draft-ietf-rtgwg-yang-key-chain-13.txt   draft-ietf-rtgwg-yang-key-chain-14.txt 
Network Working Group A. Lindem, Ed. Network Working Group A. Lindem, Ed.
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Intended status: Standards Track Y. Qu Intended status: Standards Track Y. Qu
Expires: July 23, 2017 Huawei Expires: August 19, 2017 Huawei
D. Yeung D. Yeung
Arrcus, Inc Arrcus, Inc
I. Chen I. Chen
Ericsson Jabil
J. Zhang J. Zhang
Juniper Networks Juniper Networks
Y. Yang Y. Yang
SockRate SockRate
January 19, 2017 February 15, 2017
Routing Key Chain YANG Data Model Routing Key Chain YANG Data Model
draft-ietf-rtgwg-yang-key-chain-13.txt draft-ietf-rtgwg-yang-key-chain-14.txt
Abstract Abstract
This document describes the key chain YANG data model. A key chain This document describes the key chain YANG data model. A key chain
is a list of elements each containing a key, send lifetime, accept is a list of elements each containing a key, send lifetime, accept
lifetime, and algorithm (authentication or encryption). By properly lifetime, and algorithm (authentication or encryption). By properly
overlapping the send and accept lifetimes of multiple key chain overlapping the send and accept lifetimes of multiple key chain
elements, keys and algorithms may be gracefully updated. By elements, keys and algorithms may be gracefully updated. By
representing them in a YANG data model, key distribution can be representing them in a YANG data model, key distribution can be
automated. Key chains are commonly used for routing protocol automated. Key chains are commonly used for routing protocol
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 23, 2017. This Internet-Draft will expire on August 19, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 33 skipping to change at page 2, line 33
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 3
1.2. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3
2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Applicability . . . . . . . . . . . . . . . . . . . . . . 4 2.1. Applicability . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Graceful Key Rollover using Key Chains . . . . . . . . . 4 2.2. Graceful Key Rollover using Key Chains . . . . . . . . . 4
3. Design of the Key Chain Model . . . . . . . . . . . . . . . . 5 3. Design of the Key Chain Model . . . . . . . . . . . . . . . . 5
3.1. Key Chain Operational State . . . . . . . . . . . . . . . 5 3.1. Key Chain Operational State . . . . . . . . . . . . . . . 5
3.2. Key Chain Model Features . . . . . . . . . . . . . . . . 6 3.2. Key Chain Model Features . . . . . . . . . . . . . . . . 6
3.3. Key Chain Model Tree . . . . . . . . . . . . . . . . . . 6 3.3. Key Chain Model Tree . . . . . . . . . . . . . . . . . . 6
4. Key Chain YANG Model . . . . . . . . . . . . . . . . . . . . 10 4. Key Chain YANG Model . . . . . . . . . . . . . . . . . . . . 9
5. Security Considerations . . . . . . . . . . . . . . . . . . . 20 5. Security Considerations . . . . . . . . . . . . . . . . . . . 18
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 19
7.1. Normative References . . . . . . . . . . . . . . . . . . 21 7.1. Normative References . . . . . . . . . . . . . . . . . . 19
7.2. Informative References . . . . . . . . . . . . . . . . . 22 7.2. Informative References . . . . . . . . . . . . . . . . . 19
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 22 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 20
A.1. Simple Key Chain with Always Valid Single Key . . . . . . 20
A.2. Key Chain with Keys having Different Lifetimes . . . . . 21
A.3. Key Chain with Independent Send and Accept Lifetimes . . 22
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction 1. Introduction
This document describes the key chain YANG data model. A key chain This document describes the key chain YANG data model. A key chain
is a list of elements each containing a key, send lifetime, accept is a list of elements each containing a key, send lifetime, accept
lifetime, and algorithm (authentication or encryption). By properly lifetime, and algorithm (authentication or encryption). By properly
overlapping the send and accept lifetimes of multiple key chain overlapping the send and accept lifetimes of multiple key chain
elements, keys and algorithms may be gracefully updated. By elements, keys and algorithms may be gracefully updated. By
representing them in a YANG data model, key distribution can be representing them in a YANG data model, key distribution can be
automated. Key chains are commonly used for routing protocol automated. Key chains are commonly used for routing protocol
authentication and other applications. In some applications, the authentication and other applications. In some applications, the
protocols do not use the key chain element key directly, but rather a protocols do not use the key chain element key directly, but rather a
key derivation function is used to derive a short-lived key from the key derivation function is used to derive a short-lived key from the
key chain element key (e.g., the Master Keys used in [TCP-AO]). key chain element key (e.g., the Master Keys used in [TCP-AO]).
1.1. Requirements Notation 1.1. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in [RFC-KEYWORDS]. "OPTIONAL" in this document are to be interpreted as described in
[RFC-KEYWORDS].
1.2. Tree Diagrams 1.2. Tree Diagrams
A simplified graphical representation of the complete data tree is A simplified graphical representation of the complete data tree is
presented in Section 3.3. The following tree notation is used. presented in Section 3.3. The following tree notation is used.
o Brackets "[" and "]" enclose list keys. o Brackets "[" and "]" enclose list keys.
o Curly braces "{" and "}" contain names of optional features that o Curly braces "{" and "}" contain names of optional features that
make the corresponding node conditional. make the corresponding node conditional.
skipping to change at page 3, line 50 skipping to change at page 4, line 9
chains have been implemented and deployed by a large percentage of chains have been implemented and deployed by a large percentage of
network equipment vendors. Providing a standard YANG model will network equipment vendors. Providing a standard YANG model will
facilitate automated key distribution and non-disruptive key facilitate automated key distribution and non-disruptive key
rollover. This will aid in tightening the security of the core rollover. This will aid in tightening the security of the core
routing infrastructure as recommended in [IAB-REPORT]. routing infrastructure as recommended in [IAB-REPORT].
A key chain is a list containing one or more elements containing a A key chain is a list containing one or more elements containing a
Key ID, key, send/accept lifetimes, and the associated authentication Key ID, key, send/accept lifetimes, and the associated authentication
or encryption algorithm. A key chain can be used by any service or or encryption algorithm. A key chain can be used by any service or
application requiring authentication or encryption. In essence, the application requiring authentication or encryption. In essence, the
key-chain is a reusable key policy that can be referenced where ever key-chain is a reusable key policy that can be referenced whereever
it is required. The key-chain construct has been implemented by most it is required. The key-chain construct has been implemented by most
networking vendors and deployed in many networks. networking vendors and deployed in many networks.
