idnits 2.17.1 draft-ietf-netconf-trust-anchors-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 144 has weird spacing: '...ost-key ct:...' -- The document date (September 20, 2018) is 2045 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-34) exists of draft-ietf-netconf-crypto-types-00 Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 NETCONF Working Group K. Watsen 3 Internet-Draft Juniper Networks 4 Intended status: Standards Track September 20, 2018 5 Expires: March 24, 2019 7 YANG Data Model for Global Trust Anchors 8 draft-ietf-netconf-trust-anchors-01 10 Abstract 12 This document defines a YANG 1.1 data model for configuring global 13 sets of X.509 certificates and SSH host-keys that can be referenced 14 by other data models for trust. While the SSH host-keys are uniquely 15 for the SSH protocol, the X.509 certificates may have multiple uses, 16 including authenticating protocol peers and verifying signatures. 18 Editorial Note (To be removed by RFC Editor) 20 This draft contains many placeholder values that need to be replaced 21 with finalized values at the time of publication. This note 22 summarizes all of the substitutions that are needed. No other RFC 23 Editor instructions are specified elsewhere in this document. 25 Artwork in this document contains shorthand references to drafts in 26 progress. Please apply the following replacements: 28 o "XXXX" --> the assigned RFC value for this draft 30 o "YYYY" --> the assigned RFC value for draft-ietf-netconf-crypto- 31 types 33 Artwork in this document contains placeholder values for the date of 34 publication of this draft. Please apply the following replacement: 36 o "2018-09-20" --> the publication date of this draft 38 The following Appendix section is to be removed prior to publication: 40 o Appendix A. Change Log 42 Status of This Memo 44 This Internet-Draft is submitted in full conformance with the 45 provisions of BCP 78 and BCP 79. 47 Internet-Drafts are working documents of the Internet Engineering 48 Task Force (IETF). Note that other groups may also distribute 49 working documents as Internet-Drafts. The list of current Internet- 50 Drafts is at https://datatracker.ietf.org/drafts/current/. 52 Internet-Drafts are draft documents valid for a maximum of six months 53 and may be updated, replaced, or obsoleted by other documents at any 54 time. It is inappropriate to use Internet-Drafts as reference 55 material or to cite them other than as "work in progress." 57 This Internet-Draft will expire on March 24, 2019. 59 Copyright Notice 61 Copyright (c) 2018 IETF Trust and the persons identified as the 62 document authors. All rights reserved. 64 This document is subject to BCP 78 and the IETF Trust's Legal 65 Provisions Relating to IETF Documents 66 (https://trustee.ietf.org/license-info) in effect on the date of 67 publication of this document. Please review these documents 68 carefully, as they describe your rights and restrictions with respect 69 to this document. Code Components extracted from this document must 70 include Simplified BSD License text as described in Section 4.e of 71 the Trust Legal Provisions and are provided without warranty as 72 described in the Simplified BSD License. 74 Table of Contents 76 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 77 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 78 1.2. Tree Diagram Notation . . . . . . . . . . . . . . . . . . 3 79 2. The Trust Anchors Model . . . . . . . . . . . . . . . . . . . 3 80 2.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 3 81 2.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 4 82 2.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 7 83 3. Security Considerations . . . . . . . . . . . . . . . . . . . 12 84 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 85 4.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 13 86 4.2. The YANG Module Names Registry . . . . . . . . . . . . . 13 87 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 88 5.1. Normative References . . . . . . . . . . . . . . . . . . 13 89 5.2. Informative References . . . . . . . . . . . . . . . . . 14 90 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 15 91 A.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 15 92 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 15 93 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 15 95 1. Introduction 97 This document defines a YANG 1.1 [RFC7950] data model for configuring 98 global sets of X.509 certificates and SSH host-keys that can be 99 referenced by other data models for trust. While the SSH host-keys 100 are uniquely for the SSH protocol, the X.509 certificates may be used 101 for multiple uses, including authenticating protocol peers and 102 verifying signatures. 104 This document in compliant with Network Management Datastore 105 Architecture (NMDA) [RFC8342]. For instance, to support trust 106 anchors installed during manufacturing, it is expected that such data 107 may appear only in . 