| < draft-ietf-rtgwg-yang-key-chain-09.txt | draft-ietf-rtgwg-yang-key-chain-10.txt > | |||
|---|---|---|---|---|
| Network Working Group A. Lindem, Ed. | Network Working Group A. Lindem, Ed. | |||
| Internet-Draft Y. Qu | Internet-Draft Y. Qu | |||
| Intended status: Standards Track Cisco Systems | Intended status: Standards Track Cisco Systems | |||
| Expires: March 23, 2017 D. Yeung | Expires: April 30, 2017 D. Yeung | |||
| Arrcus, Inc | Arrcus, Inc | |||
| I. Chen | I. Chen | |||
| Ericsson | Ericsson | |||
| J. Zhang | J. Zhang | |||
| Juniper Networks | Juniper Networks | |||
| Y. Yang | Y. Yang | |||
| Cisco Systems | Individual Contributor | |||
| September 19, 2016 | October 27, 2016 | |||
| Routing Key Chain YANG Data Model | Routing Key Chain YANG Data Model | |||
| draft-ietf-rtgwg-yang-key-chain-09.txt | draft-ietf-rtgwg-yang-key-chain-10.txt | |||
| Abstract | Abstract | |||
| This document describes the key chain YANG data model. A key chain | This document describes the key chain YANG data model. A key chain | |||
| is a list of elements each containing a key, send lifetime, accept | is a list of elements each containing a key, send lifetime, accept | |||
| lifetime, and algorithm (authentication or encryption). By properly | lifetime, and algorithm (authentication or encryption). By properly | |||
| overlapping the send and accept lifetimes of multiple key chain | overlapping the send and accept lifetimes of multiple key chain | |||
| elements, keys and algorithms may be gracefully updated. By | elements, keys and algorithms may be gracefully updated. By | |||
| representing them in a YANG data model, key distribution can be | representing them in a YANG data model, key distribution can be | |||
| automated. Key chains are commonly used for routing protocol | automated. Key chains are commonly used for routing protocol | |||
| skipping to change at page 1, line 49 ¶ | skipping to change at page 1, line 49 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 23, 2017. | This Internet-Draft will expire on April 30, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 33 ¶ | skipping to change at page 2, line 33 ¶ | |||
| 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 | 1.2. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2.1. Applicability . . . . . . . . . . . . . . . . . . . . . . 4 | 2.1. Applicability . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.2. Graceful Key Rollover using Key Chains . . . . . . . . . 4 | 2.2. Graceful Key Rollover using Key Chains . . . . . . . . . 4 | |||
| 3. Design of the Key Chain Model . . . . . . . . . . . . . . . . 5 | 3. Design of the Key Chain Model . . . . . . . . . . . . . . . . 5 | |||
| 3.1. Key Chain Operational State . . . . . . . . . . . . . . . 5 | 3.1. Key Chain Operational State . . . . . . . . . . . . . . . 5 | |||
| 3.2. Key Chain Model Features . . . . . . . . . . . . . . . . 6 | 3.2. Key Chain Model Features . . . . . . . . . . . . . . . . 6 | |||
| 3.3. Key Chain Model Tree . . . . . . . . . . . . . . . . . . 6 | 3.3. Key Chain Model Tree . . . . . . . . . . . . . . . . . . 6 | |||
| 4. Key Chain YANG Model . . . . . . . . . . . . . . . . . . . . 9 | 4. Key Chain YANG Model . . . . . . . . . . . . . . . . . . . . 9 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 19 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 20 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 20 | 7.2. Informative References . . . . . . . . . . . . . . . . . 21 | |||
| Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 21 | Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 22 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 1. Introduction | 1. Introduction | |||
| This document describes the key chain YANG data model. A key chain | This document describes the key chain YANG data model. A key chain | |||
| is a list of elements each containing a key, send lifetime, accept | is a list of elements each containing a key, send lifetime, accept | |||
| lifetime, and algorithm (authentication or encryption). By properly | lifetime, and algorithm (authentication or encryption). By properly | |||
| overlapping the send and accept lifetimes of multiple key chain | overlapping the send and accept lifetimes of multiple key chain | |||
| elements, keys and algorithms may be gracefully updated. By | elements, keys and algorithms may be gracefully updated. By | |||
| representing them in a YANG data model, key distribution can be | representing them in a YANG data model, key distribution can be | |||
| automated. Key chains are commonly used for routing protocol | automated. Key chains are commonly used for routing protocol | |||
| skipping to change at page 5, line 45 ¶ | skipping to change at page 5, line 45 ¶ | |||
| scoping other than at the global level. Finally, the crypto- | scoping other than at the global level. Finally, the crypto- | |||
| algorithm-types grouping is provided for reuse when configuring | algorithm-types grouping is provided for reuse when configuring | |||
| legacy authentication and encryption not using key-chains. | legacy authentication and encryption not using key-chains. | |||
| A key-chain is identified by a unique name within the scope of the | A key-chain is identified by a unique name within the scope of the | |||
| network device. The "key-chain-ref" typedef SHOULD be used by other | network device. The "key-chain-ref" typedef SHOULD be used by other | |||
