< draft-ietf-rtgwg-yang-key-chain-21.txt   draft-ietf-rtgwg-yang-key-chain-22.txt >
Network Working Group A. Lindem, Ed. Network Working Group A. Lindem, Ed.
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Intended status: Standards Track Y. Qu Intended status: Standards Track Y. Qu
Expires: October 28, 2017 Huawei Expires: October 30, 2017 Huawei
D. Yeung D. Yeung
Arrcus, Inc Arrcus, Inc
I. Chen I. Chen
Jabil Jabil
J. Zhang J. Zhang
Juniper Networks Juniper Networks
April 26, 2017 April 28, 2017
Routing Key Chain YANG Data Model Routing Key Chain YANG Data Model
draft-ietf-rtgwg-yang-key-chain-21.txt draft-ietf-rtgwg-yang-key-chain-22.txt
Abstract Abstract
This document describes the key chain YANG data model. Key chains This document describes the key chain YANG data model. Key chains
are commonly used for routing protocol authentication and other are commonly used for routing protocol authentication and other
applications requiring symmetric keys. A key chain is a list of applications requiring symmetric keys. A key chain is a list of
elements each containing a key string, send lifetime, accept elements each containing a key string, send lifetime, accept
lifetime, and algorithm (authentication or encryption). By properly lifetime, and algorithm (authentication or encryption). By properly
overlapping the send and accept lifetimes of multiple key chain overlapping the send and accept lifetimes of multiple key chain
elements, key strings and algorithms may be gracefully updated. By elements, key strings and algorithms may be gracefully updated. By
skipping to change at page 1, line 45 skipping to change at page 1, line 45
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 28, 2017. This Internet-Draft will expire on October 30, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 35 skipping to change at page 2, line 35
2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Applicability . . . . . . . . . . . . . . . . . . . . . . 4 2.1. Applicability . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Graceful Key Rollover using Key Chains . . . . . . . . . 4 2.2. Graceful Key Rollover using Key Chains . . . . . . . . . 4
3. Design of the Key Chain Model . . . . . . . . . . . . . . . . 5 3. Design of the Key Chain Model . . . . . . . . . . . . . . . . 5
3.1. Key Chain Operational State . . . . . . . . . . . . . . . 6 3.1. Key Chain Operational State . . . . . . . . . . . . . . . 6
3.2. Key Chain Model Features . . . . . . . . . . . . . . . . 6 3.2. Key Chain Model Features . . . . . . . . . . . . . . . . 6
3.3. Key Chain Model Tree . . . . . . . . . . . . . . . . . . 6 3.3. Key Chain Model Tree . . . . . . . . . . . . . . . . . . 6
4. Key Chain YANG Model . . . . . . . . . . . . . . . . . . . . 8 4. Key Chain YANG Model . . . . . . . . . . . . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . 15 5. Security Considerations . . . . . . . . . . . . . . . . . . . 15
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 16 7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 17
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 17
8.1. Normative References . . . . . . . . . . . . . . . . . . 16 8.1. Normative References . . . . . . . . . . . . . . . . . . 17
8.2. Informative References . . . . . . . . . . . . . . . . . 17 8.2. Informative References . . . . . . . . . . . . . . . . . 17
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 18 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 19
A.1. Simple Key Chain with Always Valid Single Key . . . . . . 19 A.1. Simple Key Chain with Always Valid Single Key . . . . . . 19
A.2. Key Chain with Keys having Different Lifetimes . . . . . 19 A.2. Key Chain with Keys having Different Lifetimes . . . . . 19
A.3. Key Chain with Independent Send and Accept Lifetimes . . 21 A.3. Key Chain with Independent Send and Accept Lifetimes . . 21
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 22 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction 1. Introduction
This document describes the key chain YANG [YANG] data model. Key This document describes the key chain YANG [YANG] data model. Key
chains are commonly used for routing protocol authentication and chains are commonly used for routing protocol authentication and
skipping to change at page 6, line 31 skipping to change at page 6, line 31
implementations. For example, not all vendors support configuration implementations. For example, not all vendors support configuration
of an acceptance tolerance or configuration of key strings in of an acceptance tolerance or configuration of key strings in
hexadecimal. They are also used to support of security requirements hexadecimal. They are also used to support of security requirements
(e.g., TCP-AO Algorithms [TCP-AO-ALGORITHMS]) not yet implemented by (e.g., TCP-AO Algorithms [TCP-AO-ALGORITHMS]) not yet implemented by
vendors or only a single vendor. vendors or only a single vendor.
