| < draft-ietf-netmod-system-mgmt-10.txt | draft-ietf-netmod-system-mgmt-16.txt > | |||
|---|---|---|---|---|
| Network Working Group A. Bierman | Network Working Group A. Bierman | |||
| Internet-Draft YumaWorks | Internet-Draft YumaWorks | |||
| Intended status: Standards Track M. Bjorklund | Intended status: Standards Track M. Bjorklund | |||
| Expires: June 26, 2014 Tail-f Systems | Expires: November 15, 2014 Tail-f Systems | |||
| December 23, 2013 | May 14, 2014 | |||
| A YANG Data Model for System Management | A YANG Data Model for System Management | |||
| draft-ietf-netmod-system-mgmt-10 | draft-ietf-netmod-system-mgmt-16 | |||
| Abstract | Abstract | |||
| This document defines a YANG data model for the configuration and | This document defines a YANG data model for the configuration and | |||
| identification of some common system properties within a device | identification of some common system properties within a device | |||
| containing a NETCONF server. This includes data node definitions for | containing a NETCONF server. This includes data node definitions for | |||
| system identification, time-of-day management, user management, DNS | system identification, time-of-day management, user management, DNS | |||
| resolver configuration, and some protocol operations for system | resolver configuration, and some protocol operations for system | |||
| management. | management. | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on June 26, 2014. | This Internet-Draft will expire on November 15, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 29 ¶ | skipping to change at page 2, line 29 ¶ | |||
| 3.1. System Identification . . . . . . . . . . . . . . . . . . 7 | 3.1. System Identification . . . . . . . . . . . . . . . . . . 7 | |||
| 3.2. System Time Management . . . . . . . . . . . . . . . . . . 7 | 3.2. System Time Management . . . . . . . . . . . . . . . . . . 7 | |||
| 3.3. DNS Resolver Model . . . . . . . . . . . . . . . . . . . . 8 | 3.3. DNS Resolver Model . . . . . . . . . . . . . . . . . . . . 8 | |||
| 3.4. RADIUS Client Model . . . . . . . . . . . . . . . . . . . 8 | 3.4. RADIUS Client Model . . . . . . . . . . . . . . . . . . . 8 | |||
| 3.5. User Authentication Model . . . . . . . . . . . . . . . . 9 | 3.5. User Authentication Model . . . . . . . . . . . . . . . . 9 | |||
| 3.5.1. SSH Public Key Authentication . . . . . . . . . . . . 9 | 3.5.1. SSH Public Key Authentication . . . . . . . . . . . . 9 | |||
| 3.5.2. Local User Password Authentication . . . . . . . . . . 10 | 3.5.2. Local User Password Authentication . . . . . . . . . . 10 | |||
| 3.5.3. RADIUS Password Authentication . . . . . . . . . . . . 10 | 3.5.3. RADIUS Password Authentication . . . . . . . . . . . . 10 | |||
| 3.6. System Control . . . . . . . . . . . . . . . . . . . . . . 10 | 3.6. System Control . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 4. Relationship to the SNMPv2-MIB . . . . . . . . . . . . . . . . 11 | 4. Relationship to the SNMPv2-MIB . . . . . . . . . . . . . . . . 11 | |||
| 5. System YANG module . . . . . . . . . . . . . . . . . . . . . . 12 | 5. IANA Crypt Hash YANG module . . . . . . . . . . . . . . . . . 12 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 31 | 6. System YANG module . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 32 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 | |||
| 8. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 34 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 34 | |||
| 8.1. 00-01 . . . . . . . . . . . . . . . . . . . . . . . . . . 34 | 9. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 8.2. 01-02 . . . . . . . . . . . . . . . . . . . . . . . . . . 34 | 9.1. 00-01 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 8.3. 02-03 . . . . . . . . . . . . . . . . . . . . . . . . . . 34 | 9.2. 01-02 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 8.4. 03-04 . . . . . . . . . . . . . . . . . . . . . . . . . . 34 | 9.3. 02-03 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 8.5. 04-05 . . . . . . . . . . . . . . . . . . . . . . . . . . 34 | 9.4. 03-04 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 8.6. 05-06 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 | 9.5. 04-05 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 8.7. 06-07 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 | 9.6. 05-06 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 | |||
| 8.8. 07-08 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | 9.7. 06-07 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 | |||
| 8.9. 08-09 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | 9.8. 07-08 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 8.10. 09-10 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | 9.9. 08-09 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 37 | 9.10. 09-10 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . . 37 | 9.11. 11-12 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . . 38 | 9.12. 13-14 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 39 | 9.13. 14-15 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 39 | ||||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . . 39 | ||||
| 10.2. Informative References . . . . . . . . . . . . . . . . . . 40 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 41 | ||||
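Review bot: the -16 Change Log entries listed in the table of contents are incomplete: sections 9.1 through 9.13 run 00-01 ... 09-10, then jump to 11-12, then to 13-14 and 14-15, so there are no entries for 10-11, 12-13, or for the 15-16 change that this diff itself represents. Either add the missing "10-11", "12-13" and "15-16" subsections or state that those revisions carried no changes.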
| 1. Introduction | 1. Introduction | |||
| This document defines a YANG [RFC6020] data model for the | This document defines a YANG [RFC6020] data model for the | |||
| configuration and identification of some common properties within a | configuration and identification of some common properties within a | |||
| device containing a NETCONF server. | device containing a NETCONF server. | |||
| Devices that are managed by NETCONF and perhaps other mechanisms have | Devices that are managed by NETCONF and perhaps other mechanisms have | |||
| common properties that need to be configured and monitored in a | common properties that need to be configured and monitored in a | |||
| standard way. | standard way. | |||
| skipping to change at page 3, line 37 ¶ | skipping to change at page 3, line 37 ¶ | |||
| o system control operations (shutdown, restart, setting time) | o system control operations (shutdown, restart, setting time) | |||
| 1.1. Terminology | 1.1. Terminology | |||
| The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14, [RFC2119]. | 14, [RFC2119]. | |||
| The following terms are defined in [RFC6241] and are not redefined | ||||
| here: | ||||
| o client | ||||
| o configuration data | ||||
| o server | ||||
| o state data | ||||
| 1.2. Tree Diagrams | 1.2. Tree Diagrams | |||
| A simplified graphical representation of the data model is used in | A simplified graphical representation of the data model is used in | |||
| this document. The meaning of the symbols in these diagrams is as | this document. The meaning of the symbols in these diagrams is as | |||
| follows: | follows: | |||
| o Brackets "[" and "]" enclose list keys. | o Brackets "[" and "]" enclose list keys. | |||
| o Abbreviations before data node names: "rw" means configuration | o Abbreviations before data node names: "rw" means configuration | |||
| (read-write) and "ro" state data (read-only). | (read-write) and "ro" state data (read-only). | |||
| skipping to change at page 5, line 24 ¶ | skipping to change at page 5, line 24 ¶ | |||
| Some user-configurable administrative strings are also provided, such | Some user-configurable administrative strings are also provided, such | |||
| as the system location and description. | as the system location and description. | |||
| 2.2. System Time Management | 2.2. System Time Management | |||
| The management of the date and time used by the system need to be | The management of the date and time used by the system need to be | |||
| supported. Use of one or more NTP servers to automatically set the | supported. Use of one or more NTP servers to automatically set the | |||
| system date and time need to be possible. Utilization of the | system date and time need to be possible. Utilization of the | |||
| Timezone database [RFC6557] also need to be supported. It should be | Timezone database [RFC6557] also need to be supported. It should be | |||
| possible for the server, as well as clients, to configure the system | possible to configure the system to use NTP. | |||
| to use NTP. | ||||
| 2.3. User Authentication | 2.3. User Authentication | |||
| The authentication mechanism need to support password authentication | The authentication mechanism needs to support password authentication | |||
| over RADIUS, to support deployment scenarios with centralized | over RADIUS, to support deployment scenarios with centralized | |||
| authentication servers. Additionally, local users need to be | authentication servers. Additionally, local users need to be | |||
| supported, for scenarios when no centralized authentication server | supported, for scenarios when no centralized authentication server | |||
| exists, or for situations where the centralized authentication server | exists, or for situations where the centralized authentication server | |||
| cannot be reached from the device. | cannot be reached from the device. | |||
| Since the mandatory transport protocol for NETCONF is SSH [RFC6242] | Since the mandatory transport protocol for NETCONF is SSH [RFC6242] | |||
| the authentication model need to support SSH's "publickey" and | the authentication model needs to support SSH's "publickey" and | |||
| "password" authentication methods [RFC4252]. | "password" authentication methods [RFC4252]. | |||
| The model for authentication configuration should be flexible enough | The model for authentication configuration should be flexible enough | |||
| to support authentication methods defined by other standard documents | to support authentication methods defined by other standard documents | |||
| or by vendors. It should be possible for the server, as well as | or by vendors. It should be possible to configure the system | |||
| clients, to configure the system authentication properties. | authentication properties. | |||
| 2.4. DNS Resolver | 2.4. DNS Resolver | |||
| The configuration of the DNS resolver within the system containing | The configuration of the DNS resolver within the system containing | |||
| the NETCONF server is required to control how domain names are | the NETCONF server is required in order to control how domain names | |||
| resolved. | are resolved. | |||
| 2.5. System Control | 2.5. System Control | |||
| A few operations are needed to support common tasks such as | A few operations are needed to support common tasks such as | |||
| restarting the device or setting the system date and time. | restarting the device or setting the system date and time. | |||
| 3. System Data Model | 3. System Data Model | |||
| 3.1. System Identification | 3.1. System Identification | |||
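Review bot: the subject-verb agreement fix applied in Section 2.3 of -16 ("The authentication mechanism needs to support", "the authentication model needs to support") was not carried into Section 2.2, which still reads "The management of the date and time used by the system need to be supported", "need to be possible" and "also need to be supported", each with a singular subject. Change these to "needs to" for consistency.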
| skipping to change at page 7, line 30 ¶ | skipping to change at page 7, line 30 ¶ | |||
| +--ro machine? string | +--ro machine? string | |||
| 3.2. System Time Management | 3.2. System Time Management | |||
| The data model for system time management has the following | The data model for system time management has the following | |||
| structure: | structure: | |||
| +--rw system | +--rw system | |||
| | +--rw clock | | +--rw clock | |||
| | | +--rw (timezone)? | | | +--rw (timezone)? | |||
| | | +--:(timezone-location) | | | +--:(timezone-name) | |||
| | | | +--rw timezone-location? ianatz:iana-timezone | | | | +--rw timezone-name? timezone-name | |||
| | | +--:(timezone-utc-offset) | | | +--:(timezone-utc-offset) | |||
| | | +--rw timezone-utc-offset? int16 | | | +--rw timezone-utc-offset? int16 | |||
| | +--rw ntp! | | +--rw ntp! | |||
| | +--rw enabled? boolean | | +--rw enabled? boolean | |||
| | +--rw server* [name] | | +--rw server* [name] | |||
| | +--rw name string | | +--rw name string | |||
| | +--rw (transport) | | +--rw (transport) | |||
| | | +--:(udp) | | | +--:(udp) | |||
| | | +--rw udp | | | +--rw udp | |||
| | | +--rw address inet:host | | | +--rw address inet:host | |||
| skipping to change at page 9, line 12 ¶ | skipping to change at page 9, line 12 ¶ | |||
| New "case" statements can be added over time or augmented to the | New "case" statements can be added over time or augmented to the | |||
| "transport" choice to support other transport protocols. | "transport" choice to support other transport protocols. | |||
| 3.5. User Authentication Model | 3.5. User Authentication Model | |||
| This document defines three authentication methods for use with | This document defines three authentication methods for use with | |||
| NETCONF: | NETCONF: | |||
| o publickey for local users over SSH | o publickey for local users over SSH | |||
| o password for local users over any transport | o password for local users over any secure transport | |||
| o password for RADIUS users over any transport | o password for RADIUS users over any secure transport | |||
| Additional methods can be defined by other standard documents or by | Additional methods can be defined by other standard documents or by | |||
| vendors. | vendors. | |||
| This document defines two optional YANG features, "local-users" and | This document defines two optional YANG features, "local-users" and | |||
| "radius-authentication", which the server advertises to indicate | "radius-authentication", which the server advertises to indicate | |||
| support for configuring local users on the device, and support for | support for configuring local users on the device, and support for | |||
| using RADIUS for authentication, respectively. | using RADIUS for authentication, respectively. | |||
| The authentication parameters defined in this document are primarily | The authentication parameters defined in this document are primarily | |||
| skipping to change at page 9, line 36 ¶ | skipping to change at page 9, line 36 ¶ | |||
| used by other interfaces, e.g., a Command Line Interface or a Web- | used by other interfaces, e.g., a Command Line Interface or a Web- | |||
| based User Interface. | based User Interface. | |||
| The data model for user authentication has the following structure: | The data model for user authentication has the following structure: | |||
| +--rw system | +--rw system | |||
| +--rw authentication | +--rw authentication | |||
| +--rw user-authentication-order* identityref | +--rw user-authentication-order* identityref | |||
| +--rw user* [name] | +--rw user* [name] | |||
| +--rw name string | +--rw name string | |||
| +--rw password? crypt-hash | +--rw password? ianach:crypt-hash | |||
| +--rw ssh-key* [name] | +--rw authorized-key* [name] | |||
| +--rw name string | +--rw name string | |||
| +--rw algorithm string | +--rw algorithm string | |||
| +--rw key-data binary | +--rw key-data binary | |||
| 3.5.1. SSH Public Key Authentication | 3.5.1. SSH Public Key Authentication | |||
| If the NETCONF server advertises the "local-users" feature, | If the NETCONF server advertises the "local-users" feature, | |||
| configuration of local users and their SSH public keys is supported | configuration of local users and their SSH public keys is supported | |||
| in the /system/authentication/user list. | in the /system/authentication/user list. | |||
| skipping to change at page 11, line 9 ¶ | skipping to change at page 11, line 9 ¶ | |||
| Two protocol operations are included to restart or shutdown the | Two protocol operations are included to restart or shutdown the | |||
| system. The 'system-restart' operation can be used to restart the | system. The 'system-restart' operation can be used to restart the | |||
| entire system (not just the NETCONF server). The 'system-shutdown' | entire system (not just the NETCONF server). The 'system-shutdown' | |||
| operation can be used to power off the entire system. | operation can be used to power off the entire system. | |||
| 4. Relationship to the SNMPv2-MIB | 4. Relationship to the SNMPv2-MIB | |||
| If a device implements the SNMPv2-MIB [RFC3418], there are two | If a device implements the SNMPv2-MIB [RFC3418], there are two | |||
| objects that MAY be mapped by the implementation. See the YANG | objects that MAY be mapped by the implementation. See the YANG | |||
| module definition in Section 5 for details. The following table | module definition in Section 6 for details. The following table | |||
| lists the YANG data nodes with corresponding objects in the SNMPv2- | lists the YANG data nodes with corresponding objects in the SNMPv2- | |||
| MIB. | MIB. | |||
| +----------------+-------------------+ | +----------------+-------------------+ | |||
| | YANG data node | SNMPv2-MIB object | | | YANG data node | SNMPv2-MIB object | | |||
| +----------------+-------------------+ | +----------------+-------------------+ | |||
| | contact | sysContact | | | contact | sysContact | | |||
| | location | sysLocation | | | location | sysLocation | | |||
| +----------------+-------------------+ | +----------------+-------------------+ | |||
| YANG interface configuration data nodes and related SNMPv2-MIB | YANG interface configuration data nodes and related SNMPv2-MIB | |||
| objects | objects | |||
| 5. System YANG module | 5. IANA Crypt Hash YANG module | |||
| This YANG module imports YANG extensions from [RFC6536], and imports | This YANG module references [RFC1321], [IEEE-1003.1-2008], and | |||
| YANG types from [RFC6991] and [I-D.ietf-netmod-iana-timezones]. It | [FIPS.180-3.2008]. | |||
| also references [RFC1035], [RFC1321], [RFC2865], [RFC3418], | ||||
| [RFC5607], [RFC5966], [IEEE-1003.1-2008], and [FIPS.180-3.2008]. | ||||
| RFC Ed.: update the date below with the date of RFC publication and | RFC Ed.: update the date below with the date of RFC publication and | |||
| remove this note. | remove this note. | |||
| <CODE BEGINS> file "ietf-system@2013-12-23.yang" | <CODE BEGINS> file "iana-crypt-hash@2014-04-04.yang" | |||
| module ietf-system { | ||||
| namespace "urn:ietf:params:xml:ns:yang:ietf-system"; | ||||
| prefix "sys"; | ||||
| import ietf-yang-types { | ||||
| prefix yang; | ||||
| } | ||||
| import ietf-inet-types { | ||||
| prefix inet; | ||||
| } | ||||
| import ietf-netconf-acm { | ||||
| prefix nacm; | ||||
| } | ||||
| import iana-timezones { | ||||
| prefix ianatz; | ||||
| } | ||||
| organization | module iana-crypt-hash { | |||
| "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | namespace "urn:ietf:params:xml:ns:yang:iana-crypt-hash"; | |||
| prefix ianach; | ||||
| organization "IANA"; | ||||
| contact | contact | |||
| "WG Web: <http://tools.ietf.org/wg/netmod/> | " Internet Assigned Numbers Authority | |||
| WG List: <mailto:netmod@ietf.org> | ||||
| WG Chair: David Kessens | ||||
| <mailto:david.kessens@nsn.com> | ||||
| WG Chair: Juergen Schoenwaelder | Postal: ICANN | |||
| <mailto:j.schoenwaelder@jacobs-university.de> | 4676 Admiralty Way, Suite 330 | |||
| Marina del Rey, CA 90292 | ||||
| Editor: Andy Bierman | Tel: +1 310 823 9358 | |||
| <mailto:andy@yumaworks.com> | E-Mail: iana&iana.org"; | |||
| description | ||||
| "This YANG module defines a typedef for storing passwords | ||||
| using a hash function, and features to indicate which hash | ||||
| functions are supported by an implementation. | ||||
| Editor: Martin Bjorklund | The latest revision of this YANG module can be obtained from | |||
| <mailto:mbj@tail-f.com>"; | the IANA web site. | |||
| description | Requests for new values should be made to IANA via | |||
| "This module contains a collection of YANG definitions for the | email (iana&iana.org). | |||
| configuration and identification of some common system | ||||
| properties within a device containing a NETCONF server. This | ||||
| includes data node definitions for system identification, | ||||
| time-of-day management, user management, DNS resolver | ||||
| configuration, and some protocol operations for system | ||||
| management. | ||||
| Copyright (c) 2013 IETF Trust and the persons identified as | Copyright (c) 2014 IETF Trust and the persons identified as | |||
| authors of the code. All rights reserved. | authors of the code. All rights reserved. | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject | without modification, is permitted pursuant to, and subject | |||
| to the license terms contained in, the Simplified BSD License | to the license terms contained in, the Simplified BSD License | |||
| set forth in Section 4.c of the IETF Trust's Legal Provisions | set forth in Section 4.c of the IETF Trust's Legal Provisions | |||
| Relating to IETF Documents | Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC XXXX; see | The initial version of this YANG module is part of RFC XXXX; | |||
| the RFC itself for full legal notices."; | see the RFC itself for full legal notices."; | |||
| // RFC Ed.: replace XXXX with actual RFC number and remove this | // RFC Ed.: replace XXXX with actual RFC number and remove this | |||
| // note. | // note. | |||
| // RFC Ed.: remove this note | ||||
| // Note: extracted from draft-ietf-netmod-system-mgmt-07.txt | ||||
| // RFC Ed.: update the date below with the date of RFC publication | // RFC Ed.: update the date below with the date of RFC publication | |||
| // and remove this note. | // and remove this note. | |||
| revision "2013-12-23" { | revision 2014-04-04 { | |||
| description | description | |||
| "Initial revision."; | "Initial revision."; | |||
| reference | reference | |||
| "RFC XXXX: A YANG Data Model for System Management"; | "RFC XXXX: A YANG Data Model for System Management"; | |||
| } | } | |||
| /* | ||||
| * Typedefs | ||||
| */ | ||||
| typedef crypt-hash { | typedef crypt-hash { | |||
| type string { | type string { | |||
| pattern | pattern | |||
| '$0$.*' | '$0$.*' | |||
| + '|$1$[a-zA-Z0-9./]{1,8}$[a-zA-Z0-9./]{22}' | + '|$1$[a-zA-Z0-9./]{1,8}$[a-zA-Z0-9./]{22}' | |||
| + '|$5$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{43}' | + '|$5$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{43}' | |||
| + '|$6$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{86}'; | + '|$6$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{86}'; | |||
| } | } | |||
| description | description | |||
| "The crypt-hash type is used to store passwords using | "The crypt-hash type is used to store passwords using | |||
| a hash function. The algorithms for applying the hash | a hash function. The algorithms for applying the hash | |||
| function and encoding the result are implemented in | function and encoding the result are implemented in | |||
| various UNIX systems as the function crypt(3). | various UNIX systems as the function crypt(3). | |||
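Review bot: the crypt-hash pattern is looser than the typedef description suggests. The first alternative, '$0$.*', accepts any string at all, yet the id table in the description lists only ids 1, 5 and 6, so the meaning of a '$0$' value and whether a server may store or return a value in that form is not documented where the type is defined; the description should say what '$0$' denotes and how a server is expected to treat it. In the '$5$' and '$6$' alternatives, '(rounds=\d+$)?' places no bound on the rounds count, so a value can match the pattern and still be rejected by crypt(3); implementations should be told to range-check 'rounds' themselves rather than rely on pattern conformance. Also note that the '$1$' (MD5) form is retained as a valid encoding in -16; the corresponding 'crypt-hash-md5' feature should make clear that advertising it is optional.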
| skipping to change at page 14, line 50 ¶ | skipping to change at page 14, line 17 ¶ | |||
| id | hash function | feature | id | hash function | feature | |||
| ---+---------------+------------------- | ---+---------------+------------------- | |||
| 1 | MD5 | crypt-hash-md5 | 1 | MD5 | crypt-hash-md5 | |||
| 5 | SHA-256 | crypt-hash-sha-256 | 5 | SHA-256 | crypt-hash-sha-256 | |||
| 6 | SHA-512 | crypt-hash-sha-512 | 6 | SHA-512 | crypt-hash-sha-512 | |||
| The server indicates support for the different hash functions | The server indicates support for the different hash functions | |||
| by advertising the corresponding feature."; | by advertising the corresponding feature."; | |||
| reference | reference | |||
| "IEEE Std 1003.1-2008 - crypt() function | "IEEE Std 1003.1-2008 - crypt() function | |||
| Wikipedia: http://en.wikipedia.org/wiki/Crypt_(C) | ||||
| RFC 1321: The MD5 Message-Digest Algorithm | RFC 1321: The MD5 Message-Digest Algorithm | |||
| FIPS.180-3.2008: Secure Hash Standard"; | FIPS.180-3.2008: Secure Hash Standard"; | |||
| } | ||||
| feature crypt-hash-md5 { | ||||
| description | ||||
| "Indicates that the device supports the MD5 | ||||
| hash function in 'crypt-hash' values"; | ||||
| reference "RFC 1321: The MD5 Message-Digest Algorithm"; | ||||
| } | ||||
| feature crypt-hash-sha-256 { | ||||
| description | ||||
| "Indicates that the device supports the SHA-256 | ||||
| hash function in 'crypt-hash' values"; | ||||
| reference "FIPS.180-3.2008: Secure Hash Standard"; | ||||
| } | ||||
| feature crypt-hash-sha-512 { | ||||
| description | ||||
| "Indicates that the device supports the SHA-512 | ||||
| hash function in 'crypt-hash' values"; | ||||
| reference "FIPS.180-3.2008: Secure Hash Standard"; | ||||
| } | ||||
| } | ||||
| <CODE ENDS> | ||||
| 6. System YANG module | ||||
| This YANG module imports YANG extensions from [RFC6536], and imports | ||||
| YANG types from [RFC6991]. It also references [RFC1035], [RFC2865], | ||||
| [RFC3418], [RFC5607], [RFC5966], [RFC6557]. | ||||
| RFC Ed.: update the date below with the date of RFC publication and | ||||
| remove this note. | ||||
| <CODE BEGINS> file "ietf-system@2014-05-14.yang" | ||||
| module ietf-system { | ||||
| namespace "urn:ietf:params:xml:ns:yang:ietf-system"; | ||||
| prefix "sys"; | ||||
| import ietf-yang-types { | ||||
| prefix yang; | ||||
| } | ||||
| import ietf-inet-types { | ||||
| prefix inet; | ||||
| } | ||||
| import ietf-netconf-acm { | ||||
| prefix nacm; | ||||
| } | ||||
| import iana-crypt-hash { | ||||
| prefix ianach; | ||||
| } | ||||
| organization | ||||
| "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | ||||
| contact | ||||
| "WG Web: <http://tools.ietf.org/wg/netmod/> | ||||
| WG List: <mailto:netmod@ietf.org> | ||||
| WG Chair: Thomas Nadeau | ||||
| <mailto:tnadeau@lucidvision.com> | ||||
| WG Chair: Juergen Schoenwaelder | ||||
| <mailto:j.schoenwaelder@jacobs-university.de> | ||||
| Editor: Andy Bierman | ||||
| <mailto:andy@yumaworks.com> | ||||
| Editor: Martin Bjorklund | ||||
| <mailto:mbj@tail-f.com>"; | ||||
| description | ||||
| "This module contains a collection of YANG definitions for the | ||||
| configuration and identification of some common system | ||||
| properties within a device containing a NETCONF server. This | ||||
| includes data node definitions for system identification, | ||||
| time-of-day management, user management, DNS resolver | ||||
| configuration, and some protocol operations for system | ||||
| management. | ||||
| Copyright (c) 2014 IETF Trust and the persons identified as | ||||
| authors of the code. All rights reserved. | ||||
| Redistribution and use in source and binary forms, with or | ||||
| without modification, is permitted pursuant to, and subject | ||||
| to the license terms contained in, the Simplified BSD License | ||||
| set forth in Section 4.c of the IETF Trust's Legal Provisions | ||||
| Relating to IETF Documents | ||||
| (http://trustee.ietf.org/license-info). | ||||
| This version of this YANG module is part of RFC XXXX; see | ||||
| the RFC itself for full legal notices."; | ||||
| // RFC Ed.: replace XXXX with actual RFC number and remove this | ||||
| // note. | ||||
| // RFC Ed.: remove this note | ||||
| // Note: extracted from draft-ietf-netmod-system-mgmt-07.txt | ||||
| // RFC Ed.: update the date below with the date of RFC publication | ||||
| // and remove this note. | ||||
| revision "2014-05-14" { | ||||
| description | ||||
| "Initial revision."; | ||||
| reference | ||||
| "RFC XXXX: A YANG Data Model for System Management"; | ||||
| } | } | |||
| /* | /* | |||
| * Typedefs | ||||
| */ | ||||
| typedef timezone-name { | ||||
| type string; | ||||
| description | ||||
| "A timezone name as used by the Time Zone Database, sometimes | ||||
| referred to as the 'Olson Database'. | ||||
| The exact set of valid values is an implementation-specific | ||||
| matter. Client discovery of the exact set of time zone names | ||||
| for a particular server is out of scope."; | ||||
| reference | ||||
| "RFC 6557: Procedures for Maintaining the Time Zone Database"; | ||||
| } | ||||
| /* | ||||
| * Features | * Features | |||
| */ | */ | |||
| feature radius { | feature radius { | |||
| description | description | |||
| "Indicates that the device can be configured as a RADIUS | "Indicates that the device can be configured as a RADIUS | |||
| client."; | client."; | |||
| reference | reference | |||
| "RFC 2865: Remote Authentication Dial In User Service " | "RFC 2865: Remote Authentication Dial In User Service " | |||
| + "(RADIUS)"; | + "(RADIUS)"; | |||
| skipping to change at page 15, line 46 ¶ | skipping to change at page 17, line 51 ¶ | |||
| description | description | |||
| "Indicates that the device supports configuration of user | "Indicates that the device supports configuration of user | |||
| authentication over RADIUS."; | authentication over RADIUS."; | |||
| reference | reference | |||
| "RFC 2865: Remote Authentication Dial In User Service (RADIUS) | "RFC 2865: Remote Authentication Dial In User Service (RADIUS) | |||
| RFC 5607: Remote Authentication Dial-In User Service (RADIUS) | RFC 5607: Remote Authentication Dial-In User Service (RADIUS) | |||
| Authorization for Network Access Server (NAS) | Authorization for Network Access Server (NAS) | |||
| Management"; | Management"; | |||
| } | } | |||
| feature crypt-hash-md5 { | ||||
| description | ||||
| "Indicates that the device supports the MD5 | ||||
| hash function in 'crypt-hash' values"; | ||||
| reference "RFC 1321: The MD5 Message-Digest Algorithm"; | ||||
| } | ||||
| feature crypt-hash-sha-256 { | ||||
| description | ||||
| "Indicates that the device supports the SHA-256 | ||||
| hash function in 'crypt-hash' values"; | ||||
| reference "FIPS.180-3.2008: Secure Hash Standard"; | ||||
| } | ||||
| feature crypt-hash-sha-512 { | ||||
| description | ||||
| "Indicates that the device supports the SHA-512 | ||||
| hash function in 'crypt-hash' values"; | ||||
| reference "FIPS.180-3.2008: Secure Hash Standard"; | ||||
| } | ||||
| feature ntp { | feature ntp { | |||
| description | description | |||
| "Indicates that the device can be configured | "Indicates that the device can be configured | |||
| to use one or more NTP servers to set the | to use one or more NTP servers to set the | |||
| system date and time."; | system date and time."; | |||
| } | } | |||
| feature ntp-udp-port { | feature ntp-udp-port { | |||
| if-feature ntp; | ||||
| description | description | |||
| "Indicates that the device supports the configuration of | "Indicates that the device supports the configuration of | |||
| the UDP port for NTP servers. | the UDP port for NTP servers. | |||
| This is a 'feature' since many implementations do not support | This is a 'feature' since many implementations do not support | |||
| any other port than the default port."; | any other port than the default port."; | |||
| } | } | |||
| feature timezone-location { | feature timezone-name { | |||
| description | description | |||
| "Indicates that the local timezone on the device | "Indicates that the local timezone on the device | |||
| can be configured to use the TZ database | can be configured to use the TZ database | |||
| to set the timezone and manage daylight savings time."; | to set the timezone and manage daylight savings time."; | |||
| reference | reference | |||
| "TZ Database http://www.twinsun.com/tz/tz-link.htm | "RFC 6557: Procedures for Maintaining the Time Zone Database"; | |||
| Maintaining the Timezone Database | ||||
| RFC 6557 (BCP 175)"; | ||||
| } | } | |||
| feature dns-udp-tcp-port { | feature dns-udp-tcp-port { | |||
| description | description | |||
| "Indicates that the device supports the configuration of | "Indicates that the device supports the configuration of | |||
| the UDP and TCP port for DNS servers. | the UDP and TCP port for DNS servers. | |||
| This is a 'feature' since many implementations do not support | This is a 'feature' since many implementations do not support | |||
| any other port than the default port."; | any other port than the default port."; | |||
| } | } | |||
| /* | /* | |||
| * Identities | * Identities | |||
| */ | */ | |||
| identity authentication-method { | identity authentication-method { | |||
| description | description | |||
| "Base identity for user authentication methods."; | "Base identity for user authentication methods."; | |||
| } | } | |||
| skipping to change at page 19, line 4 ¶ | skipping to change at page 20, line 36 ¶ | |||
| A server implementation MAY map this leaf to the sysLocation | A server implementation MAY map this leaf to the sysLocation | |||
| MIB object. Such an implementation needs to use some | MIB object. Such an implementation needs to use some | |||
| mechanism to handle the differences in size and characters | mechanism to handle the differences in size and characters | |||
| allowed between this leaf and sysLocation. The definition | allowed between this leaf and sysLocation. The definition | |||
| of such a mechanism is outside the scope of this document."; | of such a mechanism is outside the scope of this document."; | |||
| reference | reference | |||
| "RFC 3418: Management Information Base (MIB) for the | "RFC 3418: Management Information Base (MIB) for the | |||
| Simple Network Management Protocol (SNMP) | Simple Network Management Protocol (SNMP) | |||
| SNMPv2-MIB.sysLocation"; | SNMPv2-MIB.sysLocation"; | |||
| } | } | |||
| container clock { | container clock { | |||
| description | description | |||
| "Configuration of the system date and time properties."; | "Configuration of the system date and time properties."; | |||
| choice timezone { | choice timezone { | |||
| description | description | |||
| "The system timezone information."; | "The system timezone information."; | |||
| case timezone-location { | case timezone-name { | |||
| if-feature timezone-location; | if-feature timezone-name; | |||
| leaf timezone-location { | leaf timezone-name { | |||
| type ianatz:iana-timezone; | type timezone-name; | |||
| description | description | |||
| "The TZ database location identifier string | "The TZ database name to use for the system, such | |||
| to use for the system, such as 'Europe/Stockholm'."; | as 'Europe/Stockholm'."; | |||
| } | } | |||
| } | } | |||
| case timezone-utc-offset { | case timezone-utc-offset { | |||
| leaf timezone-utc-offset { | leaf timezone-utc-offset { | |||
| type int16 { | type int16 { | |||
| range "-1500 .. 1500"; | range "-1500 .. 1500"; | |||
| } | } | |||
| units "minutes"; | units "minutes"; | |||
| description | description | |||
| "The number of minutes to add to UTC time to | "The number of minutes to add to UTC time to | |||
| identify the timezone for this system. For example, | identify the timezone for this system. For example, | |||
| skipping to change at page 26, line 20 ¶ | skipping to change at page 28, line 4 ¶ | |||
| } | } | |||
| must '(. != "sys:radius" or ../../radius/server)' { | must '(. != "sys:radius" or ../../radius/server)' { | |||
| error-message | error-message | |||
| "When 'radius' is used, a RADIUS server" | "When 'radius' is used, a RADIUS server" | |||
| + " must be configured."; | + " must be configured."; | |||
| description | description | |||
| "When 'radius' is used as an authentication method, | "When 'radius' is used as an authentication method, | |||
| a RADIUS server must be configured."; | a RADIUS server must be configured."; | |||
| } | } | |||
| ordered-by user; | ordered-by user; | |||
| description | description | |||
| "When the device authenticates a user with | "When the device authenticates a user with a password, | |||
| a password, it tries the authentication methods in this | it tries the authentication methods in this leaf-list in | |||
| leaf-list in order. If authentication with one method | order. If authentication with one method fails, the next | |||
| fails, the next method is used. If no method succeeds, | method is used. If no method succeeds, the user is | |||
| the user is denied access. | denied access. | |||
| An empty user-authentication-order leaf-list still allows | ||||
| authentication of users using mechanisms that do not | ||||
| involve a password. | ||||
| If the 'radius-authentication' feature is advertised by | If the 'radius-authentication' feature is advertised by | |||
| the NETCONF server, the 'radius' identity can be added to | the NETCONF server, the 'radius' identity can be added to | |||
| this list. | this list. | |||
| If the 'local-users' feature is advertised by the | If the 'local-users' feature is advertised by the | |||
| NETCONF server, the 'local-users' identity can be | NETCONF server, the 'local-users' identity can be | |||
| added to this list."; | added to this list."; | |||
| } | } | |||
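The leaf-list description above fixes the semantics a server has to implement: methods are tried in the configured order, the first success wins, an empty list denies password logins but not mechanisms that do not involve a password, and the `must` expression forbids listing `sys:radius` without a configured RADIUS server. The following Python is an added illustration of those rules, not code from the draft or from any implementation; the configuration dictionary, the `radius_backend` callable and the cleartext-only local password check are constructed assumptions for the example.

```python
import hmac

RADIUS = "sys:radius"
LOCAL_USERS = "sys:local-users"


def validate_authentication_order(system):
    """Apply the 'must' constraint on user-authentication-order.

    'sys:radius' may only be listed when at least one /system/radius/server
    entry exists. Returns the list of error messages (empty when valid).
    """
    auth = system.get("authentication", {})
    errors = []
    has_radius_server = bool(system.get("radius", {}).get("server"))
    for method in auth.get("user-authentication-order", []):
        if method == RADIUS and not has_radius_server:
            errors.append("When 'radius' is used, a RADIUS server must be configured.")
        elif method not in (RADIUS, LOCAL_USERS):
            errors.append("unknown authentication-method identity %r" % method)
    return errors


def _find_user(system, username):
    for user in system.get("authentication", {}).get("user", []):
        if user.get("name") == username:
            return user
    return None


def _local_users_password(system, username, password):
    """Check a password against /system/authentication/user.

    Only '$0$' (cleartext) crypt-hash values are compared here, in constant
    time; a real server verifies '$1$'/'$5$'/'$6$' values with its crypt(3)
    implementation (assumption: that step is outside this example).
    """
    user = _find_user(system, username)
    if user is None:
        return False
    stored = user.get("password", "")
    if stored.startswith("$0$"):
        return hmac.compare_digest(stored[3:].encode(), password.encode())
    return False


def authenticate(system, username, credential, radius_backend):
    """Authenticate a login attempt the way the leaf-list description prescribes.

    credential is ("password", <str>) or ("publickey", <bytes>).
    radius_backend(username, password) returns True, False, or None when the
    server did not answer; anything but True counts as a failed method.
    Returns (granted, trace) where trace records each method tried.
    """
    kind, secret = credential
    trace = []
    if kind == "publickey":
        # Public-key logins do not go through user-authentication-order, so an
        # empty list still allows them; they only need a matching authorized-key.
        user = _find_user(system, username) or {}
        for key in user.get("authorized-key", []):
            if hmac.compare_digest(key["key-data"], secret):
                trace.append(("publickey", "ok"))
                return True, trace
        trace.append(("publickey", "no matching key"))
        return False, trace
    if kind != "password":
        raise ValueError("unsupported credential kind %r" % kind)
    for method in system.get("authentication", {}).get("user-authentication-order", []):
        if method == LOCAL_USERS:
            ok = _local_users_password(system, username, secret)
        elif method == RADIUS:
            ok = radius_backend(username, secret) is True
        else:
            ok = False
        trace.append((method, "ok" if ok else "failed"))
        if ok:
            return True, trace
    # Empty list or every method failed: password access is denied.
    return False, trace


# Constructed sample configuration (not taken from the page).
SAMPLE_SYSTEM = {
    "radius": {"server": [{"name": "radius-1"}]},
    "authentication": {
        "user-authentication-order": [RADIUS, LOCAL_USERS],
        "user": [{
            "name": "alice",
            "password": "$0$s3cret",
            "authorized-key": [{"name": "laptop", "algorithm": "ssh-ed25519",
                                "key-data": b"constructed-key-bytes"}],
        }],
    },
}


def unreachable_radius(username, password):
    """Constructed backend: the RADIUS server never answers."""
    return None


if __name__ == "__main__":
    print(validate_authentication_order(SAMPLE_SYSTEM))
    print(authenticate(SAMPLE_SYSTEM, "alice", ("password", "s3cret"), unreachable_radius))
```

With the sample configuration the RADIUS method fails (the backend does not answer) and the local method succeeds, so the trace shows the fall-through the description calls for; removing the `radius` container makes `validate_authentication_order` report the `must` violation before any login is attempted.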
| skipping to change at page 26, line 49 ¶ | skipping to change at page 28, line 36 ¶ | |||
| key name; | key name; | |||
| description | description | |||
| "The list of local users configured on this device."; | "The list of local users configured on this device."; | |||
| leaf name { | leaf name { | |||
| type string; | type string; | |||
| description | description | |||
| "The user name string identifying this entry."; | "The user name string identifying this entry."; | |||
| } | } | |||
| leaf password { | leaf password { | |||
| type crypt-hash; | type ianach:crypt-hash; | |||
| description | description | |||
| "The password for this entry."; | "The password for this entry."; | |||
| } | } | |||
| list ssh-key { | list authorized-key { | |||
| key name; | key name; | |||
| description | description | |||
| "A list of public SSH keys for this user."; | "A list of public SSH keys for this user. These keys | |||
| are allowed for SSH authentication, as described in | ||||
| RFC 4253."; | ||||
| reference | reference | |||
| "RFC 4253: The Secure Shell (SSH) Transport Layer | "RFC 4253: The Secure Shell (SSH) Transport Layer | |||
| Protocol"; | Protocol"; | |||
| leaf name { | leaf name { | |||
| type string; | type string; | |||
| description | description | |||
| "An arbitrary name for the ssh key."; | "An arbitrary name for the SSH key."; | |||
| } | } | |||
| leaf algorithm { | leaf algorithm { | |||
| type string; | type string; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "The public key algorithm name for this ssh key. | "The public key algorithm name for this SSH key. | |||
| Valid values are the values in the IANA Secure Shell | Valid values are the values in the IANA Secure Shell | |||
| (SSH) Protocol Parameters registry, Public Key | (SSH) Protocol Parameters registry, Public Key | |||
| Algorithm Names"; | Algorithm Names"; | |||
| reference | reference | |||
| "IANA Secure Shell (SSH) Protocol Parameters registry, | "IANA Secure Shell (SSH) Protocol Parameters registry, | |||
| Public Key Algorithm Names"; | Public Key Algorithm Names"; | |||
| } | } | |||
| leaf key-data { | leaf key-data { | |||
| type binary; | type binary; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "The binary key data for this ssh key."; | "The binary public key data for this SSH key, as | |||
| specified by RFC 4253, Section 6.6, i.e.,: | ||||
| string certificate or public key format | ||||
| identifier | ||||
| byte[n] key/certificate data | ||||
| "; | ||||
| reference | ||||
| "RFC 4253: The Secure Shell (SSH) Transport Layer | ||||
| Protocol"; | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
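The `key-data` leaf carries the RFC 4253 Section 6.6 wire encoding, so its first field is itself the public key format identifier, which a server can cross-check against the `algorithm` leaf before accepting an `authorized-key` entry. The Python below is an added example of that check, not code from the draft or any implementation; the entry dictionary layout, the `build_key_data` helper used to construct the sample blob and the per-algorithm field counts for `ssh-ed25519` and `ssh-rsa` are assumptions made for the example.

```python
import base64
import struct


def _read_string(blob, offset):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes) at offset."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    end = start + length
    if end > len(blob):
        raise ValueError("string runs past the end of key-data")
    return blob[start:end], end


def parse_key_data(key_data):
    """Split key-data into (format identifier, list of remaining string fields)."""
    ident, off = _read_string(key_data, 0)
    fields = []
    while off < len(key_data):
        field, off = _read_string(key_data, off)
        fields.append(field)
    return ident.decode("ascii"), fields


def check_authorized_key(entry):
    """Validate one authorized-key entry (dict with 'algorithm' and 'key-data').

    Returns (ok, reason). The identifier embedded in key-data must equal the
    algorithm leaf; a mismatch means the two leaves describe different keys.
    """
    try:
        ident, fields = parse_key_data(entry["key-data"])
    except (ValueError, UnicodeDecodeError) as exc:
        return False, "malformed key-data: %s" % exc
    if ident != entry["algorithm"]:
        return False, "key-data identifier %r does not match algorithm leaf %r" % (
            ident, entry["algorithm"])
    # Assumed per-algorithm shape checks for the two most common identifiers.
    if ident == "ssh-ed25519" and (len(fields) != 1 or len(fields[0]) != 32):
        return False, "ssh-ed25519 key-data must carry exactly one 32-byte key"
    if ident == "ssh-rsa" and len(fields) != 2:
        return False, "ssh-rsa key-data must carry the two mpints e and n"
    return True, "ok"


def build_key_data(ident, *fields):
    """Assemble key-data from its string fields (used here to construct samples)."""
    out = b""
    for field in (ident.encode("ascii"),) + fields:
        out += struct.pack(">I", len(field)) + field
    return out


def authorized_keys_line_to_entry(name, line):
    """Turn an OpenSSH authorized_keys line ('<alg> <base64> [comment]') into an entry.

    The base64 payload of such a line is exactly the key-data encoding.
    """
    alg, b64 = line.split()[:2]
    return {"name": name, "algorithm": alg, "key-data": base64.b64decode(b64)}


# Constructed sample: an ssh-ed25519 blob whose 32 key bytes are a placeholder.
SAMPLE_KEY_DATA = build_key_data("ssh-ed25519", bytes(range(32)))
SAMPLE_ENTRY = {"name": "laptop", "algorithm": "ssh-ed25519", "key-data": SAMPLE_KEY_DATA}
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_KEY_DATA).decode("ascii") + " alice@constructed.example"

if __name__ == "__main__":
    print(check_authorized_key(SAMPLE_ENTRY))
    print(check_authorized_key(dict(SAMPLE_ENTRY, algorithm="ssh-rsa")))
```

Because the identifier is part of the signed data in SSH, a server that trusts the `algorithm` leaf alone could silently accept a key-data blob of a different type; comparing the two leaves at configuration time rejects such inconsistent entries before they reach the SSH daemon.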
| /* | /* | |||
| * Operational state data nodes | * Operational state data nodes | |||
| */ | */ | |||
| skipping to change at page 30, line 6 ¶ | skipping to change at page 32, line 4 ¶ | |||
| rpc system-shutdown { | rpc system-shutdown { | |||
| nacm:default-deny-all; | nacm:default-deny-all; | |||
| description | description | |||
| "Request that the entire system be shut down immediately. | "Request that the entire system be shut down immediately. | |||
| A server SHOULD send an rpc reply to the client before | A server SHOULD send an rpc reply to the client before | |||
| shutting down the system."; | shutting down the system."; | |||
| } | } | |||
| } | } | |||
| <CODE ENDS> | <CODE ENDS> | |||
| 6. IANA Considerations | 7. IANA Considerations | |||
| This document registers one URI in the IETF XML registry [RFC3688]. | IANA is requested to create an IANA-maintained YANG Module called | |||
| Following the format in RFC 3688, the following registration is | "iana-crypt-hash", based on the contents of Section 5, which will | |||
| allow for new hash algorithms to be added to the type "crypt-hash". | ||||
| The registration procedure will be Expert Review, as defined by | ||||
| [RFC5226]. | ||||
| This document registers two URIs in the IETF XML registry [RFC3688]. | ||||
| Following the format in RFC 3688, the following registrations are | ||||
| requested to be made. | requested to be made. | |||
| URI: urn:ietf:params:xml:ns:yang:iana-crypt-hash | ||||
| Registrant Contact: The IESG. | ||||
| XML: N/A, the requested URI is an XML namespace. | ||||
| URI: urn:ietf:params:xml:ns:yang:ietf-system | URI: urn:ietf:params:xml:ns:yang:ietf-system | |||
| Registrant Contact: The NETMOD WG of the IETF. | Registrant Contact: The IESG. | |||
| XML: N/A, the requested URI is an XML namespace. | XML: N/A, the requested URI is an XML namespace. | |||
| This document registers one YANG module in the YANG Module Names | This document registers two YANG modules in the YANG Module Names | |||
| registry [RFC6020]. | registry [RFC6020]. | |||
| name: iana-crypt-hash | ||||
| namespace: urn:ietf:params:xml:ns:yang:iana-crypt-hash | ||||
| prefix: ianach | ||||
| reference: RFC XXXX | ||||
| name: ietf-system | name: ietf-system | |||
| namespace: urn:ietf:params:xml:ns:yang:ietf-system | namespace: urn:ietf:params:xml:ns:yang:ietf-system | |||
| prefix: sys | prefix: sys | |||
| reference: RFC XXXX | reference: RFC XXXX | |||
| 7. Security Considerations | 8. Security Considerations | |||
| The YANG module defined in this memo is designed to be accessed via | The YANG modules defined in this memo are designed to be accessed via | |||
| the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the | the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the | |||
| secure transport layer and the mandatory-to-implement secure | secure transport layer and the mandatory-to-implement secure | |||
| transport is SSH [RFC6242]. Authorization for access to specific | transport is SSH [RFC6242]. Authorization for access to specific | |||
| portions of conceptual data and operations within this module is | portions of conceptual data and operations within this module is | |||
| provided by the NETCONF access control model (NACM) [RFC6536]. | provided by the NETCONF access control model (NACM) [RFC6536]. | |||
| There are a number of data nodes defined in this YANG module which | There are a number of data nodes defined in the "ietf-system" YANG | |||
| are writable/creatable/deletable (i.e., config true, which is the | module which are writable/creatable/deletable (i.e., config true, | |||
| default). These data nodes may be considered sensitive or vulnerable | which is the default). These data nodes may be considered sensitive | |||
| in some network environments. Write operations (e.g., edit-config) | or vulnerable in some network environments. Write operations to | |||
| to these data nodes without proper protection can have a negative | these data nodes can have a negative effect on network operations. | |||
| effect on network operations. These are the subtrees and data nodes | It is thus important to control write access (e.g., via edit-config) | |||
| and their sensitivity/vulnerability: | to these data nodes. These are the subtrees and data nodes and their | |||
| sensitivity/vulnerability: | ||||
| o /system/clock/timezone: This choice contains the objects used to | o /system/clock/timezone: This choice contains the objects used to | |||
| control the timezone used by the device. | control the timezone used by the device. | |||
| o /system/ntp: This container contains the objects used to control | o /system/ntp: This container contains the objects used to control | |||
| the Network Time Protocol servers used by the device. | the Network Time Protocol servers used by the device. | |||
| o /system/dns-resolver: This container contains the objects used to | o /system/dns-resolver: This container contains the objects used to | |||
| control the Domain Name System servers used by the device. | control the Domain Name System servers used by the device. | |||
| o /system/radius: This container contains the objects used to | o /system/radius: This container contains the objects used to | |||
| control the Remote Authentication Dial-In User Service servers | control the Remote Authentication Dial-In User Service servers | |||
| used by the device. | used by the device. | |||
| o /system/authentication/user-authentication-order: This leaf | o /system/authentication/user-authentication-order: This leaf | |||
| controls how user login attempts are authenticated by the device. | controls how user login attempts are authenticated by the device. | |||
| o /system/authentication/user: This list contains the local users | o /system/authentication/user: This list contains the local users | |||
| enabled on the system. | enabled on the system. | |||
| Some of the readable data nodes in this YANG module may be considered | Some of the readable data nodes in the "ietf-system" YANG module may | |||
| sensitive or vulnerable in some network environments. It is thus | be considered sensitive or vulnerable in some network environments. | |||
| important to control read access (e.g., via get, get-config, or | It is thus important to control read access (e.g., via get, get- | |||
| notification) to these data nodes. These are the subtrees and data | config, or notification) to these data nodes. These are the subtrees | |||
| nodes and their sensitivity/vulnerability: | and data nodes and their sensitivity/vulnerability: | |||
| o /system/platform: This container has objects which may help | o /system/platform: This container has objects which may help | |||
| identify the specific NETCONF server and/or operating system | identify the specific NETCONF server and/or operating system | |||
| implementation used on the device. | implementation used on the device. | |||
| o /system/authentication/user: This list has objects that may help | o /system/authentication/user: This list has objects that may help | |||
| identify the specific user names and password information in use | identify the specific user names and password information in use | |||
| on the device. | on the device. | |||
| Some of the RPC operations in this YANG module may be considered | Some of the remote procedure call (RPC) operations in the | |||
| sensitive or vulnerable in some network environments. It is thus | "ietf-system" YANG module may be considered sensitive or vulnerable | |||
| important to control access to these operations. These are the | in some network environments. It is thus important to control access | |||
| operations and their sensitivity/vulnerability: | to these operations. These are the operations and their sensitivity/ | |||
| vulnerability: | ||||
| o set-current-datetime: Changes the current date and time on the | o set-current-datetime: Changes the current date and time on the | |||
| device. | device. | |||
| o system-restart: Reboots the device. | o system-restart: Reboots the device. | |||
| o system-shutdown: Shuts down the device. | o system-shutdown: Shuts down the device. | |||
| This YANG model defines a type "crypt-hash" that can be used to store | Since this document describes the use of RADIUS for purposes of | |||
| MD5 hashes. [RFC6151] discusses security considerations for MD5. | authentication, it is vulnerable to all of the threats that are | |||
| present in other RADIUS applications. For a discussion of such | ||||
| threats, see [RFC2865] and [RFC3162], and section 4 of [RFC3579]. | ||||
| 8. Change Log | This document provides configuration parameters for SSH's "publickey" | |||
| and "password" authentication mechanisms. Section 9.4 of [RFC4251] | ||||
| and section 11 of [RFC4252] discuss security considerations for these | ||||
| mechanisms. | ||||
| The "iana-crypt-hash" YANG module defines a type "crypt-hash" that | ||||
| can be used to store MD5 hashes. [RFC6151] discusses security | ||||
| considerations for MD5. The usage of MD5 is NOT RECOMMENDED. | ||||
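The `crypt-hash-md5`, `crypt-hash-sha-256` and `crypt-hash-sha-512` features advertise which schemes a server accepts in a `crypt-hash` value such as the `password` leaf, and the paragraph above says MD5 is NOT RECOMMENDED. The Python below is an added example, not code from the draft or from any implementation, of the input check a server would make before storing such a value: it parses the crypt(3)-style layout, maps the scheme to the feature that must be advertised, and refuses MD5 unless the operator opts in. The identifier prefixes (`$0$` cleartext, `$1$` MD5, `$5$` SHA-256, `$6$` SHA-512), the digest and salt lengths, and the non-empty-salt rule are assumptions taken from the published iana-crypt-hash module and crypt(3) conventions, not from the text on this page.

```python
import re

# crypt(3)-style identifiers found at the start of a 'crypt-hash' value, and the
# ietf-system feature a server must advertise before it may accept each one.
# Assumption (from the published iana-crypt-hash module, not from the text on
# this page): "$0$" is cleartext, "$1$" MD5, "$5$" SHA-256, "$6$" SHA-512.
HASH_ID_TO_FEATURE = {
    "1": "crypt-hash-md5",
    "5": "crypt-hash-sha-256",
    "6": "crypt-hash-sha-512",
}
# Encoded digest length and maximum salt length for each crypt(3) scheme.
DIGEST_LEN = {"1": 22, "5": 43, "6": 86}
MAX_SALT_LEN = {"1": 8, "5": 16, "6": 16}

_B64 = re.compile(r"^[./0-9A-Za-z]+$")      # crypt(3) alphabet for salt and digest
_ROUNDS = re.compile(r"^rounds=(\d+)$")    # optional SHA-crypt cost parameter


def parse_crypt_hash(value):
    """Split a crypt-hash value into its parts.

    Returns a dict with keys id, rounds, salt, digest and cleartext; raises
    ValueError when the layout is not one this checker understands.
    """
    parts = value.split("$", 2)
    if len(parts) != 3 or parts[0] != "":
        raise ValueError("value must look like '$<id>$...'")
    _, hash_id, rest = parts
    if hash_id == "0":
        return {"id": "0", "rounds": None, "salt": None, "digest": None, "cleartext": rest}
    if hash_id not in HASH_ID_TO_FEATURE:
        raise ValueError("unknown hash identifier $%s$" % hash_id)
    fields = rest.split("$")
    rounds = None
    if hash_id in ("5", "6") and fields and fields[0].startswith("rounds="):
        match = _ROUNDS.match(fields[0])
        if not match:
            raise ValueError("malformed rounds option")
        rounds = int(match.group(1))
        fields = fields[1:]
    if len(fields) != 2:
        raise ValueError("expected '$<salt>$<digest>' after the identifier")
    salt, digest = fields
    if not salt or len(salt) > MAX_SALT_LEN[hash_id] or not _B64.match(salt):
        raise ValueError("salt is empty, too long or outside the crypt alphabet")
    if len(digest) != DIGEST_LEN[hash_id] or not _B64.match(digest):
        raise ValueError("digest length or alphabet is wrong for $%s$" % hash_id)
    return {"id": hash_id, "rounds": rounds, "salt": salt, "digest": digest, "cleartext": None}


def check_password_value(value, advertised_features, allow_md5=False):
    """Decide whether /system/authentication/user/password may take this value.

    Returns (accepted, reason). Cleartext ("$0$") is accepted because the server
    hashes it with a scheme it supports; a pre-hashed value must match a feature
    the server advertises, and MD5 is refused unless the operator opts in.
    """
    try:
        parsed = parse_crypt_hash(value)
    except ValueError as exc:
        return False, "malformed crypt-hash: %s" % exc
    if parsed["id"] == "0":
        return True, "cleartext supplied; server will store it under a supported scheme"
    feature = HASH_ID_TO_FEATURE[parsed["id"]]
    if feature not in advertised_features:
        return False, "server does not advertise feature %s" % feature
    if parsed["id"] == "1" and not allow_md5:
        return False, "MD5 crypt-hash refused: its use is NOT RECOMMENDED (RFC 6151)"
    return True, "accepted value for feature %s" % feature


# Constructed sample values: the digests are placeholders of the right length,
# not real hash output.
MD5_SAMPLE = "$1$saltsalt$" + "a" * 22
SHA256_SAMPLE = "$5$shortsalt$" + "b" * 43
SHA512_SAMPLE = "$6$rounds=5000$0123456789abcdef$" + "c" * 86

if __name__ == "__main__":
    for sample in ("$0$correct horse", MD5_SAMPLE, SHA256_SAMPLE, SHA512_SAMPLE, "$6$abc$short"):
        print(sample[:24], check_password_value(sample, ["crypt-hash-sha-256", "crypt-hash-sha-512"]))
```

A server that advertises only the SHA features and runs this check on `edit-config` input rejects MD5 values outright and rejects truncated or mis-typed digests before they reach the password store, which is where a silently accepted bad value would otherwise surface as a login failure or, worse, a weak credential.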
| 9. Change Log | ||||
| -- RFC Ed.: remove this section before publication. | -- RFC Ed.: remove this section before publication. | |||
| 8.1. 00-01 | 9.1. 00-01 | |||
| o added configuration-source identities | o added configuration-source identities | |||
| o added configuration-source leaf to ntp and dns (via grouping) to | o added configuration-source leaf to ntp and dns (via grouping) to | |||
| choose configuration source | choose configuration source | |||
| o added association-type, iburst, prefer, and true leafs to the ntp- | o added association-type, iburst, prefer, and true leafs to the ntp- | |||
| server list | server list | |||
| o extended the ssh keys for a user to a list of keys. support all | o extended the ssh keys for a user to a list of keys. support all | |||
| defined key algorithms, not just dsa and rsa | defined key algorithms, not just dsa and rsa | |||
| o clarified timezone-utc-offset description-stmt | o clarified timezone-utc-offset description-stmt | |||
| o removed '/system/ntp/server/true' leaf from data model | o removed '/system/ntp/server/true' leaf from data model | |||
| 8.2. 01-02 | 9.2. 01-02 | |||
| o added default-stmts to ntp-server/iburst and ntp-server/prefer | o added default-stmts to ntp-server/iburst and ntp-server/prefer | |||
| leafs | leafs | |||
| o changed timezone-location leaf to use iana-timezone typedef | o changed timezone-location leaf to use iana-timezone typedef | |||
| instead of a string | instead of a string | |||
| 8.3. 02-03 | 9.3. 02-03 | |||
| o removed configuration-source identities and leafs | o removed configuration-source identities and leafs | |||
| 8.4. 03-04 | 9.4. 03-04 | |||
| o removed ndots dns resolver option | o removed ndots dns resolver option | |||
| o added radius-authentication-type identity, and identities for pap | o added radius-authentication-type identity, and identities for pap | |||
| and chap, and a leaf to control which authentication type to use | and chap, and a leaf to control which authentication type to use | |||
| when communicating with the radius server | when communicating with the radius server | |||
| o made 0 an invalid value for timeouts and attempts | o made 0 an invalid value for timeouts and attempts | |||
| 8.5. 04-05 | 9.5. 04-05 | |||
| o updated tree diagram explanation text | o updated tree diagram explanation text | |||
| 8.6. 05-06 | 9.6. 05-06 | |||
| o changed ntp/use-ntp to ntp/enabled | o changed ntp/use-ntp to ntp/enabled | |||
| o changed ntp/ntp-server to ntp/server | o changed ntp/ntp-server to ntp/server | |||
| o removed /system/platform/nodename leaf | o removed /system/platform/nodename leaf | |||
| o changed /system/name to /system/hostname | o changed /system/name to /system/hostname | |||
| o simplified must expression in user-authentication-order | o simplified must expression in user-authentication-order | |||
| skipping to change at page 35, line 46 ¶ | skipping to change at page 37, line 46 ¶ | |||
| o changed /system/platform/nodename to /system/platform/hostname | o changed /system/platform/nodename to /system/platform/hostname | |||
| o changed /system/radius/server/{leafs} to be within a choice and | o changed /system/radius/server/{leafs} to be within a choice and | |||
| 'udp' case statement so other transport specific parameters can | 'udp' case statement so other transport specific parameters can | |||
| augment this list or they can be added by the WG to a future | augment this list or they can be added by the WG to a future | |||
| version of this module. {leafs} are authentication-port and | version of this module. {leafs} are authentication-port and | |||
| shared-secret. | shared-secret. | |||
| o updated YANG tree diagrams for objects added in -05 and -06 | o updated YANG tree diagrams for objects added in -05 and -06 | |||
| 8.7. 06-07 | 9.7. 06-07 | |||
| o updated the Abstract and Introduction | o updated the Abstract and Introduction | |||
| o updated Tree diagram notation | o updated Tree diagram notation | |||
| o identify all external servers (dns, ntp, radius) by name instead | o identify all external servers (dns, ntp, radius) by name instead | |||
| of address, in order to make the data model extensible for | of address, in order to make the data model extensible for | |||
| additional transport protocol. | additional transport protocol. | |||
| o updated the Security Considerations section with a reference to | o updated the Security Considerations section with a reference to | |||
| NACM. | NACM. | |||
| 8.8. 07-08 | 9.8. 07-08 | |||
| o renamed the DNS transport to 'udp-and-tcp' and added references. | o renamed the DNS transport to 'udp-and-tcp' and added references. | |||
| o moved the operational state nodes into /system-state. | o moved the operational state nodes into /system-state. | |||
| 8.9. 08-09 | 9.9. 08-09 | |||
| o made "ntp" node a presence container | o made "ntp" node a presence container | |||
| o added reference to RFC 6151 | o added reference to RFC 6151 | |||
| o updated reference from 6021-bis to RFC 6991 | o updated reference from 6021-bis to RFC 6991 | |||
| o cleaned up usage of config false in the YANG module | o cleaned up usage of config false in the YANG module | |||
| 8.10. 09-10 | 9.10. 09-10 | |||
| o clarified relationship with SNMPv2-MIB | o clarified relationship with SNMPv2-MIB | |||
| 9. References | 9.11. 11-12 | |||
| 9.1. Normative References | o added typedef "timezone-name", and removed reference to | |||
| draft-ietf-netmod-iana-timezones | ||||
| 9.12. 13-14 | ||||
| o moved the "crypt-hash" typedef to an IANA maintained module. | ||||
| o updated security considerations to mention RADIUS threats. | ||||
| 9.13. 14-15 | ||||
| o updated security considerations to mention SSH authentication | ||||
| method threats. | ||||
| 10. References | ||||
| 10.1. Normative References | ||||
| [FIPS.180-3.2008] | [FIPS.180-3.2008] | |||
| National Institute of Standards and Technology, "Secure | National Institute of Standards and Technology, "Secure | |||
| Hash Standard", FIPS PUB 180-3, October 2008, <http:// | Hash Standard", FIPS PUB 180-3, October 2008, <http:// | |||
| csrc.nist.gov/publications/fips/fips180-3/ | csrc.nist.gov/publications/fips/fips180-3/ | |||
| fips180-3_final.pdf>. | fips180-3_final.pdf>. | |||
| [I-D.ietf-netmod-iana-timezones] | ||||
| Lange, J., "IANA Timezone Database YANG Module", | ||||
| draft-ietf-netmod-iana-timezones-00 (work in progress), | ||||
| July 2012. | ||||
| [IEEE-1003.1-2008] | [IEEE-1003.1-2008] | |||
| Institute of Electrical and Electronics Engineers, | Institute of Electrical and Electronics Engineers, | |||
| "POSIX.1-2008", IEEE Standard 1003.1, March 2008. | "POSIX.1-2008", IEEE Standard 1003.1, March 2008. | |||
| [RFC1035] Mockapetris, P., "Domain names - implementation and | [RFC1035] Mockapetris, P., "Domain names - implementation and | |||
| specification", STD 13, RFC 1035, November 1987. | specification", STD 13, RFC 1035, November 1987. | |||
| [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, | [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, | |||
| April 1992. | April 1992. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, | [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, | |||
| "Remote Authentication Dial In User Service (RADIUS)", | "Remote Authentication Dial In User Service (RADIUS)", | |||
| RFC 2865, June 2000. | RFC 2865, June 2000. | |||
| [RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6", | ||||
| RFC 3162, August 2001. | ||||
| [RFC3418] Presuhn, R., "Management Information Base (MIB) for the | [RFC3418] Presuhn, R., "Management Information Base (MIB) for the | |||
| Simple Network Management Protocol (SNMP)", STD 62, | Simple Network Management Protocol (SNMP)", STD 62, | |||
| RFC 3418, December 2002. | RFC 3418, December 2002. | |||
| [RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) | ||||
| Protocol Architecture", RFC 4251, January 2006. | ||||
| [RFC4252] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) | [RFC4252] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) | |||
| Authentication Protocol", RFC 4252, January 2006. | Authentication Protocol", RFC 4252, January 2006. | |||
| [RFC4253] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) | [RFC4253] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) | |||
| Transport Layer Protocol", RFC 4253, January 2006. | Transport Layer Protocol", RFC 4253, January 2006. | |||
| [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | ||||
| IANA Considerations Section in RFCs", BCP 26, RFC 5226, | ||||
| May 2008. | ||||
| [RFC5607] Nelson, D. and G. Weber, "Remote Authentication Dial-In | [RFC5607] Nelson, D. and G. Weber, "Remote Authentication Dial-In | |||
| User Service (RADIUS) Authorization for Network Access | User Service (RADIUS) Authorization for Network Access | |||
| Server (NAS) Management", RFC 5607, July 2009. | Server (NAS) Management", RFC 5607, July 2009. | |||
| [RFC5966] Bellis, R., "DNS Transport over TCP - Implementation | [RFC5966] Bellis, R., "DNS Transport over TCP - Implementation | |||
| Requirements", RFC 5966, August 2010. | Requirements", RFC 5966, August 2010. | |||
| [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the | [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the | |||
| Network Configuration Protocol (NETCONF)", RFC 6020, | Network Configuration Protocol (NETCONF)", RFC 6020, | |||
| October 2010. | October 2010. | |||
| skipping to change at page 38, line 27 ¶ | skipping to change at page 40, line 32 ¶ | |||
| [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure | [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure | |||
| Shell (SSH)", RFC 6242, June 2011. | Shell (SSH)", RFC 6242, June 2011. | |||
| [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration | [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration | |||
| Protocol (NETCONF) Access Control Model", RFC 6536, | Protocol (NETCONF) Access Control Model", RFC 6536, | |||
| March 2012. | March 2012. | |||
| [RFC6991] Schoenwaelder, J., "Common YANG Data Types", RFC 6991, | [RFC6991] Schoenwaelder, J., "Common YANG Data Types", RFC 6991, | |||
| July 2013. | July 2013. | |||
| 9.2. Informative References | 10.2. Informative References | |||
| [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication | ||||
| Dial In User Service) Support For Extensible | ||||
| Authentication Protocol (EAP)", RFC 3579, September 2003. | ||||
| [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
| January 2004. | January 2004. | |||
| [RFC6557] Lear, E. and P. Eggert, "Procedures for Maintaining the | [RFC6557] Lear, E. and P. Eggert, "Procedures for Maintaining the | |||
| Time Zone Database", BCP 175, RFC 6557, February 2012. | Time Zone Database", BCP 175, RFC 6557, February 2012. | |||
| Authors' Addresses | Authors' Addresses | |||
| Andy Bierman | Andy Bierman | |||