| YANG modules when they need to reference a configured key-chain. | YANG modules when they need to reference a configured key-chain. | |||
| 3.1. Key Chain Operational State | 3.1. Key Chain Operational State | |||
| The key chain operational state is maintained in the key-chain | The key chain operational state is maintained in a separate tree. | |||
| entries along with the configuration state. The key string itself is | The key string itself is omitted from the operational state to | |||
| omitted from the operational state to minimize visibility similar to | minimize visibility similar to what was done with keys in SNMP MIBs. | |||
| what was done with keys in SNMP MIBs. The timestamp of the last key- | The timestamp of the last key-chain modification is also maintained | |||
| chain modification is also maintained in the operational state. | in the operational state. Additionally, the operational state | |||
| Additionally, the operational state includes an indication of whether | includes an indication of whether or not a key chain entry is valid | |||
| or not a key chain entry is valid for sending or acceptance. | for sending or acceptance. | |||
| 3.2. Key Chain Model Features | 3.2. Key Chain Model Features | |||
| Features are used to handle differences between vendor | Features are used to handle differences between vendor | |||
| implementations. For example, not all vendors support configuration | implementations. For example, not all vendors support configuration | |||
| an acceptance tolerance or configuration of key strings in | an acceptance tolerance or configuration of key strings in | |||
| hexadecimal. They are also used to support of security requirements | hexadecimal. They are also used to support of security requirements | |||
| (e.g., TCP-AO Algorithms [TCP-AO-ALGORITHMS]) not implemented by | (e.g., TCP-AO Algorithms [TCP-AO-ALGORITHMS]) not implemented by | |||
| vendors or only a single vendor. | vendors or only a single vendor. | |||
| 3.3. Key Chain Model Tree | 3.3. Key Chain Model Tree | |||
| module: ietf-key-chain | +--rw key-chain | |||
| +--rw key-chains | | +--rw key-chain-list* [name] | |||
| +--rw key-chain-list* [name] | | | +--rw name string | |||
| | +--rw name string | | | +--rw description? string | |||
| | +--ro name-state? string | | | +--rw accept-tolerance {accept-tolerance}? | |||
| | +--rw description? string | | | | +--rw duration? uint32 | |||
| | +--rw accept-tolerance {accept-tolerance}? | | | +--rw key-chain-entries* [key-id] | |||
| | | +--rw duration? uint32 | | | +--rw key-id uint64 | |||
| | +--ro accept-tolerance-state | | | +--rw lifetime | |||
| | | +--ro duration? uint32 | | | | +--rw (lifetime)? | |||
| | +--ro last-modified-timestamp? yang:date-and-time | | | | +--:(send-and-accept-lifetime) | |||
| | +--rw key-chain-entry* [key-id] | | | | | +--rw send-accept-lifetime | |||
| | +--rw key-id uint64 | | | | | +--rw (lifetime)? | |||
| | +--ro key-id-state? uint64 | | | | | +--:(always) | |||
| | +--rw key-string | | | | | | +--rw always? empty | |||
| | | +--rw (key-string-style)? | | | | | +--:(start-end-time) | |||
| | | +--:(keystring) | | | | | +--rw start-date-time? | |||
| | | | +--rw keystring? string | | | | | | yang:date-and-time | |||
| | | +--:(hexadecimal) {hex-key-string}? | | | | | +--rw (end-time)? | |||
| | | +--rw hexadecimal-string? yang:hex-string | | | | | +--:(infinite) | |||
| | +--rw lifetime | | | | | | +--rw no-end-time? empty | |||
| | | +--rw (lifetime)? | | | | | +--:(duration) | |||
| | | +--:(send-and-accept-lifetime) | | | | | | +--rw duration? uint32 | |||
| | | | +--rw send-accept-lifetime | | | | | +--:(end-date-time) | |||
| | | | +--rw (lifetime)? | | | | | +--rw end-date-time? | |||
| | | | +--:(always) | | | | | yang:date-and-time | |||
| | | | | +--rw always? empty | | | | +--:(independent-send-accept-lifetime) | |||
| | | | +--:(start-end-time) | | | | {independent-send-accept-lifetime}? | |||
| | | | +--rw start-date-time? yang:date-and-time | | | | +--rw send-lifetime | |||
| | | | +--rw (end-time)? | | | | | +--rw (lifetime)? | |||
| | | | +--:(infinite) | | | | | +--:(always) | |||
| | | | | +--rw no-end-time? empty | | | | | | +--rw always? empty | |||
| | | | +--:(duration) | | | | | +--:(start-end-time) | |||
| | | | | +--rw duration? uint32 | | | | | +--rw start-date-time? | |||
| | | | +--:(end-date-time) | | | | | yang:date-and-time | |||
| | | | +--rw end-date-time? | | | | | +--rw (end-time)? | |||
| | | | yang:date-and-time | | | | | +--:(infinite) | |||
| | | +--:(independent-send-accept-lifetime) | | | | | | +--rw no-end-time? empty | |||
| | | {independent-send-accept-lifetime}? | | | | | +--:(duration) | |||
| | | +--rw send-lifetime | | | | | | +--rw duration? uint32 | |||
| | | | +--rw (lifetime)? | | | | | +--:(end-date-time) | |||
| | | | +--:(always) | | | | | +--rw end-date-time? | |||
| | | | | +--rw always? empty | | | | | yang:date-and-time | |||
| | | | +--:(start-end-time) | | | | +--rw accept-lifetime | |||
| | | | +--rw start-date-time? yang:date-and-time | | | | +--rw (lifetime)? | |||
| | | | +--rw (end-time)? | | | | +--:(always) | |||
| | | | +--:(infinite) | | | | | +--rw always? empty | |||
| | | | | +--rw no-end-time? empty | | | | +--:(start-end-time) | |||
| | | | +--:(duration) | | | | +--rw start-date-time? | |||
| | | | | +--rw duration? uint32 | | | | | yang:date-and-time | |||
| | | | +--:(end-date-time) | | | | +--rw (end-time)? | |||
| | | | +--rw end-date-time? | | | | +--:(infinite) | |||
