-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathexample-device-data-model.yang
147 lines (135 loc) · 4.29 KB
/
example-device-data-model.yang
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
module example-device-data-model {
yang-version 1.1;
namespace "https://example.com/sztp-device-data-model";
prefix sztp-ddm;
import ietf-inet-types {
prefix inet;
reference "RFC 6991: Common YANG Data Types";
}
import ietf-crypto-types {
prefix ct;
revision-date 2018-06-04;
description
"This revision is defined in the -00 version of
draft-ietf-netconf-crypto-types";
reference
"draft-ietf-netconf-crypto-types:
Common YANG Data Types for Cryptography";
}
import ietf-trust-anchors {
prefix ta;
revision-date 2018-06-04;
description
"This revision is defined in -00 version of
draft-ietf-netconf-trust-anchors.";
reference
"draft-ietf-netconf-trust-anchors:
YANG Data Model for Global Trust Anchors";
}
organization
"Example Corporation";
contact
"Author: Bootstrap Admin <mailto:admin@example.com>";
description
"This module defines a data model to enable SZTP
bootstrapping and discover what parameters are used.
This module assumes the use of an IDevID certificate,
as opposed to any other client certificate, or the
use of an HTTP-based client authentication scheme.";
revision YYYY-MM-DD {
description
"Initial version";
reference
"RFC XXXX: Secure Zero Touch Provisioning (SZTP)";
}
// features
feature bootstrap-servers {
description
"The device supports bootstrapping off bootstrap servers.";
}
feature signed-data {
description
"The device supports bootstrapping off signed data.";
}
// protocol accessible nodes
container sztp {
description
"Top-level container for SZTP data model.";
leaf enabled {
type boolean;
default false;
description
"The 'enabled' leaf controls if SZTP bootstrapping is
enabled or disabled. The default is 'false' so that, when
not enabled, which is most of the time, no configuration
is needed.";
}
leaf idevid-certificate {
if-feature bootstrap-servers;
type ct:end-entity-cert-cms;
config false;
description
"This CMS structure contains the IEEE 802.1AR-2009
IDevID certificate itself, and all intermediate
certificates leading up to, and optionally including,
the manufacturer's well-known trust anchor certificate
for IDevID certificates. The well-known trust anchor
does not have to be a self-signed certificate.";
reference
"IEEE 802.1AR-2009:
IEEE Standard for Local and metropolitan area
networks - Secure Device Identity.";
}
container bootstrap-servers {
if-feature bootstrap-servers;
config false;
description
"List of bootstrap servers this device will attempt
to reach out to when bootstrapping.";
list bootstrap-server {
key "address";
description
"A bootstrap server entry.";
leaf address {
type inet:host;
mandatory true;
description
"The IP address or hostname of the bootstrap server the
device should redirect to.";
}
leaf port {
type inet:port-number;
default "443";
description
"The port number the bootstrap server listens on. If no
port is specified, the IANA-assigned port for 'https'
(443) is used.";
}
}
}
container bootstrap-server-trust-anchors {
if-feature bootstrap-servers;
config false;
description "Container for a list of trust anchor references.";
leaf-list reference {
type ta:pinned-certificates-ref;
description
"A reference to a list of pinned certificate authority (CA)
certificates that the device uses to validate bootstrap
servers with.";
}
}
container voucher-trust-anchors {
if-feature signed-data;
config false;
description "Container for a list of trust anchor references.";
leaf-list reference {
type ta:pinned-certificates-ref;
description
"A reference to a list of pinned certificate authority (CA)
certificates that the device uses to validate ownership
vouchers with.";
}
}
}
}