| < draft-ietf-netmod-system-mgmt-15.txt | draft-ietf-netmod-system-mgmt-16.txt > | |||
|---|---|---|---|---|
| Network Working Group A. Bierman | Network Working Group A. Bierman | |||
| Internet-Draft YumaWorks | Internet-Draft YumaWorks | |||
| Intended status: Standards Track M. Bjorklund | Intended status: Standards Track M. Bjorklund | |||
| Expires: October 31, 2014 Tail-f Systems | Expires: November 15, 2014 Tail-f Systems | |||
| April 29, 2014 | May 14, 2014 | |||
| A YANG Data Model for System Management | A YANG Data Model for System Management | |||
| draft-ietf-netmod-system-mgmt-15 | draft-ietf-netmod-system-mgmt-16 | |||
| Abstract | Abstract | |||
| This document defines a YANG data model for the configuration and | This document defines a YANG data model for the configuration and | |||
| identification of some common system properties within a device | identification of some common system properties within a device | |||
| containing a NETCONF server. This includes data node definitions for | containing a NETCONF server. This includes data node definitions for | |||
| system identification, time-of-day management, user management, DNS | system identification, time-of-day management, user management, DNS | |||
| resolver configuration, and some protocol operations for system | resolver configuration, and some protocol operations for system | |||
| management. | management. | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on October 31, 2014. | This Internet-Draft will expire on November 15, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 31 ¶ | skipping to change at page 2, line 31 ¶ | |||
| 3.3. DNS Resolver Model . . . . . . . . . . . . . . . . . . . . 8 | 3.3. DNS Resolver Model . . . . . . . . . . . . . . . . . . . . 8 | |||
| 3.4. RADIUS Client Model . . . . . . . . . . . . . . . . . . . 8 | 3.4. RADIUS Client Model . . . . . . . . . . . . . . . . . . . 8 | |||
| 3.5. User Authentication Model . . . . . . . . . . . . . . . . 9 | 3.5. User Authentication Model . . . . . . . . . . . . . . . . 9 | |||
| 3.5.1. SSH Public Key Authentication . . . . . . . . . . . . 9 | 3.5.1. SSH Public Key Authentication . . . . . . . . . . . . 9 | |||
| 3.5.2. Local User Password Authentication . . . . . . . . . . 10 | 3.5.2. Local User Password Authentication . . . . . . . . . . 10 | |||
| 3.5.3. RADIUS Password Authentication . . . . . . . . . . . . 10 | 3.5.3. RADIUS Password Authentication . . . . . . . . . . . . 10 | |||
| 3.6. System Control . . . . . . . . . . . . . . . . . . . . . . 10 | 3.6. System Control . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 4. Relationship to the SNMPv2-MIB . . . . . . . . . . . . . . . . 11 | 4. Relationship to the SNMPv2-MIB . . . . . . . . . . . . . . . . 11 | |||
| 5. IANA Crypt Hash YANG module . . . . . . . . . . . . . . . . . 12 | 5. IANA Crypt Hash YANG module . . . . . . . . . . . . . . . . . 12 | |||
| 6. System YANG module . . . . . . . . . . . . . . . . . . . . . . 15 | 6. System YANG module . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 33 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 34 | |||
| 9. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 35 | 9. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 9.1. 00-01 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 | 9.1. 00-01 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 9.2. 01-02 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 | 9.2. 01-02 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 9.3. 02-03 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 | 9.3. 02-03 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 9.4. 03-04 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 | 9.4. 03-04 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 9.5. 04-05 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 | 9.5. 04-05 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 9.6. 05-06 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | 9.6. 05-06 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 | |||
| 9.7. 06-07 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 | 9.7. 06-07 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 | |||
| 9.8. 07-08 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 | 9.8. 07-08 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 9.9. 08-09 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 | 9.9. 08-09 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 9.10. 09-10 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 | 9.10. 09-10 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 9.11. 11-12 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 | 9.11. 11-12 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 9.12. 13-14 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 | 9.12. 13-14 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 9.13. 14-15 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 | 9.13. 14-15 . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 38 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 39 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . . 38 | 10.1. Normative References . . . . . . . . . . . . . . . . . . . 39 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . . 39 | 10.2. Informative References . . . . . . . . . . . . . . . . . . 40 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 40 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 41 | |||
| 1. Introduction | 1. Introduction | |||