| | | | yang:date-and-time | | | | | +--rw no-end-time? empty | |||
| | | +--rw accept-lifetime | | | | +--:(duration) | |||
| | | +--rw (lifetime)? | | | | | +--rw duration? uint32 | |||
| | | +--:(always) | | | | +--:(end-date-time) | |||
| | | | +--rw always? empty | | | | +--rw end-date-time? | |||
| | | +--:(start-end-time) | | | | yang:date-and-time | |||
| | | +--rw start-date-time? yang:date-and-time | | | +--rw crypto-algorithm | |||
| | | +--rw (end-time)? | | | | +--rw (algorithm)? | |||
| | | +--:(infinite) | | | | +--:(hmac-sha-1-12) {crypto-hmac-sha-1-12}? | |||
| | | | +--rw no-end-time? empty | | | | | +--rw hmac-sha1-12? empty | |||
| | | +--:(duration) | | | | +--:(aes-cmac-prf-128) {aes-cmac-prf-128}? | |||
| | | | +--rw duration? uint32 | | | | | +--rw aes-cmac-prf-128? empty | |||
| | | +--:(end-date-time) | | | | +--:(md5) | |||
| | | +--rw end-date-time? | | | | | +--rw md5? empty | |||
| | | yang:date-and-time | | | | +--:(sha-1) | |||
| | +--ro lifetime-state | | | | | +--rw sha-1? empty | |||
| | | +--ro send-lifetime | | | | +--:(hmac-sha-1) | |||
| | | | +--ro (lifetime)? | | | | | +--rw hmac-sha-1? empty | |||
| | | | +--:(always) | | | | +--:(hmac-sha-256) | |||
| | | | | +--ro always? empty | | | | | +--rw hmac-sha-256? empty | |||
| | | | +--:(start-end-time) | | | | +--:(hmac-sha-384) | |||
| | | | +--ro start-date-time? yang:date-and-time | | | | | +--rw hmac-sha-384? empty | |||
| | | | +--ro (end-time)? | | | | +--:(hmac-sha-512) | |||
| | | | +--:(infinite) | | | | | +--rw hmac-sha-512? empty | |||
| | | | | +--ro no-end-time? empty | | | | +--:(clear-text) {clear-text}? | |||
| | | | +--:(duration) | | | | | +--rw clear-text? empty | |||
| | | | | +--ro duration? uint32 | | | | +--:(replay-protection-only) {replay-protection-only}? | |||
| | | | +--:(end-date-time) | | | | +--rw replay-protection-only? empty | |||
| | | | +--ro end-date-time? yang:date-and-time | | | +--rw key-string | |||
| | | +--ro send-valid? boolean | | | +--rw (key-string-style)? | |||
| | | +--ro accept-lifetime | | | +--:(keystring) | |||
| | | | +--ro (lifetime)? | | | | +--rw keystring? string | |||
| | | | +--:(always) | | | +--:(hexadecimal) {hex-key-string}? | |||
| | | | | +--ro always? empty | | | +--rw hexadecimal-string? yang:hex-string | |||
| | | | +--:(start-end-time) | | +--rw aes-key-wrap {aes-key-wrap}? | |||
| | | | +--ro start-date-time? yang:date-and-time | | +--rw enable? boolean | |||
| | | | +--ro (end-time)? | +--ro key-chain-state | |||
| | | | +--:(infinite) | +--ro key-chain-list* [name] | |||
| | | | | +--ro no-end-time? empty | | +--ro name string | |||
| | | | +--:(duration) | | +--ro description? string | |||
| | | | | +--ro duration? uint32 | | +--ro accept-tolerance {accept-tolerance}? | |||
| | | | +--:(end-date-time) | | | +--ro duration? uint32 | |||
| | | | +--ro end-date-time? yang:date-and-time | | +--ro key-chain-entries* [key-id] | |||
| | | +--ro accept-valid? boolean | | +--ro key-id uint64 | |||
| | +--rw crypto-algorithm | | +--ro lifetime | |||
| | | +--rw (algorithm)? | | | +--ro (lifetime)? | |||
| | | +--:(hmac-sha-1-12) {crypto-hmac-sha-1-12}? | | | +--:(send-and-accept-lifetime) | |||
| | | | +--rw hmac-sha1-12? empty | | | | +--ro send-accept-lifetime | |||
| | | +--:(aes-cmac-prf-128) {aes-cmac-prf-128}? | | | | +--ro (lifetime)? | |||
| | | | +--rw aes-cmac-prf-128? empty | | | | +--:(always) | |||
| | | +--:(md5) | | | | | +--ro always? empty | |||
| | | | +--rw md5? empty | | | | +--:(start-end-time) | |||
| | | +--:(sha-1) | | | | +--ro start-date-time? | |||
| | | | +--rw sha-1? empty | | | | | yang:date-and-time | |||
| | | +--:(hmac-sha-1) | | | | +--ro (end-time)? | |||
| | | | +--rw hmac-sha-1? empty | | | | +--:(infinite) | |||
| | | +--:(hmac-sha-256) | | | | | +--ro no-end-time? empty | |||
| | | | +--rw hmac-sha-256? empty | | | | +--:(duration) | |||
| | | +--:(hmac-sha-384) | | | | | +--ro duration? uint32 | |||
| | | | +--rw hmac-sha-384? empty | | | | +--:(end-date-time) | |||
| | | +--:(hmac-sha-512) | | | | +--ro end-date-time? | |||
| | | | +--rw hmac-sha-512? empty | | | | yang:date-and-time | |||
| | | +--:(clear-text) {clear-text}? | | | +--:(independent-send-accept-lifetime) | |||
| | | | +--rw clear-text? empty | | | {independent-send-accept-lifetime}? | |||
| | | +--:(replay-protection-only) {replay-protection-only}? | | | +--ro send-lifetime | |||
| | | +--rw replay-protection-only? empty | | | | +--ro (lifetime)? | |||
| | +--ro crypto-algorithm-state | | | | +--:(always) | |||
| | +--ro (algorithm)? | | | | | +--ro always? empty | |||
| | +--:(hmac-sha-1-12) {crypto-hmac-sha-1-12}? | | | | +--:(start-end-time) | |||
| | | +--ro hmac-sha1-12? empty | | | | +--ro start-date-time? | |||
| | +--:(aes-cmac-prf-128) {aes-cmac-prf-128}? | | | | yang:date-and-time | |||
| | | +--ro aes-cmac-prf-128? empty | | | | +--ro (end-time)? | |||
| | +--:(md5) | | | | +--:(infinite) | |||
| | | +--ro md5? empty | | | | | +--ro no-end-time? empty | |||
| | +--:(sha-1) | | | | +--:(duration) | |||
| | | +--ro sha-1? empty | | | | | +--ro duration? uint32 | |||
| | +--:(hmac-sha-1) | | | | +--:(end-date-time) | |||
| | | +--ro hmac-sha-1? empty | | | | +--ro end-date-time? | |||
| | +--:(hmac-sha-256) | | | | yang:date-and-time | |||
| | | +--ro hmac-sha-256? empty | | | +--ro accept-lifetime | |||
| | +--:(hmac-sha-384) | | | +--ro (lifetime)? | |||
| | | +--ro hmac-sha-384? empty | | | +--:(always) | |||
| | +--:(hmac-sha-512) | | | | +--ro always? empty | |||
