--- /dev/null
+module ietf-crypto-types {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
+ prefix ct;
+
+ import ietf-yang-types {
+ prefix yang;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: <http://datatracker.ietf.org/wg/netconf/>
+ WG List: <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Author: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>";
+
+ description
+ "This module defines common YANG types for cryptographic
+ applications.
+
+ Copyright (c) 2019 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Simplified
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX
+ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
+ itself for full legal notices.;
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2019-04-29 {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: Common YANG Data Types for Cryptography";
+ }
+
+ /**************************************/
+ /* Identities for Hash Algorithms */
+ /**************************************/
+
+ identity hash-algorithm {
+ description
+ "A base identity for hash algorithm verification.";
+ }
+
+ identity sha-224 {
+ base hash-algorithm;
+ description
+ "The SHA-224 algorithm.";
+ reference
+ "RFC 6234: US Secure Hash Algorithms.";
+ }
+ identity sha-256 {
+ base hash-algorithm;
+ description
+ "The SHA-256 algorithm.";
+ reference
+ "RFC 6234: US Secure Hash Algorithms.";
+ }
+
+ identity sha-384 {
+ base hash-algorithm;
+ description
+ "The SHA-384 algorithm.";
+ reference
+ "RFC 6234: US Secure Hash Algorithms.";
+ }
+
+ identity sha-512 {
+ base hash-algorithm;
+ description
+ "The SHA-512 algorithm.";
+ reference
+ "RFC 6234: US Secure Hash Algorithms.";
+ }
+
+ /***********************************************/
+ /* Identities for Asymmetric Key Algorithms */
+ /***********************************************/
+
+ identity asymmetric-key-algorithm {
+ description
+ "Base identity from which all asymmetric key
+ encryption Algorithm.";
+ }
+
+ identity rsa1024 {
+ base asymmetric-key-algorithm;
+ description
+ "The RSA algorithm using a 1024-bit key.";
+ reference
+ "RFC 8017:
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";
+ }
+
+ identity rsa2048 {
+ base asymmetric-key-algorithm;
+ description
+ "The RSA algorithm using a 2048-bit key.";
+ reference
+ "RFC 8017:
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";
+ }
+
+ identity rsa3072 {
+ base asymmetric-key-algorithm;
+ description
+ "The RSA algorithm using a 3072-bit key.";
+ reference
+ "RFC 8017:
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";
+ }
+
+ identity rsa4096 {
+ base asymmetric-key-algorithm;
+ description
+ "The RSA algorithm using a 4096-bit key.";
+ reference
+ "RFC 8017:
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";
+ }
+
+ identity rsa7680 {
+ base asymmetric-key-algorithm;
+ description
+ "The RSA algorithm using a 7680-bit key.";
+ reference
+ "RFC 8017:
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";
+ }
+
+ identity rsa15360 {
+ base asymmetric-key-algorithm;
+ description
+ "The RSA algorithm using a 15360-bit key.";
+ reference
+ "RFC 8017:
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";
+ }
+
+ identity secp192r1 {
+ base asymmetric-key-algorithm;
+ description
+ "The ECDSA algorithm using a NIST P256 Curve.";
+ reference
+ "RFC 6090:
+ Fundamental Elliptic Curve Cryptography Algorithms.";
+ }
+ identity secp224r1 {
+ base asymmetric-key-algorithm;
+ description
+ "The ECDSA algorithm using a NIST P256 Curve.";
+ reference
+ "RFC 6090:
+ Fundamental Elliptic Curve Cryptography Algorithms.";
+ }
+
+ identity secp256r1 {
+ base asymmetric-key-algorithm;
+ description
+ "The ECDSA algorithm using a NIST P256 Curve.";
+ reference
+ "RFC 6090:
+ Fundamental Elliptic Curve Cryptography Algorithms.";
+ }
+
+ identity secp384r1 {
+ base asymmetric-key-algorithm;
+ description
+ "The ECDSA algorithm using a NIST P256 Curve.";
+ reference
+ "RFC 6090:
+ Fundamental Elliptic Curve Cryptography Algorithms.";
+ }
+
+ identity secp521r1 {
+ base asymmetric-key-algorithm;
+ description
+ "The ECDSA algorithm using a NIST P256 Curve.";
+ reference
+ "RFC 6090:
+ Fundamental Elliptic Curve Cryptography Algorithms.";
+ }
+
+ /*************************************/
+ /* Identities for MAC Algorithms */
+ /*************************************/
+
+ identity mac-algorithm {
+ description
+ "A base identity for mac generation.";
+ }
+
+ identity hmac-sha1 {
+ base mac-algorithm;
+ description
+ "Generating MAC using SHA1 hash function";
+ reference
+ "RFC 3174: US Secure Hash Algorithm 1 (SHA1)";
+ }
+
+ identity hmac-sha1-96 {
+ base mac-algorithm;
+ description
+ "Generating MAC using SHA1 hash function";
+ reference
+ "RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH";
+ }
+
+ identity hmac-sha2-224 {
+ base mac-algorithm;
+ description
+ "Generating MAC using SHA2 hash function";
+ reference
+ "RFC 6234:
+ US Secure Hash Algorithms (SHA and SHA-based HMAC and
+ HKDF)";
+ }
+
+ identity hmac-sha2-256 {
+ base mac-algorithm;
+ description
+ "Generating MAC using SHA2 hash function";
+ reference
+ "RFC 6234:
+ US Secure Hash Algorithms (SHA and SHA-based HMAC and
+ HKDF)";
+ }
+
+ identity hmac-sha2-256-128 {
+ base mac-algorithm;
+ description
+ "Generating a 256 bits MAC using SHA2 hash function and
+ truncate it to 128 bits";
+ reference
+ "RFC 4868:
+ Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
+ with IPsec";
+ }
+
+ identity hmac-sha2-384 {
+ base mac-algorithm;
+ description
+ "Generating MAC using SHA2 hash function";
+ reference
+ "RFC 6234:
+ US Secure Hash Algorithms (SHA and SHA-based HMAC and
+ HKDF)";
+ }
+
+ identity hmac-sha2-384-192 {
+ base mac-algorithm;
+ description
+ "Generating a 384 bits MAC using SHA2 hash function and
+ truncate it to 192 bits";
+ reference
+ "RFC 4868:
+ Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with
+ IPsec";
+ }
+
+ identity hmac-sha2-512 {
+ base mac-algorithm;
+ description
+ "Generating MAC using SHA2 hash function";
+ reference
+ "RFC 6234:
+ US Secure Hash Algorithms (SHA and SHA-based HMAC and
+ HKDF)";
+ }
+
+ identity hmac-sha2-512-256 {
+ base mac-algorithm;
+ description
+ "Generating a 512 bits MAC using SHA2 hash function and
+ truncating it to 256 bits";
+ reference
+ "RFC 4868:
+ Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with
+ IPsec";
+ }
+
+ identity aes-128-gmac {
+ base mac-algorithm;
+ description
+ "Generating MAC using the Advanced Encryption Standard (AES)
+ Galois Message Authentication Code (GMAC) as a mechanism to
+ provide data origin authentication";
+ reference
+ "RFC 4543:
+ The Use of Galois Message Authentication Code (GMAC) in
+ IPsec ESP and AH";
+ }
+
+ identity aes-192-gmac {
+ base mac-algorithm;
+ description
+ "Generating MAC using the Advanced Encryption Standard (AES)
+ Galois Message Authentication Code (GMAC) as a mechanism to
+ provide data origin authentication";
+ reference
+ "RFC 4543:
+ The Use of Galois Message Authentication Code (GMAC) in
+ IPsec ESP and AH";
+ }
+
+ identity aes-256-gmac {
+ base mac-algorithm;
+ description
+ "Generating MAC using the Advanced Encryption Standard (AES)
+ Galois Message Authentication Code (GMAC) as a mechanism to
+ provide data origin authentication";
+ reference
+ "RFC 4543:
+ The Use of Galois Message Authentication Code (GMAC) in
+ IPsec ESP and AH";
+ }
+
+ identity aes-cmac-96 {
+ base mac-algorithm;
+ description
+ "Generating MAC using Advanced Encryption Standard (AES)
+ Cipher-based Message Authentication Code (CMAC)";
+ reference
+ "RFC 4494: The AES-CMAC-96 Algorithm and its Use with IPsec";
+ }
+
+ identity aes-cmac-128 {
+ base mac-algorithm;
+ description
+ "Generating MAC using Advanced Encryption Standard (AES)
+ Cipher-based Message Authentication Code (CMAC)";
+ reference
+ "RFC 4493: The AES-CMAC Algorithm";
+ }
+
+ /********************************************/
+ /* Identities for Encryption Algorithms */
+ /********************************************/
+
+ identity encryption-algorithm {
+ description
+ "A base identity for encryption algorithm.";
+ }
+
+ identity aes-128-cbc {
+ base encryption-algorithm;
+ description
+ "Encrypt message with AES algorithm in CBC mode with a key
+ length of 128 bits";
+ reference
+ "RFC 3565:
+ Use of the Advanced Encryption Standard (AES) Encryption
+ Algorithm in Cryptographic Message Syntax (CMS)";
+ }
+
+ identity aes-192-cbc {
+ base encryption-algorithm;
+ description
+ "Encrypt message with AES algorithm in CBC mode with a key
+ length of 192 bits";
+ reference
+ "RFC 3565:
+ Use of the Advanced Encryption Standard (AES) Encryption
+ Algorithm in Cryptographic Message Syntax (CMS)";
+ }
+
+ identity aes-256-cbc {
+ base encryption-algorithm;
+ description
+ "Encrypt message with AES algorithm in CBC mode with a key
+ length of 256 bits";
+ reference
+ "RFC 3565:
+ Use of the Advanced Encryption Standard (AES) Encryption
+ Algorithm in Cryptographic Message Syntax (CMS)";
+ }
+
+ identity aes-128-ctr {
+ base encryption-algorithm;
+ description
+ "Encrypt message with AES algorithm in CTR mode with a key
+ length of 128 bits";
+ reference
+ "RFC 3686:
+ Using Advanced Encryption Standard (AES) Counter Mode with
+ IPsec Encapsulating Security Payload (ESP)";
+ }
+ identity aes-192-ctr {
+ base encryption-algorithm;
+ description
+ "Encrypt message with AES algorithm in CTR mode with a key
+ length of 192 bits";
+ reference
+ "RFC 3686:
+ Using Advanced Encryption Standard (AES) Counter Mode with
+ IPsec Encapsulating Security Payload (ESP)";
+ }
+
+ identity aes-256-ctr {
+ base encryption-algorithm;
+ description
+ "Encrypt message with AES algorithm in CTR mode with a key
+ length of 256 bits";
+ reference
+ "RFC 3686:
+ Using Advanced Encryption Standard (AES) Counter Mode with
+ IPsec Encapsulating Security Payload (ESP)";
+ }
+
+ /****************************************************/
+ /* Identities for Encryption and MAC Algorithms */
+ /****************************************************/
+
+ identity encryption-and-mac-algorithm {
+ description
+ "A base identity for encryption and MAC algorithm.";
+ }
+
+ identity aes-128-ccm {
+ base encryption-and-mac-algorithm;
+ description
+ "Encrypt message with AES algorithm in CCM mode with a key
+ length of 128 bits; it can also be used for generating MAC";
+ reference
+ "RFC 4309:
+ Using Advanced Encryption Standard (AES) CCM Mode with
+ IPsec Encapsulating Security Payload (ESP)";
+ }
+
+ identity aes-192-ccm {
+ base encryption-and-mac-algorithm;
+ description
+ "Encrypt message with AES algorithm in CCM mode with a key
+ length of 192 bits; it can also be used for generating MAC";
+ reference
+ "RFC 4309:
+ Using Advanced Encryption Standard (AES) CCM Mode with
+ IPsec Encapsulating Security Payload (ESP)";
+ }
+
+ identity aes-256-ccm {
+ base encryption-and-mac-algorithm;
+ description
+ "Encrypt message with AES algorithm in CCM mode with a key
+ length of 256 bits; it can also be used for generating MAC";
+ reference
+ "RFC 4309:
+ Using Advanced Encryption Standard (AES) CCM Mode with
+ IPsec Encapsulating Security Payload (ESP)";
+ }
+
+ identity aes-128-gcm {
+ base encryption-and-mac-algorithm;
+ description
+ "Encrypt message with AES algorithm in GCM mode with a key
+ length of 128 bits; it can also be used for generating MAC";
+ reference
+ "RFC 4106:
+ The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
+ Security Payload (ESP)";
+ }
+
+ identity aes-192-gcm {
+ base encryption-and-mac-algorithm;
+ description
+ "Encrypt message with AES algorithm in GCM mode with a key
+ length of 192 bits; it can also be used for generating MAC";
+ reference
+ "RFC 4106:
+ The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
+ Security Payload (ESP)";
+ }
+
+ identity mac-aes-256-gcm {
+ base encryption-and-mac-algorithm;
+ description
+ "Encrypt message with AES algorithm in GCM mode with a key
+ length of 128 bits; it can also be used for generating MAC";
+ reference
+ "RFC 4106:
+ The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
+ Security Payload (ESP)";
+ }
+ identity chacha20-poly1305 {
+ base encryption-and-mac-algorithm;
+ description
+ "Encrypt message with chacha20 algorithm and generate MAC with
+ POLY1305; it can also be used for generating MAC";
+ reference
+ "RFC 8439: ChaCha20 and Poly1305 for IETF Protocols";
+ }
+
+ /******************************************/
+ /* Identities for signature algorithm */
+ /******************************************/
+
+ identity signature-algorithm {
+ description
+ "A base identity for asymmetric key encryption algorithm.";
