draft-ietf-rtgwg-yang-key-chain-19.txt   draft-ietf-rtgwg-yang-key-chain-20.txt 
Network Working Group A. Lindem, Ed. Network Working Group A. Lindem, Ed.
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Intended status: Standards Track Y. Qu Intended status: Standards Track Y. Qu
Expires: October 14, 2017 Huawei Expires: October 20, 2017 Huawei
D. Yeung D. Yeung
Arrcus, Inc Arrcus, Inc
I. Chen I. Chen
Jabil Jabil
J. Zhang J. Zhang
Juniper Networks Juniper Networks
April 12, 2017 April 18, 2017
Routing Key Chain YANG Data Model Routing Key Chain YANG Data Model
draft-ietf-rtgwg-yang-key-chain-19.txt draft-ietf-rtgwg-yang-key-chain-20.txt
Abstract Abstract
This document describes the key chain YANG data model. Key chains This document describes the key chain YANG data model. Key chains
are commonly used for routing protocol authentication and other are commonly used for routing protocol authentication and other
applications requiring symmetric keys. A key chain is a list of applications requiring symmetric keys. A key chain is a list of
elements each containing a key string, send lifetime, accept elements each containing a key string, send lifetime, accept
lifetime, and algorithm (authentication or encryption). By properly lifetime, and algorithm (authentication or encryption). By properly
overlapping the send and accept lifetimes of multiple key chain overlapping the send and accept lifetimes of multiple key chain
elements, key strings and algorithms may be gracefully updated. By elements, key strings and algorithms may be gracefully updated. By
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 14, 2017. This Internet-Draft will expire on October 20, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 30 skipping to change at page 2, line 30
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 3
1.2. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 3
2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Applicability . . . . . . . . . . . . . . . . . . . . . . 4 2.1. Applicability . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Graceful Key Rollover using Key Chains . . . . . . . . . 4 2.2. Graceful Key Rollover using Key Chains . . . . . . . . . 4
3. Design of the Key Chain Model . . . . . . . . . . . . . . . . 5 3. Design of the Key Chain Model . . . . . . . . . . . . . . . . 5
3.1. Key Chain Operational State . . . . . . . . . . . . . . . 6 3.1. Key Chain Operational State . . . . . . . . . . . . . . . 5
3.2. Key Chain Model Features . . . . . . . . . . . . . . . . 6 3.2. Key Chain Model Features . . . . . . . . . . . . . . . . 6
3.3. Key Chain Model Tree . . . . . . . . . . . . . . . . . . 6 3.3. Key Chain Model Tree . . . . . . . . . . . . . . . . . . 6
4. Key Chain YANG Model . . . . . . . . . . . . . . . . . . . . 9 4. Key Chain YANG Model . . . . . . . . . . . . . . . . . . . . 7
5. Security Considerations . . . . . . . . . . . . . . . . . . . 18 5. Security Considerations . . . . . . . . . . . . . . . . . . . 15
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 19 7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 16
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 17
8.1. Normative References . . . . . . . . . . . . . . . . . . 19 8.1. Normative References . . . . . . . . . . . . . . . . . . 17
8.2. Informative References . . . . . . . . . . . . . . . . . 20 8.2. Informative References . . . . . . . . . . . . . . . . . 17
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 21 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 19
A.1. Simple Key Chain with Always Valid Single Key . . . . . . 21 A.1. Simple Key Chain with Always Valid Single Key . . . . . . 19
A.2. Key Chain with Keys having Different Lifetimes . . . . . 22 A.2. Key Chain with Keys having Different Lifetimes . . . . . 19
A.3. Key Chain with Independent Send and Accept Lifetimes . . 24 A.3. Key Chain with Independent Send and Accept Lifetimes . . 21
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 25 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction 1. Introduction
This document describes the key chain YANG [YANG] data model. Key This document describes the key chain YANG [YANG] data model. Key
chains are commonly used for routing protocol authentication and chains are commonly used for routing protocol authentication and
other applications requiring symmetric keys. A key chain is a list other applications requiring symmetric keys. A key chain is a list
of elements each containing a key string, send lifetime, accept of elements each containing a key string, send lifetime, accept
lifetime, and algorithm (authentication or encryption). By properly lifetime, and algorithm (authentication or encryption). By properly
overlapping the send and accept lifetimes of multiple key chain overlapping the send and accept lifetimes of multiple key chain
elements, key strings and algorithms may be gracefully updated. By elements, key strings and algorithms may be gracefully updated. By
skipping to change at page 5, line 46 skipping to change at page 5, line 46
lifetime or send-lifetime is not valid (e.g., has an end-time equal lifetime or send-lifetime is not valid (e.g., has an end-time equal
to the start-time). to the start-time).
