netconfcentral logo

ietf-zerotouch-information@2018-12-20



  module ietf-zerotouch-information {

    yang-version 1.1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-zerotouch-information";

    prefix zti;

    import ietf-yang-types {
      prefix yang;
      reference
        "RFC 6991: Common YANG Data Types";


    }
    import ietf-inet-types {
      prefix inet;
      reference
        "RFC 6991: Common YANG Data Types";


    }
    import ietf-yang-data-ext {
      prefix yd;
      reference
        "I-D.ietf-netmod-yang-data-ext: YANG Data Extensions";


    }

    organization
      "IETF NETCONF (Network Configuration) Working Group";

    contact
      "WG Web:   http://tools.ietf.org/wg/netconf
     WG List:  <mailto:netconf@ietf.org>
     Author:   Kent Watsen <mailto:kwatsen@juniper.net>";

    description
      "This module defines the data model for the Zero Touch
    Information artifact defined in RFC XXXX: Zero Touch
    Provisioning for Networking Devices.

    The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
    'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
    'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
    are to be interpreted as described in BCP 14 [RFC2119]
    [RFC8174] when, and only when, they appear in all
    capitals, as shown here.
    Copyright (c) 2019 IETF Trust and the persons identified as
    authors of the code. All rights reserved.

    Redistribution and use in source and binary forms, with or
    without modification, is permitted pursuant to, and subject
    to the license terms contained in, the Simplified BSD License
    set forth in Section 4.c of the IETF Trust's Legal Provisions
    Relating to IETF Documents (http://trustee.ietf.org/license-info)

    This version of this YANG module is part of RFC XXXX; see the
    RFC itself for full legal notices.";

    revision "2018-12-20" {
      description "Initial version";
      reference
        "RFC XXXX: Zero Touch Provisioning for Networking Devices";

    }

    yd:yang-data "zerotouch-information" {
      choice "information-type" {
        mandatory "true";
        description "This choice statement ensures the response contains
redirect-information or onboarding-information.";
        container "redirect-information" {
          description "Redirect information is described in Section 2.1 in
RFC XXXX.  Its purpose is to redirect a device to
another bootstrap server.";
          reference "RFC XXXX: Zero Touch Provisioning for Networking Devices";
          list "bootstrap-server" {
            key "address";
            min-elements "1";
            description "A bootstrap server entry.";
            leaf "address" {
              type "inet:host";
              mandatory "true";
              description "The IP address or hostname of the bootstrap server the
device should redirect to.";
            }
            leaf "port" {
              type "inet:port-number";
              default "443";
              description "The port number the bootstrap server listens on.  If no
port is specified, the IANA-assigned port for 'https'
(443) is used.";
            }
            leaf "trust-anchor" {
              type "cms";
              description "A CMS structure that MUST contain the chain of
X.509 certificates needed to authenticate the TLS
certificate presented by this bootstrap server.

The CMS MUST only contain a single chain of
certificates.  The bootstrap server MUST only
authenticate to last intermediate CA certificate
listed in the chain.
In all cases, the chain MUST include a self-signed
root certificate.  In the case where the root
certificate is itself the issuer of the bootstrap
server's TLS certificate, only one certificate
is present.

If needed by the device, this CMS structure MAY
also contain suitably fresh revocation objects
with which the device can verify the revocation
status of the certificates.

