uses selection-filter-types;
+ }
+ }
+ }
+
+ grouping update-policy-modifiable {
+ description
+ "This grouping describes the datastore specific subscription
+ conditions that can be changed during the lifetime of the
+ subscription.";
+ choice update-trigger {
+ description
+ "Defines necessary conditions for sending an event record to
+ the subscriber.";
+ case periodic {
+ container periodic {
+ presence "indicates a periodic subscription";
+ description
+ "The publisher is requested to notify periodically the
+ current values of the datastore as defined by the
+ selection filter.";
+ leaf period {
+ type centiseconds;
+ mandatory true;
+ description
+ "Duration of time which should occur between periodic
+ push updates, in one hundredths of a second.";
+ }
+ leaf anchor-time {
+ type yang:date-and-time;
+ description
+ "Designates a timestamp before or after which a series
+ of periodic push updates are determined. The next
+ update will take place at a whole multiple interval
+ from the anchor time. For example, for an anchor time
+ is set for the top of a particular minute and a period
+ interval of a minute, updates will be sent at the top
+ of every minute this subscription is active.";
+ }
+ }
+ }
+ case on-change {
+ if-feature "on-change";
+ container on-change {
+ presence "indicates an on-change subscription";
+ description
+ "The publisher is requested to notify changes in values
+ in the datastore subset as defined by a selection
+ filter.";
+ leaf dampening-period {
+ type centiseconds;
+ default "0";
+ description
+ "Specifies the minimum interval between the assembly of
+ successive update records for a single receiver of a
+ subscription. Whenever subscribed objects change, and
+ a dampening period interval (which may be zero) has
+ elapsed since the previous update record creation for
+ a receiver, then any subscribed objects and properties
+ which have changed since the previous update record
+ will have their current values marshalled and placed
+ into a new update record.";
+ }
+ }
+ }
+ }
+ }
+
+ grouping update-policy {
+ description
+ "This grouping describes the datastore-specific subscription
+ conditions of a subscription.";
+ uses update-policy-modifiable {
+ augment "update-trigger/on-change/on-change" {
+ description
+ "Includes objects not modifiable once subscription is
+ established.";
+ leaf sync-on-start {
+ type boolean;
+ default "true";
+ description
+ "When this object is set to false, it restricts an
+ on-change subscription from sending push-update
+ notifications. When false, pushing a full selection per
+ the terms of the selection filter MUST NOT be done for
+ this subscription. Only updates about changes,
+ i.e. only push-change-update notifications are sent.
+ When true (default behavior), in order to facilitate a
+ receiver's synchronization, a full update is sent when
+ the subscription starts using a push-update
+ notification. After that, push-change-update
+ notifications are exclusively sent unless the publisher
+ chooses to resync the subscription via a new push-update
+ notification.";
+ }
+ leaf-list excluded-change {
+ type change-type;
+ description
+ "Use to restrict which changes trigger an update. For
+ example, if modify is excluded, only creation and
+ deletion of objects is reported.";
+ }
+ }
+ }
+ }
+ grouping hints {
+ description
+ "Parameters associated with some error for a subscription
+ made upon a datastore.";
+ leaf period-hint {
+ type centiseconds;
+ description
+ "Returned when the requested time period is too short. This
+ hint can assert a viable period for either a periodic push
+ cadence or an on-change dampening interval.";
+ }
+ leaf filter-failure-hint {
+ type string;
+ description
+ "Information describing where and/or why a provided filter
+ was unsupportable for a subscription.";
+ }
+ leaf object-count-estimate {
+ type uint32;
+ description
+ "If there are too many objects which could potentially be
+ returned by the selection filter, this identifies the
+ estimate of the number of objects which the filter would
+ potentially pass.";
+ }
+ leaf object-count-limit {
+ type uint32;
+ description
+ "If there are too many objects which could be returned by
+ the selection filter, this identifies the upper limit of
+ the publisher's ability to service for this subscription.";
+ }
+ leaf kilobytes-estimate {
+ type uint32;
+ description
+ "If the returned information could be beyond the capacity
+ of the publisher, this would identify the data size which
+ could result from this selection filter.";
+ }
+ leaf kilobytes-limit {
+ type uint32;
+ description
+ "If the returned information would be beyond the capacity
+ of the publisher, this identifies the upper limit of the
+ publisher's ability to service for this subscription.";
+ }
+ }
+
+ /*
+ * RPCs
+ */
+
+ rpc resync-subscription {
+ if-feature "on-change";
+ description
+ "This RPC allows a subscriber of an active on-change
+ subscription to request a full push of objects.
+
+ A successful invocation results in a push-update of all
+ datastore nodes that the subscriber is permitted to access.