| | | +--ro hmac-sha-512? empty | | | +--:(start-end-time) | |||
| | +--:(clear-text) {clear-text}? | | | +--ro start-date-time? | |||
| | | +--ro clear-text? empty | | | | yang:date-and-time | |||
| | +--:(replay-protection-only) {replay-protection-only}? | | | +--ro (end-time)? | |||
| | +--ro replay-protection-only? empty | | | +--:(infinite) | |||
| +--rw aes-key-wrap {aes-key-wrap}? | | | | +--ro no-end-time? empty | |||
| | +--rw enable? boolean | | | +--:(duration) | |||
| +--ro aes-key-wrap-state {aes-key-wrap}? | | | | +--ro duration? uint32 | |||
| +--ro enable? boolean | | | +--:(end-date-time) | |||
| | | +--ro end-date-time? | ||||
| | | yang:date-and-time | ||||
| | +--ro crypto-algorithm | ||||
| | | +--ro (algorithm)? | ||||
| | | +--:(hmac-sha-1-12) {crypto-hmac-sha-1-12}? | ||||
| | | | +--ro hmac-sha1-12? empty | ||||
| | | +--:(aes-cmac-prf-128) {aes-cmac-prf-128}? | ||||
| | | | +--ro aes-cmac-prf-128? empty | ||||
| | | +--:(md5) | ||||
| | | | +--ro md5? empty | ||||
| | | +--:(sha-1) | ||||
| | | | +--ro sha-1? empty | ||||
| | | +--:(hmac-sha-1) | ||||
| | | | +--ro hmac-sha-1? empty | ||||
| | | +--:(hmac-sha-256) | ||||
| | | | +--ro hmac-sha-256? empty | ||||
| | | +--:(hmac-sha-384) | ||||
| | | | +--ro hmac-sha-384? empty | ||||
| | | +--:(hmac-sha-512) | ||||
| | | | +--ro hmac-sha-512? empty | ||||
| | | +--:(clear-text) {clear-text}? | ||||
| | | | +--ro clear-text? empty | ||||
| | | +--:(replay-protection-only) {replay-protection-only}? | ||||
| | | +--ro replay-protection-only? empty | ||||
| | +--ro send-lifetime-active? boolean | ||||
| | +--ro accept-lifetime-active? boolean | ||||
| +--ro aes-key-wrap {aes-key-wrap}? | ||||
| +--ro enable? boolean | ||||
| 4. Key Chain YANG Model | 4. Key Chain YANG Model | |||
| <CODE BEGINS> file "ietf-key-chain@2016-08-17.yang" | <CODE BEGINS> file "ietf-key-chain@2016-10-27.yang" | |||
| module ietf-key-chain { | module ietf-key-chain { | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-key-chain"; | namespace "urn:ietf:params:xml:ns:yang:ietf-key-chain"; | |||
| // replace with IANA namespace when assigned | // replace with IANA namespace when assigned | |||
| prefix "key-chain"; | prefix "key-chain"; | |||
| import ietf-yang-types { | import ietf-yang-types { | |||
| prefix "yang"; | prefix "yang"; | |||
| } | } | |||
| organization | organization | |||
| "IETF RTG (Routing) Working Group"; | "IETF RTG (Routing) Working Group"; | |||
| contact | contact | |||
| "Acee Lindem - acee@cisco.com"; | "Acee Lindem - acee@cisco.com"; | |||
| description | description | |||
| "This YANG module defines the generic configuration | "This YANG module defines the generic configuration | |||
| data for key-chain. It is intended that the module | data for key-chain. It is intended that the module | |||
| will be extended by vendors to define vendor-specific | will be extended by vendors to define vendor-specific | |||
| key-chain configuration parameters. | key-chain configuration parameters. | |||
| Copyright (c) 2015 IETF Trust and the persons identified as | Copyright (c) 2015 IETF Trust and the persons identified as | |||
| authors of the code. All rights reserved. | authors of the code. All rights reserved. | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
| to the license terms contained in, the Simplified BSD License | to the license terms contained in, the Simplified BSD License | |||
| set forth in Section 4.c of the IETF Trust's Legal Provisions | set forth in Section 4.c of the IETF Trust's Legal Provisions | |||
| Relating to IETF Documents | Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC XXXX; see | This version of this YANG module is part of RFC XXXX; see | |||
| the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||
| revision 2016-08-17 { | revision 2016-10-27 { | |||
| description | description | |||
| "Add description and last-modified timestamp leaves."; | "Restructure into separate config and state trees to | |||
| reference | match YANG structure."; | |||
| "RFC XXXX: A YANG Data Model for key-chain"; | reference | |||
| } | "RFC XXXX: A YANG Data Model for key-chain"; | |||
| revision 2016-07-01 { | } | |||
| description | revision 2016-08-17 { | |||
| "Rename module back to ietf-key-chain. | description | |||
| Added replay-protection-only feature and algorithm."; | "Add description and last-modified timestamp leaves."; | |||
| reference | reference | |||
| "RFC XXXX: A YANG Data Model for key-chain"; | "RFC XXXX: A YANG Data Model for key-chain"; | |||
| } | } | |||
| revision 2016-03-15 { | revision 2016-07-01 { | |||
| description | description | |||
| "Rename module from ietf-key-chain to | "Rename module back to ietf-key-chain. | |||
| Added replay-protection-only feature and algorithm."; | ||||
| reference | ||||
| "RFC XXXX: A YANG Data Model for key-chain"; | ||||
| } | ||||
| revision 2016-03-15 { | ||||
| description | ||||
| "Rename module from ietf-key-chain to | ||||
| ietf-routing-key-chain."; | ietf-routing-key-chain."; | |||
| reference | reference | |||
| "RFC XXXX: A YANG Data Model for Routing key-chain"; | "RFC XXXX: A YANG Data Model for Routing key-chain"; | |||
| } | } | |||
| revision 2016-02-16 { | revision 2016-02-16 { | |||
| description | description | |||
| "Updated version. Added clear-text algorithm as a | "Updated version. Added clear-text algorithm as a | |||
| feature."; | feature."; | |||
| reference | reference | |||
| "RFC XXXX: A YANG Data Model for key-chain"; | "RFC XXXX: A YANG Data Model for key-chain"; | |||
