openconfig-keychain

This module describes a YANG model for keychain configuration and management. These keys can be changed frequently to increase s...

  • Version: 2022-03-05

    openconfig-keychain@2022-03-05


    
      module openconfig-keychain {
    
        yang-version 1;
    
        namespace
          "http://openconfig.net/yang/oc-keychain";
    
        prefix oc-keychain;
    
        import openconfig-extensions {
          prefix oc-ext;
        }
        import openconfig-keychain-types {
          prefix oc-keychain-types;
        }
        import openconfig-types {
          prefix oc-types;
        }
    
        organization "OpenConfig working group";
    
        contact
          "OpenConfig working group
    www.openconfig.net";
    
        description
          "This module describes a YANG model for keychain configuration
    and management. These keys can be changed frequently to
    increase security in long-lived connections. A keychain can be used
    for authenticaion in a number of scenarios, including in routing protocols
    (e.g. BGP, IS-IS, OSPF).  A keychain provides a solution for storing
    a number of different keys, each key string value is associated with a
    specific key id, name, the lifetime that the key is valid and an
    encryption algorithm.
    
    This model defines a central location for defining named keychains,
    which may be then referenced by other models such as routing protocol
    management.";
    
        revision "2022-03-05" {
          description
            "Add prefix qualification to keychain-ref";
          reference
            "0.3.0";
    
        }
    
        revision "2021-12-31" {
          description
            "Add keychain-ref type to allow for a resuable reference to a keychain.";
          reference
            "0.2.0";
    
        }
    
        revision "2021-10-01" {
          description
            "Initial revision of keychain model.";
          reference
            "0.1.0";
    
        }
    
        oc-ext:openconfig-version "0.3.0";
    
        typedef keychain-ref {
          type leafref {
            path "/oc-keychain:keychains/oc-keychain:keychain/oc-keychain:config/oc-keychain:name";
          }
          description
            "A reference to a keychain defined on the system that can be used by
    modules that require access to keychains.";
        }
    
        grouping valid-lifetime-config {
          description
            "This grouping defines key begin lifetime parameters.";
          leaf start-time {
            type oc-types:timeticks64;
            description
              "The time at which the key becomes valid for use.
    The value is the timestamp in nanoseconds relative to
    the Unix Epoch (Jan 1, 1970 00:00:00 UTC).";
          }
    
          leaf end-time {
            type oc-types:timeticks64;
            description
              "The time at which the key becomes invalid for use.
    The value is the timestamp in nanoseconds relative to
    the Unix Epoch (Jan 1, 1970 00:00:00 UTC).
    
    Leaving this value unset, or setting it to 0, indicates that
    the key remains valid forever (no end time).";
          }
        }  // grouping valid-lifetime-config
    
        grouping lifetime-symmetry-config {
          description
            "Grouping to define configuration data for managing how
    send and receive lifetime are specified.";
          leaf send-and-receive {
            type boolean;
            default "true";
            description
              "When this is set to true (the default value), the specified
    send lifetime is also used in the receive direction.  When set
    to false, the device should use the specified receive-lifetime
    for the receive direction (asymmetric mode).  If send-and-receive
    is false, and the device does not support asymmetric configuration,
    the config should be rejected as unsupported.";
          }
        }  // grouping lifetime-symmetry-config
    
        grouping lifetime-base {
          description
            "This grouping defines key lifetime parameters.";
          container send-lifetime {
            description
              "Specifies the lifetime of the key for sending authentication
    information to the peer.";
            container config {
              description
                "Configuration data for key send lifetime.";
              uses valid-lifetime-config;
    
              uses lifetime-symmetry-config;
            }  // container config
    
            container state {
              config false;
              description
                "Operational state data for key send lifetime.";
              uses valid-lifetime-config;
    
              uses lifetime-symmetry-config;
            }  // container state
          }  // container send-lifetime
    
          container receive-lifetime {
            description
              "Specify the validity lifetime of the key in the receive direction.
    Some platforms may only support symmetric send and receive lifetimes,
    in which case the receive-lifetime is typically not specified.";
            container config {
              description
                "Configuration data for key receive lifetime.";
              uses valid-lifetime-config;
            }  // container config
    
            container state {
              config false;
              description
                "Operational state data for key receive lifetime.";
              uses valid-lifetime-config;
            }  // container state
          }  // container receive-lifetime
        }  // grouping lifetime-base
    
        grouping keychain-base-config {
          description
            "This grouping defines key-chain parameters.";
          leaf name {
            type string;
            description "Keychain name.";
          }
    
          leaf tolerance {
            type union {
              type enumeration {
                enum "FOREVER" {
                  value 0;
                  description
                    "Receive key does not expire (equivalent to infinite tolerance).";
                }
              }
              type uint32;
            }
            description
              "Tolerance (overlap time) that a receive key should be accepted.  May be
    expressed as range in seconds, or using the FOREVER value to indicate
    that the key does not expire.  The default value should be 0, i.e., no
    tolerance.";
          }
        }  // grouping keychain-base-config
    
        grouping keychain-key-config {
          description
            "This grouping defines key-chain key parameters.";
          leaf key-id {
            type uint64;
            description
              "Identifier for the key within the keychain.";
          }
    
          leaf secret-key {
            type string;
            description
              "Authentication key supplied as an encrypted value.  The system should store and
    return the key in encrypted form.";
          }
    
          leaf crypto-algorithm {
            type identityref {
              base oc-keychain-types:CRYPTO_TYPE;
            }
            description
              "Cryptographic algorithm associated with the key.  Note that not all cryptographic
    algorithms are available in all contexts (e.g., across different protocols).";
          }
        }  // grouping keychain-key-config
    
        grouping keychain-key-base {
          description
            "This grouping defines keychain parameters";
          container keys {
            description
              "list of keys to be stored";
            list key {
              key "key-id";
              description
                "List of configured keys for the keychain.";
              leaf key-id {
                type leafref {
                  path "../config/key-id";
                }
                description
                  "Reference to key id.";
              }
    
              container config {
                description
                  "This container defines keychain key configuration.";
                uses keychain-key-config;
              }  // container config
    
              container state {
                config false;
                description
                  "This container defines keychain key state.";
                uses keychain-key-config;
              }  // container state
    
              uses lifetime-base;
            }  // list key
          }  // container keys
        }  // grouping keychain-key-base
    
        grouping keychain-common-base {
          description
            "This grouping defines keychain parameters";
          container config {
            description
              "This container defines keychain configuration.";
            uses keychain-base-config;
          }  // container config
    
          container state {
            config false;
            description
              "This container defines keychain state information.";
            uses keychain-base-config;
          }  // container state
        }  // grouping keychain-common-base
    
        grouping keychain-top {
          description
            "This grouping define top level structure.";
          container keychains {
            description
              "This container defines keychains.";
            list keychain {
              key "name";
              description
                "List of defined keychains.";
              leaf name {
                type leafref {
                  path "../config/name";
                }
                description
                  "Reference to configured keychain name";
              }
    
              uses keychain-common-base;
    
              uses keychain-key-base;
            }  // list keychain
          }  // container keychains
        }  // grouping keychain-top
    
        uses keychain-top;
      }  // module openconfig-keychain
    

© 2023 YumaWorks, Inc. All rights reserved.