+ This RPC can only be invoked on the same session on which the
+ subscription is currently active. In case of an error, a
+ resync-subscription-error is sent as part of an error
+ response.";
+ input {
+ leaf id {
+ type sn:subscription-id;
+ mandatory true;
+ description
+ "Identifier of the subscription that is to be resynced.";
+ }
+ }
+ }
+
+ rc:yang-data resync-subscription-error {
+ container resync-subscription-error {
+ description
+ "If a 'resync-subscription' RPC fails, the subscription is
+ not resynced and the RPC error response MUST indicate the
+ reason for this failure. This YANG-data MAY be inserted as
+ structured data within a subscription's RPC error response
+ to indicate the failure reason.";
+ leaf reason {
+ type identityref {
+ base resync-subscription-error;
+ }
+ mandatory true;
+ description
+ "Indicates the reason why the publisher has declined a
+ request for subscription resynchronization.";
+ }
+ uses hints;
+ }
+ }
+
+ augment "/sn:establish-subscription/sn:input" {
+ description
+ "This augmentation adds additional subscription parameters
+ that apply specifically to datastore updates to RPC input.";
+ uses update-policy;
+ }
+
+ augment "/sn:establish-subscription/sn:input/sn:target" {
+ description
+ "This augmentation adds the datastore as a valid target
+ for the subscription to RPC input.";
+ case datastore {
+ description
+ "Information specifying the parameters of an request for a
+ datastore subscription.";
+ uses datastore-criteria;
+ }
+ }
+
+ rc:yang-data establish-subscription-datastore-error-info {
+ container establish-subscription-datastore-error-info {
+ description
+ "If any 'establish-subscription' RPC parameters are
+ unsupportable against the datastore, a subscription is not
+ created and the RPC error response MUST indicate the reason
+ why the subscription failed to be created. This YANG-data
+ MAY be inserted as structured data within a subscription's
+ RPC error response to indicate the failure reason. This
+ YANG-data MUST be inserted if hints are to be provided back
+ to the subscriber.";
+ leaf reason {
+ type identityref {
+ base sn:establish-subscription-error;
+ }
+ description
+ "Indicates the reason why the subscription has failed to
+ be created to a targeted datastore.";
+ }
+ uses hints;
+ }
+ }
+
+ augment "/sn:modify-subscription/sn:input" {
+ description
+ "This augmentation adds additional subscription parameters
+ specific to datastore updates.";
+ uses update-policy-modifiable;
+ }
+
+ augment "/sn:modify-subscription/sn:input/sn:target" {
+ description
+ "This augmentation adds the datastore as a valid target
+ for the subscription to RPC input.";
+ case datastore {
+ description
+ "Information specifying the parameters of an request for a
+ datastore subscription.";
+ uses datastore-criteria;
+ }
+ }
+
+ rc:yang-data modify-subscription-datastore-error-info {
+ container modify-subscription-datastore-error-info {
+ description
+ "This YANG-data MAY be provided as part of a subscription's
+ RPC error response when there is a failure of a
+ 'modify-subscription' RPC which has been made against a
+ datastore. This YANG-data MUST be used if hints are to be
+ provides back to the subscriber.";
+ leaf reason {
+ type identityref {
+ base sn:modify-subscription-error;
+ }
+ description
+ "Indicates the reason why the subscription has failed to
+ be modified.";
+ }
+ uses hints;
+ }
+ }
+
+ /*
+ * NOTIFICATIONS
+ */
+
+ notification push-update {
+ description
+ "This notification contains a push update, containing data
+ subscribed to via a subscription. This notification is sent
+ for periodic updates, for a periodic subscription. It can
+ also be used for synchronization updates of an on-change
+ subscription. This notification shall only be sent to
+ receivers of a subscription. It does not constitute a
+ general-purpose notification that would be subscribable as
+ part of the NETCONF event stream by any receiver.";
+ leaf id {
+ type sn:subscription-id;
+ description
+ "This references the subscription which drove the
+ notification to be sent.";
+ }
+ anydata datastore-contents {
+ description
+ "This contains the updated data. It constitutes a snapshot
+ at the time-of-update of the set of data that has been
+ subscribed to. The snapshot corresponds to the same
+ snapshot that would be returned in a corresponding get
+ operation with the same selection filter parameters
+ applied.";
+ }
+ leaf incomplete-update {
+ type empty;
+ description
+ "This is a flag which indicates that not all datastore
+ nodes subscribed to are included with this update. In
+ other words, the publisher has failed to fulfill its full
+ subscription obligations, and despite its best efforts is
+ providing an incomplete set of objects.";
+ }
+ }
+
+ notification push-change-update {
+ if-feature "on-change";
+ description
+ "This notification contains an on-change push update. This
+ notification shall only be sent to the receivers of a
+ subscription. It does not constitute ageneral-purpose
+ notification that would be subscribable as part of the
+ NETCONF event stream by any receiver.";
+ leaf id {
+ type sn:subscription-id;
+ description