109 1.1. Requirements Language 111 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 112 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 113 "OPTIONAL" in this document are to be interpreted as described in BCP 114 14 [RFC2119] [RFC8174] when, and only when, they appear in all 115 capitals, as shown here. 117 1.2. Tree Diagram Notation 119 Tree diagrams used in this document follow the notation defined in 120 [RFC8340]. 122 2. The Trust Anchors Model 124 2.1. Tree Diagram 126 The following tree diagram provides an overview of the "ietf-trust- 127 anchors" module. 129 module: ietf-trust-anchors 130 +--rw trust-anchors 131 +--rw pinned-certificates* [name] {x509-certificates}? 132 | +--rw name string 133 | +--rw description? string 134 | +--rw pinned-certificate* [name] 135 | +--rw name string 136 | +--rw cert ct:trust-anchor-cert-cms 137 | +---n certificate-expiration 138 | +-- expiration-date? yang:date-and-time 139 +--rw pinned-host-keys* [name] {ssh-host-keys}? 140 +--rw name string 141 +--rw description? string 142 +--rw pinned-host-key* [name] 143 +--rw name string 144 +--rw host-key ct:ssh-host-key 146 2.2. Example Usage 148 The following example illustrates trust anchors in as 149 described by Section 5.3 in [RFC8342]. This datastore view 150 illustrates data set by the manufacturing process alongside 151 conventional configuration. This trust anchors instance has six sets 152 of pinned certificates and one set of pinned host keys. 154 158 159 160 manufacturers-root-ca-certs 161 162 Certificates built into the device for authenticating 163 manufacturer-signed objects, such as TLS server certificates, 164 vouchers, etc. Note, though listed here, these are not 165 configurable; any attempt to do so will be denied. 166 167 168 Manufacturer Root CA cert 1 169 base64encodedvalue== 170 171 172 Manufacturer Root CA cert 2 173 base64encodedvalue== 174 175 176 177 178 explicitly-trusted-server-certs 179 180 Specific server authentication certificates for explicitly 181 trusted servers. These are needed for server certificates 182 that are not signed by a pinned CA. 183 184 185 Fred Flintstone 186 base64encodedvalue== 187 188 190 191 192 explicitly-trusted-server-ca-certs 193 194 Trust anchors (i.e. CA certs) that are used to authenticate 195 server connections. Servers are authenticated if their 196 certificate has a chain of trust to one of these CA 197 certificates. 198 199 200 ca.example.com 201 base64encodedvalue== 202 203 205 206 207 explicitly-trusted-client-certs 208 209 Specific client authentication certificates for explicitly 210 trusted clients. These are needed for client certificates 211 that are not signed by a pinned CA. 212 213 214 George Jetson 215 base64encodedvalue== 216 217 219 220 221 explicitly-trusted-client-ca-certs 222 223 Trust anchors (i.e. CA certs) that are used to authenticate 224 client connections. Clients are authenticated if their 225 certificate has a chain of trust to one of these CA 226 certificates. 227 228 229 ca.example.com 230 base64encodedvalue== 231 232 234 235 236 common-ca-certs 237 238 Trusted certificates to authenticate common HTTPS servers. 239 These certificates are similar to those that might be 240 shipped with a web browser. 241 242 243 ex-certificate-authority 244 base64encodedvalue== 245 246 248 249 250 explicitly-trusted-ssh-host-keys 251 252 Trusted SSH host keys used to authenticate SSH servers. 253 These host keys would be analogous to those stored in 254 a known_hosts file in OpenSSH. 255 256 257 corp-fw1 258 base64encodedvalue== 259 260 262 264 The following example illustrates the "certificate-expiration" 265 notification in use with the NETCONF protocol. 267 [Note: '\' line wrapping for formatting only] 269 271 2018-05-25T00:01:00Z 272 274 275 explicitly-trusted-client-certs 276 277 George Jetson 278 279 2018-08-05T14:18:53-05:00 281 282 283 284 285 287 2.3. YANG Module 289 This YANG module imports modules from [RFC6991], [RFC8341], and 290 [I-D.ietf-netconf-crypto-types]. 292 file "ietf-trust-anchors@2018-09-20.yang" 293 module ietf-trust-anchors { 294 yang-version 1.1; 296 namespace "urn:ietf:params:xml:ns:yang:ietf-trust-anchors"; 297 prefix "ta"; 299 import ietf-yang-types { 300 prefix yang; 301 reference 302 "RFC 6991: Common YANG Data Types"; 303 } 305 import ietf-netconf-acm { 306 prefix nacm; 307 reference 308 "RFC 8341: Network Configuration Access Control Model"; 309 } 311 import ietf-crypto-types { 312 prefix ct; 313 reference 314 "RFC YYYY: Common YANG Data Types for Cryptography"; 315 } 317 organization 318 "IETF NETCONF (Network Configuration) Working Group"; 320 contact 321 "WG Web: 322 WG List: 324 Author: Kent Watsen 325 "; 327 description 328 "This module defines a data model for configuring global 329 trust anchors used by other data models. The data model 330 enables the configuration of sets of trust anchors. 331 This data model supports configuring trust anchors for 332 both X.509 certificates and SSH host keys. 334 Copyright (c) 2018 IETF Trust and the persons identified 335 as authors of the code. All rights reserved. 337 Redistribution and use in source and binary forms, with 338 or without modification, is permitted pursuant to, and 339 subject to the license terms contained in, the Simplified 340 BSD License set forth in Section 4.c of the IETF Trust's 341 Legal Provisions Relating to IETF Documents 342 (http://trustee.ietf.org/license-info). 