+ }
+
+ identity dsa-sha1 {
+ base signature-algorithm;
+ description
+ "The signature algorithm using DSA algorithm with SHA1 hash
+ algorithm";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity rsassa-pkcs1-sha1 {
+ base signature-algorithm;
+ description
+ "The signature algorithm using RSASSA-PKCS1-v1_5 with the SHA1
+ hash algorithm.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity rsassa-pkcs1-sha256 {
+ base signature-algorithm;
+ description
+ "The signature algorithm using RSASSA-PKCS1-v1_5 with the
+ SHA256 hash algorithm.";
+ reference
+ "RFC 8332:
+ Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell
+ (SSH) Protocol
+ RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+ identity rsassa-pkcs1-sha384 {
+ base signature-algorithm;
+ description
+ "The signature algorithm using RSASSA-PKCS1-v1_5 with the
+ SHA384 hash algorithm.";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity rsassa-pkcs1-sha512 {
+ base signature-algorithm;
+ description
+ "The signature algorithm using RSASSA-PKCS1-v1_5 with the
+ SHA512 hash algorithm.";
+ reference
+ "RFC 8332:
+ Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell
+ (SSH) Protocol
+ RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity rsassa-pss-rsae-sha256 {
+ base signature-algorithm;
+ description
+ "The signature algorithm using RSASSA-PSS with mask generation
+ function 1 and SHA256 hash algorithm. If the public key is
+ carried in an X.509 certificate, it MUST use the rsaEncryption
+ OID";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity rsassa-pss-rsae-sha384 {
+ base signature-algorithm;
+ description
+ "The signature algorithm using RSASSA-PSS with mask generation
+ function 1 and SHA384 hash algorithm. If the public key is
+ carried in an X.509 certificate, it MUST use the rsaEncryption
+ OID";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity rsassa-pss-rsae-sha512 {
+ base signature-algorithm;
+ description
+ "The signature algorithm using RSASSA-PSS with mask generation
+ function 1 and SHA512 hash algorithm. If the public key is
+ carried in an X.509 certificate, it MUST use the rsaEncryption
+ OID";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity rsassa-pss-pss-sha256 {
+ base signature-algorithm;
+ description
+ "The signature algorithm using RSASSA-PSS with mask generation
+ function 1 and SHA256 hash algorithm. If the public key is
+ carried in an X.509 certificate, it MUST use the RSASSA-PSS
+ OID";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity rsassa-pss-pss-sha384 {
+ base signature-algorithm;
+ description
+ "The signature algorithm using RSASSA-PSS with mask generation
+ function 1 and SHA256 hash algorithm. If the public key is
+ carried in an X.509 certificate, it MUST use the RSASSA-PSS
+ OID";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity rsassa-pss-pss-sha512 {
+ base signature-algorithm;
+ description
+ "The signature algorithm using RSASSA-PSS with mask generation
+ function 1 and SHA256 hash algorithm. If the public key is
+ carried in an X.509 certificate, it MUST use the RSASSA-PSS
+ OID";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity ecdsa-secp256r1-sha256 {
+ base signature-algorithm;
+ description
+ "The signature algorithm using ECDSA with curve name secp256r1
+ and SHA256 hash algorithm.";
+ reference
+ "RFC 5656: Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer
+ RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity ecdsa-secp384r1-sha384 {
+ base signature-algorithm;
+ description
+ "The signature algorithm using ECDSA with curve name secp384r1
+ and SHA384 hash algorithm.";
+ reference
+ "RFC 5656: Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer
+ RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity ecdsa-secp521r1-sha512 {
+ base signature-algorithm;
+ description
+ "The signature algorithm using ECDSA with curve name secp521r1
+ and SHA512 hash algorithm.";
+ reference
+ "RFC 5656: Elliptic Curve Algorithm Integration in the
+ Secure Shell Transport Layer
+ RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity ed25519 {
+ base signature-algorithm;
+ description
+ "The signature algorithm using EdDSA as defined in RFC 8032 or
+ its successors.";
+ reference
+ "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";
+ }
+
+ identity ed448 {
+ base signature-algorithm;
+ description
+ "The signature algorithm using EdDSA as defined in RFC 8032 or
+ its successors.";
+ reference
+ "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";
+ }
+
+ identity eccsi {
+ base signature-algorithm;
+ description
+ "The signature algorithm using ECCSI signature as defined in
+ RFC 6507.";
+ reference
+ "RFC 6507:
+ Elliptic Curve-Based Certificateless Signatures for
+ Identity-based Encryption (ECCSI)";
+ }
+
+ /**********************************************/
+ /* Identities for key exchange algorithms */
+ /**********************************************/
+
+ identity key-exchange-algorithm {
+ description
+ "A base identity for Diffie-Hellman based key exchange
+ algorithm.";
+ }
+
+ identity psk-only {
+ base key-exchange-algorithm;
+ description
+ "Using Pre-shared key for authentication and key exchange";
+ reference
+ "RFC 4279:
+ Pre-Shared Key cipher suites for Transport Layer Security
+ (TLS)";
+ }
+
+ identity dhe-ffdhe2048 {
+ base key-exchange-algorithm;
+ description
+ "Ephemeral Diffie Hellman key exchange with 2048 bit
+ finite field";
+ reference
+ "RFC 7919:
+ Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
+ for Transport Layer Security (TLS)";
+ }
+
+ identity dhe-ffdhe3072 {
+ base key-exchange-algorithm;
+ description
+ "Ephemeral Diffie Hellman key exchange with 3072 bit finite
+ field";
+ reference
+ "RFC 7919:
+ Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
+ for Transport Layer Security (TLS)";
+ }
+
+ identity dhe-ffdhe4096 {
+ base key-exchange-algorithm;
+ description
+ "Ephemeral Diffie Hellman key exchange with 4096 bit
+ finite field";
+ reference
+ "RFC 7919:
+ Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
+ for Transport Layer Security (TLS)";
+ }
+
+ identity dhe-ffdhe6144 {
+ base key-exchange-algorithm;
+ description
+ "Ephemeral Diffie Hellman key exchange with 6144 bit
+ finite field";
+ reference
+ "RFC 7919:
+ Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
+ for Transport Layer Security (TLS)";
+ }
+
+ identity dhe-ffdhe8192 {
+ base key-exchange-algorithm;
+ description
+ "Ephemeral Diffie Hellman key exchange with 8192 bit
+ finite field";
+ reference
+ "RFC 7919:
+ Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
+ for Transport Layer Security (TLS)";
+ }
+
+ identity psk-dhe-ffdhe2048 {
+ base key-exchange-algorithm;
+ description
+ "Key exchange using pre-shared key with Diffie-Hellman key
+ generation mechanism, where the DH group is FFDHE2048";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity psk-dhe-ffdhe3072 {
+ base key-exchange-algorithm;
+ description
+ "Key exchange using pre-shared key with Diffie-Hellman key
+ generation mechanism, where the DH group is FFDHE3072";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity psk-dhe-ffdhe4096 {
+ base key-exchange-algorithm;
+ description
+ "Key exchange using pre-shared key with Diffie-Hellman key
+ generation mechanism, where the DH group is FFDHE4096";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity psk-dhe-ffdhe6144 {
+ base key-exchange-algorithm;
+ description
+ "Key exchange using pre-shared key with Diffie-Hellman key
+ generation mechanism, where the DH group is FFDHE6144";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity psk-dhe-ffdhe8192 {
+ base key-exchange-algorithm;
+ description
+ "Key exchange using pre-shared key with Diffie-Hellman key
+ generation mechanism, where the DH group is FFDHE8192";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity ecdhe-secp256r1 {
+ base key-exchange-algorithm;
+ description
+ "Ephemeral Diffie Hellman key exchange with elliptic group
+ over curve secp256r1";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity ecdhe-secp384r1 {
+ base key-exchange-algorithm;
+ description
+ "Ephemeral Diffie Hellman key exchange with elliptic group
+ over curve secp384r1";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity ecdhe-secp521r1 {
+ base key-exchange-algorithm;
+ description
+ "Ephemeral Diffie Hellman key exchange with elliptic group
+ over curve secp521r1";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity ecdhe-x25519 {
+ base key-exchange-algorithm;
+ description
+ "Ephemeral Diffie Hellman key exchange with elliptic group
+ over curve x25519";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity ecdhe-x448 {
+ base key-exchange-algorithm;
+ description
+ "Ephemeral Diffie Hellman key exchange with elliptic group
+ over curve x448";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites for
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";
+ }
+
+ identity psk-ecdhe-secp256r1 {
+ base key-exchange-algorithm;
+ description
+ "Key exchange using pre-shared key with elliptic group-based
+ Ephemeral Diffie Hellman key exchange over curve secp256r1";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity psk-ecdhe-secp384r1 {
+ base key-exchange-algorithm;
+ description
+ "Key exchange using pre-shared key with elliptic group-based
+ Ephemeral Diffie Hellman key exchange over curve secp384r1";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity psk-ecdhe-secp521r1 {
+ base key-exchange-algorithm;
+ description
+ "Key exchange using pre-shared key with elliptic group-based
+ Ephemeral Diffie Hellman key exchange over curve secp521r1";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity psk-ecdhe-x25519 {
+ base key-exchange-algorithm;
+ description
+ "Key exchange using pre-shared key with elliptic group-based
+ Ephemeral Diffie Hellman key exchange over curve x25519";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity psk-ecdhe-x448 {
+ base key-exchange-algorithm;
+ description
+ "Key exchange using pre-shared key with elliptic group-based
+ Ephemeral Diffie Hellman key exchange over curve x448";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol Version 1.3";
+ }
+
+ identity diffie-hellman-group14-sha1 {
+ base key-exchange-algorithm;
+ description
+ "Using DH group14 and SHA1 for key exchange";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity diffie-hellman-group14-sha256 {
+ base key-exchange-algorithm;
+ description
+ "Using DH group14 and SHA256 for key exchange";
+ reference
+ "RFC 8268:
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";
+ }
+
+ identity diffie-hellman-group15-sha512 {
+ base key-exchange-algorithm;
+ description
+ "Using DH group15 and SHA512 for key exchange";
+ reference
+ "RFC 8268:
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";
+ }
+
+ identity diffie-hellman-group16-sha512 {
+ base key-exchange-algorithm;
+ description
+ "Using DH group16 and SHA512 for key exchange";
+ reference
+ "RFC 8268:
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";
+ }
+
+ identity diffie-hellman-group17-sha512 {
+ base key-exchange-algorithm;
+ description
+ "Using DH group17 and SHA512 for key exchange";
+
+ reference
+ "RFC 8268:
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";
+ }
+
+ identity diffie-hellman-group18-sha512 {
+ base key-exchange-algorithm;
+ description
+ "Using DH group18 and SHA512 for key exchange";
+ reference
+ "RFC 8268:
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";
+ }
+
+ identity ecdh-sha2-secp256r1 {
+ base key-exchange-algorithm;
+ description
+ "Elliptic curve-based Diffie Hellman key exchange over curve
+ secp256r1 and using SHA2 for MAC generation";
+ reference
+ "RFC 6239: Suite B Cryptographic Suites for Secure Shell
+ (SSH)";
+ }
+
+ identity ecdh-sha2-secp384r1 {
+ base key-exchange-algorithm;
+ description
+ "Elliptic curve-based Diffie Hellman key exchange over curve
+ secp384r1 and using SHA2 for MAC generation";
+ reference
+ "RFC 6239: Suite B Cryptographic Suites for Secure Shell
+ (SSH)";
+ }
+
+ identity rsaes-oaep {
+ base key-exchange-algorithm;
+ description
+ "RSAES-OAEP combines the RSAEP and RSADP primitives with the
+ EME-OAEP encoding method";
+ reference
+ "RFC 8017:
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";
+ }
+
+ identity rsaes-pkcs1-v1_5 {
+ base key-exchange-algorithm;
+ description
+ " RSAES-PKCS1-v1_5 combines the RSAEP and RSADP primitives
+ with the EME-PKCS1-v1_5 encoding method";
+ reference
+ "RFC 8017:
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";
+ }
+