Due to the differences in key chain implementations across various Due to the differences in key chain implementations across various
vendors, some of the data elements are optional. Finally, the crypto vendors, some of the data elements are optional. Finally, the crypto
algorithm identities are provided for reuse when configuring legacy algorithm identities are provided for reuse when configuring legacy
authentication and encryption not using key-chains. authentication and encryption not using key-chains.
A key-chain is identified by a unique name within the scope of the A key-chain is identified by a unique name within the scope of the
network device. The "key-chain-ref" typedef SHOULD be used by other network device. The "key-chain-ref" typedef SHOULD be used by other
YANG modules when they need to reference a configured key-chain. The YANG modules when they need to reference a configured key-chain.
"key-chain-state=ref" typedef SHOULD be used by other YANG modules
when they need to reference operational state for a configured key-
chain.
3.1. Key Chain Operational State 3.1. Key Chain Operational State
The key chain operational state is maintained in a separate tree. The key chain operational state is included in the same tree as key
The key string itself is omitted from the operational state to chain configuration consistent with [NMDA]. The timestamp of the
minimize visibility similar to what was done with keys in SNMP MIBs. last key chain modification is also maintained in the operational
The timestamp of the last key-chain modification is also maintained state. Additionally, the operational state includes an indication of
in the operational state. Additionally, the operational state whether or not a key chain key is valid for sending or acceptance.
includes an indication of whether or not a key chain key is valid for
sending or acceptance.
3.2. Key Chain Model Features 3.2. Key Chain Model Features
Features are used to handle differences between vendor Features are used to handle differences between vendor
implementations. For example, not all vendors support configuration implementations. For example, not all vendors support configuration
of an acceptance tolerance or configuration of key strings in of an acceptance tolerance or configuration of key strings in
hexadecimal. They are also used to support of security requirements hexadecimal. They are also used to support of security requirements
(e.g., TCP-AO Algorithms [TCP-AO-ALGORITHMS]) not implemented by (e.g., TCP-AO Algorithms [TCP-AO-ALGORITHMS]) not implemented by
vendors or only a single vendor. vendors or only a single vendor.
3.3. Key Chain Model Tree 3.3. Key Chain Model Tree
+--rw key-chains +--rw key-chains
| +--rw key-chain* [name] +--rw key-chain* [name]
| | +--rw name string | +--rw name string
| | +--rw description? string | +--rw description? string
| | +--rw accept-tolerance {accept-tolerance}? | +--rw accept-tolerance {accept-tolerance}?
| | | +--rw duration? uint32 | | +--rw duration? uint32
| | +--rw key* [key-id]
| | +--rw key-id uint64
| | +--rw lifetime
| | | +--rw (lifetime)?
| | | +--:(send-and-accept-lifetime)
| | | | +--rw send-accept-lifetime
| | | | +--rw (lifetime)?
| | | | +--:(always)
| | | | | +--rw always? empty
| | | | +--:(start-end-time)
| | | | +--rw start-date-time? yang:date-and-time
| | | | +--rw (end-time)?
| | | | +--:(infinite)
| | | | | +--rw no-end-time? empty
| | | | +--:(duration)
| | | | | +--rw duration? uint32
| | | | +--:(end-date-time)
| | | | +--rw end-date-time?
| | | | yang:date-and-time
| | | +--:(independent-send-accept-lifetime)
| | | | {independent-send-accept-lifetime}?
| | | +--rw send-lifetime
| | | | +--rw (lifetime)?
| | | | +--:(always)
| | | | | +--rw always? empty
| | | | +--:(start-end-time)
| | | | +--rw start-date-time? yang:date-and-time
| | | | +--rw (end-time)?
| | | | +--:(infinite)
| | | | | +--rw no-end-time? empty
| | | | +--:(duration)
| | | | | +--rw duration? uint32
| | | | +--:(end-date-time)
| | | | +--rw end-date-time?
| | | | yang:date-and-time
| | | +--rw accept-lifetime
| | | +--rw (lifetime)?
