module ietf-zerotouch-device {
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-zerotouch-device";
prefix ztd;
import ietf-inet-types {
prefix inet;
reference "RFC 6991: Common YANG Data Types";
}
import ietf-keystore {
prefix ks;
reference 'RFC YYYY: YANG Data Model for a "Keystore" Mechanism';
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web:
WG List:
Author: Kent Watsen ";
description
"This module defines a data model to enable zerotouch
bootstrapping and discover what parameters are used.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY',
and 'OPTIONAL' in the module text are to be interpreted as
described in RFC 2119.
Copyright (c) 2017 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents (http://trustee.ietf.org/license-info)
This version of this YANG module is part of RFC XXXX; see the
RFC itself for full legal notices.";
revision 2017-10-19 {
description
"Initial version";
reference
"RFC XXXX: Zero Touch Provisioning for NETCONF or RESTCONF based
Management";
}
// features
feature bootstrap-servers {
description
"The device supports bootstrapping off bootstrap servers.";
}
feature signed-data {
description
"The device supports bootstrapping off signed data.";
}
// typedefs
typedef pkcs7 {
type binary;
description
"A PKCS #7 SignedData structure, as specified by Section 9.1
in RFC 2315, encoded using ASN.1 distinguished encoding rules
(DER), as specified in ITU-T X.690.";
reference
"RFC 2315:
PKCS #7: Cryptographic Message Syntax Version 1.5.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
// protocol accessible nodes
container zerotouch {
description
"Top-level container for zerotouch data model.";
leaf enabled {
type boolean;
default false;
description
"The 'enabled' leaf controls if zerotouch bootstrapping is
enabled or disabled. The default is 'false' so that, when
not enabled, which is most of the time, no configuration
needs to be returned.";
}
leaf devid-certificate {
if-feature bootstrap-servers;
type pkcs7;
config false;
description
"An unsigned PKCS #7 SignedData structure, as specified by
Section 9.1 in RFC 2315, encoded using ASN.1 distinguished
encoding rules (DER), as specified in ITU-T X.690.
This structure contains the IDevID certificate and all
intermediate certificates leading up to the manufacturer's
well-known trust anchor certificate. IDevID certificates
are described in IEEE 802.1AR-2009.";
reference
"RFC 2315:
PKCS #7: Cryptographic Message Syntax Version 1.5.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).
IEEE 802.1AR-2009:
IEEE Standard for Local and metropolitan area
networks - Secure Device Identity.";
}
container bootstrap-servers {
if-feature bootstrap-servers;
config false;
description
"Default list of bootstrap servers this device is
configured to reach out to when bootstrapping.";
list bootstrap-server {
key "address";
description
"A bootstrap server entry.";
leaf address {
type inet:host;
mandatory true;
description
"The IP address or hostname of the bootstrap server the
device should redirect to.";
}
leaf port {
type inet:port-number;
default "443";
description
"The port number the bootstrap server listens on. If no
port is specified, the IANA-assigned port for 'https'
(443) is used.";
}
}
}
leaf bootstrap-server-ta-certificates {
if-feature bootstrap-servers;
type leafref {
path "/ks:keystore/ks:pinned-certificates/ks:name";
}
config false;
description
"A reference to a list of pinned certificate authority (CA)
certificates that the device uses to validate bootstrap
servers with.";
}
leaf voucher-ta-certificates {
if-feature signed-data;
type leafref {
path "/ks:keystore/ks:pinned-certificates/ks:name";
}
config false;
description
"A reference to a list of pinned certificate authority (CA)
certificates that the device uses to validate ownership
vouchers with.";
}
}
}