+ /**********************************************************/
+ /* Typedefs for identityrefs to above base identities */
+ /**********************************************************/
+
+ typedef hash-algorithm-ref {
+ type identityref {
+ base hash-algorithm;
+ }
+ description
+ "This typedef enables importing modules to easily define an
+ identityref to the 'hash-algorithm' base identity.";
+ }
+
+ typedef signature-algorithm-ref {
+ type identityref {
+ base signature-algorithm;
+ }
+ description
+ "This typedef enables importing modules to easily define an
+ identityref to the 'signature-algorithm' base identity.";
+ }
+
+ typedef mac-algorithm-ref {
+ type identityref {
+ base mac-algorithm;
+ }
+ description
+ "This typedef enables importing modules to easily define an
+ identityref to the 'mac-algorithm' base identity.";
+ }
+
+ typedef encryption-algorithm-ref {
+ type identityref {
+ base encryption-algorithm;
+ }
+ description
+ "This typedef enables importing modules to easily define an
+ identityref to the 'encryption-algorithm'
+ base identity.";
+ }
+
+ typedef encryption-and-mac-algorithm-ref {
+ type identityref {
+ base encryption-and-mac-algorithm;
+ }
+ description
+ "This typedef enables importing modules to easily define an
+ identityref to the 'encryption-and-mac-algorithm'
+ base identity.";
+ }
+
+ typedef asymmetric-key-algorithm-ref {
+ type identityref {
+ base asymmetric-key-algorithm;
+ }
+ description
+ "This typedef enables importing modules to easily define an
+ identityref to the 'asymmetric-key-algorithm'
+ base identity.";
+ }
+
+ typedef key-exchange-algorithm-ref {
+ type identityref {
+ base key-exchange-algorithm;
+ }
+ description
+ "This typedef enables importing modules to easily define an
+ identityref to the 'key-exchange-algorithm' base identity.";
+ }
+
+ /***************************************************/
+ /* Typedefs for ASN.1 structures from RFC 5280 */
+ /***************************************************/
+
+ typedef x509 {
+ type binary;
+ description
+ "A Certificate structure, as specified in RFC 5280,
+ encoded using ASN.1 distinguished encoding rules (DER),
+ as specified in ITU-T X.690.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ typedef crl {
+ type binary;
+ description
+ "A CertificateList structure, as specified in RFC 5280,
+ encoded using ASN.1 distinguished encoding rules (DER),
+ as specified in ITU-T X.690.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ /***********************************************/
+ /* Typedefs for ASN.1 structures from 5652 */
+ /***********************************************/
+
+ typedef cms {
+ type binary;
+ description
+ "A ContentInfo structure, as specified in RFC 5652,
+ encoded using ASN.1 distinguished encoding rules (DER),
+ as specified in ITU-T X.690.";
+ reference
+ "RFC 5652:
+ Cryptographic Message Syntax (CMS)
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ typedef data-content-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ data content type, as described by Section 4 in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef signed-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ signed-data content type, as described by Section 5 in
+ RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef enveloped-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ enveloped-data content type, as described by Section 6
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef digested-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ digested-data content type, as described by Section 7
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef encrypted-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ encrypted-data content type, as described by Section 8
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef authenticated-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ authenticated-data content type, as described by Section 9
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ /***************************************************/
+ /* Typedefs for structures related to RFC 4253 */
+ /***************************************************/
+
+ typedef ssh-host-key {
+ type binary;
+ description
+ "The binary public key data for this SSH key, as
+ specified by RFC 4253, Section 6.6, i.e.:
+
+ string certificate or public key format
+ identifier
+ byte[n] key/certificate data.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer
+ Protocol";
+ }
+
+ /*********************************************************/
+ /* Typedefs for ASN.1 structures related to RFC 5280 */
+ /*********************************************************/
+
+ typedef trust-anchor-cert-x509 {
+ type x509;
+ description
+ "A Certificate structure that MUST encode a self-signed
+ root certificate.";
+ }
+
+ typedef end-entity-cert-x509 {
+ type x509;
+ description
+ "A Certificate structure that MUST encode a certificate
+ that is neither self-signed nor having Basic constraint
+ CA true.";
+ }
+
+ /*********************************************************/
+ /* Typedefs for ASN.1 structures related to RFC 5652 */
+ /*********************************************************/
+
+ typedef trust-anchor-cert-cms {
+ type signed-data-cms;
+ description
+ "A CMS SignedData structure that MUST contain the chain of
+ X.509 certificates needed to authenticate the certificate
+ presented by a client or end-entity.
+
+ The CMS MUST contain only a single chain of certificates.
+ The client or end-entity certificate MUST only authenticate
+ to last intermediate CA certificate listed in the chain.
+
+ In all cases, the chain MUST include a self-signed root
+ certificate. In the case where the root certificate is
+ itself the issuer of the client or end-entity certificate,
+ only one certificate is present.
+
+ This CMS structure MAY (as applicable where this type is
+ used) also contain suitably fresh (as defined by local
+ policy) revocation objects with which the device can
+ verify the revocation status of the certificates.
+
+ This CMS encodes the degenerate form of the SignedData
+ structure that is commonly used to disseminate X.509
+ certificates and revocation objects (RFC 5280).";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile.";
+ }
+
+ typedef end-entity-cert-cms {
+ type signed-data-cms;
+ description
+ "A CMS SignedData structure that MUST contain the end
+ entity certificate itself, and MAY contain any number
+ of intermediate certificates leading up to a trust
+ anchor certificate. The trust anchor certificate
+ MAY be included as well.
+
+ The CMS MUST contain a single end entity certificate.
+ The CMS MUST NOT contain any spurious certificates.
+
+ This CMS structure MAY (as applicable where this type is
+ used) also contain suitably fresh (as defined by local
+ policy) revocation objects with which the device can
+ verify the revocation status of the certificates.
+
+ This CMS encodes the degenerate form of the SignedData
+ structure that is commonly used to disseminate X.509
+ certificates and revocation objects (RFC 5280).";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile.";
+ }
+
+ /**********************************************/
+ /* Groupings for keys and/or certificates */
+ /**********************************************/
+
+ grouping public-key-grouping {
+ description
+ "A public key.
+
+ The 'algorithm' and 'public-key' nodes are not
+ mandatory because they MAY be defined in <operational>.
+ Implementations SHOULD assert that these values are
+ either configured or that they exist in <operational>.";
+ leaf algorithm {
+ nacm:default-deny-write;
+ type asymmetric-key-algorithm-ref;
+ must '../public-key';
+ description
+ "Identifies the key's algorithm. More specifically,
+ this leaf specifies how the 'public-key' binary leaf
+ is encoded.";
+ reference
+ "RFC CCCC: Common YANG Data Types for Cryptography";
+ }
+ leaf public-key {
+ nacm:default-deny-write;
+ type binary;
+ must '../algorithm';
+ description
+ "A binary that contains the value of the public key. The
+ interpretation of the content is defined by the key
+ algorithm. For example, a DSA key is an integer, an RSA
+ key is represented as RSAPublicKey as defined in
+ RFC 8017, and an Elliptic Curve Cryptography (ECC) key
+ is represented using the 'publicKey' described in
+ RFC 5915.";
+ reference
+ "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
+ RSA Cryptography Specifications Version 2.2.
+ RFC 5915: Elliptic Curve Private Key Structure.";
+ }
+ }
+
+ grouping asymmetric-key-pair-grouping {
+ description
+ "A private/public key pair.
+ The 'algorithm', 'public-key', and 'private-key' nodes are
+ not mandatory because they MAY be defined in <operational>.
+ Implementations SHOULD assert that these values are either
+ configured or that they exist in <operational>.";
+ uses public-key-grouping;
+ leaf private-key {
+ nacm:default-deny-all;
+ type union {
+ type binary;
+ type enumeration {
+ enum permanently-hidden {
+ description
+ "The private key is inaccessible due to being
+ protected by the system (e.g., a cryptographic
+ hardware module).
+
+ How such keys are backed-up and restored, if
+ at all, is implementation specific.
+
+ Servers MUST fail any attempt by a client to
+ configure this value directly. This value is
+ not set by clients, but rather is set by the
+ 'generate-hidden-key' and 'install-hidden-key'
+ actions.";
+ }
+ }
+ }
+ must '../public-key';
+ description
+ "A binary that contains the value of the private key. The
+ interpretation of the content is defined by the key
+ algorithm. For example, a DSA key is an integer, an RSA
+ key is represented as RSAPrivateKey as defined in
+ RFC 8017, and an Elliptic Curve Cryptography (ECC) key
+ is represented as ECPrivateKey as defined in RFC 5915.";
+ reference
+ "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
+ RSA Cryptography Specifications Version 2.2.
+ RFC 5915: Elliptic Curve Private Key Structure.";
+ } // private-key
+
+ action generate-hidden-key {
+ nacm:default-deny-all;
+ description
+ "Requests the device to generate a hidden key using the
+ specified asymmetric key algorithm. This action is
+ used to request the system to generate a key that is
+ 'permanently-hidden', perhaps protected by a cryptographic
+ hardware module. The resulting asymmetric key values are
+ considered operational state and hence present only in
+ <operational> and bound to the lifetime of the parent
+ 'config true' node. Subsequent invocations of this or
+ the 'install-hidden-key' action are denied with error-tag
+ 'data-exists'.";
+ input {
+ leaf algorithm {
+ type asymmetric-key-algorithm-ref;
+ mandatory true;
+ description
+ "The algorithm to be used when generating the
+ asymmetric key.";
+ reference
+ "RFC CCCC: Common YANG Data Types for Cryptography";
+ }
+ }
+ } // generate-hidden-key
+
+ action install-hidden-key {
+ nacm:default-deny-all;
+ description
+ "Requests the device to load the specified values into
+ a hidden key. The resulting asymmetric key values are
+ considered operational state and hence present only in
+ <operational> and bound to the lifetime of the parent
+ 'config true' node. Subsequent invocations of this
+ or the 'generate-hidden-key' action are denied with
+ error-tag 'data-exists'.";
+ input {
+ leaf algorithm {
+ type asymmetric-key-algorithm-ref;
+ mandatory true;
+ description
+ "The algorithm to be used when generating the
+ asymmetric key.";
+ reference
+ "RFC CCCC: Common YANG Data Types for Cryptography";
+ }
+ leaf public-key {
+ type binary;
+ description
+ "A binary that contains the value of the public key.
+ The interpretation of the content is defined by the key
+ algorithm. For example, a DSA key is an integer, an
+ RSA key is represented as RSAPublicKey as defined in
+ RFC 8017, and an Elliptic Curve Cryptography (ECC) key
+ is represented using the 'publicKey' described in
+ RFC 5915.";
+ reference
+ "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
+ RSA Cryptography Specifications Version 2.2.
+ RFC 5915: Elliptic Curve Private Key Structure.";
+ }
+ leaf private-key {
+ type binary;
+ description
+ "A binary that contains the value of the private key.
+ The interpretation of the content is defined by the key
+ algorithm. For example, a DSA key is an integer, an RSA
+ key is represented as RSAPrivateKey as defined in
+ RFC 8017, and an Elliptic Curve Cryptography (ECC) key
+ is represented as ECPrivateKey as defined in RFC 5915.";
+ reference
+ "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
+ RSA Cryptography Specifications Version 2.2.