| } | } | |||
| revision 2015-10-15 { | revision 2015-10-15 { | |||
| description | description | |||
| "Updated version, organization, and copyright. | "Updated version, organization, and copyright. | |||
| Added aes-cmac-prf-128 and aes-key-wrap features."; | Added aes-cmac-prf-128 and aes-key-wrap features."; | |||
| reference | reference | |||
| "RFC XXXX: A YANG Data Model for key-chain"; | "RFC XXXX: A YANG Data Model for key-chain"; | |||
| } | } | |||
| revision 2015-06-29 { | revision 2015-06-29 { | |||
| description | description | |||
| "Updated version. Added Operation State following | "Updated version. Added Operation State following | |||
| draft-openconfig-netmod-opstate-00."; | draft-openconfig-netmod-opstate-00."; | |||
| reference | reference | |||
| "RFC XXXX: A YANG Data Model for key-chain"; | "RFC XXXX: A YANG Data Model for key-chain"; | |||
| } | } | |||
| revision 2015-02-24 { | revision 2015-02-24 { | |||
| description | description | |||
| "Initial revision."; | "Initial revision."; | |||
| reference | reference | |||
| "RFC XXXX: A YANG Data Model for key-chain"; | "RFC XXXX: A YANG Data Model for key-chain"; | |||
| } | } | |||
| typedef key-chain-ref { | typedef key-chain-ref { | |||
| type leafref { | type leafref { | |||
| path "/key-chain:key-chains/key-chain:key-chain-list/" | path "/key-chain:key-chain/key-chain:key-chain-list/" | |||
| + "key-chain:name"; | + "key-chain:name"; | |||
| } | ||||
| description | ||||
| "This type is used by data models that need to reference | ||||
| configured key-chains."; | ||||
| } | } | |||
| description | ||||
| "This type is used by data models that need to reference | ||||
| configured key-chains."; | ||||
| } | ||||
| /* feature list */ | /* feature list */ | |||
| feature hex-key-string { | feature hex-key-string { | |||
| description | description | |||
| "Support hexadecimal key string."; | "Support hexadecimal key string."; | |||
| } | ||||
| feature accept-tolerance { | } | |||
| description | ||||
| "To specify the tolerance or acceptance limit."; | ||||
| } | ||||
| feature independent-send-accept-lifetime { | feature accept-tolerance { | |||
| description | description | |||
| "Support for independent send and accept key lifetimes."; | "To specify the tolerance or acceptance limit."; | |||
| } | } | |||
| feature crypto-hmac-sha-1-12 { | feature independent-send-accept-lifetime { | |||
| description | description | |||
| "Support for TCP HMAC-SHA-1 12 byte digest hack."; | "Support for independent send and accept key lifetimes."; | |||
| } | } | |||
| feature clear-text { | feature crypto-hmac-sha-1-12 { | |||
| description | description | |||
| "Support for clear-text algorithm. Usage is NOT RECOMMENDED."; | "Support for TCP HMAC-SHA-1 12 byte digest hack."; | |||
| } | } | |||
| feature aes-cmac-prf-128 { | feature clear-text { | |||
| description | description | |||
| "Support for AES Cipher based Message Authentication Code | "Support for clear-text algorithm. Usage is | |||
| Pseudo Random Function."; | NOT RECOMMENDED."; | |||
| } | } | |||
| feature aes-key-wrap { | feature aes-cmac-prf-128 { | |||
| description | description | |||
| "Support for Advanced Encryption Standard (AES) Key Wrap."; | "Support for AES Cipher based Message Authentication | |||
| } | Code Pseudo Random Function."; | |||
| } | ||||
| feature replay-protection-only { | feature aes-key-wrap { | |||
| description | description | |||
| "Provide replay-protection without any authentication | "Support for Advanced Encryption Standard (AES) | |||
| as required by protocols such as Bidirectional | Key Wrap."; | |||
| Forwarding Detection (BFD)."; | } | |||
| } | ||||
| /* groupings */ | feature replay-protection-only { | |||
| grouping lifetime { | description | |||
| description | "Provide replay-protection without any authentication | |||
| "Key lifetime specification."; | as required by protocols such as Bidirectional | |||
| choice lifetime { | Forwarding Detection (BFD)."; | |||
| default always; | } | |||
| description | ||||
| "Options for specifying key accept or send lifetimes"; | /* groupings */ | |||
| case always { | grouping lifetime { | |||
| leaf always { | description | |||
| type empty; | "Key lifetime specification."; | |||
| choice lifetime { | ||||
| default always; | ||||
| description | description | |||
| "Indicates key lifetime is always valid."; | "Options for specifying key accept or send | |||
| } | lifetimes"; | |||
| } | case always { | |||
| case start-end-time { | leaf always { | |||
| leaf start-date-time { | type empty; | |||
| type yang:date-and-time; | description | |||
| description "Start time."; | "Indicates key lifetime is always valid."; | |||
| } | ||||
| } | ||||
| case start-end-time { | ||||
| leaf start-date-time { | ||||
| type yang:date-and-time; | ||||
| description "Start time."; | ||||
| } | ||||
| choice end-time { | ||||
| default infinite; | ||||
| description | ||||
| "End-time setting."; | ||||
| case infinite { | ||||
| leaf no-end-time { | ||||
| type empty; | ||||
| description | ||||
| "Indicates key lifetime end-time in | ||||
| infinite."; | ||||
| } | ||||
| } | ||||
| case duration { | ||||
| leaf duration { | ||||
| type uint32 { | ||||
| range "1..2147483646"; | ||||
| } | ||||
| units seconds; | ||||
| description "Key lifetime duration, | ||||
| in seconds"; | ||||
| } | ||||
| } | ||||
| case end-date-time { | ||||
| leaf end-date-time { | ||||
| type yang:date-and-time; | ||||