The module name was change from ietf-key-chain to ietf-routing-key-
chain to avoid disambiguate it from the ietf-system-keychain module
defined in [NETCONF-SERVER-CONF]. However, due to popular demand,
the module name has been restored to simply ietf-key-chain.
A conceptual representation of a crypto key table is described in A conceptual representation of a crypto key table is described in
[CRYPTO-KEYTABLE]. The crypto key table also includes keys as well [CRYPTO-KEYTABLE]. The crypto key table also includes keys as well
as their corresponding lifetimes and algorithms. Additionally, the as their corresponding lifetimes and algorithms. Additionally, the
key table includes key selection criteria and envisions a deployment key table includes key selection criteria and envisions a deployment
model where the details of the applications or services requiring model where the details of the applications or services requiring
authentication or encryption permeate into the key database. The authentication or encryption permeate into the key database. The
YANG key-chain model described herein doesn't include key selection YANG key-chain model described herein doesn't include key selection
criteria or support this deployment model. At the same time, it does criteria or support this deployment model. At the same time, it does
not preclude it. The draft [YANG-CRYPTO-KEYTABLE] describes not preclude it. The draft [YANG-CRYPTO-KEYTABLE] describes
augmentations to the key chain YANG model in support of key selection augmentations to the key chain YANG model in support of key selection
skipping to change at page 5, line 23 skipping to change at page 5, line 23
domain of the key chain. However, this may be deferred until the domain of the key chain. However, this may be deferred until the
next key rollover. If this is done, the key chain will always next key rollover. If this is done, the key chain will always
include two keys; either the current and future key (during key include two keys; either the current and future key (during key
rollovers) or the current and previous keys (between key rollovers) or the current and previous keys (between key
rollovers). rollovers).
3. Design of the Key Chain Model 3. Design of the Key Chain Model
The ietf-key-chain module contains a list of one or more keys indexed The ietf-key-chain module contains a list of one or more keys indexed
by a Key ID. For some applications (e.g., OSPFv3 [OSPFV3-AUTH]), the by a Key ID. For some applications (e.g., OSPFv3 [OSPFV3-AUTH]), the
Key-Id is used to identify the key chain entry to be used. In Key ID is used to identify the key chain entry to be used. In
addition to the Key-ID, each key chain entry includes a key-string addition to the Key ID, each key chain entry includes a key-string
and a cryptographic algorithm. Optionally, the key chain entries and a cryptographic algorithm. Optionally, the key chain entries
include send/accept lifetimes. If the send/accept lifetime is include send/accept lifetimes. If the send/accept lifetime is
unspecified, the key is always considered valid. unspecified, the key is always considered valid.
Note that asymmetric keys, i.e., a different key value used for Note that asymmetric keys, i.e., a different key value used for
transmission versus acceptance, may be supported with multiple key transmission versus acceptance, may be supported with multiple key
chain elements where the accept-lifetime or send-lifetime is not chain elements where the accept-lifetime or send-lifetime is not
valid (e.g., has an end-time equal to the start-time). valid (e.g., has an end-time equal to the start-time).
Due to the differences in key chain implementations across various Due to the differences in key chain implementations across various
vendors, some of the data elements are optional. Additionally, the vendors, some of the data elements are optional. Finally, the crypto
key-chain is made a grouping so that an implementation could support algorithm identities are provided for reuse when configuring legacy
scoping other than at the global level. Finally, the crypto- authentication and encryption not using key-chains.
algorithm-types grouping is provided for reuse when configuring
legacy authentication and encryption not using key-chains.
A key-chain is identified by a unique name within the scope of the A key-chain is identified by a unique name within the scope of the
network device. The "key-chain-ref" typedef SHOULD be used by other network device. The "key-chain-ref" typedef SHOULD be used by other
YANG modules when they need to reference a configured key-chain. YANG modules when they need to reference a configured key-chain.
3.1. Key Chain Operational State 3.1. Key Chain Operational State
The key chain operational state is maintained in a separate tree. The key chain operational state is maintained in a separate tree.
The key string itself is omitted from the operational state to The key string itself is omitted from the operational state to
minimize visibility similar to what was done with keys in SNMP MIBs. minimize visibility similar to what was done with keys in SNMP MIBs.
skipping to change at page 6, line 18 skipping to change at page 6, line 16
Features are used to handle differences between vendor Features are used to handle differences between vendor
implementations. For example, not all vendors support configuration implementations. For example, not all vendors support configuration
an acceptance tolerance or configuration of key strings in an acceptance tolerance or configuration of key strings in
hexadecimal. They are also used to support of security requirements hexadecimal. They are also used to support of security requirements
(e.g., TCP-AO Algorithms [TCP-AO-ALGORITHMS]) not implemented by (e.g., TCP-AO Algorithms [TCP-AO-ALGORITHMS]) not implemented by
vendors or only a single vendor. vendors or only a single vendor.
3.3. Key Chain Model Tree 3.3. Key Chain Model Tree
+--rw key-chain +--rw key-chains
| +--rw key-chain-list* [name] | +--rw key-chain* [name]
| | +--rw name string | | +--rw name string
| | +--rw description? string | | +--rw description? string
| | +--rw accept-tolerance {accept-tolerance}? | | +--rw accept-tolerance {accept-tolerance}?
| | | +--rw duration? uint32 | | | +--rw duration? uint32
| | +--rw key-chain-entries* [key-id] | | +--rw key-entry* [key-id]
| | +--rw key-id uint64 | | +--rw key-id uint64
| | +--rw lifetime | | +--rw lifetime
| | | +--rw (lifetime)? | | | +--rw (lifetime)?
| | | +--:(send-and-accept-lifetime) | | | +--:(send-and-accept-lifetime)
| | | | +--rw send-accept-lifetime | | | | +--rw send-accept-lifetime
| | | | +--rw (lifetime)? | | | | +--rw (lifetime)?
| | | | +--:(always) | | | | +--:(always)
| | | | | +--rw always? empty | | | | | +--rw always? empty
| | | | +--:(start-end-time) | | | | +--:(start-end-time)
| | | | +--rw start-date-time? | | | | +--rw start-date-time? yang:date-and-time
| | | | | yang:date-and-time
| | | | +--rw (end-time)? | | | | +--rw (end-time)?
| | | | +--:(infinite) | | | | +--:(infinite)
| | | | | +--rw no-end-time? empty | | | | | +--rw no-end-time? empty
| | | | +--:(duration) | | | | +--:(duration)
| | | | | +--rw duration? uint32 | | | | | +--rw duration? uint32
| | | | +--:(end-date-time) | | | | +--:(end-date-time)
| | | | +--rw end-date-time? | | | | +--rw end-date-time?