+ "This references the subscription which drove the
+ notification to be sent.";
+ }
+ container datastore-changes {
+ description
+ "This contains the set of datastore changes of the target
+ datastore starting at the time of the previous update, per
+ the terms of the subscription.";
+ uses ypatch:yang-patch;
+ }
+ leaf incomplete-update {
+ type empty;
+ description
+ "The presence of this object indicates not all changes which
+ have occurred since the last update are included with this
+ update. In other words, the publisher has failed to
+ fulfill its full subscription obligations, for example in
+ cases where it was not able to keep up with a change
+ burst.";
+ }
+ }
+
+ augment "/sn:subscription-started" {
+ description
+ "This augmentation adds datastore-specific objects to
+ the notification that a subscription has started.";
+ uses update-policy;
+ }
+
+ augment "/sn:subscription-started/sn:target" {
+ description
+ "This augmentation allows the datastore to be included as
+ part of the notification that a subscription has started.";
+ case datastore {
+ uses datastore-criteria {
+ refine "selection-filter/within-subscription" {
+ description
+ "Specifies the selection filter and where it originated
+ from. If the 'selection-filter-ref' is populated, the
+ filter within the subscription came from the 'filters'
+ container. Otherwise it is populated in-line as part of
+ the subscription itself.";
+ }
+ }
+ }
+ }
+
+ augment "/sn:subscription-modified" {
+ description
+ "This augmentation adds datastore-specific objects to
+ the notification that a subscription has been modified.";
+ uses update-policy;
+ }
+
+ augment "/sn:subscription-modified/sn:target" {
+ description
+ "This augmentation allows the datastore to be included as
+ part of the notification that a subscription has been
+ modified.";
+ case datastore {
+ uses datastore-criteria {
+ refine "selection-filter/within-subscription" {
+ description
+ "Specifies the selection filter and where it originated
+ from. If the 'selection-filter-ref' is populated, the
+ filter within the subscription came from the 'filters'
+ container. Otherwise it is populated in-line as part of
+ the subscription itself.";
+ }
+ }
+ }
+ }
+
+ /*
+ * DATA NODES
+ */
+
+ augment "/sn:filters" {
+ description
+ "This augmentation allows the datastore to be included as part
+ of the selection filtering criteria for a subscription.";
+ list selection-filter {
+ key "filter-id";
+ description
+ "A list of pre-configured filters that can be applied
+ to datastore subscriptions.";
+ leaf filter-id {
+ type string;
+ description
+ "An identifier to differentiate between selection
+ filters.";
+ }
+ uses selection-filter-types;
+ }
+ }
+
+ augment "/sn:subscriptions/sn:subscription" {
+ when 'yp:datastore';
+ description
+ "This augmentation adds many datastore specific objects to a
+ subscription.";
+ uses update-policy;
+ }
+
+ augment "/sn:subscriptions/sn:subscription/sn:target" {
+ description
+ "This augmentation allows the datastore to be included as
+ part of the selection filtering criteria for a subscription.";
+ case datastore {
+ uses datastore-criteria;
+ }
+ }
+}
--- /dev/null
+module ietf-yang-types {
+
+ namespace "urn:ietf:params:xml:ns:yang:ietf-yang-types";
+ prefix "yang";
+
+ organization
+ "IETF Network Modeling (NETMOD) Working Group";
+
+ contact
+ "WG Web: <https://datatracker.ietf.org/wg/netmod/>
+ WG List: <mailto:netmod@ietf.org>
+
+ Editor: Juergen Schoenwaelder
+ <mailto:j.schoenwaelder@jacobs-university.de>";
+
+ description
+ "This module contains a collection of generally useful derived
+ YANG data types.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
+ NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
+ 'MAY', and 'OPTIONAL' in this document are to be interpreted as
+ described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
+ they appear in all capitals, as shown here.
+
+ Copyright (c) 2019 IETF Trust and the persons identified as
+ authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD License
+ set forth in Section 4.c of the IETF Trust's Legal Provisions
+ Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX;
+ see the RFC itself for full legal notices.";
+
+ revision 2019-11-04 {
+ description
+ "This revision adds the following new data types:
+ - date, time
+ - hours32, minutes32, seconds32, centiseconds32, milliseconds32,
+ - microseconds32, microseconds64, nanoseconds32, nanoseconds64
+ - revision-identifier, node-instance-identifier";
+ reference
+ "RFC XXXX: Common YANG Data Types";
+ }
+
+ revision 2013-07-15 {
+ description
+ "This revision adds the following new data types:
+ - yang-identifier
+ - hex-string
+ - uuid
+ - dotted-quad";
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ revision 2010-09-24 {
+ description
+ "Initial revision.";
+ reference
+ "RFC 6021: Common YANG Data Types";
+ }
+
+ /*** collection of counter and gauge types ***/
+
+ typedef counter32 {
+ type uint32;
+ description
+ "The counter32 type represents a non-negative integer
+ that monotonically increases until it reaches a
+ maximum value of 2^32-1 (4294967295 decimal), when it
+ wraps around and starts increasing again from zero.
