| < draft-ietf-netmod-system-mgmt-13.txt | draft-ietf-netmod-system-mgmt-16.txt > | |||
|---|---|---|---|---|
| Network Working Group A. Bierman | Network Working Group A. Bierman | |||
| Internet-Draft YumaWorks | Internet-Draft YumaWorks | |||
| Intended status: Standards Track M. Bjorklund | Intended status: Standards Track M. Bjorklund | |||
| Expires: August 22, 2014 Tail-f Systems | Expires: November 15, 2014 Tail-f Systems | |||
| February 18, 2014 | May 14, 2014 | |||
| A YANG Data Model for System Management | A YANG Data Model for System Management | |||
| draft-ietf-netmod-system-mgmt-13 | draft-ietf-netmod-system-mgmt-16 | |||
| Abstract | Abstract | |||
| This document defines a YANG data model for the configuration and | This document defines a YANG data model for the configuration and | |||
| identification of some common system properties within a device | identification of some common system properties within a device | |||
| containing a NETCONF server. This includes data node definitions for | containing a NETCONF server. This includes data node definitions for | |||
| system identification, time-of-day management, user management, DNS | system identification, time-of-day management, user management, DNS | |||
| resolver configuration, and some protocol operations for system | resolver configuration, and some protocol operations for system | |||
| management. | management. | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 22, 2014. | This Internet-Draft will expire on November 15, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 29 ¶ | skipping to change at page 2, line 29 ¶ | |||
| 3.1. System Identification . . . . . . . . . . . . . . . . . . 7 | 3.1. System Identification . . . . . . . . . . . . . . . . . . 7 | |||
| 3.2. System Time Management . . . . . . . . . . . . . . . . . . 7 | 3.2. System Time Management . . . . . . . . . . . . . . . . . . 7 | |||
| 3.3. DNS Resolver Model . . . . . . . . . . . . . . . . . . . . 8 | 3.3. DNS Resolver Model . . . . . . . . . . . . . . . . . . . . 8 | |||
| 3.4. RADIUS Client Model . . . . . . . . . . . . . . . . . . . 8 | 3.4. RADIUS Client Model . . . . . . . . . . . . . . . . . . . 8 | |||
| 3.5. User Authentication Model . . . . . . . . . . . . . . . . 9 | 3.5. User Authentication Model . . . . . . . . . . . . . . . . 9 | |||
| 3.5.1. SSH Public Key Authentication . . . . . . . . . . . . 9 | 3.5.1. SSH Public Key Authentication . . . . . . . . . . . . 9 | |||
| 3.5.2. Local User Password Authentication . . . . . . . . . . 10 | 3.5.2. Local User Password Authentication . . . . . . . . . . 10 | |||
| 3.5.3. RADIUS Password Authentication . . . . . . . . . . . . 10 | 3.5.3. RADIUS Password Authentication . . . . . . . . . . . . 10 | |||
| 3.6. System Control . . . . . . . . . . . . . . . . . . . . . . 10 | 3.6. System Control . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 4. Relationship to the SNMPv2-MIB . . . . . . . . . . . . . . . . 11 | 4. Relationship to the SNMPv2-MIB . . . . . . . . . . . . . . . . 11 | |||
| 5. System YANG module . . . . . . . . . . . . . . . . . . . . . . 12 | 5. IANA Crypt Hash YANG module . . . . . . . . . . . . . . . . . 12 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 31 | 6. System YANG module . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 32 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 | |||
| 8. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 34 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 34 | |||
| 8.1. 00-01 . . . . . . . . . . . . . . . . . . . . . . . . . . 34 | 9. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 8.2. 01-02 . . . . . . . . . . . . . . . . . . . . . . . . . . 34 | 9.1. 00-01 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 8.3. 02-03 . . . . . . . . . . . . . . . . . . . . . . . . . . 34 | 9.2. 01-02 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 8.4. 03-04 . . . . . . . . . . . . . . . . . . . . . . . . . . 34 | 9.3. 02-03 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 8.5. 04-05 . . . . . . . . . . . . . . . . . . . . . . . . . . 34 | 9.4. 03-04 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 8.6. 05-06 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 | 9.5. 04-05 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 8.7. 06-07 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 | 9.6. 05-06 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 | |||
| 8.8. 07-08 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | 9.7. 06-07 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 | |||
| 8.9. 08-09 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | 9.8. 07-08 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 8.10. 09-10 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | 9.9. 08-09 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 8.11. 11-12 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | 9.10. 09-10 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 37 | 9.11. 11-12 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . . 37 | 9.12. 13-14 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . . 38 | 9.13. 14-15 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 39 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 39 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . . 39 | ||||
| 10.2. Informative References . . . . . . . . . . . . . . . . . . 40 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 41 | ||||
| 1. Introduction | 1. Introduction | |||
| This document defines a YANG [RFC6020] data model for the | This document defines a YANG [RFC6020] data model for the | |||
| configuration and identification of some common properties within a | configuration and identification of some common properties within a | |||
| device containing a NETCONF server. | device containing a NETCONF server. | |||
| Devices that are managed by NETCONF and perhaps other mechanisms have | Devices that are managed by NETCONF and perhaps other mechanisms have | |||
| common properties that need to be configured and monitored in a | common properties that need to be configured and monitored in a | |||
| standard way. | standard way. | |||
| skipping to change at page 9, line 12 ¶ | skipping to change at page 9, line 12 ¶ | |||
| New "case" statements can be added over time or augmented to the | New "case" statements can be added over time or augmented to the | |||
| "transport" choice to support other transport protocols. | "transport" choice to support other transport protocols. | |||
| 3.5. User Authentication Model | 3.5. User Authentication Model | |||
| This document defines three authentication methods for use with | This document defines three authentication methods for use with | |||
| NETCONF: | NETCONF: | |||
| o publickey for local users over SSH | o publickey for local users over SSH | |||
| o password for local users over any transport | o password for local users over any secure transport | |||
| o password for RADIUS users over any transport | o password for RADIUS users over any secure transport | |||
| Additional methods can be defined by other standard documents or by | Additional methods can be defined by other standard documents or by | |||
| vendors. | vendors. | |||
| This document defines two optional YANG features, "local-users" and | This document defines two optional YANG features, "local-users" and | |||
| "radius-authentication", which the server advertises to indicate | "radius-authentication", which the server advertises to indicate | |||
| support for configuring local users on the device, and support for | support for configuring local users on the device, and support for | |||
| using RADIUS for authentication, respectively. | using RADIUS for authentication, respectively. | |||
| The authentication parameters defined in this document are primarily | The authentication parameters defined in this document are primarily | |||
| skipping to change at page 9, line 36 ¶ | skipping to change at page 9, line 36 ¶ | |||
| used by other interfaces, e.g., a Command Line Interface or a Web- | used by other interfaces, e.g., a Command Line Interface or a Web- | |||
| based User Interface. | based User Interface. | |||
| The data model for user authentication has the following structure: | The data model for user authentication has the following structure: | |||
| +--rw system | +--rw system | |||
| +--rw authentication | +--rw authentication | |||
| +--rw user-authentication-order* identityref | +--rw user-authentication-order* identityref | |||
| +--rw user* [name] | +--rw user* [name] | |||
| +--rw name string | +--rw name string | |||
| +--rw password? crypt-hash | +--rw password? ianach:crypt-hash | |||
| +--rw ssh-key* [name] | +--rw authorized-key* [name] | |||
| +--rw name string | +--rw name string | |||
| +--rw algorithm string | +--rw algorithm string | |||
| +--rw key-data binary | +--rw key-data binary | |||
| 3.5.1. SSH Public Key Authentication | 3.5.1. SSH Public Key Authentication | |||
| If the NETCONF server advertises the "local-users" feature, | If the NETCONF server advertises the "local-users" feature, | |||
| configuration of local users and their SSH public keys is supported | configuration of local users and their SSH public keys is supported | |||
| in the /system/authentication/user list. | in the /system/authentication/user list. | |||
| skipping to change at page 11, line 9 ¶ | skipping to change at page 11, line 9 ¶ | |||
| Two protocol operations are included to restart or shutdown the | Two protocol operations are included to restart or shutdown the | |||
| system. The 'system-restart' operation can be used to restart the | system. The 'system-restart' operation can be used to restart the | |||
| entire system (not just the NETCONF server). The 'system-shutdown' | entire system (not just the NETCONF server). The 'system-shutdown' | |||
| operation can be used to power off the entire system. | operation can be used to power off the entire system. | |||
| 4. Relationship to the SNMPv2-MIB | 4. Relationship to the SNMPv2-MIB | |||
| If a device implements the SNMPv2-MIB [RFC3418], there are two | If a device implements the SNMPv2-MIB [RFC3418], there are two | |||
| objects that MAY be mapped by the implementation. See the YANG | objects that MAY be mapped by the implementation. See the YANG | |||
| module definition in Section 5 for details. The following table | module definition in Section 6 for details. The following table | |||
| lists the YANG data nodes with corresponding objects in the SNMPv2- | lists the YANG data nodes with corresponding objects in the SNMPv2- | |||
| MIB. | MIB. | |||
| +----------------+-------------------+ | +----------------+-------------------+ | |||
| | YANG data node | SNMPv2-MIB object | | | YANG data node | SNMPv2-MIB object | | |||
| +----------------+-------------------+ | +----------------+-------------------+ | |||
| | contact | sysContact | | | contact | sysContact | | |||
| | location | sysLocation | | | location | sysLocation | | |||
| +----------------+-------------------+ | +----------------+-------------------+ | |||
| YANG interface configuration data nodes and related SNMPv2-MIB | YANG interface configuration data nodes and related SNMPv2-MIB | |||
| objects | objects | |||
| 5. System YANG module | 5. IANA Crypt Hash YANG module | |||
| This YANG module references [RFC1321], [IEEE-1003.1-2008], and | ||||
| [FIPS.180-3.2008]. | ||||
| RFC Ed.: update the date below with the date of RFC publication and | ||||
| remove this note. | ||||
| <CODE BEGINS> file "iana-crypt-hash@2014-04-04.yang" | ||||
| module iana-crypt-hash { | ||||
| namespace "urn:ietf:params:xml:ns:yang:iana-crypt-hash"; | ||||
| prefix ianach; | ||||
| organization "IANA"; | ||||
| contact | ||||
| " Internet Assigned Numbers Authority | ||||
| Postal: ICANN | ||||
| 4676 Admiralty Way, Suite 330 | ||||
| Marina del Rey, CA 90292 | ||||
| Tel: +1 310 823 9358 | ||||
| E-Mail: iana&iana.org"; | ||||
| description | ||||
| "This YANG module defines a typedef for storing passwords | ||||
| using a hash function, and features to indicate which hash | ||||
| functions are supported by an implementation. | ||||
| The latest revision of this YANG module can be obtained from | ||||
| the IANA web site. | ||||
| Requests for new values should be made to IANA via | ||||
| email (iana&iana.org). | ||||
| Copyright (c) 2014 IETF Trust and the persons identified as | ||||
| authors of the code. All rights reserved. | ||||
| Redistribution and use in source and binary forms, with or | ||||
| without modification, is permitted pursuant to, and subject | ||||
| to the license terms contained in, the Simplified BSD License | ||||
| set forth in Section 4.c of the IETF Trust's Legal Provisions | ||||
| Relating to IETF Documents | ||||
| (http://trustee.ietf.org/license-info). | ||||
| The initial version of this YANG module is part of RFC XXXX; | ||||
| see the RFC itself for full legal notices."; | ||||
| // RFC Ed.: replace XXXX with actual RFC number and remove this | ||||
| // note. | ||||
| // RFC Ed.: update the date below with the date of RFC publication | ||||
| // and remove this note. | ||||
| revision 2014-04-04 { | ||||
| description | ||||
| "Initial revision."; | ||||
| reference | ||||
| "RFC XXXX: A YANG Data Model for System Management"; | ||||
| } | ||||
| typedef crypt-hash { | ||||
| type string { | ||||
| pattern | ||||
| '$0$.*' | ||||
| + '|$1$[a-zA-Z0-9./]{1,8}$[a-zA-Z0-9./]{22}' | ||||
| + '|$5$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{43}' | ||||
| + '|$6$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{86}'; | ||||
| } | ||||
| description | ||||
| "The crypt-hash type is used to store passwords using | ||||
| a hash function. The algorithms for applying the hash | ||||
| function and encoding the result are implemented in | ||||
| various UNIX systems as the function crypt(3). | ||||
| A value of this type matches one of the forms: | ||||
| $0$<clear text password> | ||||
| $<id>$<salt>$<password hash> | ||||
| $<id>$<parameter>$<salt>$<password hash> | ||||
| The '$0$' prefix signals that the value is clear text. When | ||||
| such a value is received by the server, a hash value is | ||||
| calculated, and the string '$<id>$<salt>$' or | ||||
| $<id>$<parameter>$<salt>$ is prepended to the result. This | ||||
| value is stored in the configuration data store. | ||||
| If a value starting with '$<id>$', where <id> is not '0', is | ||||
| received, the server knows that the value already represents a | ||||
| hashed value, and stores it as is in the data store. | ||||
| When a server needs to verify a password given by a user, it | ||||
| finds the stored password hash string for that user, extracts | ||||
| the salt, and calculates the hash with the salt and given | ||||
| password as input. If the calculated hash value is the same | ||||
| as the stored value, the password given by the client is | ||||
| accepted. | ||||
| This type defines the following hash functions: | ||||
| id | hash function | feature | ||||
| ---+---------------+------------------- | ||||
| 1 | MD5 | crypt-hash-md5 | ||||
| 5 | SHA-256 | crypt-hash-sha-256 | ||||
| 6 | SHA-512 | crypt-hash-sha-512 | ||||
| The server indicates support for the different hash functions | ||||
| by advertising the corresponding feature."; | ||||
| reference | ||||
| "IEEE Std 1003.1-2008 - crypt() function | ||||
| RFC 1321: The MD5 Message-Digest Algorithm | ||||
| FIPS.180-3.2008: Secure Hash Standard"; | ||||
| } | ||||
| feature crypt-hash-md5 { | ||||
| description | ||||
| "Indicates that the device supports the MD5 | ||||
| hash function in 'crypt-hash' values"; | ||||
| reference "RFC 1321: The MD5 Message-Digest Algorithm"; | ||||
| } | ||||
| feature crypt-hash-sha-256 { | ||||
| description | ||||
| "Indicates that the device supports the SHA-256 | ||||
| hash function in 'crypt-hash' values"; | ||||
| reference "FIPS.180-3.2008: Secure Hash Standard"; | ||||
| } | ||||
| feature crypt-hash-sha-512 { | ||||
| description | ||||
| "Indicates that the device supports the SHA-512 | ||||
| hash function in 'crypt-hash' values"; | ||||
| reference "FIPS.180-3.2008: Secure Hash Standard"; | ||||
| } | ||||
| } | ||||
| <CODE ENDS> | ||||
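As an added example (not part of the draft or of any project's code), the following Python sketch implements the contract the crypt-hash typedef describes, both in the iana-crypt-hash module above and in the older ietf-system copy further down: the pattern check, hashing of a '$0$' clear-text value on receipt, pass-through of an already-hashed value only when the server advertises the feature for its id, and verification by extracting the salt (and any rounds parameter) and recomputing. The server, its advertised feature set and the decision to implement only the '$1$' scheme (classic FreeBSD md5crypt, the shortest to write inline) are assumptions; the SHA-256/SHA-512 schemes share the same signature but are not implemented here.

```python
import hashlib
import hmac
import re
import secrets
from typing import Callable, Dict, Optional

# The typedef's pattern transcribed to Python: XSD regexes treat '$' as a
# literal, so each one is escaped here.  One alternative per hash id.
CRYPT_HASH_RE = re.compile(
    r"\$0\$.*"
    r"|\$1\$[a-zA-Z0-9./]{1,8}\$[a-zA-Z0-9./]{22}"
    r"|\$5\$(rounds=\d+\$)?[a-zA-Z0-9./]{1,16}\$[a-zA-Z0-9./]{43}"
    r"|\$6\$(rounds=\d+\$)?[a-zA-Z0-9./]{1,16}\$[a-zA-Z0-9./]{86}"
)

# id -> YANG feature, straight from the table in the typedef description.
FEATURE_FOR_ID = {"1": "crypt-hash-md5", "5": "crypt-hash-sha-256", "6": "crypt-hash-sha-512"}

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3) base-64: emit 'count' characters, least-significant 6 bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password: bytes, salt: str, rounds: Optional[int] = None) -> str:
    """Classic '$1$' crypt(3) scheme (FreeBSD md5crypt); returns only the 22-char
    hash part.  'rounds' is ignored: this scheme has a fixed 1000 iterations."""
    s = salt.encode()
    alt = hashlib.md5(password + s + password).digest()
    ctx = hashlib.md5(password + b"$1$" + s)
    n = len(password)
    while n > 0:                          # mix in 'alt', one block per 16 password bytes
        ctx.update(alt[: min(16, n)])
        n -= 16
    i = len(password)
    while i:                              # the classic bit-pattern quirk of md5crypt
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                 # fixed-cost stretching loop
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return out + _to64(final[11], 2)


# Hash functions this constructed server actually implements (assumption: only
# MD5).  The SHA-2 schemes would plug in here with the same signature.
HASH_FUNCTIONS: Dict[str, Callable[[bytes, str, Optional[int]], str]] = {"1": md5_crypt}


def store_password(value: str, advertised: set) -> str:
    """Server-side handling of a received crypt-hash value.

    '$0$<clear text>' is hashed with the strongest id that is both advertised
    and implemented, and stored as '$<id>$<salt>$<hash>'.  Any other value is
    already a hash and is stored unchanged, but only if the server advertises
    the feature that corresponds to its id."""
    if not CRYPT_HASH_RE.fullmatch(value):
        raise ValueError("value does not match the crypt-hash pattern")
    if value.startswith("$0$"):
        clear = value[3:].encode()
        for hash_id in ("6", "5", "1"):   # SHA-512, then SHA-256, then MD5
            if FEATURE_FOR_ID[hash_id] in advertised and hash_id in HASH_FUNCTIONS:
                salt = "".join(secrets.choice(ITOA64) for _ in range(8))
                return f"${hash_id}${salt}${HASH_FUNCTIONS[hash_id](clear, salt, None)}"
        raise ValueError("no advertised hash function is available")
    hash_id = value.split("$")[1]
    if FEATURE_FOR_ID.get(hash_id) not in advertised:
        raise ValueError(f"hash id {hash_id}: corresponding feature not advertised")
    return value


def verify_password(stored: str, candidate: str) -> bool:
    """Extract id, optional rounds parameter and salt from the stored string,
    recompute the hash over the candidate, and compare in constant time."""
    parts = stored.split("$")             # ['', id, [rounds=N], salt, hash]
    hash_id = parts[1]
    rounds = None
    if len(parts) == 5 and parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
        del parts[2]
    if len(parts) != 4 or hash_id not in HASH_FUNCTIONS:
        return False                      # malformed or unsupported scheme: never accept
    salt, expected = parts[2], parts[3]
    computed = HASH_FUNCTIONS[hash_id](candidate.encode(), salt, rounds)
    return hmac.compare_digest(computed, expected)
```

A server advertising only crypt-hash-md5 therefore accepts and normalises '$0$' values and stored '$1$' values, but refuses a '$5$' or '$6$' value it could never verify.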
| 6. System YANG module | ||||
| This YANG module imports YANG extensions from [RFC6536], and imports | This YANG module imports YANG extensions from [RFC6536], and imports | |||
| YANG types from [RFC6991]. It also references [RFC1035], [RFC1321], | YANG types from [RFC6991]. It also references [RFC1035], [RFC2865], | |||
| [RFC2865], [RFC3418], [RFC5607], [RFC5966], [RFC6557], | [RFC3418], [RFC5607], [RFC5966], [RFC6557]. | |||
| [IEEE-1003.1-2008], and [FIPS.180-3.2008]. | ||||
| RFC Ed.: update the date below with the date of RFC publication and | RFC Ed.: update the date below with the date of RFC publication and | |||
| remove this note. | remove this note. | |||
| <CODE BEGINS> file "ietf-system@2014-02-18.yang" | <CODE BEGINS> file "ietf-system@2014-05-14.yang" | |||
| module ietf-system { | module ietf-system { | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-system"; | namespace "urn:ietf:params:xml:ns:yang:ietf-system"; | |||
| prefix "sys"; | prefix "sys"; | |||
| import ietf-yang-types { | import ietf-yang-types { | |||
| prefix yang; | prefix yang; | |||
| } | } | |||
| import ietf-inet-types { | import ietf-inet-types { | |||
| prefix inet; | prefix inet; | |||
| } | } | |||
| import ietf-netconf-acm { | import ietf-netconf-acm { | |||
| prefix nacm; | prefix nacm; | |||
| } | } | |||
| import iana-crypt-hash { | ||||
| prefix ianach; | ||||
| } | ||||
| organization | organization | |||
| "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; | |||
| contact | contact | |||
| "WG Web: <http://tools.ietf.org/wg/netmod/> | "WG Web: <http://tools.ietf.org/wg/netmod/> | |||
| WG List: <mailto:netmod@ietf.org> | WG List: <mailto:netmod@ietf.org> | |||
| WG Chair: Thomas Nadeau | WG Chair: Thomas Nadeau | |||
| <mailto:tnadeau@lucidvision.com> | <mailto:tnadeau@lucidvision.com> | |||
| skipping to change at page 13, line 33 ¶ | skipping to change at page 16, line 36 ¶ | |||
| the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||
| // RFC Ed.: replace XXXX with actual RFC number and remove this | // RFC Ed.: replace XXXX with actual RFC number and remove this | |||
| // note. | // note. | |||
| // RFC Ed.: remove this note | // RFC Ed.: remove this note | |||
| // Note: extracted from draft-ietf-netmod-system-mgmt-07.txt | // Note: extracted from draft-ietf-netmod-system-mgmt-07.txt | |||
| // RFC Ed.: update the date below with the date of RFC publication | // RFC Ed.: update the date below with the date of RFC publication | |||
| // and remove this note. | // and remove this note. | |||
| revision "2014-02-18" { | revision "2014-05-14" { | |||
| description | description | |||
| "Initial revision."; | "Initial revision."; | |||
| reference | reference | |||
| "RFC XXXX: A YANG Data Model for System Management"; | "RFC XXXX: A YANG Data Model for System Management"; | |||
| } | } | |||
| /* | /* | |||
| * Typedefs | * Typedefs | |||
| */ | */ | |||
| skipping to change at page 14, line 9 ¶ | skipping to change at page 17, line 12 ¶ | |||
| "A timezone name as used by the Time Zone Database, sometimes | "A timezone name as used by the Time Zone Database, sometimes | |||
| referred to as the 'Olson Database'. | referred to as the 'Olson Database'. | |||
| The exact set of valid values is an implementation-specific | The exact set of valid values is an implementation-specific | |||
| matter. Client discovery of the exact set of time zone names | matter. Client discovery of the exact set of time zone names | |||
| for a particular server is out of scope."; | for a particular server is out of scope."; | |||
| reference | reference | |||
| "RFC 6557: Procedures for Maintaining the Time Zone Database"; | "RFC 6557: Procedures for Maintaining the Time Zone Database"; | |||
| } | } | |||
| typedef crypt-hash { | ||||
| type string { | ||||
| pattern | ||||
| '$0$.*' | ||||
| + '|$1$[a-zA-Z0-9./]{1,8}$[a-zA-Z0-9./]{22}' | ||||
| + '|$5$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{43}' | ||||
| + '|$6$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{86}'; | ||||
| } | ||||
| description | ||||
| "The crypt-hash type is used to store passwords using | ||||
| a hash function. The algorithms for applying the hash | ||||
| function and encoding the result are implemented in | ||||
| various UNIX systems as the function crypt(3). | ||||
| A value of this type matches one of the forms: | ||||
| $0$<clear text password> | ||||
| $<id>$<salt>$<password hash> | ||||
| $<id>$<parameter>$<salt>$<password hash> | ||||
| The '$0$' prefix signals that the value is clear text. When | ||||
| such a value is received by the server, a hash value is | ||||
| calculated, and the string '$<id>$<salt>$' or | ||||
| $<id>$<parameter>$<salt>$ is prepended to the result. This | ||||
| value is stored in the configuration data store. | ||||
| If a value starting with '$<id>$', where <id> is not '0', is | ||||
| received, the server knows that the value already represents a | ||||
| hashed value, and stores it as is in the data store. | ||||
| When a server needs to verify a password given by a user, it | ||||
| finds the stored password hash string for that user, extracts | ||||
| the salt, and calculates the hash with the salt and given | ||||
| password as input. If the calculated hash value is the same | ||||
| as the stored value, the password given by the client is | ||||
| accepted. | ||||
| This type defines the following hash functions: | ||||
| id | hash function | feature | ||||
| ---+---------------+------------------- | ||||
| 1 | MD5 | crypt-hash-md5 | ||||
| 5 | SHA-256 | crypt-hash-sha-256 | ||||
| 6 | SHA-512 | crypt-hash-sha-512 | ||||
| The server indicates support for the different hash functions | ||||
| by advertising the corresponding feature."; | ||||
| reference | ||||
| "IEEE Std 1003.1-2008 - crypt() function | ||||
| Wikipedia: http://en.wikipedia.org/wiki/Crypt_(C) | ||||
| RFC 1321: The MD5 Message-Digest Algorithm | ||||
| FIPS.180-3.2008: Secure Hash Standard"; | ||||
| } | ||||
| /* | /* | |||
| * Features | * Features | |||
| */ | */ | |||
| feature radius { | feature radius { | |||
| description | description | |||
| "Indicates that the device can be configured as a RADIUS | "Indicates that the device can be configured as a RADIUS | |||
| client."; | client."; | |||
| reference | reference | |||
| "RFC 2865: Remote Authentication Dial In User Service " | "RFC 2865: Remote Authentication Dial In User Service " | |||
| skipping to change at page 16, line 7 ¶ | skipping to change at page 17, line 51 ¶ | |||
| description | description | |||
| "Indicates that the device supports configuration of user | "Indicates that the device supports configuration of user | |||
| authentication over RADIUS."; | authentication over RADIUS."; | |||
| reference | reference | |||
| "RFC 2865: Remote Authentication Dial In User Service (RADIUS) | "RFC 2865: Remote Authentication Dial In User Service (RADIUS) | |||
| RFC 5607: Remote Authentication Dial-In User Service (RADIUS) | RFC 5607: Remote Authentication Dial-In User Service (RADIUS) | |||
| Authorization for Network Access Server (NAS) | Authorization for Network Access Server (NAS) | |||
| Management"; | Management"; | |||
| } | } | |||
| feature crypt-hash-md5 { | ||||
| description | ||||
| "Indicates that the device supports the MD5 | ||||
| hash function in 'crypt-hash' values"; | ||||
| reference "RFC 1321: The MD5 Message-Digest Algorithm"; | ||||
| } | ||||
| feature crypt-hash-sha-256 { | ||||
| description | ||||
| "Indicates that the device supports the SHA-256 | ||||
| hash function in 'crypt-hash' values"; | ||||
| reference "FIPS.180-3.2008: Secure Hash Standard"; | ||||
| } | ||||
| feature crypt-hash-sha-512 { | ||||
| description | ||||
| "Indicates that the device supports the SHA-512 | ||||
| hash function in 'crypt-hash' values"; | ||||
| reference "FIPS.180-3.2008: Secure Hash Standard"; | ||||
| } | ||||
| feature ntp { | feature ntp { | |||
| description | description | |||
| "Indicates that the device can be configured | "Indicates that the device can be configured | |||
| to use one or more NTP servers to set the | to use one or more NTP servers to set the | |||
| system date and time."; | system date and time."; | |||
| } | } | |||
| feature ntp-udp-port { | feature ntp-udp-port { | |||
| if-feature ntp; | ||||
| description | description | |||
| "Indicates that the device supports the configuration of | "Indicates that the device supports the configuration of | |||
| the UDP port for NTP servers. | the UDP port for NTP servers. | |||
| This is a 'feature' since many implementations do not support | This is a 'feature' since many implementations do not support | |||
| any other port than the default port."; | any other port than the default port."; | |||
| } | } | |||
| feature timezone-name { | feature timezone-name { | |||
| description | description | |||
| skipping to change at page 27, line 13 ¶ | skipping to change at page 28, line 36 ¶ | |||
| key name; | key name; | |||
| description | description | |||
| "The list of local users configured on this device."; | "The list of local users configured on this device."; | |||
| leaf name { | leaf name { | |||
| type string; | type string; | |||
| description | description | |||
| "The user name string identifying this entry."; | "The user name string identifying this entry."; | |||
| } | } | |||
| leaf password { | leaf password { | |||
| type crypt-hash; | type ianach:crypt-hash; | |||
| description | description | |||
| "The password for this entry."; | "The password for this entry."; | |||
| } | } | |||
| list ssh-key { | list authorized-key { | |||
| key name; | key name; | |||
| description | description | |||
| "A list of public SSH keys for this user."; | "A list of public SSH keys for this user. These keys | |||
| are allowed for SSH authentication, as described in | ||||
| RFC 4253."; | ||||
| reference | reference | |||
| "RFC 4253: The Secure Shell (SSH) Transport Layer | "RFC 4253: The Secure Shell (SSH) Transport Layer | |||
| Protocol"; | Protocol"; | |||
| leaf name { | leaf name { | |||
| type string; | type string; | |||
| description | description | |||
| "An arbitrary name for the ssh key."; | "An arbitrary name for the SSH key."; | |||
| } | } | |||
| leaf algorithm { | leaf algorithm { | |||
| type string; | type string; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "The public key algorithm name for this ssh key. | "The public key algorithm name for this SSH key. | |||
| Valid values are the values in the IANA Secure Shell | Valid values are the values in the IANA Secure Shell | |||
| (SSH) Protocol Parameters registry, Public Key | (SSH) Protocol Parameters registry, Public Key | |||
| Algorithm Names"; | Algorithm Names"; | |||
| reference | reference | |||
| "IANA Secure Shell (SSH) Protocol Parameters registry, | "IANA Secure Shell (SSH) Protocol Parameters registry, | |||
| Public Key Algorithm Names"; | Public Key Algorithm Names"; | |||
| } | } | |||
| leaf key-data { | leaf key-data { | |||
| type binary; | type binary; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "The binary key data for this ssh key."; | "The binary public key data for this SSH key, as | |||
| specified by RFC 4253, Section 6.6, i.e.,: | ||||
| string certificate or public key format | ||||
| identifier | ||||
| byte[n] key/certificate data | ||||
| "; | ||||
| reference | ||||
| "RFC 4253: The Secure Shell (SSH) Transport Layer | ||||
| Protocol"; | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| /* | /* | |||
| * Operational state data nodes | * Operational state data nodes | |||
| */ | */ | |||
| container system-state { | container system-state { | |||
| config false; | config false; | |||
| description | description | |||
| "System group operational state."; | "System group operational state."; | |||
| skipping to change at page 30, line 18 ¶ | skipping to change at page 32, line 4 ¶ | |||
| rpc system-shutdown { | rpc system-shutdown { | |||
| nacm:default-deny-all; | nacm:default-deny-all; | |||
| description | description | |||
| "Request that the entire system be shut down immediately. | "Request that the entire system be shut down immediately. | |||
| A server SHOULD send an rpc reply to the client before | A server SHOULD send an rpc reply to the client before | |||
| shutting down the system."; | shutting down the system."; | |||
| } | } | |||
| } | } | |||
| <CODE ENDS> | <CODE ENDS> | |||
| 6. IANA Considerations | 7. IANA Considerations | |||
| This document registers one URI in the IETF XML registry [RFC3688]. | IANA is requested to create an IANA-maintained YANG Module called | |||
| Following the format in RFC 3688, the following registration is | "iana-crypt-hash", based on the contents of Section 5, which will | |||
| allow for new hash algorithms to be added to the type "crypt-hash". | ||||
| The registration procedure will be Expert Review, as defined by | ||||
| [RFC5226]. | ||||
| This document registers two URIs in the IETF XML registry [RFC3688]. | ||||
| Following the format in RFC 3688, the following registrations are | ||||
| requested to be made. | requested to be made. | |||
| URI: urn:ietf:params:xml:ns:yang:iana-crypt-hash | ||||
| Registrant Contact: The IESG. | ||||
| XML: N/A, the requested URI is an XML namespace. | ||||
| URI: urn:ietf:params:xml:ns:yang:ietf-system | URI: urn:ietf:params:xml:ns:yang:ietf-system | |||
| Registrant Contact: The NETMOD WG of the IETF. | Registrant Contact: The IESG. | |||
| XML: N/A, the requested URI is an XML namespace. | XML: N/A, the requested URI is an XML namespace. | |||
| This document registers one YANG module in the YANG Module Names | This document registers two YANG modules in the YANG Module Names | |||
| registry [RFC6020]. | registry [RFC6020]. | |||
| name: iana-crypt-hash | ||||
| namespace: urn:ietf:params:xml:ns:yang:iana-crypt-hash | ||||
| prefix: ianach | ||||
| reference: RFC XXXX | ||||
| name: ietf-system | name: ietf-system | |||
| namespace: urn:ietf:params:xml:ns:yang:ietf-system | namespace: urn:ietf:params:xml:ns:yang:ietf-system | |||
| prefix: sys | prefix: sys | |||
| reference: RFC XXXX | reference: RFC XXXX | |||
| 7. Security Considerations | 8. Security Considerations | |||
| The YANG module defined in this memo is designed to be accessed via | The YANG modules defined in this memo are designed to be accessed via | |||
| the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the | the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the | |||
| secure transport layer and the mandatory-to-implement secure | secure transport layer and the mandatory-to-implement secure | |||
| transport is SSH [RFC6242]. Authorization for access to specific | transport is SSH [RFC6242]. Authorization for access to specific | |||
| portions of conceptual data and operations within this module is | portions of conceptual data and operations within this module is | |||
| provided by the NETCONF access control model (NACM) [RFC6536]. | provided by the NETCONF access control model (NACM) [RFC6536]. | |||
| There are a number of data nodes defined in this YANG module which | There are a number of data nodes defined in the "ietf-system" YANG | |||
| are writable/creatable/deletable (i.e., config true, which is the | module which are writable/creatable/deletable (i.e., config true, | |||
| default). These data nodes may be considered sensitive or vulnerable | which is the default). These data nodes may be considered sensitive | |||
| in some network environments. Write operations to these data nodes | or vulnerable in some network environments. Write operations to | |||
| can have a negative effect on network operations. It is thus | these data nodes can have a negative effect on network operations. | |||
| important to control write access (e.g., via edit-config) to these | It is thus important to control write access (e.g., via edit-config) | |||
| data nodes. These are the subtrees and data nodes and their | to these data nodes. These are the subtrees and data nodes and their | |||
| sensitivity/vulnerability: | sensitivity/vulnerability: | |||
| o /system/clock/timezone: This choice contains the objects used to | o /system/clock/timezone: This choice contains the objects used to | |||
| control the timezone used by the device. | control the timezone used by the device. | |||
| o /system/ntp: This container contains the objects used to control | o /system/ntp: This container contains the objects used to control | |||
| the Network Time Protocol servers used by the device. | the Network Time Protocol servers used by the device. | |||
| o /system/dns-resolver: This container contains the objects used to | o /system/dns-resolver: This container contains the objects used to | |||
| control the Domain Name System servers used by the device. | control the Domain Name System servers used by the device. | |||
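Review bot: the new IANA Considerations text asks for an Expert Review registry so that "new hash algorithms" can be added to "crypt-hash", but gives the Designated Expert no review criteria; RFC 5226 Section 3.2 expects the registering document to say what the expert should check. Suggest adding a sentence requiring that each new entry name the hash algorithm and its defining specification. Also, in the Security Considerations of this same region, the first sentence was updated to "The YANG modules defined in this memo are designed", yet the NACM sentence still reads "portions of conceptual data and operations within this module is provided by"; it should say "within these modules".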
| skipping to change at page 32, line 42 ¶ | skipping to change at page 34, line 42 ¶ | |||
| o /system/radius: This container contains the objects used to | o /system/radius: This container contains the objects used to | |||
| control the Remote Authentication Dial-In User Service servers | control the Remote Authentication Dial-In User Service servers | |||
| used by the device. | used by the device. | |||
| o /system/authentication/user-authentication-order: This leaf | o /system/authentication/user-authentication-order: This leaf | |||
| controls how user login attempts are authenticated by the device. | controls how user login attempts are authenticated by the device. | |||
| o /system/authentication/user: This list contains the local users | o /system/authentication/user: This list contains the local users | |||
| enabled on the system. | enabled on the system. | |||
| Some of the readable data nodes in this YANG module may be considered | Some of the readable data nodes in the "ietf-system" YANG module may | |||
| sensitive or vulnerable in some network environments. It is thus | be considered sensitive or vulnerable in some network environments. | |||
| important to control read access (e.g., via get, get-config, or | It is thus important to control read access (e.g., via get, get- | |||
| notification) to these data nodes. These are the subtrees and data | config, or notification) to these data nodes. These are the subtrees | |||
| nodes and their sensitivity/vulnerability: | and data nodes and their sensitivity/vulnerability: | |||
| o /system/platform: This container has objects which may help | o /system/platform: This container has objects which may help | |||
| identify the specific NETCONF server and/or operating system | identify the specific NETCONF server and/or operating system | |||
| implementation used on the device. | implementation used on the device. | |||
| o /system/authentication/user: This list has objects that may help | o /system/authentication/user: This list has objects that may help | |||
| identify the specific user names and password information in use | identify the specific user names and password information in use | |||
| on the device. | on the device. | |||
| Some of the remote procedure call (RPC) operations in this YANG | Some of the remote procedure call (RPC) operations in the | |||
| module may be considered sensitive or vulnerable in some network | "ietf-system" YANG module may be considered sensitive or vulnerable | |||
| environments. It is thus important to control access to these | in some network environments. It is thus important to control access | |||
| operations. These are the operations and their sensitivity/ | to these operations. These are the operations and their sensitivity/ | |||
| vulnerability: | vulnerability: | |||
| o set-current-datetime: Changes the current date and time on the | o set-current-datetime: Changes the current date and time on the | |||
| device. | device. | |||
| o system-restart: Reboots the device. | o system-restart: Reboots the device. | |||
| o system-shutdown: Shuts down the device. | o system-shutdown: Shuts down the device. | |||
| This YANG model defines a type "crypt-hash" that can be used to store | Since this document describes the use of RADIUS for purposes of | |||
| MD5 hashes. [RFC6151] discusses security considerations for MD5. | authentication, it is vulnerable to all of the threats that are | |||
| The usage of MD5 is NOT RECOMMENDED. | present in other RADIUS applications. For a discussion of such | |||
| threats, see [RFC2865] and [RFC3162], and section 4 of [RFC3579]. | ||||
| 8. Change Log | This document provides configuration parameters for SSH's "publickey" | |||
| and "password" authentication mechanisms. Section 9.4 of [RFC4251] | ||||
| and section 11 of [RFC4252] discuss security considerations for these | ||||
| mechanisms. | ||||
| The "iana-crypt-hash" YANG module defines a type "crypt-hash" that | ||||
| can be used to store MD5 hashes. [RFC6151] discusses security | ||||
| considerations for MD5. The usage of MD5 is NOT RECOMMENDED. | ||||
| 9. Change Log | ||||
| -- RFC Ed.: remove this section before publication. | -- RFC Ed.: remove this section before publication. | |||
| 8.1. 00-01 | 9.1. 00-01 | |||
| o added configuration-source identities | o added configuration-source identities | |||
| o added configuration-source leaf to ntp and dns (via grouping) to | o added configuration-source leaf to ntp and dns (via grouping) to | |||
| choose configuration source | choose configuration source | |||
| o added association-type, iburst, prefer, and true leafs to the ntp- | o added association-type, iburst, prefer, and true leafs to the ntp- | |||
| server list | server list | |||
| o extended the ssh keys for a user to a list of keys. support all | o extended the ssh keys for a user to a list of keys. support all | |||
| defined key algorithms, not just dsa and rsa | defined key algorithms, not just dsa and rsa | |||
| o clarified timezone-utc-offset description-stmt | o clarified timezone-utc-offset description-stmt | |||
| o removed '/system/ntp/server/true' leaf from data model | o removed '/system/ntp/server/true' leaf from data model | |||
| 8.2. 01-02 | 9.2. 01-02 | |||
| o added default-stmts to ntp-server/iburst and ntp-server/prefer | o added default-stmts to ntp-server/iburst and ntp-server/prefer | |||
| leafs | leafs | |||
| o changed timezone-location leaf to use iana-timezone typedef | o changed timezone-location leaf to use iana-timezone typedef | |||
| instead of a string | instead of a string | |||
| 8.3. 02-03 | 9.3. 02-03 | |||
| o removed configuration-source identities and leafs | o removed configuration-source identities and leafs | |||
| 8.4. 03-04 | 9.4. 03-04 | |||
| o removed ndots dns resolver option | o removed ndots dns resolver option | |||
| o added radius-authentication-type identity, and identities for pap | o added radius-authentication-type identity, and identities for pap | |||
| and chap, and a leaf to control which authentication type to use | and chap, and a leaf to control which authentication type to use | |||
| when communicating with the radius server | when communicating with the radius server | |||
| o made 0 an invalid value for timeouts and attempts | o made 0 an invalid value for timeouts and attempts | |||
| 8.5. 04-05 | 9.5. 04-05 | |||
| o updated tree diagram explanation text | o updated tree diagram explanation text | |||
| 8.6. 05-06 | 9.6. 05-06 | |||
| o changed ntp/use-ntp to ntp/enabled | o changed ntp/use-ntp to ntp/enabled | |||
| o changed ntp/ntp-server to ntp/server | o changed ntp/ntp-server to ntp/server | |||
| o removed /system/platform/nodename leaf | o removed /system/platform/nodename leaf | |||
| o changed /system/name to /system/hostname | o changed /system/name to /system/hostname | |||
| o simplified must expression in user-authentication-order | o simplified must expression in user-authentication-order | |||
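Review bot: the list of sensitive readable nodes (/system/platform and /system/authentication/user) omits the RADIUS shared secret, although the change log in this same region records "/system/radius/server/{leafs}" with "{leafs} are authentication-port and shared-secret". That leaf is config data returned by get-config, and anyone able to read it can forge or decode RADIUS exchanges, so the read-access list should add an entry such as "o /system/radius/server: This list contains the shared secrets used to protect RADIUS exchanges with the device." Consistent with the nacm:default-deny-all already placed on the system-shutdown rpc, consider the same statement on the shared-secret leaf so it is not readable unless a NACM rule explicitly grants it. For the same reason, the /system/authentication/user entry should say plainly that it exposes the stored password hashes ("crypt-hash" values), not just "password information".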
| skipping to change at page 35, line 46 ¶ | skipping to change at page 37, line 46 ¶ | |||
| o changed /system/platform/nodename to /system/platform/hostname | o changed /system/platform/nodename to /system/platform/hostname | |||
| o changed /system/radius/server/{leafs} to be within a choice and | o changed /system/radius/server/{leafs} to be within a choice and | |||
| 'udp' case statement so other transport specific parameters can | 'udp' case statement so other transport specific parameters can | |||
| augment this list or they can be added by the WG to a future | augment this list or they can be added by the WG to a future | |||
| version of this module. {leafs} are authentication-port and | version of this module. {leafs} are authentication-port and | |||
| shared-secret. | shared-secret. | |||
| o updated YANG tree diagrams for objects added in -05 and -06 | o updated YANG tree diagrams for objects added in -05 and -06 | |||
| 8.7. 06-07 | 9.7. 06-07 | |||
| o updated the Abstract and Introduction | o updated the Abstract and Introduction | |||
| o updated Tree diagram notation | o updated Tree diagram notation | |||
| o identify all external servers (dns, ntp, radius) by name instead | o identify all external servers (dns, ntp, radius) by name instead | |||
| of address, in order to make the data model extensible for | of address, in order to make the data model extensible for | |||
| additional transport protocol. | additional transport protocol. | |||
| o updated the Security Considerations section with a reference to | o updated the Security Considerations section with a reference to | |||
| NACM. | NACM. | |||
| 8.8. 07-08 | 9.8. 07-08 | |||
| o renamed the DNS transport to 'udp-and-tcp' and added references. | o renamed the DNS transport to 'udp-and-tcp' and added references. | |||
| o moved the operational state nodes into /system-state. | o moved the operational state nodes into /system-state. | |||
| 8.9. 08-09 | 9.9. 08-09 | |||
| o made "ntp" node a presence container | o made "ntp" node a presence container | |||
| o added reference to RFC 6151 | o added reference to RFC 6151 | |||
| o updated reference from 6021-bis to RFC 6991 | o updated reference from 6021-bis to RFC 6991 | |||
| o cleaned up usage of config false in the YANG module | o cleaned up usage of config false in the YANG module | |||
| 8.10. 09-10 | 9.10. 09-10 | |||
| o clarified relationship with SNMPv2-MIB | o clarified relationship with SNMPv2-MIB | |||
| 8.11. 11-12 | 9.11. 11-12 | |||
| o added typedef "timezone-name", and removed reference to | o added typedef "timezone-name", and removed reference to | |||
| draft-ietf-netmod-iana-timezones | draft-ietf-netmod-iana-timezones | |||
| 9. References | 9.12. 13-14 | |||
| 9.1. Normative References | o moved the "crypt-hash" typedef to an IANA maintained module. | |||
| o updated security considerations to mention RADIUS threats. | ||||
| 9.13. 14-15 | ||||
| o updated security considerations to mention SSH authentication | ||||
| method threats. | ||||
| 10. References | ||||
| 10.1. Normative References | ||||
| [FIPS.180-3.2008] | [FIPS.180-3.2008] | |||
| National Institute of Standards and Technology, "Secure | National Institute of Standards and Technology, "Secure | |||
| Hash Standard", FIPS PUB 180-3, October 2008, <http:// | Hash Standard", FIPS PUB 180-3, October 2008, <http:// | |||
| csrc.nist.gov/publications/fips/fips180-3/ | csrc.nist.gov/publications/fips/fips180-3/ | |||
| fips180-3_final.pdf>. | fips180-3_final.pdf>. | |||
| [IEEE-1003.1-2008] | [IEEE-1003.1-2008] | |||
| Institute of Electrical and Electronics Engineers, | Institute of Electrical and Electronics Engineers, | |||
| "POSIX.1-2008", IEEE Standard 1003.1, March 2008. | "POSIX.1-2008", IEEE Standard 1003.1, March 2008. | |||
| skipping to change at page 37, line 32 ¶ | skipping to change at page 39, line 32 ¶ | |||
| [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, | [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, | |||
| April 1992. | April 1992. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, | [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, | |||
| "Remote Authentication Dial In User Service (RADIUS)", | "Remote Authentication Dial In User Service (RADIUS)", | |||
| RFC 2865, June 2000. | RFC 2865, June 2000. | |||
| [RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6", | ||||
| RFC 3162, August 2001. | ||||
| [RFC3418] Presuhn, R., "Management Information Base (MIB) for the | [RFC3418] Presuhn, R., "Management Information Base (MIB) for the | |||
| Simple Network Management Protocol (SNMP)", STD 62, | Simple Network Management Protocol (SNMP)", STD 62, | |||
| RFC 3418, December 2002. | RFC 3418, December 2002. | |||
| [RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) | ||||
| Protocol Architecture", RFC 4251, January 2006. | ||||
| [RFC4252] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) | [RFC4252] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) | |||
| Authentication Protocol", RFC 4252, January 2006. | Authentication Protocol", RFC 4252, January 2006. | |||
| [RFC4253] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) | [RFC4253] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) | |||
| Transport Layer Protocol", RFC 4253, January 2006. | Transport Layer Protocol", RFC 4253, January 2006. | |||
| [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | ||||
| IANA Considerations Section in RFCs", BCP 26, RFC 5226, | ||||
| May 2008. | ||||
| [RFC5607] Nelson, D. and G. Weber, "Remote Authentication Dial-In | [RFC5607] Nelson, D. and G. Weber, "Remote Authentication Dial-In | |||
| User Service (RADIUS) Authorization for Network Access | User Service (RADIUS) Authorization for Network Access | |||
| Server (NAS) Management", RFC 5607, July 2009. | Server (NAS) Management", RFC 5607, July 2009. | |||
| [RFC5966] Bellis, R., "DNS Transport over TCP - Implementation | [RFC5966] Bellis, R., "DNS Transport over TCP - Implementation | |||
| Requirements", RFC 5966, August 2010. | Requirements", RFC 5966, August 2010. | |||
| [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the | [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the | |||
| Network Configuration Protocol (NETCONF)", RFC 6020, | Network Configuration Protocol (NETCONF)", RFC 6020, | |||
| October 2010. | October 2010. | |||
| skipping to change at page 38, line 23 ¶ | skipping to change at page 40, line 32 ¶ | |||
| [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure | [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure | |||
| Shell (SSH)", RFC 6242, June 2011. | Shell (SSH)", RFC 6242, June 2011. | |||
| [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration | [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration | |||
| Protocol (NETCONF) Access Control Model", RFC 6536, | Protocol (NETCONF) Access Control Model", RFC 6536, | |||
| March 2012. | March 2012. | |||
| [RFC6991] Schoenwaelder, J., "Common YANG Data Types", RFC 6991, | [RFC6991] Schoenwaelder, J., "Common YANG Data Types", RFC 6991, | |||
| July 2013. | July 2013. | |||
| 9.2. Informative References | 10.2. Informative References | |||
| [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication | ||||
| Dial In User Service) Support For Extensible | ||||
| Authentication Protocol (EAP)", RFC 3579, September 2003. | ||||
| [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
| January 2004. | January 2004. | |||
| [RFC6557] Lear, E. and P. Eggert, "Procedures for Maintaining the | [RFC6557] Lear, E. and P. Eggert, "Procedures for Maintaining the | |||
| Time Zone Database", BCP 175, RFC 6557, February 2012. | Time Zone Database", BCP 175, RFC 6557, February 2012. | |||
| Authors' Addresses | Authors' Addresses | |||
| Andy Bierman | Andy Bierman | |||
| End of changes. 54 change blocks. | ||||
| 158 lines changed or deleted | 286 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||