From: Martin Skorupski Date: Sat, 1 Apr 2023 12:00:15 +0000 (+0200) Subject: Add WG4 yangs published 2023-03 (v11) X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?p=scp%2Foam%2Fmodeling.git;a=commitdiff_plain;h=94328dd109a282fe2e2305cf43cf9ac8a5881165 Add WG4 yangs published 2023-03 (v11) - update ietf imports needed for WG4 OFHM v11 Issue-ID: OAM-322 Change-Id: Iddf4be1634c42d5177afe158b011070b4aa84880 Signed-off-by: Martin Skorupski --- diff --git a/data-model/yang/published/ietf/ietf-crypto-types@2019-04-29.yang b/data-model/yang/published/ietf/ietf-crypto-types@2019-04-29.yang new file mode 100644 index 0000000..1b94b03 --- /dev/null +++ b/data-model/yang/published/ietf/ietf-crypto-types@2019-04-29.yang @@ -0,0 +1,1783 @@ +module ietf-crypto-types { + yang-version 1.1; + namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types"; + prefix ct; + + import ietf-yang-types { + prefix yang; + reference + "RFC 6991: Common YANG Data Types"; + } + + import ietf-netconf-acm { + prefix nacm; + reference + "RFC 8341: Network Configuration Access Control Model"; + } + + organization + "IETF NETCONF (Network Configuration) Working Group"; + + contact + "WG Web: + WG List: + Author: Kent Watsen + Author: Wang Haiguang "; + + description + "This module defines common YANG types for cryptographic + applications. + + Copyright (c) 2019 IETF Trust and the persons identified + as authors of the code. All rights reserved. + + Redistribution and use in source and binary forms, with + or without modification, is permitted pursuant to, and + subject to the license terms contained in, the Simplified + BSD License set forth in Section 4.c of the IETF Trust's + Legal Provisions Relating to IETF Documents + (https://trustee.ietf.org/license-info). + + This version of this YANG module is part of RFC XXXX + (https://www.rfc-editor.org/info/rfcXXXX); see the RFC + itself for full legal notices.; + + The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', + 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', + 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document + are to be interpreted as described in BCP 14 (RFC 2119) + (RFC 8174) when, and only when, they appear in all + capitals, as shown here."; + + revision 2019-04-29 { + description + "Initial version"; + reference + "RFC XXXX: Common YANG Data Types for Cryptography"; + } + + /**************************************/ + /* Identities for Hash Algorithms */ + /**************************************/ + + identity hash-algorithm { + description + "A base identity for hash algorithm verification."; + } + + identity sha-224 { + base hash-algorithm; + description + "The SHA-224 algorithm."; + reference + "RFC 6234: US Secure Hash Algorithms."; + } + identity sha-256 { + base hash-algorithm; + description + "The SHA-256 algorithm."; + reference + "RFC 6234: US Secure Hash Algorithms."; + } + + identity sha-384 { + base hash-algorithm; + description + "The SHA-384 algorithm."; + reference + "RFC 6234: US Secure Hash Algorithms."; + } + + identity sha-512 { + base hash-algorithm; + description + "The SHA-512 algorithm."; + reference + "RFC 6234: US Secure Hash Algorithms."; + } + + /***********************************************/ + /* Identities for Asymmetric Key Algorithms */ + /***********************************************/ + + identity asymmetric-key-algorithm { + description + "Base identity from which all asymmetric key + encryption Algorithm."; + } + + identity rsa1024 { + base asymmetric-key-algorithm; + description + "The RSA algorithm using a 1024-bit key."; + reference + "RFC 8017: + PKCS #1: RSA Cryptography Specifications Version 2.2."; + } + + identity rsa2048 { + base asymmetric-key-algorithm; + description + "The RSA algorithm using a 2048-bit key."; + reference + "RFC 8017: + PKCS #1: RSA Cryptography Specifications Version 2.2."; + } + + identity rsa3072 { + base asymmetric-key-algorithm; + description + "The RSA algorithm using a 3072-bit key."; + reference + "RFC 8017: + PKCS #1: RSA Cryptography Specifications Version 2.2."; + } + + identity rsa4096 { + base asymmetric-key-algorithm; + description + "The RSA algorithm using a 4096-bit key."; + reference + "RFC 8017: + PKCS #1: RSA Cryptography Specifications Version 2.2."; + } + + identity rsa7680 { + base asymmetric-key-algorithm; + description + "The RSA algorithm using a 7680-bit key."; + reference + "RFC 8017: + PKCS #1: RSA Cryptography Specifications Version 2.2."; + } + + identity rsa15360 { + base asymmetric-key-algorithm; + description + "The RSA algorithm using a 15360-bit key."; + reference + "RFC 8017: + PKCS #1: RSA Cryptography Specifications Version 2.2."; + } + + identity secp192r1 { + base asymmetric-key-algorithm; + description + "The ECDSA algorithm using a NIST P256 Curve."; + reference + "RFC 6090: + Fundamental Elliptic Curve Cryptography Algorithms."; + } + identity secp224r1 { + base asymmetric-key-algorithm; + description + "The ECDSA algorithm using a NIST P256 Curve."; + reference + "RFC 6090: + Fundamental Elliptic Curve Cryptography Algorithms."; + } + + identity secp256r1 { + base asymmetric-key-algorithm; + description + "The ECDSA algorithm using a NIST P256 Curve."; + reference + "RFC 6090: + Fundamental Elliptic Curve Cryptography Algorithms."; + } + + identity secp384r1 { + base asymmetric-key-algorithm; + description + "The ECDSA algorithm using a NIST P256 Curve."; + reference + "RFC 6090: + Fundamental Elliptic Curve Cryptography Algorithms."; + } + + identity secp521r1 { + base asymmetric-key-algorithm; + description + "The ECDSA algorithm using a NIST P256 Curve."; + reference + "RFC 6090: + Fundamental Elliptic Curve Cryptography Algorithms."; + } + + /*************************************/ + /* Identities for MAC Algorithms */ + /*************************************/ + + identity mac-algorithm { + description + "A base identity for mac generation."; + } + + identity hmac-sha1 { + base mac-algorithm; + description + "Generating MAC using SHA1 hash function"; + reference + "RFC 3174: US Secure Hash Algorithm 1 (SHA1)"; + } + + identity hmac-sha1-96 { + base mac-algorithm; + description + "Generating MAC using SHA1 hash function"; + reference + "RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH"; + } + + identity hmac-sha2-224 { + base mac-algorithm; + description + "Generating MAC using SHA2 hash function"; + reference + "RFC 6234: + US Secure Hash Algorithms (SHA and SHA-based HMAC and + HKDF)"; + } + + identity hmac-sha2-256 { + base mac-algorithm; + description + "Generating MAC using SHA2 hash function"; + reference + "RFC 6234: + US Secure Hash Algorithms (SHA and SHA-based HMAC and + HKDF)"; + } + + identity hmac-sha2-256-128 { + base mac-algorithm; + description + "Generating a 256 bits MAC using SHA2 hash function and + truncate it to 128 bits"; + reference + "RFC 4868: + Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 + with IPsec"; + } + + identity hmac-sha2-384 { + base mac-algorithm; + description + "Generating MAC using SHA2 hash function"; + reference + "RFC 6234: + US Secure Hash Algorithms (SHA and SHA-based HMAC and + HKDF)"; + } + + identity hmac-sha2-384-192 { + base mac-algorithm; + description + "Generating a 384 bits MAC using SHA2 hash function and + truncate it to 192 bits"; + reference + "RFC 4868: + Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with + IPsec"; + } + + identity hmac-sha2-512 { + base mac-algorithm; + description + "Generating MAC using SHA2 hash function"; + reference + "RFC 6234: + US Secure Hash Algorithms (SHA and SHA-based HMAC and + HKDF)"; + } + + identity hmac-sha2-512-256 { + base mac-algorithm; + description + "Generating a 512 bits MAC using SHA2 hash function and + truncating it to 256 bits"; + reference + "RFC 4868: + Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with + IPsec"; + } + + identity aes-128-gmac { + base mac-algorithm; + description + "Generating MAC using the Advanced Encryption Standard (AES) + Galois Message Authentication Code (GMAC) as a mechanism to + provide data origin authentication"; + reference + "RFC 4543: + The Use of Galois Message Authentication Code (GMAC) in + IPsec ESP and AH"; + } + + identity aes-192-gmac { + base mac-algorithm; + description + "Generating MAC using the Advanced Encryption Standard (AES) + Galois Message Authentication Code (GMAC) as a mechanism to + provide data origin authentication"; + reference + "RFC 4543: + The Use of Galois Message Authentication Code (GMAC) in + IPsec ESP and AH"; + } + + identity aes-256-gmac { + base mac-algorithm; + description + "Generating MAC using the Advanced Encryption Standard (AES) + Galois Message Authentication Code (GMAC) as a mechanism to + provide data origin authentication"; + reference + "RFC 4543: + The Use of Galois Message Authentication Code (GMAC) in + IPsec ESP and AH"; + } + + identity aes-cmac-96 { + base mac-algorithm; + description + "Generating MAC using Advanced Encryption Standard (AES) + Cipher-based Message Authentication Code (CMAC)"; + reference + "RFC 4494: The AES-CMAC-96 Algorithm and its Use with IPsec"; + } + + identity aes-cmac-128 { + base mac-algorithm; + description + "Generating MAC using Advanced Encryption Standard (AES) + Cipher-based Message Authentication Code (CMAC)"; + reference + "RFC 4493: The AES-CMAC Algorithm"; + } + + /********************************************/ + /* Identities for Encryption Algorithms */ + /********************************************/ + + identity encryption-algorithm { + description + "A base identity for encryption algorithm."; + } + + identity aes-128-cbc { + base encryption-algorithm; + description + "Encrypt message with AES algorithm in CBC mode with a key + length of 128 bits"; + reference + "RFC 3565: + Use of the Advanced Encryption Standard (AES) Encryption + Algorithm in Cryptographic Message Syntax (CMS)"; + } + + identity aes-192-cbc { + base encryption-algorithm; + description + "Encrypt message with AES algorithm in CBC mode with a key + length of 192 bits"; + reference + "RFC 3565: + Use of the Advanced Encryption Standard (AES) Encryption + Algorithm in Cryptographic Message Syntax (CMS)"; + } + + identity aes-256-cbc { + base encryption-algorithm; + description + "Encrypt message with AES algorithm in CBC mode with a key + length of 256 bits"; + reference + "RFC 3565: + Use of the Advanced Encryption Standard (AES) Encryption + Algorithm in Cryptographic Message Syntax (CMS)"; + } + + identity aes-128-ctr { + base encryption-algorithm; + description + "Encrypt message with AES algorithm in CTR mode with a key + length of 128 bits"; + reference + "RFC 3686: + Using Advanced Encryption Standard (AES) Counter Mode with + IPsec Encapsulating Security Payload (ESP)"; + } + identity aes-192-ctr { + base encryption-algorithm; + description + "Encrypt message with AES algorithm in CTR mode with a key + length of 192 bits"; + reference + "RFC 3686: + Using Advanced Encryption Standard (AES) Counter Mode with + IPsec Encapsulating Security Payload (ESP)"; + } + + identity aes-256-ctr { + base encryption-algorithm; + description + "Encrypt message with AES algorithm in CTR mode with a key + length of 256 bits"; + reference + "RFC 3686: + Using Advanced Encryption Standard (AES) Counter Mode with + IPsec Encapsulating Security Payload (ESP)"; + } + + /****************************************************/ + /* Identities for Encryption and MAC Algorithms */ + /****************************************************/ + + identity encryption-and-mac-algorithm { + description + "A base identity for encryption and MAC algorithm."; + } + + identity aes-128-ccm { + base encryption-and-mac-algorithm; + description + "Encrypt message with AES algorithm in CCM mode with a key + length of 128 bits; it can also be used for generating MAC"; + reference + "RFC 4309: + Using Advanced Encryption Standard (AES) CCM Mode with + IPsec Encapsulating Security Payload (ESP)"; + } + + identity aes-192-ccm { + base encryption-and-mac-algorithm; + description + "Encrypt message with AES algorithm in CCM mode with a key + length of 192 bits; it can also be used for generating MAC"; + reference + "RFC 4309: + Using Advanced Encryption Standard (AES) CCM Mode with + IPsec Encapsulating Security Payload (ESP)"; + } + + identity aes-256-ccm { + base encryption-and-mac-algorithm; + description + "Encrypt message with AES algorithm in CCM mode with a key + length of 256 bits; it can also be used for generating MAC"; + reference + "RFC 4309: + Using Advanced Encryption Standard (AES) CCM Mode with + IPsec Encapsulating Security Payload (ESP)"; + } + + identity aes-128-gcm { + base encryption-and-mac-algorithm; + description + "Encrypt message with AES algorithm in GCM mode with a key + length of 128 bits; it can also be used for generating MAC"; + reference + "RFC 4106: + The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating + Security Payload (ESP)"; + } + + identity aes-192-gcm { + base encryption-and-mac-algorithm; + description + "Encrypt message with AES algorithm in GCM mode with a key + length of 192 bits; it can also be used for generating MAC"; + reference + "RFC 4106: + The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating + Security Payload (ESP)"; + } + + identity mac-aes-256-gcm { + base encryption-and-mac-algorithm; + description + "Encrypt message with AES algorithm in GCM mode with a key + length of 128 bits; it can also be used for generating MAC"; + reference + "RFC 4106: + The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating + Security Payload (ESP)"; + } + identity chacha20-poly1305 { + base encryption-and-mac-algorithm; + description + "Encrypt message with chacha20 algorithm and generate MAC with + POLY1305; it can also be used for generating MAC"; + reference + "RFC 8439: ChaCha20 and Poly1305 for IETF Protocols"; + } + + /******************************************/ + /* Identities for signature algorithm */ + /******************************************/ + + identity signature-algorithm { + description + "A base identity for asymmetric key encryption algorithm."; + } + + identity dsa-sha1 { + base signature-algorithm; + description + "The signature algorithm using DSA algorithm with SHA1 hash + algorithm"; + reference + "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; + } + + identity rsassa-pkcs1-sha1 { + base signature-algorithm; + description + "The signature algorithm using RSASSA-PKCS1-v1_5 with the SHA1 + hash algorithm."; + reference + "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; + } + + identity rsassa-pkcs1-sha256 { + base signature-algorithm; + description + "The signature algorithm using RSASSA-PKCS1-v1_5 with the + SHA256 hash algorithm."; + reference + "RFC 8332: + Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell + (SSH) Protocol + RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + identity rsassa-pkcs1-sha384 { + base signature-algorithm; + description + "The signature algorithm using RSASSA-PKCS1-v1_5 with the + SHA384 hash algorithm."; + reference + "RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity rsassa-pkcs1-sha512 { + base signature-algorithm; + description + "The signature algorithm using RSASSA-PKCS1-v1_5 with the + SHA512 hash algorithm."; + reference + "RFC 8332: + Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell + (SSH) Protocol + RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity rsassa-pss-rsae-sha256 { + base signature-algorithm; + description + "The signature algorithm using RSASSA-PSS with mask generation + function 1 and SHA256 hash algorithm. If the public key is + carried in an X.509 certificate, it MUST use the rsaEncryption + OID"; + reference + "RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity rsassa-pss-rsae-sha384 { + base signature-algorithm; + description + "The signature algorithm using RSASSA-PSS with mask generation + function 1 and SHA384 hash algorithm. If the public key is + carried in an X.509 certificate, it MUST use the rsaEncryption + OID"; + reference + "RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity rsassa-pss-rsae-sha512 { + base signature-algorithm; + description + "The signature algorithm using RSASSA-PSS with mask generation + function 1 and SHA512 hash algorithm. If the public key is + carried in an X.509 certificate, it MUST use the rsaEncryption + OID"; + reference + "RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity rsassa-pss-pss-sha256 { + base signature-algorithm; + description + "The signature algorithm using RSASSA-PSS with mask generation + function 1 and SHA256 hash algorithm. If the public key is + carried in an X.509 certificate, it MUST use the RSASSA-PSS + OID"; + reference + "RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity rsassa-pss-pss-sha384 { + base signature-algorithm; + description + "The signature algorithm using RSASSA-PSS with mask generation + function 1 and SHA256 hash algorithm. If the public key is + carried in an X.509 certificate, it MUST use the RSASSA-PSS + OID"; + reference + "RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity rsassa-pss-pss-sha512 { + base signature-algorithm; + description + "The signature algorithm using RSASSA-PSS with mask generation + function 1 and SHA256 hash algorithm. If the public key is + carried in an X.509 certificate, it MUST use the RSASSA-PSS + OID"; + reference + "RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity ecdsa-secp256r1-sha256 { + base signature-algorithm; + description + "The signature algorithm using ECDSA with curve name secp256r1 + and SHA256 hash algorithm."; + reference + "RFC 5656: Elliptic Curve Algorithm Integration in the + Secure Shell Transport Layer + RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity ecdsa-secp384r1-sha384 { + base signature-algorithm; + description + "The signature algorithm using ECDSA with curve name secp384r1 + and SHA384 hash algorithm."; + reference + "RFC 5656: Elliptic Curve Algorithm Integration in the + Secure Shell Transport Layer + RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity ecdsa-secp521r1-sha512 { + base signature-algorithm; + description + "The signature algorithm using ECDSA with curve name secp521r1 + and SHA512 hash algorithm."; + reference + "RFC 5656: Elliptic Curve Algorithm Integration in the + Secure Shell Transport Layer + RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity ed25519 { + base signature-algorithm; + description + "The signature algorithm using EdDSA as defined in RFC 8032 or + its successors."; + reference + "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)"; + } + + identity ed448 { + base signature-algorithm; + description + "The signature algorithm using EdDSA as defined in RFC 8032 or + its successors."; + reference + "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)"; + } + + identity eccsi { + base signature-algorithm; + description + "The signature algorithm using ECCSI signature as defined in + RFC 6507."; + reference + "RFC 6507: + Elliptic Curve-Based Certificateless Signatures for + Identity-based Encryption (ECCSI)"; + } + + /**********************************************/ + /* Identities for key exchange algorithms */ + /**********************************************/ + + identity key-exchange-algorithm { + description + "A base identity for Diffie-Hellman based key exchange + algorithm."; + } + + identity psk-only { + base key-exchange-algorithm; + description + "Using Pre-shared key for authentication and key exchange"; + reference + "RFC 4279: + Pre-Shared Key cipher suites for Transport Layer Security + (TLS)"; + } + + identity dhe-ffdhe2048 { + base key-exchange-algorithm; + description + "Ephemeral Diffie Hellman key exchange with 2048 bit + finite field"; + reference + "RFC 7919: + Negotiated Finite Field Diffie-Hellman Ephemeral Parameters + for Transport Layer Security (TLS)"; + } + + identity dhe-ffdhe3072 { + base key-exchange-algorithm; + description + "Ephemeral Diffie Hellman key exchange with 3072 bit finite + field"; + reference + "RFC 7919: + Negotiated Finite Field Diffie-Hellman Ephemeral Parameters + for Transport Layer Security (TLS)"; + } + + identity dhe-ffdhe4096 { + base key-exchange-algorithm; + description + "Ephemeral Diffie Hellman key exchange with 4096 bit + finite field"; + reference + "RFC 7919: + Negotiated Finite Field Diffie-Hellman Ephemeral Parameters + for Transport Layer Security (TLS)"; + } + + identity dhe-ffdhe6144 { + base key-exchange-algorithm; + description + "Ephemeral Diffie Hellman key exchange with 6144 bit + finite field"; + reference + "RFC 7919: + Negotiated Finite Field Diffie-Hellman Ephemeral Parameters + for Transport Layer Security (TLS)"; + } + + identity dhe-ffdhe8192 { + base key-exchange-algorithm; + description + "Ephemeral Diffie Hellman key exchange with 8192 bit + finite field"; + reference + "RFC 7919: + Negotiated Finite Field Diffie-Hellman Ephemeral Parameters + for Transport Layer Security (TLS)"; + } + + identity psk-dhe-ffdhe2048 { + base key-exchange-algorithm; + description + "Key exchange using pre-shared key with Diffie-Hellman key + generation mechanism, where the DH group is FFDHE2048"; + reference + "RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity psk-dhe-ffdhe3072 { + base key-exchange-algorithm; + description + "Key exchange using pre-shared key with Diffie-Hellman key + generation mechanism, where the DH group is FFDHE3072"; + reference + "RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity psk-dhe-ffdhe4096 { + base key-exchange-algorithm; + description + "Key exchange using pre-shared key with Diffie-Hellman key + generation mechanism, where the DH group is FFDHE4096"; + reference + "RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity psk-dhe-ffdhe6144 { + base key-exchange-algorithm; + description + "Key exchange using pre-shared key with Diffie-Hellman key + generation mechanism, where the DH group is FFDHE6144"; + reference + "RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity psk-dhe-ffdhe8192 { + base key-exchange-algorithm; + description + "Key exchange using pre-shared key with Diffie-Hellman key + generation mechanism, where the DH group is FFDHE8192"; + reference + "RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity ecdhe-secp256r1 { + base key-exchange-algorithm; + description + "Ephemeral Diffie Hellman key exchange with elliptic group + over curve secp256r1"; + reference + "RFC 8422: + Elliptic Curve Cryptography (ECC) Cipher Suites for + Transport Layer Security (TLS) Versions 1.2 and Earlier"; + } + + identity ecdhe-secp384r1 { + base key-exchange-algorithm; + description + "Ephemeral Diffie Hellman key exchange with elliptic group + over curve secp384r1"; + reference + "RFC 8422: + Elliptic Curve Cryptography (ECC) Cipher Suites for + Transport Layer Security (TLS) Versions 1.2 and Earlier"; + } + + identity ecdhe-secp521r1 { + base key-exchange-algorithm; + description + "Ephemeral Diffie Hellman key exchange with elliptic group + over curve secp521r1"; + reference + "RFC 8422: + Elliptic Curve Cryptography (ECC) Cipher Suites for + Transport Layer Security (TLS) Versions 1.2 and Earlier"; + } + + identity ecdhe-x25519 { + base key-exchange-algorithm; + description + "Ephemeral Diffie Hellman key exchange with elliptic group + over curve x25519"; + reference + "RFC 8422: + Elliptic Curve Cryptography (ECC) Cipher Suites for + Transport Layer Security (TLS) Versions 1.2 and Earlier"; + } + + identity ecdhe-x448 { + base key-exchange-algorithm; + description + "Ephemeral Diffie Hellman key exchange with elliptic group + over curve x448"; + reference + "RFC 8422: + Elliptic Curve Cryptography (ECC) Cipher Suites for + Transport Layer Security (TLS) Versions 1.2 and Earlier"; + } + + identity psk-ecdhe-secp256r1 { + base key-exchange-algorithm; + description + "Key exchange using pre-shared key with elliptic group-based + Ephemeral Diffie Hellman key exchange over curve secp256r1"; + reference + "RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity psk-ecdhe-secp384r1 { + base key-exchange-algorithm; + description + "Key exchange using pre-shared key with elliptic group-based + Ephemeral Diffie Hellman key exchange over curve secp384r1"; + reference + "RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity psk-ecdhe-secp521r1 { + base key-exchange-algorithm; + description + "Key exchange using pre-shared key with elliptic group-based + Ephemeral Diffie Hellman key exchange over curve secp521r1"; + reference + "RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity psk-ecdhe-x25519 { + base key-exchange-algorithm; + description + "Key exchange using pre-shared key with elliptic group-based + Ephemeral Diffie Hellman key exchange over curve x25519"; + reference + "RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity psk-ecdhe-x448 { + base key-exchange-algorithm; + description + "Key exchange using pre-shared key with elliptic group-based + Ephemeral Diffie Hellman key exchange over curve x448"; + reference + "RFC 8446: + The Transport Layer Security (TLS) Protocol Version 1.3"; + } + + identity diffie-hellman-group14-sha1 { + base key-exchange-algorithm; + description + "Using DH group14 and SHA1 for key exchange"; + reference + "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; + } + + identity diffie-hellman-group14-sha256 { + base key-exchange-algorithm; + description + "Using DH group14 and SHA256 for key exchange"; + reference + "RFC 8268: + More Modular Exponentiation (MODP) Diffie-Hellman (DH) + Key Exchange (KEX) Groups for Secure Shell (SSH)"; + } + + identity diffie-hellman-group15-sha512 { + base key-exchange-algorithm; + description + "Using DH group15 and SHA512 for key exchange"; + reference + "RFC 8268: + More Modular Exponentiation (MODP) Diffie-Hellman (DH) + Key Exchange (KEX) Groups for Secure Shell (SSH)"; + } + + identity diffie-hellman-group16-sha512 { + base key-exchange-algorithm; + description + "Using DH group16 and SHA512 for key exchange"; + reference + "RFC 8268: + More Modular Exponentiation (MODP) Diffie-Hellman (DH) + Key Exchange (KEX) Groups for Secure Shell (SSH)"; + } + + identity diffie-hellman-group17-sha512 { + base key-exchange-algorithm; + description + "Using DH group17 and SHA512 for key exchange"; + + reference + "RFC 8268: + More Modular Exponentiation (MODP) Diffie-Hellman (DH) + Key Exchange (KEX) Groups for Secure Shell (SSH)"; + } + + identity diffie-hellman-group18-sha512 { + base key-exchange-algorithm; + description + "Using DH group18 and SHA512 for key exchange"; + reference + "RFC 8268: + More Modular Exponentiation (MODP) Diffie-Hellman (DH) + Key Exchange (KEX) Groups for Secure Shell (SSH)"; + } + + identity ecdh-sha2-secp256r1 { + base key-exchange-algorithm; + description + "Elliptic curve-based Diffie Hellman key exchange over curve + secp256r1 and using SHA2 for MAC generation"; + reference + "RFC 6239: Suite B Cryptographic Suites for Secure Shell + (SSH)"; + } + + identity ecdh-sha2-secp384r1 { + base key-exchange-algorithm; + description + "Elliptic curve-based Diffie Hellman key exchange over curve + secp384r1 and using SHA2 for MAC generation"; + reference + "RFC 6239: Suite B Cryptographic Suites for Secure Shell + (SSH)"; + } + + identity rsaes-oaep { + base key-exchange-algorithm; + description + "RSAES-OAEP combines the RSAEP and RSADP primitives with the + EME-OAEP encoding method"; + reference + "RFC 8017: + PKCS #1: RSA Cryptography Specifications Version 2.2."; + } + + identity rsaes-pkcs1-v1_5 { + base key-exchange-algorithm; + description + " RSAES-PKCS1-v1_5 combines the RSAEP and RSADP primitives + with the EME-PKCS1-v1_5 encoding method"; + reference + "RFC 8017: + PKCS #1: RSA Cryptography Specifications Version 2.2."; + } + + /**********************************************************/ + /* Typedefs for identityrefs to above base identities */ + /**********************************************************/ + + typedef hash-algorithm-ref { + type identityref { + base hash-algorithm; + } + description + "This typedef enables importing modules to easily define an + identityref to the 'hash-algorithm' base identity."; + } + + typedef signature-algorithm-ref { + type identityref { + base signature-algorithm; + } + description + "This typedef enables importing modules to easily define an + identityref to the 'signature-algorithm' base identity."; + } + + typedef mac-algorithm-ref { + type identityref { + base mac-algorithm; + } + description + "This typedef enables importing modules to easily define an + identityref to the 'mac-algorithm' base identity."; + } + + typedef encryption-algorithm-ref { + type identityref { + base encryption-algorithm; + } + description + "This typedef enables importing modules to easily define an + identityref to the 'encryption-algorithm' + base identity."; + } + + typedef encryption-and-mac-algorithm-ref { + type identityref { + base encryption-and-mac-algorithm; + } + description + "This typedef enables importing modules to easily define an + identityref to the 'encryption-and-mac-algorithm' + base identity."; + } + + typedef asymmetric-key-algorithm-ref { + type identityref { + base asymmetric-key-algorithm; + } + description + "This typedef enables importing modules to easily define an + identityref to the 'asymmetric-key-algorithm' + base identity."; + } + + typedef key-exchange-algorithm-ref { + type identityref { + base key-exchange-algorithm; + } + description + "This typedef enables importing modules to easily define an + identityref to the 'key-exchange-algorithm' base identity."; + } + + /***************************************************/ + /* Typedefs for ASN.1 structures from RFC 5280 */ + /***************************************************/ + + typedef x509 { + type binary; + description + "A Certificate structure, as specified in RFC 5280, + encoded using ASN.1 distinguished encoding rules (DER), + as specified in ITU-T X.690."; + reference + "RFC 5280: + Internet X.509 Public Key Infrastructure Certificate + and Certificate Revocation List (CRL) Profile + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)."; + } + + typedef crl { + type binary; + description + "A CertificateList structure, as specified in RFC 5280, + encoded using ASN.1 distinguished encoding rules (DER), + as specified in ITU-T X.690."; + reference + "RFC 5280: + Internet X.509 Public Key Infrastructure Certificate + and Certificate Revocation List (CRL) Profile + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)."; + } + + /***********************************************/ + /* Typedefs for ASN.1 structures from 5652 */ + /***********************************************/ + + typedef cms { + type binary; + description + "A ContentInfo structure, as specified in RFC 5652, + encoded using ASN.1 distinguished encoding rules (DER), + as specified in ITU-T X.690."; + reference + "RFC 5652: + Cryptographic Message Syntax (CMS) + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)."; + } + + typedef data-content-cms { + type cms; + description + "A CMS structure whose top-most content type MUST be the + data content type, as described by Section 4 in RFC 5652."; + reference + "RFC 5652: Cryptographic Message Syntax (CMS)"; + } + + typedef signed-data-cms { + type cms; + description + "A CMS structure whose top-most content type MUST be the + signed-data content type, as described by Section 5 in + RFC 5652."; + reference + "RFC 5652: Cryptographic Message Syntax (CMS)"; + } + + typedef enveloped-data-cms { + type cms; + description + "A CMS structure whose top-most content type MUST be the + enveloped-data content type, as described by Section 6 + in RFC 5652."; + reference + "RFC 5652: Cryptographic Message Syntax (CMS)"; + } + + typedef digested-data-cms { + type cms; + description + "A CMS structure whose top-most content type MUST be the + digested-data content type, as described by Section 7 + in RFC 5652."; + reference + "RFC 5652: Cryptographic Message Syntax (CMS)"; + } + + typedef encrypted-data-cms { + type cms; + description + "A CMS structure whose top-most content type MUST be the + encrypted-data content type, as described by Section 8 + in RFC 5652."; + reference + "RFC 5652: Cryptographic Message Syntax (CMS)"; + } + + typedef authenticated-data-cms { + type cms; + description + "A CMS structure whose top-most content type MUST be the + authenticated-data content type, as described by Section 9 + in RFC 5652."; + reference + "RFC 5652: Cryptographic Message Syntax (CMS)"; + } + + /***************************************************/ + /* Typedefs for structures related to RFC 4253 */ + /***************************************************/ + + typedef ssh-host-key { + type binary; + description + "The binary public key data for this SSH key, as + specified by RFC 4253, Section 6.6, i.e.: + + string certificate or public key format + identifier + byte[n] key/certificate data."; + reference + "RFC 4253: The Secure Shell (SSH) Transport Layer + Protocol"; + } + + /*********************************************************/ + /* Typedefs for ASN.1 structures related to RFC 5280 */ + /*********************************************************/ + + typedef trust-anchor-cert-x509 { + type x509; + description + "A Certificate structure that MUST encode a self-signed + root certificate."; + } + + typedef end-entity-cert-x509 { + type x509; + description + "A Certificate structure that MUST encode a certificate + that is neither self-signed nor having Basic constraint + CA true."; + } + + /*********************************************************/ + /* Typedefs for ASN.1 structures related to RFC 5652 */ + /*********************************************************/ + + typedef trust-anchor-cert-cms { + type signed-data-cms; + description + "A CMS SignedData structure that MUST contain the chain of + X.509 certificates needed to authenticate the certificate + presented by a client or end-entity. + + The CMS MUST contain only a single chain of certificates. + The client or end-entity certificate MUST only authenticate + to last intermediate CA certificate listed in the chain. + + In all cases, the chain MUST include a self-signed root + certificate. In the case where the root certificate is + itself the issuer of the client or end-entity certificate, + only one certificate is present. + + This CMS structure MAY (as applicable where this type is + used) also contain suitably fresh (as defined by local + policy) revocation objects with which the device can + verify the revocation status of the certificates. + + This CMS encodes the degenerate form of the SignedData + structure that is commonly used to disseminate X.509 + certificates and revocation objects (RFC 5280)."; + reference + "RFC 5280: + Internet X.509 Public Key Infrastructure Certificate + and Certificate Revocation List (CRL) Profile."; + } + + typedef end-entity-cert-cms { + type signed-data-cms; + description + "A CMS SignedData structure that MUST contain the end + entity certificate itself, and MAY contain any number + of intermediate certificates leading up to a trust + anchor certificate. The trust anchor certificate + MAY be included as well. + + The CMS MUST contain a single end entity certificate. + The CMS MUST NOT contain any spurious certificates. + + This CMS structure MAY (as applicable where this type is + used) also contain suitably fresh (as defined by local + policy) revocation objects with which the device can + verify the revocation status of the certificates. + + This CMS encodes the degenerate form of the SignedData + structure that is commonly used to disseminate X.509 + certificates and revocation objects (RFC 5280)."; + reference + "RFC 5280: + Internet X.509 Public Key Infrastructure Certificate + and Certificate Revocation List (CRL) Profile."; + } + + /**********************************************/ + /* Groupings for keys and/or certificates */ + /**********************************************/ + + grouping public-key-grouping { + description + "A public key. + + The 'algorithm' and 'public-key' nodes are not + mandatory because they MAY be defined in . + Implementations SHOULD assert that these values are + either configured or that they exist in ."; + leaf algorithm { + nacm:default-deny-write; + type asymmetric-key-algorithm-ref; + must '../public-key'; + description + "Identifies the key's algorithm. More specifically, + this leaf specifies how the 'public-key' binary leaf + is encoded."; + reference + "RFC CCCC: Common YANG Data Types for Cryptography"; + } + leaf public-key { + nacm:default-deny-write; + type binary; + must '../algorithm'; + description + "A binary that contains the value of the public key. The + interpretation of the content is defined by the key + algorithm. For example, a DSA key is an integer, an RSA + key is represented as RSAPublicKey as defined in + RFC 8017, and an Elliptic Curve Cryptography (ECC) key + is represented using the 'publicKey' described in + RFC 5915."; + reference + "RFC 8017: Public-Key Cryptography Standards (PKCS) #1: + RSA Cryptography Specifications Version 2.2. + RFC 5915: Elliptic Curve Private Key Structure."; + } + } + + grouping asymmetric-key-pair-grouping { + description + "A private/public key pair. + The 'algorithm', 'public-key', and 'private-key' nodes are + not mandatory because they MAY be defined in . + Implementations SHOULD assert that these values are either + configured or that they exist in ."; + uses public-key-grouping; + leaf private-key { + nacm:default-deny-all; + type union { + type binary; + type enumeration { + enum permanently-hidden { + description + "The private key is inaccessible due to being + protected by the system (e.g., a cryptographic + hardware module). + + How such keys are backed-up and restored, if + at all, is implementation specific. + + Servers MUST fail any attempt by a client to + configure this value directly. This value is + not set by clients, but rather is set by the + 'generate-hidden-key' and 'install-hidden-key' + actions."; + } + } + } + must '../public-key'; + description + "A binary that contains the value of the private key. The + interpretation of the content is defined by the key + algorithm. For example, a DSA key is an integer, an RSA + key is represented as RSAPrivateKey as defined in + RFC 8017, and an Elliptic Curve Cryptography (ECC) key + is represented as ECPrivateKey as defined in RFC 5915."; + reference + "RFC 8017: Public-Key Cryptography Standards (PKCS) #1: + RSA Cryptography Specifications Version 2.2. + RFC 5915: Elliptic Curve Private Key Structure."; + } // private-key + + action generate-hidden-key { + nacm:default-deny-all; + description + "Requests the device to generate a hidden key using the + specified asymmetric key algorithm. This action is + used to request the system to generate a key that is + 'permanently-hidden', perhaps protected by a cryptographic + hardware module. The resulting asymmetric key values are + considered operational state and hence present only in + and bound to the lifetime of the parent + 'config true' node. Subsequent invocations of this or + the 'install-hidden-key' action are denied with error-tag + 'data-exists'."; + input { + leaf algorithm { + type asymmetric-key-algorithm-ref; + mandatory true; + description + "The algorithm to be used when generating the + asymmetric key."; + reference + "RFC CCCC: Common YANG Data Types for Cryptography"; + } + } + } // generate-hidden-key + + action install-hidden-key { + nacm:default-deny-all; + description + "Requests the device to load the specified values into + a hidden key. The resulting asymmetric key values are + considered operational state and hence present only in + and bound to the lifetime of the parent + 'config true' node. Subsequent invocations of this + or the 'generate-hidden-key' action are denied with + error-tag 'data-exists'."; + input { + leaf algorithm { + type asymmetric-key-algorithm-ref; + mandatory true; + description + "The algorithm to be used when generating the + asymmetric key."; + reference + "RFC CCCC: Common YANG Data Types for Cryptography"; + } + leaf public-key { + type binary; + description + "A binary that contains the value of the public key. + The interpretation of the content is defined by the key + algorithm. For example, a DSA key is an integer, an + RSA key is represented as RSAPublicKey as defined in + RFC 8017, and an Elliptic Curve Cryptography (ECC) key + is represented using the 'publicKey' described in + RFC 5915."; + reference + "RFC 8017: Public-Key Cryptography Standards (PKCS) #1: + RSA Cryptography Specifications Version 2.2. + RFC 5915: Elliptic Curve Private Key Structure."; + } + leaf private-key { + type binary; + description + "A binary that contains the value of the private key. + The interpretation of the content is defined by the key + algorithm. For example, a DSA key is an integer, an RSA + key is represented as RSAPrivateKey as defined in + RFC 8017, and an Elliptic Curve Cryptography (ECC) key + is represented as ECPrivateKey as defined in RFC 5915."; + reference + "RFC 8017: Public-Key Cryptography Standards (PKCS) #1: + RSA Cryptography Specifications Version 2.2. + RFC 5915: Elliptic Curve Private Key Structure."; + } + } + } // install-hidden-key + } // asymmetric-key-pair-grouping + + + grouping trust-anchor-cert-grouping { + description + "A trust anchor certificate, and a notification for when + it is about to (or already has) expire."; + leaf cert { + nacm:default-deny-write; + type trust-anchor-cert-cms; + description + "The binary certificate data for this certificate."; + reference + "RFC YYYY: Common YANG Data Types for Cryptography"; + } + notification certificate-expiration { + description + "A notification indicating that the configured certificate + is either about to expire or has already expired. When to + send notifications is an implementation specific decision, + but it is RECOMMENDED that a notification be sent once a + month for 3 months, then once a week for four weeks, and + then once a day thereafter until the issue is resolved."; + leaf expiration-date { + type yang:date-and-time; + mandatory true; + description + "Identifies the expiration date on the certificate."; + } + } + } + + grouping trust-anchor-certs-grouping { + description + "A list of trust anchor certificates, and a notification + for when one is about to (or already has) expire."; + leaf-list cert { + nacm:default-deny-write; + type trust-anchor-cert-cms; + description + "The binary certificate data for this certificate."; + reference + "RFC YYYY: Common YANG Data Types for Cryptography"; + } + notification certificate-expiration { + description + "A notification indicating that the configured certificate + is either about to expire or has already expired. When to + send notifications is an implementation specific decision, + but it is RECOMMENDED that a notification be sent once a + month for 3 months, then once a week for four weeks, and + then once a day thereafter until the issue is resolved."; + leaf expiration-date { + type yang:date-and-time; + mandatory true; + description + "Identifies the expiration date on