This CMS encodes the degenerate form of the SignedData
structure that is commonly used to disseminate X.509
certificates and revocation objects (RFC 5280).";
              reference "RFC 5280:
  Internet X.509 Public Key Infrastructure Certificate
  and Certificate Revocation List (CRL) Profile.";
            }
          }
        }
        container "onboarding-information" {
          description "Onboarding information is described in Section 2.2 in
RFC XXXX.  Its purpose is to provide the device everything
it needs to bootstrap itself.";
          reference "RFC XXXX: Zero Touch Provisioning for Networking Devices";
          container "boot-image" {
            description "Specifies criteria for the boot image the device MUST
be running, as well as information enabling the device
to install the required boot image.";
            leaf "os-name" {
              type "string";
              description "The name of the operating system software the device
MUST be running in order to not require a software
image upgrade (ex. VendorOS).";
            }
            leaf "os-version" {
              type "string";
              description "The version of the operating system software the
device MUST be running in order to not require a
software image upgrade (ex. 17.3R2.1).";
            }
            leaf-list "download-uri" {
              type "inet:uri";
              ordered-by "user";
              description "An ordered list of URIs to where the same boot image
file may be obtained.  How the URI schemes (http, ftp,
etc.) a device supports are known is vendor specific.
If a secure scheme (e.g., https) is provided, a device
MAY establish an untrusted connection to the remote
server, by blindly accepting the server's end-entity
certificate, to obtain the boot image.";
            }
            list "image-verification" {
              must "../download-uri" {
                description "Download URIs must be provided if an image is to
be verified.";
              }
              key "hash-algorithm";
              description "A list of hash values that a device can use to verify
boot image files with.";
              leaf "hash-algorithm" {
                type "identityref" {
                  base "hash-algorithm";
                }
                description "Identifies the hash algorithm used.";
              }
              leaf "hash-value" {
                type "yang:hex-string";
                mandatory "true";
                description "The hex-encoded value of the specified hash
algorithm over the contents of the boot image
file.";
              }
            }
          }
          leaf "configuration-handling" {
            type "enumeration" {
              enum "merge" {
                description "Merge configuration into the running datastore.";
              }
              enum "replace" {
                description "Replace the existing running datastore with the
passed configuration.";
              }
            }
            must "../configuration";
            description "This enumeration indicates how the server should process
the provided configuration.";
          }
          leaf "pre-configuration-script" {
            type "script";
            description "A script that, when present, is executed before the
configuration has been processed.";
          }
          leaf "configuration" {
            type "binary";
            must "../configuration-handling";
            description "Any configuration known to the device.  The use of
the 'binary' type enables e.g., XML-content to be
embedded into a JSON document.  The exact encoding
of the content, as with the scripts, is vendor
specific.";
          }
          leaf "post-configuration-script" {
            type "script";
            description "A script that, when present, is executed after the
configuration has been processed.";
          }
        }
      }
    }

    identity hash-algorithm {
      base 
      description
        "A base identity for hash algorithm verification";
    }

    identity sha-256 {
      base hash-algorithm;
      description "The SHA-256 algorithm.";
      reference
        "RFC 6234: US Secure Hash Algorithms.";

    }

    typedef cms {
      type binary;
      description
        "A ContentInfo structure, as specified in RFC 5652,
       encoded using ASN.1 distinguished encoding rules (DER),
       as specified in ITU-T X.690.";
      reference
        "RFC 5652:
          Cryptographic Message Syntax (CMS)
        ITU-T X.690:
          Information technology - ASN.1 encoding rules:
          Specification of Basic Encoding Rules (BER),
          Canonical Encoding Rules (CER) and Distinguished
          Encoding Rules (DER).";

    }

    typedef script {
      type binary;
      description
        "A device specific script that enables the execution of
       commands to perform actions not possible thru configuration
       alone.

       No attempt is made to standardize the contents, running
       context, or programming language of the script, other than
       that it can indicate if any warnings or errors occurred and
       can emit output.  The contents of the script are considered
       specific to the vendor, product line, and/or model of the
       device.

       If the script execution indicates that an warning occurred,
       then the device MUST assume that the script had a soft error
       that the script believes will not affect manageability.

       If the script execution indicates that an error occurred,
       the device MUST assume the script had a hard error that the
       script believes will affect manageability.  In this case,
       the script is required to gracefully exit, removing any
       state that might hinder the device's ability to continue
       the bootstrapping sequence (e.g., process onboarding
       information obtained from another bootstrap server).";
    }
  }  // module ietf-zerotouch-information