+
+ Counters have no defined 'initial' value, and thus, a
+ single value of a counter has (in general) no information
+ content. Discontinuities in the monotonically increasing
+ value normally occur at re-initialization of the
+ management system, and at other times as specified in the
+ description of a schema node using this type. If such
+ other times can occur, for example, the instantiation of
+ a schema node of type counter32 at times other than
+ re-initialization, then a corresponding schema node
+ should be defined, with an appropriate type, to indicate
+ the last discontinuity.
+ The counter32 type should not be used for configuration
+ schema nodes. A default statement SHOULD NOT be used in
+ combination with the type counter32.
+
+ In the value set and its semantics, this type is equivalent
+ to the Counter32 type of the SMIv2.";
+ reference
+ "RFC 2578: Structure of Management Information Version 2
+ (SMIv2)";
+ }
+
+ typedef zero-based-counter32 {
+ type yang:counter32;
+ default "0";
+ description
+ "The zero-based-counter32 type represents a counter32
+ that has the defined 'initial' value zero.
+
+ A schema node instance of this type will be set to zero (0)
+ on creation and will thereafter increase monotonically until
+ it reaches a maximum value of 2^32-1 (4294967295 decimal),
+ when it wraps around and starts increasing again from zero.
+
+ Provided that an application discovers a new schema node
+ instance of this type within the minimum time to wrap, it
+ can use the 'initial' value as a delta. It is important for
+ a management station to be aware of this minimum time and the
+ actual time between polls, and to discard data if the actual
+ time is too long or there is no defined minimum time.
+
+ In the value set and its semantics, this type is equivalent
+ to the ZeroBasedCounter32 textual convention of the SMIv2.";
+ reference
+ "RFC 4502: Remote Network Monitoring Management Information
+ Base Version 2";
+ }
+
+ typedef counter64 {
+ type uint64;
+ description
+ "The counter64 type represents a non-negative integer
+ that monotonically increases until it reaches a
+ maximum value of 2^64-1 (18446744073709551615 decimal),
+ when it wraps around and starts increasing again from zero.
+
+ Counters have no defined 'initial' value, and thus, a
+ single value of a counter has (in general) no information
+ content. Discontinuities in the monotonically increasing
+ value normally occur at re-initialization of the
+ management system, and at other times as specified in the
+ description of a schema node using this type. If such
+ other times can occur, for example, the instantiation of
+ a schema node of type counter64 at times other than
+ re-initialization, then a corresponding schema node
+ should be defined, with an appropriate type, to indicate
+ the last discontinuity.
+
+ The counter64 type should not be used for configuration
+ schema nodes. A default statement SHOULD NOT be used in
+ combination with the type counter64.
+
+ In the value set and its semantics, this type is equivalent
+ to the Counter64 type of the SMIv2.";
+ reference
+ "RFC 2578: Structure of Management Information Version 2
+ (SMIv2)";
+ }
+
+ typedef zero-based-counter64 {
+ type yang:counter64;
+ default "0";
+ description
+ "The zero-based-counter64 type represents a counter64 that
+ has the defined 'initial' value zero.
+
+ A schema node instance of this type will be set to zero (0)
+ on creation and will thereafter increase monotonically until
+ it reaches a maximum value of 2^64-1 (18446744073709551615
+ decimal), when it wraps around and starts increasing again
+ from zero.
+
+ Provided that an application discovers a new schema node
+ instance of this type within the minimum time to wrap, it
+ can use the 'initial' value as a delta. It is important for
+ a management station to be aware of this minimum time and the
+ actual time between polls, and to discard data if the actual
+ time is too long or there is no defined minimum time.
+
+ In the value set and its semantics, this type is equivalent
+ to the ZeroBasedCounter64 textual convention of the SMIv2.";
+ reference
+ "RFC 2856: Textual Conventions for Additional High Capacity
+ Data Types";
+ }
+
+ typedef gauge32 {
+ type uint32;
+ description
+ "The gauge32 type represents a non-negative integer, which
+ may increase or decrease, but shall never exceed a maximum
+ value, nor fall below a minimum value. The maximum value
+ cannot be greater than 2^32-1 (4294967295 decimal), and
+ the minimum value cannot be smaller than 0. The value of
+ a gauge32 has its maximum value whenever the information
+ being modeled is greater than or equal to its maximum
+ value, and has its minimum value whenever the information
+ being modeled is smaller than or equal to its minimum value.
