| ietf-sztp-bootstrap-server@2019-03-31.yang | ietf-sztp-bootstrap-server@2019-03-31-formatted.yang | |||
|---|---|---|---|---|
| module ietf-sztp-bootstrap-server { | module ietf-sztp-bootstrap-server { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-sztp-bootstrap-server"; | namespace "urn:ietf:params:xml:ns:yang:ietf-sztp-bootstrap-server"; | |||
| prefix sztp-svr; | prefix sztp-svr; | |||
| organization | organization | |||
| "IETF NETCONF (Network Configuration) Working Group"; | "IETF NETCONF (Network Configuration) Working Group"; | |||
| contact | contact | |||
| "WG Web: <https://datatracker.ietf.org/wg/netconf/> | "WG Web: <https://datatracker.ietf.org/wg/netconf/> | |||
| WG List: <mailto:netconf@ietf.org> | WG List: <mailto:netconf@ietf.org> | |||
| Author: Kent Watsen <mailto:kwatsen@juniper.net>"; | Author: Kent Watsen <mailto:kwatsen@juniper.net>"; | |||
| description | description | |||
| "This module defines an interface for bootstrap servers, as | "This module defines an interface for bootstrap servers, as | |||
| defined by RFC 8572 ('Secure Zero Touch Provisioning (SZTP)'). | defined by RFC 8572 ('Secure Zero Touch Provisioning (SZTP)'). | |||
| The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | |||
| 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | |||
| 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | |||
| are to be interpreted as described in BCP 14 (RFC 2119) | are to be interpreted as described in BCP 14 (RFC 2119) | |||
| (RFC 8174) when, and only when, they appear in all | (RFC 8174) when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| Copyright (c) 2019 IETF Trust and the persons identified as | Copyright (c) 2019 IETF Trust and the persons identified as | |||
| authors of the code. All rights reserved. | authors of the code. All rights reserved. | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
| to the license terms contained in, the Simplified BSD License | to the license terms contained in, the Simplified BSD License | |||
| set forth in Section 4.c of the IETF Trust's Legal Provisions | set forth in Section 4.c of the IETF Trust's Legal Provisions | |||
| Relating to IETF Documents | Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC 8572; see the | This version of this YANG module is part of RFC 8572; see the | |||
| RFC itself for full legal notices."; | RFC itself for full legal notices."; | |||
| revision 2019-03-31 { | revision 2019-03-31 { | |||
| description | description | |||
| "Initial version"; | "Initial version"; | |||
| reference | reference | |||
| "RFC 8572: Secure Zero Touch Provisioning (SZTP)"; | "RFC 8572: Secure Zero Touch Provisioning (SZTP)"; | |||
| } | } | |||
| // features | // features | |||
| feature redirect-server { | feature redirect-server { | |||
| description | description | |||
| "The server supports being a 'redirect server'."; | "The server supports being a 'redirect server'."; | |||
| } | } | |||
| feature onboarding-server { | feature onboarding-server { | |||
| description | description | |||
| "The server supports being an 'onboarding server'."; | "The server supports being an 'onboarding server'."; | |||
| } | } | |||
| // typedefs | // typedefs | |||
| typedef cms { | typedef cms { | |||
| type binary; | type binary; | |||
| description | description | |||
| "A CMS structure, as specified in RFC 5652, encoded using | "A CMS structure, as specified in RFC 5652, encoded using | |||
| ASN.1 distinguished encoding rules (DER), as specified in | ASN.1 distinguished encoding rules (DER), as specified in | |||
| ITU-T X.690."; | ITU-T X.690."; | |||
| skipping to change at line 147 ¶ | skipping to change at line 146 ¶ | |||
| can dynamically obtain from the manufacturer a | can dynamically obtain from the manufacturer a | |||
| voucher with the nonce value in it, as described | voucher with the nonce value in it, as described | |||
| in RFC 8366."; | in RFC 8366."; | |||
| reference | reference | |||
| "RFC 8366: | "RFC 8366: | |||
| A Voucher Artifact for Bootstrapping Protocols"; | A Voucher Artifact for Bootstrapping Protocols"; | |||
| } | } | |||
| } | } | |||
| output { | output { | |||
| leaf reporting-level { | leaf reporting-level { | |||
| if-feature onboarding-server; | if-feature "onboarding-server"; | |||
| type enumeration { | type enumeration { | |||
| enum standard { | enum standard { | |||
| description | description | |||
| "Send just the progress reports required by RFC 8572."; | "Send just the progress reports required by RFC 8572."; | |||
| reference | reference | |||
| "RFC 8572: Secure Zero Touch Provisioning (SZTP)"; | "RFC 8572: Secure Zero Touch Provisioning (SZTP)"; | |||
| } | } | |||
| enum verbose { | enum verbose { | |||
| description | description | |||
| "Send additional progress reports that might help | "Send additional progress reports that might help | |||
| troubleshooting an SZTP bootstrapping issue."; | troubleshooting an SZTP bootstrapping issue."; | |||
| } | } | |||
| } | } | |||
| default standard; | default "standard"; | |||