the certificate."; + } + } + } + + grouping end-entity-cert-grouping { + description + "An end entity certificate, and a notification for when + it is about to (or already has) expire."; + leaf cert { + nacm:default-deny-write; + type end-entity-cert-cms; + description + "The binary certificate data for this certificate."; + reference + "RFC YYYY: Common YANG Data Types for Cryptography"; + } + notification certificate-expiration { + description + "A notification indicating that the configured certificate + is either about to expire or has already expired. When to + send notifications is an implementation specific decision, + but it is RECOMMENDED that a notification be sent once a + month for 3 months, then once a week for four weeks, and + then once a day thereafter until the issue is resolved."; + leaf expiration-date { + type yang:date-and-time; + mandatory true; + description + "Identifies the expiration date on the certificate."; + } + } + } + + grouping end-entity-certs-grouping { + description + "A list of end entity certificates, and a notification for + when one is about to (or already has) expire."; + leaf-list cert { + nacm:default-deny-write; + type end-entity-cert-cms; + description + "The binary certificate data for this certificate."; + reference + "RFC YYYY: Common YANG Data Types for Cryptography"; + } + notification certificate-expiration { + description + "A notification indicating that the configured certificate + is either about to expire or has already expired. When to + send notifications is an implementation specific decision, + but it is RECOMMENDED that a notification be sent once a + month for 3 months, then once a week for four weeks, and + then once a day thereafter until the issue is resolved."; + leaf expiration-date { + type yang:date-and-time; + mandatory true; + description + "Identifies the expiration date on the certificate."; + } + } + } + + grouping asymmetric-key-pair-with-cert-grouping { + description + "A private/public key pair and an associated certificate."; + uses asymmetric-key-pair-grouping; + uses end-entity-cert-grouping; + + action generate-certificate-signing-request { + nacm:default-deny-all; + description + "Generates a certificate signing request structure for + the associated asymmetric key using the passed subject + and attribute values. The specified assertions need + to be appropriate for the certificate's use. For + example, an entity certificate for a TLS server + SHOULD have values that enable clients to satisfy + RFC 6125 processing."; + input { + leaf subject { + type binary; + mandatory true; + description + "The 'subject' field per the CertificationRequestInfo + structure as specified by RFC 2986, Section 4.1 + encoded using the ASN.1 distinguished encoding + rules (DER), as specified in ITU-T X.690."; + reference + "RFC 2986: + PKCS #10: Certification Request Syntax + Specification Version 1.7. + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)."; + } + leaf attributes { + type binary; + description + "The 'attributes' field from the structure + CertificationRequestInfo as specified by RFC 2986, + Section 4.1 encoded using the ASN.1 distinguished + encoding rules (DER), as specified in ITU-T X.690."; + reference + "RFC 2986: + PKCS #10: Certification Request Syntax + Specification Version 1.7. + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)."; + } + } + output { + leaf certificate-signing-request { + type binary; + mandatory true; + description + "A CertificationRequest structure as specified by + RFC 2986, Section 4.2 encoded using the ASN.1 + distinguished encoding rules (DER), as specified + in ITU-T X.690."; + reference + "RFC 2986: + PKCS #10: Certification Request Syntax + Specification Version 1.7. + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)."; + } + } + } // generate-certificate-signing-request + } // asymmetric-key-pair-with-cert-grouping + + + grouping asymmetric-key-pair-with-certs-grouping { + description + "A private/public key pair and associated certificates."; + uses asymmetric-key-pair-grouping; + container certificates { + nacm:default-deny-write; + description + "Certificates associated with this asymmetric key. + More than one certificate supports, for instance, + a TPM-protected asymmetric key that has both IDevID + and LDevID certificates associated."; + list certificate { + key "name"; + description + "A certificate for this asymmetric key."; + leaf name { + type string; + description + "An arbitrary name for the certificate. If the name + matches the name of a certificate that exists + independently in (i.e., an IDevID), + then the 'cert' node MUST NOT be configured."; + } + uses end-entity-cert-grouping; + } + } // certificates + + action generate-certificate-signing-request { + nacm:default-deny-all; + description + "Generates a certificate signing request structure for + the associated asymmetric key using the passed subject + and attribute values. The specified assertions need + to be appropriate for the certificate's use. For + example, an entity certificate for a TLS server + SHOULD have values that enable clients to satisfy + RFC 6125 processing."; + input { + leaf subject { + type binary; + mandatory true; + description + "The 'subject' field per the CertificationRequestInfo + structure as specified by RFC 2986, Section 4.1 + encoded using the ASN.1 distinguished encoding + rules (DER), as specified in ITU-T X.690."; + reference + "RFC 2986: + PKCS #10: Certification Request Syntax + Specification Version 1.7. + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)."; + } + leaf attributes { + type binary; + description + "The 'attributes' field from the structure + CertificationRequestInfo as specified by RFC 2986, + Section 4.1 encoded using the ASN.1 distinguished + encoding rules (DER), as specified in ITU-T X.690."; + reference + "RFC 2986: + PKCS #10: Certification Request Syntax + Specification Version 1.7. + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)."; + } + } + output { + leaf certificate-signing-request { + type binary; + mandatory true; + description + "A CertificationRequest structure as specified by + RFC 2986, Section 4.2 encoded using the ASN.1 + distinguished encoding rules (DER), as specified + in ITU-T X.690."; + reference + "RFC 2986: + PKCS #10: Certification Request Syntax + Specification Version 1.7. + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)."; + } + } + } // generate-certificate-signing-request + } // asymmetric-key-pair-with-certs-grouping +} diff --git a/data-model/yang/published/ietf/ietf-dhcpv6-common@2021-01-29.yang b/data-model/yang/published/ietf/ietf-dhcpv6-common@2021-01-29.yang new file mode 100644 index 0000000..8e35a05 --- /dev/null +++ b/data-model/yang/published/ietf/ietf-dhcpv6-common@2021-01-29.yang @@ -0,0 +1,316 @@ +module ietf-dhcpv6-common { + yang-version 1.1; + namespace "urn:ietf:params:xml:ns:yang:ietf-dhcpv6-common"; + prefix "dhcpv6-common"; + + import ietf-yang-types { + prefix yang; + reference + "RFC 6991: Common YANG Data Types"; + } + + organization "DHC WG"; + contact + "yong@csnet1.cs.tsinghua.edu.cn + lh.sunlinh@gmail.com + ian.farrer@telekom.de + sladjana.zechlin@telekom.de + hezihao9512@gmail.com"; + + description "This YANG module defines common components + used for the configuration and management of DHCPv6. + + Copyright (c) 2021 IETF Trust and the persons identified as + authors of the code. All rights reserved. + + Redistribution and use in source and binary forms, with or + without modification, is permitted pursuant to, and subject + to the license terms contained in, the Simplified BSD License + set forth in Section 4.c of the IETF Trust's Legal Provisions + Relating to IETF Documents + (http://trustee.ietf.org/license-info). + + This version of this YANG module is part of RFC 8513; see + the RFC itself for full legal notices."; + + revision 2021-01-29 { + description "Version update for draft -17 publication."; + reference "I-D: draft-ietf-dhc-dhcpv6-yang-17"; + } + + revision 2021-01-06 { + description "Version update for draft -16 publication."; + reference "I-D: draft-ietf-dhc-dhcpv6-yang-16"; + } + + revision 2020-12-22 { + description "Version update for draft -13 publication."; + reference "I-D: draft-ietf-dhc-dhcpv6-yang-15"; + } + + revision 2020-12-10 { + description "Version update for draft -13 publication."; + reference "I-D: draft-ietf-dhc-dhcpv6-yang-13"; + } + + revision 2020-12-01 { + description "Version update for draft -12 publication."; + reference "I-D: draft-ietf-dhc-dhcpv6-yang-12"; + } + + revision 2020-05-26 { + description "Version update for draft -11 publication and + to align revisions across the different modules."; + reference "I-D: draft-ietf-dhc-dhcpv6-yang-11"; + } + + revision 2018-09-04 { + description ""; + reference "I-D: draft-ietf-dhc-dhcpv6-yang"; + } + + revision 2018-01-30 { + description "Initial revision"; + reference "I-D: draft-ietf-dhc-dhcpv6-yang"; + } + + typedef threshold { + type union { + type uint16 { + range 0..100; + } + type enumeration { + enum "disabled" { + description "No threshold"; + } + } + } + description "Threshold value in percent"; + } + + typedef timer-seconds32 { + type uint32 { + range "1..4294967295"; + } + units "seconds"; + description + "Timer value type, in seconds (32-bit range)."; + } + +/* +* Groupings +*/ + + grouping duid { + description "Each server and client has only one DUID (DHCP + Unique Identifier). The DUID here identifies a unique + DHCPv6 server for clients. DUID consists of a two-octet + type field and an arbitrary length (no more than 128 bytes) + content field. Currently there are four defined types of + DUIDs in RFC8415 and RFC6355 - DUID-LLT, DUID-EN, DUID-LL + and DUID-UUID. DUID-unstructured represents DUIDs which + do not follow any of the defined formats."; + reference "RFC8415: Section 11 and RFC6355: Section 4"; + leaf type-code { + type uint16; + default 65535; + description "Type code of this DUID."; + } + choice duid-type { + default duid-unstructured; + description "Selects the format of the DUID."; + case duid-llt { + description "DUID Based on Link-layer Address Plus Time + (Type 1 - DUID-LLT)."; + reference "RFC8415 Section 11.2"; + leaf duid-llt-hardware-type { + type uint16; + description "Hardware type as assigned by IANA (RFC826)."; + } + leaf duid-llt-time { + type yang:timeticks; + description "The time that the DUID is generated + represented in seconds since midnight (UTC), + January 1, 2000, modulo 2^32."; + } + leaf duid-llt-link-layer-address { + type yang:mac-address; + description "Link-layer address as described in RFC2464."; + } + } + case duid-en { + description "DUID Assigned by Vendor Based on Enterprise + Number (Type 2 - DUID-EN)."; + reference "RFC8415 Section 11.3"; + leaf duid-en-enterprise-number { + type uint32; + description "Vendor's registered Private Enterprise Number + as maintained by IANA."; + } + leaf duid-en-identifier { + type string; + description "Identifier, unique to the device."; + } + } + case duid-ll { + description "DUID Based on Link-layer Address + (Type 3 - DUID-LL)."; + reference "RFC8415 Section 11.4"; + leaf duid-ll-hardware-type { + type uint16; + description "Hardware type, as assigned by IANA (RFC826)."; + } + leaf duid-ll-link-layer-address { + type yang:mac-address; + description "Link-layer address, as described in RFC2464"; + } + } + case duid-uuid { + description "DUID Based on Universally Unique Identifier + (Type 4 - DUID-UUID)."; + reference "RFC6335 Definition of the UUID-Based Unique + Identifier"; + leaf uuid { + type yang:uuid; + description "A Universally Unique Identifier in the string + representation, defined in RFC4122. The canonical + representation uses lowercase characters."; + } + } + case duid-unstructured { + description "DUID which does not follow any of the other + structures, expressed as bytes."; + leaf data { + type binary; + description "The bits to be used as the identifier."; + } + } + } + leaf active-duid { + type binary; + config "false"; + description "The DUID which is currently in use."; + } + } + + grouping auth-option-group { + description "OPTION_AUTH (11) Authentication Option."; + reference "RFC8415: Dynamic Host Configuration Protocol + for IPv6 (DHCPv6)"; + container auth-option { + description "OPTION_AUTH (11) Authentication Option + container."; + leaf protocol { + type uint8; + description "The authentication protocol used in this + Authentication option."; + } + leaf algorithm { + type uint8; + description "The algorithm used in the authentication + protocol."; + } + leaf rdm { + type uint8; + description "The replay detection method used + in this Authentication option."; + } + leaf replay-detection { + type uint64; + description "The replay detection information for the RDM."; + } + leaf auth-information { + type string; + description "The authentication information, as specified + by the protocol and algorithm used in this Authentication + option."; + } + } + } + grouping status-code-option-group { + description "OPTION_STATUS_CODE (13) Status Code Option."; + reference "RFC8415: Dynamic Host Configuration Protocol + for IPv6 (DHCPv6)"; + container status-code-option { + description "OPTION_STATUS_CODE (13) Status Code Option + container."; + leaf status-code { + type uint16; + description "The numeric code for the status encoded + in this option. See the Status Codes registry at + + for the current list of status codes."; + } + leaf status-message { + type string; + description "A UTF-8 encoded text string suitable for + display to an end user. MUST NOT be null-terminated."; + } + } + } + + grouping rapid-commit-option-group { + description "OPTION_RAPID_COMMIT (14) Rapid Commit Option."; + reference "RFC8415: Dynamic Host Configuration Protocol for + IPv6 (DHCPv6)"; + container rapid-commit-option { + presence "Enable sending of this option"; + description "OPTION_RAPID_COMMIT (14) Rapid Commit Option + container."; + } + } + + grouping vendor-specific-information-option-group { + description "OPTION_VENDOR_OPTS (17) Vendor-specific + Information Option."; + reference "RFC8415: Dynamic Host Configuration Protocol + for IPv6 (DHCPv6)"; + container vendor-specific-information-option { + description "OPTION_VENDOR_OPTS (17) Vendor-specific + Information Option container."; + list vendor-specific-information-option-instances { + key