Updated routing passwords, keychains, password complexity, and other miscellaneous changes

Author: mihirra

release/models/bgp/openconfig-bgp-common.yang

@@ -9,6 +9,8 @@ submodule openconfig-bgp-common {
   import openconfig-routing-policy { prefix oc-rpol; }
   import openconfig-types { prefix oc-types; }
   import openconfig-inet-types { prefix oc-inet; }
+  import openconfig-keychain { prefix "oc-keychain"; }
+
 
   // meta
   organization
@@ -24,7 +26,13 @@ submodule openconfig-bgp-common {
     may be application to a subset of global, peer-group or neighbor
     contexts.";
 
-  oc-ext:openconfig-version "9.8.0";
+  oc-ext:openconfig-version "9.9.0";
+
+  revision "2025-04-13" {
+    description
+      "Add additional security features.";
+    reference "9.9.0";
+  }
 
   revision "2024-09-06" {
     description
@@ -298,6 +306,15 @@ submodule openconfig-bgp-common {
         neighboring devices.";
     }
 
+    leaf key-chain {
+      type leafref {
+        path "/oc-keychain:keychains/oc-keychain:keychain/" +
+           "oc-keychain:name";
+      }
+      description
+        "Configure Key Chain name";
+    }
+
     leaf remove-private-as {
       // could also make this a container with a flag to enable
       // remove-private and separate option.  here, option implies

release/models/firewall/openconfig-fw-high-availability.yang

@@ -272,7 +272,7 @@ module openconfig-fw-high-availability {
     }
 
     leaf ha-key-hashed {
-      type oc-aaa-types:crypt-password-type;
+      type oc-types:crypt-password-type;
         description
           "HA key,used to encrypt & authenticate HA messages between
           the peers, supplied as a hashed value using the notation

release/models/isis/openconfig-isis.yang

@@ -54,7 +54,13 @@ module openconfig-isis {
             +-> { levels config }
             +-> { level adjacencies }";
 
-  oc-ext:openconfig-version "1.7.0";
+  oc-ext:openconfig-version "1.8.0";
+
+  revision "2025-04-13" {
+    description
+      "Add additional security features.";
+    reference "1.8.0";
+  }
 
   revision "2024-02-28" {
     description
@@ -441,6 +447,15 @@ module openconfig-isis {
         "The authentication key used in the applicable IS-IS PDUs. The key in the
         packet may be encrypted according to the configured authentication type.";
     }
+    
+    leaf key-chain {
+      type leafref {
+        path "/oc-keychain:keychains/oc-keychain:keychain/" +
+           "oc-keychain:name";
+      }
+      description
+        "Configure Key Chain name";
+    }
   }
   grouping isis-metric-style-config {
     description

release/models/keychain/openconfig-keychain.yang

@@ -33,7 +33,13 @@ module openconfig-keychain {
     which may be then referenced by other models such as routing protocol
     management.";
 
-  oc-ext:openconfig-version "0.5.0";
+  oc-ext:openconfig-version "0.6.0";
+
+  revision "2025-04-13" {
+    description
+      "Add additional security features.";
+    reference "0.6.0";
+  }
 
 revision "2024-05-30" {
     description
@@ -213,10 +219,15 @@ revision "2024-05-30" {
     }
 
     leaf secret-key {
-      type string;
+      type union {
+        type string;
+        type oc-types:unsecure-routing-password;
+      }
       description
-        "Authentication key supplied as an encrypted value.  The system should store and
-        return the key in encrypted form.";
+        "Authentication key supplied as either plaintext or as an encrypted 
+        value.  The system should store and return the key in encrypted form.
+        For key pairs, the key should be encoded as PEM or hex-encoded DER.
+        See the routing-password section for acceptable encryption techniques.";
     }
 
     leaf crypto-algorithm {

release/models/mpls/openconfig-mpls-ldp.yang

@@ -13,6 +13,8 @@ module openconfig-mpls-ldp {
   import openconfig-interfaces { prefix oc-if; }
   import openconfig-yang-types { prefix oc-yang; }
   import openconfig-types { prefix oc-types; }
+  import openconfig-keychain { prefix "oc-keychain"; }
+
 
   // meta
   organization "OpenConfig working group";
@@ -43,7 +45,13 @@ module openconfig-mpls-ldp {
     Section 4.c of the IETF Trust's Legal Provisions Relating
     to IETF Documents (http://trustee.ietf.org/license-info).";
 
-  oc-ext:openconfig-version "3.2.1";
+  oc-ext:openconfig-version "3.3.0";
+
+  revision "2025-04-13" {
+    description
+      "Add additional security features.";
+    reference "3.3.0";
+  }
 
   revision "2023-02-06" {
     description
@@ -959,6 +967,15 @@ module openconfig-mpls-ldp {
         "RFC1321 The MD5 Message-Digest Algorithm
         RFC5036 LDP Specification";
     }
+
+    leaf key-chain {
+      type leafref {
+        path "/oc-keychain:keychains/oc-keychain:keychain/" +
+           "oc-keychain:name";
+      }
+      description
+        "Configure Key Chain name";
+    }
   }
 
   grouping admin-config {

release/models/mpls/openconfig-mpls-rsvp.yang

@@ -14,6 +14,7 @@ module openconfig-mpls-rsvp {
   import openconfig-types { prefix oc-types; }
   import openconfig-extensions { prefix oc-ext; }
   import openconfig-interfaces { prefix oc-if; }
+  import openconfig-keychain { prefix "oc-keychain"; }
 