| | | +--:(always)
| | | | +--rw always? empty
| | | +--:(start-end-time)
| | | +--rw start-date-time? yang:date-and-time
| | | +--rw (end-time)?
| | | +--:(infinite)
| | | | +--rw no-end-time? empty
| | | +--:(duration)
| | | | +--rw duration? uint32
| | | +--:(end-date-time)
| | | +--rw end-date-time?
| | | yang:date-and-time
| | +--rw crypto-algorithm identityref
| | +--rw key-string
| | +--rw (key-string-style)?
| | +--:(keystring)
| | | +--rw keystring? string
| | +--:(hexadecimal) {hex-key-string}?
| | +--rw hexadecimal-string? yang:hex-string
| +--rw aes-key-wrap {aes-key-wrap}?
| +--rw enable? boolean
+--ro key-chains-state
+--ro key-chain* [name]
| +--ro name string
| +--ro description? string
| +--ro accept-tolerance {accept-tolerance}?
| | +--ro duration? uint32
| +--ro last-modified-timestamp? yang:date-and-time | +--ro last-modified-timestamp? yang:date-and-time
| +--ro key* [key-id] | +--rw key* [key-id]
| +--ro key-id uint64 | +--rw key-id uint64
| +--ro lifetime | +--rw lifetime
| | +--ro (lifetime)? | | +--rw (lifetime)?
| | +--:(send-and-accept-lifetime) | | +--:(send-and-accept-lifetime)
| | | +--ro send-accept-lifetime | | | +--rw send-accept-lifetime
| | | +--ro (lifetime)? | | | +--rw (lifetime)?
| | | +--:(always) | | | +--:(always)
| | | | +--ro always? empty | | | | +--rw always? empty
| | | +--:(start-end-time) | | | +--:(start-end-time)
| | | +--ro start-date-time? yang:date-and-time | | | +--rw start-date-time?
| | | +--ro (end-time)? | | | | yang:date-and-time
| | | +--rw (end-time)?
| | | +--:(infinite) | | | +--:(infinite)
| | | | +--ro no-end-time? empty | | | | +--rw no-end-time? empty
| | | +--:(duration) | | | +--:(duration)
| | | | +--ro duration? uint32 | | | | +--rw duration? uint32
| | | +--:(end-date-time) | | | +--:(end-date-time)
| | | +--ro end-date-time? | | | +--rw end-date-time?
| | | yang:date-and-time | | | yang:date-and-time
| | +--:(independent-send-accept-lifetime) | | +--:(independent-send-accept-lifetime)
| | {independent-send-accept-lifetime}? | | | {independent-send-accept-lifetime}?
| | +--ro send-lifetime | | +--rw send-lifetime
| | | +--ro (lifetime)? | | | +--rw (lifetime)?
| | | +--:(always) | | | +--:(always)
| | | | +--ro always? empty | | | | +--rw always? empty
| | | +--:(start-end-time) | | | +--:(start-end-time)
| | | +--ro start-date-time? yang:date-and-time | | | +--rw start-date-time?
| | | +--ro (end-time)? | | | | yang:date-and-time
| | | +--rw (end-time)?
| | | +--:(infinite) | | | +--:(infinite)
| | | | +--ro no-end-time? empty | | | | +--rw no-end-time? empty
| | | +--:(duration) | | | +--:(duration)
| | | | +--ro duration? uint32 | | | | +--rw duration? uint32
| | | +--:(end-date-time) | | | +--:(end-date-time)
| | | +--ro end-date-time? | | | +--rw end-date-time?
| | | yang:date-and-time | | | yang:date-and-time
| | +--ro accept-lifetime | | +--rw accept-lifetime
| | +--ro (lifetime)? | | +--rw (lifetime)?
| | +--:(always) | | +--:(always)
| | | +--ro always? empty | | | +--rw always? empty
| | +--:(start-end-time) | | +--:(start-end-time)
| | +--ro start-date-time? yang:date-and-time | | +--rw start-date-time?
| | +--ro (end-time)? | | | yang:date-and-time
| | +--rw (end-time)?
| | +--:(infinite) | | +--:(infinite)
| | | +--ro no-end-time? empty | | | +--rw no-end-time? empty
| | +--:(duration) | | +--:(duration)
| | | +--ro duration? uint32 | | | +--rw duration? uint32
| | +--:(end-date-time) | | +--:(end-date-time)
| | +--ro end-date-time? | | +--rw end-date-time?