enterprise-number; + description "The vendor specific information option allows + for multiple instances in a single message. Each list entry + defines the contents of an instance of the option."; + leaf enterprise-number { + type uint32; + description "The vendor's registered Enterprise Number, + as maintained by IANA."; + } + list vendor-option-data { + key sub-option-code; + description "Vendor options, interpreted by vendor-specific + client/server functions."; + leaf sub-option-code { + type uint16; + description "The code for the sub-option."; + } + leaf sub-option-data { + type string; + description "The data area for the sub-option."; + } + } + } + } + } + + grouping reconfigure-accept-option-group { + description "OPTION_RECONF_ACCEPT (20) Reconfigure Accept + Option. + A client uses the Reconfigure Accept option to announce to + the server whether the client is willing to accept Reconfigure + messages, and a server uses this option to tell the client + whether or not to accept Reconfigure messages. In the absence + of this option, the default behavior is that the client is + unwilling to accept Reconfigure messages. The presence node + is used to enable the option."; + reference "RFC8415: Dynamic Host Configuration Protocol + for IPv6 (DHCPv6)"; + container reconfigure-accept-option { + presence "Enable sending of this option"; + description "OPTION_RECONF_ACCEPT (20) Reconfigure Accept + Option container."; + } + } +} diff --git a/data-model/yang/published/ietf/ietf-dhcpv6-types@2018-09-04.yang b/data-model/yang/published/ietf/ietf-dhcpv6-types@2018-09-04.yang new file mode 100644 index 0000000..67bb1f1 --- /dev/null +++ b/data-model/yang/published/ietf/ietf-dhcpv6-types@2018-09-04.yang @@ -0,0 +1,211 @@ +module ietf-dhcpv6-types { + yang-version 1.1; + namespace "urn:ietf:params:xml:ns:yang:ietf-dhcpv6-types"; + prefix "dhcpv6-types"; + + import ietf-inet-types { + prefix inet; + } + import ietf-yang-types { + prefix yang; + } + + organization "DHC WG"; + contact + "cuiyong@tsinghua.edu.cn + lh.sunlinh@gmail.com + ian.farrer@telekom.de + sladjana.zechlin@telekom.de + hezihao9512@gmail.com"; + + description "This model defines a YANG data model that can be + used to define some commonly used DHCPv6 types"; + + revision 2018-09-04 { + description ""; + reference "I-D: draft-ietf-dhc-dhcpv6-yang"; + } + + revision 2018-01-30 { + description "Initial revision"; + reference "I-D: draft-ietf-dhc-dhcpv6-yang"; + } + + /* + * Grouping + */ + grouping vendor-infor { + description "Vendor information."; + container vendor-info { + description ""; + leaf ent-num { + type uint32; + mandatory true; + description "enterprise number"; + } + leaf-list data { + type string; + description "specific vendor info"; + } + } + } + + grouping duid { + description + "Each server and client has only one DUID (DHCP Unique Identifier). + The DUID here identifies a unique DHCPv6 server for clients. DUID + consists of a two-octet type field and an arbitrary length (no more + than 128 bytes) content field. Currently there are four defined types + of DUIDs in RFC3315 and RFC6355 - DUID-LLT, DUID-EN, DUID-LL and + DUID-UUID. DUID-Unknown represents those unconventional DUIDs."; + reference "RFC3315: Section 9 and RFC6355: Section 4"; + leaf type-code { + type uint16; + default 65535; + description "Type code of this DUID"; + } + choice duid-type { + default duid-unknown; + description "Selects the format for the DUID."; + case duid-llt { + description "DUID Based on Link-layer Address Plus Time + (Type 1 - DUID-LLT)"; + reference "RFC3315 Section 9.2"; + leaf duid-llt-hardware-type { + type uint16; + description "Hardware type as assigned by IANA (RFC826)."; + } + leaf duid-llt-time { + type yang:timeticks; + description "The time value is the time that the DUID is + generated represented in seconds since midnight (UTC), + January 1, 2000, modulo 2^32."; + } + leaf duid-llt-link-layer-addr { + type yang:mac-address; + description "Link-layer address as described in RFC2464"; + } + } + case duid-en { + description "DUID Assigned by Vendor Based on Enterprise Number + (Type 2 - DUID-EN)"; + reference "RFC3315 Section 9.3"; + leaf duid-en-enterprise-number { + type uint32; + description "Vendor's registered Private Enterprise Number as + maintained by IANA"; + } + leaf duid-en-identifier { + type string; + description "Identifier, unique to the device that is + using it"; + } + } + case duid-ll { + description "DUID Based on Link-layer Address (Type 3 - DUID-LL)"; + reference "RFC3315 Section 9.4"; + leaf duid-ll-hardware-type { + type uint16; + description "Hardware type as assigned by IANA (RFC826)."; + } + leaf duid-ll-link-layer-addr { + type yang:mac-address; + description "Link-layer address as described in RFC2464"; + } + } + case duid-uuid { + description "DUID Based on Universally Unique Identifier + (Type 4 - DUID-UUID)"; + reference "RFC6335 Definition of the UUID-Based Unique Identifier"; + leaf uuid { + type yang:uuid; + description "A Universally Unique IDentifier in the string + representation defined in RFC 4122. The canonical + representation uses lowercase characters"; + } + } + case duid-unknown { + description "DUID based on free raw bytes"; + leaf data { + type binary; + description "The bits to be used as the identifier"; + } + } + } + } + + grouping portset-param { + description "portset parameters"; + container port-parameter { + description "port parameter"; + leaf offset { + type uint8; + mandatory true; + description "offset in a port set"; + } + leaf psid-len { + type uint8; + mandatory true; + description "length of a psid"; + } + leaf psid { + type uint16; + mandatory true; + description "psid value"; + } + } + } + + grouping iaid { + description "IA is a construct through which a server and a + client can identify, group, and manage a set of related IPv6 + addresses. The key of the list is a 4-byte number IAID defined + in [RFC3315]."; + list identity-association { + config "false"; + description "IA"; + leaf iaid { + type uint32; + mandatory true; + description "IAID"; + } + leaf ia-type { + type string; + mandatory true; + description "IA type"; + } + leaf-list ipv6-addr { + type inet:ipv6-address; + description "ipv6 address"; + } + leaf-list ipv6-prefix { + type inet:ipv6-prefix; + description "ipv6 prefix"; + } + leaf-list prefix-length { + type uint8; + description "ipv6 prefix length"; + } + leaf t1-time { + type yang:timeticks; + mandatory true; + description "t1 time"; + } + leaf t2-time { + type yang:timeticks; + mandatory true; + description "t2 time"; + } + leaf preferred-lifetime { + type yang:timeticks; + mandatory true; + description "preferred lifetime"; + } + leaf valid-lifetime { + type yang:timeticks; + mandatory true; + description "valid lifetime"; + } + } + } +} diff --git a/data-model/yang/published/ietf/ietf-subscribed-notifications@2019-09-09.yang b/data-model/yang/published/ietf/ietf-subscribed-notifications@2019-09-09.yang new file mode 100644 index 0000000..5c08cc0 --- /dev/null +++ b/data-model/yang/published/ietf/ietf-subscribed-notifications@2019-09-09.yang @@ -0,0 +1,1325 @@ +module ietf-subscribed-notifications { + yang-version 1.1; + namespace "urn:ietf:params:xml:ns:yang:ietf-subscribed-notifications"; + prefix sn; + + import ietf-inet-types { + prefix inet; + reference + "RFC 6991: Common YANG Data Types"; + } + import ietf-interfaces { + prefix if; + reference + "RFC 8343: A YANG Data Model for Interface Management"; + } + import ietf-netconf-acm { + prefix nacm; + reference + "RFC 8341: Network Configuration Access Control Model"; + } + import ietf-network-instance { + prefix ni; + reference + "RFC 8529: YANG Data Model for Network Instances"; + } + import ietf-restconf { + prefix rc; + reference + "RFC 8040: RESTCONF Protocol"; + } + import ietf-yang-types { + prefix yang; + reference + "RFC 6991: Common YANG Data Types"; + } + + organization + "IETF NETCONF (Network Configuration) Working Group"; + contact + "WG Web: + WG List: + Author: Alexander Clemm + + Author: Eric Voit + + Author: Alberto Gonzalez Prieto + + Author: Einar Nilsen-Nygaard + + Author: Ambika Prasad Tripathy + "; + description + "This module defines a YANG data model for subscribing to event + records and receiving matching content in notification messages. + The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL + NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', + 'MAY', and 'OPTIONAL' in this document are to be interpreted as + described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, + they appear in all capitals, as shown here. + Copyright (c) 2019 IETF Trust and the persons identified as + authors of the code. All rights reserved. + Redistribution and use in source and binary forms, with or + without modification, is permitted pursuant to, and subject to + the license terms contained in, the Simplified BSD License set + forth in Section 4.c of the IETF Trust's Legal Provisions + Relating to IETF Documents + (https://trustee.ietf.org/license-info). + This version of this YANG module is part of RFC 8639; see the + RFC itself for full legal notices."; + + revision 2019-09-09 { + description + "Initial version."; + reference + "RFC 8639: A YANG Data Model for Subscriptions to + Event Notifications"; + } + + /* + * FEATURES + */ + + feature configured { + description + "This feature indicates that configuration of subscriptions is + supported."; + } + + feature dscp { + description + "This feature indicates that a publisher supports the ability + to set the Differentiated Services Code Point (DSCP) value in + outgoing packets."; + } + + feature encode-json { + description + "This feature indicates that JSON encoding of notification + messages is supported."; + } + + feature encode-xml { + description + "This feature indicates that XML encoding of notification + messages is supported."; + } + + feature interface-designation { + description + "This feature indicates that a publisher supports sourcing all + receiver interactions for a configured subscription from a + single designated egress interface."; + } + + feature qos { + description + "This feature indicates that a publisher supports absolute + dependencies of one subscription's traffic over another + as well as weighted bandwidth sharing between subscriptions. + Both of these are Quality of Service (QoS) features that allow + differentiated treatment of notification messages between a + publisher and a specific receiver."; + } + + feature replay { + description + "This feature indicates that historical event record replay is + supported. With replay, it is possible for past event records + to be streamed in chronological order."; + } + + feature subtree { + description + "This feature indicates support for YANG subtree filtering."; + reference + "RFC 6241: Network Configuration Protocol (NETCONF), + Section 6"; + } + + feature supports-vrf { + description + "This feature indicates that a publisher supports VRF + configuration for configured subscriptions. VRF support for + dynamic subscriptions does not require this feature."; + reference + "RFC 8529: YANG Data Model for Network Instances, + Section 6"; + } + + feature xpath { + description + "This feature indicates support for XPath filtering."; + reference + "XML Path Language (XPath) Version 1.0 + (https://www.w3.org/TR/1999/REC-xpath-19991116)"; + } + + /* + * EXTENSIONS + */ + + extension subscription-state-notification { + description + "This statement applies only to notifications. It indicates + that the notification is a subscription state change + notification. Therefore, it does not participate in a regular + event stream and does not need to be specifically subscribed + to in order to be received. This statement can only occur as + a substatement of the YANG 'notification' statement. This + statement is not for use outside of this YANG module."; + } + + /* + * IDENTITIES + */ + /* Identities for RPC and notification errors */ + + identity delete-subscription-error { + description + "Base identity for the problem found while attempting to + fulfill either a 'delete-subscription' RPC request or a + 'kill-subscription' RPC request."; + } + + identity establish-subscription-error { + description + "Base identity for the problem found while attempting to + fulfill an 'establish-subscription' RPC request."; + } + + identity modify-subscription-error { + description + "Base identity for the problem found while attempting to + fulfill a 'modify-subscription' RPC request."; + } + + identity subscription-suspended-reason { + description + "Base identity for the problem condition communicated to a + receiver as part of a 'subscription-suspended' + notification."; + } + + identity subscription-terminated-reason { + description + "Base identity for the problem condition communicated to a + receiver as part of a 'subscription-terminated' + notification."; + } + + identity dscp-unavailable { + base establish-subscription-error; + if-feature "dscp"; + description + "The publisher is unable to mark notification messages with + prioritization information in a way that will be respected + during network transit."; + } + + identity encoding-unsupported { + base establish-subscription-error; + description + "Unable to encode notification messages in the desired + format."; + } + + identity filter-unavailable { + base subscription-terminated-reason; + description + "Referenced filter does not exist. This means a receiver is + referencing a filter that doesn't exist or to which it + does not have access permissions."; + } + + identity filter-unsupported { + base establish-subscription-error; + base modify-subscription-error; + description + "Cannot parse syntax in the filter. This failure can be from + a syntax error or a syntax too complex to be processed by the + publisher."; + } + + identity insufficient-resources { + base establish-subscription-error; + base modify-subscription-error; + base subscription-suspended-reason; + description + "The publisher does not have sufficient resources to support + the requested subscription. An example might be that + allocated CPU is too limited to generate the desired set of + notification messages."; + } + + identity no-such-subscription { + base modify-subscription-error; + base delete-subscription-error; + base subscription-terminated-reason; + description + "Referenced subscription doesn't