This YANG module defines a component that augments the IETF description of an access list to allow (D)TLS profiles as matching criteria.
Version: 2025-04-18
// ietf-acl-tls: augments the RFC 8519 ACL "matches" node with (D)TLS
// client-profile matching criteria. The whole augment is gated on the
// match-on-tls-dtls feature, so a device that does not advertise that
// feature never exposes any of the nodes below.
module ietf-acl-tls {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-acl-tls";
  prefix acl-tls;

  // IANA-maintained (D)TLS parameter typedefs (versions, cipher suites,
  // extension types, groups, signature/compression algorithms, ALPN ids).
  import iana-tls-profile {
    prefix ianatp;
    reference "RFC 9761: Manufacturer Usage Description (MUD) for TLS and DTLS Profiles for Internet of Things (IoT) Devices";
  }
  // Supplies ct:trust-anchor-cert-cms used by accept-list-ta-cert.
  import ietf-crypto-types {
    prefix ct;
    reference "RFC 9640: YANG Data Types and Groupings for Cryptography";
  }
  // Target of the augment statement below.
  import ietf-access-control-list {
    prefix acl;
    reference "RFC 8519: YANG Data Model for Network Access Control Lists (ACLs)";
  }

  organization "IETF OPSAWG (Operations and Management Area Working Group)";
  contact "WG Web: <https://datatracker.ietf.org/wg/opsawg/> WG List: opsawg@ietf.org Author: Tirumaleswar Reddy.K kondtir@gmail.com Author: Dan Wing danwing@gmail.com Author: Blake Anderson blake.anderson@cisco.com ";
  description "This YANG module defines a component that augments the IETF description of an access list to allow (D)TLS profiles as matching criteria. Copyright (c) 2025 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). 
This version of this YANG module is part of RFC 9761; see the RFC itself for full legal notices.";

  revision "2025-04-18" {
    description "Initial revision.";
    reference "RFC 9761: Manufacturer Usage Description (MUD) for TLS and DTLS Profiles for Internet of Things (IoT) Devices";
  }

  // Per-protocol-version capability features. Only tls13 and dtls13 are
  // referenced by if-feature statements inside this module; tls12 and
  // dtls12 are declared for implementations to advertise but gate no
  // node here.
  feature tls12 {
    description "TLS Protocol Version 1.2 is supported.";
    reference "RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2";
  }
  feature tls13 {
    description "TLS Protocol Version 1.3 is supported.";
    reference "RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3";
  }
  feature dtls12 {
    description "DTLS Protocol Version 1.2 is supported.";
    reference "RFC 6347: Datagram Transport Layer Security Version 1.2";
  }
  feature dtls13 {
    description "DTLS Protocol Version 1.3 is supported.";
    reference "RFC 9147: Datagram Transport Layer Security 1.3";
  }
  // Master switch for the augment below.
  feature match-on-tls-dtls {
    description "The networking device can support matching on (D)TLS parameters.";
  }

  // NOTE(review): no leaf in this module (as visible here) uses
  // spki-pin-set; it is exported for other modules but unused locally.
  typedef spki-pin-set {
    type binary;
    description "Subject Public Key Info pin set as discussed in Section 2.4 of RFC 7469.";
  }
  // Plain string with no pattern or length restriction: the schema does
  // not check that the value is a well-formed Distinguished Name, so a
  // consumer that compares it against peer certificates must validate
  // the DN syntax itself.
  typedef certificate-authority {
    type string;
    description "Distinguished Name of Certificate authority as discussed in Section 4.2.4 of RFC 8446.";
  }

  // Adds a client-profiles container to every ACE's matches node.
  // Each tls-dtls-profile entry describes the handshake parameters a
  // client is expected to offer; the device matches (D)TLS parameters
  // against these entries (per the match-on-tls-dtls feature text).
  augment /acl:acls/acl:acl/acl:aces/acl:ace/acl:matches {
    if-feature match-on-tls-dtls;
    description "(D)TLS specific matches.";
    container client-profiles {
      description "A grouping for (D)TLS profiles.";
      list tls-dtls-profile {
        key "name";
        description "A list of (D)TLS version profiles supported by the client.";
        // NOTE(review): the description says spaces and special
        // characters are not allowed, but the type carries only a
        // length constraint (1..64) and no pattern, so the schema does
        // not enforce that rule. Anything relying on the restriction
        // (e.g. using the name in a path or log line) must check it
        // separately.
        leaf name {
          type string {
            length "1..64";
          }
          description "The name of (D)TLS profile; space and special characters are not allowed.";
        }
        leaf-list supported-tls-version {
          type ianatp:tls-version;
          description "TLS versions supported by the client.";
        }
        leaf-list supported-dtls-version {
          type ianatp:dtls-version;
          description "DTLS versions supported by the client.";
        }
        leaf-list cipher-suite {
          type ianatp:cipher-algorithm;
          description "A list 
of cipher suites supported by the client.";
        }
        leaf-list extension-type {
          type ianatp:extension-type;
          description "A list of Extension Types supported by the client.";
        }
        // CMS-encoded trust anchor certificates (type from RFC 9640).
        leaf-list accept-list-ta-cert {
          type ct:trust-anchor-cert-cms;
          description "A list of trust anchor certificates used by the client.";
        }
        // YANG 1.1 if-feature expression: present only when the device
        // supports TLS 1.3 or DTLS 1.3 (PSK modes are a 1.3 concept).
        leaf-list psk-key-exchange-mode {
          if-feature tls13 or dtls13;
          type ianatp:psk-key-exchange-mode;
          description "pre-shared key exchange modes.";
        }
        leaf-list supported-group {
          type ianatp:supported-group;
          description "A list of named groups supported by the client.";
        }
        // Same ianatp:signature-algorithm type as signature-algorithm
        // below, but this one is scoped to certificate signatures and
        // only exists for (D)TLS 1.3.
        leaf-list signature-algorithm-cert {
          if-feature tls13 or dtls13;
          type ianatp:signature-algorithm;
          description "A list signature algorithms the client can validate in X.509 certificates.";
        }
        leaf-list signature-algorithm {
          type ianatp:signature-algorithm;
          description "A list signature algorithms the client can validate in the CertificateVerify message.";
        }
        leaf-list application-protocol {
          type ianatp:application-protocol;
          description "A list application protocols supported by the client.";
        }
        leaf-list cert-compression-algorithm {
          if-feature tls13 or dtls13;
          type ianatp:cert-compression-algorithm;
          description "A list certificate compression algorithms supported by the client.";
        }
        // Uses the local certificate-authority typedef (unconstrained
        // string, see note on the typedef).
        leaf-list certificate-authorities {
          if-feature tls13 or dtls13;
          type certificate-authority;
          description "A list of the distinguished names of certificate authorities acceptable to the client.";
        }
      } // list tls-dtls-profile
    } // container client-profiles
  }
} // module ietf-acl-tls