 
   // meta
@@ -28,7 +29,13 @@ module openconfig-mpls-rsvp {
      parameters and LSP-specific configuration for constrained-path
      LSPs";
 
-  oc-ext:openconfig-version "4.0.1";
+  oc-ext:openconfig-version "4.1.0";
+
+  revision "2025-04-13" {
+    description
+      "Add additional security features.";
+    reference "4.1.0";
+  }
 
   revision "2023-02-06" {
     description
@@ -377,6 +384,15 @@ module openconfig-mpls-rsvp {
       reference
         "RFC 2747: RSVP Cryptographic Authentication";
     }
+
+    leaf key-chain {
+      type leafref {
+        path "/oc-keychain:keychains/oc-keychain:keychain/" +
+           "oc-keychain:name";
+      }
+      description
+        "Configure Key Chain name";
+    }
   }
 
   grouping mpls-rsvp-authentication {

release/models/system/openconfig-aaa-radius.yang

@@ -12,6 +12,7 @@ submodule openconfig-aaa-radius {
   import openconfig-aaa-types { prefix oc-aaa-types; }
   import openconfig-types { prefix oc-types; }
   import openconfig-yang-types { prefix oc-yang; }
+  import openconfig-keychain { prefix "oc-keychain"; }
 
 
   // meta
@@ -26,7 +27,13 @@ submodule openconfig-aaa-radius {
     related to the RADIUS protocol for authentication,
     authorization, and accounting.";
 
-  oc-ext:openconfig-version "1.0.0";
+  oc-ext:openconfig-version "1.1.0";
+
+  revision "2025-04-13" {
+    description
+      "Add additional security features.";
+    reference "1.1.0";
+  }
 
   revision "2022-07-29" {
     description
@@ -110,8 +117,17 @@ submodule openconfig-aaa-radius {
         server and the device.";
     }
 
+    leaf key-chain {
+      type leafref {
+        path "/oc-keychain:keychains/oc-keychain:keychain/" +
+           "oc-keychain:name";
+      }
+      description
+        "Configure Key Chain name";
+    }
+
     leaf secret-key-hashed {
-      type oc-aaa-types:crypt-password-type;
+      type oc-types:crypt-password-type;
       description
         "The hashed shared key used between the authentication
         server and the device.";

release/models/system/openconfig-aaa-tacacs.yang

@@ -11,6 +11,7 @@ submodule openconfig-aaa-tacacs {
   import openconfig-extensions { prefix oc-ext; }
   import openconfig-aaa-types { prefix oc-aaa-types; }
   import openconfig-types { prefix oc-types; }
+  import openconfig-keychain { prefix "oc-keychain"; }
 
 
   // meta
@@ -25,7 +26,13 @@ submodule openconfig-aaa-tacacs {
     related to the TACACS+ protocol for authentication,
     authorization, and accounting.";
 
-  oc-ext:openconfig-version "1.0.0";
+  oc-ext:openconfig-version "1.1.0";
+
+  revision "2025-04-13" {
+    description
+      "Add additional security features.";
+    reference "1.1.0";
+  }
 
   revision "2022-07-29" {
     description
@@ -103,8 +110,17 @@ submodule openconfig-aaa-tacacs {
         server and the device.";
     }
 
+    leaf key-chain {
+      type leafref {
+        path "/oc-keychain:keychains/oc-keychain:keychain/" +
+           "oc-keychain:name";
+      }
+      description
+        "Configure Key Chain name";
+    }
+
     leaf secret-key-hashed {
-      type oc-aaa-types:crypt-password-type;
+      type oc-types:crypt-password-type;
       description
         "The hashed shared key used between the authentication
         server and the device.";

release/models/system/openconfig-aaa-types.yang

@@ -146,27 +146,4 @@ module openconfig-aaa-types {
 
   // typedef statements
 
-  typedef crypt-password-type {
-    type string;
-    description
-      "A password that is hashed based on the hash algorithm
-      indicated by the prefix in the string.  The string
-      takes the following form, based on the Unix crypt function:
-
-      $<id>[$<param>=<value>(,<param>=<value>)*][$<salt>[$<hash>]]
-
-      Common hash functions include:
-
-      id  | hash function
-       ---+---------------
-        1 | MD5
-        2a| Blowfish
-        2y| Blowfish (correct handling of 8-bit chars)
-        5 | SHA-256
-        6 | SHA-512
-
-      These may not all be supported by a target device.";
-  }
-
-
 }

release/models/system/openconfig-system-grpc.yang

@@ -23,10 +23,16 @@ module openconfig-system-grpc {
     to be included in the list.";
 
 
-  oc-ext:openconfig-version "1.1.0";
+  oc-ext:openconfig-version "1.2.0";
   oc-ext:catalog-organization "openconfig";
   oc-ext:origin "openconfig";
 
+  revision "2025-04-13" {
+    description
+      "Add additional security features.";
+    reference "1.2.0";
+  }
+
   revision "2024-05-29" {
     description
       "Add support for gRPC connections.";
@@ -63,6 +69,14 @@ module openconfig-system-grpc {
       "gNMI: gRPC Network Management Interface";
   }
 
+  identity GNOI {
+    base GRPC_SERVICE;
+    description
+      "gNOI: gRPC Network Operations Interface (Must at least support 
+      Certificate Management and File Transfer, which is used to 
+      upload the database of weak passwords)";
+  }
+
   grouping grpc-service-structural {
     description
       "Structural grouping for gRPC services that can be enabled on