3.3. Key Chain Model Tree 3.3. Key Chain Model Tree
+--rw key-chains +--rw key-chains
+--rw key-chain* [name] +--rw key-chain* [name]
+--rw name string | +--rw name string
+--rw description? string | +--rw description? string
+--rw accept-tolerance {accept-tolerance}? | +--rw accept-tolerance {accept-tolerance}?
| +--rw duration? uint32 | | +--rw duration? uint32
+--ro last-modified-timestamp? yang:date-and-time | +--ro last-modified-timestamp? yang:date-and-time
+--rw key* [key-id] | +--rw key* [key-id]
+--rw key-id uint64 | +--rw key-id uint64
+--rw lifetime | +--rw lifetime
| +--rw (lifetime)? | | +--rw (lifetime)?
| +--:(send-and-accept-lifetime) | | +--:(send-and-accept-lifetime)
| | +--rw send-accept-lifetime | | | +--rw send-accept-lifetime
| | +--rw (lifetime)? | | | +--rw (lifetime)?
| | +--:(always) | | | +--:(always)
| | | +--rw always? empty | | | | +--rw always? empty
| | +--:(start-end-time) | | | +--:(start-end-time)
| | +--rw start-date-time? | | | +--rw start-date-time?
| | | yang:date-and-time | | | | yang:date-and-time
| | +--rw (end-time)? | | | +--rw (end-time)?
| | +--:(infinite) | | | +--:(infinite)
| | | +--rw no-end-time? empty | | | | +--rw no-end-time? empty
| | +--:(duration) | | | +--:(duration)
| | | +--rw duration? uint32 | | | | +--rw duration? uint32
| | +--:(end-date-time) | | | +--:(end-date-time)
| | +--rw end-date-time? | | | +--rw end-date-time?
| | yang:date-and-time | | | yang:date-and-time
| +--:(independent-send-accept-lifetime) | | +--:(independent-send-accept-lifetime)
| | {independent-send-accept-lifetime}? | | | {independent-send-accept-lifetime}?
| +--rw send-lifetime | | +--rw send-lifetime
| | +--rw (lifetime)? | | | +--rw (lifetime)?
| | +--:(always) | | | +--:(always)
| | | +--rw always? empty | | | | +--rw always? empty
| | +--:(start-end-time) | | | +--:(start-end-time)
| | +--rw start-date-time? | | | +--rw start-date-time?
| | yang:date-and-time | | | | yang:date-and-time
| | +--rw (end-time)? | | | +--rw (end-time)?
| | +--:(infinite) | | | +--:(infinite)
| | | +--rw no-end-time? empty | | | | +--rw no-end-time? empty
| | +--:(duration) | | | +--:(duration)
| | | +--rw duration? uint32 | | | | +--rw duration? uint32
| | +--:(end-date-time) | | | +--:(end-date-time)
| | +--rw end-date-time? | | | +--rw end-date-time?
| | yang:date-and-time | | | yang:date-and-time
| +--rw accept-lifetime | | +--rw accept-lifetime
| +--rw (lifetime)? | | +--rw (lifetime)?
| +--:(always) | | +--:(always)
| | +--rw always? empty | | | +--rw always? empty
| +--:(start-end-time) | | +--:(start-end-time)
| +--rw start-date-time? | | +--rw start-date-time?
| | yang:date-and-time | | | yang:date-and-time
| +--rw (end-time)? | | +--rw (end-time)?
| +--:(infinite) | | +--:(infinite)
| | +--rw no-end-time? empty | | | +--rw no-end-time? empty
| +--:(duration) | | +--:(duration)
| | +--rw duration? uint32 | | | +--rw duration? uint32
| +--:(end-date-time) | | +--:(end-date-time)
| +--rw end-date-time? | | +--rw end-date-time?
| yang:date-and-time | | yang:date-and-time
+--rw crypto-algorithm identityref | +--rw crypto-algorithm identityref
+--rw key-string | +--rw key-string
| +--rw (key-string-style)? | | +--rw (key-string-style)?
| +--:(keystring) | | +--:(keystring)
| | +--rw keystring? string | | | +--rw keystring? string
| +--:(hexadecimal) {hex-key-string}? | | +--:(hexadecimal) {hex-key-string}?
| +--rw hexadecimal-string? yang:hex-string | | +--rw hexadecimal-string? yang:hex-string
+--ro send-lifetime-active? boolean | +--ro send-lifetime-active? boolean
+--ro accept-lifetime-active? boolean | +--ro accept-lifetime-active? boolean
+--rw aes-key-wrap {aes-key-wrap}?