+ RFC 5915: Elliptic Curve Private Key Structure.";
+ }
+ }
+ } // install-hidden-key
+ } // asymmetric-key-pair-grouping
+
+
+ grouping trust-anchor-cert-grouping {
+ description
+ "A trust anchor certificate, and a notification for when
+ it is about to (or already has) expire.";
+ leaf cert {
+ nacm:default-deny-write;
+ type trust-anchor-cert-cms;
+ description
+ "The binary certificate data for this certificate.";
+ reference
+ "RFC YYYY: Common YANG Data Types for Cryptography";
+ }
+ notification certificate-expiration {
+ description
+ "A notification indicating that the configured certificate
+ is either about to expire or has already expired. When to
+ send notifications is an implementation specific decision,
+ but it is RECOMMENDED that a notification be sent once a
+ month for 3 months, then once a week for four weeks, and
+ then once a day thereafter until the issue is resolved.";
+ leaf expiration-date {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "Identifies the expiration date on the certificate.";
+ }
+ }
+ }
+
+ grouping trust-anchor-certs-grouping {
+ description
+ "A list of trust anchor certificates, and a notification
+ for when one is about to (or already has) expire.";
+ leaf-list cert {
+ nacm:default-deny-write;
+ type trust-anchor-cert-cms;
+ description
+ "The binary certificate data for this certificate.";
+ reference
+ "RFC YYYY: Common YANG Data Types for Cryptography";
+ }
+ notification certificate-expiration {
+ description
+ "A notification indicating that the configured certificate
+ is either about to expire or has already expired. When to
+ send notifications is an implementation specific decision,
+ but it is RECOMMENDED that a notification be sent once a
+ month for 3 months, then once a week for four weeks, and
+ then once a day thereafter until the issue is resolved.";
+ leaf expiration-date {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "Identifies the expiration date on the certificate.";
+ }
+ }
+ }
+
+ grouping end-entity-cert-grouping {
+ description
+ "An end entity certificate, and a notification for when
+ it is about to (or already has) expire.";
+ leaf cert {
+ nacm:default-deny-write;
+ type end-entity-cert-cms;
+ description
+ "The binary certificate data for this certificate.";
+ reference
+ "RFC YYYY: Common YANG Data Types for Cryptography";
+ }
+ notification certificate-expiration {
+ description
+ "A notification indicating that the configured certificate
+ is either about to expire or has already expired. When to
+ send notifications is an implementation specific decision,
+ but it is RECOMMENDED that a notification be sent once a
+ month for 3 months, then once a week for four weeks, and
+ then once a day thereafter until the issue is resolved.";
+ leaf expiration-date {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "Identifies the expiration date on the certificate.";
+ }
+ }
+ }
+
+ grouping end-entity-certs-grouping {
+ description
+ "A list of end entity certificates, and a notification for
+ when one is about to (or already has) expire.";
+ leaf-list cert {
+ nacm:default-deny-write;
+ type end-entity-cert-cms;
+ description
+ "The binary certificate data for this certificate.";
+ reference
+ "RFC YYYY: Common YANG Data Types for Cryptography";
+ }
+ notification certificate-expiration {
+ description
+ "A notification indicating that the configured certificate
+ is either about to expire or has already expired. When to
+ send notifications is an implementation specific decision,
+ but it is RECOMMENDED that a notification be sent once a
+ month for 3 months, then once a week for four weeks, and
+ then once a day thereafter until the issue is resolved.";
+ leaf expiration-date {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "Identifies the expiration date on the certificate.";
+ }
+ }
+ }
+
+ grouping asymmetric-key-pair-with-cert-grouping {
+ description
+ "A private/public key pair and an associated certificate.";
+ uses asymmetric-key-pair-grouping;
+ uses end-entity-cert-grouping;
+
+ action generate-certificate-signing-request {
+ nacm:default-deny-all;
+ description
+ "Generates a certificate signing request structure for
+ the associated asymmetric key using the passed subject
+ and attribute values. The specified assertions need
+ to be appropriate for the certificate's use. For
+ example, an entity certificate for a TLS server
+ SHOULD have values that enable clients to satisfy
+ RFC 6125 processing.";
+ input {
+ leaf subject {
+ type binary;
+ mandatory true;
+ description
+ "The 'subject' field per the CertificationRequestInfo
+ structure as specified by RFC 2986, Section 4.1
+ encoded using the ASN.1 distinguished encoding
+ rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ leaf attributes {
+ type binary;
+ description
+ "The 'attributes' field from the structure
+ CertificationRequestInfo as specified by RFC 2986,
+ Section 4.1 encoded using the ASN.1 distinguished
+ encoding rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ }
+ output {
+ leaf certificate-signing-request {
+ type binary;
+ mandatory true;
+ description
+ "A CertificationRequest structure as specified by
+ RFC 2986, Section 4.2 encoded using the ASN.1
+ distinguished encoding rules (DER), as specified
+ in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ }
+ } // generate-certificate-signing-request
+ } // asymmetric-key-pair-with-cert-grouping
+
+
+ grouping asymmetric-key-pair-with-certs-grouping {
+ description
+ "A private/public key pair and associated certificates.";
+ uses asymmetric-key-pair-grouping;
+ container certificates {
+ nacm:default-deny-write;
+ description
+ "Certificates associated with this asymmetric key.
+ More than one certificate supports, for instance,
+ a TPM-protected asymmetric key that has both IDevID
+ and LDevID certificates associated.";
+ list certificate {
+ key "name";
+ description
+ "A certificate for this asymmetric key.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the certificate. If the name
+ matches the name of a certificate that exists
+ independently in <operational> (i.e., an IDevID),
+ then the 'cert' node MUST NOT be configured.";
+ }
+ uses end-entity-cert-grouping;
+ }
+ } // certificates
+
+ action generate-certificate-signing-request {
+ nacm:default-deny-all;
+ description
+ "Generates a certificate signing request structure for
+ the associated asymmetric key using the passed subject
+ and attribute values. The specified assertions need
+ to be appropriate for the certificate's use. For
+ example, an entity certificate for a TLS server
+ SHOULD have values that enable clients to satisfy
+ RFC 6125 processing.";
+ input {
+ leaf subject {
+ type binary;
+ mandatory true;
+ description
+ "The 'subject' field per the CertificationRequestInfo
+ structure as specified by RFC 2986, Section 4.1
+ encoded using the ASN.1 distinguished encoding
+ rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ leaf attributes {
+ type binary;
+ description
+ "The 'attributes' field from the structure
+ CertificationRequestInfo as specified by RFC 2986,
+ Section 4.1 encoded using the ASN.1 distinguished
+ encoding rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ }
+ output {
+ leaf certificate-signing-request {
+ type binary;
+ mandatory true;
+ description
+ "A CertificationRequest structure as specified by
+ RFC 2986, Section 4.2 encoded using the ASN.1
+ distinguished encoding rules (DER), as specified
+ in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ }
+ } // generate-certificate-signing-request
+ } // asymmetric-key-pair-with-certs-grouping
+}
--- /dev/null
+module ietf-dhcpv6-common {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-dhcpv6-common";
+ prefix "dhcpv6-common";
+
+ import ietf-yang-types {
+ prefix yang;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ organization "DHC WG";
+ contact
+ "yong@csnet1.cs.tsinghua.edu.cn
+ lh.sunlinh@gmail.com
+ ian.farrer@telekom.de
+ sladjana.zechlin@telekom.de
+ hezihao9512@gmail.com";
+
+ description "This YANG module defines common components
+ used for the configuration and management of DHCPv6.
+
+ Copyright (c) 2021 IETF Trust and the persons identified as
+ authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD License
+ set forth in Section 4.c of the IETF Trust's Legal Provisions
+ Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC 8513; see
+ the RFC itself for full legal notices.";
+
+ revision 2021-01-29 {
+ description "Version update for draft -17 publication.";
+ reference "I-D: draft-ietf-dhc-dhcpv6-yang-17";
+ }
+
+ revision 2021-01-06 {
+ description "Version update for draft -16 publication.";
+ reference "I-D: draft-ietf-dhc-dhcpv6-yang-16";
+ }
+
+ revision 2020-12-22 {
+ description "Version update for draft -13 publication.";
+ reference "I-D: draft-ietf-dhc-dhcpv6-yang-15";
+ }
+
+ revision 2020-12-10 {
+ description "Version update for draft -13 publication.";
+ reference "I-D: draft-ietf-dhc-dhcpv6-yang-13";
+ }
+
+ revision 2020-12-01 {
+ description "Version update for draft -12 publication.";
+ reference "I-D: draft-ietf-dhc-dhcpv6-yang-12";
+ }
+
+ revision 2020-05-26 {
+ description "Version update for draft -11 publication and
+ to align revisions across the different modules.";
+ reference "I-D: draft-ietf-dhc-dhcpv6-yang-11";
+ }
+
+ revision 2018-09-04 {
+ description "";
+ reference "I-D: draft-ietf-dhc-dhcpv6-yang";
+ }
+
+ revision 2018-01-30 {
+ description "Initial revision";
+ reference "I-D: draft-ietf-dhc-dhcpv6-yang";
+ }
+
+ typedef threshold {
+ type union {
+ type uint16 {
+ range 0..100;
+ }
+ type enumeration {
+ enum "disabled" {
+ description "No threshold";
+ }
+ }
+ }
+ description "Threshold value in percent";
+ }
+
+ typedef timer-seconds32 {
+ type uint32 {
+ range "1..4294967295";
+ }
+ units "seconds";
+ description
+ "Timer value type, in seconds (32-bit range).";
+ }
+
+/*
+* Groupings
+*/
+
+ grouping duid {
+ description "Each server and client has only one DUID (DHCP
+ Unique Identifier). The DUID here identifies a unique
+ DHCPv6 server for clients. DUID consists of a two-octet
+ type field and an arbitrary length (no more than 128 bytes)
+ content field. Currently there are four defined types of
+ DUIDs in RFC8415 and RFC6355 - DUID-LLT, DUID-EN, DUID-LL
+ and DUID-UUID. DUID-unstructured represents DUIDs which
+ do not follow any of the defined formats.";
+ reference "RFC8415: Section 11 and RFC6355: Section 4";
+ leaf type-code {
+ type uint16;
+ default 65535;
+ description "Type code of this DUID.";
+ }
+ choice duid-type {
+ default duid-unstructured;
+ description "Selects the format of the DUID.";
+ case duid-llt {
+ description "DUID Based on Link-layer Address Plus Time
+ (Type 1 - DUID-LLT).";
+ reference "RFC8415 Section 11.2";
+ leaf duid-llt-hardware-type {
+ type uint16;
+ description "Hardware type as assigned by IANA (RFC826).";
+ }
+ leaf duid-llt-time {
+ type yang:timeticks;
+ description "The time that the DUID is generated
+ represented in seconds since midnight (UTC),
+ January 1, 2000, modulo 2^32.";
+ }
+ leaf duid-llt-link-layer-address {
+ type yang:mac-address;
+ description "Link-layer address as described in RFC2464.";
+ }
+ }
+ case duid-en {
+ description "DUID Assigned by Vendor Based on Enterprise
+ Number (Type 2 - DUID-EN).";
+ reference "RFC8415 Section 11.3";
+ leaf duid-en-enterprise-number {
+ type uint32;
+ description "Vendor's registered Private Enterprise Number
+ as maintained by IANA.";
+ }
+ leaf duid-en-identifier {
+ type string;
+ description "Identifier, unique to the device.";
+ }
+ }
+ case duid-ll {
+ description "DUID Based on Link-layer Address
+ (Type 3 - DUID-LL).";
+ reference "RFC8415 Section 11.4";
+ leaf duid-ll-hardware-type {
+ type uint16;
+ description "Hardware type, as assigned by IANA (RFC826).";
+ }
+ leaf duid-ll-link-layer-address {
+ type yang:mac-address;
+ description "Link-layer address, as described in RFC2464";
+ }
+ }
+ case duid-uuid {
+ description "DUID Based on Universally Unique Identifier
+ (Type 4 - DUID-UUID).";
+ reference "RFC6335 Definition of the UUID-Based Unique
+ Identifier";
+ leaf uuid {
+ type yang:uuid;
+ description "A Universally Unique Identifier in the string
+ representation, defined in RFC4122. The canonical
+ representation uses lowercase characters.";
+ }
+ }
+ case duid-unstructured {
+ description "DUID which does not follow any of the other
+ structures, expressed as bytes.";
+ leaf data {
+ type binary;
+ description "The bits to be used as the identifier.";
+ }
+ }
+ }
+ leaf active-duid {
+ type binary;
+ config "false";
+ description "The DUID which is currently in use.";
+ }
+ }
+
+ grouping auth-option-group {
+ description "OPTION_AUTH (11) Authentication Option.";
+ reference "RFC8415: Dynamic Host Configuration Protocol
+ for IPv6 (DHCPv6)";
+ container auth-option {
+ description "OPTION_AUTH (11) Authentication Option
+ container.";
+ leaf protocol {
+ type uint8;
+ description "The authentication protocol used in this
+ Authentication option.";
+ }
+ leaf algorithm {
+ type uint8;
+ description "The algorithm used in the authentication
+ protocol.";
+ }
+ leaf rdm {
+ type uint8;
+ description "The replay detection method used
+ in this Authentication option.";
+ }
+ leaf replay-detection {
+ type uint64;
+ description "The replay detection information for the RDM.";
+ }
+ leaf auth-information {
+ type string;
+ description "The authentication information, as specified
+ by the protocol and algorithm used in this Authentication
+ option.";
+ }
+ }
+ }
+ grouping status-code-option-group {
+ description "OPTION_STATUS_CODE (13) Status Code Option.";
+ reference "RFC8415: Dynamic Host Configuration Protocol
+ for IPv6 (DHCPv6)";
+ container status-code-option {
+ description "OPTION_STATUS_CODE (13) Status Code Option
+ container.";
+ leaf status-code {
+ type uint16;
+ description "The numeric code for the status encoded
+ in this option. See the Status Codes registry at
+ <https://www.iana.org/assignments/dhcpv6-parameters>
+ for the current list of status codes.";
+ }
+ leaf status-message {
+ type string;
+ description "A UTF-8 encoded text string suitable for
+ display to an end user. MUST NOT be null-terminated.";
+ }
+ }
+ }
+
+ grouping rapid-commit-option-group {
+ description "OPTION_RAPID_COMMIT (14) Rapid Commit Option.";
+ reference "RFC8415: Dynamic Host Configuration Protocol for
+ IPv6 (DHCPv6)";
+ container rapid-commit-option {
+ presence "Enable sending of this option";
+ description "OPTION_RAPID_COMMIT (14) Rapid Commit Option
+ container.";
+ }
+ }
+
+ grouping vendor-specific-information-option-group {
+ description "OPTION_VENDOR_OPTS (17) Vendor-specific
+ Information Option.";
+ reference "RFC8415: Dynamic Host Configuration Protocol
+ for IPv6 (DHCPv6)";
+ container vendor-specific-information-option {
+ description "OPTION_VENDOR_OPTS (17) Vendor-specific
+ Information Option container.";
+ list vendor-specific-information-option-instances {
+ key enterprise-number;
+ description "The vendor specific information option allows
+ for multiple instances in a single message. Each list entry
+ defines the contents of an instance of the option.";
+ leaf enterprise-number {
+ type uint32;
+ description "The vendor's registered Enterprise Number,
+ as maintained by IANA.";
+ }
+ list vendor-option-data {
+ key sub-option-code;
+ description "Vendor options, interpreted by vendor-specific
+ client/server functions.";
+ leaf sub-option-code {
+ type uint16;
+ description "The code for the sub-option.";
+ }
+ leaf sub-option-data {
+ type string;
+ description "The data area for the sub-option.";
+ }
+ }
+ }
+ }
+ }
+
+ grouping reconfigure-accept-option-group {
+ description "OPTION_RECONF_ACCEPT (20) Reconfigure Accept
+ Option.