| description | description | |||
| "Specifies the reporting level for progress reports the | "Specifies the reporting level for progress reports the | |||
| bootstrap server would like to receive when processing | bootstrap server would like to receive when processing | |||
| onboarding information. Progress reports are not sent | onboarding information. Progress reports are not sent | |||
| when processing redirect information or when the | when processing redirect information or when the | |||
| bootstrap server is untrusted (e.g., device sent the | bootstrap server is untrusted (e.g., device sent the | |||
| '<signed-data-preferred>' input parameter)."; | '<signed-data-preferred>' input parameter)."; | |||
| } | } | |||
| leaf conveyed-information { | leaf conveyed-information { | |||
| type cms; | type cms; | |||
| skipping to change at line 213 ¶ | skipping to change at line 212 ¶ | |||
| 3.3 of RFC 8572. This leaf is optional because it is | 3.3 of RFC 8572. This leaf is optional because it is | |||
| only needed when the conveyed information artifact is | only needed when the conveyed information artifact is | |||
| signed."; | signed."; | |||
| reference | reference | |||
| "RFC 8572: Secure Zero Touch Provisioning (SZTP)"; | "RFC 8572: Secure Zero Touch Provisioning (SZTP)"; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| rpc report-progress { | rpc report-progress { | |||
| if-feature onboarding-server; | if-feature "onboarding-server"; | |||
| description | description | |||
| "This RPC enables a device, as identified by the RESTCONF | "This RPC enables a device, as identified by the RESTCONF | |||
| username, to report its bootstrapping progress to the | username, to report its bootstrapping progress to the | |||
| bootstrap server. This RPC is expected to be used when | bootstrap server. This RPC is expected to be used when | |||
| the device obtains onboarding-information from a trusted | the device obtains onboarding-information from a trusted | |||
| bootstrap server."; | bootstrap server."; | |||
| input { | input { | |||
| leaf progress-type { | leaf progress-type { | |||
| type enumeration { | type enumeration { | |||
| enum "bootstrap-initiated" { | enum bootstrap-initiated { | |||
| description | description | |||
| "Indicates that the device just used the | "Indicates that the device just used the | |||
| 'get-bootstrapping-data' RPC. The 'message' node | 'get-bootstrapping-data' RPC. The 'message' node | |||
| below MAY contain any additional information that | below MAY contain any additional information that | |||
| the manufacturer thinks might be useful."; | the manufacturer thinks might be useful."; | |||
| } | } | |||
| enum "parsing-initiated" { | enum parsing-initiated { | |||
| description | description | |||
| "Indicates that the device is about to start parsing | "Indicates that the device is about to start parsing | |||
| the onboarding information. This progress type is | the onboarding information. This progress type is | |||
| only for when parsing is implemented as a distinct | only for when parsing is implemented as a distinct | |||
| step."; | step."; | |||
| } | } | |||
| enum "parsing-warning" { | enum parsing-warning { | |||
| description | description | |||
| "Indicates that the device had a non-fatal error when | "Indicates that the device had a non-fatal error when | |||
| parsing the response from the bootstrap server. The | parsing the response from the bootstrap server. The | |||
| 'message' node below SHOULD indicate the specific | 'message' node below SHOULD indicate the specific | |||
| warning that occurred."; | warning that occurred."; | |||
| } | } | |||
| enum "parsing-error" { | enum parsing-error { | |||
| description | description | |||
| "Indicates that the device encountered a fatal error | "Indicates that the device encountered a fatal error | |||
| when parsing the response from the bootstrap server. | when parsing the response from the bootstrap server. | |||
| For instance, this could be due to malformed encoding, | For instance, this could be due to malformed encoding, | |||
| the device expecting signed data when only unsigned | the device expecting signed data when only unsigned | |||
| data is provided, the ownership voucher not listing | data is provided, the ownership voucher not listing | |||
| the device's serial number, or because the signature | the device's serial number, or because the signature | |||
| didn't match. The 'message' node below SHOULD | didn't match. The 'message' node below SHOULD | |||
| indicate the specific error. This progress type | indicate the specific error. This progress type | |||
| also indicates that the device has abandoned trying | also indicates that the device has abandoned trying | |||
| to bootstrap off this bootstrap server."; | to bootstrap off this bootstrap server."; | |||
| } | } | |||
| enum "parsing-complete" { | enum parsing-complete { | |||
| description | description | |||
| "Indicates that the device successfully completed | "Indicates that the device successfully completed | |||