| | | | yang:date-and-time | | | | yang:date-and-time
| | | +--:(independent-send-accept-lifetime) | | | +--:(independent-send-accept-lifetime)
| | | | {independent-send-accept-lifetime}? | | | | {independent-send-accept-lifetime}?
| | | +--rw send-lifetime | | | +--rw send-lifetime
| | | | +--rw (lifetime)? | | | | +--rw (lifetime)?
| | | | +--:(always) | | | | +--:(always)
| | | | | +--rw always? empty | | | | | +--rw always? empty
| | | | +--:(start-end-time) | | | | +--:(start-end-time)
| | | | +--rw start-date-time? | | | | +--rw start-date-time? yang:date-and-time
| | | | yang:date-and-time
| | | | +--rw (end-time)? | | | | +--rw (end-time)?
| | | | +--:(infinite) | | | | +--:(infinite)
| | | | | +--rw no-end-time? empty | | | | | +--rw no-end-time? empty
| | | | +--:(duration) | | | | +--:(duration)
| | | | | +--rw duration? uint32 | | | | | +--rw duration? uint32
| | | | +--:(end-date-time) | | | | +--:(end-date-time)
| | | | +--rw end-date-time? | | | | +--rw end-date-time?
| | | | yang:date-and-time | | | | yang:date-and-time
| | | +--rw accept-lifetime | | | +--rw accept-lifetime
| | | +--rw (lifetime)? | | | +--rw (lifetime)?
| | | +--:(always) | | | +--:(always)
| | | | +--rw always? empty | | | | +--rw always? empty
| | | +--:(start-end-time) | | | +--:(start-end-time)
| | | +--rw start-date-time? | | | +--rw start-date-time? yang:date-and-time
| | | yang:date-and-time
| | | +--rw (end-time)? | | | +--rw (end-time)?
| | | +--:(infinite) | | | +--:(infinite)
| | | | +--rw no-end-time? empty | | | | +--rw no-end-time? empty
| | | +--:(duration) | | | +--:(duration)
| | | | +--rw duration? uint32 | | | | +--rw duration? uint32
| | | +--:(end-date-time) | | | +--:(end-date-time)
| | | +--rw end-date-time? | | | +--rw end-date-time?
| | | yang:date-and-time | | | yang:date-and-time
| | +--rw crypto-algorithm | | +--rw crypto-algorithm identityref
| | | +--rw (algorithm)?
| | | +--:(hmac-sha-1-12) {crypto-hmac-sha-1-12}?
| | | | +--rw hmac-sha1-12? empty
| | | +--:(aes-cmac-prf-128) {aes-cmac-prf-128}?
| | | | +--rw aes-cmac-prf-128? empty
| | | +--:(md5)
| | | | +--rw md5? empty
| | | +--:(sha-1)
| | | | +--rw sha-1? empty
| | | +--:(hmac-sha-1)
| | | | +--rw hmac-sha-1? empty
| | | +--:(hmac-sha-256)
| | | | +--rw hmac-sha-256? empty
| | | +--:(hmac-sha-384)
| | | | +--rw hmac-sha-384? empty
| | | +--:(hmac-sha-512)
| | | | +--rw hmac-sha-512? empty
| | | +--:(clear-text) {clear-text}?
| | | | +--rw clear-text? empty
| | | +--:(replay-protection-only)
| | | {replay-protection-only}?
| | | +--rw replay-protection-only? empty
| | +--rw key-string | | +--rw key-string
| | +--rw (key-string-style)? | | +--rw (key-string-style)?
| | +--:(keystring) | | +--:(keystring)
| | | +--rw keystring? string | | | +--rw keystring? string
| | +--:(hexadecimal) {hex-key-string}? | | +--:(hexadecimal) {hex-key-string}?
| | +--rw hexadecimal-string? yang:hex-string | | +--rw hexadecimal-string? yang:hex-string
| +--rw aes-key-wrap {aes-key-wrap}? | +--rw aes-key-wrap {aes-key-wrap}?
| +--rw enable? boolean | +--rw enable? boolean
+--ro key-chain-state +--ro key-chains-state
+--ro key-chain-list* [name] +--ro key-chain-state* [name]
| +--ro name string | +--ro name string
| +--ro description? string | +--ro description? string
| +--ro accept-tolerance {accept-tolerance}? | +--ro accept-tolerance {accept-tolerance}?
| | +--ro duration? uint32 | | +--ro duration? uint32
| +--ro last-modified-timestamp? yang:date-and-time | +--ro last-modified-timestamp? yang:date-and-time
| +--ro key-chain-entries* [key-id] | +--ro key-entry-state* [key-id]
| +--ro key-id uint64 | +--ro key-id uint64
| +--ro lifetime | +--ro lifetime
| | +--ro (lifetime)? | | +--ro (lifetime)?
| | +--:(send-and-accept-lifetime) | | +--:(send-and-accept-lifetime)
| | | +--ro send-accept-lifetime | | | +--ro send-accept-lifetime
| | | +--ro (lifetime)? | | | +--ro (lifetime)?
| | | +--:(always) | | | +--:(always)
| | | | +--ro always? empty | | | | +--ro always? empty
| | | +--:(start-end-time) | | | +--:(start-end-time)
| | | +--ro start-date-time? | | | +--ro start-date-time? yang:date-and-time
| | | yang:date-and-time
| | | +--ro (end-time)? | | | +--ro (end-time)?
| | | +--:(infinite) | | | +--:(infinite)
| | | | +--ro no-end-time? empty | | | | +--ro no-end-time? empty
| | | +--:(duration) | | | +--:(duration)
| | | | +--ro duration? uint32 | | | | +--ro duration? uint32
| | | +--:(end-date-time) | | | +--:(end-date-time)
| | | +--ro end-date-time? | | | +--ro end-date-time?
| | | yang:date-and-time | | | yang:date-and-time
| | +--:(independent-send-accept-lifetime) | | +--:(independent-send-accept-lifetime)
| | | {independent-send-accept-lifetime}? | | | {independent-send-accept-lifetime}?
| | +--ro send-lifetime | | +--ro send-lifetime
| | | +--ro (lifetime)? | | | +--ro (lifetime)?
| | | +--:(always) | | | +--:(always)
| | | | +--ro always? empty | | | | +--ro always? empty
| | | +--:(start-end-time) | | | +--:(start-end-time)
| | | +--ro start-date-time? | | | +--ro start-date-time? yang:date-and-time
| | | yang:date-and-time
| | | +--ro (end-time)? | | | +--ro (end-time)?
