Security Automation and Continuous Monitoring (SACM)              Q. Lin
Internet-Draft                                                    L. Xia
Intended status: Standards Track                                  Huawei
Expires: April 25, 2019                                      H. Birkholz
                                                          Fraunhofer SIT
                                                        October 22, 2018

   The Data Model of Network Infrastructure Device Management Plane
                           Security Baseline
              draft-lin-sacm-nid-mp-security-baseline-04

Abstract

   This document provides a security baseline for the network device
   management plane, represented as a YANG data model.  The
   corresponding configuration values and status values of the YANG
   data model can be transported between Security Automation and
   Continuous Monitoring (SACM) components and used for network device
   security posture assessment.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 25, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Lin, et al.              Expires April 25, 2019                 [Page 1]

Internet-Draft     Network Device Management Plane Security  October 2018

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language  . . . . . . . . . . . . . . . . . . .   3
   3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Tree Diagrams  . . . . . . . . . . . . . . . . . . . . . . .   4
   5.  Data Model Structure . . . . . . . . . . . . . . . . . . . .   4
     5.1.  Administration Security  . . . . . . . . . . . . . . . .   5
       5.1.1.  Administrative Account Security  . . . . . . . . . .   5
       5.1.2.  Administrator Access Security  . . . . . . . . . . .   6
       5.1.3.  AAA  . . . . . . . . . . . . . . . . . . . . . . . .   9
       5.1.4.  Administrator Access Statistics  . . . . . . . . . .  10
     5.2.  System Management Security . . . . . . . . . . . . . . .  11
       5.2.1.  SNMP Management Security . . . . . . . . . . . . . .  11
       5.2.2.  NETCONF Management Security  . . . . . . . . . . . .  13
     5.3.  Port Management Security . . . . . . . . . . . . . . . .  13
     5.4.  Log Security . . . . . . . . . . . . . . . . . . . . . .  14
     5.5.  File Security  . . . . . . . . . . . . . . . . . . . . .  14
   6.  Network Infrastructure Device Security Baseline Yang Module .  15
     6.1.  Module 'ietf-admin-account-security' . . . . . . . . . .  15
     6.2.  Module 'ietf-admin-access-security'  . . . . . . . . . .  18
     6.3.  Module 'ietf-aaa-security' . . . . . . . . . . . . . . .  28
     6.4.  Module 'ietf-admin-access-statistics'  . . . . . . . . .  35
     6.5.  Module 'ietf-snmp-security'  . . . . . . . . . . . . . .  38
     6.6.  Module 'ietf-netconf-security' . . . . . . . . . . . . .  46
     6.7.  Module 'ietf-port-management-security' . . . . . . . . .  50
   7.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . .  52
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . .  52
   9.  Security Considerations  . . . . . . . . . . . . . . . . . .  52
   10. References . . . . . . . . . . . . . . . . . . . . . . . . .  52
     10.1.  Normative References  . . . . . . . . . . . . . . . . .  52
     10.2.  Informative References  . . . . . . . . . . . . . . . .  53
   Appendix A.  . . . . . . . . . . . . . . . . . . . . . . . . . .  54
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .  56

1.  Introduction

   Besides user devices and servers, network devices such as routers,
   switches, and firewalls are crucial to enterprise network security.
   The security baseline defined in this document refers to a minimal
   set of security controls that are essential to provide network
   security.  Organizations can define additional security controls
   based on the security baseline.  The security posture of network
   devices can then be assessed by comparing the configuration values
   and status values with the required security controls.

   Network devices typically perform three planes of operation: the
   management plane, the control plane and the data plane.  All three
   planes should be protected and monitored.  This document focuses on
   the security baseline for the management plane.  The management
   plane provides configuration and monitoring services to network
   administrators or device owners.  Unauthorized access, insecure
   access channels and weak cryptographic algorithms are common
   security issues that break management plane security.  A number of
   security best practices have been proposed to deal with these
   issues, such as disabling unused services and ports, discarding
   insecure access channels, and enforcing strong user authentication
   and authorization.  In this document, we provide a minimal set of
   security controls that are expected to be widely applicable to
   common network devices.
   To assess the security posture of network devices, the
   configurations that are effective on the network devices and the
   current status of the network devices are compared with the
   reference values defined by an organization or a third party.  A
   YANG data model is used to describe the security baseline defined in
   this document.  [I-D.birkholz-sacm-yang-content] defines a method to
   construct the YANG data model scheme for network device security
   posture assessment by brokering YANG push telemetry through SACM
   statements.  In this document, we follow the same approach to define
   the YANG output for network device security posture based on
   [I-D.ietf-sacm-information-model].

   Besides the management plane, the security baselines for the control
   plane, the data plane, and the infrastructure layer of network
   infrastructure devices are described in
   [I-D.dong-sacm-nid-cp-security-baseline],
   [I-D.xia-sacm-nid-dp-security-baseline] and
   [I-D.dong-sacm-nid-infra-security-baseline] respectively.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Terminology

   This document uses the terms defined in [RFC7950] and [RFC8342].

4.  Tree Diagrams

   The tree diagram notation defined in [RFC8340] is used to represent
   the YANG data model of network device management plane security.
   The meaning of the symbols used in the tree diagrams and the syntax
   are as follows:

   o  A module is identified by "module:" followed by the module-name.
      The top-level data nodes defined in the module are offset by 2
      spaces.  Submodules are represented in the same fashion as
      modules, but are identified by "submodule:" followed by the
      (sub)module-name.

   o  Groupings are offset by 2 spaces and identified by the keyword
      "grouping" followed by the name of the grouping and a colon (":")
      character.

   o  Each node in the tree is prefaced with "+--".  Schema nodes that
      are children of another node are offset from the parent by 3
      spaces.

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" means state data (read-only), and "-u"
      indicates the use of a predefined grouping.

   o  Symbols after data node names: "?" means an optional leaf,
      choice, anydata, or anyxml, "!" means a presence container, and
      "*" denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are
      also marked with a colon (":").

   o  At times when the composition of the nodes within a module schema
      is not important in the context of the presented tree, sibling
      nodes and their children can be collapsed using the notation
      "..." in place of the text lines used to represent the summarized
      nodes.

   o  Curly brackets and a question mark "{...}?" are combined to
      represent the features that a node depends on.

5.  Data Model Structure

   The security baseline defined in this document consists of security
   configuration and runtime security status for administration, system
   management, port management, logs and files:

   o  Administration security

   o  System management security

   o  Port management security

   o  Log security

   o  File security

   A multitude of YANG modules for network devices and network
   protocols have been defined in the IETF.  Several RFCs and drafts
   model some parts of management plane security, but an overall data
   model of management plane security is still missing.  New modules,
   groupings, and nodes are defined in this document as supplements,
   and existing YANG modules are reused.  Appendix A provides a summary
   of existing YANG modules and their relationship to the security
   baseline defined in this document.

5.1.  Administration Security

5.1.1.  Administrative Account Security

   When providing administrative accounts, security controls on account
   properties and passwords should be applied.  The commonly applied
   security controls include limiting the length of the account name,
   checking that the password complies with the complexity policy,
   forbidding the use of certain strings in passwords, blocking
   accounts after several failed logins, etc.  The following data model
   illustrates these kinds of security controls.

   module: ietf-admin-account-security
     +--rw ietf-admin-account-security
        +--rw account-security-policy {account-security}?
        |  +--rw policy-status?          boolean
        |  +--rw account-aging-period?   uint64
        |  +--rw account-name-minlen?    uint64
        +--rw pwd-security-policy {pwd-security}?
        |  +--rw expire-days?            uint64
        |  +--rw prompt-days?            uint64
        |  +--rw change-check?           boolean
        |  +--rw complexity-check?       boolean
        |  +--ro history-pwd-num?        uint64
        |  +--rw pwd-minlen?             uint64
        |  +--rw forbidden-word-rules?
        |     +--rw forbidden-word-rule* [forbidden-word]
        |        +--rw forbidden-word    string
        +--rw login-failed-limit {login-failed-block}?
           +--rw failed-times?           uint64
           +--rw period?                 uint64
           +--rw reactive-time?          uint64

5.1.2.  Administrator Access Security

   Network devices can typically be managed through a command line
   interface (CLI) or a web user interface.  Insecure access channels
   (e.g., Telnet) can expose the devices to threats and attacks.
   Therefore, SSH-based access channels and HTTPS-based web channels
   should be used.  Besides, the right version of the protocols should
   be chosen.  For example, SSHv1 is considered not secure, and SSHv2
   is recommended.  Draft [I-D.ietf-tls-oldversions-deprecate] will
   formally deprecate Transport Layer Security (TLS) versions 1.0
   [RFC2246] and 1.1 [RFC4346] and move these documents to the historic
   state.
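   The password controls listed in Section 5.1.1 (pwd-minlen,
   complexity-check, forbidden-word-rules, history-pwd-num, expire-days
   and prompt-days) worked through as device-side acceptance logic.
   This is an added example, not code from the draft or from any
   vendor: the POLICY instance is constructed (RFC 7951 style
   module-qualified naming), and the concrete complexity rule (three of
   four character classes, account name not contained in the password)
   is an assumption, since the data model only exposes complexity-check
   as a boolean.

```python
"""Device-side password acceptance check modelled on the
pwd-security-policy container of ietf-admin-account-security
(Section 5.1.1).  Added example, not code from the draft."""
import hashlib
import re

# Constructed sample instance of the password policy actively in use.
POLICY = {
    "ietf-admin-account-security:pwd-security-policy": {
        "expire-days": 90,
        "prompt-days": 7,
        "change-check": True,
        "complexity-check": True,
        "history-pwd-num": 5,
        "pwd-minlen": 12,
        "forbidden-word-rules": {
            "forbidden-word-rule": [
                {"forbidden-word": "password"},
                {"forbidden-word": "admin"},
            ]
        },
    }
}

# Assumed complexity rule (the model only carries complexity-check as a
# boolean): at least three of four character classes, and the account
# name must not appear inside the password.
_CLASSES = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]


def password_digest(password):
    # Stand-in for the device's stored password hash; a real device keeps
    # a salted, slow hash of each historical password, never plaintext.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _pwd_policy(policy):
    return policy["ietf-admin-account-security:pwd-security-policy"]


def forbidden_words(policy):
    """Lower-cased forbidden-word list taken from forbidden-word-rules."""
    rules = _pwd_policy(policy).get("forbidden-word-rules", {})
    return [r["forbidden-word"].lower() for r in rules.get("forbidden-word-rule", [])]


def check_password(policy, account, candidate, history_digests=()):
    """Return the list of violated controls; an empty list means accepted.

    history_digests: digests of earlier passwords, most recent first;
    only the newest history-pwd-num of them are compared.
    """
    pwd = _pwd_policy(policy)
    violations = []
    if len(candidate) < pwd.get("pwd-minlen", 0):
        violations.append("pwd-minlen")
    if pwd.get("complexity-check"):
        classes = sum(1 for c in _CLASSES if c.search(candidate))
        if classes < 3 or account.lower() in candidate.lower():
            violations.append("complexity-check")
    lowered = candidate.lower()
    violations.extend("forbidden-word:" + w for w in forbidden_words(policy) if w in lowered)
    keep = pwd.get("history-pwd-num", 0)
    if password_digest(candidate) in list(history_digests)[:keep]:
        violations.append("history-pwd-num")
    return violations


def password_age_state(policy, age_days):
    """Map a password's age onto the expire-days / prompt-days windows."""
    pwd = _pwd_policy(policy)
    expire = pwd.get("expire-days")
    if expire is None:
        return "no-expiry"
    if age_days >= expire:
        return "expired"
    if age_days >= expire - pwd.get("prompt-days", 0):
        return "expiring-soon"
    return "valid"


if __name__ == "__main__":
    print(check_password(POLICY, "admin01", "MyPassword2024!"))
    print(password_age_state(POLICY, 85))
```

   The history comparison is done on digests on purpose: the
   history-pwd-num leaf is read-only state, and what a device actually
   retains is a hash of each past password, so an assessor never needs
   the plaintext to evaluate the control.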
   module: ietf-admin-access-security
     +--rw ietf-admin-access-security
        +--rw console
        |  +--rw auth-mode?               auth-mode-type
        |  +--rw privilege-level?         uint8
        +--rw vtys
        |  +--rw vty* [vty-number]
        |     +--rw vty-number            uint8
        |     +--rw auth-mode             auth-mode-type
        |     +--rw privilege-level       uint8
        |     +--rw acl-name-list*        string
        |     +--rw ip-block-enable       boolean
        |     +--rw ip-block-limit {ip-block-config}?
        |        +--rw failed-times?      uint64
        |        +--rw period?            uint64
        |        +--rw reactive-time?     uint64
        +--rw ssh
        |  +--rw ssh-enable?              boolean
        |  +---u ssh-server-attribute-grouping
        |  +---u ssh-security-harden-grouping
        |  +--rw ip-block-enable          boolean
        |  +--rw ip-block-limit {ip-block-config}?
        |     +--rw failed-times?         uint64
        |     +--rw period?               uint64
        |     +--rw reactive-time?        uint64
        +--rw web {web-interface}?
           +--rw privilege-level?         uint8
           +--rw http-server-interface?   string
           +--rw https-ipv4-enable?       boolean
           +--rw https-ipv6-enable?       boolean
           +--rw https-source-port?       inet:port-number
           +--rw https-timeout?           uint32
           +--rw acl-name-list*           string
           +--rw ip-block-enable          boolean
           +--rw ip-block-limit {ip-block-config}?
           |  +--rw failed-times?         uint64
           |  +--rw period?               uint64
           |  +--rw reactive-time?        uint64
           +---u tls-server-attribute-grouping

   [I-D.ietf-netconf-ssh-client-server] defines "ssh-server-grouping"
   for configuring an SSH server and does not consider the underlying
   transport parameters.  It reuses the groupings defined in
   [I-D.ietf-netconf-keystore].  Because this document focuses on the
   security configurations that are actively in use when the network
   device acts as an SSH server, the "ssh-server-attribute-grouping"
   defined here tailors the "private-key" node and the "certificate-
   expiration" notification of "ssh-server-grouping".
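   The posture assessment that Section 1 describes, applied to the trees
   above: the configuration and state actively in use on a device are
   compared with reference values an organization defines, and every
   mismatch becomes a finding.  This is an added example, not code from
   the draft.  DEVICE_STATE is a constructed RFC 7951 style instance
   that follows the tree diagrams of Sections 5.1.1, 5.1.2 and 5.3
   (wrapper container included; ssh-version and ssh1x-compatible come
   from "ssh-security-harden-grouping", tls-version from
   "tls-server-attribute-grouping"); the reference values in BASELINE,
   the rule operators and the "tlscmn:tls-1.x" identity names are
   assumptions.  The engine is generic over the path syntax, so the
   same rule table can be extended to the other modules in Section 5.

```python
"""Posture assessment in the sense of Section 1: effective
configuration and state are compared with organizational reference
values.  Added example, not code from the draft; the instance,
baseline and operators below are constructed."""

ACC = "ietf-admin-account-security:ietf-admin-account-security"
ACS = "ietf-admin-access-security:ietf-admin-access-security"
PMS = "ietf-port-management-security:ietf-port-management-security"

# Constructed RFC 7951 style instance following the tree diagrams.
DEVICE_STATE = {
    ACC: {
        "pwd-security-policy": {"complexity-check": True, "pwd-minlen": 8},
        "login-failed-limit": {"failed-times": 3, "period": 5, "reactive-time": 5},
    },
    ACS: {
        "console": {"auth-mode": "aaa", "privilege-level": 15},
        "vtys": {"vty": [
            {"vty-number": 0, "auth-mode": "aaa", "privilege-level": 15, "ip-block-enable": True},
            {"vty-number": 1, "auth-mode": "none", "privilege-level": 15, "ip-block-enable": False},
        ]},
        "ssh": {"ssh-enable": True, "ssh-version": 2, "ssh1x-compatible": True, "ssh-server-port": 22},
        "web": {"https-ipv4-enable": True,
                "hello-params": {"tls-versions": {"tls-version": ["tlscmn:tls-1.1", "tlscmn:tls-1.2"]}}},
    },
    PMS: {"port-list": [
        {"port-number": 22, "port-status": True},
        {"port-number": 23, "port-status": True},
        {"port-number": 443, "port-status": True},
        {"port-number": 161, "port-status": False},
    ]},
}

# Assumed organizational reference values.  Rule = (path, operator, reference).
ALLOWED_OPEN_PORTS = {22, 443, 830}                     # communication matrix (Section 5.3)
DEPRECATED_TLS = {"tlscmn:tls-1.0", "tlscmn:tls-1.1"}   # identity names assumed
BASELINE = [
    (ACC + "/account-security-policy/policy-status", "==", True),
    (ACC + "/pwd-security-policy/pwd-minlen", ">=", 12),
    (ACC + "/pwd-security-policy/complexity-check", "==", True),
    (ACC + "/login-failed-limit/failed-times", "<=", 5),
    (ACS + "/console/auth-mode", "in", {"password", "aaa"}),
    (ACS + "/vtys/vty/auth-mode", "in", {"password", "aaa"}),
    (ACS + "/vtys/vty/ip-block-enable", "==", True),
    (ACS + "/ssh/ssh-version", ">=", 2),
    (ACS + "/ssh/ssh1x-compatible", "==", False),
    (ACS + "/web/hello-params/tls-versions/tls-version", "not-in", DEPRECATED_TLS),
    (PMS + "/port-list", "open-port-allowed", ALLOWED_OPEN_PORTS),
]

OPERATORS = {
    "==": lambda v, ref: v == ref,
    ">=": lambda v, ref: v >= ref,
    "<=": lambda v, ref: v <= ref,
    "in": lambda v, ref: v in ref,
    "not-in": lambda v, ref: v not in ref,
    # a port-list entry complies if it is shut down or listed in the matrix
    "open-port-allowed": lambda v, ref: not v["port-status"] or v["port-number"] in ref,
}


def resolve(node, parts, where=""):
    """Walk a '/'-separated path through the instance.  A list or
    leaf-list fans out into every entry ([i] is appended to the path);
    a node absent from the instance yields the value None."""
    if not parts:
        return [(where, node)]
    head, rest = parts[0], parts[1:]
    path = where + "/" + head if where else head
    if not isinstance(node, dict) or head not in node:
        return [("/".join([path] + rest), None)]
    child = node[head]
    if isinstance(child, list):
        hits = []
        for i, entry in enumerate(child):
            hits.extend(resolve(entry, rest, "%s[%d]" % (path, i)))
        return hits
    return resolve(child, rest, path)


def assess(state, baseline):
    """One finding per node whose effective value misses the reference.
    A node the device does not report is a finding too: absence of a
    control is not compliance."""
    findings = []
    for path, op, ref in baseline:
        for where, value in resolve(state, path.split("/")):
            if value is None or not OPERATORS[op](value, ref):
                findings.append({"path": where, "value": value, "op": op, "expected": ref})
    return findings


def is_compliant(state, baseline):
    return not assess(state, baseline)


if __name__ == "__main__":
    for f in assess(DEVICE_STATE, BASELINE):
        print("%s: got %r, expected %s %r" % (f["path"], f["value"], f["op"], f["expected"]))
```

   Run against the constructed instance the engine reports seven
   findings: the short pwd-minlen, the vty with auth-mode "none" and no
   IP blocking, SSH 1.x compatibility left enabled, TLS 1.1 still
   offered, port 23 open although it is not in the communication
   matrix, and the account-security-policy status the device does not
   report at all.  The last one is the case worth keeping in mind when
   writing such rules: a missing node must count against the device,
   otherwise a device that implements none of the features passes.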
   The tree diagram of grouping "ssh-server-attribute-grouping":

   grouping ssh-server-attribute-grouping:
     +--rw server-identity
     |  +--rw host-key* [name]
     |     +--rw name                 string
     |     +--rw (host-key-type)
     |        +--:(public-key)
     |        |  +--rw (local-or-keystore)
     |        |     +--:(local)
     |        |     |  +---u ks:public-key-grouping
     |        |     +--:(keystore) {ks:keystore-implemented}?
     |        |        +--rw ref?   ks:asymmetric-key-certificate-ref
     |        +--:(certificate) {sshcmn:ssh-x509-certs}?
     |           +--rw (local-or-keystore)
     |              +--:(local)
     |              |  +---u ks:public-key-grouping
     |              |  +---u ks:trust-anchor-cert-grouping
     |              +--:(keystore) {ks:keystore-implemented}?
     |                 +--rw ref?   ks:asymmetric-key-certificate-ref
     +--rw client-cert-auth {sshcmn:ssh-x509-certs}?
     |  +--rw pinned-ca-certs?       ta:pinned-certificates-ref
     |  +--rw pinned-client-certs?   ta:pinned-certificates-ref
     +--rw transport-params {ssh-server-transport-params-config}?
        +---u sshcmn:transport-params-grouping

   Besides the security configurations defined in "ssh-server-
   attribute-grouping", there are several other features related to
   the secure use and configuration of SSH, such as which SSH version
   is used, whether the network device supports compatibility with
   earlier SSH versions, whether the port number has been changed, etc.
   The "ssh-security-harden-grouping" includes these kinds of security
   configurations and state.  The tree diagram of grouping "ssh-
   security-harden-grouping":

   grouping ssh-security-harden-grouping:
     +--ro ssh-version             uint32
     +--rw ssh-server-port?        inet:port-number
     +--rw ssh-rekey-interval?     uint32
     +--rw ssh-timeout?            uint32
     +--rw ssh-retry-times?        uint32
     +--rw ssh1x-compatible?       boolean
     +--rw ssh-server-interface?   string

   [I-D.ietf-netconf-tls-client-server] defines "tls-server-grouping"
   for configuring a TLS server and does not consider the underlying
   transport parameters.  It reuses the groupings defined in
   [I-D.ietf-netconf-keystore].  Because this document focuses on the
   security configurations that are actively in use when the network
   device acts as a web server and builds connections through HTTPS,
   the "tls-server-attribute-grouping" defined here tailors the
   "private-key" node and the "certificate-expiration" notification of
   "tls-server-grouping".  The tree diagram of grouping "tls-server-
   attribute-grouping":

   grouping tls-server-attribute-grouping:
     +--rw server-identity
     |  +--rw (local-or-keystore)
     |     +--:(local)
     |     |  +---u ks:public-key-grouping
     |     |  +---u ks:trust-anchor-cert-grouping
     |     +--:(keystore) {ks:keystore-implemented}?
     |        +--rw ref?   ks:asymmetric-key-certificate-ref
     +--rw client-auth
     |  +--rw pinned-ca-certs?       ta:pinned-certificates-ref
     |  +--rw pinned-client-certs?   ta:pinned-certificates-ref
     +--rw hello-params {tls-server-hello-params-config}?
        +--rw tls-versions
        |  +--rw tls-version*    identityref
        +--rw cipher-suites
           +--rw cipher-suite*   identityref

5.1.3.  AAA

   Authentication, Authorization, and Accounting (AAA) provides user
   management for network devices.  RADIUS (Remote Authentication Dial
   In User Service) and TACACS+ (Terminal Access Controller Access
   Control System) are the commonly used AAA mechanisms.  In order to
   implement AAA, network devices act as AAA clients that communicate
   with AAA servers.  [RFC7317] defines a YANG module for a client to
   configure the RADIUS authentication server information.  In this
   document, authentication, authorization and accounting schemes, as
   well as AAA server lists, are all included.

   module: ietf-aaa-security
     +--rw ietf-aaa-security
        +--rw authentication-scheme* [authen-scheme-name]
        |  +--rw authen-scheme-name    string
        |  +--rw authen-mode*          aaa-authen-mode
        |  +--rw authen-type?          radius-authen-type
        |  +--rw authen-fail-policy?   boolean
        +--rw authorization-scheme* [author-scheme-name]
        |  +--rw author-scheme-name    string
        |  +--rw author-mode*          aaa-author-mode
        |  +--rw cmd-author-mode*      aaa-cmd-author-mode
        +--rw accounting-scheme* [account-scheme-name]
        |  +--rw account-scheme-name   string
        |  +--rw account-mode?         aaa-account-name
        +--rw radius-security
        |  +--rw radius-authen-servers* [address]
        |  |  +--rw address   inet:host
        |  |  +--rw port?     inet:port-number
        |  +--rw radius-author-servers* [address]
        |  |  +--rw address   inet:host
        |  |  +--rw port?     inet:port-number
        |  +--rw radius-account-servers* [address]
        |     +--rw address   inet:host
        |     +--rw port?     inet:port-number
        +--rw tacacs-security {tacacs-supported}?
           +--rw tacacs-authen-servers* [address]
           |  +--rw address   inet:host
           |  +--rw port?     inet:port-number
           +--rw tacacs-author-servers* [address]
           |  +--rw address   inet:host
           |  +--rw port?     inet:port-number
           +--rw tacacs-account-servers* [address]
              +--rw address   inet:host
              +--rw port?     inet:port-number

5.1.4.  Administrator Access Statistics

   Statistics on the currently online administrators, the failed login
   attempts and the blocked addresses are useful for monitoring network
   infrastructure devices.

   module: ietf-admin-access-statistics
     +--ro ietf-admin-access-statistics
        +--ro online
        |  +--ro total-online-users   uint32
        |  +--ro online-admin-list {display-online-info}?
        |     +--ro online-users* [account-name]
        |        +--ro account-name   string
        |        +--ro ip-address     inet:ip-address-no-zone
        |        +--ro mac-address    yang:mac-address
        +--ro ip-block-list
        |  +--ro blocked-ip* [ip-address]
        |     +--ro ip-address     inet:ip-address-no-zone
        |     +--ro vpn-instance   string
        |     +--ro state          ip-block-state-type
        +--ro authen-fail-account   uint32

5.2.  System Management Security

5.2.1.  SNMP Management Security

   Simple Network Management Protocol (SNMP) is a network management
   standard used to monitor network devices.  Three SNMP versions are
   available: SNMPv1, SNMPv2c, and SNMPv3.  [RFC7407] defines the
   community-based security model for SNMPv1 and SNMPv2c, and the
   view-based access control model, the user-based security model and
   the transport security model for SNMPv3.  SNMPv1 and SNMPv2c lack
   authentication and message encryption, which could facilitate
   unauthorized access to network devices.  SNMPv3 needs to be used to
   authenticate and encrypt payloads.

   The "ietf-snmp-security" module defined in this section reuses the
   definitions in [RFC7407], but some modifications and eliminations
   are made.  As this module only focuses on the security controls and
   status of SNMP, detailed transport information such as IP address
   and port is not included, while the transport protocol in use is
   taken into consideration.  The subtree for key configuration is also
   not needed for the user-based security model, but the authentication
   protocol or encryption protocol in use is included.

   module: ietf-snmp-security
     +--rw ietf-snmp-security
        +--rw snmp-enable?   boolean
        +--rw engine
        |  +--rw enabled?               boolean
        |  +--rw listen* [name]
        |  |  +--rw name        snmp:identifier
        |  |  +--rw transport   snmp-transport-type
        |  +--rw version                snmp-version-type
        |  +--rw enable-authen-traps?   boolean
        +--rw target* [name]
        |  +--rw name            snmp:identifier
        |  +--rw transport       snmp-transport-type
        |  +--rw target-params   snmp:identifier
        +--rw target-params* [name]
        |  +--rw name       snmp:identifier
        |  +--rw (params)?
        |     +--:(usm)
        |     |  +---u snmp:usm-target-params
        |     +--:(tsm) {snmp:tsm}?
        |        +---u snmp:tsm-target-params
        +--rw vacm
        |  +--ro vacm-enable?   boolean
        |  +--rw group* [name]
        |  |  +--rw name      snmp:group-name
        |  |  +--rw member* [security-name]
        |  |  |  +--rw security-name     snmp:security-name
        |  |  |  +--rw security-model*   snmp:security-model
        |  |  +--rw access* [context security-model security-level]
        |  |     +--rw context          snmp:context-name
        |  |     +--rw context-match?   enumeration
        |  |     +--rw security-model   snmp:security-model-or-any
        |  |     +--rw security-level   snmp:security-level
        |  |     +--rw read-view?       snmp:view-name
        |  |     +--rw write-view?      snmp:view-name
        |  |     +--rw notify-view?     snmp:view-name
        |  +--rw view* [name]
        |     +--rw name       vacm:view-name
        |     +--rw include*   snmp:wildcard-object-identifier
        |     +--rw exclude*   snmp:wildcard-object-identifier
        +--rw usm
        |  +--ro usm-enable?   boolean
        |  +--rw local
        |  |  +---u user-auth-priv
        |  +--rw remote
        |     +---u user-auth-priv
        +--rw tsm {tsm}?
           +--ro tsm-enable?   boolean

   The tree diagram of grouping "user-auth-priv":

   grouping user-auth-priv:
     +--rw user* [name]
        +--rw name            snmp:identifier
        +--rw auth-protocol   auth-pro-type
        +--rw priv-protocol   priv-pro-type

5.2.2.  NETCONF Management Security

   The NETCONF server model defined in
   [I-D.ietf-netconf-netconf-client-server] supports both the SSH and
   TLS transport protocols.  The "ietf-netconf-security" module defined
   in this section only reuses the security-related subtrees and
   replaces the SSH and TLS related groupings with those defined in the
   "ietf-admin-access-security" module.

   module: ietf-netconf-security
     +--rw ietf-netconf-security
        +--rw netconf-enable?   boolean
        +--rw listen {ncs:listen}?
        |  +--rw endpoint* [name]
        |     +--rw name   string
        |     +--rw (transport)
        |        +--:(ssh) {ssh-listen}?
        |        |  +--rw port   inet:port-number
        |        |  +---u accsec:ssh-server-attribute-grouping
        |        +--:(tls) {tls-listen}?
        |           +--rw port   inet:port-number
        |           +---u accsec:tls-server-attribute-grouping
        +--rw call-home {call-home}?
           +--rw netconf-client* [name]
              +--rw name   string
              +--rw endpoints
                 +--rw endpoint* [name]
                    +--rw name   string
                    +--rw (transport)
                       +--:(ssh) {ssh-call-home}?
                       |  +--rw port   inet:port-number
                       |  +---u accsec:ssh-server-attribute-grouping
                       +--:(tls) {tls-call-home}?
                          +--rw port   inet:port-number
                          +---u accsec:tls-server-attribute-grouping

5.3.  Port Management Security

   As it is recommended to disable unused services and ports, the
   current status (open or shut down) of the ports that are available
   on the network devices can be retrieved and compared with the
   communication matrix to check the device security posture.

   module: ietf-port-management-security
     +--rw ietf-port-management-security
        +--rw port-list* [port-number]
           +--rw port-number   inet:port-number
           +--rw port-status   boolean

5.4.  Log Security

   To monitor the running status and diagnose faults or attacks on
   network devices, the activities of network administrators, the
   operations conducted on devices, and the security notifications of
   abnormal events need to be recorded.  Besides, a policy should be
   defined to deal with log overflow.  Log records can be output to the
   console, stored locally, or output to a remote Syslog server.  The
   "ietf-log-security" module defined below reuses the security
   configuration of remote log transfer in
   [I-D.ietf-netmod-syslog-model], and adds access control for locally
   stored log files.

   module: ietf-log-security
     +--rw ietf-log-security
        +--rw alert-notification
        |  +--rw login-fail-threshold   uint8
        |  +--rw system-abnormal        boolean
        |  +--rw attack                 boolean
        |  +--rw log-overflow-lost      boolean
        +--rw (log-overflow-action)
        |  +--:(rewrite-when-overflow)   boolean
        |  |  +--ro rewrite-numbers      uint16
        |  +--:(discard-new-logs)        boolean
        |     +--ro discard-numbers      uint16
        +--rw (log-mode)
           +--:(file) {file-action}?
           |  +--rw user-level-for-read     uint8
           |  +--rw user-level-for-delete   uint8
           +--:(remote) {remote-action}?   [I-D.ietf-netmod-syslog-model]
              +--rw destination* [name]
                 +--rw name   string
                 +--rw (transport)
                 |  ...
                 +--rw signing! {signed-messages}?
                    ...

5.5.  File Security

   Patches, packages, configuration files and password files are
   critical system files for network infrastructure devices.
   Only administrators with certain security privilege levels are
   allowed to access or operate on these files.  For file transfer
   security, a secure protocol should be used.

   module: ietf-file-security
     +--rw ietf-file-security
        +--rw role-based-access-control   boolean
        +--rw transport-protocol          file-pro-type
        +--rw (transport)
        |  +--:(sftp) {sftp}?
        |  |  +--rw sftp-enable        boolean
        |  |  +--rw sftp-server-port   inet:port-number
        |  |  +---u accsec:ssh-server-attribute-grouping
        |  |  +---u accsec:ssh-security-harden-grouping
        |  +--:(scp) {scp}?
        |  |  +--rw scp-enable         boolean
        |  |  +--rw scp-server-port    inet:port-number
        |  |  +---u accsec:ssh-server-attribute-grouping
        |  |  +---u accsec:ssh-security-harden-grouping
        |  +--:(ftps) {ftps}?
        |     +--rw ftps-enable        boolean
        |     +--rw ftps-server-port   inet:port-number
        |     +---u accsec:tls-server-attribute-grouping
        +--rw ip-block-enable   boolean
        +--rw ip-block-limit {ip-block-config}?
           +--rw failed-times    uint64
           +--rw period          uint64
           +--rw reactive-time   uint64

6.  Network Infrastructure Device Security Baseline Yang Module

6.1.  Module 'ietf-admin-account-security'

   file "ietf-admin-account-security@2018-10-16.yang"

   module ietf-admin-account-security {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-admin-account-security";
     prefix acsec;

     organization
       "IETF SACM (Security Automation and Continuous Monitoring)
        Working Group";

     contact
       "WG Web:   http://tools.ietf.org/wg/sacm/
        WG List:  sacm@ietf.org

        Editor:   Qiushi Lin
                  linqiushi@huawei.com;
        Editor:   Liang Xia
                  frank.xialiang@huawei.com
        Editor:   Henk Birkholz
                  henk.birkholz@sit.fraunhofer.de";

     description
       "This YANG module defines ietf-admin-account-security YANG
        module, which contains configurations that are actively in use
        for account security control, password security control and
        administrative account block.";

     revision 2018-10-16 {
       description
         "Initial version.";
       reference
         "draft-lin-sacm-nid-mp-security-baseline-04: The Data Model
          of Network Infrastructure Device Management Plane Security
          Baseline";
     }

     /*
      * features
      */

     feature account-security {
       description
         "If the network device supports this feature, then several
          security controls on administrative accounts can be
          conducted.";
     }

     feature pwd-security {
       description
         "If the network device supports this feature, then several
          security controls on passwords can be conducted.";
     }

     feature login-failed-block {
       description
         "If the network device supports this feature, an
          administrative account will be blocked for a certain time
          range when this account fails to log in several times in a
          certain period.";
     }

     /*
      * containers
      */

     container account-security-policy {
       if-feature account-security;
       leaf policy-status {
         type boolean;
         description
           "The status of the account security policy: enabled, or
            disabled.";
       }
       leaf account-aging-period {
         type uint64;
         description
           "The aging period of an administrative account.";
       }
       leaf account-name-minlen {
         type uint64;
         description
           "The minimum length of an administrative account name.";
       }
       description
         "If the network device supports some security controls on
          administrative accounts, the configuration that is actively
          in use will be collected.";
     }

     container pwd-security-policy {
       if-feature pwd-security;
       leaf expire-days {
         type uint64;
         description
           "The password validity period.";
       }
       leaf prompt-days {
         type uint64;
         description
           "The period for warning before the password expires.";
       }
       leaf change-check {
         type boolean;
         description
           "Whether it is mandatory to change the password when logging
            in for the first time: enabled, or disabled.";
       }
       leaf complexity-check {
         type boolean;
         description
           "The status of the password complexity check: enabled, or
            disabled.";
       }
       leaf history-pwd-num {
         type uint64;
         config false;
         description
           "The number of past passwords that a newly configured
            password must differ from.";
       }
       leaf pwd-minlen {
         type uint64;
         description
           "The minimum length of a password.";
       }
       container forbidden-word-rules {
         list forbidden-word-rule {
           key "forbidden-word";
           leaf forbidden-word {
             type string;
             description
               "A forbidden word in passwords.";
           }
           description
             "A list of forbidden words that are not allowed to be used
              in passwords.";
         }
         description
           "Password blacklist.";
       }
       description
         "If the network device supports some security controls on
          administrative passwords, the configuration that is actively
          in use will be collected.";
     }

     container login-failed-limit {
       if-feature login-failed-block;
       leaf failed-times {
         type uint64;
         description
           "The number of failed login attempts allowed in a certain
            period.";
       }
       leaf period {
         type uint64;
         description
           "The period in which the failed login attempts are counted.";
       }
       leaf reactive-time {
         type uint64;
         description
           "The time after which the account is no longer blocked.";
       }
       description
         "If the network device supports this feature, an account will
          be blocked for a certain time range when it fails to log in
          several times in a certain period.";
     }
   }

6.2.  Module 'ietf-admin-access-security'

   module ietf-admin-access-security {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-admin-access-security";
     prefix accsec;

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991 - Common YANG Data Types.";
     }
     import ietf-ssh-common {
       prefix sshcmn;
       reference
         "draft-ietf-netconf-ssh-client-server - YANG Groupings for
          SSH Clients and SSH Servers";
     }
Expires April 25, 2019 [Page 18] Internet-Draft Network Device Management Plane Security October 2018 import ietf-tls-common { prefix tlscmn; reference "draft-ietf-netconf-tls-client-server - YANG Groupings for TLS Clients and SSH Servers"; } import ietf-keystore { prefix ks; reference "draft-ietf-netconf-keystore - YANG Data Model for a Centralized Keystore Mechanism"; } import ietf-trust-anchors { prefix ta; reference "draft-ietf-netconf-trust-anchors - YANG Data Model for Global Trust Anchors"; } organization "IETF SACM (Security Automation and Continuous Monitoring) Working Group"; contact "WG Web: http://tools.ietf.org/wg/sacm/ WG List: sacm@ietf.org Editor: Qiushi Lin linqiushi@huawei.com; Editor: Liang Xia frank.xialiang@huawei.com Editor: Henk Birkholz henk.birkholz@sit.fraunhofer.de"; description "This YANG module defines ietf-admin-access-security YANG module, which contains security configurations that are actively in use for different access channels."; revision 2018-10-16 { description "Initial version."; reference "draft-lin-sacm-nid-mp-security-baseline-04: The Data Model of Network Infrastructure Device Management Plane Security Baseline"; } /* * features */ feature web-interface { description "If the network device supports web interface for administration, then administrative account can access this device through web interface."; } Lin, et al. 
  feature ip-block-config {
    description
      "If the network device supports the configuration of the IP
       block function, then it can be configured to block the access
       from a list of IP addresses.";
  }
  feature ssh-server-transport-params-config {
    description
      "SSH transport layer parameters are configurable on an SSH
       server.";
  }
  feature tls-server-hello-params-config {
    description
      "TLS hello message parameters are configurable on a TLS
       server.";
  }

  /*
   * typedefs
   */

  typedef auth-mode-type {
    type enumeration {
      enum "none" {
        description
          "Authentication mode: none.";
      }
      enum "password" {
        description
          "Authentication mode: password.";
      }
      enum "aaa" {
        description
          "Authentication mode: aaa.";
      }
    }
    description
      "The authentication mode of the console and vty interfaces.";
  }

  /*
   * groupings
   */

  grouping ssh-server-attribute-grouping {
    container server-identity {
      list host-key {
        key "name";
        leaf name {
          type string;
          description
            "The name of the host key.";
        }
        choice host-key-type {
          mandatory true;
          case public-key {
            choice local-or-keystore {
              case local {
                uses ks:public-key-grouping;
                description
                  "The public key and the corresponding algorithm.";
              }
              case keystore {
                if-feature ks:keystore-implemented;
                leaf ref {
                  type ks:asymmetric-key-certificate-ref;
                  description
                    "A reference to a value that exists in the
                     keystore.";
                }
                description
                  "A reference to the key pair stored in the
                   keystore.";
              }
              description
                "The key pair is stored locally or can be referenced
                 from the keystore.";
            }
            description
              "The host key type is an asymmetric key pair.";
          }
          case certificate {
            if-feature sshcmn:ssh-x509-certs;
            choice local-or-keystore {
              case local {
                uses ks:public-key-grouping;
                uses ks:trust-anchor-cert-grouping;
                description
                  "The certificate and the corresponding public key
                   are stored locally.";
              }
              case keystore {
                if-feature ks:keystore-implemented;
                leaf ref {
                  type ks:asymmetric-key-certificate-ref;
                  description
                    "The certificate is referenced by a value that
                     exists in the keystore.";
                }
                description
                  "A reference to the certificate stored in the
                   keystore.";
              }
              description
                "The certificate is stored locally or can be
                 referenced from the keystore.";
            }
            description
              "The host key type is a certificate.";
          }
          description
            "Two types of host key: asymmetric key pair,
             certificate.";
        }
        description
          "A list of host keys of the network device.";
      }
      description
        "The list of host keys the network device (acting as SSH
         server) will use to construct its list of algorithms when
         sending its SSH-MSG-KEXINIT message, as defined in
         Section 7.1 of RFC 4253.";
    }
    container client-cert-auth {
      if-feature sshcmn:ssh-x509-certs;
      leaf pinned-ca-certs {
        type ta:pinned-certificates-ref;
        description
          "A reference to a list of certificate authority (CA)
           certificates used by the SSH server to authenticate SSH
           client certificates.";
        reference
          "draft-ietf-netconf-trust-anchors: YANG Data Model for
           Global Trust Anchors";
      }
      leaf pinned-client-certs {
        type ta:pinned-certificates-ref;
        description
          "A reference to a list of client certificates used by the
           SSH server to authenticate SSH client certificates.";
        reference
          "draft-ietf-netconf-trust-anchors: YANG Data Model for
           Global Trust Anchors";
      }
      description
        "A reference to a list of pinned certificate authority (CA)
         certificates and a reference to a list of pinned client
         certificates.";
    }
    container transport-params {
      if-feature ssh-server-transport-params-config;
      uses sshcmn:transport-params-grouping;
      description
        "Configurable parameters of the SSH transport layer.";
    }
    description
      "A reusable grouping of configurations that are actively in use
       for network devices which act as SSH servers.";
  }

  grouping ssh-security-harden-grouping {
    leaf ssh-version {
      type uint32;
      config false;
      mandatory true;
      description
        "The SSH version that the network device supports.";
    }
    leaf ssh-server-port {
      type inet:port-number;
      description
        "The port number of the SSH server.";
    }
    leaf ssh-rekey-interval {
      type uint32;
      description
        "The interval for updating the key pair of the SSH server.";
    }
    leaf ssh-timeout {
      type uint32;
      description
        "The authentication timeout period of SSH.";
    }
    leaf ssh-retry-times {
      type uint32;
      description
        "The number of authentication retries.";
    }
    leaf ssh1x-compatible {
      type boolean;
      description
        "The status of the version-compatible (SSH 1.x) function on
         the SSH server: enabled, disabled.";
    }
    leaf ssh-server-interface {
      type string;
      description
        "The source interface of the SSH server.";
    }
    description
      "A set of SSH configuration status to enhance security.";
  }

  grouping tls-server-attribute-grouping {
    container server-identity {
      choice local-or-keystore {
        case local {
          uses ks:public-key-grouping;
          uses ks:trust-anchor-cert-grouping;
          description
            "The certificate and the corresponding public key are
             stored locally.";
        }
        case keystore {
          if-feature ks:keystore-implemented;
          leaf ref {
            type ks:asymmetric-key-certificate-ref;
            description
              "The certificate is referenced by a value that exists in
               the keystore.";
          }
          description
            "A reference to the certificate stored in the keystore.";
        }
        description
          "The certificate is stored locally or can be referenced from
           the keystore.";
      }
      description
        "A locally-defined or referenced end-entity certificate,
         including any configured intermediate certificates, that the
         TLS server will present when establishing a TLS connection in
         its Certificate message, as defined in Section 7.4.2 of
         RFC 5246.";
    }
    container client-auth {
      leaf pinned-ca-certs {
        type ta:pinned-certificates-ref;
        description
          "A reference to a list of certificate authority (CA)
           certificates used by the TLS server to authenticate TLS
           client certificates.";
        reference
          "draft-ietf-netconf-trust-anchors: YANG Data Model for
           Global Trust Anchors";
      }
      leaf pinned-client-certs {
        type ta:pinned-certificates-ref;
        description
          "A reference to a list of client certificates used by the
           TLS server to authenticate TLS client certificates.";
        reference
          "draft-ietf-netconf-trust-anchors: YANG Data Model for
           Global Trust Anchors";
      }
      description
        "A reference to a list of pinned certificate authority (CA)
         certificates and a reference to a list of pinned client
         certificates.";
    }
    container hello-params {
      if-feature tls-server-hello-params-config;
      uses tlscmn:hello-params-grouping;
      description
        "Configurable parameters for the TLS hello message.";
    }
    description
      "A reusable grouping of configurations that are actively in use
       for network devices which act as TLS servers.";
  }

  /*
   * containers
   */

  container console {
    leaf auth-mode {
      type auth-mode-type;
      description
        "The authentication mode used when administrative accounts log
         in through the console interface: none, password, AAA.";
    }
    leaf privilege-level {
      type uint8;
      description
        "User privilege level.";
    }
    description
      "Security configurations that are actively in use for the
       console interface.";
  }

  container vtys {
    list vty {
      key "vty-number";
      leaf vty-number {
        type uint8;
        description
          "The number of the vty interface.";
      }
      leaf auth-mode {
        type auth-mode-type;
        mandatory true;
        description
          "The authentication mode used when an administrator logs in
           through the vty interface: none, password, AAA.";
      }
      leaf privilege-level {
        type uint8;
        mandatory true;
        description
          "User privilege level.";
      }
      leaf-list acl-name-list {
        type string;
        description
          "The names of the ACLs applied to the vty interface.";
      }
      leaf ip-block-enable {
        type boolean;
        mandatory true;
        description
          "The status of the IP block function: enabled, or
           disabled.";
      }
      container ip-block-limit {
        if-feature ip-block-config;
        leaf failed-times {
          type uint64;
          description
            "The number of failed login attempts in a certain
             period.";
        }
        leaf peroid {
          type uint64;
          description
            "The period in which the failed login attempts are
             counted.";
        }
        leaf reactive-time {
          type uint64;
          description
            "The time after which the address is no longer blocked.";
        }
        description
          "If the login from an address has failed several times in a
           certain period, this address will be blocked for a certain
           time range.";
      }
      description
        "Security configurations that are actively in use for a vty
         interface.";
    }
    description
      "A list of security configurations that are actively in use for
       each vty interface.";
  }

  container ssh {
    uses ssh-server-attribute-grouping;
    uses ssh-security-harden-grouping;
    leaf ssh-enable {
      type boolean;
      description
        "The status of the SSH server: enabled, or disabled.";
    }
    leaf ip-block-enable {
      type boolean;
      description
        "The status of the IP block function: enabled, or disabled.";
    }
    container ip-block-limit {
      if-feature ip-block-config;
      leaf failed-times {
        type uint64;
        description
          "The number of failed login attempts in a certain period.";
      }
      leaf peroid {
        type uint64;
        description
          "The period in which the failed login attempts are
           counted.";
      }
      leaf reactive-time {
        type uint64;
        description
          "The time after which the address is no longer blocked.";
      }
      description
        "If the login from an address has failed several times in a
         certain period, this address will be blocked for a certain
         time range.";
    }
    description
      "Security configurations that are actively in use for the
       SSH-based access channel.";
  }

  container web {
    if-feature web-interface;
    uses tls-server-attribute-grouping;
    leaf auth-mode {
      type auth-mode-type;
      description
        "The authentication mode used when an administrator logs in
         through the web interface: none, password, AAA.";
    }
    leaf privilege-level {
      type uint8;
      description
        "User privilege level.";
    }
    leaf http-server-interface {
      type string;
      description
        "The source interface of the web server.";
    }
    leaf https-ipv4-enable {
      type boolean;
      description
        "The status of the IPv4 HTTPS server: enabled, disabled.";
    }
    leaf https-ipv6-enable {
      type boolean;
      description
        "The status of the IPv6 HTTPS server: enabled, disabled.";
    }
    leaf https-source-port {
      type inet:port-number;
      description
        "The port number of the web server.";
    }
    leaf https-timeout {
      type uint32;
      description
        "The authentication timeout period of HTTPS.";
    }
    leaf ip-block-enable {
      type boolean;
      description
        "The status of the IP block function: enabled, or disabled.";
    }
    container ip-block-limit {
      if-feature ip-block-config;
      leaf failed-times {
        type uint64;
        description
          "The number of failed login attempts in a certain period.";
      }
      leaf peroid {
        type uint64;
        description
          "The period in which the failed login attempts are
           counted.";
      }
      leaf reactive-time {
        type uint64;
        description
          "The time after which the address is no longer blocked.";
      }
      description
        "If the login from an address has failed several times in a
         certain period, this address will be blocked for a certain
         time range.";
    }
    description
      "Security configurations that are actively in use for the web
       server, if the network device supports a web interface.";
  }
}

6.3. Module 'ietf-aaa-security'

file "ietf-aaa-security@2018-10-16.yang"
module ietf-aaa-security {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-aaa-security";
  prefix aaasec;

  import ietf-inet-types {
    prefix inet;
    reference
      "RFC 6991 - Common YANG Data Types.";
  }

  organization
    "IETF SACM (Security Automation and Continuous Monitoring)
     Working Group";

  contact
    "WG Web:   http://tools.ietf.org/wg/sacm/
     WG List:  sacm@ietf.org
     Editor:   Qiushi Lin
               linqiushi@huawei.com;
     Editor:   Liang Xia
               frank.xialiang@huawei.com
     Editor:   Henk Birkholz
               henk.birkholz@sit.fraunhofer.de";

  description
    "This YANG module defines the ietf-aaa-security YANG module, which
     contains the configurations of AAA.";

  revision 2018-10-16 {
    description
      "Initial version.";
    reference
      "draft-lin-sacm-nid-mp-security-baseline-04: The Data Model of
       Network Infrastructure Device Management Plane Security
       Baseline";
  }

  /*
   * features
   */

  feature tacacs-supported {
    description
      "Whether the device supports TACACS+ based Authentication,
       Authorization, and Accounting.";
  }

  /*
   * typedefs
   */

  typedef aaa-authen-mode {
    type enumeration {
      enum "invalid" {
        description
          "Invalid authentication mode.";
      }
      enum "local" {
        description
          "Local authentication mode.";
      }
      enum "tacacs" {
        description
          "TACACS authentication mode.";
      }
      enum "radius" {
        description
          "RADIUS authentication mode.";
      }
      enum "none" {
        description
          "In this mode, users pass without authentication.";
      }
      enum "radius-proxy" {
        description
          "RADIUS proxy authentication mode.";
      }
    }
    description
      "Different types of authentication modes.";
  }

  typedef radius-authen-type {
    type enumeration {
      enum "pap" {
        description
          "PAP authentication.";
      }
      enum "chap" {
        description
          "CHAP authentication.";
      }
    }
    description
      "Different authentication types of RADIUS authentication.";
  }

  typedef aaa-author-mode {
    type enumeration {
      enum "invalid" {
        description
          "Invalid authorization mode.";
      }
      enum "local" {
        description
          "Local authorization mode.";
      }
      enum "tacacs" {
        description
          "TACACS authorization mode.";
      }
      enum "if-authenticated" {
        description
          "If-authenticated mode: if a user has passed authentication
           and the authentication mode was not 'none', the user
           authorization is passed. Otherwise, the authorization is
           not passed.";
      }
      enum "none" {
        description
          "Users pass without authorization.";
      }
    }
    description
      "Different types of AAA authorization modes.";
  }

  typedef aaa-cmd-author-mode {
    type enumeration {
      enum "invalid" {
        description
          "Invalid command line authorization mode.";
      }
      enum "local" {
        description
          "Local command line authorization mode.";
      }
      enum "tacacs" {
        description
          "Specifies that the TACACS mode is applied.";
      }
    }
    description
      "Different types of command line authorization modes.";
  }

  typedef aaa-account-mode {
    type enumeration {
      enum "invalid" {
        description
          "Invalid accounting mode.";
      }
      enum "radius" {
        description
          "RADIUS accounting mode.";
      }
      enum "tacacs" {
        description
          "TACACS accounting mode.";
      }
      enum "none" {
        description
          "In this mode, users are not accounted.";
      }
    }
    description
      "Different types of accounting modes.";
  }
  /*
   * lists & containers
   */

  list authentication-scheme {
    key "authen-scheme-name";
    leaf authen-scheme-name {
      type string;
      description
        "The name of the authentication scheme.";
    }
    leaf-list authen-mode {
      type aaa-authen-mode;
      description
        "A list of authentication modes in order of preference. The
         second, third, and following authentication modes are used
         only when the first authentication mode does not respond.";
    }
    leaf authen-type {
      type radius-authen-type;
      description
        "Authentication type of RADIUS: PAP, CHAP.";
    }
    leaf authen-fail-policy {
      type boolean;
      description
        "The policy adopted after a user authentication failure: force
         the user offline, or allow the user to log in to a domain
         with access control.";
    }
    description
      "Authentication scheme list.";
  }

  list authorization-scheme {
    key "author-scheme-name";
    leaf author-scheme-name {
      type string;
      description
        "The name of the authorization scheme.";
    }
    leaf-list auhtor-mode {
      type aaa-author-mode;
      description
        "A list of authorization modes in order of preference. The
         second, third, and following authorization modes are used
         only when the first authorization mode does not respond.";
    }
    leaf-list cmd-auhtor-mode {
      type aaa-cmd-author-mode;
      description
        "A list of command line authorization modes in order of
         preference. The second, third, and following command line
         authorization modes are used only when the first command
         line authorization mode does not respond.";
    }
    description
      "Authorization scheme list.";
  }

  list accounting-scheme {
    key "account-scheme-name";
    leaf account-scheme-name {
      type string;
      description
        "The name of the accounting scheme.";
    }
    leaf account-mode {
      type aaa-account-mode;
      description
        "Accounting mode.";
    }
    description
      "Accounting scheme list.";
  }

  container radius-security {
    list radius-authen-servers {
      key "address";
      leaf address {
        type inet:host;
        description
          "The IP address of the authentication server.";
      }
      leaf port {
        type inet:port-number;
        description
          "The port number of the authentication server.";
      }
      description
        "A list of RADIUS authentication servers.";
    }
    list radius-author-servers {
      key "address";
      leaf address {
        type inet:host;
        description
          "The IP address of the authorization server.";
      }
      leaf port {
        type inet:port-number;
        description
          "The port number of the authorization server.";
      }
      description
        "A list of RADIUS authorization servers.";
    }
    list radius-account-servers {
      key "address";
      leaf address {
        type inet:host;
        description
          "The IP address of the accounting server.";
      }
      leaf port {
        type inet:port-number;
        description
          "The port number of the accounting server.";
      }
      description
        "A list of RADIUS accounting servers.";
    }
    description
      "RADIUS authentication servers, authorization servers, and
       accounting servers.";
  }

  container tacacs-security {
    if-feature tacacs-supported;
    list tacacs-authen-servers {
      key "address";
      leaf address {
        type inet:host;
        description
          "The IP address of the authentication server.";
      }
      leaf port {
        type inet:port-number;
        description
          "The port number of the authentication server.";
      }
      description
        "A list of TACACS+ and TACACS+ compatible authentication
         servers.";
    }
    list tacacs-author-servers {
      key "address";
      leaf address {
        type inet:host;
        description
          "The IP address of the authorization server.";
      }
      leaf port {
        type inet:port-number;
        description
          "The port number of the authorization server.";
      }
      description
        "A list of TACACS+ and TACACS+ compatible authorization
         servers.";
    }
    list tacacs-account-servers {
      key "address";
      leaf address {
        type inet:host;
        description
          "The IP address of the accounting server.";
      }
      leaf port {
        type inet:port-number;
        description
          "The port number of the accounting server.";
      }
      description
        "A list of TACACS+ and TACACS+ compatible accounting
         servers.";
    }
    description
      "TACACS+ and TACACS+ compatible authentication servers,
       authorization servers, and accounting servers.";
  }
}

6.4. Module 'ietf-admin-access-statistics'

file "ietf-admin-access-statistics@2018-10-16.yang"
module ietf-admin-access-statistics {
  yang-version 1.1;
  namespace
    "urn:ietf:params:xml:ns:yang:ietf-admin-access-statistics";
  prefix stat;

  import ietf-inet-types {
    prefix inet;
    reference
      "RFC 6991 - Common YANG Data Types.";
  }
  import ietf-yang-types {
    prefix yang;
    reference
      "RFC 6991 - Common YANG Data Types.";
  }

  organization
    "IETF SACM (Security Automation and Continuous Monitoring)
     Working Group";
  contact
    "WG Web:   http://tools.ietf.org/wg/sacm/
     WG List:  sacm@ietf.org
     Editor:   Qiushi Lin
               linqiushi@huawei.com;
     Editor:   Liang Xia
               frank.xialiang@huawei.com
     Editor:   Henk Birkholz
               henk.birkholz@sit.fraunhofer.de";

  description
    "This YANG module defines the ietf-admin-access-statistics YANG
     module, which contains the list of online administrators and the
     IP addresses with authentication failures or that are blocked.";

  revision 2018-10-16 {
    description
      "Initial version.";
    reference
      "draft-lin-sacm-nid-mp-security-baseline-04: The Data Model of
       Network Infrastructure Device Management Plane Security
       Baseline";
  }

  /*
   * features
   */

  feature display-online-info {
    description
      "If the device supports reporting the details of administrative
       accounts that are currently online.";
  }

  /*
   * typedef
   */

  typedef ip-block-state-type {
    type enumeration {
      enum "authenfail" {
        description
          "Authentication failed state.";
      }
      enum "blocked" {
        description
          "Blocked state.";
      }
    }
    description
      "The status of an IP address with failed logins.";
  }

  /*
   * containers
   */

  container online {
    leaf total-online-users {
      type uint32;
      config false;
      description
        "The number of administrators that are currently online.";
    }
    container online-admin-list {
      if-feature display-online-info;
      list online-users {
        key "account-name";
        leaf account-name {
          type string;
          description
            "The account name of the online account.";
        }
        leaf ip-address {
          type inet:ip-address-no-zone;
          config false;
          description
            "The IP address of the online account.";
        }
        leaf mac-address {
          type yang:mac-address;
          config false;
          description
            "The MAC address of the online account.";
        }
        description
          "Online administrator list.";
      }
      description
        "If the device supports providing information about online
         administrators, a list of account details is provided.";
    }
    description
      "Online administrator statistics and details.";
  }

  container ip-block-list {
    list blocked-ip {
      key "ip-address";
      leaf ip-address {
        type inet:ip-address-no-zone;
        description
          "The blocked IP address.";
      }
      leaf vpn-instance {
        type string;
        config false;
        description
          "The VPN instance of the blocked IP address.";
      }
      leaf state {
        type ip-block-state-type;
        config false;
        description
          "The status of an IP address with failed logins.";
      }
      leaf authen-fail-account {
        type uint32;
        config false;
        description
          "The number of failed login attempts.";
      }
      description
        "The list of blocked IP addresses and related information.";
    }
    description
      "Blocked IP addresses and related information.";
  }
}
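The modules above define what a SACM collector reports; the posture assessment itself is left to the evaluator. The following Python script is an added example (not part of this draft or of any SACM implementation) of such an evaluator: it reads a JSON instance (RFC 7951 encoding) of the ietf-admin-access-security, ietf-aaa-security and ietf-admin-access-statistics modules and applies a few baseline rules to it, for instance that no access channel uses auth-mode 'none', that the IP block function is enabled with a complete ip-block-limit, that the SSH server does not keep SSH 1.x compatibility, and that no authentication scheme lists the 'none' mode. The sample instance, the rules and the failure threshold are this example's own assumptions; the draft defines the data, not the policy.

```python
"""Baseline posture checks over a collected management-plane instance.

Added example, not part of the draft.  The rules and threshold are
assumptions; only the leaf names come from the YANG modules above.
"""
import json

# Constructed sample instance (all values made up for this example).
# Leaf names follow the draft as written, including 'peroid'.
SAMPLE_INSTANCE = json.loads("""
{
  "ietf-admin-access-security:console": {
    "auth-mode": "password", "privilege-level": 15
  },
  "ietf-admin-access-security:vtys": {
    "vty": [
      {"vty-number": 0, "auth-mode": "aaa", "privilege-level": 1,
       "acl-name-list": ["mgmt-acl"], "ip-block-enable": true,
       "ip-block-limit": {"failed-times": 5, "peroid": 300,
                          "reactive-time": 900}},
      {"vty-number": 1, "auth-mode": "none", "privilege-level": 15,
       "ip-block-enable": false}
    ]
  },
  "ietf-admin-access-security:ssh": {
    "ssh-enable": true, "ssh-version": 2, "ssh-server-port": 22,
    "ssh1x-compatible": true, "ip-block-enable": true,
    "ip-block-limit": {"failed-times": 5, "peroid": 300,
                       "reactive-time": 900}
  },
  "ietf-aaa-security:authentication-scheme": [
    {"authen-scheme-name": "default", "authen-mode": ["radius", "local"]},
    {"authen-scheme-name": "open", "authen-mode": ["none"]}
  ],
  "ietf-admin-access-statistics:ip-block-list": {
    "blocked-ip": [
      {"ip-address": "192.0.2.10", "state": "blocked",
       "authen-fail-account": 7},
      {"ip-address": "192.0.2.11", "state": "authenfail",
       "authen-fail-account": 2}
    ]
  }
}
""")

ACC = "ietf-admin-access-security:"
AAA = "ietf-aaa-security:"
STAT = "ietf-admin-access-statistics:"
IP_BLOCK_LEAVES = ("failed-times", "peroid", "reactive-time")


def check_ip_block(node, where):
    """Require the IP block function and a complete ip-block-limit."""
    if not node.get("ip-block-enable", False):
        return [f"{where}: IP block function disabled"]
    limit = node.get("ip-block-limit", {})
    return [f"{where}: ip-block-limit/{leaf} not configured"
            for leaf in IP_BLOCK_LEAVES if leaf not in limit]


def assess(instance):
    """Return a list of human-readable baseline findings (assumed rules)."""
    findings = []
    console = instance.get(ACC + "console", {})
    if console.get("auth-mode", "none") == "none":
        findings.append("console: login requires no authentication")
    for vty in instance.get(ACC + "vtys", {}).get("vty", []):
        where = f"vty {vty['vty-number']}"
        if vty.get("auth-mode") == "none":
            findings.append(f"{where}: login requires no authentication")
        if not vty.get("acl-name-list"):
            findings.append(f"{where}: no ACL restricts source addresses")
        findings += check_ip_block(vty, where)
    ssh = instance.get(ACC + "ssh", {})
    if ssh.get("ssh-enable"):
        if ssh.get("ssh-version", 0) < 2:
            findings.append("ssh: protocol version below 2")
        if ssh.get("ssh1x-compatible"):
            findings.append("ssh: SSH1.x compatibility enabled")
        findings += check_ip_block(ssh, "ssh")
    web = instance.get(ACC + "web")
    if web is not None:  # only present if the device has a web interface
        if web.get("auth-mode", "none") == "none":
            findings.append("web: login requires no authentication")
        if not (web.get("https-ipv4-enable") or web.get("https-ipv6-enable")):
            findings.append("web: HTTPS server not enabled")
        findings += check_ip_block(web, "web")
    for scheme in instance.get(AAA + "authentication-scheme", []):
        if "none" in scheme.get("authen-mode", []):
            findings.append(f"authentication-scheme {scheme['authen-scheme-name']}: "
                            "mode 'none' lets users pass without authentication")
    return findings


def blocked_sources(instance, fail_threshold=5):
    """Addresses currently blocked, or at/over the (assumed) failure threshold."""
    return [e["ip-address"]
            for e in instance.get(STAT + "ip-block-list", {}).get("blocked-ip", [])
            if e.get("state") == "blocked"
            or e.get("authen-fail-account", 0) >= fail_threshold]


if __name__ == "__main__":
    for finding in assess(SAMPLE_INSTANCE):
        print("FINDING:", finding)
    print("blocked sources:", blocked_sources(SAMPLE_INSTANCE))
```

On the constructed sample the evaluator reports five findings (vty 1 with no authentication, no ACL and IP block disabled; SSH 1.x compatibility enabled; the 'open' authentication scheme) and one blocked source address. Each rule reads only leaves the modules define, so the same script runs unchanged on an instance collected from a device that implements them; the thresholds belong in the evaluator's policy, not in the data model.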
6.5. Module 'ietf-snmp-security'

file "ietf-snmp-security@2018-10-16.yang"
module ietf-snmp-security {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-snmp-security";
  prefix snmpsec;

  import ietf-snmp {
    prefix snmp;
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration.";
  }

  organization
    "IETF SACM (Security Automation and Continuous Monitoring)
     Working Group";

  contact
    "WG Web:   http://tools.ietf.org/wg/sacm/
     WG List:  sacm@ietf.org
     Editor:   Qiushi Lin
               linqiushi@huawei.com;
     Editor:   Liang Xia
               frank.xialiang@huawei.com
     Editor:   Henk Birkholz
               henk.birkholz@sit.fraunhofer.de";

  description
    "This YANG module defines the ietf-snmp-security YANG module.";

  revision 2018-10-16 {
    description
      "Initial version.";
    reference
      "draft-lin-sacm-nid-mp-security-baseline-04: The Data Model of
       Network Infrastructure Device Management Plane Security
       Baseline";
  }

  feature tsm {
    description
      "Whether the network device supports the Transport Security
       Model for SNMP.";
  }

  /*
   * typedef
   */

  typedef snmp-transport-type {
    type enumeration {
      enum "udp" {
        description
          "SNMP over UDP.";
      }
      enum "ssh" {
        description
          "SNMP over SSH.";
      }
      enum "tls" {
        description
          "SNMP over TLS.";
      }
      enum "dtls" {
        description
          "SNMP over DTLS.";
      }
    }
    description
      "The transport channels on which the SNMP engine listens.";
  }

  typedef snmp-version-type {
    type enumeration {
      enum "v1" {
        description
          "SNMPv1";
      }
      enum "v2c" {
        description
          "SNMPv2c";
      }
      enum "v3" {
        description
          "SNMPv3";
      }
    }
    description
      "The version of the SNMP protocol.";
  }

  typedef auth-pro-type {
    type enumeration {
      enum "none" {
        description
          "Do not enable the authentication of messages sent on
           behalf of the user.";
      }
      enum "md5" {
        description
          "HMAC-MD5-96 authentication protocol.";
      }
      enum "sha" {
        description
          "HMAC-SHA-96 authentication protocol.";
      }
    }
    description
      "An indication of whether messages sent on behalf of this user
       can be authenticated, and if so, the type of authentication
       protocol which is used: MD5, SHA.";
    reference
      "RFC 3414";
  }

  typedef priv-pro-type {
    type enumeration {
      enum "none" {
        description
          "Do not enable the encryption of messages sent on behalf of
           the user.";
      }
      enum "des" {
        description
          "DES is used to encrypt messages sent on behalf of the
           user.";
      }
      enum "aes" {
        description
          "AES is used to encrypt messages sent on behalf of the
           user.";
      }
    }
    description
      "An indication of whether messages sent on behalf of this user
       can be protected from disclosure, and if so, the type of
       privacy protocol which is used: DES, AES.";
    reference
      "RFC 3414 & RFC 3826";
  }

  /*
   * grouping
   */

  grouping user-auth-priv {
    list user {
      key "name";
      leaf name {
        type snmp:identifier;
        description
          "The identifier that represents a user.";
      }
      leaf auth-protocol {
        type auth-pro-type;
        description
          "The type of authentication protocol: none, md5, sha.";
      }
      leaf priv-protocol {
        type priv-pro-type;
        description
          "The type of encryption protocol: none, des, aes.";
      }
      description
        "A list of users and their corresponding authProtocol and
         privProtocol.";
    }
    description
      "A grouping that represents a list of users and their
       corresponding authProtocol and privProtocol.";
    reference
      "RFC 3414";
  }

  leaf snmp-enable {
    type boolean;
    description
      "Whether SNMP is used.";
  }

  /*
   * containers
   */

  container engine {
    leaf enabled {
      type boolean;
      description
        "The status of the SNMP engine: enabled, disabled.";
    }
    list listen {
      key "name";
      leaf name {
        type snmp:identifier;
        description
          "The name of a transport channel on which the SNMP engine
           listens.";
      }
      leaf transport {
        type snmp-transport-type;
        description
          "The transport protocol that SNMP uses.";
      }
      description
        "A list of transport channels on which the SNMP engine
         listens.";
    }
    leaf version {
      type snmp-version-type;
      description
        "SNMP version used by the SNMP engine.";
    }
    leaf enable-authen-traps {
      type boolean;
      description
        "Whether the SNMP entity is permitted to generate
         authenticationFailure traps.";
      reference
        "RFC 3418: Management Information Base (MIB) for the Simple
         Network Management Protocol (SNMP)
         SNMPv2-MIB.snmpEnableAuthenTraps";
    }
    description
      "The security configurations for the SNMP engine.";
  }

  list target {
    key name;
    leaf name {
      type snmp:identifier;
      description
        "The name that identifies the target.";
    }
    leaf transport {
      type snmp-transport-type;
      description
        "The transport protocol used.";
    }
    leaf target-parmas {
      type snmp:identifier;
      description
        "Parameters for the target.";
    }
    description
      "The list of targets.";
    reference
      "RFC 3413 & RFC 7407";
  }

  list target-params {
    key name;
    leaf name {
      type snmp:identifier;
      description
        "The name that identifies the target params.";
    }
    choice params {
      case usm {
        uses snmp:usm-target-params;
        description
          "Reuses the grouping defined in ietf-snmp-usm.";
      }
      case tsm {
        if-feature snmp:tsm;
        uses snmp:tsm-target-params;
        description
          "Reuses the grouping defined in ietf-snmp-tsm.";
      }
      description
        "The parameters specific to each security model.";
    }
    description
      "List of target parameters.";
  }

  container vacm {
    leaf vacm-enable {
      type boolean;
      config false;
      description
        "Whether VACM based security configurations are used.";
    }
    list group {
      key name;
      leaf name {
        type snmp:group-name;
        description
          "The name of this VACM group.";
      }
      list member {
        key "security-name";
        leaf security-name {
          type snmp:security-name;
          description
            "The securityName of a group member.";
        }
        leaf-list security-model {
          type snmp:security-model;
          min-elements 1;
          description
            "The security models under which this security-name is a
             member of this group.";
        }
        description
          "A member of this VACM group.";
      }
      list access {
        key "context security-model security-level";
        leaf context {
          type snmp:context-name;
          description
            "The context under which the access rights apply.";
        }
        leaf context-match {
          type enumeration {
            enum exact {
              value 1;
              description
                "The context match type: exact.";
            }
            enum prefix {
              value 2;
              description
                "The context match type: prefix.";
            }
          }
          description
            "The match type of the context.";
        }
        leaf security-model {
          type snmp:security-model-or-any;
          description
            "The security model under which the access rights apply.";
        }
        leaf security-level {
          type snmp:security-level;
          description
            "The minimum security level under which the access rights
             apply.";
        }
        leaf read-view {
          type snmp:view-name;
          description
            "The name of the MIB view of the SNMP context authorizing
             read access. If this leaf does not exist in a
             configuration, it maps to a zero-length
             vacmAccessReadViewName.";
        }
        leaf wirte-view {
          type snmp:view-name;
          description
            "The name of the MIB view of the SNMP context authorizing
             write access. If this leaf does not exist in a
             configuration, it maps to a zero-length
             vacmAccessWriteViewName.";
        }
        leaf notify-view {
          type snmp:view-name;
          description
            "The name of the MIB view of the SNMP context authorizing
             notify access. If this leaf does not exist in a
             configuration, it maps to a zero-length
             vacmAccessNotifyViewName.";
        }
        description
          "Definition of access rights for groups.";
      }
      description
        "VACM groups.";
      reference
        "RFC 3415: View-based Access Control Model (VACM) for the
         Simple Network Management Protocol (SNMP)";
    }
    list view {
      key name;
      leaf name {
        type snmp:view-name;
        description
          "The name of this MIB view.";
      }
      leaf-list include {
        type snmp:wildcard-object-identifier;
        description
          "A family of subtrees included in this MIB view.";
      }
      leaf-list exclude {
        type snmp:wildcard-object-identifier;
        description
          "A family of subtrees excluded from this MIB view.";
      }
      description
        "Definition of MIB views.";
    }
    description
      "The security configurations for the View-based Access Control
       Model (VACM).";
  }

  container usm {
    leaf usm-enable {
      type boolean;
      config false;
      description
        "Whether USM based security configurations are used.";
    }
    container local {
      uses user-auth-priv;
      description
        "A list of local users and their corresponding authentication
         and privacy protocols.";
    }
    container remote {
      uses user-auth-priv;
      description
        "A list of remote users and their corresponding
         authentication and privacy protocols.";
    }
    description
      "Configuration of the User-based Security Model.";
  }

  container tsm {
    if-feature tsm;
    leaf tsm-enable {
      type boolean;
      config false;
      description
        "Whether TSM based security configurations are used.";
    }
    description
      "Configuration of the Transport Security Model.";
  }
}

6.6. Module 'ietf-netconf-security'

module ietf-netconf-security {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-security";
  prefix netsec;
  import ietf-admin-access-security {
    prefix accsec;
  }
  import ietf-inet-types {
    prefix inet;
    reference
      "RFC 6991: Common YANG Data Types";
  }

  organization
    "IETF SACM (Security Automation and Continuous Monitoring)
     Working Group";

  contact
    "WG Web:   http://tools.ietf.org/wg/sacm/
     WG List:  sacm@ietf.org
     Editor:   Qiushi Lin
               linqiushi@huawei.com;
     Editor:   Liang Xia
               frank.xialiang@huawei.com
     Editor:   Henk Birkholz
               henk.birkholz@sit.fraunhofer.de";

  description
    "This YANG module defines the ietf-netconf-security YANG module.";

  revision 2018-10-16 {
    description
      "Initial version.";
    reference
      "draft-lin-sacm-nid-mp-security-baseline-04: The Data Model of
       Network Infrastructure Device Management Plane Security
       Baseline";
  }

  /*
   * features
   */

  feature listen {
    description
      "The 'listen' feature indicates that the NETCONF server supports
       opening a port to accept NETCONF client connections using at
       least one transport (e.g., SSH, TLS, etc.).";
  }
  feature ssh-listen {
    description
      "The 'ssh-listen' feature indicates that the NETCONF server
       supports opening a port to accept NETCONF over SSH client
       connections.";
    reference
      "RFC 6242: Using the NETCONF Protocol over Secure Shell (SSH)";
  }
     feature tls-listen {
       description
         "The 'tls-listen' feature indicates that the NETCONF
          server supports opening a port to accept NETCONF over
          TLS client connections.";
       reference
         "RFC 7589: Using the NETCONF Protocol over Transport Layer
          Security (TLS) with Mutual X.509 Authentication";
     }

     feature call-home {
       description
         "The 'call-home' feature indicates that the NETCONF server
          supports initiating NETCONF call home connections to
          NETCONF clients using at least one transport (e.g., SSH,
          TLS, etc.).";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
     }

     feature ssh-call-home {
       description
         "The 'ssh-call-home' feature indicates that the NETCONF
          server supports initiating a NETCONF over SSH call home
          connection to NETCONF clients.";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
     }

     feature tls-call-home {
       description
         "The 'tls-call-home' feature indicates that the NETCONF
          server supports initiating a NETCONF over TLS call home
          connection to NETCONF clients.";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
     }

     /*
      * leaf & containers
      */

     leaf netconf-enable {
       type boolean;
       description
         "Whether the NETCONF protocol is used.";
     }

     container listen {
       if-feature listen;
       list endpoint {
         key name;
         leaf name {
           type string;
           description
             "The name of the NETCONF listen endpoint.";
         }
         choice transport {
           case ssh {
             if-feature ssh-listen;
             /*
              * Both cases of this choice originally defined a leaf
              * named 'port' directly.  RFC 7950, Section 7.9.2,
              * requires the child identifiers of all cases of a
              * choice to be unique, so each case's nodes are wrapped
              * in a container named after its transport, as
              * draft-ietf-netconf-netconf-client-server does.
              */
             container ssh {
               leaf port {
                 type inet:port-number;
                 description
                   "The local port number to listen on.";
               }
               uses accsec:ssh-server-attribute-grouping;
               description
                 "SSH transport parameters.";
             }
             description
               "SSH based listening.";
           }
           case tls {
             if-feature tls-listen;
             container tls {
               leaf port {
                 type inet:port-number;
                 description
                   "The local port number to listen on.";
               }
               uses accsec:tls-server-attribute-grouping;
               description
                 "TLS transport parameters.";
             }
             description
               "TLS based listening.";
           }
           description
             "The transport protocol used.";
         }
         description
           "List of endpoints to listen on for NETCONF connections.";
       }
       description
         "Configurations related to the listen behavior.";
     }

     container call-home {
       if-feature call-home;
       list netconf-client {
         key name;
         leaf name {
           type string;
           description
             "The name of the remote NETCONF client.";
         }
         container endpoints {
           list endpoint {
             key name;
             leaf name {
               type string;
               description
                 "The name for this endpoint.";
             }
             choice transport {
               case ssh {
                 if-feature ssh-call-home;
                 /*
                  * Wrapped in a container for the same reason as in
                  * the 'listen' choice above.
                  */
                 container ssh {
                   leaf port {
                     type inet:port-number;
                     description
                       "The IP port for this endpoint.";
                   }
                   uses accsec:ssh-server-attribute-grouping;
                   description
                     "SSH transport parameters.";
                 }
                 description
                   "SSH based call-home.";
               }
               case tls {
                 if-feature tls-call-home;
                 container tls {
                   leaf port {
                     type inet:port-number;
                     description
                       "The IP port for this endpoint.";
                   }
                   uses accsec:tls-server-attribute-grouping;
                   description
                     "TLS transport parameters.";
                 }
                 description
                   "TLS based call-home.";
               }
               description
                 "The transport protocol used.";
             }
             description
               "A list of endpoints for this NETCONF server to try to
                connect to in sequence.";
           }
           description
             "List of endpoints.";
         }
         description
           "List of NETCONF clients the NETCONF server is to initiate
            call-home connections to in parallel.";
       }
       description
         "Configurations related to call-home behavior.";
     }
   }

6.7.  Module 'ietf-port-management-security'

   <CODE BEGINS> file "ietf-port-management-security@2018-10-16.yang"

   module ietf-port-management-security {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-port-management-security";
     prefix acsec;

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991: Common YANG Data Types";
     }

     organization
       "IETF SACM (Security Automation and Continuous Monitoring)
        Working Group";

     contact
       "WG Web:   http://tools.ietf.org/wg/sacm/
        WG List:  sacm@ietf.org

        Editor:   Qiushi Lin
                  linqiushi@huawei.com
        Editor:   Liang Xia
                  frank.xialiang@huawei.com
        Editor:   Henk Birkholz
                  henk.birkholz@sit.fraunhofer.de";

     description
       "This YANG module defines the port management security
        baseline of a network infrastructure device.";

     revision 2018-10-16 {
       description
         "Initial version.";
       reference
         "draft-lin-sacm-nid-mp-security-baseline-04: The Data Model
          of Network Infrastructure Device Management Plane Security
          Baseline";
     }

     list port-list {
       key port-number;
       leaf port-number {
         type inet:port-number;
         description
           "The port number.";
       }
       leaf port-status {
         type boolean;
         description
           "The status of the port: open or shut down.";
       }
       description
         "The status of all the ports in the device.";
     }
   }

   <CODE ENDS>

7.  Acknowledgements

8.  IANA Considerations

   This document requires no IANA actions.

9.  Security Considerations

   A secure transport should be used to retrieve the current status of
   the management plane security baseline.

10.  References

10.1.  Normative References

   [I-D.birkholz-sacm-yang-content]
              Birkholz, H. and N. Cam-Winget, "YANG subscribed
              notifications via SACM Statements",
              draft-birkholz-sacm-yang-content-01 (work in progress),
              January 2018.

   [I-D.dong-sacm-nid-cp-security-baseline]
              Dong, Y. and L.
              Xia, "The Data Model of Network Infrastructure Device
              Control Plane Security Baseline",
              draft-dong-sacm-nid-cp-security-baseline-00 (work in
              progress), September 2017.

   [I-D.dong-sacm-nid-infra-security-baseline]
              Dong, Y. and L. Xia, "The Data Model of Network
              Infrastructure Device Infrastructure Layer Security
              Baseline", draft-dong-sacm-nid-infra-security-baseline-01
              (work in progress), May 2018.

   [I-D.ietf-netconf-keystore]
              Watsen, K., "YANG Data Model for a Centralized Keystore
              Mechanism", draft-ietf-netconf-keystore-06 (work in
              progress), September 2018.

   [I-D.ietf-netconf-netconf-client-server]
              Watsen, K., "NETCONF Client and Server Models",
              draft-ietf-netconf-netconf-client-server-07 (work in
              progress), September 2018.

   [I-D.ietf-netconf-ssh-client-server]
              Watsen, K. and G. Wu, "YANG Groupings for SSH Clients and
              SSH Servers", draft-ietf-netconf-ssh-client-server-07
              (work in progress), September 2018.

   [I-D.ietf-netconf-tls-client-server]
              Watsen, K. and G. Wu, "YANG Groupings for TLS Clients and
              TLS Servers", draft-ietf-netconf-tls-client-server-07
              (work in progress), September 2018.

   [I-D.ietf-netmod-acl-model]
              Jethanandani, M., Agarwal, S., Huang, L., and D. Blair,
              "Network Access Control List (ACL) YANG Data Model",
              draft-ietf-netmod-acl-model-20 (work in progress),
              October 2018.

   [I-D.ietf-netmod-syslog-model]
              Wildes, C. and K. Koushik, "A YANG Data Model for Syslog
              Configuration", draft-ietf-netmod-syslog-model-26 (work
              in progress), March 2018.

   [I-D.ietf-sacm-information-model]
              Waltermire, D., Watson, K., Kahn, C., Lorenzin, L.,
              Cokus, M., Haynes, D., and H. Birkholz, "SACM Information
              Model", draft-ietf-sacm-information-model-10 (work in
              progress), April 2017.

   [I-D.xia-sacm-nid-dp-security-baseline]
              Xia, L. and G. Zheng, "The Data Model of Network
              Infrastructure Device Data Plane Security Baseline",
              draft-xia-sacm-nid-dp-security-baseline-02 (work in
              progress), June 2018.

   [RFC7317]  Bierman, A. and M. Bjorklund, "A YANG Data Model for
              System Management", RFC 7317, DOI 10.17487/RFC7317,
              August 2014.

   [RFC7407]  Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model
              for SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407,
              December 2014.

10.2.  Informative References

   [I-D.ietf-tls-oldversions-deprecate]
              Moriarty, K. and S. Farrell, "Deprecating TLSv1.0 and
              TLSv1.1", draft-ietf-tls-oldversions-deprecate-00 (work
              in progress), September 2018.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling
              Language", RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore
              Architecture (NMDA)", RFC 8342, DOI 10.17487/RFC8342,
              March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS)
              Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446,
              August 2018.

Appendix A.

   The following table summarizes the YANG modules defined in this
   document for the network infrastructure device management plane.
   The existing RFCs and drafts related to each module are listed on
   the right side.
   +-------------------------------+-------------------------------------------+
   | Modules                       | Related RFCs/Drafts                       |
   +-------------------------------+-------------------------------------------+
   | ietf-admin-account-security   | None                                      |
   | ietf-admin-access-security    | draft-ietf-netconf-keystore,              |
   |                               | draft-ietf-netconf-ssh-client-server,     |
   |                               | draft-ietf-netconf-tls-client-server      |
   | ietf-aaa-security             | RFC 7317                                  |
   | ietf-admin-access-statistics  | None                                      |
   | ietf-snmp-security            | RFC 7407                                  |
   | ietf-netconf-security         | draft-ietf-netconf-netconf-client-server, |
   |                               | draft-ietf-netconf-keystore               |
   | ietf-port-management-security | None                                      |
   | ietf-log-security             | draft-ietf-netmod-syslog-model            |
   | ietf-file-security            | draft-ietf-netconf-keystore,              |
   |                               | draft-ietf-netconf-ssh-client-server,     |
   |                               | draft-ietf-netconf-tls-client-server      |
   +-------------------------------+-------------------------------------------+

         The modules defined in this document and related RFCs/drafts

   Draft [I-D.ietf-netconf-tls-client-server] and draft
   [I-D.ietf-netconf-ssh-client-server] focus on YANG models for
   TLS-specific configuration and SSH-specific configuration,
   respectively.  Transport-level configuration, such as which ports to
   listen on or connect to, is not included.  Moreover, as these
   groupings focus on configuration, the private-key configuration and
   the "certificate-expiration" notification are not needed here.

   Draft [I-D.ietf-netconf-netconf-client-server] defines a NETCONF YANG
   model based on the data models defined in the above two documents.

   [RFC7317] defines a YANG data model for system management of a
   device containing a NETCONF server.
   It covers NETCONF user authentication and defines a YANG module for
   clients to configure the RADIUS authentication server information.
   Three methods are defined for user authentication: public key for
   local users over SSH, password for local users over any secure
   transport, and password for RADIUS users over any secure transport.

   [RFC7407] defines a YANG data model for SNMP configuration; it is
   not limited to security-related configuration and status.

   Draft [I-D.ietf-netmod-syslog-model] defines a YANG data model for
   syslog configuration, including TLS-based transport security and
   syslog message signing.

Authors' Addresses

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong  518129
   China

   Email: linqiushi@huawei.com


   Liang Xia
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu  210012
   China

   Email: Frank.xialiang@huawei.com


   Henk Birkholz
   Fraunhofer SIT
   Rheinstrasse 75
   Darmstadt  64295
   Germany

   Email: henk.birkholz@sit.fraunhofer.de
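The draft states that the modelled values are meant to feed a posture assessment. As an added worked example (not part of the draft or of any project code), the following Python script evaluates constructed instance data of the ietf-netconf-security and ietf-port-management-security modules in Sections 6.6 and 6.7 against a small constructed baseline policy. It assumes RFC 7951 JSON naming, that each listen and call-home endpoint carries its transport case as an "ssh" or "tls" object holding the port, and that a port-status of true means the port is open; the policy values, device data and finding strings are all assumptions.

```python
# Added example (not part of the draft): baseline check over constructed
# instance data of ietf-netconf-security and ietf-port-management-security.
# Assumed encoding: RFC 7951 JSON names; each endpoint carries its transport
# case as an "ssh"/"tls" object holding "port"; port-status true = open.
DEFAULT_PORT = {"ssh": 830, "tls": 6513}   # RFC 6242 / RFC 7589 defaults
NS, PM = "ietf-netconf-security:", "ietf-port-management-security:"

INSTANCE = {                                # constructed device data
    NS + "netconf-enable": True,
    NS + "listen": {"endpoint": [
        {"name": "mgmt", "tls": {"port": 6513}},
        {"name": "legacy", "ssh": {"port": 2222}}]},
    NS + "call-home": {"netconf-client": [
        {"name": "nms-1", "endpoints": {"endpoint": [
            {"name": "primary", "tls": {"port": 4335}}]}},
        {"name": "unknown-box", "endpoints": {"endpoint": [
            {"name": "primary", "ssh": {}}]}}]},
    PM + "port-list": [
        {"port-number": 22, "port-status": True},
        {"port-number": 23, "port-status": True},
        {"port-number": 6513, "port-status": True},
        {"port-number": 2222, "port-status": False}],
}
POLICY = {"transports": {"tls"}, "open_ports": {22, 6513},   # constructed
          "call_home_peers": {"nms-1"}}

def transport_of(endpoint):
    """Return (transport, port) for the endpoint's chosen case, else (None, None)."""
    for t in ("ssh", "tls"):
        if t in endpoint:
            return t, endpoint[t].get("port", DEFAULT_PORT[t])
    return None, None

def assess(instance, policy):
    """Return sorted findings; an empty list means the baseline is met."""
    findings = []
    open_ports = {p["port-number"] for p in instance.get(PM + "port-list", [])
                  if p["port-status"]}
    for ep in instance.get(NS + "listen", {}).get("endpoint", []):
        t, port = transport_of(ep)
        if t not in policy["transports"]:
            findings.append(f"listen {ep['name']}: transport {t} not allowed")
        if port not in open_ports:   # NETCONF listens but port-list says shut down
            findings.append(f"listen {ep['name']}: port {port} not open in port-list")
    for c in instance.get(NS + "call-home", {}).get("netconf-client", []):
        if c["name"] not in policy["call_home_peers"]:
            findings.append(f"call-home {c['name']}: peer not registered")
    for p in sorted(open_ports - policy["open_ports"]):
        findings.append(f"port {p} open but not in the allowed list")
    return sorted(findings)
```

The cross-check between the listen endpoints and port-list is the part a single module cannot express on its own: a NETCONF endpoint whose port the device reports as shut down, or an open port that no policy entry accounts for, is reported as a finding.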