| < draft-ietf-rtgwg-yang-key-chain-16.txt | draft-ietf-rtgwg-yang-key-chain-17.txt > | |||
|---|---|---|---|---|
| skipping to change at page 1, line 16 ¶ | skipping to change at page 1, line 16 ¶ | |||
| Expires: September 28, 2017 Huawei | Expires: September 28, 2017 Huawei | |||
| D. Yeung | D. Yeung | |||
| Arrcus, Inc | Arrcus, Inc | |||
| I. Chen | I. Chen | |||
| Jabil | Jabil | |||
| J. Zhang | J. Zhang | |||
| Juniper Networks | Juniper Networks | |||
| March 27, 2017 | March 27, 2017 | |||
| Routing Key Chain YANG Data Model | Routing Key Chain YANG Data Model | |||
| draft-ietf-rtgwg-yang-key-chain-16.txt | draft-ietf-rtgwg-yang-key-chain-17.txt | |||
| Abstract | Abstract | |||
| This document describes the key chain YANG data model. Key chains | This document describes the key chain YANG data model. Key chains | |||
| are commonly used for routing protocol authentication and other | are commonly used for routing protocol authentication and other | |||
| applications requiring symmetric keys. A key chain is a list of | applications requiring symmetric keys. A key chain is a list of | |||
| elements each containing a key string, send lifetime, accept | elements each containing a key string, send lifetime, accept | |||
| lifetime, and algorithm (authentication or encryption). By properly | lifetime, and algorithm (authentication or encryption). By properly | |||
| overlapping the send and accept lifetimes of multiple key chain | overlapping the send and accept lifetimes of multiple key chain | |||
| elements, key strings and algorithms may be gracefully updated. By | elements, key strings and algorithms may be gracefully updated. By | |||
| skipping to change at page 18, line 7 ¶ | skipping to change at page 18, line 7 ¶ | |||
| description | description | |||
| "Indicates whether AES Key Wrap encryption is enabled."; | "Indicates whether AES Key Wrap encryption is enabled."; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| <CODE ENDS> | <CODE ENDS> | |||
| 5. Security Considerations | 5. Security Considerations | |||
| This document enables the automated distribution of industry standard | The YANG module defined in this document is designed to be accessed | |||
| key chains using the NETCONF [NETCONF] protocol. As such, the | via network management protocols such as NETCONF [NETCONF] or | |||
| security considerations for the NETCONF protocol are applicable. The | RESTCONF [RESTCONF]. The lowest NETCONF layer is the secure | |||
| NETCONF protocol mandates confidentiality (section 2.2 of [NETCONF]. | transport layer, and the mandatory-to-implement secure transport is | |||
| Similarily, the RESTCONF protocol also mandates confidentiality | Secure Shell (SSH) [NETCONF-SSH]. The lowest RESTCONF layer is | |||
| (section 1.1 of [RESTCONF]). If a transport not mandating | HTTPS, and the mandatory-to-implement secure transport is TLS [TLS]. | |||
| confidentiality is used, it is RECOMMENDED that the transport | ||||
| communication channel be encrypted. | The NETCONF access control model [NETCONF-ACM] provides the means to | |||
| restrict access for particular NETCONF or RESTCONF users to a pre- | ||||
| configured subset of all available NETCONF or RESTCONF protocol | ||||
| operations and content. | ||||
| When configured, the key-strings can be encrypted using the AES Key | When configured, the key-strings can be encrypted using the AES Key | |||
| Wrap algorithm [AES-KEY-WRAP]. The AES key-encryption key (KEK) is | Wrap algorithm [AES-KEY-WRAP]. The AES key-encryption key (KEK) is | |||