| | | +--:(infinite) | | | +--:(infinite)
| | | | +--ro no-end-time? empty | | | | +--ro no-end-time? empty
| | | +--:(duration) | | | +--:(duration)
| | | | +--ro duration? uint32 | | | | +--ro duration? uint32
| | | +--:(end-date-time) | | | +--:(end-date-time)
| | | +--ro end-date-time? | | | +--ro end-date-time?
| | | yang:date-and-time | | | yang:date-and-time
| | +--ro accept-lifetime | | +--ro accept-lifetime
| | +--ro (lifetime)? | | +--ro (lifetime)?
| | +--:(always) | | +--:(always)
| | | +--ro always? empty | | | +--ro always? empty
| | +--:(start-end-time) | | +--:(start-end-time)
| | +--ro start-date-time? yang:date-and-time | | +--ro start-date-time? yang:date-and-time
| | +--ro (end-time)? | | +--ro (end-time)?
| | +--:(infinite) | | +--:(infinite)
| | | +--ro no-end-time? empty | | | +--ro no-end-time? empty
| | +--:(duration) | | +--:(duration)
| | | +--ro duration? uint32 | | | +--ro duration? uint32
| | +--:(end-date-time) | | +--:(end-date-time)
| | +--ro end-date-time? | | +--ro end-date-time?
| | yang:date-and-time | | yang:date-and-time
| +--ro crypto-algorithm | +--ro crypto-algorithm identityref
| | +--ro (algorithm)?
| | +--:(hmac-sha-1-12) {crypto-hmac-sha-1-12}?
| | | +--ro hmac-sha1-12? empty
| | +--:(aes-cmac-prf-128) {aes-cmac-prf-128}?
| | | +--ro aes-cmac-prf-128? empty
| | +--:(md5)
| | | +--ro md5? empty
| | +--:(sha-1)
| | | +--ro sha-1? empty
| | +--:(hmac-sha-1)
| | | +--ro hmac-sha-1? empty
| | +--:(hmac-sha-256)
| | | +--ro hmac-sha-256? empty
| | +--:(hmac-sha-384)
| | | +--ro hmac-sha-384? empty
| | +--:(hmac-sha-512)
| | | +--ro hmac-sha-512? empty
| | +--:(clear-text) {clear-text}?
| | | +--ro clear-text? empty
| | +--:(replay-protection-only)
| | | {replay-protection-only}?
| | +--ro replay-protection-only? empty
| +--ro key-string | +--ro key-string
| +--ro (key-string-style)? | | +--ro (key-string-style)?
| +--:(keystring) | | +--:(keystring)
| | +--ro keystring? string | | | +--ro keystring? string
| +--:(hexadecimal) {hex-key-string}? | | +--:(hexadecimal) {hex-key-string}?
| +--ro hexadecimal-string? yang:hex-string | | +--ro hexadecimal-string? yang:hex-string
| +--ro send-lifetime-active? boolean | +--ro send-lifetime-active? boolean
| +--ro accept-lifetime-active? boolean | +--ro accept-lifetime-active? boolean
+--ro aes-key-wrap {aes-key-wrap}? +--ro aes-key-wrap {aes-key-wrap}?
+--ro enable? boolean +--ro enable? boolean
4. Key Chain YANG Model 4. Key Chain YANG Model
<CODE BEGINS> file "ietf-key-chain@2017-01-20.yang" <CODE BEGINS> file "ietf-key-chain@2017-02-15.yang"
module ietf-key-chain { module ietf-key-chain {
namespace "urn:ietf:params:xml:ns:yang:ietf-key-chain"; yang-version 1.1;
// replace with IANA namespace when assigned namespace "urn:ietf:params:xml:ns:yang:ietf-key-chain";
prefix "key-chain"; prefix key-chain;
import ietf-yang-types {
prefix "yang";
}
import ietf-netconf-acm {
prefix "nacm";
}
organization import ietf-yang-types {
"IETF RTG (Routing) Working Group"; prefix yang;
contact }
"Acee Lindem - acee@cisco.com"; import ietf-netconf-acm {
prefix nacm;
}
description organization
"This YANG module defines the generic configuration "IETF RTG (Routing) Working Group";
contact
"Acee Lindem - acee@cisco.com";
description
"This YANG module defines the generic configuration
data for key-chain. It is intended that the module data for key-chain. It is intended that the module
will be extended by vendors to define vendor-specific will be extended by vendors to define vendor-specific
key-chain configuration parameters. key-chain configuration parameters.
Copyright (c) 2015 IETF Trust and the persons identified as Copyright (c) 2015 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2017-01-20 { revision 2017-02-15 {
description description
"Add support of using NETCONF Access Control for "Replace choice statement with identity for crypto-algorithm.
key-string."; Removed unneeded groupings.
reference Fixed indenations.";
"RFC XXXX: A YANG Data Model for key-chain"; reference "RFC XXXX: A YANG Data Model for key-chain";
} }
revision 2016-11-14 {
description
"Restore last-modified timestamp leaf.";
reference
"RFC XXXX: A YANG Data Model for key-chain";
}
revision 2016-10-27 {
description
"Restructure into separate config and state trees to
match YANG structure.";
reference
"RFC XXXX: A YANG Data Model for key-chain";
}
revision 2016-08-17 {
description
"Add description and last-modified timestamp leaves.";
reference
"RFC XXXX: A YANG Data Model for key-chain";
}
revision 2016-07-01 {
description
"Rename module back to ietf-key-chain.
Added replay-protection-only feature and algorithm.";
reference
"RFC XXXX: A YANG Data Model for key-chain";
}
revision 2016-03-15 {
description
"Rename module from ietf-key-chain to
ietf-routing-key-chain.";
reference
"RFC XXXX: A YANG Data Model for Routing key-chain";
}
revision 2016-02-16 {
description
"Updated version. Added clear-text algorithm as a
feature.";
reference
"RFC XXXX: A YANG Data Model for key-chain";
}
revision 2015-10-15 {
description
"Updated version, organization, and copyright.