| | yang:date-and-time | | yang:date-and-time
| +--ro crypto-algorithm identityref | +--rw crypto-algorithm identityref
| +--ro key-string | +--rw key-string
| | +--ro (key-string-style)? | | +--rw (key-string-style)?
| | +--:(keystring) | | +--:(keystring)
| | | +--ro keystring? string | | | +--rw keystring? string
| | +--:(hexadecimal) {hex-key-string}? | | +--:(hexadecimal) {hex-key-string}?
| | +--ro hexadecimal-string? yang:hex-string | | +--rw hexadecimal-string? yang:hex-string
| +--ro send-lifetime-active? boolean | +--ro send-lifetime-active? boolean
| +--ro accept-lifetime-active? boolean | +--ro accept-lifetime-active? boolean
+--ro aes-key-wrap {aes-key-wrap}? +--rw aes-key-wrap {aes-key-wrap}?
+--ro enable? boolean +--rw enable? boolean
4. Key Chain YANG Model 4. Key Chain YANG Model
<CODE BEGINS> file "ietf-key-chain@2017-02-16.yang" <CODE BEGINS> file "ietf-key-chain@2017-04-18.yang"
module ietf-key-chain { module ietf-key-chain {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-key-chain"; namespace "urn:ietf:params:xml:ns:yang:ietf-key-chain";
prefix key-chain; prefix key-chain;
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
} }
import ietf-netconf-acm { import ietf-netconf-acm {
prefix nacm; prefix nacm;
} }
organization organization
"IETF RTG (Routing) Working Group"; "IETF RTG (Routing) Working Group";
contact contact
"Acee Lindem - acee@cisco.com"; "Acee Lindem - acee@cisco.com";
description description
skipping to change at page 9, line 50 skipping to change at page 8, line 32
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2017-02-16 { revision 2017-04-18 {
description description
"Initial RFC Revision"; "Initial RFC Revision";
reference "RFC XXXX: A YANG Data Model for key-chain"; reference "RFC XXXX: A YANG Data Model for key-chain";
} }
feature hex-key-string { feature hex-key-string {
description description
"Support hexadecimal key string."; "Support hexadecimal key string.";
} }
skipping to change at page 12, line 39 skipping to change at page 11, line 18
typedef key-chain-ref { typedef key-chain-ref {
type leafref { type leafref {
path path
"/key-chain:key-chains/key-chain:key-chain/key-chain:name"; "/key-chain:key-chains/key-chain:key-chain/key-chain:name";
} }
description description
"This type is used by data models that need to reference "This type is used by data models that need to reference
configured key-chains."; configured key-chains.";
} }
typedef key-chain-state-ref {
type leafref {
path "/key-chain:key-chains-state/key-chain:key-chain/"+
"key-chain:name";
}
description
"This type is used by data models that need to reference
operational state for a configured key-chain.";
}
grouping lifetime { grouping lifetime {
description description
"Key lifetime specification."; "Key lifetime specification.";
choice lifetime { choice lifetime {
default "always"; default "always";
description description
"Options for specifying key accept or send lifetimes"; "Options for specifying key accept or send lifetimes";
case always { case always {
leaf always { leaf always {
type empty; type empty;
skipping to change at page 14, line 8 skipping to change at page 12, line 26
} }
} }
} }
} }
} }
} }
grouping key-common { grouping key-common {
description description
"Key-chain key data nodes common to "Key-chain key data nodes common to
configuration and state."; configuration and state.";
container lifetime {
description
"Specify a key's lifetime.";
choice lifetime {
description
"Options for specification of send and accept lifetimes.";
case send-and-accept-lifetime {
description
"Send and accept key have the same lifetime.";
container send-accept-lifetime {
description
"Single lifetime specification for both
send and accept lifetimes.";
uses lifetime;
}
}
case independent-send-accept-lifetime {
if-feature "independent-send-accept-lifetime";
description
"Independent send and accept key lifetimes.";
container send-lifetime {
description
"Separate lifetime specification for send lifetime.";
uses lifetime;
}
container accept-lifetime {
description
"Separate lifetime specification for accept lifetime.";
uses lifetime;
}
}
}
}
leaf crypto-algorithm {
type identityref {
base crypto-algorithm;
}
mandatory true;
description
"Cryptographic algorithm associated with key.";
}
container key-string {
description
"The key string.";
