-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathietf-sztp-conveyed-info.yang
291 lines (267 loc) · 10.2 KB
/
ietf-sztp-conveyed-info.yang
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
module ietf-sztp-conveyed-info {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-sztp-conveyed-info";
prefix sztp-info;
import ietf-yang-types {
prefix yang;
reference "RFC 6991: Common YANG Data Types";
}
import ietf-inet-types {
prefix inet;
reference "RFC 6991: Common YANG Data Types";
}
import ietf-restconf {
prefix rc;
reference "RFC 8040: RESTCONF Protocol";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web: http://tools.ietf.org/wg/netconf
WG List: <mailto:netconf@ietf.org>
Author: Kent Watsen <mailto:kwatsen@juniper.net>";
description
"This module defines the data model for the Conveyed
Information artifact defined in RFC XXXX: Secure Zero Touch
Provisioning (SZTP).
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119,
RFC 8174) when, and only when, they appear in all
capitals, as shown here.
Copyright (c) 2019 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents (http://trustee.ietf.org/license-info)
This version of this YANG module is part of RFC XXXX; see the
RFC itself for full legal notices.";
revision YYYY-MM-DD {
description
"Initial version";
reference
"RFC XXXX: Secure Zero Touch Provisioning (SZTP)";
}
// identities
identity hash-algorithm {
description
"A base identity for hash algorithm verification";
}
identity sha-256 {
base "hash-algorithm";
description "The SHA-256 algorithm.";
reference "RFC 6234: US Secure Hash Algorithms.";
}
// typedefs
typedef cms {
type binary;
description
"A ContentInfo structure, as specified in RFC 5652,
encoded using ASN.1 distinguished encoding rules (DER),
as specified in ITU-T X.690.";
reference
"RFC 5652:
Cryptographic Message Syntax (CMS)
ITU-T X.690:
Information technology – ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
// yang-data
rc:yang-data "conveyed-information" {
choice information-type {
mandatory true;
description
"This choice statement ensures the response contains
redirect-information or onboarding-information.";
container redirect-information {
description
"Redirect information is described in Section 2.1 in
RFC XXXX. Its purpose is to redirect a device to
another bootstrap server.";
reference
"RFC XXXX: Secure Zero Touch Provisioning (SZTP)";
list bootstrap-server {
key "address";
min-elements 1;
description
"A bootstrap server entry.";
leaf address {
type inet:host;
mandatory true;
description
"The IP address or hostname of the bootstrap server the
device should redirect to.";
}
leaf port {
type inet:port-number;
default "443";
description
"The port number the bootstrap server listens on. If no
port is specified, the IANA-assigned port for 'https'
(443) is used.";
}
leaf trust-anchor {
type cms;
description
"A CMS structure that MUST contain the chain of
X.509 certificates needed to authenticate the TLS
certificate presented by this bootstrap server.
The CMS MUST only contain a single chain of
certificates. The bootstrap server MUST only
authenticate to last intermediate CA certificate
listed in the chain.
In all cases, the chain MUST include a self-signed
root certificate. In the case where the root
certificate is itself the issuer of the bootstrap
server's TLS certificate, only one certificate
is present.
If needed by the device, this CMS structure MAY
also contain suitably fresh revocation objects
with which the device can verify the revocation
status of the certificates.
This CMS encodes the degenerate form of the SignedData
structure that is commonly used to disseminate X.509
certificates and revocation objects (RFC 5280).";
reference
"RFC 5280:
Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile.";
}
}
}
container onboarding-information {
description
"Onboarding information is described in Section 2.2 in
RFC XXXX. Its purpose is to provide the device everything
it needs to bootstrap itself.";
reference
"RFC XXXX: Secure Zero Touch Provisioning (SZTP)";
container boot-image {
description
"Specifies criteria for the boot image the device MUST
be running, as well as information enabling the device
to install the required boot image.";
leaf os-name {
type string;
description
"The name of the operating system software the device
MUST be running in order to not require a software
image upgrade (ex. VendorOS).";
}
leaf os-version {
type string;
description
"The version of the operating system software the
device MUST be running in order to not require a
software image upgrade (ex. 17.3R2.1).";
}
leaf-list download-uri {
type inet:uri;
ordered-by user;
description
"An ordered list of URIs to where the same boot image
file may be obtained. How the URI schemes (http, ftp,
etc.) a device supports are known is vendor specific.
If a secure scheme (e.g., https) is provided, a device
MAY establish an untrusted connection to the remote
server, by blindly accepting the server's end-entity
certificate, to obtain the boot image.";
}
list image-verification {
must '../download-uri' {
description
"Download URIs must be provided if an image is to
be verified.";
}
key hash-algorithm;
description
"A list of hash values that a device can use to verify
boot image files with.";
leaf hash-algorithm {
type identityref {
base "hash-algorithm";
}
description
"Identifies the hash algorithm used.";
}
leaf hash-value {
type yang:hex-string;
mandatory true;
description
"The hex-encoded value of the specified hash
algorithm over the contents of the boot image
file.";
}
}
}
leaf configuration-handling {
type enumeration {
enum "merge" {
description
"Merge configuration into the running datastore.";
}
enum "replace" {
description
"Replace the existing running datastore with the
passed configuration.";
}
}
must '../configuration';
description
"This enumeration indicates how the server should process
the provided configuration.";
}
leaf pre-configuration-script {
type script;
description
"A script that, when present, is executed before the
configuration has been processed.";
}
leaf configuration {
type binary;
must '../configuration-handling';
description
"Any configuration known to the device. The use of
the 'binary' type enables e.g., XML-content to be
embedded into a JSON document. The exact encoding
of the content, as with the scripts, is vendor
specific.";
}
leaf post-configuration-script {
type script;
description
"A script that, when present, is executed after the
configuration has been processed.";
}
}
}
}
typedef script {
type binary;
description
"A device specific script that enables the execution of
commands to perform actions not possible thru configuration
alone.
No attempt is made to standardize the contents, running
context, or programming language of the script, other than
that it can indicate if any warnings or errors occurred and
can emit output. The contents of the script are considered
specific to the vendor, product line, and/or model of the
device.
If the script execution indicates that an warning occurred,
then the device MUST assume that the script had a soft error
that the script believes will not affect manageability.
If the script execution indicates that an error occurred,
the device MUST assume the script had a hard error that the
script believes will affect manageability. In this case,
the script is required to gracefully exit, removing any
state that might hinder the device's ability to continue
the bootstrapping sequence (e.g., process onboarding
information obtained from another bootstrap server).";
}
}