exist. This may be as a + result of a nonexistent subscription ID, an ID that belongs to + another subscriber, or an ID for a configured subscription."; + } + + identity replay-unsupported { + base establish-subscription-error; + if-feature "replay"; + description + "Replay cannot be performed for this subscription. This means + the publisher will not provide the requested historic + information from the event stream via replay to this + receiver."; + } + + identity stream-unavailable { + base subscription-terminated-reason; + description + "Not a subscribable event stream. This means the referenced + event stream is not available for subscription by the + receiver."; + } + + identity suspension-timeout { + base subscription-terminated-reason; + description + "Termination of a previously suspended subscription. The + publisher has eliminated the subscription, as it exceeded a + time limit for suspension."; + } + + identity unsupportable-volume { + base subscription-suspended-reason; + description + "The publisher does not have the network bandwidth needed to + get the volume of generated information intended for a + receiver."; + } + + /* Identities for encodings */ + + identity configurable-encoding { + description + "If a transport identity derives from this identity, it means + that it supports configurable encodings. An example of a + configurable encoding might be a new identity such as + 'encode-cbor'. Such an identity could use + 'configurable-encoding' as its base. This would allow a + dynamic subscription encoded in JSON (RFC 8259) to request + that notification messages be encoded via the Concise Binary + Object Representation (CBOR) (RFC 7049). Further details for + any specific configurable encoding would be explored in a + transport document based on this specification."; + reference + "RFC 8259: The JavaScript Object Notation (JSON) Data + Interchange Format + RFC 7049: Concise Binary Object Representation (CBOR)"; + } + + identity encoding { + description + "Base identity to represent data encodings."; + } + + identity encode-xml { + base encoding; + if-feature "encode-xml"; + description + "Encode data using XML as described in RFC 7950."; + reference + "RFC 7950: The YANG 1.1 Data Modeling Language"; + } + + identity encode-json { + base encoding; + if-feature "encode-json"; + description + "Encode data using JSON as described in RFC 7951."; + reference + "RFC 7951: JSON Encoding of Data Modeled with YANG"; + } + + /* Identities for transports */ + + identity transport { + description + "An identity that represents the underlying mechanism for + passing notification messages."; + } + + /* + * TYPEDEFs + */ + + typedef encoding { + type identityref { + base encoding; + } + description + "Specifies a data encoding, e.g., for a data subscription."; + } + + typedef stream-filter-ref { + type leafref { + path "/sn:filters/sn:stream-filter/sn:name"; + } + description + "This type is used to reference an event stream filter."; + } + + typedef stream-ref { + type leafref { + path "/sn:streams/sn:stream/sn:name"; + } + description + "This type is used to reference a system-provided + event stream."; + } + + typedef subscription-id { + type uint32; + description + "A type for subscription identifiers."; + } + + typedef transport { + type identityref { + base transport; + } + description + "Specifies the transport used to send notification messages + to a receiver."; + } + + /* + * GROUPINGS + */ + + grouping stream-filter-elements { + description + "This grouping defines the base for filters applied to event + streams."; + choice filter-spec { + description + "The content filter specification for this request."; + anydata stream-subtree-filter { + if-feature "subtree"; + description + "Event stream evaluation criteria encoded in the syntax of + a subtree filter as defined in RFC 6241, Section 6. + The subtree filter is applied to the representation of + individual, delineated event records as contained in the + event stream. + If the subtree filter returns a non-empty node set, the + filter matches the event record, and the event record is + included in the notification message sent to the + receivers."; + reference + "RFC 6241: Network Configuration Protocol (NETCONF), + Section 6"; + } + leaf stream-xpath-filter { + if-feature "xpath"; + type yang:xpath1.0; + description + "Event stream evaluation criteria encoded in the syntax of + an XPath 1.0 expression. + The XPath expression is evaluated on the representation of + individual, delineated event records as contained in + the event stream. + The result of the XPath expression is converted to a + boolean value using the standard XPath 1.0 rules. If the + boolean value is 'true', the filter matches the event + record, and the event record is included in the + notification message sent to the receivers. + The expression is evaluated in the following XPath + context: + o The set of namespace declarations is the set of + prefix and namespace pairs for all YANG modules + implemented by the server, where the prefix is the + YANG module name and the namespace is as defined by + the 'namespace' statement in the YANG module. + If the leaf is encoded in XML, all namespace + declarations in scope on the 'stream-xpath-filter' + leaf element are added to the set of namespace + declarations. If a prefix found in the XML is + already present in the set of namespace + declarations, the namespace in the XML is used. + o The set of variable bindings is empty. + o The function library is comprised of the core + function library and the XPath functions defined in + Section 10 in RFC 7950. + o The context node is the root node."; + reference + "XML Path Language (XPath) Version 1.0 + (https://www.w3.org/TR/1999/REC-xpath-19991116) + RFC 7950: The YANG 1.1 Data Modeling Language, + Section 10"; + } + } + } + + grouping update-qos { + description + "This grouping describes QoS information concerning a + subscription. This information is passed to lower layers + for transport prioritization and treatment."; + leaf dscp { + if-feature "dscp"; + type inet:dscp; + default "0"; + description + "The desired network transport priority level. This is the + priority set on notification messages encapsulating the + results of the subscription. This transport priority is + shared for all receivers of a given subscription."; + } + leaf weighting { + if-feature "qos"; + type uint8 { + range "0 .. 255"; + } + description + "Relative weighting for a subscription. Larger weights get + more resources. Allows an underlying transport layer to + perform informed load-balance allocations between various + subscriptions."; + reference + "RFC 7540: Hypertext Transfer Protocol Version 2 (HTTP/2), + Section 5.3.2"; + } + leaf dependency { + if-feature "qos"; + type subscription-id; + description + "Provides the 'subscription-id' of a parent subscription. + The parent subscription has absolute precedence should + that parent have push updates ready to egress the publisher. + In other words, there should be no streaming of objects from + the current subscription if the parent has something ready + to push. + If a dependency is asserted via configuration or via an RPC + but the referenced 'subscription-id' does not exist, the + dependency is silently discarded. If a referenced + subscription is deleted, this dependency is removed."; + reference + "RFC 7540: Hypertext Transfer Protocol Version 2 (HTTP/2), + Section 5.3.1"; + } + } + + grouping subscription-policy-modifiable { + description + "This grouping describes all objects that may be changed + in a subscription."; + choice target { + mandatory true; + description + "Identifies the source of information against which a + subscription is being applied as well as specifics on the + subset of information desired from that source."; + case stream { + choice stream-filter { + description + "An event stream filter can be applied to a subscription. + That filter will either come referenced from a global + list or be provided in the subscription itself."; + case by-reference { + description + "Apply a filter that has been configured separately."; + leaf stream-filter-name { + type stream-filter-ref; + mandatory true; + description + "References an existing event stream filter that is + to be applied to an event stream for the + subscription."; + } + } + case within-subscription { + description + "A local definition allows a filter to have the same + lifecycle as the subscription."; + uses stream-filter-elements; + } + } + } + } + leaf stop-time { + type yang:date-and-time; + description + "Identifies a time after which notification messages for a + subscription should not be sent. If 'stop-time' is not + present, the notification messages will continue until the + subscription is terminated. If 'replay-start-time' exists, + 'stop-time' must be for a subsequent time. If + 'replay-start-time' doesn't exist, 'stop-time', when + established, must be for a future time."; + } + } + + grouping subscription-policy-dynamic { + description + "This grouping describes the only information concerning a + subscription that can be passed over the RPCs defined in this + data model."; + uses subscription-policy-modifiable { + augment "target/stream" { + description + "Adds additional objects that can be modified by an RPC."; + leaf stream { + type stream-ref { + require-instance false; + } + mandatory true; + description + "Indicates the event stream to be considered for + this subscription."; + } + leaf replay-start-time { + if-feature "replay"; + type yang:date-and-time; + config false; + description + "Used to trigger the 'replay' feature for a dynamic + subscription, where event records that are selected + need to be at or after the specified starting time. If + 'replay-start-time' is not present, this is not a replay + subscription and event record push should start + immediately. It is never valid to specify start times + that are later than or equal to the current time."; + } + } + } + uses update-qos; + } + + grouping subscription-policy { + description + "This grouping describes the full set of policy information + concerning both dynamic and configured subscriptions, with the + exclusion of both receivers and networking information + specific to the publisher, such as what interface should be + used to transmit notification messages."; + uses subscription-policy-dynamic; + leaf transport { + if-feature "configured"; + type transport; + description + "For a configured subscription, this leaf specifies the + transport used to deliver messages destined for all + receivers of that subscription."; + } + leaf encoding { + when 'not(../transport) or derived-from(../transport, + "sn:configurable-encoding")'; + type encoding; + description + "The type of encoding for notification messages. For a + dynamic subscription, if not included as part of an + 'establish-subscription' RPC, the encoding will be populated + with the encoding used by that RPC. For a configured + subscription, if not explicitly configured, the encoding + will be the default encoding for an underlying transport."; + } + leaf purpose { + if-feature "configured"; + type string; + description + "Open text allowing a configuring entity to embed the + originator or other specifics of this subscription."; + } + } + + /* + * RPCs + */ + + rpc establish-subscription { + description + "This RPC allows a subscriber to create (and possibly + negotiate) a subscription on its own behalf. If successful, + the subscription remains in effect for the duration of the + subscriber's association with the publisher or until the + subscription is terminated. If an error occurs or the + publisher cannot meet the terms of a subscription, an RPC + error is returned, and the subscription is not created. + In that case, the RPC reply's 'error-info' MAY include + suggested parameter settings that would have a higher + likelihood of succeeding in a subsequent + 'establish-subscription' request."; + input { + uses subscription-policy-dynamic; + leaf encoding { + type encoding; + description + "The type of encoding for the subscribed data. If not + included as part of the RPC, the encoding MUST be set by + the publisher to be the encoding used by this RPC."; + } + } + output { + leaf id { + type subscription-id; + mandatory true; + description + "Identifier used for this subscription."; + } + leaf replay-start-time-revision { + if-feature "replay"; + type yang:date-and-time; + description + "If a replay has been requested, this object represents + the earliest time covered by the event buffer for the + requested event stream. The value of this object is the + 'replay-log-aged-time' if it exists. Otherwise, it is + the 'replay-log-creation-time'. All buffered event + records after this time will be replayed to a receiver. + This object will only be sent if the starting time has + been revised to be later than the time requested by the + subscriber."; + } + } + } + + rc:yang-data establish-subscription-stream-error-info { + container establish-subscription-stream-error-info { + description + "If any 'establish-subscription' RPC parameters are + unsupportable against the event stream, a subscription + is not created and the RPC error response MUST indicate the + reason why the subscription failed to be created. This + yang-data MAY be inserted as structured data in a + subscription's RPC error response to indicate the reason for + the failure. This yang-data MUST be inserted if hints are + to be provided back to the subscriber."; + leaf reason { + type identityref { + base establish-subscription-error; + } + description + "Indicates the reason why the subscription has failed to + be created to a targeted event stream."; + } + leaf filter-failure-hint { + type string; + description + "Information describing where and/or why a provided + filter was unsupportable for a subscription. The + syntax and semantics of this hint are + implementation specific."; + } + } + } + + rpc modify-subscription { + description + "This RPC allows a subscriber to modify a dynamic + subscription's parameters. If successful, the changed + subscription parameters remain in effect for the duration of + the subscription, until the subscription is again modified, or + until the subscription is terminated. In the case of an error + or an inability to meet the modified parameters, the + subscription is not modified