Added aes-cmac-prf-128 and aes-key-wrap features.";
reference
"RFC XXXX: A YANG Data Model for key-chain";
}
revision 2015-06-29 {
description
"Updated version. Added Operation State following
draft-openconfig-netmod-opstate-00.";
reference
"RFC XXXX: A YANG Data Model for key-chain";
}
revision 2015-02-24 {
description
"Initial revision.";
reference
"RFC XXXX: A YANG Data Model for key-chain";
}
typedef key-chain-ref { feature hex-key-string {
type leafref { description
path "/key-chain:key-chain/key-chain:key-chain-list/" "Support hexadecimal key string.";
+ "key-chain:name";
}
description
"This type is used by data models that need to reference
configured key-chains.";
}
/* feature list */ }
feature hex-key-string {
description
"Support hexadecimal key string.";
}
feature accept-tolerance { feature accept-tolerance {
description description
"To specify the tolerance or acceptance limit."; "To specify the tolerance or acceptance limit.";
} }
feature independent-send-accept-lifetime { feature independent-send-accept-lifetime {
description description
"Support for independent send and accept key lifetimes."; "Support for independent send and accept key lifetimes.";
} }
feature crypto-hmac-sha-1-12 { feature crypto-hmac-sha-1-12 {
description description
"Support for TCP HMAC-SHA-1 12 byte digest hack."; "Support for TCP HMAC-SHA-1 12 byte digest hack.";
} }
feature clear-text { feature clear-text {
description description
"Support for clear-text algorithm. Usage is "Support for clear-text algorithm. Usage is
NOT RECOMMENDED."; NOT RECOMMENDED.";
}
} feature aes-cmac-prf-128 {
description
"Support for AES Cipher based Message Authentication
Code Pseudo Random Function.";
}
feature aes-cmac-prf-128 { feature aes-key-wrap {
description description
"Support for AES Cipher based Message Authentication "Support for Advanced Encryption Standard (AES) Key Wrap.";
Code Pseudo Random Function."; }
}
feature aes-key-wrap { feature replay-protection-only {
description description
"Support for Advanced Encryption Standard (AES) "Provide replay-protection without any authentication
Key Wrap."; as required by protocols such as Bidirectional
} Forwarding Detection (BFD).";
}
feature replay-protection-only { identity crypto-algorithm {
description description
"Provide replay-protection without any authentication "Base identity of cryptographic algorithm options.";
as required by protocols such as Bidirectional }
Forwarding Detection (BFD).";
}
/* groupings */ identity hmac-sha-1-12 {
grouping lifetime { base crypto-algorithm;
description if-feature "crypto-hmac-sha-1-12";
"Key lifetime specification."; description
choice lifetime { "The HMAC-SHA1-12 algorithm.";
default always; }
description
"Options for specifying key accept or send identity aes-cmac-prf-128 {
lifetimes"; base crypto-algorithm;
case always { if-feature "aes-cmac-prf-128";
leaf always { description
type empty; "The AES-CMAC-PRF-128 algorithm - required by
description RFC 5926 for TCP-AO key derivation functions.";
"Indicates key lifetime is always valid."; }
}
} identity md5 {
case start-end-time { base crypto-algorithm;
leaf start-date-time { description
type yang:date-and-time; "The MD5 algorithm.";
description "Start time."; }
}
choice end-time { identity sha-1 {
default infinite; base crypto-algorithm;
description description
"End-time setting."; "The SHA-1 algorithm.";
case infinite { }
leaf no-end-time {
type empty; identity hmac-sha-1 {
description base crypto-algorithm;
"Indicates key lifetime end-time in description
infinite."; "HMAC-SHA-1 authentication algorithm.";
} }
}
case duration { identity hmac-sha-256 {
leaf duration { base crypto-algorithm;
type uint32 { description
range "1..2147483646"; "HMAC-SHA-256 authentication algorithm.";
} }
units seconds;
description "Key lifetime duration, identity hmac-sha-384 {
in seconds"; base crypto-algorithm;
} description
} "HMAC-SHA-384 authentication algorithm.";
case end-date-time { }
leaf end-date-time {
type yang:date-and-time; identity hmac-sha-512 {
description "End time."; base crypto-algorithm;
} description
} "HMAC-SHA-512 authentication algorithm.";
} }
} identity clear-text {
} base crypto-algorithm;
if-feature "clear-text";
description
"Clear text.";
}
identity replay-protection-only {
base crypto-algorithm;
if-feature "replay-protection-only";
description
"Provide replay-protection without any authentication as
required by protocols such as Bidirectional Forwarding
Detection (BFD).";
}
typedef key-chain-ref {
type leafref {
path
"/key-chain:key-chains/key-chain:key-chain/key-chain:name";
} }
description
"This type is used by data models that need to reference
configured key-chains.";
}
grouping crypto-algorithm-types { grouping lifetime {
description "Cryptographic algorithm types."; description
choice algorithm { "Key lifetime specification.";
description choice lifetime {
"Options for cryptographic algorithm specification."; default "always";
case hmac-sha-1-12 { description
if-feature crypto-hmac-sha-1-12; "Options for specifying key accept or send lifetimes";
leaf hmac-sha1-12 { case always {
type empty; leaf always {
description "The HMAC-SHA1-12 algorithm."; type empty;
} description
} "Indicates key lifetime is always valid.";
case aes-cmac-prf-128 { }
if-feature aes-cmac-prf-128; }
leaf aes-cmac-prf-128 { case start-end-time {
type empty; leaf start-date-time {
description "The AES-CMAC-PRF-128 algorithm - type yang:date-and-time;
required by RFC 5926 for TCP-AO key description
derivation functions."; "Start time.";
} }
} choice end-time {
case md5 { default "infinite";
leaf md5 { description
type empty; "End-time setting.";
description "The MD5 algorithm."; case infinite {
} leaf no-end-time {
} type empty;
case sha-1 { description
leaf sha-1 { "Indicates key lifetime end-time in infinite.";
type empty;
description "The SHA-1 algorithm.";
}
}
case hmac-sha-1 {
leaf hmac-sha-1 {
type empty;
description
"HMAC-SHA-1 authentication algorithm.";
}
}
case hmac-sha-256 {
leaf hmac-sha-256 {
type empty;
description
"HMAC-SHA-256 authentication algorithm.";
}
}
case hmac-sha-384 {
leaf hmac-sha-384 {
type empty;
description
"HMAC-SHA-384 authentication algorithm.";
}
}
case hmac-sha-512 {
leaf hmac-sha-512 {
type empty;
description
"HMAC-SHA-512 authentication algorithm.";
}
} }
case clear-text { }
if-feature clear-text; case duration {
leaf clear-text { leaf duration {
type empty; type uint32 {
description "Clear text."; range "1..2147483646";
} }
units "seconds";
description
"Key lifetime duration, in seconds";
} }
case replay-protection-only { }
if-feature replay-protection-only; case end-date-time {
leaf replay-protection-only { leaf end-date-time {
type empty; type yang:date-and-time;
description description
"Provide replay-protection without any "End time.";
authentication as required by protocols
such as Bidirectional Forwarding
Detection (BFD).";
}
} }
}
} }
}
} }
}
grouping key-chain-common-entry { grouping key-common-entry {
description "Key-chain entry data nodes common to description
configuration and state."; "Key-chain entry data nodes common to
container lifetime { configuration and state.";
description "Specify a key's lifetime."; container lifetime {
choice lifetime { description
description "Specify a key's lifetime.";
"Options for specification of send and accept choice lifetime {
lifetimes."; description
case send-and-accept-lifetime { "Options for specification of send and accept lifetimes.";
description case send-and-accept-lifetime {