| parsing the onboarding information. This progress | parsing the onboarding information. This progress | |||
| type is only for when parsing is implemented as a | type is only for when parsing is implemented as a | |||
| distinct step."; | distinct step."; | |||
| } | } | |||
| enum "boot-image-initiated" { | enum boot-image-initiated { | |||
| description | description | |||
| "Indicates that the device is about to start | "Indicates that the device is about to start | |||
| processing the boot-image information."; | processing the boot-image information."; | |||
| } | } | |||
| enum "boot-image-warning" { | enum boot-image-warning { | |||
| description | description | |||
| "Indicates that the device encountered a non-fatal | "Indicates that the device encountered a non-fatal | |||
| error condition when trying to install a boot-image. | error condition when trying to install a boot-image. | |||
| A possible reason might include a need to reformat a | A possible reason might include a need to reformat a | |||
| partition causing loss of data. The 'message' node | partition causing loss of data. The 'message' node | |||
| below SHOULD indicate any warning messages that were | below SHOULD indicate any warning messages that were | |||
| generated."; | generated."; | |||
| } | } | |||
| enum "boot-image-error" { | enum boot-image-error { | |||
| description | description | |||
| "Indicates that the device encountered an error when | "Indicates that the device encountered an error when | |||
| trying to install a boot-image, which could be for | trying to install a boot-image, which could be for | |||
| reasons such as a file server being unreachable, | reasons such as a file server being unreachable, | |||
| file not found, signature mismatch, etc. The | file not found, signature mismatch, etc. The | |||
| 'message' node SHOULD indicate the specific error | 'message' node SHOULD indicate the specific error | |||
| that occurred. This progress type also indicates | that occurred. This progress type also indicates | |||
| that the device has abandoned trying to bootstrap | that the device has abandoned trying to bootstrap | |||
| off this bootstrap server."; | off this bootstrap server."; | |||
| } | } | |||
| enum "boot-image-mismatch" { | enum boot-image-mismatch { | |||
| description | description | |||
| "Indicates that the device has determined that | "Indicates that the device has determined that | |||
| it is not running the correct boot image. This | it is not running the correct boot image. This | |||
| message SHOULD precipitate trying to download | message SHOULD precipitate trying to download | |||
| a boot image."; | a boot image."; | |||
| } | } | |||
| enum "boot-image-installed-rebooting" { | enum boot-image-installed-rebooting { | |||
| description | description | |||
| "Indicates that the device successfully installed | "Indicates that the device successfully installed | |||
| a new boot image and is about to reboot. After | a new boot image and is about to reboot. After | |||
| sending this progress type, the device is not | sending this progress type, the device is not | |||
| expected to access the bootstrap server again | expected to access the bootstrap server again | |||
| for this bootstrapping attempt."; | for this bootstrapping attempt."; | |||
| } | } | |||
| enum "boot-image-complete" { | enum boot-image-complete { | |||
| description | description | |||
| "Indicates that the device believes that it is | "Indicates that the device believes that it is | |||
| running the correct boot-image."; | running the correct boot-image."; | |||
| } | } | |||
| enum "pre-script-initiated" { | enum pre-script-initiated { | |||
| description | description | |||
| "Indicates that the device is about to execute the | "Indicates that the device is about to execute the | |||
| 'pre-configuration-script'."; | 'pre-configuration-script'."; | |||
| } | } | |||
| enum "pre-script-warning" { | enum pre-script-warning { | |||
| description | description | |||
| "Indicates that the device obtained a warning from the | "Indicates that the device obtained a warning from the | |||
| 'pre-configuration-script' when it was executed. The | 'pre-configuration-script' when it was executed. The | |||
| 'message' node below SHOULD capture any output the | 'message' node below SHOULD capture any output the | |||
| script produces."; | script produces."; | |||
| } | } | |||
| enum "pre-script-error" { | enum pre-script-error { | |||
| description | description | |||
| "Indicates that the device obtained an error from the | "Indicates that the device obtained an error from the | |||
| 'pre-configuration-script' when it was executed. The | 'pre-configuration-script' when it was executed. The | |||
| 'message' node below SHOULD capture any output the | 'message' node below SHOULD capture any output the | |||
| script produces. This progress type also indicates | script produces. This progress type also indicates | |||