| not included in the YANG model and must be set or derived independent | not included in the YANG model and must be set or derived independent | |||
| of key-chain configuration. | of key-chain configuration. | |||
| The key strings are not accessible by default and NETCONF Access | The key strings are not accessible by default and NETCONF Access | |||
| Control Mode [NETCONF-ACM] rules are required to configure or | Control Mode [NETCONF-ACM] rules are required to configure or | |||
| retrieve them. | retrieve them. | |||
| skipping to change at page 20, line 10 ¶ | skipping to change at page 20, line 14 ¶ | |||
| [CRYPTO-KEYTABLE] | [CRYPTO-KEYTABLE] | |||
| Housley, R., Polk, T., Hartman, S., and D. Zhang, | Housley, R., Polk, T., Hartman, S., and D. Zhang, | |||
| "Table of Cryptographic Keys", RFC 7210, April 2014. | "Table of Cryptographic Keys", RFC 7210, April 2014. | |||
| [IAB-REPORT] | [IAB-REPORT] | |||
| Andersson, L., Davies, E., and L. Zhang, "Report from the | Andersson, L., Davies, E., and L. Zhang, "Report from the | |||
| IAB workshop on Unwanted Traffic March 9-10, 2006", RFC | IAB workshop on Unwanted Traffic March 9-10, 2006", RFC | |||
| 4948, August 2007. | 4948, August 2007. | |||
| [NETCONF-SSH] | ||||
| Wasserman, M., "NETCONF over SSH", RFC 6242, June 2011. | ||||
| [NTP-PROTO] | [NTP-PROTO] | |||
| Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network | Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network | |||
| Time Protocol Version 4: Protocol and Algorithms | Time Protocol Version 4: Protocol and Algorithms | |||
| Specification", RFC 5905, June 2010. | Specification", RFC 5905, June 2010. | |||
| [OSPFV3-AUTH] | [OSPFV3-AUTH] | |||
| Bhatia, M., Manral, V., and A. Lindem, "Supporting | Bhatia, M., Manral, V., and A. Lindem, "Supporting | |||
| Authentication Trailer for OSPFv3", RFC 7166, March 2014. | Authentication Trailer for OSPFv3", RFC 7166, March 2014. | |||
| [RESTCONF] | [RESTCONF] | |||
| skipping to change at page 20, line 31 ¶ | skipping to change at page 20, line 38 ¶ | |||
| Protocol", RFC 8040, January 2017. | Protocol", RFC 8040, January 2017. | |||
| [TCP-AO] Touch, J., Mankin, A., and R. Bonica, "The TCP | [TCP-AO] Touch, J., Mankin, A., and R. Bonica, "The TCP | |||
| Authentication Option", RFC 5925, June 2010. | Authentication Option", RFC 5925, June 2010. | |||
| [TCP-AO-ALGORITHMS] | [TCP-AO-ALGORITHMS] | |||
| Lebovitz, G. and E. Rescorla, "Cryptographic Algorithms | Lebovitz, G. and E. Rescorla, "Cryptographic Algorithms | |||
| for the TCP Authentication Option (TCP-AO)", RFC 5926, | for the TCP Authentication Option (TCP-AO)", RFC 5926, | |||
| June 2010. | June 2010. | |||
| [TLS] Dierks, T. and E. Rescorla, "The Transport Layer Security | ||||
| (TLS) Protocol", RFC 5246, August 2008. | ||||
| [YANG-CRYPTO-KEYTABLE] | [YANG-CRYPTO-KEYTABLE] | |||
| Chen, I., "YANG Data Model for RFC 7210 Key Table", draft- | Chen, I., "YANG Data Model for RFC 7210 Key Table", draft- | |||
| chen-rtg-key-table-yang-00.txt (work in progress), | chen-rtg-key-table-yang-00.txt (work in progress), | |||
| November 2015. | November 2015. | |||
| Appendix A. Examples | Appendix A. Examples | |||
| A.1. Simple Key Chain with Always Valid Single Key | A.1. Simple Key Chain with Always Valid Single Key | |||
| <?xml version="1.0" encoding="utf-8"?> | <?xml version="1.0" encoding="utf-8"?> | |||
| <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> | <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> | |||
| End of changes. 4 change blocks. | ||||
| 9 lines changed or deleted | 18 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||