+--rw enable? boolean
4. Key Chain YANG Model 4. Key Chain YANG Model
<CODE BEGINS> file "ietf-key-chain@2017-04-18.yang" <CODE BEGINS> file "ietf-key-chain@2017-04-18.yang"
module ietf-key-chain { module ietf-key-chain {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-key-chain"; namespace "urn:ietf:params:xml:ns:yang:ietf-key-chain";
prefix key-chain; prefix key-chain;
import ietf-yang-types { import ietf-yang-types {
skipping to change at page 9, line 31 skipping to change at page 9, line 31
"Support for clear-text algorithm. Usage is "Support for clear-text algorithm. Usage is
NOT RECOMMENDED."; NOT RECOMMENDED.";
} }
feature aes-cmac-prf-128 { feature aes-cmac-prf-128 {
description description
"Support for AES Cipher based Message Authentication "Support for AES Cipher based Message Authentication
Code Pseudo Random Function."; Code Pseudo Random Function.";
} }
feature aes-key-wrap {
description
"Support for Advanced Encryption Standard (AES) Key Wrap.";
}
feature replay-protection-only { feature replay-protection-only {
description description
"Provide replay-protection without any authentication "Provide replay-protection without any authentication
as required by protocols such as Bidirectional as required by protocols such as Bidirectional
Forwarding Detection (BFD)."; Forwarding Detection (BFD).";
} }
identity crypto-algorithm { identity crypto-algorithm {
description description
"Base identity of cryptographic algorithm options."; "Base identity of cryptographic algorithm options.";
} }
skipping to change at page 15, line 4 skipping to change at page 15, line 9
type yang:hex-string; type yang:hex-string;
description description
"Key in hexadecimal string format. When compared "Key in hexadecimal string format. When compared
to ASCII, specification in hexadecimal affords to ASCII, specification in hexadecimal affords
greater key entropy with the same number of greater key entropy with the same number of
internal key-string octets. Additionally, it internal key-string octets. Additionally, it
discourages usage of well-known words or discourages usage of well-known words or
numbers."; numbers.";
} }
} }
} }
} }
leaf send-lifetime-active { leaf send-lifetime-active {
type boolean; type boolean;
config false; config false;
description description
"Indicates if the send lifetime of the "Indicates if the send lifetime of the
key-chain key is currently active."; key-chain key is currently active.";
} }
leaf accept-lifetime-active { leaf accept-lifetime-active {
type boolean; type boolean;
config false; config false;
description description
"Indicates if the accept lifetime of the "Indicates if the accept lifetime of the
key-chain key is currently active."; key-chain key is currently active.";
} }
} }
} }
container aes-key-wrap {
if-feature "aes-key-wrap";
description
"AES Key Wrap encryption for key-chain key-strings. The
encrypted key-strings are encoded as hexadecimal key
strings using the hex-key-string leaf.";
leaf enable {
type boolean;
default "false";
description
"Enable AES Key Wrap encryption.";
}
}
} }
} }
<CODE ENDS> <CODE ENDS>
5. Security Considerations 5. Security Considerations
The YANG module defined in this document is designed to be accessed The YANG module defined in this document is designed to be accessed
via network management protocols such as NETCONF [NETCONF] or via network management protocols such as NETCONF [NETCONF] or
RESTCONF [RESTCONF]. The lowest NETCONF layer is the secure RESTCONF [RESTCONF]. The lowest NETCONF layer is the secure
transport layer, and the mandatory-to-implement secure transport is transport layer, and the mandatory-to-implement secure transport is
Secure Shell (SSH) [NETCONF-SSH]. The lowest RESTCONF layer is Secure Shell (SSH) [NETCONF-SSH]. The lowest RESTCONF layer is
HTTPS, and the mandatory-to-implement secure transport is TLS [TLS]. HTTPS, and the mandatory-to-implement secure transport is TLS [TLS].
The NETCONF access control model [NETCONF-ACM] provides the means to The NETCONF access control model [NETCONF-ACM] provides the means to
restrict access for particular NETCONF or RESTCONF users to a pre- restrict access for particular NETCONF or RESTCONF users to a pre-
configured subset of all available NETCONF or RESTCONF protocol configured subset of all available NETCONF or RESTCONF protocol
operations and content. The key strings are not accessible by operations and content. The key strings are not accessible by
default and NETCONF Access Control Mode [NETCONF-ACM] rules are default and NETCONF Access Control Mode [NETCONF-ACM] rules are
required to configure or retrieve them. required to configure or retrieve them.