| that the device has abandoned trying to bootstrap | that the device has abandoned trying to bootstrap | |||
| off this bootstrap server."; | off this bootstrap server."; | |||
| } | } | |||
| enum "pre-script-complete" { | enum pre-script-complete { | |||
| description | description | |||
| "Indicates that the device successfully executed the | "Indicates that the device successfully executed the | |||
| 'pre-configuration-script'."; | 'pre-configuration-script'."; | |||
| } | } | |||
| enum "config-initiated" { | enum config-initiated { | |||
| description | description | |||
| "Indicates that the device is about to commit the | "Indicates that the device is about to commit the | |||
| initial configuration."; | initial configuration."; | |||
| } | } | |||
| enum "config-warning" { | enum config-warning { | |||
| description | description | |||
| "Indicates that the device obtained warning messages | "Indicates that the device obtained warning messages | |||
| when it committed the initial configuration. The | when it committed the initial configuration. The | |||
| 'message' node below SHOULD indicate any warning | 'message' node below SHOULD indicate any warning | |||
| messages that were generated."; | messages that were generated."; | |||
| } | } | |||
| enum "config-error" { | enum config-error { | |||
| description | description | |||
| "Indicates that the device obtained error messages | "Indicates that the device obtained error messages | |||
| when it committed the initial configuration. The | when it committed the initial configuration. The | |||
| 'message' node below SHOULD indicate the error | 'message' node below SHOULD indicate the error | |||
| messages that were generated. This progress type | messages that were generated. This progress type | |||
| also indicates that the device has abandoned trying | also indicates that the device has abandoned trying | |||
| to bootstrap off this bootstrap server."; | to bootstrap off this bootstrap server."; | |||
| } | } | |||
| enum "config-complete" { | enum config-complete { | |||
| description | description | |||
| "Indicates that the device successfully committed | "Indicates that the device successfully committed | |||
| the initial configuration."; | the initial configuration."; | |||
| } | } | |||
| enum "post-script-initiated" { | enum post-script-initiated { | |||
| description | description | |||
| "Indicates that the device is about to execute the | "Indicates that the device is about to execute the | |||
| 'post-configuration-script'."; | 'post-configuration-script'."; | |||
| } | } | |||
| enum "post-script-warning" { | enum post-script-warning { | |||
| description | description | |||
| "Indicates that the device obtained a warning from the | "Indicates that the device obtained a warning from the | |||
| 'post-configuration-script' when it was executed. The | 'post-configuration-script' when it was executed. The | |||
| 'message' node below SHOULD capture any output the | 'message' node below SHOULD capture any output the | |||
| script produces."; | script produces."; | |||
| } | } | |||
| enum "post-script-error" { | enum post-script-error { | |||
| description | description | |||
| "Indicates that the device obtained an error from the | "Indicates that the device obtained an error from the | |||
| 'post-configuration-script' when it was executed. The | 'post-configuration-script' when it was executed. The | |||
| 'message' node below SHOULD capture any output the | 'message' node below SHOULD capture any output the | |||
| script produces. This progress type also indicates | script produces. This progress type also indicates | |||
| that the device has abandoned trying to bootstrap | that the device has abandoned trying to bootstrap | |||
| off this bootstrap server."; | off this bootstrap server."; | |||
| } | } | |||
| enum "post-script-complete" { | enum post-script-complete { | |||
| description | description | |||
| "Indicates that the device successfully executed the | "Indicates that the device successfully executed the | |||
| 'post-configuration-script'."; | 'post-configuration-script'."; | |||
| } | } | |||
| enum "bootstrap-warning" { | enum bootstrap-warning { | |||
| description | description | |||
| "Indicates that a warning condition occurred for which | "Indicates that a warning condition occurred for which | |||
| no other 'progress-type' enumeration is deemed | no other 'progress-type' enumeration is deemed | |||
| suitable. The 'message' node below SHOULD describe | suitable. The 'message' node below SHOULD describe | |||
| the warning."; | the warning."; | |||
| } | } | |||
| enum "bootstrap-error" { | enum bootstrap-error { | |||
| description | description | |||
| "Indicates that an error condition occurred for which | "Indicates that an error condition occurred for which | |||
| no other 'progress-type' enumeration is deemed | no other 'progress-type' enumeration is deemed | |||
| suitable. The 'message' node below SHOULD describe | suitable. The 'message' node below SHOULD describe | |||