+ A client uses the Reconfigure Accept option to announce to
+ the server whether the client is willing to accept Reconfigure
+ messages, and a server uses this option to tell the client
+ whether or not to accept Reconfigure messages. In the absence
+ of this option, the default behavior is that the client is
+ unwilling to accept Reconfigure messages. The presence node
+ is used to enable the option.";
+ reference "RFC8415: Dynamic Host Configuration Protocol
+ for IPv6 (DHCPv6)";
+ container reconfigure-accept-option {
+ presence "Enable sending of this option";
+ description "OPTION_RECONF_ACCEPT (20) Reconfigure Accept
+ Option container.";
+ }
+ }
+}
--- /dev/null
+module ietf-dhcpv6-types {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-dhcpv6-types";
+ prefix "dhcpv6-types";
+
+ import ietf-inet-types {
+ prefix inet;
+ }
+ import ietf-yang-types {
+ prefix yang;
+ }
+
+ organization "DHC WG";
+ contact
+ "cuiyong@tsinghua.edu.cn
+ lh.sunlinh@gmail.com
+ ian.farrer@telekom.de
+ sladjana.zechlin@telekom.de
+ hezihao9512@gmail.com";
+
+ description "This model defines a YANG data model that can be
+ used to define some commonly used DHCPv6 types";
+
+ revision 2018-09-04 {
+ description "";
+ reference "I-D: draft-ietf-dhc-dhcpv6-yang";
+ }
+
+ revision 2018-01-30 {
+ description "Initial revision";
+ reference "I-D: draft-ietf-dhc-dhcpv6-yang";
+ }
+
+ /*
+ * Grouping
+ */
+ grouping vendor-infor {
+ description "Vendor information.";
+ container vendor-info {
+ description "";
+ leaf ent-num {
+ type uint32;
+ mandatory true;
+ description "enterprise number";
+ }
+ leaf-list data {
+ type string;
+ description "specific vendor info";
+ }
+ }
+ }
+
+ grouping duid {
+ description
+ "Each server and client has only one DUID (DHCP Unique Identifier).
+ The DUID here identifies a unique DHCPv6 server for clients. DUID
+ consists of a two-octet type field and an arbitrary length (no more
+ than 128 bytes) content field. Currently there are four defined types
+ of DUIDs in RFC3315 and RFC6355 - DUID-LLT, DUID-EN, DUID-LL and
+ DUID-UUID. DUID-Unknown represents those unconventional DUIDs.";
+ reference "RFC3315: Section 9 and RFC6355: Section 4";
+ leaf type-code {
+ type uint16;
+ default 65535;
+ description "Type code of this DUID";
+ }
+ choice duid-type {
+ default duid-unknown;
+ description "Selects the format for the DUID.";
+ case duid-llt {
+ description "DUID Based on Link-layer Address Plus Time
+ (Type 1 - DUID-LLT)";
+ reference "RFC3315 Section 9.2";
+ leaf duid-llt-hardware-type {
+ type uint16;
+ description "Hardware type as assigned by IANA (RFC826).";
+ }
+ leaf duid-llt-time {
+ type yang:timeticks;
+ description "The time value is the time that the DUID is
+ generated represented in seconds since midnight (UTC),
+ January 1, 2000, modulo 2^32.";
+ }
+ leaf duid-llt-link-layer-addr {
+ type yang:mac-address;
+ description "Link-layer address as described in RFC2464";
+ }
+ }
+ case duid-en {
+ description "DUID Assigned by Vendor Based on Enterprise Number
+ (Type 2 - DUID-EN)";
+ reference "RFC3315 Section 9.3";
+ leaf duid-en-enterprise-number {
+ type uint32;
+ description "Vendor's registered Private Enterprise Number as
+ maintained by IANA";
+ }
+ leaf duid-en-identifier {
+ type string;
+ description "Identifier, unique to the device that is
+ using it";
+ }
+ }
+ case duid-ll {
+ description "DUID Based on Link-layer Address (Type 3 - DUID-LL)";
+ reference "RFC3315 Section 9.4";
+ leaf duid-ll-hardware-type {
+ type uint16;
+ description "Hardware type as assigned by IANA (RFC826).";
+ }
+ leaf duid-ll-link-layer-addr {
+ type yang:mac-address;
+ description "Link-layer address as described in RFC2464";
+ }
+ }
+ case duid-uuid {
+ description "DUID Based on Universally Unique Identifier
+ (Type 4 - DUID-UUID)";
+ reference "RFC6335 Definition of the UUID-Based Unique Identifier";
+ leaf uuid {
+ type yang:uuid;
+ description "A Universally Unique IDentifier in the string
+ representation defined in RFC 4122. The canonical
+ representation uses lowercase characters";
+ }
+ }
+ case duid-unknown {
+ description "DUID based on free raw bytes";
+ leaf data {
+ type binary;
+ description "The bits to be used as the identifier";
+ }
+ }
+ }
+ }
+
+ grouping portset-param {
+ description "portset parameters";
+ container port-parameter {
+ description "port parameter";
+ leaf offset {
+ type uint8;
+ mandatory true;
+ description "offset in a port set";
+ }
+ leaf psid-len {
+ type uint8;
+ mandatory true;
+ description "length of a psid";
+ }
+ leaf psid {
+ type uint16;
+ mandatory true;
+ description "psid value";
+ }
+ }
+ }
+
+ grouping iaid {
+ description "IA is a construct through which a server and a
+ client can identify, group, and manage a set of related IPv6
+ addresses. The key of the list is a 4-byte number IAID defined
+ in [RFC3315].";
+ list identity-association {
+ config "false";
+ description "IA";
+ leaf iaid {
+ type uint32;
+ mandatory true;
+ description "IAID";
+ }
+ leaf ia-type {
+ type string;
+ mandatory true;
+ description "IA type";
+ }
+ leaf-list ipv6-addr {
+ type inet:ipv6-address;
+ description "ipv6 address";
+ }
+ leaf-list ipv6-prefix {
+ type inet:ipv6-prefix;
+ description "ipv6 prefix";
+ }
+ leaf-list prefix-length {
+ type uint8;
+ description "ipv6 prefix length";
+ }
+ leaf t1-time {
+ type yang:timeticks;
+ mandatory true;
+ description "t1 time";
+ }
+ leaf t2-time {
+ type yang:timeticks;
+ mandatory true;
+ description "t2 time";
+ }
+ leaf preferred-lifetime {
+ type yang:timeticks;
+ mandatory true;
+ description "preferred lifetime";
+ }
+ leaf valid-lifetime {
+ type yang:timeticks;
+ mandatory true;
+ description "valid lifetime";
+ }
+ }
+ }
+}
--- /dev/null
+module ietf-subscribed-notifications {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-subscribed-notifications";
+ prefix sn;
+
+ import ietf-inet-types {
+ prefix inet;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+ import ietf-interfaces {
+ prefix if;
+ reference
+ "RFC 8343: A YANG Data Model for Interface Management";
+ }
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+ import ietf-network-instance {
+ prefix ni;
+ reference
+ "RFC 8529: YANG Data Model for Network Instances";
+ }
+ import ietf-restconf {
+ prefix rc;
+ reference
+ "RFC 8040: RESTCONF Protocol";
+ }
+ import ietf-yang-types {
+ prefix yang;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+ contact
+ "WG Web: <https:/datatracker.ietf.org/wg/netconf/>
+ WG List: <mailto:netconf@ietf.org>
+ Author: Alexander Clemm
+ <mailto:ludwig@clemm.org>
+ Author: Eric Voit
+ <mailto:evoit@cisco.com>
+ Author: Alberto Gonzalez Prieto
+ <mailto:alberto.gonzalez@microsoft.com>
+ Author: Einar Nilsen-Nygaard
+ <mailto:einarnn@cisco.com>
+ Author: Ambika Prasad Tripathy
+ <mailto:ambtripa@cisco.com>";
+ description
+ "This module defines a YANG data model for subscribing to event
+ records and receiving matching content in notification messages.
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
+ NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
+ 'MAY', and 'OPTIONAL' in this document are to be interpreted as
+ described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
+ they appear in all capitals, as shown here.
+ Copyright (c) 2019 IETF Trust and the persons identified as
+ authors of the code. All rights reserved.
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject to
+ the license terms contained in, the Simplified BSD License set
+ forth in Section 4.c of the IETF Trust's Legal Provisions
+ Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+ This version of this YANG module is part of RFC 8639; see the
+ RFC itself for full legal notices.";
+
+ revision 2019-09-09 {
+ description
+ "Initial version.";
+ reference
+ "RFC 8639: A YANG Data Model for Subscriptions to
+ Event Notifications";
+ }
+
+ /*
+ * FEATURES
+ */
+
+ feature configured {
+ description
+ "This feature indicates that configuration of subscriptions is
+ supported.";
+ }
+
+ feature dscp {
+ description
+ "This feature indicates that a publisher supports the ability
+ to set the Differentiated Services Code Point (DSCP) value in
+ outgoing packets.";
+ }
+
+ feature encode-json {
+ description
+ "This feature indicates that JSON encoding of notification
+ messages is supported.";
+ }
+
+ feature encode-xml {
+ description
+ "This feature indicates that XML encoding of notification
+ messages is supported.";
+ }
+
+ feature interface-designation {
+ description
+ "This feature indicates that a publisher supports sourcing all
+ receiver interactions for a configured subscription from a
+ single designated egress interface.";
+ }
+
+ feature qos {
+ description
+ "This feature indicates that a publisher supports absolute
+ dependencies of one subscription's traffic over another
+ as well as weighted bandwidth sharing between subscriptions.