When configured, the key-strings can be encrypted using the AES Key
Wrap algorithm [AES-KEY-WRAP]. The AES key-encryption key (KEK) is
not included in the YANG model and must be set or derived independent
of key-chain configuration. When AES key-encryption is used, the
hex-key-string feature is also required since the encrypted keys will
contain characters that are not representable in the YANG string
built-in type [YANG]. It is RECOMMENDED that key-strings be
encrypted using AES key-encryption to prevent key-chains from being
retrieved and stored with the key-strings in clear text. This
recommendation is independent of the access protection that is
availed from the NETCONF Access Control Model (NACM) [NETCONF-ACM].
The clear-text algorithm is included as a YANG feature. Usage is NOT The clear-text algorithm is included as a YANG feature. Usage is NOT
RECOMMENDED except in cases where the application and device have no RECOMMENDED except in cases where the application and device have no
other alternative (e.g., a legacy network device that must other alternative (e.g., a legacy network device that must
authenticate packets at intervals of 10 milliseconds or less for many authenticate packets at intervals of 10 milliseconds or less for many
peers using Bidirectional Forwarding Detection [BFD]). Keys used peers using Bidirectional Forwarding Detection [BFD]). Keys used
with the clear-text algorithm are considered insecure and SHOULD NOT with the clear-text algorithm are considered insecure and SHOULD NOT
be reused with more secure algorithms. be reused with more secure algorithms.
Similarly, the MD5 and SHA-1 algorithms have been proven to be Similarly, the MD5 and SHA-1 algorithms have been proven to be
insecure ([Dobb96a], [Dobb96b], and [SHA-SEC-CON]) and usage is NOT insecure ([Dobb96a], [Dobb96b], and [SHA-SEC-CON]) and usage is NOT
RECOMMENDED. Usage should be confined to deployments where it is RECOMMENDED. Usage should be confined to deployments where it is
required for backward compatibility. required for backward compatibility.
It is RECOMMENDED that keys be encrypted or otherwise obfuscated when
stored internally on a network device supporting this specification.
6. IANA Considerations 6. IANA Considerations
This document registers a URI in the IETF XML registry This document registers a URI in the IETF XML registry
[XML-REGISTRY]. Following the format in [XML-REGISTRY], the [XML-REGISTRY]. Following the format in [XML-REGISTRY], the
following registration is requested to be made: following registration is requested to be made:
URI: urn:ietf:params:xml:ns:yang:ietf-key-chain URI: urn:ietf:params:xml:ns:yang:ietf-key-chain
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A, the requested URI is an XML namespace. XML: N/A, the requested URI is an XML namespace.
This document registers a YANG module in the YANG Module Names This document registers a YANG module in the YANG Module Names
registry [YANG]. registry [YANG].
name: ietf-key-chain name: key-chain
namespace: urn:ietf:params:xml:ns:yang:ietf-key-chain namespace: urn:ietf:params:xml:ns:yang:ietf-key-chain
prefix: key-chain prefix: key-chain
reference: RFC XXXX reference: RFC XXXX
7. Contributors 7. Contributors
Contributors' Addresses Contributors' Addresses
Yi Yang Yi Yang
SockRate SockRate
skipping to change at page 17, line 18 skipping to change at page 17, line 45
[XML-REGISTRY] [XML-REGISTRY]
Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
January 2004. January 2004.
[YANG] Bjorklund, M., "The YANG 1.1 Data Modeling Language", RFC [YANG] Bjorklund, M., "The YANG 1.1 Data Modeling Language", RFC
7950, August 2016. 7950, August 2016.
8.2. Informative References 8.2. Informative References
[AES-KEY-WRAP]
Schaad, J. and R. Housley, "Advanced Encryption Standard
(AES) Key Wrap Algorithm", RFC 5649, August 2009.
[BFD] Katz, D. and D. Ward, "Bidirectional Forwarding Detection [BFD] Katz, D. and D. Ward, "Bidirectional Forwarding Detection
(BFD)", RFC 5880, June 2010. (BFD)", RFC 5880, June 2010.
[CRYPTO-KEYTABLE] [CRYPTO-KEYTABLE]
Housley, R., Polk, T., Hartman, S., and D. Zhang, Housley, R., Polk, T., Hartman, S., and D. Zhang,
"Table of Cryptographic Keys", RFC 7210, April 2014. "Table of Cryptographic Keys", RFC 7210, April 2014.