+ If the information being modeled subsequently decreases
+ below (increases above) the maximum (minimum) value, the
+ gauge32 also decreases (increases).
+
+ In the value set and its semantics, this type is equivalent
+ to the Gauge32 type of the SMIv2.";
+ reference
+ "RFC 2578: Structure of Management Information Version 2
+ (SMIv2)";
+ }
+
+ typedef gauge64 {
+ type uint64;
+ description
+ "The gauge64 type represents a non-negative integer, which
+ may increase or decrease, but shall never exceed a maximum
+ value, nor fall below a minimum value. The maximum value
+ cannot be greater than 2^64-1 (18446744073709551615), and
+ the minimum value cannot be smaller than 0. The value of
+ a gauge64 has its maximum value whenever the information
+ being modeled is greater than or equal to its maximum
+ value, and has its minimum value whenever the information
+ being modeled is smaller than or equal to its minimum value.
+ If the information being modeled subsequently decreases
+ below (increases above) the maximum (minimum) value, the
+ gauge64 also decreases (increases).
+
+ In the value set and its semantics, this type is equivalent
+ to the CounterBasedGauge64 SMIv2 textual convention defined
+ in RFC 2856";
+ reference
+ "RFC 2856: Textual Conventions for Additional High Capacity
+ Data Types";
+ }
+
+ /*** collection of identifier-related types ***/
+
+ typedef object-identifier {
+ type string {
+ pattern '(([0-1](\.[1-3]?[0-9]))|(2\.(0|([1-9]\d*))))'
+ + '(\.(0|([1-9]\d*)))*';
+ }
+ description
+ "The object-identifier type represents administratively
+ assigned names in a registration-hierarchical-name tree.
+
+ Values of this type are denoted as a sequence of numerical
+ non-negative sub-identifier values. Each sub-identifier
+ value MUST NOT exceed 2^32-1 (4294967295). Sub-identifiers
+ are separated by single dots and without any intermediate
+ whitespace.
+
+ The ASN.1 standard restricts the value space of the first
+ sub-identifier to 0, 1, or 2. Furthermore, the value space
+ of the second sub-identifier is restricted to the range
+ 0 to 39 if the first sub-identifier is 0 or 1. Finally,
+ the ASN.1 standard requires that an object identifier
+ has always at least two sub-identifiers. The pattern
+ captures these restrictions.
+
+ Although the number of sub-identifiers is not limited,
+ module designers should realize that there may be
+ implementations that stick with the SMIv2 limit of 128
+ sub-identifiers.
+
+ This type is a superset of the SMIv2 OBJECT IDENTIFIER type
+ since it is not restricted to 128 sub-identifiers. Hence,
+ this type SHOULD NOT be used to represent the SMIv2 OBJECT
+ IDENTIFIER type; the object-identifier-128 type SHOULD be
+ used instead.";
+ reference
+ "ISO9834-1: Information technology -- Open Systems
+ Interconnection -- Procedures for the operation of OSI
+ Registration Authorities: General procedures and top
+ arcs of the ASN.1 Object Identifier tree";
+ }
+
+ typedef object-identifier-128 {
+ type object-identifier {
+ pattern '\d*(\.\d*){1,127}';
+ }
+ description
+ "This type represents object-identifiers restricted to 128
+ sub-identifiers.
+
+ In the value set and its semantics, this type is equivalent
+ to the OBJECT IDENTIFIER type of the SMIv2.";
+ reference
+ "RFC 2578: Structure of Management Information Version 2
+ (SMIv2)";
+ }
+
+ /*** collection of types related to date and time ***/
+
+ typedef date-and-time {
+ type string {
+ pattern '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?'
+ + '(Z|[\+\-]\d{2}:\d{2})';
+ }
+ description
+ "The date-and-time type is a profile of the ISO 8601
+ standard for representation of dates and times using the
+ Gregorian calendar. The profile is defined by the
+ date-time production in Section 5.6 of RFC 3339.
+
+ The date-and-time type is compatible with the dateTime XML
+ schema type with the following notable exceptions:
+
+ (a) The date-and-time type does not allow negative years.
+
+ (b) The date-and-time time-offset -00:00 indicates an unknown
+ time zone (see RFC 3339) while -00:00 and +00:00 and Z
+ all represent the same time zone in dateTime.
+
+ (c) The canonical format (see below) of date-and-time values
+ differs from the canonical format used by the dateTime XML
+ schema type, which requires all times to be in UTC using
+ the time-offset 'Z'.
+
+ This type is not equivalent to the DateAndTime textual
+ convention of the SMIv2 since RFC 3339 uses a different
+ separator between full-date and full-time and provides
+ higher resolution of time-secfrac.