+ Both of these are Quality of Service (QoS) features that allow
+ differentiated treatment of notification messages between a
+ publisher and a specific receiver.";
+ }
+
+ feature replay {
+ description
+ "This feature indicates that historical event record replay is
+ supported. With replay, it is possible for past event records
+ to be streamed in chronological order.";
+ }
+
+ feature subtree {
+ description
+ "This feature indicates support for YANG subtree filtering.";
+ reference
+ "RFC 6241: Network Configuration Protocol (NETCONF),
+ Section 6";
+ }
+
+ feature supports-vrf {
+ description
+ "This feature indicates that a publisher supports VRF
+ configuration for configured subscriptions. VRF support for
+ dynamic subscriptions does not require this feature.";
+ reference
+ "RFC 8529: YANG Data Model for Network Instances,
+ Section 6";
+ }
+
+ feature xpath {
+ description
+ "This feature indicates support for XPath filtering.";
+ reference
+ "XML Path Language (XPath) Version 1.0
+ (https://www.w3.org/TR/1999/REC-xpath-19991116)";
+ }
+
+ /*
+ * EXTENSIONS
+ */
+
+ extension subscription-state-notification {
+ description
+ "This statement applies only to notifications. It indicates
+ that the notification is a subscription state change
+ notification. Therefore, it does not participate in a regular
+ event stream and does not need to be specifically subscribed
+ to in order to be received. This statement can only occur as
+ a substatement of the YANG 'notification' statement. This
+ statement is not for use outside of this YANG module.";
+ }
+
+ /*
+ * IDENTITIES
+ */
+ /* Identities for RPC and notification errors */
+
+ identity delete-subscription-error {
+ description
+ "Base identity for the problem found while attempting to
+ fulfill either a 'delete-subscription' RPC request or a
+ 'kill-subscription' RPC request.";
+ }
+
+ identity establish-subscription-error {
+ description
+ "Base identity for the problem found while attempting to
+ fulfill an 'establish-subscription' RPC request.";
+ }
+
+ identity modify-subscription-error {
+ description
+ "Base identity for the problem found while attempting to
+ fulfill a 'modify-subscription' RPC request.";
+ }
+
+ identity subscription-suspended-reason {
+ description
+ "Base identity for the problem condition communicated to a
+ receiver as part of a 'subscription-suspended'
+ notification.";
+ }
+
+ identity subscription-terminated-reason {
+ description
+ "Base identity for the problem condition communicated to a
+ receiver as part of a 'subscription-terminated'
+ notification.";
+ }
+
+ identity dscp-unavailable {
+ base establish-subscription-error;
+ if-feature "dscp";
+ description
+ "The publisher is unable to mark notification messages with
+ prioritization information in a way that will be respected
+ during network transit.";
+ }
+
+ identity encoding-unsupported {
+ base establish-subscription-error;
+ description
+ "Unable to encode notification messages in the desired
+ format.";
+ }
+
+ identity filter-unavailable {
+ base subscription-terminated-reason;
+ description
+ "Referenced filter does not exist. This means a receiver is
+ referencing a filter that doesn't exist or to which it
+ does not have access permissions.";
+ }
+
+ identity filter-unsupported {
+ base establish-subscription-error;
+ base modify-subscription-error;
+ description
+ "Cannot parse syntax in the filter. This failure can be from
+ a syntax error or a syntax too complex to be processed by the
+ publisher.";
+ }
+
+ identity insufficient-resources {
+ base establish-subscription-error;
+ base modify-subscription-error;
+ base subscription-suspended-reason;
+ description
+ "The publisher does not have sufficient resources to support
+ the requested subscription. An example might be that
+ allocated CPU is too limited to generate the desired set of
+ notification messages.";
+ }
+
+ identity no-such-subscription {
+ base modify-subscription-error;
+ base delete-subscription-error;
+ base subscription-terminated-reason;
+ description
+ "Referenced subscription doesn't exist. This may be as a
+ result of a nonexistent subscription ID, an ID that belongs to
+ another subscriber, or an ID for a configured subscription.";
+ }
+
+ identity replay-unsupported {
+ base establish-subscription-error;
+ if-feature "replay";
+ description
+ "Replay cannot be performed for this subscription. This means
+ the publisher will not provide the requested historic
+ information from the event stream via replay to this
+ receiver.";
+ }
+
+ identity stream-unavailable {
+ base subscription-terminated-reason;
+ description
+ "Not a subscribable event stream. This means the referenced
+ event stream is not available for subscription by the
+ receiver.";
+ }
+
+ identity suspension-timeout {
+ base subscription-terminated-reason;
+ description
+ "Termination of a previously suspended subscription. The
+ publisher has eliminated the subscription, as it exceeded a
+ time limit for suspension.";
+ }
+
+ identity unsupportable-volume {
+ base subscription-suspended-reason;
+ description
+ "The publisher does not have the network bandwidth needed to
+ get the volume of generated information intended for a
+ receiver.";
+ }
+
+ /* Identities for encodings */
+
+ identity configurable-encoding {
+ description
+ "If a transport identity derives from this identity, it means
+ that it supports configurable encodings. An example of a
+ configurable encoding might be a new identity such as
+ 'encode-cbor'. Such an identity could use
+ 'configurable-encoding' as its base. This would allow a
+ dynamic subscription encoded in JSON (RFC 8259) to request
+ that notification messages be encoded via the Concise Binary
+ Object Representation (CBOR) (RFC 7049). Further details for
+ any specific configurable encoding would be explored in a
+ transport document based on this specification.";
+ reference
+ "RFC 8259: The JavaScript Object Notation (JSON) Data
+ Interchange Format
+ RFC 7049: Concise Binary Object Representation (CBOR)";
+ }
+
+ identity encoding {
+ description
+ "Base identity to represent data encodings.";
+ }
+
+ identity encode-xml {
+ base encoding;
+ if-feature "encode-xml";
+ description
+ "Encode data using XML as described in RFC 7950.";
+ reference
+ "RFC 7950: The YANG 1.1 Data Modeling Language";
+ }
+
+ identity encode-json {
+ base encoding;
+ if-feature "encode-json";
+ description
+ "Encode data using JSON as described in RFC 7951.";
+ reference
+ "RFC 7951: JSON Encoding of Data Modeled with YANG";
+ }
+
+ /* Identities for transports */
+
+ identity transport {
+ description
+ "An identity that represents the underlying mechanism for
+ passing notification messages.";
+ }
+
+ /*
+ * TYPEDEFs
+ */
+
+ typedef encoding {
+ type identityref {
+ base encoding;
+ }
+ description
+ "Specifies a data encoding, e.g., for a data subscription.";
+ }
+
+ typedef stream-filter-ref {
+ type leafref {
+ path "/sn:filters/sn:stream-filter/sn:name";
+ }
+ description
+ "This type is used to reference an event stream filter.";
+ }
+
+ typedef stream-ref {
+ type leafref {
+ path "/sn:streams/sn:stream/sn:name";
+ }
+ description
+ "This type is used to reference a system-provided
+ event stream.";
+ }
+
+ typedef subscription-id {
+ type uint32;
+ description
+ "A type for subscription identifiers.";
+ }
+
+ typedef transport {
+ type identityref {
+ base transport;
+ }
+ description
+ "Specifies the transport used to send notification messages
+ to a receiver.";
+ }
+
+ /*
+ * GROUPINGS
+ */
+
+ grouping stream-filter-elements {
+ description
+ "This grouping defines the base for filters applied to event
+ streams.";
+ choice filter-spec {
+ description
+ "The content filter specification for this request.";
+ anydata stream-subtree-filter {
+ if-feature "subtree";
+ description
+ "Event stream evaluation criteria encoded in the syntax of
+ a subtree filter as defined in RFC 6241, Section 6.
+ The subtree filter is applied to the representation of
+ individual, delineated event records as contained in the
+ event stream.
+ If the subtree filter returns a non-empty node set, the
+ filter matches the event record, and the event record is
+ included in the notification message sent to the
+ receivers.";
+ reference
+ "RFC 6241: Network Configuration Protocol (NETCONF),
+ Section 6";
+ }
+ leaf stream-xpath-filter {
+ if-feature "xpath";
+ type yang:xpath1.0;
+ description
+ "Event stream evaluation criteria encoded in the syntax of
+ an XPath 1.0 expression.
+ The XPath expression is evaluated on the representation of
+ individual, delineated event records as contained in
+ the event stream.
+ The result of the XPath expression is converted to a
+ boolean value using the standard XPath 1.0 rules. If the
+ boolean value is 'true', the filter matches the event
+ record, and the event record is included in the
+ notification message sent to the receivers.
+ The expression is evaluated in the following XPath
+ context:
+ o The set of namespace declarations is the set of
+ prefix and namespace pairs for all YANG modules
+ implemented by the server, where the prefix is the
+ YANG module name and the namespace is as defined by
+ the 'namespace' statement in the YANG module.
+ If the leaf is encoded in XML, all namespace
+ declarations in scope on the 'stream-xpath-filter'
+ leaf element are added to the set of namespace
+ declarations. If a prefix found in the XML is
+ already present in the set of namespace
+ declarations, the namespace in the XML is used.
+ o The set of variable bindings is empty.
+ o The function library is comprised of the core
+ function library and the XPath functions defined in
+ Section 10 in RFC 7950.
+ o The context node is the root node.";
+ reference
+ "XML Path Language (XPath) Version 1.0
+ (https://www.w3.org/TR/1999/REC-xpath-19991116)
+ RFC 7950: The YANG 1.1 Data Modeling Language,
+ Section 10";
+ }
+ }
+ }
+
+ grouping update-qos {
+ description
+ "This grouping describes QoS information concerning a
+ subscription. This information is passed to lower layers
+ for transport prioritization and treatment.";
+ leaf dscp {
+ if-feature "dscp";
+ type inet:dscp;
+ default "0";
+ description
+ "The desired network transport priority level. This is the
+ priority set on notification messages encapsulating the
+ results of the subscription. This transport priority is
+ shared for all receivers of a given subscription.";
+ }
+ leaf weighting {
+ if-feature "qos";
+ type uint8 {
+ range "0 .. 255";
+ }
+ description
+ "Relative weighting for a subscription. Larger weights get
+ more resources. Allows an underlying transport layer to
+ perform informed load-balance allocations between various
+ subscriptions.";
+ reference
+ "RFC 7540: Hypertext Transfer Protocol Version 2 (HTTP/2),
+ Section 5.3.2";
+ }
+ leaf dependency {
+ if-feature "qos";
+ type subscription-id;
+ description
+ "Provides the 'subscription-id' of a parent subscription.
+ The parent subscription has absolute precedence should
+ that parent have push updates ready to egress the publisher.
+ In other words, there should be no streaming of objects from
+ the current subscription if the parent has something ready
+ to push.
+ If a dependency is asserted via configuration or via an RPC
+ but the referenced 'subscription-id' does not exist, the
+ dependency is silently discarded. If a referenced
+ subscription is deleted, this dependency is removed.";
+ reference
+ "RFC 7540: Hypertext Transfer Protocol Version 2 (HTTP/2),
+ Section 5.3.1";
+ }
+ }
+
+ grouping subscription-policy-modifiable {
+ description
+ "This grouping describes all objects that may be changed
+ in a subscription.";
+ choice target {
+ mandatory true;
+ description
+ "Identifies the source of information against which a
+ subscription is being applied as well as specifics on the
+ subset of information desired from that source.";
+ case stream {
+ choice stream-filter {
+ description
+ "An event stream filter can be applied to a subscription.
+ That filter will either come referenced from a global
+ list or be provided in the subscription itself.";
+ case by-reference {
+ description
+ "Apply a filter that has been configured separately.";
+ leaf stream-filter-name {
+ type stream-filter-ref;
+ mandatory true;
+ description
+ "References an existing event stream filter that is
+ to be applied to an event stream for the
+ subscription.";
+ }
+ }
+ case within-subscription {
+ description
+ "A local definition allows a filter to have the same
+ lifecycle as the subscription.";
+ uses stream-filter-elements;
+ }
+ }
+ }
+ }
+ leaf stop-time {
+ type yang:date-and-time;
+ description
+ "Identifies a time after which notification messages for a
+ subscription should not be sent. If 'stop-time' is not
+ present, the notification messages will continue until the
+ subscription is terminated. If 'replay-start-time' exists,
+ 'stop-time' must be for a subsequent time. If
+ 'replay-start-time' doesn't exist, 'stop-time', when
+ established, must be for a future time.";
+ }
+ }
+
+ grouping subscription-policy-dynamic {
+ description
+ "This grouping describes the only information concerning a
+ subscription that can be passed over the RPCs defined in this
+ data model.";
+ uses subscription-policy-modifiable {
+ augment "target/stream" {
+ description
+ "Adds additional objects that can be modified by an RPC.";
+ leaf stream {
+ type stream-ref {
+ require-instance false;
+ }
+ mandatory true;
+ description
+ "Indicates the event stream to be considered for
+ this subscription.";
+ }
+ leaf replay-start-time {
+ if-feature "replay";
+ type yang:date-and-time;
+ config false;
+ description
+ "Used to trigger the 'replay' feature for a dynamic
+ subscription, where event records that are selected
+ need to be at or after the specified starting time. If
+ 'replay-start-time' is not present, this is not a replay
+ subscription and event record push should start
+ immediately. It is never valid to specify start times
+ that are later than or equal to the current time.";
+ }
+ }
+ }
+ uses update-qos;
+ }
+
+ grouping subscription-policy {
+ description
+ "This grouping describes the full set of policy information
+ concerning both dynamic and configured subscriptions, with the
+ exclusion of both receivers and networking information
+ specific to the publisher, such as what interface should be
+ used to transmit notification messages.";
+ uses subscription-policy-dynamic;
+ leaf transport {
+ if-feature "configured";
+ type transport;
+ description
+ "For a configured subscription, this leaf specifies the
+ transport used to deliver messages destined for all
+ receivers of that subscription.";
+ }
+ leaf encoding {
+ when 'not(../transport) or derived-from(../transport,
+ "sn:configurable-encoding")';
+ type encoding;
+ description
+ "The type of encoding for notification messages. For a
+ dynamic subscription, if not included as part of an
+ 'establish-subscription' RPC, the encoding will be populated
+ with the encoding used by that RPC. For a configured
+ subscription, if not explicitly configured, the encoding
+ will be the default encoding for an underlying transport.";
+ }
+ leaf purpose {
+ if-feature "configured";
+ type string;
+ description
+ "Open text allowing a configuring entity to embed the
+ originator or other specifics of this subscription.";
+ }
+ }
+
+ /*
+ * RPCs
+ */
+
+ rpc establish-subscription {
+ description
+ "This RPC allows a subscriber to create (and possibly
+ negotiate) a subscription on its own behalf. If successful,
+ the subscription remains in effect for the duration of the
+ subscriber's association with the publisher or until the
+ subscription is terminated. If an error occurs or the
+ publisher cannot meet the terms of a subscription, an RPC
+ error is returned, and the subscription is not created.
+ In that case, the RPC reply's 'error-info' MAY include
+ suggested parameter settings that would have a higher
+ likelihood of succeeding in a subsequent
+ 'establish-subscription' request.";
+ input {
+ uses subscription-policy-dynamic;
+ leaf encoding {
+ type encoding;
+ description
+ "The type of encoding for the subscribed data. If not
+ included as part of the RPC, the encoding MUST be set by
+ the publisher to be the encoding used by this RPC.";
+ }
+ }
+ output {
+ leaf id {
+ type subscription-id;
+ mandatory true;
+ description
+ "Identifier used for this subscription.";
+ }
+ leaf replay-start-time-revision {
+ if-feature "replay";
+ type yang:date-and-time;
+ description
+ "If a replay has been requested, this object represents
+ the earliest time covered by the event buffer for the
+ requested event stream. The value of this object is the
+ 'replay-log-aged-time' if it exists. Otherwise, it is
+ the 'replay-log-creation-time'. All buffered event
+ records after this time will be replayed to a receiver.