| description "End time."; | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| } | } | |||
| choice end-time { | } | |||
| default infinite; | grouping crypto-algorithm-types { | |||
| description | description "Cryptographic algorithm types."; | |||
| "End-time setting."; | choice algorithm { | |||
| case infinite { | ||||
| leaf no-end-time { | ||||
| type empty; | ||||
| description | description | |||
| "Indicates key lifetime end-time in infinite."; | "Options for cryptographic algorithm specification."; | |||
| case hmac-sha-1-12 { | ||||
| if-feature crypto-hmac-sha-1-12; | ||||
| leaf hmac-sha1-12 { | ||||
| type empty; | ||||
| description "The HMAC-SHA1-12 algorithm."; | ||||
| } | ||||
| } | } | |||
| } | case aes-cmac-prf-128 { | |||
| case duration { | if-feature aes-cmac-prf-128; | |||
| leaf duration { | leaf aes-cmac-prf-128 { | |||
| type uint32 { | type empty; | |||
| range "1..2147483646"; | description "The AES-CMAC-PRF-128 algorithm - | |||
| } | required by RFC 5926 for TCP-AO key | |||
| units seconds; | derivation functions."; | |||
| description "Key lifetime duration, in seconds"; | } | |||
| } | } | |||
| } | case md5 { | |||
| case end-date-time { | leaf md5 { | |||
| leaf end-date-time { | type empty; | |||
| type yang:date-and-time; | description "The MD5 algorithm."; | |||
| description "End time."; | } | |||
| } | ||||
| case sha-1 { | ||||
| leaf sha-1 { | ||||
| type empty; | ||||
| description "The SHA-1 algorithm."; | ||||
| } | ||||
| } | ||||
| case hmac-sha-1 { | ||||
| leaf hmac-sha-1 { | ||||
| type empty; | ||||
| description | ||||
| "HMAC-SHA-1 authentication algorithm."; | ||||
| } | ||||
| } | ||||
| case hmac-sha-256 { | ||||
| leaf hmac-sha-256 { | ||||
| type empty; | ||||
| description | ||||
| "HMAC-SHA-256 authentication algorithm."; | ||||
| } | ||||
| } | ||||
| case hmac-sha-384 { | ||||
| leaf hmac-sha-384 { | ||||
| type empty; | ||||
| description | ||||
| "HMAC-SHA-384 authentication algorithm."; | ||||
| } | ||||
| } | ||||
| case hmac-sha-512 { | ||||
| leaf hmac-sha-512 { | ||||
| type empty; | ||||
| description | ||||
| "HMAC-SHA-512 authentication algorithm."; | ||||
| } | ||||
| } | ||||
| case clear-text { | ||||
| if-feature clear-text; | ||||
| leaf clear-text { | ||||
| type empty; | ||||
| description "Clear text."; | ||||
| } | ||||
| } | ||||
| case replay-protection-only { | ||||
| if-feature replay-protection-only; | ||||
| leaf replay-protection-only { | ||||
| type empty; | ||||
| description | ||||
| "Provide replay-protection without any | ||||
| authentication as required by protocols | ||||
| such as Bidirectional Forwarding | ||||
| Detection (BFD)."; | ||||
| } | ||||
| } | } | |||
| } | ||||
| } | } | |||
| } | ||||
| } | } | |||
| } | ||||
| grouping crypto-algorithm-types { | ||||
| description "Cryptographic algorithm types."; | ||||
| choice algorithm { | ||||
| description | ||||
| "Options for cryptographic algorithm specification."; | ||||
| case hmac-sha-1-12 { | ||||
| if-feature crypto-hmac-sha-1-12; | ||||
| leaf hmac-sha1-12 { | ||||
| type empty; | ||||
| description "The HMAC-SHA1-12 algorithm."; | ||||
| } | ||||
| } | ||||
| case aes-cmac-prf-128 { | ||||
| if-feature aes-cmac-prf-128; | ||||
| leaf aes-cmac-prf-128 { | ||||
| type empty; | ||||
| description "The AES-CMAC-PRF-128 algorithm - required | ||||
| by RFC 5926 for TCP-AO key derivation | ||||
| functions."; | ||||
| } | ||||
| } | ||||
| case md5 { | ||||
| leaf md5 { | ||||
| type empty; | ||||
| description "The MD5 algorithm."; | ||||
| } | ||||
| } | ||||
| case sha-1 { | ||||
| leaf sha-1 { | ||||
| type empty; | ||||
| description "The SHA-1 algorithm."; | ||||
| } | ||||
| } | ||||
| case hmac-sha-1 { | ||||
| leaf hmac-sha-1 { | ||||
| type empty; | ||||
| description "HMAC-SHA-1 authentication algorithm."; | ||||
| } | ||||
| } | ||||
| case hmac-sha-256 { | ||||
| leaf hmac-sha-256 { | ||||
| type empty; | ||||
| description "HMAC-SHA-256 authentication algorithm."; | ||||
| } | ||||
| } | ||||
| case hmac-sha-384 { | ||||
| leaf hmac-sha-384 { | ||||
| type empty; | ||||
| description "HMAC-SHA-384 authentication algorithm."; | ||||
| } | ||||
| } | ||||
| case hmac-sha-512 { | ||||
| leaf hmac-sha-512 { | ||||
| type empty; | ||||
| description "HMAC-SHA-512 authentication algorithm."; | ||||
| } | ||||
| } | ||||
| case clear-text { | ||||
| if-feature clear-text; | ||||
| leaf clear-text { | ||||
| type empty; | ||||
| description "Clear text."; | ||||
| } | ||||
| } | ||||
| case replay-protection-only { | ||||
| if-feature replay-protection-only; | ||||
| leaf replay-protection-only { | ||||
| type empty; | ||||
| description | ||||
| "Provide replay-protection without any authentication | ||||
| as required by protocols such as Bidirectional | ||||
| Forwarding Detection (BFD)."; | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| grouping key-chain { | grouping key-chain-common-entry { | |||
| description | description "Key-chain entry data nodes common to | |||
| "key-chain specification grouping."; | configuration and state."; | |||
| leaf name { | container lifetime { | |||
| type string; | description "Specify a key's lifetime."; | |||
| description "Name of the key-chain."; | choice lifetime { | |||
| description | ||||
| "Options for specification of send and accept | ||||
| lifetimes."; | ||||
| case send-and-accept-lifetime { | ||||
| description | ||||
| "Send and accept key have the same | ||||
| lifetime."; | ||||