+
+ The canonical format for date-and-time values with a known time
+ zone uses a numeric time zone offset that is calculated using
+ the device's configured known offset to UTC time. A change of
+ the device's offset to UTC time will cause date-and-time values
+ to change accordingly. Such changes might happen periodically
+ in case a server follows automatically daylight saving time
+ (DST) time zone offset changes. The canonical format for
+ date-and-time values with an unknown time zone (usually
+ referring to the notion of local time) uses the time-offset
+ -00:00.";
+ reference
+ "RFC 3339: Date and Time on the Internet: Timestamps
+ RFC 2579: Textual Conventions for SMIv2
+ XSD-TYPES: XML Schema Part 2: Datatypes Second Edition";
+ }
+
+ typedef date {
+ type string {
+ pattern '\d{4}-\d{2}-\d{2}'
+ + '(Z|[\+\-]\d{2}:\d{2})';
+ }
+ description
+ "The date type represents a time-interval of the length
+ of a day, i.e., 24 hours.
+
+ The date type is compatible with the date XML schema
+ type with the following notable exceptions:
+
+ (a) The date type does not allow negative years.
+
+ (b) The date time-offset -00:00 indicates an unknown
+ time zone (see RFC 3339) while -00:00 and +00:00 and Z
+ all represent the same time zone in date.
+
+ (c) The canonical format (see below) of data values
+ differs from the canonical format used by the date XML
+ schema type, which requires all times to be in UTC using
+ the time-offset 'Z'.
+
+ The canonical format for date values with a known time
+ zone uses a numeric time zone offset that is calculated using
+ the device's configured known offset to UTC time. A change of
+ the device's offset to UTC time will cause date values
+ to change accordingly. Such changes might happen periodically
+ in case a server follows automatically daylight saving time
+ (DST) time zone offset changes. The canonical format for
+ date values with an unknown time zone (usually referring
+ to the notion of local time) uses the time-offset -00:00.";
+ reference
+ "RFC 3339: Date and Time on the Internet: Timestamps
+ XSD-TYPES: XML Schema Part 2: Datatypes Second Edition";
+ }
+
+ /*
+ * DISCUSS:
+ * - XML schema seems to use a different canonical format, we
+ * need to take a closer look how to define the canonical format
+ * given that a data really identifies a 24 hour interval and
+ * what XSD means with 'interval midpoint'.
+ */
+
+ typedef time {
+ type string {
+ pattern '\d{2}:\d{2}:\d{2}(\.\d+)?'
+ + '(Z|[\+\-]\d{2}:\d{2})';
+ }
+ description
+ "The time type represents an instance of time of zero-duration
+ that recurs every day.
+
+ The time type is compatible with the time XML schema
+ type with the following notable exceptions:
+
+ (a) The time time-offset -00:00 indicates an unknown
+ time zone (see RFC 3339) while -00:00 and +00:00 and Z
+ all represent the same time zone in time.
+
+ (c) The canonical format (see below) of time values
+ differs from the canonical format used by the time XML
+ schema type, which requires all times to be in UTC using
+ the time-offset 'Z'.
+
+ The canonical format for time values with a known time
+ zone uses a numeric time zone offset that is calculated using
+ the device's configured known offset to UTC time. A change of
+ the device's offset to UTC time will cause time values
+ to change accordingly. Such changes might happen periodically
+ in case a server follows automatically daylight saving time
+ (DST) time zone offset changes. The canonical format for
+ time values with an unknown time zone (usually referring
+ to the notion of local time) uses the time-offset -00:00.";
+ reference
+ "RFC 3339: Date and Time on the Internet: Timestamps
+ XSD-TYPES: XML Schema Part 2: Datatypes Second Edition";
+ }
+
+ typedef hours32 {
+ type int32;
+ units "hours";
+ description
+ "A period of time, measured in units of hours.
+
+ The maximum time period that can be expressed is in the
+ range [89478485 days 08:00:00 to 89478485 days 07:00:00].
+
+ This type should be range restricted in situations
+ where only non-negative time periods are desirable,
+ (i.e., range '0..max').";
+ }
+
+ typedef minutes32 {
+ type int32;
+ units "minutes";
+ description
+ "A period of time, measured in units of minutes.
+
+ The maximum time period that can be expressed is in the
+ range [-1491308 days 2:08:00 to 1491308 days 2:07:00].
+
+ This type should be range restricted in situations
+ where only non-negative time periods are desirable,
+ (i.e., range '0..max').";
+ }
+
+ typedef seconds32 {
+ type int32;
+ units "seconds";
+ description
+ "A period of time, measured in units of seconds.
+
+ The maximum time period that can be expressed is in the
+ range [-24855 days 03:14:08 to 24855 days 03:14:07].
+
+ This type should be range restricted in situations
+ where only non-negative time periods are desirable,
+ (i.e., range '0..max').";
+ }
+
+ typedef centiseconds32 {
+ type int32;
+ units "centiseconds";
+ description
+ "A period of time, measured in units of 10^-2 seconds.
