module ietf-sztp-conveyed-info {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-sztp-conveyed-info";
prefix sztp-info;
import ietf-yang-types {
prefix yang;
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-inet-types {
prefix inet;
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-restconf {
prefix rc;
reference
"RFC 8040: RESTCONF Protocol";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web:
WG List:
Author: Kent Watsen ";
description
"This module defines the data model for the conveyed
information artifact defined in RFC 8572 ('Secure Zero Touch
Provisioning (SZTP)').
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.
Copyright (c) 2019 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 8572; see the
RFC itself for full legal notices.";
revision 2019-04-30 {
description
"Initial version";
reference
"RFC 8572: Secure Zero Touch Provisioning (SZTP)";
}
// identities
identity hash-algorithm {
description
"A base identity for hash algorithm verification.";
}
identity sha-256 {
base hash-algorithm;
description
"The SHA-256 algorithm.";
reference
"RFC 6234: US Secure Hash Algorithms";
}
// typedefs
typedef cms {
type binary;
description
"A ContentInfo structure, as specified in RFC 5652,
encoded using ASN.1 distinguished encoding rules (DER),
as specified in ITU-T X.690.";
reference
"RFC 5652:
Cryptographic Message Syntax (CMS)
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER)";
}
// yang-data
rc:yang-data conveyed-information {
choice information-type {
mandatory true;
description
"This choice statement ensures the response contains
redirect-information or onboarding-information.";
container redirect-information {
description
"Redirect information is described in Section 2.1 of
RFC 8572. Its purpose is to redirect a device to
another bootstrap server.";
reference
"RFC 8572: Secure Zero Touch Provisioning (SZTP)";
list bootstrap-server {
key "address";
min-elements 1;
description
"A bootstrap server entry.";
leaf address {
type inet:host;
mandatory true;
description
"The IP address or hostname of the bootstrap server the
device should redirect to.";
}
leaf port {
type inet:port-number;
default "443";
description
"The port number the bootstrap server listens on. If no
port is specified, the IANA-assigned port for 'https'
(443) is used.";
}
leaf trust-anchor {
type cms;
description
"A CMS structure that MUST contain the chain of
X.509 certificates needed to authenticate the TLS
certificate presented by this bootstrap server.
The CMS MUST only contain a single chain of
certificates. The bootstrap server MUST only
authenticate to last intermediate CA certificate
listed in the chain.
In all cases, the chain MUST include a self-signed
root certificate. In the case where the root
certificate is itself the issuer of the bootstrap
server's TLS certificate, only one certificate
is present.
If needed by the device, this CMS structure MAY
also contain suitably fresh revocation objects
with which the device can verify the revocation
status of the certificates.
This CMS encodes the degenerate form of the SignedData
structure that is commonly used to disseminate X.509
certificates and revocation objects (RFC 5280).";
reference
"RFC 5280:
Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile";
}
}
}
container onboarding-information {
description
"Onboarding information is described in Section 2.2 of
RFC 8572. Its purpose is to provide the device everything
it needs to bootstrap itself.";
reference
"RFC 8572: Secure Zero Touch Provisioning (SZTP)";
container boot-image {
description
"Specifies criteria for the boot image the device MUST
be running, as well as information enabling the device
to install the required boot image.";
leaf os-name {
type string;
description
"The name of the operating system software the device
MUST be running in order to not require a software
image upgrade (e.g., VendorOS).";
}
leaf os-version {
type string;
description
"The version of the operating system software the
device MUST be running in order to not require a
software image upgrade (e.g., 17.3R2.1).";
}
leaf-list download-uri {
type inet:uri;
ordered-by user;
description
"An ordered list of URIs to where the same boot image
file may be obtained. How the URI schemes (http, ftp,
etc.) a device supports are known is vendor specific.
If a secure scheme (e.g., https) is provided, a device
MAY establish an untrusted connection to the remote
server, by blindly accepting the server's end-entity
certificate, to obtain the boot image.";
}
list image-verification {
must '../download-uri' {
description
"Download URIs must be provided if an image is to
be verified.";
}
key "hash-algorithm";
description
"A list of hash values that a device can use to verify
boot image files with.";
leaf hash-algorithm {
type identityref {
base hash-algorithm;
}
description
"Identifies the hash algorithm used.";
}
leaf hash-value {
type yang:hex-string;
mandatory true;
description
"The hex-encoded value of the specified hash
algorithm over the contents of the boot image
file.";
}
}
}
leaf configuration-handling {
type enumeration {
enum merge {
description
"Merge configuration into the running datastore.";
}
enum replace {
description
"Replace the existing running datastore with the
passed configuration.";
}
}
must '../configuration';
description
"This enumeration indicates how the server should process
the provided configuration.";
}
leaf pre-configuration-script {
type script;
description
"A script that, when present, is executed before the
configuration has been processed.";
}
leaf configuration {
type binary;
must '../configuration-handling';
description
"Any configuration known to the device. The use of
the 'binary' type enables content (e.g., XML) to be
embedded into a JSON document. The exact encoding
of the content, as with the scripts, is vendor
specific.";
}
leaf post-configuration-script {
type script;
description
"A script that, when present, is executed after the
configuration has been processed.";
}
}
}
}
typedef script {
type binary;
description
"A device-specific script that enables the execution of
commands to perform actions not possible thru configuration
alone.
No attempt is made to standardize the contents, running
context, or programming language of the script, other than
that it can indicate if any warnings or errors occurred and
can emit output. The contents of the script are considered
specific to the vendor, product line, and/or model of the
device.
If the script execution indicates that a warning occurred,
then the device MUST assume that the script had a soft error
that the script believes will not affect manageability.
If the script execution indicates that an error occurred,
the device MUST assume the script had a hard error that the
script believes will affect manageability. In this case,
the script is required to gracefully exit, removing any
state that might hinder the device's ability to continue
the bootstrapping sequence (e.g., process onboarding
information obtained from another bootstrap server).";
}
}