| the error. This progress type also indicates that | the error. This progress type also indicates that | |||
| the device has abandoned trying to bootstrap off | the device has abandoned trying to bootstrap off | |||
| this bootstrap server."; | this bootstrap server."; | |||
| } | } | |||
| enum "bootstrap-complete" { | enum bootstrap-complete { | |||
| description | description | |||
| "Indicates that the device successfully processed | "Indicates that the device successfully processed | |||
| all 'onboarding-information' provided and that it | all 'onboarding-information' provided and that it | |||
| is ready to be managed. The 'message' node below | is ready to be managed. The 'message' node below | |||
| MAY contain any additional information that the | MAY contain any additional information that the | |||
| manufacturer thinks might be useful. After sending | manufacturer thinks might be useful. After sending | |||
| this progress type, the device is not expected to | this progress type, the device is not expected to | |||
| access the bootstrap server again."; | access the bootstrap server again."; | |||
| } | } | |||
| enum "informational" { | enum informational { | |||
| description | description | |||
| "Indicates any additional information not captured | "Indicates any additional information not captured | |||
| by any of the other progress types. For instance, | by any of the other progress types. For instance, | |||
| a message indicating that the device is about to | a message indicating that the device is about to | |||
| reboot after having installed a boot-image could | reboot after having installed a boot-image could | |||
| be provided. The 'message' node below SHOULD | be provided. The 'message' node below SHOULD | |||
| contain information that the manufacturer thinks | contain information that the manufacturer thinks | |||
| might be useful."; | might be useful."; | |||
| } | } | |||
| } | } | |||
| skipping to change at line 502 ¶ | skipping to change at line 501 ¶ | |||
| to this device (e.g., restconf-tls, netconf-tls, or | to this device (e.g., restconf-tls, netconf-tls, or | |||
| even netconf-ssh with X.509 support from RFC 6187). | even netconf-ssh with X.509 support from RFC 6187). | |||
| In practice, trust anchors for IDevID certificates do | In practice, trust anchors for IDevID certificates do | |||
| not need to be conveyed using this mechanism."; | not need to be conveyed using this mechanism."; | |||
| reference | reference | |||
| "RFC 6187: X.509v3 Certificates for Secure Shell | "RFC 6187: X.509v3 Certificates for Secure Shell | |||
| Authentication"; | Authentication"; | |||
| leaf-list trust-anchor-cert { | leaf-list trust-anchor-cert { | |||
| type cms; | type cms; | |||
| description | description | |||
| "A CMS structure whose topmost content type MUST be the | "A CMS structure whose topmost content type MUST be the | |||
| signed-data content type, as described by Section 5 of | signed-data content type, as described by Section 5 of | |||
| RFC 5652. | RFC 5652. | |||
| The CMS MUST contain the chain of X.509 certificates | The CMS MUST contain the chain of X.509 certificates | |||
| needed to authenticate the certificate presented by | needed to authenticate the certificate presented by | |||
| the device. | the device. | |||
| The CMS MUST contain only a single chain of | The CMS MUST contain only a single chain of | |||
| certificates. The last certificate in the chain | certificates. The last certificate in the chain | |||
| MUST be the issuer for the device's end-entity | MUST be the issuer for the device's end-entity | |||
| certificate. | certificate. | |||
| In all cases, the chain MUST include a self-signed | In all cases, the chain MUST include a self-signed | |||
| root certificate. In the case where the root | root certificate. In the case where the root | |||
| certificate is itself the issuer of the device's | certificate is itself the issuer of the device's | |||
| end-entity certificate, only one certificate is | end-entity certificate, only one certificate is | |||
| present. | present. | |||
| This CMS encodes the degenerate form of the SignedData | This CMS encodes the degenerate form of the SignedData | |||
| structure that is commonly used to disseminate X.509 | structure that is commonly used to disseminate X.509 | |||
| certificates and revocation objects (RFC 5280)."; | certificates and revocation objects (RFC 5280)."; | |||
| reference | reference | |||
| "RFC 5280: Internet X.509 Public Key Infrastructure | "RFC 5280: Internet X.509 Public Key Infrastructure | |||
| Certificate and Certificate Revocation List | Certificate and Certificate Revocation List | |||
| (CRL) Profile | (CRL) Profile | |||
| RFC 5652: Cryptographic Message Syntax (CMS)"; | RFC 5652: Cryptographic Message Syntax (CMS)"; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| End of changes. 45 change blocks. | ||||
| 82 lines changed or deleted | 81 lines changed or added | |||
| This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||