+ This object will only be sent if the starting time has
+ been revised to be later than the time requested by the
+ subscriber.";
+ }
+ }
+ }
+
+ rc:yang-data establish-subscription-stream-error-info {
+ container establish-subscription-stream-error-info {
+ description
+ "If any 'establish-subscription' RPC parameters are
+ unsupportable against the event stream, a subscription
+ is not created and the RPC error response MUST indicate the
+ reason why the subscription failed to be created. This
+ yang-data MAY be inserted as structured data in a
+ subscription's RPC error response to indicate the reason for
+ the failure. This yang-data MUST be inserted if hints are
+ to be provided back to the subscriber.";
+ leaf reason {
+ type identityref {
+ base establish-subscription-error;
+ }
+ description
+ "Indicates the reason why the subscription has failed to
+ be created to a targeted event stream.";
+ }
+ leaf filter-failure-hint {
+ type string;
+ description
+ "Information describing where and/or why a provided
+ filter was unsupportable for a subscription. The
+ syntax and semantics of this hint are
+ implementation specific.";
+ }
+ }
+ }
+
+ rpc modify-subscription {
+ description
+ "This RPC allows a subscriber to modify a dynamic
+ subscription's parameters. If successful, the changed
+ subscription parameters remain in effect for the duration of
+ the subscription, until the subscription is again modified, or
+ until the subscription is terminated. In the case of an error
+ or an inability to meet the modified parameters, the
+ subscription is not modified and the original subscription
+ parameters remain in effect. In that case, the RPC error MAY
+ include 'error-info' suggested parameter hints that would have
+ a high likelihood of succeeding in a subsequent
+ 'modify-subscription' request. A successful
+ 'modify-subscription' will return a suspended subscription to
+ the 'active' state.";
+ input {
+ leaf id {
+ type subscription-id;
+ mandatory true;
+ description
+ "Identifier to use for this subscription.";
+ }
+ uses subscription-policy-modifiable;
+ }
+ }
+
+ rc:yang-data modify-subscription-stream-error-info {
+ container modify-subscription-stream-error-info {
+ description
+ "This yang-data MAY be provided as part of a subscription's
+ RPC error response when there is a failure of a
+ 'modify-subscription' RPC that has been made against an
+ event stream. This yang-data MUST be used if hints are to
+ be provided back to the subscriber.";
+ leaf reason {
+ type identityref {
+ base modify-subscription-error;
+ }
+ description
+ "Information in a 'modify-subscription' RPC error response
+ that indicates the reason why the subscription to an event
+ stream has failed to be modified.";
+ }
+ leaf filter-failure-hint {
+ type string;
+ description
+ "Information describing where and/or why a provided
+ filter was unsupportable for a subscription. The syntax
+ and semantics of this hint are
+ implementation specific.";
+ }
+ }
+ }
+
+ rpc delete-subscription {
+ description
+ "This RPC allows a subscriber to delete a subscription that
+ was previously created by that same subscriber using the
+ 'establish-subscription' RPC.
+ If an error occurs, the server replies with an 'rpc-error'
+ where the 'error-info' field MAY contain a
+ 'delete-subscription-error-info' structure.";
+ input {
+ leaf id {
+ type subscription-id;
+ mandatory true;
+ description
+ "Identifier of the subscription that is to be deleted.
+ Only subscriptions that were created using
+ 'establish-subscription' from the same origin as this RPC
+ can be deleted via this RPC.";
+ }
+ }
+ }
+
+ rpc kill-subscription {
+ nacm:default-deny-all;
+ description
+ "This RPC allows an operator to delete a dynamic subscription
+ without restrictions on the originating subscriber or
+ underlying transport session.
+ If an error occurs, the server replies with an 'rpc-error'
+ where the 'error-info' field MAY contain a
+ 'delete-subscription-error-info' structure.";
+ input {
+ leaf id {
+ type subscription-id;
+ mandatory true;
+ description
+ "Identifier of the subscription that is to be deleted.
+ Only subscriptions that were created using
+ 'establish-subscription' can be deleted via this RPC.";
+ }
+ }
+ }
+
+ rc:yang-data delete-subscription-error-info {
+ container delete-subscription-error-info {
+ description
+ "If a 'delete-subscription' RPC or a 'kill-subscription' RPC
+ fails, the subscription is not deleted and the RPC error
+ response MUST indicate the reason for this failure. This
+ yang-data MAY be inserted as structured data in a
+ subscription's RPC error response to indicate the reason
+ for the failure.";
+ leaf reason {
+ type identityref {
+ base delete-subscription-error;
+ }
+ mandatory true;
+ description
+ "Indicates the reason why the subscription has failed to be
+ deleted.";
+ }
+ }
+ }
+
+ /*
+ * NOTIFICATIONS
+ */
+
+ notification replay-completed {
+ sn:subscription-state-notification;
+ if-feature "replay";
+ description
+ "This notification is sent to indicate that all of the replay
+ notifications have been sent.";
+ leaf id {
+ type subscription-id;
+ mandatory true;
+ description
+ "This references the affected subscription.";
+ }
+ }
+
+ notification subscription-completed {
+ sn:subscription-state-notification;
+ if-feature "configured";
+ description
+ "This notification is sent to indicate that a subscription has
+ finished passing event records, as the 'stop-time' has been
+ reached.";
+ leaf id {
+ type subscription-id;
+ mandatory true;
+ description
+ "This references the gracefully completed subscription.";
+ }
+ }
+
+ notification subscription-modified {
+ sn:subscription-state-notification;
+ description
+ "This notification indicates that a subscription has been
+ modified. Notification messages sent from this point on will
+ conform to the modified terms of the subscription. For
+ completeness, this subscription state change notification
+ includes both modified and unmodified aspects of a
+ subscription.";
+ leaf id {
+ type subscription-id;
+ mandatory true;
+ description
+ "This references the affected subscription.";
+ }
+ uses subscription-policy {
+ refine "target/stream/stream-filter/within-subscription" {
+ description
+ "Filter applied to the subscription. If the
+ 'stream-filter-name' is populated, the filter in the
+ subscription came from the 'filters' container.
+ Otherwise, it is populated in-line as part of the
+ subscription.";
+ }
+ }
+ }
+
+ notification subscription-resumed {
+ sn:subscription-state-notification;
+ description
+ "This notification indicates that a subscription that had
+ previously been suspended has resumed. Notifications will
+ once again be sent. In addition, a 'subscription-resumed'
+ indicates that no modification of parameters has occurred
+ since the last time event records have been sent.";
+ leaf id {
+ type subscription-id;
+ mandatory true;
+ description
+ "This references the affected subscription.";
+ }
+ }
+
+ notification subscription-started {
+ sn:subscription-state-notification;
+ if-feature "configured";
+ description
+ "This notification indicates that a subscription has started
+ and notifications will now be sent.";
+ leaf id {
+ type subscription-id;
+ mandatory true;
+ description
+ "This references the affected subscription.";
+ }
+ uses subscription-policy {
+ refine "target/stream/replay-start-time" {
+ description
+ "Indicates the time that a replay is using for the
+ streaming of buffered event records. This will be
+ populated with the most recent of the following:
+ the event time of the previous event record sent to a
+ receiver, the 'replay-log-creation-time', the
+ 'replay-log-aged-time', or the most recent publisher
+ boot time.";
+ }
+ refine "target/stream/stream-filter/within-subscription" {
+ description
+ "Filter applied to the subscription. If the
+ 'stream-filter-name' is populated, the filter in the
+ subscription came from the 'filters' container.
+ Otherwise, it is populated in-line as part of the
+ subscription.";
+ }
+ augment "target/stream" {
+ description
+ "This augmentation adds additional parameters specific to a
+ 'subscription-started' notification.";
+ leaf replay-previous-event-time {
+ when '../replay-start-time';
+ if-feature "replay";
+ type yang:date-and-time;
+ description
+ "If there is at least one event in the replay buffer
+ prior to 'replay-start-time', this gives the time of
+ the event generated immediately prior to the
+ 'replay-start-time'.
+ If a receiver previously received event records for
+ this configured subscription, it can compare this time
+ to the last event record previously received. If the
+ two are not the same (perhaps due to a reboot), then a
+ dynamic replay can be initiated to acquire any missing
+ event records.";
+ }
+ }
+ }
+ }
+
+ notification subscription-suspended {
+ sn:subscription-state-notification;
+ description
+ "This notification indicates that a suspension of the
+ subscription by the publisher has occurred. No further
+ notifications will be sent until the subscription resumes.
+ This notification shall only be sent to receivers of a
+ subscription; it does not constitute a general-purpose
+ notification.";
+ leaf id {
+ type subscription-id;
+ mandatory true;
+ description
+ "This references the affected subscription.";
+ }
+ leaf reason {
+ type identityref {
+ base subscription-suspended-reason;
+ }
+ mandatory true;
+ description
+ "Identifies the condition that resulted in the suspension.";
+ }
+ }
+
+ notification subscription-terminated {
+ sn:subscription-state-notification;
+ description
+ "This notification indicates that a subscription has been
+ terminated.";
+ leaf id {
+ type subscription-id;
+ mandatory true;
+ description
+ "This references the affected subscription.";
+ }
+ leaf reason {
+ type identityref {
+ base subscription-terminated-reason;
+ }
+ mandatory true;
+ description
+ "Identifies the condition that resulted in the termination.";
+ }
+ }
+
+ /*
+ * DATA NODES
+ */
+
+ container streams {
+ config false;
+ description
+ "Contains information on the built-in event streams provided by
+ the publisher.";
+ list stream {
+ key "name";
+ description
+ "Identifies the built-in event streams that are supported by
+ the publisher.";
+ leaf name {
+ type string;
+ description
+ "A handle for a system-provided event stream made up of a
+ sequential set of event records, each of which is
+ characterized by its own domain and semantics.";
+ }
+ leaf description {
+ type string;
+ description
+ "A description of the event stream, including such
+ information as the type of event records that are
+ available in this event stream.";
+ }
+ leaf replay-support {
+ if-feature "replay";
+ type empty;
+ description
+ "Indicates that event record replay is available on this
+ event stream.";
+ }
+ leaf replay-log-creation-time {
+ when '../replay-support';
+ if-feature "replay";
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "The timestamp of the creation of the log used to support
+ the replay function on this event stream. This time
+ might be earlier than the earliest available information
+ contained in the log. This object is updated if the log
+ resets for some reason.";
+ }
+ leaf replay-log-aged-time {
+ when '../replay-support';
+ if-feature "replay";
+ type yang:date-and-time;
+ description
+ "The timestamp associated with the last event record that
+ has been aged out of the log. This timestamp identifies
+ how far back in history this replay log extends, if it
+ doesn't extend back to the 'replay-log-creation-time'.
+ This object MUST be present if replay is supported and any
+ event records have been aged out of the log.";
+ }
+ }
+ }
+ container filters {
+ description
+ "Contains a list of configurable filters that can be applied to
+ subscriptions. This facilitates the reuse of complex filters
+ once defined.";
+ list stream-filter {
+ key "name";
+ description
+ "A list of preconfigured filters that can be applied to
+ subscriptions.";
+ leaf name {
+ type string;
+ description
+ "A name to differentiate between filters.";
+ }
+ uses stream-filter-elements;
+ }
+ }
+ container subscriptions {
+ description
+ "Contains the list of currently active subscriptions, i.e.,
+ subscriptions that are currently in effect, used for
+ subscription management and monitoring purposes. This
+ includes subscriptions that have been set up via
+ RPC primitives as well as subscriptions that have been
+ established via configuration.";
+ list subscription {
+ key "id";
+ description
+ "The identity and specific parameters of a subscription.
+ Subscriptions in this list can be created using a control
+ channel or RPC or can be established through configuration.
+ If the 'kill-subscription' RPC or configuration operations
+ are used to delete a subscription, a
+ 'subscription-terminated' message is sent to any active or
+ suspended receivers.";
+ leaf id {
+ type subscription-id;
+ description
+ "Identifier of a subscription; unique in a given
+ publisher.";
+ }
+ uses subscription-policy {
+ refine "target/stream/stream" {
+ description
+ "Indicates the event stream to be considered for this
+ subscription. If an event stream has been removed
+ and can no longer be referenced by an active
+ subscription, send a 'subscription-terminated'
+ notification with 'stream-unavailable' as the reason.