and the original subscription + parameters remain in effect. In that case, the RPC error MAY + include 'error-info' suggested parameter hints that would have + a high likelihood of succeeding in a subsequent + 'modify-subscription' request. A successful + 'modify-subscription' will return a suspended subscription to + the 'active' state."; + input { + leaf id { + type subscription-id; + mandatory true; + description + "Identifier to use for this subscription."; + } + uses subscription-policy-modifiable; + } + } + + rc:yang-data modify-subscription-stream-error-info { + container modify-subscription-stream-error-info { + description + "This yang-data MAY be provided as part of a subscription's + RPC error response when there is a failure of a + 'modify-subscription' RPC that has been made against an + event stream. This yang-data MUST be used if hints are to + be provided back to the subscriber."; + leaf reason { + type identityref { + base modify-subscription-error; + } + description + "Information in a 'modify-subscription' RPC error response + that indicates the reason why the subscription to an event + stream has failed to be modified."; + } + leaf filter-failure-hint { + type string; + description + "Information describing where and/or why a provided + filter was unsupportable for a subscription. The syntax + and semantics of this hint are + implementation specific."; + } + } + } + + rpc delete-subscription { + description + "This RPC allows a subscriber to delete a subscription that + was previously created by that same subscriber using the + 'establish-subscription' RPC. + If an error occurs, the server replies with an 'rpc-error' + where the 'error-info' field MAY contain a + 'delete-subscription-error-info' structure."; + input { + leaf id { + type subscription-id; + mandatory true; + description + "Identifier of the subscription that is to be deleted. + Only subscriptions that were created using + 'establish-subscription' from the same origin as this RPC + can be deleted via this RPC."; + } + } + } + + rpc kill-subscription { + nacm:default-deny-all; + description + "This RPC allows an operator to delete a dynamic subscription + without restrictions on the originating subscriber or + underlying transport session. + If an error occurs, the server replies with an 'rpc-error' + where the 'error-info' field MAY contain a + 'delete-subscription-error-info' structure."; + input { + leaf id { + type subscription-id; + mandatory true; + description + "Identifier of the subscription that is to be deleted. + Only subscriptions that were created using + 'establish-subscription' can be deleted via this RPC."; + } + } + } + + rc:yang-data delete-subscription-error-info { + container delete-subscription-error-info { + description + "If a 'delete-subscription' RPC or a 'kill-subscription' RPC + fails, the subscription is not deleted and the RPC error + response MUST indicate the reason for this failure. This + yang-data MAY be inserted as structured data in a + subscription's RPC error response to indicate the reason + for the failure."; + leaf reason { + type identityref { + base delete-subscription-error; + } + mandatory true; + description + "Indicates the reason why the subscription has failed to be + deleted."; + } + } + } + + /* + * NOTIFICATIONS + */ + + notification replay-completed { + sn:subscription-state-notification; + if-feature "replay"; + description + "This notification is sent to indicate that all of the replay + notifications have been sent."; + leaf id { + type subscription-id; + mandatory true; + description + "This references the affected subscription."; + } + } + + notification subscription-completed { + sn:subscription-state-notification; + if-feature "configured"; + description + "This notification is sent to indicate that a subscription has + finished passing event records, as the 'stop-time' has been + reached."; + leaf id { + type subscription-id; + mandatory true; + description + "This references the gracefully completed subscription."; + } + } + + notification subscription-modified { + sn:subscription-state-notification; + description + "This notification indicates that a subscription has been + modified. Notification messages sent from this point on will + conform to the modified terms of the subscription. For + completeness, this subscription state change notification + includes both modified and unmodified aspects of a + subscription."; + leaf id { + type subscription-id; + mandatory true; + description + "This references the affected subscription."; + } + uses subscription-policy { + refine "target/stream/stream-filter/within-subscription" { + description + "Filter applied to the subscription. If the + 'stream-filter-name' is populated, the filter in the + subscription came from the 'filters' container. + Otherwise, it is populated in-line as part of the + subscription."; + } + } + } + + notification subscription-resumed { + sn:subscription-state-notification; + description + "This notification indicates that a subscription that had + previously been suspended has resumed. Notifications will + once again be sent. In addition, a 'subscription-resumed' + indicates that no modification of parameters has occurred + since the last time event records have been sent."; + leaf id { + type subscription-id; + mandatory true; + description + "This references the affected subscription."; + } + } + + notification subscription-started { + sn:subscription-state-notification; + if-feature "configured"; + description + "This notification indicates that a subscription has started + and notifications will now be sent."; + leaf id { + type subscription-id; + mandatory true; + description + "This references the affected subscription."; + } + uses subscription-policy { + refine "target/stream/replay-start-time" { + description + "Indicates the time that a replay is using for the + streaming of buffered event records. This will be + populated with the most recent of the following: + the event time of the previous event record sent to a + receiver, the 'replay-log-creation-time', the + 'replay-log-aged-time', or the most recent publisher + boot time."; + } + refine "target/stream/stream-filter/within-subscription" { + description + "Filter applied to the subscription. If the + 'stream-filter-name' is populated, the filter in the + subscription came from the 'filters' container. + Otherwise, it is populated in-line as part of the + subscription."; + } + augment "target/stream" { + description + "This augmentation adds additional parameters specific to a + 'subscription-started' notification."; + leaf replay-previous-event-time { + when '../replay-start-time'; + if-feature "replay"; + type yang:date-and-time; + description + "If there is at least one event in the replay buffer + prior to 'replay-start-time', this gives the time of + the event generated immediately prior to the + 'replay-start-time'. + If a receiver previously received event records for + this configured subscription, it can compare this time + to the last event record previously received. If the + two are not the same (perhaps due to a reboot), then a + dynamic replay can be initiated to acquire any missing + event records."; + } + } + } + } + + notification subscription-suspended { + sn:subscription-state-notification; + description + "This notification indicates that a suspension of the + subscription by the publisher has occurred. No further + notifications will be sent until the subscription resumes. + This notification shall only be sent to receivers of a + subscription; it does not constitute a general-purpose + notification."; + leaf id { + type subscription-id; + mandatory true; + description + "This references the affected subscription."; + } + leaf reason { + type identityref { + base subscription-suspended-reason; + } + mandatory true; + description + "Identifies the condition that resulted in the suspension."; + } + } + + notification subscription-terminated { + sn:subscription-state-notification; + description + "This notification indicates that a subscription has been + terminated."; + leaf id { + type subscription-id; + mandatory true; + description + "This references the affected subscription."; + } + leaf reason { + type identityref { + base subscription-terminated-reason; + } + mandatory true; + description + "Identifies the condition that resulted in the termination."; + } + } + + /* + * DATA NODES + */ + + container streams { + config false; + description + "Contains information on the built-in event streams provided by + the publisher."; + list stream { + key "name"; + description + "Identifies the built-in event streams that are supported by + the publisher."; + leaf name { + type string; + description + "A handle for a system-provided event stream made up of a + sequential set of event records, each of which is + characterized by its own domain and semantics."; + } + leaf description { + type string; + description + "A description of the event stream, including such + information as the type of event records that are + available in this event stream."; + } + leaf replay-support { + if-feature "replay"; + type empty; + description + "Indicates that event record replay is available on this + event stream."; + } + leaf replay-log-creation-time { + when '../replay-support'; + if-feature "replay"; + type yang:date-and-time; + mandatory true; + description + "The timestamp of the creation of the log used to support + the replay function on this event stream. This time + might be earlier than the earliest available information + contained in the log. This object is updated if the log + resets for some reason."; + } + leaf replay-log-aged-time { + when '../replay-support'; + if-feature "replay"; + type yang:date-and-time; + description + "The timestamp associated with the last event record that + has been aged out of the log. This timestamp identifies + how far back in history this replay log extends, if it + doesn't extend back to the 'replay-log-creation-time'. + This object MUST be present if replay is supported and any + event records have been aged out of the log."; + } + } + } + container filters { + description + "Contains a list of configurable filters that can be applied to + subscriptions. This facilitates the reuse of complex filters + once defined."; + list stream-filter { + key "name"; + description + "A list of preconfigured filters that can be applied to + subscriptions."; + leaf name { + type string; + description + "A name to differentiate between filters."; + } + uses stream-filter-elements; + } + } + container subscriptions { + description + "Contains the list of currently active subscriptions, i.e., + subscriptions that are currently in effect, used for + subscription management and monitoring purposes. This + includes subscriptions that have been set up via + RPC primitives as well as subscriptions that have been + established via configuration."; + list subscription { + key "id"; + description + "The identity and specific parameters of a subscription. + Subscriptions in this list can be created using a control + channel or RPC or can be established through configuration. + If the 'kill-subscription' RPC or configuration operations + are used to delete a subscription, a + 'subscription-terminated' message is sent to any active or + suspended receivers."; + leaf id { + type subscription-id; + description + "Identifier of a subscription; unique in a given + publisher."; + } + uses subscription-policy { + refine "target/stream/stream" { + description + "Indicates the event stream to be considered for this + subscription. If an event stream has been removed + and can no longer be referenced by an active + subscription, send a 'subscription-terminated' + notification with 'stream-unavailable' as the reason. + If a configured subscription refers to a nonexistent + event stream, move that subscription to the + 'invalid' state."; + } + refine "transport" { + description + "For a configured subscription, this leaf specifies the + transport used to deliver messages destined for all + receivers of that subscription. This object is + mandatory for subscriptions in the configuration + datastore. This object (1) is not mandatory for dynamic + subscriptions in the operational state datastore and + (2) should not be present for other types of dynamic + subscriptions."; + } + augment "target/stream" { + description + "Enables objects to be added to a configured stream + subscription."; + leaf configured-replay { + if-feature "configured"; + if-feature "replay"; + type empty; + description + "The presence of this leaf indicates that replay for + the configured subscription should start at the + earliest time in the event log or at the publisher + boot time, whichever is later."; + } + } + } + choice notification-message-origin { + if-feature "configured"; + description + "Identifies the egress interface on the publisher + from which notification messages are to be sent."; + case interface-originated { + description + "When notification messages are to egress a specific, + designated interface on the publisher."; + leaf source-interface { + if-feature "interface-designation"; + type if:interface-ref; + description + "References the interface for notification messages."; + } + } + case address-originated { + description + "When notification messages are to depart from a + publisher using a specific originating address and/or + routing context information."; + leaf source-vrf { + if-feature "supports-vrf"; + type leafref { + path "/ni:network-instances/ni:network-instance/ni:name"; + } + description + "VRF from which notification messages should egress a + publisher."; + } + leaf source-address { + type inet:ip-address-no-zone; + description + "The source address for the notification messages. + If a source VRF exists but this object doesn't, a + publisher's default address for that VRF must + be used."; + } + } + } + leaf configured-subscription-state { + if-feature "configured"; + type enumeration { + enum valid { + value 1; + description + "The subscription is supportable with its current + parameters."; + } + enum invalid { + value 2; + description + "The subscription as a whole is unsupportable with its + current parameters."; + } + enum concluded { + value 3; + description + "A subscription is inactive, as it has hit a + stop time. It no longer has receivers in the + 