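// Submodule of ietf-netconf-config covering NETCONF over TLS.
// It models (a) how a server maps a client's X.509 certificate to a
// NETCONF username (via the ietf-x509-cert-to-name grouping) and
// (b) how a server maps a TLS pre-shared key identity to a NETCONF
// username (the psk-map list below).
submodule ietf-netconf-tls {

  belongs-to ietf-netconf-config {
    prefix ncconf;
  }

  import ietf-yang-types {
    prefix yang;
  }

  import ietf-netconf-acm {
    prefix nacm;
  }

  import ietf-x509-cert-to-name {
    prefix x509c2n;
  }

  include ietf-netconf-common;

  organization
    "IETF NETCONF (Network Configuration) Working Group";

  // NOTE(review): the WG Web / WG List URLs appear to have been lost in
  // extraction; they are left blank here rather than guessed.
  contact
    "WG Web:
     WG List:

     WG Chair: Mehmet Ersue

     WG Chair: Bert Wijnen

     Editor: Mohamad Badra

     Alan Luchuk

     Juergen Schoenwaelder
    ";

  description
    "This submodule applies to NETCONF over TLS. It specifies how
     NETCONF servers transform X.509 certificates presented by
     NETCONF clients into NETCONF usernames. It also specifies
     how NETCONF servers transform pre-shared TLS keys into NETCONF
     usernames.

     Copyright (c) 2013 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD
     License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // RFC Ed.: replace XXXX with actual RFC number and
  // remove this note

  // RFC Ed.: please update the date to the date of publication
  revision "2013-05-07" {
    description
      "Initial version";
    reference
      "RFC XXXX: NETCONF over Transport Layer Security (TLS)";
  }

  // Features: each of the three containers below is conditional on
  // one of these, so a server that does not advertise a feature
  // does not expose the corresponding configuration.
  feature tls {
    description
      "A server implements this feature if it supports NETCONF
       over Transport Layer Security (TLS).";
    reference
      "RFC XXXX: NETCONF over Transport Layer Security (TLS)";
  }

  feature tls-map-certificates {
    description
      "The tls-map-certificates feature indicates that the
       server implements mapping X.509 certificates to NETCONF
       usernames.";
  }

  feature tls-map-pre-shared-keys {
    description
      "The tls-map-pre-shared-keys feature indicates that the
       server implements mapping TLS pre-shared keys to NETCONF
       usernames.";
  }

  augment /ncconf:netconf {
    if-feature tls;

    container tls {

      // TLS transport is off unless explicitly enabled.
      leaf enabled {
        type boolean;
        default "false";
        description
          "Enables NETCONF over Transport Layer Security (TLS).";
      }

      // Objects for deriving NETCONF usernames from X.509
      // certificates. The mapping rules themselves come from the
      // imported cert-to-name grouping; this container only adds
      // the "no match => close the connection" requirement.
      container cert-maps {
        if-feature tls-map-certificates;
        uses x509c2n:cert-to-name;
        description
          "The cert-maps container is used by a NETCONF server to
           map the NETCONF client's presented X.509 certificate to
           a NETCONF username.

           If no matching and valid cert-to-name list entry can be
           found, then the NETCONF server MUST close the connection,
           and MUST NOT accept NETCONF messages over it.";
      }

      // Objects for deriving NETCONF usernames from TLS
      // pre-shared keys.
      container psk-maps {
        if-feature tls-map-pre-shared-keys;
        description
          "During the TLS Handshake, the client indicates which
           key to use by including a PSK identity in the TLS
           ClientKeyExchange message. On the server side, this
           PSK identity is used to look up an entry in the psk-map
           list. If such an entry is found, and the pre-shared keys
           match, then the client is authenticated. The server uses
           the value from the user-name leaf in the psk-map list as
           the NETCONF username. If the server cannot find an entry
           in the psk-map list, or if the pre-shared keys do not
           match, then the server terminates the connection.";
        reference
          "RFC 4279: Pre-Shared Key Ciphersuites for Transport Layer
           Security (TLS)";

        // One entry per PSK identity; the identity is the list key,
        // so it is the value the server looks up from the handshake.
        list psk-map {
          key psk-identity;

          leaf psk-identity {
            type string;
            description
              "The PSK identity encoded as a UTF-8 string. For
               details on how the PSK identity MAY be encoded in
               UTF-8, see section 5.1. of RFC 4279.";
            reference
              "RFC 4279: Pre-Shared Key Ciphersuites for Transport
               Layer Security (TLS)";
          }

          leaf user-name {
            type nacm:user-name-type;
            mandatory true;
            description
              "The NETCONF username associated with this PSK
               identity.";
          }

          // Validity window. Both bounds are optional (neither is
          // mandatory and neither has a default), so an entry that
          // omits them is not time-limited by this model.
          leaf not-valid-before {
            type yang:date-and-time;
            description
              "This PSK identity is not valid before the given date
               and time.";
          }

          // Fixed: the description previously duplicated the
          // not-valid-before text ("not valid before") for the
          // upper bound.
          leaf not-valid-after {
            type yang:date-and-time;
            description
              "This PSK identity is not valid after the given date
               and time.";
          }

          // The secret itself. nacm:default-deny-all marks this as a
          // sensitive node so that, absent an explicit NACM rule
          // granting access, ordinary users can neither read nor
          // write it.
          leaf key {
            type yang:hex-string;
            mandatory true;
            nacm:default-deny-all;
            description
              "The key associated with the PSK identity";
            reference
              "RFC 4279: Pre-Shared Key Ciphersuites for Transport
               Layer Security (TLS)";
          }
        } // list psk-map
      } // container psk-maps
    }
  }
}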