draft-ietf-rtgwg-yang-key-chain-23.txt   draft-ietf-rtgwg-yang-key-chain-24.txt 
Network Working Group A. Lindem, Ed. Network Working Group A. Lindem, Ed.
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Intended status: Standards Track Y. Qu Intended status: Standards Track Y. Qu
Expires: October 30, 2017 Huawei Expires: October 31, 2017 Huawei
D. Yeung D. Yeung
Arrcus, Inc Arrcus, Inc
I. Chen I. Chen
Jabil Jabil
J. Zhang J. Zhang
Juniper Networks Juniper Networks
April 28, 2017 April 29, 2017
Routing Key Chain YANG Data Model Routing Key Chain YANG Data Model
draft-ietf-rtgwg-yang-key-chain-23.txt draft-ietf-rtgwg-yang-key-chain-24.txt
Abstract Abstract
This document describes the key chain YANG data model. Key chains This document describes the key chain YANG data model. Key chains
are commonly used for routing protocol authentication and other are commonly used for routing protocol authentication and other
applications requiring symmetric keys. A key chain is a list of applications requiring symmetric keys. A key chain is a list of
elements each containing a key string, send lifetime, accept elements each containing a key string, send lifetime, accept
lifetime, and algorithm (authentication or encryption). By properly lifetime, and algorithm (authentication or encryption). By properly
overlapping the send and accept lifetimes of multiple key chain overlapping the send and accept lifetimes of multiple key chain
elements, key strings and algorithms may be gracefully updated. By elements, key strings and algorithms may be gracefully updated. By
skipping to change at page 1, line 45 skipping to change at page 1, line 45
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 30, 2017. This Internet-Draft will expire on October 31, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 48 skipping to change at page 2, line 48
8.2. Informative References . . . . . . . . . . . . . . . . . 18 8.2. Informative References . . . . . . . . . . . . . . . . . 18
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 19 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 19
A.1. Simple Key Chain with Always Valid Single Key . . . . . . 19 A.1. Simple Key Chain with Always Valid Single Key . . . . . . 19
A.2. Key Chain with Keys having Different Lifetimes . . . . . 20 A.2. Key Chain with Keys having Different Lifetimes . . . . . 20
A.3. Key Chain with Independent Send and Accept Lifetimes . . 22 A.3. Key Chain with Independent Send and Accept Lifetimes . . 22
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 23 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction 1. Introduction
This document describes the key chain YANG [YANG] data model. Key This document describes the key chain YANG [YANG-1.1] data model.
chains are commonly used for routing protocol authentication and Key chains are commonly used for routing protocol authentication and
other applications requiring symmetric keys. A key chain is a list other applications requiring symmetric keys. A key chain is a list
of elements each containing a key string, send lifetime, accept of elements each containing a key string, send lifetime, accept
lifetime, and algorithm (authentication or encryption). By properly lifetime, and algorithm (authentication or encryption). By properly
overlapping the send and accept lifetimes of multiple key chain overlapping the send and accept lifetimes of multiple key chain
elements, key strings and algorithms may be gracefully updated. By elements, key strings and algorithms may be gracefully updated. By
representing them in a YANG data model, key distribution can be representing them in a YANG data model, key distribution can be
automated. automated.
In some applications, the protocols do not use the key chain element In some applications, the protocols do not use the key chain element
key directly, but rather a key derivation function is used to derive key directly, but rather a key derivation function is used to derive
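Review bot: the swap from [YANG] to [YANG-1.1] in the first sentence of the Introduction is the right citation only if the module itself declares yang-version 1.1; the module body is not part of this change set, so check that the yang-version statement agrees with the citation, and apply the same [YANG-1.1] key everywhere the modeling language is cited so that the bare [YANG] anchor, which no longer exists in the reference list, does not survive anywhere in the text.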
skipping to change at page 3, line 47 skipping to change at page 3, line 47
container with presence, and "*" denotes a "list" or "leaf-list". container with presence, and "*" denotes a "list" or "leaf-list".
o Parentheses enclose choice and case nodes, and case nodes are also o Parentheses enclose choice and case nodes, and case nodes are also
marked with a colon (":"). marked with a colon (":").
o Ellipsis ("...") stands for contents of subtrees that are not o Ellipsis ("...") stands for contents of subtrees that are not
shown. shown.
2. Problem Statement 2. Problem Statement
This document describes a YANG [YANG] data model for key chains. Key This document describes a YANG [YANG-1.1] data model for key chains.
chains have been implemented and deployed by a large percentage of Key chains have been implemented and deployed by a large percentage
network equipment vendors. Providing a standard YANG model will of network equipment vendors. Providing a standard YANG model will
facilitate automated key distribution and non-disruptive key facilitate automated key distribution and non-disruptive key
rollover. This will aid in tightening the security of the core rollover. This will aid in tightening the security of the core
routing infrastructure as recommended in [IAB-REPORT]. routing infrastructure as recommended in [IAB-REPORT].
A key chain is a list containing one or more elements containing a A key chain is a list containing one or more elements containing a
Key ID, key string, send/accept lifetimes, and the associated Key ID, key string, send/accept lifetimes, and the associated
authentication or encryption algorithm. A key chain can be used by authentication or encryption algorithm. A key chain can be used by
any service or application requiring authentication or encryption any service or application requiring authentication or encryption
using symmetric keys. In essence, the key-chain is a reusable key using symmetric keys. In essence, the key-chain is a reusable key
policy that can be referenced wherever it is required. The key-chain policy that can be referenced wherever it is required. The key-chain
skipping to change at page 16, line 27 skipping to change at page 16, line 27
operations and content. The key strings are not accessible by operations and content. The key strings are not accessible by
default and NETCONF Access Control Mode [NETCONF-ACM] rules are default and NETCONF Access Control Mode [NETCONF-ACM] rules are
required to configure or retrieve them. required to configure or retrieve them.
When configured, the key-strings can be encrypted using the AES Key When configured, the key-strings can be encrypted using the AES Key
Wrap algorithm [AES-KEY-WRAP]. The AES key-encryption key (KEK) is Wrap algorithm [AES-KEY-WRAP]. The AES key-encryption key (KEK) is
not included in the YANG model and must be set or derived independent not included in the YANG model and must be set or derived independent
of key-chain configuration. When AES key-encryption is used, the of key-chain configuration. When AES key-encryption is used, the
hex-key-string feature is also required since the encrypted keys will hex-key-string feature is also required since the encrypted keys will
contain characters that are not representable in the YANG string contain characters that are not representable in the YANG string
built-in type [YANG]. It is RECOMMENDED that key-strings be built-in type [YANG-1.1]. It is RECOMMENDED that key-strings be
encrypted using AES key-encryption to prevent key-chains from being encrypted using AES key-encryption to prevent key-chains from being
retrieved and stored with the key-strings in clear text. This retrieved and stored with the key-strings in clear text. This
recommendation is independent of the access protection that is recommendation is independent of the access protection that is
availed from the NETCONF Access Control Model (NACM) [NETCONF-ACM]. availed from the NETCONF Access Control Model (NACM) [NETCONF-ACM].
The clear-text algorithm is included as a YANG feature. Usage is NOT The clear-text algorithm is included as a YANG feature. Usage is NOT
RECOMMENDED except in cases where the application and device have no RECOMMENDED except in cases where the application and device have no
other alternative (e.g., a legacy network device that must other alternative (e.g., a legacy network device that must
authenticate packets at intervals of 10 milliseconds or less for many authenticate packets at intervals of 10 milliseconds or less for many
peers using Bidirectional Forwarding Detection [BFD]). Keys used peers using Bidirectional Forwarding Detection [BFD]). Keys used
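Review bot: the sentence "contain characters that are not representable in the YANG string built-in type [YANG-1.1]" gives the reason for the hex-key-string feature loosely; the output of AES Key Wrap is arbitrary octets, not characters, so "contain octet values that are not representable in the YANG string built-in type" states the constraint precisely. Separately, since the paragraph places the KEK outside the model ("must be set or derived independent of key-chain configuration"), the security considerations should say in one sentence that confidentiality of the wrapped key-strings rests entirely on protecting the KEK on the device and in the key-distribution system, and that NACM rules on the key-string nodes remain necessary even when the keys are encrypted, which "This recommendation is independent of the access protection ..." implies but does not state.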
skipping to change at page 17, line 16 skipping to change at page 17, line 16
This document registers a URI in the IETF XML registry This document registers a URI in the IETF XML registry
[XML-REGISTRY]. Following the format in [XML-REGISTRY], the [XML-REGISTRY]. Following the format in [XML-REGISTRY], the
following registration is requested to be made: following registration is requested to be made:
URI: urn:ietf:params:xml:ns:yang:ietf-key-chain URI: urn:ietf:params:xml:ns:yang:ietf-key-chain
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A, the requested URI is an XML namespace. XML: N/A, the requested URI is an XML namespace.
This document registers a YANG module in the YANG Module Names This document registers a YANG module in the YANG Module Names
registry [YANG]. registry [YANG-1.0].
name: ietf-key-chain name: ietf-key-chain
namespace: urn:ietf:params:xml:ns:yang:ietf-key-chain namespace: urn:ietf:params:xml:ns:yang:ietf-key-chain
prefix: key-chain prefix: key-chain
reference: RFC XXXX reference: RFC XXXX
7. Contributors 7. Contributors
Contributors' Addresses Contributors' Addresses
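Review bot: citing [YANG-1.0] for the YANG Module Names registry is correct, since RFC 6020 is the document that created that IANA registry, and the name/namespace/prefix/reference lines match its registration template; the remaining item is the "reference: RFC XXXX" placeholder, which needs a matching note to the RFC Editor requesting that XXXX be replaced with the assigned number, and the namespace string here must stay identical to the one in the XML registry request above and in the module's namespace statement.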
skipping to change at page 18, line 5 skipping to change at page 18, line 5
2012. 2012.
[RFC-KEYWORDS] [RFC-KEYWORDS]
Bradner, S., "Key words for use in RFC's to Indicate Bradner, S., "Key words for use in RFC's to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[XML-REGISTRY] [XML-REGISTRY]
Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
January 2004. January 2004.
[YANG] Bjorklund, M., "The YANG 1.1 Data Modeling Language", RFC [YANG-1.0]
Bjorklund, M., "YANG - A Data Modeling Language for
Network Configuration Protocol (NETCONF)", RFC 6020,
October 2010.
[YANG-1.1]
Bjorklund, M., "The YANG 1.1 Data Modeling Language", RFC
7950, August 2016. 7950, August 2016.
8.2. Informative References 8.2. Informative References
[AES-KEY-WRAP] [AES-KEY-WRAP]
Schaad, J. and R. Housley, "Advanced Encryption Standard Schaad, J. and R. Housley, "Advanced Encryption Standard
(AES) Key Wrap Algorithm", RFC 5649, August 2009. (AES) Key Wrap Algorithm", RFC 5649, August 2009.
[BFD] Katz, D. and D. Ward, "Bidirectional Forwarding Detection [BFD] Katz, D. and D. Ward, "Bidirectional Forwarding Detection
(BFD)", RFC 5880, June 2010. (BFD)", RFC 5880, June 2010.
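Review bot: two title nits in the reference list. The [RFC-KEYWORDS] entry writes "RFC's" where the RFC 2119 title reads "RFCs", and the new [YANG-1.0] entry drops "the" from the RFC 6020 title, which is "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)". Splitting the former [YANG] anchor into [YANG-1.0] and [YANG-1.1] is otherwise consistent with the citations changed in this revision, with [YANG-1.1] for the modeling language and [YANG-1.0] for the IANA registry.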
 End of changes. 9 change blocks. 
12 lines changed or deleted 18 lines changed or added