'active' or 'suspended' state, but the subscription + has not yet been removed from configuration."; + } + } + config false; + description + "The presence of this leaf indicates that the subscription + originated from configuration, not through a control + channel or RPC. The value indicates the state of the + subscription as established by the publisher."; + } + container receivers { + description + "Set of receivers in a subscription."; + list receiver { + key "name"; + min-elements 1; + description + "A host intended as a recipient for the notification + messages of a subscription. For configured + subscriptions, transport-specific network parameters + (or a leafref to those parameters) may be augmented to a + specific receiver in this list."; + leaf name { + type string; + description + "Identifies a unique receiver for a subscription."; + } + leaf sent-event-records { + type yang:zero-based-counter64; + config false; + description + "The number of event records sent to the receiver. The + count is initialized when a dynamic subscription is + established or when a configured receiver + transitions to the 'valid' state."; + } + leaf excluded-event-records { + type yang:zero-based-counter64; + config false; + description + "The number of event records explicitly removed via + either an event stream filter or an access control + filter so that they are not passed to a receiver. + This count is set to zero each time + 'sent-event-records' is initialized."; + } + leaf state { + type enumeration { + enum active { + value 1; + description + "The receiver is currently being sent any + applicable notification messages for the + subscription."; + } + enum suspended { + value 2; + description + "The receiver state is 'suspended', so the + publisher is currently unable to provide + notification messages for the subscription."; + } + enum connecting { + value 3; + if-feature "configured"; + description + "A subscription has been configured, but a + 'subscription-started' subscription state change + notification needs to be successfully received + before notification messages are sent. + If the 'reset' action is invoked for a receiver of + an active configured subscription, the state + must be moved to 'connecting'."; + } + enum disconnected { + value 4; + if-feature "configured"; + description + "A subscription has failed to send a + 'subscription-started' state change to the + receiver. Additional connection attempts are not + currently being made."; + } + } + config false; + mandatory true; + description + "Specifies the state of a subscription from the + perspective of a particular receiver. With this + information, it is possible to determine whether a + publisher is currently generating notification + messages intended for that receiver."; + } + action reset { + if-feature "configured"; + description + "Allows the reset of this configured subscription's + receiver to the 'connecting' state. This enables the + connection process to be reinitiated."; + output { + leaf time { + type yang:date-and-time; + mandatory true; + description + "Time at which a publisher returned the receiver to + the 'connecting' state."; + } + } + } + } + } + } + } +} diff --git a/data-model/yang/published/ietf/ietf-x509-cert-to-name@2014-12-10.yang b/data-model/yang/published/ietf/ietf-x509-cert-to-name@2014-12-10.yang new file mode 100644 index 0000000..cbc9be2 --- /dev/null +++ b/data-model/yang/published/ietf/ietf-x509-cert-to-name@2014-12-10.yang @@ -0,0 +1,303 @@ +module ietf-x509-cert-to-name { + + namespace "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name"; + prefix x509c2n; + + import ietf-yang-types { + prefix yang; + } + + organization + "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; + + contact + "WG Web: + WG List: + + WG Chair: Thomas Nadeau + + + WG Chair: Juergen Schoenwaelder + + + Editor: Martin Bjorklund + + + Editor: Juergen Schoenwaelder + "; + + description + "This module contains a collection of YANG definitions for + extracting a name from an X.509 certificate. + The algorithm used to extract a name from an X.509 certificate + was first defined in RFC 6353. + + Copyright (c) 2014 IETF Trust and the persons identified as + authors of the code. All rights reserved. + + Redistribution and use in source and binary forms, with or + without modification, is permitted pursuant to, and subject + to the license terms contained in, the Simplified BSD License + set forth in Section 4.c of the IETF Trust's Legal Provisions + Relating to IETF Documents + (http://trustee.ietf.org/license-info). + + This version of this YANG module is part of RFC 7407; see + the RFC itself for full legal notices."; + + reference + "RFC 6353: Transport Layer Security (TLS) Transport Model for + the Simple Network Management Protocol (SNMP)"; + + revision 2014-12-10 { + description + "Initial revision."; + reference + "RFC 7407: A YANG Data Model for SNMP Configuration"; + + } + + typedef tls-fingerprint { + type yang:hex-string { + pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}'; + } + description + "A fingerprint value that can be used to uniquely reference + other data of potentially arbitrary length. + + A tls-fingerprint value is composed of a 1-octet hashing + algorithm identifier followed by the fingerprint value. The + first octet value identifying the hashing algorithm is taken + from the IANA 'TLS HashAlgorithm Registry' (RFC 5246). The + remaining octets are filled using the results of the hashing + algorithm."; + reference + "RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol (SNMP). + SNMP-TLS-TM-MIB.SnmpTLSFingerprint"; + } + + /* Identities */ + + identity cert-to-name { + description + "Base identity for algorithms to derive a name from a + certificate."; + } + + identity specified { + base cert-to-name; + description + "Directly specifies the name to be used for the certificate. + The value of the leaf 'name' in the cert-to-name list is + used."; + reference + "RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertSpecified"; + } + + identity san-rfc822-name { + base cert-to-name; + description + "Maps a subjectAltName's rfc822Name to a name. The local part + of the rfc822Name is passed unaltered, but the host-part of + the name must be passed in lowercase. For example, the + rfc822Name field FooBar@Example.COM is mapped to name + FooBar@example.com."; + reference + "RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name"; + } + + identity san-dns-name { + base cert-to-name; + description + "Maps a subjectAltName's dNSName to a name after first + converting it to all lowercase (RFC 5280 does not specify + converting to lowercase, so this involves an extra step). + This mapping results in a 1:1 correspondence between + subjectAltName dNSName values and the name values."; + reference + "RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName"; + } + + identity san-ip-address { + base cert-to-name; + description + "Maps a subjectAltName's iPAddress to a name by + transforming the binary-encoded address as follows: + + 1) for IPv4, the value is converted into a + decimal-dotted quad address (e.g., '192.0.2.1'). + + 2) for IPv6 addresses, the value is converted into a + 32-character, all-lowercase hexadecimal string + without any colon separators. + + This mapping results in a 1:1 correspondence between + subjectAltName iPAddress values and the name values."; + reference + "RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress"; + } + + identity san-any { + base cert-to-name; + description + "Maps any of the following fields using the corresponding + mapping algorithms: + + +------------+-----------------+ + | Type | Algorithm | + |------------+-----------------| + | rfc822Name | san-rfc822-name | + | dNSName | san-dns-name | + | iPAddress | san-ip-address | + +------------+-----------------+ + + The first matching subjectAltName value found in the + certificate of the above types MUST be used when deriving + the name. The mapping algorithm specified in the + 'Algorithm' column MUST be used to derive the name. + + This mapping results in a 1:1 correspondence between + subjectAltName values and name values. The three sub-mapping + algorithms produced by this combined algorithm cannot produce + conflicting results between themselves."; + reference + "RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertSANAny"; + } + + identity common-name { + base cert-to-name; + description + "Maps a certificate's CommonName to a name after converting + it to a UTF-8 encoding. The usage of CommonNames is + deprecated, and users are encouraged to use subjectAltName + mapping methods instead. This mapping results in a 1:1 + correspondence between certificate CommonName values and name + values."; + reference + "RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertCommonName"; + } + + /* + * Groupings + */ + + grouping cert-to-name { + description + "Defines nodes for mapping certificates to names. Modules + that use this grouping should describe how the resulting + name is used."; + + list cert-to-name { + key id; + description + "This list defines how certificates are mapped to names. + The name is derived by considering each cert-to-name + list entry in order. The cert-to-name entry's fingerprint + determines whether the list entry is a match: + + 1) If the cert-to-name list entry's fingerprint value + matches that of the presented certificate, then consider + the list entry a successful match. + + 2) If the cert-to-name list entry's fingerprint value + matches that of a locally held copy of a trusted CA + certificate, and that CA certificate was part of the CA + certificate chain to the presented certificate, then + consider the list entry a successful match. + + Once a matching cert-to-name list entry has been found, the + map-type is used to determine how the name associated with + the certificate should be determined. See the map-type + leaf's description for details on determining the name value. + If it is impossible to determine a name from the cert-to-name + list entry's data combined with the data presented in the + certificate, then additional cert-to-name list entries MUST + be searched to look for another potential match. + + Security administrators are encouraged to make use of + certificates with subjectAltName fields that can be mapped to + names so that a single root CA certificate can allow all + child certificates' subjectAltName fields to map directly to + a name via a 1:1 transformation."; + reference + "RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry"; + + leaf id { + type uint32; + description + "The id specifies the order in which the entries in the + cert-to-name list are searched. Entries with lower + numbers are searched first."; + reference + "RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol + (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID"; + } + + leaf fingerprint { + type x509c2n:tls-fingerprint; + mandatory true; + description + "Specifies a value with which the fingerprint of the + full certificate presented by the peer is compared. If + the fingerprint of the full certificate presented by the + peer does not match the fingerprint configured, then the + entry is skipped, and the search for a match continues."; + reference + "RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol + (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint"; + } + + leaf map-type { + type identityref { + base cert-to-name; + } + mandatory true; + description + "Specifies the algorithm used to map the certificate + presented by the peer to a name. + + Mappings that need additional configuration objects should + use the 'when' statement to make them conditional based on + the map-type."; + reference + "RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol + (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType"; + } + + leaf name { + when "../map-type = 'x509c2n:specified'"; + type string; + mandatory true; + description + "Directly specifies the NETCONF username when the + map-type is 'specified'."; + reference + "RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol + (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData"; + } + } + } +} diff --git a/data-model/yang/published/o-ran/ru-fh/ietf-crypto-types.yang b/data-model/yang/published/o-ran/ru-fh/ietf-crypto-types.yang new file mode 120000 index 0000000..eb6dd73 --- /dev/null +++ b/data-model/yang/published/o-ran/ru-fh/ietf-crypto-types.yang @@ -0,0 +1 @@ +../../ietf/ietf-crypto-types@2019-04-29.yang \ No newline at end of file diff --git a/data-model/yang/published/o-ran/ru-fh/ietf-dhcpv6-common.yang b/data-model/yang/published/o-ran/ru-fh/ietf-dhcpv6-common.yang new file mode 120000 index 0000000..06f6e9a --- /dev/null +++ b/data-model/yang/published/o-ran/ru-fh/ietf-dhcpv6-common.yang @@ -0,0 +1 @@ +../../ietf/ietf-dhcpv6-common@2021-01-29.yang \ No newline at end of file diff --git a/data-model/yang/published/o-ran/ru-fh/ietf-dhcpv6-types.yang b/data-model/yang/published/o-ran/ru-fh/ietf-dhcpv6-types.yang new file mode 120000 index 0000000..1cda54b --- /dev/null +++ b/data-model/yang/published/o-ran/ru-fh/ietf-dhcpv6-types.yang @@ -0,0 +1 @@ +../../ietf/ietf-dhcpv6-types@2018-09-04.yang \ No newline at end of file diff --git a/data-model/yang/published/o-ran/ru-fh/ietf-netconf-monitoring.yang b/data-model/yang/published/o-ran/ru-fh/ietf-netconf-monitoring.yang new file mode 120000 index 0000000..659c2de --- /dev/null +++ b/data-model/yang/published/o-ran/ru-fh/ietf-netconf-monitoring.yang @@ -0,0 +1 @@ +../../ietf/ietf-netconf-monitoring@2010-10-04.yang \ No newline at end of file diff --git a/data-model/yang/published/o-ran/ru-fh/ietf-subscribed-notifications.yang b/data-model/yang/published/o-ran/ru-fh/ietf-subscribed-notifications.yang new file mode 120000 index 0000000..5229b12 --- /dev/null +++ b/data-model/yang/published/o-ran/ru-fh/ietf-subscribed-notifications.yang @@ -0,0 +1 @@ +../../ietf/ietf-subscribed-notifications@2019-09-09.yang \ No newline at end of file diff --git a/data-model/yang/published/o-ran/ru-fh/ietf-x509-cert-to-name.yang b/data-model/yang/published/o-ran/ru-fh/ietf-x509-cert-to-name.yang new file mode 120000 index 0000000..17178bd --- /dev/null +++ b/data-model/yang/published/o-ran/ru-fh/ietf-x509-cert-to-name.yang @@ -0,0 +1 @@ +../../ietf/ietf-x509-cert-to-name@2014-12-10.yang \ No newline at end of file