| container send-accept-lifetime { | ||||
| uses lifetime; | ||||
| description | ||||
| "Single lifetime specification for both | ||||
| send and accept lifetimes."; | ||||
| } | ||||
| } | ||||
| case independent-send-accept-lifetime { | ||||
| if-feature independent-send-accept-lifetime; | ||||
| description | ||||
| "Independent send and accept key lifetimes."; | ||||
| container send-lifetime { | ||||
| uses lifetime; | ||||
| description | ||||
| "Separate lifetime specification for send | ||||
| lifetime."; | ||||
| } | ||||
| container accept-lifetime { | ||||
| uses lifetime; | ||||
| description | ||||
| "Separate lifetime specification for | ||||
| accept lifetime."; | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| container crypto-algorithm { | ||||
| uses crypto-algorithm-types; | ||||
| description | ||||
| "Cryptographic algorithm associated with key."; | ||||
| } | ||||
| } | } | |||
| leaf name-state { | grouping key-chain-config-entry { | |||
| type string; | description "Key-chain configuration entry."; | |||
| config false; | uses key-chain-common-entry; | |||
| description "Configured name of the key-chain."; | container key-string { | |||
| description "The key string."; | ||||
| choice key-string-style { | ||||
| description | ||||
| "Key string styles"; | ||||
| case keystring { | ||||
| leaf keystring { | ||||
| type string; | ||||
| description | ||||
| "Key string in ASCII format."; | ||||
| } | ||||
| } | ||||
| case hexadecimal { | ||||
| if-feature hex-key-string; | ||||
| leaf hexadecimal-string { | ||||
| type yang:hex-string; | ||||
| description | ||||
| "Key in hexadecimal string format."; | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| } | } | |||
| leaf description { | grouping key-chain-state-entry { | |||
| type string; | description "Key-chain state entry."; | |||
| description "A description of the key-chain"; | uses key-chain-common-entry; | |||
| leaf send-lifetime-active { | ||||
| type boolean; | ||||
| config false; | ||||
| description | ||||
| "Indicates if the send lifetime of the | ||||
| key-chain entry is currently active."; | ||||
| } | ||||
| leaf accept-lifetime-active { | ||||
| type boolean; | ||||
| config false; | ||||
| description | ||||
| "Indicates if the accept lifetime of the | ||||
| key-chain entry is currently active."; | ||||
| } | ||||
| } | } | |||
| container accept-tolerance { | grouping key-chain-common { | |||
| if-feature accept-tolerance; | ||||
| description | ||||
| "Tolerance for key lifetime acceptance (seconds)."; | ||||
| leaf duration { | ||||
| type uint32; | ||||
| units seconds; | ||||
| default "0"; | ||||
| description | description | |||
| "Tolerance range, in seconds."; | "key-chain common grouping."; | |||
| } | leaf name { | |||
| type string; | ||||
| description "Name of the key-chain."; | ||||
| } | ||||
| leaf description { | ||||
| type string; | ||||
| description "A description of the key-chain"; | ||||
| } | ||||
| container accept-tolerance { | ||||
| if-feature accept-tolerance; | ||||
| description | ||||
| "Tolerance for key lifetime acceptance (seconds)."; | ||||
| leaf duration { | ||||
| type uint32; | ||||
| units seconds; | ||||
| default "0"; | ||||
| description | ||||
| "Tolerance range, in seconds."; | ||||
| } | ||||
| } | ||||
| } | } | |||
| container accept-tolerance-state { | grouping key-chain-config { | |||
| config false; | ||||
| description | ||||
| "Configured tolerance for key lifetime | ||||
| acceptance (seconds)."; | ||||
| leaf duration { | ||||
| type uint32; | ||||
| description | description | |||
| "Configured tolerance range, in seconds."; | "key-chain configuration grouping."; | |||
| } | uses key-chain-common; | |||
| list key-chain-entries { | ||||
| key "key-id"; | ||||
| description "One key."; | ||||
| leaf key-id { | ||||
| type uint64; | ||||
| description "Key ID."; | ||||
| } | ||||
| uses key-chain-config-entry; | ||||
| } | ||||
| } | } | |||
| leaf last-modified-timestamp { | grouping key-chain-state { | |||
| type yang:date-and-time; | description | |||
| config false; | "key-chain state grouping."; | |||
| description "Timestamp of the most recent update | uses key-chain-common; | |||
| to the key-chain"; | list key-chain-entries { | |||
| key "key-id"; | ||||
| description "One key."; | ||||
| leaf key-id { | ||||
| type uint64; | ||||
| description "Key ID."; | ||||
| } | ||||
| uses key-chain-state-entry; | ||||
| } | ||||
| } | } | |||
| list key-chain-entry { | container key-chain { | |||
| key "key-id"; | list key-chain-list { | |||
| description "One key."; | key "name"; | |||
| leaf key-id { | ||||
| type uint64; | ||||
| description "Key ID."; | ||||
| } | ||||
| leaf key-id-state { | ||||
| type uint64; | ||||
| config false; | ||||
| description "Configured Key ID."; | ||||
| } | ||||
| container key-string { | ||||
| description "The key string."; | ||||
| choice key-string-style { | ||||
| description | ||||
| "Key string styles"; | ||||
| case keystring { | ||||
| leaf keystring { | ||||
| type string; | ||||
| description "Key string in ASCII format."; | ||||
| } | ||||
| } | ||||
| case hexadecimal { | ||||
| if-feature hex-key-string; | ||||
| leaf hexadecimal-string { | ||||
| type yang:hex-string; | ||||
| description | ||||
| "Key in hexadecimal string format."; | ||||
| } | ||||
| } | ||||
| } | ||||
| } | ||||
| container lifetime { | ||||
| description "Specify a key's lifetime."; | ||||
| choice lifetime { | ||||
| description | ||||