344 This version of this YANG module is part of RFC XXXX; see 345 the RFC itself for full legal notices."; 347 revision "2018-09-20" { 348 description 349 "Initial version"; 350 reference 351 "RFC XXXX: YANG Data Model for Global Trust Anchors"; 352 } 354 /************************************************************/ 355 /* Typedefs for leafrefs to commonly referenced objects */ 356 /************************************************************/ 358 feature x509-certificates { 359 description 360 "The 'x509-certificates' feature indicates that the server 361 implements the /trust-anchors/pinned-certificates subtree."; 362 } 364 feature ssh-host-keys { 365 description 366 "The 'ssh-host-keys' feature indicates that the server 367 implements the /trust-anchors/pinned-host-keys subtree."; 368 } 370 /************************************************************/ 371 /* Typedefs for leafrefs to commonly referenced objects */ 372 /************************************************************/ 374 typedef pinned-certificates-ref { 375 type leafref { 376 path "/ta:trust-anchors/ta:pinned-certificates/ta:name"; 377 require-instance false; 378 } 379 description 380 "This typedef enables importing modules to easily define a 381 leafref to a 'pinned-certificates' object. The require 382 instance attribute is false to enable the referencing of 383 pinned certificates that exist only in ."; 384 reference 385 "RFC 8342: Network Management Datastore Architecture (NMDA)"; 386 } 388 typedef pinned-host-keys-ref { 389 type leafref { 390 path "/ta:trust-anchors/ta:pinned-host-keys/ta:name"; 391 require-instance false; 392 } 393 description 394 "This typedef enables importing modules to easily define a 395 leafref to a 'pinned-host-keys' object. The require 396 instance attribute is false to enable the referencing of 397 pinned host keys that exist only in ."; 398 reference 399 "RFC 8342: Network Management Datastore Architecture (NMDA)"; 400 } 402 /*********************************/ 403 /* Protocol accessible nodes */ 404 /*********************************/ 405 container trust-anchors { 406 nacm:default-deny-write; 408 description 409 "Contains sets of X.509 certificates and SSH host keys."; 411 list pinned-certificates { 412 if-feature "x509-certificates"; 413 key name; 414 description 415 "A list of pinned certificates. These certificates can be 416 used by a server to authenticate clients, or by a client 417 to authenticate servers. Each list of pinned certificates 418 SHOULD be specific to a purpose, as the list as a whole 419 may be referenced by other modules. For instance, a 420 NETCONF server's configuration might use a specific list 421 of pinned certificates for when authenticating NETCONF 422 client connections."; 423 leaf name { 424 type string; 425 description 426 "An arbitrary name for this list of pinned 427 certificates."; 428 } 429 leaf description { 430 type string; 431 description 432 "An arbitrary description for this list of pinned 433 certificates."; 434 } 435 list pinned-certificate { 436 key name; 437 description 438 "A pinned certificate."; 439 leaf name { 440 type string; 441 description 442 "An arbitrary name for this pinned certificate. The 443 name must be unique across all lists of pinned 444 certificates (not just this list) so that leafrefs 445 from another module can resolve to unique values."; 446 } 447 leaf cert { 448 type ct:trust-anchor-cert-cms; 449 mandatory true; 450 description 451 "The binary certificate data for this pinned 452 certificate."; 454 reference 455 "RFC YYYY: Common YANG Data Types for Cryptography"; 456 } 457 notification certificate-expiration { 458 description 459 "A notification indicating that the configured trust 460 anchor is either about to expire or has already expired. 461 When to send notifications is an implementation specific 462 decision, but it is RECOMMENDED that a notification be 463 sent once a month for 3 months, then once a week for 464 four weeks, and then once a day thereafter until the 465 issue is resolved."; 466 leaf expiration-date { 467 type yang:date-and-time; 468 // https://github.com/CESNET/libyang/issues/512 469 //mandatory true; 470 description 471 "Identifies the expiration date on the certificate."; 472 } 473 } 475 } 476 } 477 list pinned-host-keys { 478 if-feature "ssh-host-keys"; 479 key name; 480 description 481 "A list of pinned host keys. These pinned host-keys can 482 be used by clients to authenticate SSH servers. Each 483 list of pinned host keys SHOULD be specific to a purpose, 484 so the list as a whole may be referenced by other modules. 