+ If a configured subscription refers to a nonexistent
+ event stream, move that subscription to the
+ 'invalid' state.";
+ }
+ refine "transport" {
+ description
+ "For a configured subscription, this leaf specifies the
+ transport used to deliver messages destined for all
+ receivers of that subscription. This object is
+ mandatory for subscriptions in the configuration
+ datastore. This object (1) is not mandatory for dynamic
+ subscriptions in the operational state datastore and
+ (2) should not be present for other types of dynamic
+ subscriptions.";
+ }
+ augment "target/stream" {
+ description
+ "Enables objects to be added to a configured stream
+ subscription.";
+ leaf configured-replay {
+ if-feature "configured";
+ if-feature "replay";
+ type empty;
+ description
+ "The presence of this leaf indicates that replay for
+ the configured subscription should start at the
+ earliest time in the event log or at the publisher
+ boot time, whichever is later.";
+ }
+ }
+ }
+ choice notification-message-origin {
+ if-feature "configured";
+ description
+ "Identifies the egress interface on the publisher
+ from which notification messages are to be sent.";
+ case interface-originated {
+ description
+ "When notification messages are to egress a specific,
+ designated interface on the publisher.";
+ leaf source-interface {
+ if-feature "interface-designation";
+ type if:interface-ref;
+ description
+ "References the interface for notification messages.";
+ }
+ }
+ case address-originated {
+ description
+ "When notification messages are to depart from a
+ publisher using a specific originating address and/or
+ routing context information.";
+ leaf source-vrf {
+ if-feature "supports-vrf";
+ type leafref {
+ path "/ni:network-instances/ni:network-instance/ni:name";
+ }
+ description
+ "VRF from which notification messages should egress a
+ publisher.";
+ }
+ leaf source-address {
+ type inet:ip-address-no-zone;
+ description
+ "The source address for the notification messages.
+ If a source VRF exists but this object doesn't, a
+ publisher's default address for that VRF must
+ be used.";
+ }
+ }
+ }
+ leaf configured-subscription-state {
+ if-feature "configured";
+ type enumeration {
+ enum valid {
+ value 1;
+ description
+ "The subscription is supportable with its current
+ parameters.";
+ }
+ enum invalid {
+ value 2;
+ description
+ "The subscription as a whole is unsupportable with its
+ current parameters.";
+ }
+ enum concluded {
+ value 3;
+ description
+ "A subscription is inactive, as it has hit a
+ stop time. It no longer has receivers in the
+ 'active' or 'suspended' state, but the subscription
+ has not yet been removed from configuration.";
+ }
+ }
+ config false;
+ description
+ "The presence of this leaf indicates that the subscription
+ originated from configuration, not through a control
+ channel or RPC. The value indicates the state of the
+ subscription as established by the publisher.";
+ }
+ container receivers {
+ description
+ "Set of receivers in a subscription.";
+ list receiver {
+ key "name";
+ min-elements 1;
+ description
+ "A host intended as a recipient for the notification
+ messages of a subscription. For configured
+ subscriptions, transport-specific network parameters
+ (or a leafref to those parameters) may be augmented to a
+ specific receiver in this list.";
+ leaf name {
+ type string;
+ description
+ "Identifies a unique receiver for a subscription.";
+ }
+ leaf sent-event-records {
+ type yang:zero-based-counter64;
+ config false;
+ description
+ "The number of event records sent to the receiver. The
+ count is initialized when a dynamic subscription is
+ established or when a configured receiver
+ transitions to the 'valid' state.";
+ }
+ leaf excluded-event-records {
+ type yang:zero-based-counter64;
+ config false;
+ description
+ "The number of event records explicitly removed via
+ either an event stream filter or an access control
+ filter so that they are not passed to a receiver.
+ This count is set to zero each time
+ 'sent-event-records' is initialized.";
+ }
+ leaf state {
+ type enumeration {
+ enum active {
+ value 1;
+ description
+ "The receiver is currently being sent any
+ applicable notification messages for the
+ subscription.";
+ }
+ enum suspended {
+ value 2;
+ description
+ "The receiver state is 'suspended', so the
+ publisher is currently unable to provide
+ notification messages for the subscription.";
+ }
+ enum connecting {
+ value 3;
+ if-feature "configured";
+ description
+ "A subscription has been configured, but a
+ 'subscription-started' subscription state change
+ notification needs to be successfully received
+ before notification messages are sent.
+ If the 'reset' action is invoked for a receiver of
+ an active configured subscription, the state
+ must be moved to 'connecting'.";
+ }
+ enum disconnected {
+ value 4;
+ if-feature "configured";
+ description
+ "A subscription has failed to send a
+ 'subscription-started' state change to the
+ receiver. Additional connection attempts are not
+ currently being made.";
+ }
+ }
+ config false;
+ mandatory true;
+ description
+ "Specifies the state of a subscription from the
+ perspective of a particular receiver. With this
+ information, it is possible to determine whether a
+ publisher is currently generating notification
+ messages intended for that receiver.";
+ }
+ action reset {
+ if-feature "configured";
+ description
+ "Allows the reset of this configured subscription's
+ receiver to the 'connecting' state. This enables the
+ connection process to be reinitiated.";
+ output {
+ leaf time {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "Time at which a publisher returned the receiver to
+ the 'connecting' state.";
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
--- /dev/null
+module ietf-x509-cert-to-name {
+
+ namespace "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name";
+ prefix x509c2n;
+
+ import ietf-yang-types {
+ prefix yang;
+ }
+
+ organization
+ "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
+
+ contact
+ "WG Web: <http://tools.ietf.org/wg/netmod/>
+ WG List: <mailto:netmod@ietf.org>
+
+ WG Chair: Thomas Nadeau
+ <mailto:tnadeau@lucidvision.com>
+
+ WG Chair: Juergen Schoenwaelder
+ <mailto:j.schoenwaelder@jacobs-university.de>
+
+ Editor: Martin Bjorklund
+ <mailto:mbj@tail-f.com>
+
+ Editor: Juergen Schoenwaelder
+ <mailto:j.schoenwaelder@jacobs-university.de>";
+
+ description
+ "This module contains a collection of YANG definitions for
+ extracting a name from an X.509 certificate.
+ The algorithm used to extract a name from an X.509 certificate
+ was first defined in RFC 6353.
+
+ Copyright (c) 2014 IETF Trust and the persons identified as
+ authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD License
+ set forth in Section 4.c of the IETF Trust's Legal Provisions
+ Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC 7407; see
+ the RFC itself for full legal notices.";
+
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model for
+ the Simple Network Management Protocol (SNMP)";
+
+ revision 2014-12-10 {
+ description
+ "Initial revision.";
+ reference
+ "RFC 7407: A YANG Data Model for SNMP Configuration";
+
+ }
+
+ typedef tls-fingerprint {
+ type yang:hex-string {
+ pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';
+ }
+ description
+ "A fingerprint value that can be used to uniquely reference
+ other data of potentially arbitrary length.
+
+ A tls-fingerprint value is composed of a 1-octet hashing
+ algorithm identifier followed by the fingerprint value. The
+ first octet value identifying the hashing algorithm is taken
+ from the IANA 'TLS HashAlgorithm Registry' (RFC 5246). The
+ remaining octets are filled using the results of the hashing
+ algorithm.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.SnmpTLSFingerprint";
+ }
+
+ /* Identities */
+
+ identity cert-to-name {
+ description
+ "Base identity for algorithms to derive a name from a
+ certificate.";
+ }
+
+ identity specified {
+ base cert-to-name;
+ description
+ "Directly specifies the name to be used for the certificate.
+ The value of the leaf 'name' in the cert-to-name list is
+ used.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
+ }
+
+ identity san-rfc822-name {
+ base cert-to-name;
+ description
+ "Maps a subjectAltName's rfc822Name to a name. The local part
+ of the rfc822Name is passed unaltered, but the host-part of
+ the name must be passed in lowercase. For example, the
+ rfc822Name field FooBar@Example.COM is mapped to name
+ FooBar@example.com.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";
+ }
+
+ identity san-dns-name {
+ base cert-to-name;
+ description
+ "Maps a subjectAltName's dNSName to a name after first
+ converting it to all lowercase (RFC 5280 does not specify
+ converting to lowercase, so this involves an extra step).
+ This mapping results in a 1:1 correspondence between
+ subjectAltName dNSName values and the name values.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";
+ }
+
+ identity san-ip-address {
+ base cert-to-name;
+ description
+ "Maps a subjectAltName's iPAddress to a name by
+ transforming the binary-encoded address as follows:
+
+ 1) for IPv4, the value is converted into a
+ decimal-dotted quad address (e.g., '192.0.2.1').
+
+ 2) for IPv6 addresses, the value is converted into a
+ 32-character, all-lowercase hexadecimal string
+ without any colon separators.
+
+ This mapping results in a 1:1 correspondence between
+ subjectAltName iPAddress values and the name values.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
+ }
+
+ identity san-any {
+ base cert-to-name;
+ description
+ "Maps any of the following fields using the corresponding
+ mapping algorithms:
+
+ +------------+-----------------+
+ | Type | Algorithm |
+ |------------+-----------------|
+ | rfc822Name | san-rfc822-name |
+ | dNSName | san-dns-name |
+ | iPAddress | san-ip-address |
+ +------------+-----------------+
+
+ The first matching subjectAltName value found in the
+ certificate of the above types MUST be used when deriving
+ the name. The mapping algorithm specified in the
+ 'Algorithm' column MUST be used to derive the name.
+
+ This mapping results in a 1:1 correspondence between
+ subjectAltName values and name values. The three sub-mapping
+ algorithms produced by this combined algorithm cannot produce
+ conflicting results between themselves.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
+ }
+
+ identity common-name {
+ base cert-to-name;
+ description
+ "Maps a certificate's CommonName to a name after converting
+ it to a UTF-8 encoding. The usage of CommonNames is
+ deprecated, and users are encouraged to use subjectAltName
+ mapping methods instead. This mapping results in a 1:1
+ correspondence between certificate CommonName values and name
+ values.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertCommonName";
+ }
+
+ /*
+ * Groupings
+ */
+
+ grouping cert-to-name {
+ description
+ "Defines nodes for mapping certificates to names. Modules
+ that use this grouping should describe how the resulting
+ name is used.";
+
+ list cert-to-name {
+ key id;
+ description
+ "This list defines how certificates are mapped to names.
+ The name is derived by considering each cert-to-name
+ list entry in order. The cert-to-name entry's fingerprint
+ determines whether the list entry is a match:
+
+ 1) If the cert-to-name list entry's fingerprint value
+ matches that of the presented certificate, then consider
+ the list entry a successful match.
+
+ 2) If the cert-to-name list entry's fingerprint value
+ matches that of a locally held copy of a trusted CA
+ certificate, and that CA certificate was part of the CA
+ certificate chain to the presented certificate, then
+ consider the list entry a successful match.
+
+ Once a matching cert-to-name list entry has been found, the
+ map-type is used to determine how the name associated with
+ the certificate should be determined. See the map-type
+ leaf's description for details on determining the name value.
+ If it is impossible to determine a name from the cert-to-name
+ list entry's data combined with the data presented in the
+ certificate, then additional cert-to-name list entries MUST
+ be searched to look for another potential match.
+
+ Security administrators are encouraged to make use of
+ certificates with subjectAltName fields that can be mapped to
+ names so that a single root CA certificate can allow all
+ child certificates' subjectAltName fields to map directly to
+ a name via a 1:1 transformation.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";
+
+ leaf id {
+ type uint32;
+ description
+ "The id specifies the order in which the entries in the
+ cert-to-name list are searched. Entries with lower
+ numbers are searched first.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol
+ (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
+ }
+
+ leaf fingerprint {
+ type x509c2n:tls-fingerprint;
+ mandatory true;
+ description
+ "Specifies a value with which the fingerprint of the
+ full certificate presented by the peer is compared. If
+ the fingerprint of the full certificate presented by the
+ peer does not match the fingerprint configured, then the
+ entry is skipped, and the search for a match continues.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol
+ (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
+ }
+
+ leaf map-type {
+ type identityref {
+ base cert-to-name;
+ }
+ mandatory true;
+ description
+ "Specifies the algorithm used to map the certificate
+ presented by the peer to a name.
+
+ Mappings that need additional configuration objects should
+ use the 'when' statement to make them conditional based on
+ the map-type.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol
+ (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";
+ }
+
+ leaf name {
+ when "../map-type = 'x509c2n:specified'";
+ type string;
+ mandatory true;
+ description
+ "Directly specifies the NETCONF username when the
+ map-type is 'specified'.";
+ reference
+ "RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol
+ (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";
+ }
+ }
+ }
+}
--- /dev/null
+../../ietf/ietf-crypto-types@2019-04-29.yang
\ No newline at end of file
--- /dev/null
+../../ietf/ietf-dhcpv6-common@2021-01-29.yang
\ No newline at end of file
--- /dev/null
+../../ietf/ietf-dhcpv6-types@2018-09-04.yang
\ No newline at end of file
--- /dev/null
+../../ietf/ietf-netconf-monitoring@2010-10-04.yang
\ No newline at end of file
--- /dev/null
+../../ietf/ietf-subscribed-notifications@2019-09-09.yang
\ No newline at end of file
--- /dev/null
+../../ietf/ietf-x509-cert-to-name@2014-12-10.yang
\ No newline at end of file