nacm:default-deny-all;
choice key-string-style {
description
"Key string styles";
case keystring {
leaf keystring {
type string;
description
"Key string in ASCII format.";
}
}
case hexadecimal {
if-feature "hex-key-string";
leaf hexadecimal-string {
type yang:hex-string;
description
"Key in hexadecimal string format. When compared
to ASCII, specification in hexadecimal affords
greater key entropy with the same number of
octets. Additionally, it discourages usage of
well-known words or numbers.";
}
}
}
}
}
grouping key-chain-common {
description
"key-chain common grouping.";
leaf name {
type string;
description
"Name of the key-chain.";
}
leaf description {
type string;
description
"A description of the key-chain";
}
container accept-tolerance {
if-feature "accept-tolerance";
description
"Tolerance for key lifetime acceptance (seconds).";
leaf duration {
type uint32;
units "seconds";
default "0";
description
"Tolerance range, in seconds.";
}
}
} }
container key-chains { container key-chains {
description description
"All configured key-chains on the device."; "All configured key-chains on the device.";
list key-chain { list key-chain {
key "name"; key "name";
description description
"List of key-chains."; "List of key-chains.";
uses key-chain-common; leaf name {
list key { type string;
key "key-id";
description description
"Single key in key chain."; "Name of the key-chain.";
leaf key-id {
type uint64;
description
"Numeric value uniquely identifying the key";
}
uses key-common;
} }
} leaf description {
container aes-key-wrap { type string;
if-feature "aes-key-wrap";
description
"AES Key Wrap password encryption.";
leaf enable {
type boolean;
default "false";
description description
"Enable AES Key Wrap encryption."; "A description of the key-chain";
}
container accept-tolerance {
if-feature "accept-tolerance";
description
"Tolerance for key lifetime acceptance (seconds).";
leaf duration {
type uint32;
units "seconds";
default "0";
description
"Tolerance range, in seconds.";
}
} }
}
}
container key-chains-state {
config false;
description
"State for all configured key-chains on the device.";
list key-chain {
key "name";
description
"List of key-chains and operational state.";
uses key-chain-common;
leaf last-modified-timestamp { leaf last-modified-timestamp {
type yang:date-and-time; type yang:date-and-time;
config false;
description description
"Timestamp of the most recent update to the key-chain"; "Timestamp of the most recent update to the key-chain";
} }
list key { list key {
key "key-id"; key "key-id";
description description
"Single key in key chain."; "Single key in key chain.";
leaf key-id { leaf key-id {
type uint64; type uint64;
description description
"Numeric value uniquely identifying the key"; "Numeric value uniquely identifying the key";
} }
uses key-common; container lifetime {
description
"Specify a key's lifetime.";
choice lifetime {
description
"Options for specification of send and accept
lifetimes.";
case send-and-accept-lifetime {
description
"Send and accept key have the same lifetime.";
container send-accept-lifetime {
description
"Single lifetime specification for both
send and accept lifetimes.";
uses lifetime;
}
}
case independent-send-accept-lifetime {
if-feature "independent-send-accept-lifetime";
description
"Independent send and accept key lifetimes.";
container send-lifetime {
description
"Separate lifetime specification for send
lifetime.";
uses lifetime;
}
container accept-lifetime {
description
"Separate lifetime specification for accept
lifetime.";
uses lifetime;
}
}
}
}
leaf crypto-algorithm {
type identityref {
base crypto-algorithm;
}
mandatory true;
description
"Cryptographic algorithm associated with key.";
}
container key-string {
description
"The key string.";
nacm:default-deny-all;
choice key-string-style {
description
"Key string styles";
case keystring {
leaf keystring {
type string;
description
"Key string in ASCII format.";
}
}
case hexadecimal {
if-feature "hex-key-string";
leaf hexadecimal-string {
type yang:hex-string;
description
"Key in hexadecimal string format. When compared
to ASCII, specification in hexadecimal affords
greater key entropy with the same number of
octets. Additionally, it discourages usage of
well-known words or numbers.";
}
}
}
}
leaf send-lifetime-active { leaf send-lifetime-active {