"Send and accept key have the same description
lifetime."; "Send and accept key have the same lifetime.";
container send-accept-lifetime { container send-accept-lifetime {
uses lifetime; description
description "Single lifetime specification for both
"Single lifetime specification for both send and accept lifetimes.";
send and accept lifetimes.";
}
}
case independent-send-accept-lifetime {
if-feature independent-send-accept-lifetime;
description
"Independent send and accept key lifetimes.";
container send-lifetime {
uses lifetime;
description
"Separate lifetime specification for send
lifetime.";
}
container accept-lifetime {
uses lifetime;
description
"Separate lifetime specification for
accept lifetime.";
} uses lifetime;
} }
}
} }
container crypto-algorithm { case independent-send-accept-lifetime {
uses crypto-algorithm-types; if-feature "independent-send-accept-lifetime";
description
"Independent send and accept key lifetimes.";
container send-lifetime {
description description
"Cryptographic algorithm associated with key."; "Separate lifetime specification for send lifetime.";
} uses lifetime;
container key-string { }
description "The key string."; container accept-lifetime {
nacm:default-deny-all; description
choice key-string-style { "Separate lifetime specification for accept lifetime.";
description uses lifetime;
"Key string styles"; }
case keystring {
leaf keystring {
type string;
description
"Key string in ASCII format.";
}
}
case hexadecimal {
if-feature hex-key-string;
leaf hexadecimal-string {
type yang:hex-string;
description
"Key in hexadecimal string format.";
}
}
}
} }
}
} }
leaf crypto-algorithm {
grouping key-chain-config-entry { type identityref {
description "Key-chain configuration entry."; base crypto-algorithm;
uses key-chain-common-entry; }
mandatory true;
description
"Cryptographic algorithm associated with key.";
} }
grouping key-chain-state-entry { container key-string {
description "Key-chain state entry."; description
uses key-chain-common-entry; "The key string.";
leaf send-lifetime-active { nacm:default-deny-all;
type boolean; choice key-string-style {
config false; description
"Key string styles";
case keystring {
leaf keystring {
type string;
description description
"Indicates if the send lifetime of the "Key string in ASCII format.";
key-chain entry is currently active."; }
} }
leaf accept-lifetime-active { case hexadecimal {
type boolean; if-feature "hex-key-string";
config false; leaf hexadecimal-string {
type yang:hex-string;
description description
"Indicates if the accept lifetime of the "Key in hexadecimal string format. When compared
key-chain entry is currently active."; to ASCII, specification in hexadecimal affords
greater key entropy with the same number of
octets. Additionally, it discourages usage of
well-known words or numbers.";
}
} }
}
} }
}
grouping key-chain-common { grouping key-state-entry {
description description
"key-chain common grouping."; "Key state entry.";
leaf name { uses key-common-entry;
type string; leaf send-lifetime-active {
description "Name of the key-chain."; type boolean;
} config false;
leaf description { description
type string; "Indicates if the send lifetime of the
description "A description of the key-chain"; key-chain entry is currently active.";
}
container accept-tolerance {
if-feature accept-tolerance;
description
"Tolerance for key lifetime acceptance (seconds).";
leaf duration {
type uint32;
units seconds;
default "0";
description
"Tolerance range, in seconds.";
}
}
} }
leaf accept-lifetime-active {
type boolean;
config false;
description
"Indicates if the accept lifetime of the
key-chain entry is currently active.";
}
}
grouping key-chain-config { grouping key-chain-common {
description description
"key-chain configuration grouping."; "key-chain common grouping.";
uses key-chain-common; leaf name {
list key-chain-entries { type string;
key "key-id"; description
description "One key."; "Name of the key-chain.";
leaf key-id {
type uint64;
description "Key ID.";
}
uses key-chain-config-entry;
}
} }
grouping key-chain-state { leaf description {
type string;
description
"A description of the key-chain";
}
container accept-tolerance {
if-feature "accept-tolerance";
description
"Tolerance for key lifetime acceptance (seconds).";
leaf duration {
type uint32;
units "seconds";
default "0";
description description
"key-chain state grouping."; "Tolerance range, in seconds.";
uses key-chain-common; }
leaf last-modified-timestamp {
type yang:date-and-time;
description "Timestamp of the most recent update
to the key-chain";
}
list key-chain-entries {
key "key-id";
description "One key.";
leaf key-id {
type uint64;
description "Key ID.";
}
uses key-chain-state-entry;
}
} }
}
container key-chain { grouping key-chain-config {
list key-chain-list { description
key "name"; "key-chain configuration grouping.";
description uses key-chain-common;
"List of key-chains."; list key-entry {
uses key-chain-config; key "key-id";
} description
"One key.";
container aes-key-wrap { leaf key-id {
if-feature aes-key-wrap; type uint64;
description description
"AES Key Wrap password encryption."; "Key ID.";
leaf enable { }
type boolean; uses key-common-entry;
default false;
description
"Enable AES Key Wrap encryption.";
}
}
description "All configured key-chains
on the device.";
} }
}
container key-chain-state { grouping key-chain-state {
config false; description
list key-chain-list { "key-chain state grouping.";
key "name"; uses key-chain-common;
description leaf last-modified-timestamp {
"List of key-chains and operational state."; type yang:date-and-time;
uses key-chain-state; description
} "Timestamp of the most recent update to the key-chain";
container aes-key-wrap { }
if-feature aes-key-wrap; list key-entry-state {
description key "key-id";
"AES Key Wrap password encryption."; description
leaf enable { "One key.";
type boolean; leaf key-id {
description type uint64;
"Indicates whether AES Key Wrap encryption description
is enabled."; "Key ID.";
} }
} uses key-state-entry;
description "State for all configured key-chains }
on the device."; }
container key-chains {
description
"All configured key-chains on the device.";
list key-chain {
key "name";
description
"List of key-chains.";
uses key-chain-config;
}
container aes-key-wrap {
if-feature "aes-key-wrap";
description
"AES Key Wrap password encryption.";
leaf enable {
type boolean;
default "false";
description
"Enable AES Key Wrap encryption.";
}
}
}
container key-chains-state {
config false;
description
"State for all configured key-chains on the device.";
list key-chain-state {
key "name";
description
"List of key-chains and operational state.";
uses key-chain-state;
}
container aes-key-wrap {
if-feature "aes-key-wrap";
description
"AES Key Wrap password encryption.";
leaf enable {
type boolean;
description
"Indicates whether AES Key Wrap encryption is enabled.";
}
} }
}
} }
<CODE ENDS> <CODE ENDS>
5. Security Considerations 5. Security Considerations
This document enables the automated distribution of industry standard This document enables the automated distribution of industry standard
key chains using the NETCONF [NETCONF] protocol. As such, the key chains using the NETCONF [NETCONF] protocol. As such, the
security considerations for the NETCONF protocol are applicable. security considerations for the NETCONF protocol are applicable. The
Given that the key chains themselves are sensitive data, it is NETCONF protocol mandates confidentiality (section 2.2 of [NETCONF].