+
+ The maximum time period that can be expressed is in the
+ range [-248 days 13:13:56 to 248 days 13:13:56].
+
+ This type should be range restricted in situations
+ where only non-negative time periods are desirable,
+ (i.e., range '0..max').";
+ }
+
+ typedef milliseconds32 {
+ type int32;
+ units "milliseconds";
+ description
+ "A period of time, measured in units of 10^-3 seconds.
+
+ The maximum time period that can be expressed is in the
+ range [-24 days 20:31:23 to 24 days 20:31:23].
+
+ This type should be range restricted in situations
+ where only non-negative time periods are desirable,
+ (i.e., range '0..max').";
+ }
+
+ typedef microseconds32 {
+ type int32;
+ units "microseconds";
+ description
+ "A period of time, measured in units of 10^-6 seconds.
+
+ The maximum time period that can be expressed is in the
+ range [-00:35:47 to 00:35:47].
+
+ This type should be range restricted in situations
+ where only non-negative time periods are desirable,
+ (i.e., range '0..max').";
+ }
+
+ typedef microseconds64 {
+ type int64;
+ units "microseconds";
+ description
+ "A period of time, measured in units of 10^-6 seconds.
+
+ The maximum time period that can be expressed is in the
+ range [-106751991 days 04:00:54 to 106751991 days 04:00:54].
+
+ This type should be range restricted in situations
+ where only non-negative time periods are desirable,
+ (i.e., range '0..max').";
+ }
+
+ typedef nanoseconds32 {
+ type int32;
+ units "nanoseconds";
+ description
+ "A period of time, measured in units of 10^-9 seconds.
+
+ The maximum time period that can be expressed is in the
+ range [-00:00:02 to 00:00:02].
+
+ This type should be range restricted in situations
+ where only non-negative time periods are desirable,
+ (i.e., range '0..max').";
+ }
+
+ typedef nanoseconds64 {
+ type int64;
+ units "nanoseconds";
+ description
+ "A period of time, measured in units of 10^-9 seconds.
+
+ The maximum time period that can be expressed is in the
+ range [-106753 days 23:12:44 to 106752 days 0:47:16].
+
+ This type should be range restricted in situations
+ where only non-negative time periods are desirable,
+ (i.e., range '0..max').";
+ }
+
+ typedef timeticks {
+ type uint32;
+ description
+ "The timeticks type represents a non-negative integer that
+ represents the time, modulo 2^32 (4294967296 decimal), in
+ hundredths of a second between two epochs. When a schema
+ node is defined that uses this type, the description of
+ the schema node identifies both of the reference epochs.
+
+ In the value set and its semantics, this type is equivalent
+ to the TimeTicks type of the SMIv2.";
+ reference
+ "RFC 2578: Structure of Management Information Version 2
+ (SMIv2)";
+ }
+
+ typedef timestamp {
+ type yang:timeticks;
+ description
+ "The timestamp type represents the value of an associated
+ timeticks schema node instance at which a specific occurrence
+ happened. The specific occurrence must be defined in the
+ description of any schema node defined using this type. When
+ the specific occurrence occurred prior to the last time the
+ associated timeticks schema node instance was zero, then the
+ timestamp value is zero.
+
+ Note that this requires all timestamp values to be reset to
+ zero when the value of the associated timeticks schema node
+ instance reaches 497+ days and wraps around to zero.
+
+ The associated timeticks schema node must be specified
+ in the description of any schema node using this type.
+
+ In the value set and its semantics, this type is equivalent
+ to the TimeStamp textual convention of the SMIv2.";
+ reference
+ "RFC 2579: Textual Conventions for SMIv2";
+ }
+
+ /*** collection of generic address types ***/
+
+ typedef phys-address {
+ type string {
+ pattern '([0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*)?';
+ }
+ description
+ "Represents media- or physical-level addresses represented
+ as a sequence octets, each octet represented by two hexadecimal
+ numbers. Octets are separated by colons. The canonical
+ representation uses lowercase characters.
+
+ In the value set and its semantics, this type is equivalent
+ to the PhysAddress textual convention of the SMIv2.";
+ reference
+ "RFC 2579: Textual Conventions for SMIv2";
+ }
+
+ typedef mac-address {
+ type string {
+ pattern '[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}';
+ }
+ description
+ "The mac-address type represents an IEEE 802 MAC address.
+ The canonical representation uses lowercase characters.
+
+ In the value set and its semantics, this type is equivalent
+ to the MacAddress textual convention of the SMIv2.";
+ reference
+ "IEEE 802: IEEE Standard for Local and Metropolitan Area
+ Networks: Overview and Architecture
+ RFC 2579: Textual Conventions for SMIv2";
+ }
+
+ /*** collection of XML-specific types ***/
+ typedef xpath1.0 {
+ type string;
+ description
+ "This type represents an XPATH 1.0 expression.