type boolean; type boolean;
config false; config false;
description description
"Indicates if the send lifetime of the "Indicates if the send lifetime of the
key-chain key is currently active."; key-chain key is currently active.";
} }
leaf accept-lifetime-active { leaf accept-lifetime-active {
type boolean; type boolean;
config false; config false;
skipping to change at page 17, line 41 skipping to change at page 15, line 22
key-chain key is currently active."; key-chain key is currently active.";
} }
} }
} }
container aes-key-wrap { container aes-key-wrap {
if-feature "aes-key-wrap"; if-feature "aes-key-wrap";
description description
"AES Key Wrap password encryption."; "AES Key Wrap password encryption.";
leaf enable { leaf enable {
type boolean; type boolean;
default "false";
description description
"Indicates whether AES Key Wrap encryption is enabled."; "Enable AES Key Wrap encryption.";
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
5. Security Considerations 5. Security Considerations
The YANG module defined in this document is designed to be accessed The YANG module defined in this document is designed to be accessed
via network management protocols such as NETCONF [NETCONF] or via network management protocols such as NETCONF [NETCONF] or
skipping to change at page 19, line 6 skipping to change at page 16, line 34
It is RECOMMENDED that keys be encrypted or otherwise obfuscated when It is RECOMMENDED that keys be encrypted or otherwise obfuscated when
stored internally on a network device supporting this specification. stored internally on a network device supporting this specification.
6. IANA Considerations 6. IANA Considerations
This document registers a URI in the IETF XML registry This document registers a URI in the IETF XML registry
[XML-REGISTRY]. Following the format in [XML-REGISTRY], the [XML-REGISTRY]. Following the format in [XML-REGISTRY], the
following registration is requested to be made: following registration is requested to be made:
URI: urn:ietf:params:xml:ns:yang:ietf-key-chain URI: urn:ietf:params:xml:ns:yang:ietf-key-chain
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A, the requested URI is an XML namespace. XML: N/A, the requested URI is an XML namespace.
This document registers a YANG module in the YANG Module Names This document registers a YANG module in the YANG Module Names
registry [YANG]. registry [YANG].
name: ietf-key-chain namespace: urn:ietf:params:xml:ns:yang:ietf- name: ietf-key-chain
key-chain prefix: ietf-key-chain reference: RFC XXXX namespace: urn:ietf:params:xml:ns:yang:ietf-key-chain
prefix: ietf-key-chain
reference: RFC XXXX
7. Contributors 7. Contributors
Contributors' Addresses Contributors' Addresses
Yi Yang Yi Yang
SockRate SockRate
Email: yi.yang@sockrate.com Email: yi.yang@sockrate.com
8. References 8. References
8.1. Normative References 8.1. Normative References
skipping to change at page 20, line 34 skipping to change at page 18, line 16
CryptoBytes Vol. 2, No. 2, Summer 1996. CryptoBytes Vol. 2, No. 2, Summer 1996.
[IAB-REPORT] [IAB-REPORT]
Andersson, L., Davies, E., and L. Zhang, "Report from the Andersson, L., Davies, E., and L. Zhang, "Report from the
IAB workshop on Unwanted Traffic March 9-10, 2006", RFC IAB workshop on Unwanted Traffic March 9-10, 2006", RFC
4948, August 2007. 4948, August 2007.
[NETCONF-SSH] [NETCONF-SSH]
Wasserman, M., "NETCONF over SSH", RFC 6242, June 2011. Wasserman, M., "NETCONF over SSH", RFC 6242, June 2011.
[NMDA] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watson, K.,
and R. Wilton, "Network Management Datastore
Architecture", draft-ietf-netmod-revised-datastores-01.txt
(work in progress), March 2017.
[NTP-PROTO] [NTP-PROTO]
Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network
Time Protocol Version 4: Protocol and Algorithms Time Protocol Version 4: Protocol and Algorithms
Specification", RFC 5905, June 2010. Specification", RFC 5905, June 2010.
[OSPFV3-AUTH] [OSPFV3-AUTH]
Bhatia, M., Manral, V., and A. Lindem, "Supporting Bhatia, M., Manral, V., and A. Lindem, "Supporting
Authentication Trailer for OSPFv3", RFC 7166, March 2014. Authentication Trailer for OSPFv3", RFC 7166, March 2014.
[RESTCONF] [RESTCONF]
 End of changes. 53 change blocks. 
284 lines changed or deleted 176 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/