| "Options for specification of send and accept | ||||
| lifetimes."; | ||||
| case send-and-accept-lifetime { | ||||
| description | description | |||
| "Send and accept key have the same lifetime."; | "List of key-chains."; | |||
| container send-accept-lifetime { | uses key-chain-config; | |||
| uses lifetime; | } | |||
| description | ||||
| "Single lifetime specification for both send and | container aes-key-wrap { | |||
| accept lifetimes."; | if-feature aes-key-wrap; | |||
| } | ||||
| } | ||||
| case independent-send-accept-lifetime { | ||||
| if-feature independent-send-accept-lifetime; | ||||
| description | description | |||
| "Independent send and accept key lifetimes."; | "AES Key Wrap password encryption."; | |||
| container send-lifetime { | leaf enable { | |||
| uses lifetime; | type boolean; | |||
| description | default false; | |||
| "Separate lifetime specification for send | description | |||
| lifetime."; | "Enable AES Key Wrap encryption."; | |||
| } | ||||
| container accept-lifetime { | ||||
| uses lifetime; | ||||
| description | ||||
| "Separate lifetime specification for accept | ||||
| lifetime."; | ||||
| } | } | |||
| } | ||||
| } | } | |||
| } | description "All configured key-chains | |||
| container lifetime-state { | on the device."; | |||
| } | ||||
| container key-chain-state { | ||||
| config false; | config false; | |||
| description "Configured key's lifetime."; | list key-chain-list { | |||
| container send-lifetime { | key "name"; | |||
| uses lifetime; | description | |||
| description | "List of key-chains and operational state."; | |||
| "Configured send-lifetime."; | uses key-chain-state; | |||
| } | ||||
| leaf send-valid { | ||||
| type boolean; | ||||
| description | ||||
| "Status of send-lifetime."; | ||||
| } | ||||
| container accept-lifetime { | ||||
| uses lifetime; | ||||
| description | ||||
| "Configured accept-lifetime."; | ||||
| } | } | |||
| leaf accept-valid { | container aes-key-wrap { | |||
| type boolean; | if-feature aes-key-wrap; | |||
| description | description | |||
| "Status of accept-lifetime."; | "AES Key Wrap password encryption."; | |||
| leaf enable { | ||||
| type boolean; | ||||
| description | ||||
| "Indicates whether AES Key Wrap encryption | ||||
| is enabled."; | ||||
| } | ||||
| } | } | |||
| } | description "State for all configured key-chains | |||
| container crypto-algorithm { | on the device."; | |||
| uses crypto-algorithm-types; | ||||
| description "Cryptographic algorithm associated with key."; | ||||
| } | ||||
| container crypto-algorithm-state { | ||||
| config false; | ||||
| uses crypto-algorithm-types; | ||||
| description "Configured cryptographic algorithm."; | ||||
| } | ||||
| } | ||||
| } | ||||
| container key-chains { | ||||
| list key-chain-list { | ||||
| key "name"; | ||||
| description | ||||
| "List of key-chains."; | ||||
| uses key-chain; | ||||
| } | ||||
| container aes-key-wrap { | ||||
| if-feature aes-key-wrap; | ||||
| leaf enable { | ||||
| type boolean; | ||||
| default false; | ||||
| description | ||||
| "Enable AES Key Wrap encryption."; | ||||
| } | ||||
| description | ||||
| "AES Key Wrap password encryption."; | ||||
| } | ||||
| container aes-key-wrap-state { | ||||
| if-feature aes-key-wrap; | ||||
| config false; | ||||
| leaf enable { | ||||
| type boolean; | ||||
| description "AES Key Wrap state."; | ||||
| } | ||||
| description "Status of AES Key Wrap."; | ||||
| } | } | |||
| description "All configured key-chains for the device."; | ||||
| } | ||||
| } | } | |||
| <CODE ENDS> | <CODE ENDS> | |||
| 5. Security Considerations | 5. Security Considerations | |||
| This document enables the automated distribution of industry standard | This document enables the automated distribution of industry standard | |||
| key chains using the NETCONF [NETCONF] protocol. As such, the | key chains using the NETCONF [NETCONF] protocol. As such, the | |||
| security considerations for the NETCONF protocol are applicable. | security considerations for the NETCONF protocol are applicable. | |||
| Given that the key chains themselves are sensitive data, it is | Given that the key chains themselves are sensitive data, it is | |||
| RECOMMENDED that the NETCONF communication channel be encrypted. One | RECOMMENDED that the NETCONF communication channel be encrypted. One | |||
| skipping to change at page 21, line 41 ¶ | skipping to change at page 23, line 4 ¶ | |||
| 170 West Tasman Drive | 170 West Tasman Drive | |||
| San Jose, CA 95134 | San Jose, CA 95134 | |||
| USA | USA | |||
| Email: yiqu@cisco.com | Email: yiqu@cisco.com | |||
| Derek Yeung | Derek Yeung | |||
| Arrcus, Inc | Arrcus, Inc | |||
| Email: derek@arrcus.com | Email: derek@arrcus.com | |||
| Ing-Wher Chen | Ing-Wher Chen | |||
| Ericsson | Ericsson | |||
| Email: ichen@kuatrotech.com | Email: ichen@kuatrotech.com | |||
| Jeffrey Zhang | Jeffrey Zhang | |||
| Juniper Networks | Juniper Networks | |||
| 10 Technology Park Drive | 10 Technology Park Drive | |||
| Westford, MA 01886 | Westford, MA 01886 | |||
| USA | USA | |||
| Email: zzhang@juniper.net | Email: zzhang@juniper.net | |||
| Yi Yang | Yi Yang | |||
| Cisco Systems | Individual Contributor | |||
| 7025 Kit Creek Road | ||||
| Research Triangle Park, NC 27709 | ||||
| USA | ||||
| Email: yiya@cisco.com | Email: yiyang1998@gmail.com | |||
| End of changes. 55 change blocks. | ||||
| 550 lines changed or deleted | 601 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||