+
+ When a schema node is defined that uses this type, the
+ description of the schema node MUST specify the XPath
+ context in which the XPath expression is evaluated.";
+ reference
+ "XPATH: XML Path Language (XPath) Version 1.0";
+ }
+
+ /*
+ * DISCUSS:
+ * - How do we deal with xpath expressions in other encodings
+ * such as JSON. Do we assume an xpath context populated with
+ * module names such that module names can be used to qualify
+ * path expressions. This may need discussion and/or a new
+ * definition.
+ * - This interacts with the definition of node-instance-identifier.
+ */
+
+ /*** collection of string types ***/
+
+ typedef hex-string {
+ type string {
+ pattern '([0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*)?';
+ }
+ description
+ "A hexadecimal string with octets represented as hex digits
+ separated by colons. The canonical representation uses
+ lowercase characters.";
+ }
+
+ typedef uuid {
+ type string {
+ pattern '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-'
+ + '[0-9a-fA-F]{4}-[0-9a-fA-F]{12}';
+ }
+ description
+ "A Universally Unique IDentifier in the string representation
+ defined in RFC 4122. The canonical representation uses
+ lowercase characters.
+
+ The following is an example of a UUID in string representation:
+ f81d4fae-7dec-11d0-a765-00a0c91e6bf6
+ ";
+ reference
+ "RFC 4122: A Universally Unique IDentifier (UUID) URN
+ Namespace";
+ }
+
+ typedef dotted-quad {
+ type string {
+ pattern
+ '(([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}'
+ + '([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])';
+ }
+ description
+ "An unsigned 32-bit number expressed in the dotted-quad
+ notation, i.e., four octets written as decimal numbers
+ and separated with the '.' (full stop) character.";
+ }
+
+ /*** collection of YANG specific types ***/
+
+ typedef yang-identifier {
+ type string {
+ length "1..max";
+ pattern '[a-zA-Z_][a-zA-Z0-9\-_.]*';
+ pattern '.|..|[^xX].*|.[^mM].*|..[^lL].*';
+ }
+ description
+ "A YANG identifier string as defined by the 'identifier'
+ rule in Section 12 of RFC 6020. An identifier must
+ start with an alphabetic character or an underscore
+ followed by an arbitrary sequence of alphabetic or
+ numeric characters, underscores, hyphens, or dots.
+
+ A YANG identifier MUST NOT start with any possible
+ combination of the lowercase or uppercase character
+ sequence 'xml'.";
+ reference
+ "RFC 6020: YANG - A Data Modeling Language for the Network
+ Configuration Protocol (NETCONF)";
+ }
+
+ typedef revision-identifier {
+ type date {
+ pattern '\d{4}-\d{2}-\d{2}';
+ }
+ description
+ "Represents a specific revision of a YANG module by means of
+ a date value without a time zone.";
+ }
+
+ typedef node-instance-identifier {
+ type xpath1.0;
+ description
+ "Path expression used to represent a data node, action,
+ or notification instance-identifier string.
+
+ A node-instance-identifier value is an unrestricted
+ YANG instance-identifier expression or the special
+ value '/', which refers to the entire accessible tree.
+
+ All the rules for instance-identifier apply, except that
+ predicates for keys are optional. If a key predicate is
+ missing, then the node-instance-identifier represents all
+ possible server instances for that key.
+
+ This XML Path Language (XPath) expression is evaluated in the
+ following context:
+
+ o The set of namespace declarations are those in scope on
+ the leaf element where this type is used.
+
+ o The set of variable bindings contains one variable,
+ 'USER', which contains the name of the user of the
+ current session.
+
+ o The function library is the core function library, but
+ note that due to the syntax restrictions of an
+ instance-identifier, no functions are allowed.
+
+ o The context node is the root node in the data tree.
+
+ The accessible tree includes actions and notifications tied
+ to data nodes.";
+ }
+
+ /*
+ * DISCUSS:
+ * - This is taken from RFC 8341 and the idea is that this definition
+ * is useful without requiring a dependency on NACM
+ * - What does the second bullet actually do? Do we keep this?
+ * - This interacts with the definition of xpath1.0.
+ */
+
+ /* DISCUSS:
+ * - It was suggested to add types for longitude, latitude,
+ * postal code, country-code. Do we go there or do we leave
+ * these for other modules to define? It seems such definitions
+ * should go into draft-ietf-netmod-geo-location.
+ */
+
+ /* DISCUSS:
+ * - It was suggested to add percentage types but they tend to differ
+ * widely. However, percentages are also widely used.
+ */
+}
Code Review / smo / teiv.git / commitdiff