485 For instance, a NETCONF client's configuration might 486 point to a specific list of pinned host keys for when 487 authenticating specific SSH servers."; 488 leaf name { 489 type string; 490 description 491 "An arbitrary name for this list of pinned SSH 492 host keys."; 493 } 494 leaf description { 495 type string; 496 description 497 "An arbitrary description for this list of pinned SSH 498 host keys."; 499 } 500 list pinned-host-key { 501 key name; 502 description 503 "A pinned host key."; 504 leaf name { 505 type string; 506 description 507 "An arbitrary name for this pinned host-key. Must be 508 unique across all lists of pinned host-keys (not just 509 this list) so that a leafref to it from another module 510 can resolve to unique values."; 511 } 512 leaf host-key { 513 type ct:ssh-host-key; 514 mandatory true; 515 description 516 "The binary public key data for this pinned host key."; 517 reference 518 "RFC YYYY: Common YANG Data Types for Cryptography"; 519 } 520 } 521 } 522 } 524 } 525 527 3. Security Considerations 529 The YANG module defined in this document is designed to be accessed 530 via YANG based management protocols, such as NETCONF [RFC6241] and 531 RESTCONF [RFC8040]. Both of these protocols have mandatory-to- 532 implement secure transport layers (e.g., SSH, TLS) with mutual 533 authentication. 535 The NETCONF access control model (NACM) [RFC8341] provides the means 536 to restrict access for particular users to a pre-configured subset of 537 all available protocol operations and content. 539 There are a number of data nodes defined in this YANG module that are 540 writable/creatable/deletable (i.e., config true, which is the 541 default). These data nodes may be considered sensitive or vulnerable 542 in some network environments. Write operations (e.g., edit-config) 543 to these data nodes without proper protection can have a negative 544 effect on network operations. These are the subtrees and data nodes 545 and their sensitivity/vulnerability: 547 /: The entire data tree defined by this module is sensitive to 548 write operations. For instance, the addition or removal of any 549 trust anchor may dramatically alter the implemented security 550 policy. For this reason, the NACM extension "default-deny- 551 write" has been set for the entire data tree. 553 None of the readable data nodes in this YANG module are considered 554 sensitive or vulnerable in network environments. 556 This module does not define any RPCs, actions, or notifications, and 557 thus the security consideration for such is not provided here. 559 4. IANA Considerations 561 4.1. The IETF XML Registry 563 This document registers one URI in the "ns" subregistry of the IETF 564 XML Registry [RFC3688]. Following the format in [RFC3688], the 565 following registration is requested: 567 URI: urn:ietf:params:xml:ns:yang:ietf-trust-anchors 568 Registrant Contact: The NETCONF WG of the IETF. 569 XML: N/A, the requested URI is an XML namespace. 571 4.2. The YANG Module Names Registry 573 This document registers one YANG module in the YANG Module Names 574 registry [RFC6020]. Following the format in [RFC6020], the the 575 following registration is requested: 577 name: ietf-trust-anchors 578 namespace: urn:ietf:params:xml:ns:yang:ietf-trust-anchors 579 prefix: ta 580 reference: RFC XXXX 582 5. References 584 5.1. Normative References 586 [I-D.ietf-netconf-crypto-types] 587 Watsen, K., "Common YANG Data Types for Cryptography", 588 draft-ietf-netconf-crypto-types-00 (work in progress), 589 June 2018. 591 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 592 Requirement Levels", BCP 14, RFC 2119, 593 DOI 10.17487/RFC2119, March 1997, 594 . 596 [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", 597 RFC 6991, DOI 10.17487/RFC6991, July 2013, 598 . 600 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", 601 RFC 7950, DOI 10.17487/RFC7950, August 2016, 602 . 604 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 605 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 606 May 2017, . 608 [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration 609 Access Control Model", STD 91, RFC 8341, 610 DOI 10.17487/RFC8341, March 2018, 611 . 613 5.2. Informative References 615 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 616 DOI 10.17487/RFC3688, January 2004, 617 . 619 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for 620 the Network Configuration Protocol (NETCONF)", RFC 6020, 621 DOI 10.17487/RFC6020, October 2010, 622 . 624 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 625 and A. Bierman, Ed., "Network Configuration Protocol 626 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, 627 . 629 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF 630 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, 631 . 633 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", 634 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, 635 . 637 [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., 638 and R. Wilton, "Network Management Datastore Architecture 639 (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, 640 . 642 Appendix A. Change Log 644 A.1. 00 to 01 646 o Added features "x509-certificates" and "ssh-host-keys". 648 o Added nacm:default-deny-write to "trust-anchors" container. 650 Acknowledgements 652 The authors would like to thank for following for lively discussions 653 on list and in the halls (ordered by last name): Martin Bjorklund, 654 Balazs Kovacs, Eric Voit, and Liang Xia. 656 Author's Address 658 Kent Watsen 659 Juniper Networks 661 EMail: kwatsen@juniper.net