RECOMMENDED that the NETCONF communication channel be encrypted. One Similarily, the RESTCONF protocol also mandates confidentiality
way to do accomplish this would be to invoke and run NETCONF over SSH (section 1.1 of [RESTCONF]). If a transport not mandating
as described in [NETCONF-SSH]. confidentiality is used, it is RECOMMENDED that the transport
communication channel be encrypted.
When configured, the key-strings can be encrypted using the AES Key When configured, the key-strings can be encrypted using the AES Key
Wrap algorithm [AES-KEY-WRAP]. The AES key-encryption key (KEK) is Wrap algorithm [AES-KEY-WRAP]. The AES key-encryption key (KEK) is
not included in the YANG model and must be set or derived independent not included in the YANG model and must be set or derived independent
of key-chain configuration. of key-chain configuration.
The key strings are not accessible by default and NETCONF Access The key strings are not accessible by default and NETCONF Access
Control Mode [NETCONF-ACM] rules are required to configure or Control Mode [NETCONF-ACM] rules are required to configure or
retrieve them. retrieve them.
The clear-text algorithm is included as a YANG feature. Usage is NOT The clear-text algorithm is included as a YANG feature. Usage is NOT
RECOMMENDED except in cases where the application and device have no RECOMMENDED except in cases where the application and device have no
other alternative (e.g., a legacy network device that must other alternative (e.g., a legacy network device that must
authenticate packets at intervals of 10 milliseconds or less for many authenticate packets at intervals of 10 milliseconds or less for many
peers using Bidirectional Forwarding Detection [BFD]). Keys used peers using Bidirectional Forwarding Detection [BFD]). Keys used
with the clear-text algorithm are considered insecure and SHOULD NOT with the clear-text algorithm are considered insecure and SHOULD NOT
be reused with more secure algorithms. be reused with more secure algorithms.
It is RECOMMENDED that keys be encrypted or otherwise obfuscated when
stored internally on a network device supporting this specification.
6. IANA Considerations 6. IANA Considerations
This document registers a URI in the IETF XML registry This document registers a URI in the IETF XML registry
[XML-REGISTRY]. Following the format in [XML-REGISTRY], the [XML-REGISTRY]. Following the format in [XML-REGISTRY], the
following registration is requested to be made: following registration is requested to be made:
URI: urn:ietf:params:xml:ns:yang:ietf-key-chain URI: urn:ietf:params:xml:ns:yang:ietf-key-chain
Registrant Contact: The IESG. Registrant Contact: The IESG.
skipping to change at page 21, line 36 skipping to change at page 19, line 18
[NETCONF] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. [NETCONF] Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
Bierman, "Network Configuration Protocol (NETCONF)", RFC Bierman, "Network Configuration Protocol (NETCONF)", RFC
6241, June 2011. 6241, June 2011.
[NETCONF-ACM] [NETCONF-ACM]
Bierman, A. and M. Bjorklund, "Network Configuration Bierman, A. and M. Bjorklund, "Network Configuration
Protocol (NETCONF) Access Control Model", RFC 6536, March Protocol (NETCONF) Access Control Model", RFC 6536, March
2012. 2012.
[NETCONF-SSH]
Wasserman, M., "Using NETCONF Protocol over Secure Shell
(SSH)", RFC 6242, June 2011.
[RFC-KEYWORDS] [RFC-KEYWORDS]
Bradner, S., "Key words for use in RFC's to Indicate Bradner, S., "Key words for use in RFC's to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[XML-REGISTRY] [XML-REGISTRY]
Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
January 2004. January 2004.
[YANG] Bjorklund, M., "YANG - A Data Modeling Language for the [YANG] Bjorklund, M., "YANG - A Data Modeling Language for the
Network Configuration Protocol (NETCONF)", RFC 6020, Network Configuration Protocol (NETCONF)", RFC 6020,
skipping to change at page 22, line 24 skipping to change at page 19, line 49
[CRYPTO-KEYTABLE] [CRYPTO-KEYTABLE]
Housley, R., Polk, T., Hartman, S., and D. Zhang, Housley, R., Polk, T., Hartman, S., and D. Zhang,
"Table of Cryptographic Keys", RFC 7210, April 2014. "Table of Cryptographic Keys", RFC 7210, April 2014.
[IAB-REPORT] [IAB-REPORT]
Andersson, L., Davies, E., and L. Zhang, "Report from the Andersson, L., Davies, E., and L. Zhang, "Report from the
IAB workshop on Unwanted Traffic March 9-10, 2006", RFC IAB workshop on Unwanted Traffic March 9-10, 2006", RFC
4948, August 2007. 4948, August 2007.
[NETCONF-SERVER-CONF]
Watsen, K. and J. Schoenwaelder, "NETCONF Server and
RESTCONF Server Configuration Models", draft-ietf-netconf-
server-model-08.txt (work in progress), October 2015.
[NTP-PROTO] [NTP-PROTO]
Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network
Time Protocol Version 4: Protocol and Algorithms Time Protocol Version 4: Protocol and Algorithms
Specification", RFC 5905, June 2010. Specification", RFC 5905, June 2010.
[OSPFV3-AUTH] [OSPFV3-AUTH]
Bhatia, M., Manral, V., and A. Lindem, "Supporting Bhatia, M., Manral, V., and A. Lindem, "Supporting
Authentication Trailer for OSPFv3", RFC 7166, March 2014. Authentication Trailer for OSPFv3", RFC 7166, March 2014.
[RESTCONF]
Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, January 2017.
[TCP-AO] Touch, J., Mankin, A., and R. Bonica, "The TCP [TCP-AO] Touch, J., Mankin, A., and R. Bonica, "The TCP
Authentication Option", RFC 5925, June 2010. Authentication Option", RFC 5925, June 2010.