[Dobb96a] Dobbertin, H., "Cryptanalysis of MD5 Compress", Technical [Dobb96a] Dobbertin, H., "Cryptanalysis of MD5 Compress", Technical
Report (Presented at the RUMP Session of EuroCrypt 1996), Report (Presented at the RUMP Session of EuroCrypt 1996),
2 May 1996. 2 May 1996.
skipping to change at page 19, line 4 skipping to change at page 19, line 19
[TLS] Dierks, T. and E. Rescorla, "The Transport Layer Security [TLS] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol", RFC 5246, August 2008. (TLS) Protocol", RFC 5246, August 2008.
[YANG-CRYPTO-KEYTABLE] [YANG-CRYPTO-KEYTABLE]
Chen, I., "YANG Data Model for RFC 7210 Key Table", draft- Chen, I., "YANG Data Model for RFC 7210 Key Table", draft-
chen-rtg-key-table-yang-00.txt (work in progress), chen-rtg-key-table-yang-00.txt (work in progress),
November 2015. November 2015.
Appendix A. Examples Appendix A. Examples
A.1. Simple Key Chain with Always Valid Single Key A.1. Simple Key Chain with Always Valid Single Key
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<key-chains xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain"> <key-chains xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain">
<key-chain> <key-chain>
<name>keychain-no-end-time</name> <name>keychain-no-end-time</name>
<description> <description>
A key chain with a single key that is always valid for tx/rx A key chain with a single key that is always valid for
transmission and reception.
</description> </description>
<key> <key>
<key-id>100</key-id> <key-id>100</key-id>
<lifetime> <lifetime>
<send-accept-lifetime> <send-accept-lifetime>
<always/> <always/>
</send-accept-lifetime> </send-accept-lifetime>
</lifetime> </lifetime>
<crypto-algorithm>hmac-sha-256</crypto-algorithm> <crypto-algorithm>hmac-sha-256</crypto-algorithm>
<key-string> <key-string>
skipping to change at page 20, line 10 skipping to change at page 20, line 10
</key-chains> </key-chains>
</data> </data>
A.2. Key Chain with Keys having Different Lifetimes A.2. Key Chain with Keys having Different Lifetimes
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<key-chains xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain"> <key-chains xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain">
<key-chain> <key-chain>
<name>keychain2</name> <name>keychain2</name>
<description> <description>
A key chain where each key contains a different send time A key chain where each key contains different send time
and accept time and a different algorithm illustrating and accept time and a different algorithm illustrating
algorithm agility algorithm agility.
</description> </description>
<key> <key>
<key-id>35</key-id> <key-id>35</key-id>
<lifetime> <lifetime>
<send-lifetime> <send-lifetime>
<start-date-time>2017-01-01T00:00:00Z</start-date-time> <start-date-time>2017-01-01T00:00:00Z</start-date-time>
<end-date-time>2017-02-01T00:00:00Z</end-date-time> <end-date-time>2017-02-01T00:00:00Z</end-date-time>
</send-lifetime> </send-lifetime>
<accept-lifetime> <accept-lifetime>
<start-date-time>2016-12-31T23:59:55Z</start-date-time> <start-date-time>2016-12-31T23:59:55Z</start-date-time>
skipping to change at page 21, line 14 skipping to change at page 21, line 14
A.3. Key Chain with Independent Send and Accept Lifetimes A.3. Key Chain with Independent Send and Accept Lifetimes
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> <data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<key-chains xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain"> <key-chains xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain">
<key-chain> <key-chain>
<name>keychain2</name> <name>keychain2</name>
<description> <description>
A key chain where each key contains different send time A key chain where each key contains different send time
and accept time and accept times.
</description> </description>
<key> <key>
<key-id>35</key-id> <key-id>35</key-id>
<lifetime> <lifetime>
<send-lifetime> <send-lifetime>
<start-date-time>2017-01-01T00:00:00Z</start-date-time> <start-date-time>2017-01-01T00:00:00Z</start-date-time>
<end-date-time>2017-02-01T00:00:00Z</end-date-time> <end-date-time>2017-02-01T00:00:00Z</end-date-time>
</send-lifetime> </send-lifetime>
<accept-lifetime> <accept-lifetime>
<start-date-time>2016-12-31T23:59:55Z</start-date-time> <start-date-time>2016-12-31T23:59:55Z</start-date-time>
 End of changes. 19 change blocks. 
83 lines changed or deleted 117 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/