[TCP-AO-ALGORITHMS] [TCP-AO-ALGORITHMS]
Lebovitz, G. and E. Rescorla, "Cryptographic Algorithms Lebovitz, G. and E. Rescorla, "Cryptographic Algorithms
for the TCP Authentication Option (TCP-AO)", RFC 5926, for the TCP Authentication Option (TCP-AO)", RFC 5926,
June 2010. June 2010.
[YANG-CRYPTO-KEYTABLE] [YANG-CRYPTO-KEYTABLE]
Chen, I., "YANG Data Model for RFC 7210 Key Table", draft- Chen, I., "YANG Data Model for RFC 7210 Key Table", draft-
chen-rtg-key-table-yang-02.txt (work in progress), chen-rtg-key-table-yang-00.txt (work in progress),
November 2015. November 2015.
Appendix A. Acknowledgments Appendix A. Examples
A.1. Simple Key Chain with Always Valid Single Key
<?xml version="1.0" encoding="utf-8"?>
<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<key-chains xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain">
<key-chain>
<name>keychain-no-end-time</name>
<description>
A key chain with a single key that is always valid for tx/rx
</description>
<key-entry>
<key-id>100</key-id>
<lifetime>
<send-accept-lifetime>
<always/>
</send-accept-lifetime>
</lifetime>
<crypto-algorithm>md5</crypto-algorithm>
<key-string>
<keystring>keystring_in_ascii_100</keystring>
</key-string>
</key-entry>
</key-chain>
</key-chains>
</data>
A.2. Key Chain with Keys having Different Lifetimes
<?xml version="1.0" encoding="utf-8"?>
<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<key-chains xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain">
<key-chain>
<name>keychain2</name>
<description>
A key chain where each key contains different send time
and accept time
</description>
<key-entry>
<key-id>35</key-id>
<lifetime>
<send-lifetime>
<start-date-time>2017-01-01T00:00:00Z</start-date-time>
<end-date-time>2017-02-01T00:00:00Z</end-date-time>
</send-lifetime>
<accept-lifetime>
<start-date-time>2016-12-31T23:59:55Z</start-date-time>
<end-date-time>2017-02-01T00:00:05Z</end-date-time>
</accept-lifetime>
</lifetime>
<crypto-algorithm>hmac-sha-1</crypto-algorithm>
<key-string>
<keystring>keystring_in_ascii_35</keystring>
</key-string>
</key-entry>
<key-entry>
<key-id>36</key-id>
<lifetime>
<send-lifetime>
<start-date-time>2017-02-01T00:00:00Z</start-date-time>
<end-date-time>2017-03-01T00:00:00Z</end-date-time>
</send-lifetime>
<accept-lifetime>
<start-date-time>2017-01-31T23:59:55Z</start-date-time>
<end-date-time>2017-03-01T00:00:05Z</end-date-time>
</accept-lifetime>
</lifetime>
<crypto-algorithm>hmac-sha-1</crypto-algorithm>
<key-string>
<hexadecimal-string>fe:ed:be:af:36</hexadecimal-string>
</key-string>
</key-entry>
</key-chain>
</key-chains>
</data>
A.3. Key Chain with Independent Send and Accept Lifetimes
<?xml version="1.0" encoding="utf-8"?>
<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<key-chains xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain">
<key-chain>
<name>keychain2</name>
<description>
A key chain where each key contains different send time
and accept time
</description>
<key-entry>
<key-id>35</key-id>
<lifetime>
<send-lifetime>
<start-date-time>2017-01-01T00:00:00Z</start-date-time>
<end-date-time>2017-02-01T00:00:00Z</end-date-time>
</send-lifetime>
<accept-lifetime>
<start-date-time>2016-12-31T23:59:55Z</start-date-time>
<end-date-time>2017-02-01T00:00:05Z</end-date-time>
</accept-lifetime>
</lifetime>
<crypto-algorithm>hmac-sha-1</crypto-algorithm>
<key-string>
<keystring>keystring_in_ascii_35</keystring>
</key-string>
</key-entry>
<key-entry>
<key-id>36</key-id>
<lifetime>
<send-lifetime>
<start-date-time>2017-02-01T00:00:00Z</start-date-time>
<end-date-time>2017-03-01T00:00:00Z</end-date-time>
</send-lifetime>
<accept-lifetime>
<start-date-time>2017-01-31T23:59:55Z</start-date-time>
<end-date-time>2017-03-01T00:00:05Z</end-date-time>
</accept-lifetime>
</lifetime>
<crypto-algorithm>hmac-sha-1</crypto-algorithm>
<key-string>
<hexadecimal-string>fe:ed:be:af:36</hexadecimal-string>
</key-string>
</key-entry>
</key-chain>
</key-chains>
</data>
Appendix B. Acknowledgments
The RFC text was produced using Marshall Rose's xml2rfc tool. The RFC text was produced using Marshall Rose's xml2rfc tool.
Thanks to Brian Weis for fruitful discussions on security Thanks to Brian Weis for fruitful discussions on security
requirements. requirements.
Thanks to Ines Robles for Routing Directorate QA review comments. Thanks to Ines Robles for Routing Directorate QA review comments.
Thanks to Ladislav Lhotka for YANG Doctor comments.
Thanks to Martin Bjorklund for additional YANG Doctor comments.
Authors' Addresses Authors' Addresses
Acee Lindem (editor) Acee Lindem (editor)
Cisco Systems Cisco Systems
301 Midenhall Way 301 Midenhall Way
Cary, NC 27513 Cary, NC 27513
USA USA
Email: acee@cisco.com Email: acee@cisco.com
skipping to change at page 23, line 32 skipping to change at page 23, line 39
Huawei Huawei
Email: yingzhen.qu@huawei.com Email: yingzhen.qu@huawei.com
Derek Yeung Derek Yeung
Arrcus, Inc Arrcus, Inc
Email: derek@arrcus.com Email: derek@arrcus.com
Ing-Wher Chen Ing-Wher Chen
Ericsson Jabil
Email: ichen@kuatrotech.com
Email: ing-wher_chen@jabil.com
Jeffrey Zhang Jeffrey Zhang
Juniper Networks Juniper Networks
10 Technology Park Drive 10 Technology Park Drive
Westford, MA 01886 Westford, MA 01886
USA USA
Email: zzhang@juniper.net Email: zzhang@juniper.net
Yi Yang Yi Yang
SockRate SockRate
Email: yi.yang@sockrate.com Email: yi.yang@sockrate.com
 End of changes. 82 change blocks. 
553 lines changed or deleted 563 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/