| This document defines a YANG [RFC6020] data model for the | This document defines a YANG [RFC6020] data model for the | |||
| configuration and identification of some common properties within a | configuration and identification of some common properties within a | |||
| device containing a NETCONF server. | device containing a NETCONF server. | |||
| Devices that are managed by NETCONF and perhaps other mechanisms have | Devices that are managed by NETCONF and perhaps other mechanisms have | |||
| common properties that need to be configured and monitored in a | common properties that need to be configured and monitored in a | |||
| standard way. | standard way. | |||
| skipping to change at page 9, line 37 ¶ | skipping to change at page 9, line 37 ¶ | |||
| based User Interface. | based User Interface. | |||
| The data model for user authentication has the following structure: | The data model for user authentication has the following structure: | |||
| +--rw system | +--rw system | |||
| +--rw authentication | +--rw authentication | |||
| +--rw user-authentication-order* identityref | +--rw user-authentication-order* identityref | |||
| +--rw user* [name] | +--rw user* [name] | |||
| +--rw name string | +--rw name string | |||
| +--rw password? ianach:crypt-hash | +--rw password? ianach:crypt-hash | |||
| +--rw ssh-key* [name] | +--rw authorized-key* [name] | |||
| +--rw name string | +--rw name string | |||
| +--rw algorithm string | +--rw algorithm string | |||
| +--rw key-data binary | +--rw key-data binary | |||
| 3.5.1. SSH Public Key Authentication | 3.5.1. SSH Public Key Authentication | |||
| If the NETCONF server advertises the "local-users" feature, | If the NETCONF server advertises the "local-users" feature, | |||
| configuration of local users and their SSH public keys is supported | configuration of local users and their SSH public keys is supported | |||
| in the /system/authentication/user list. | in the /system/authentication/user list. | |||
| skipping to change at page 12, line 10 ¶ | skipping to change at page 12, line 10 ¶ | |||
| +----------------+-------------------+ | +----------------+-------------------+ | |||
| YANG interface configuration data nodes and related SNMPv2-MIB | YANG interface configuration data nodes and related SNMPv2-MIB | |||
| objects | objects | |||
| 5. IANA Crypt Hash YANG module | 5. IANA Crypt Hash YANG module | |||
| This YANG module references [RFC1321], [IEEE-1003.1-2008], and | This YANG module references [RFC1321], [IEEE-1003.1-2008], and | |||
| [FIPS.180-3.2008]. | [FIPS.180-3.2008]. | |||
| RFC Ed.: update the date below with the date of RFC publication and | ||||
| remove this note. | ||||
| <CODE BEGINS> file "iana-crypt-hash@2014-04-04.yang" | <CODE BEGINS> file "iana-crypt-hash@2014-04-04.yang" | |||
| module iana-crypt-hash { | module iana-crypt-hash { | |||
| namespace "urn:ietf:params:xml:ns:yang:iana-crypt-hash"; | namespace "urn:ietf:params:xml:ns:yang:iana-crypt-hash"; | |||
| prefix ianach; | prefix ianach; | |||
| organization "IANA"; | organization "IANA"; | |||
| contact | contact | |||
| " Internet Assigned Numbers Authority | " Internet Assigned Numbers Authority | |||
| skipping to change at page 15, line 14 ¶ | skipping to change at page 15, line 14 ¶ | |||
| 6. System YANG module | 6. System YANG module | |||
| This YANG module imports YANG extensions from [RFC6536], and imports | This YANG module imports YANG extensions from [RFC6536], and imports | |||
| YANG types from [RFC6991]. It also references [RFC1035], [RFC2865], | YANG types from [RFC6991]. It also references [RFC1035], [RFC2865], | |||
| [RFC3418], [RFC5607], [RFC5966], [RFC6557]. | [RFC3418], [RFC5607], [RFC5966], [RFC6557]. | |||
| RFC Ed.: update the date below with the date of RFC publication and | RFC Ed.: update the date below with the date of RFC publication and | |||
| remove this note. | remove this note. | |||
| <CODE BEGINS> file "ietf-system@2014-04-04.yang" | <CODE BEGINS> file "ietf-system@2014-05-14.yang" | |||
| module ietf-system { | module ietf-system { | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-system"; | namespace "urn:ietf:params:xml:ns:yang:ietf-system"; | |||
| prefix "sys"; | prefix "sys"; | |||
| import ietf-yang-types { | import ietf-yang-types { | |||
| prefix yang; | prefix yang; | |||
| } | } | |||
| import ietf-inet-types { | import ietf-inet-types { | |||
| skipping to change at page 16, line 36 ¶ | skipping to change at page 16, line 36 ¶ | |||
| the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||
| // RFC Ed.: replace XXXX with actual RFC number and remove this | // RFC Ed.: replace XXXX with actual RFC number and remove this | |||
| // note. | // note. | |||
| // RFC Ed.: remove this note | // RFC Ed.: remove this note | |||
| // Note: extracted from draft-ietf-netmod-system-mgmt-07.txt | // Note: extracted from draft-ietf-netmod-system-mgmt-07.txt | |||
| // RFC Ed.: update the date below with the date of RFC publication | // RFC Ed.: update the date below with the date of RFC publication | |||
| // and remove this note. | // and remove this note. | |||
| revision "2014-04-04" { | revision "2014-05-14" { | |||
| description | description | |||
| "Initial revision."; | "Initial revision."; | |||
| reference | reference | |||
| "RFC XXXX: A YANG Data Model for System Management"; | "RFC XXXX: A YANG Data Model for System Management"; | |||
| } | } | |||
| /* | /* | |||
| * Typedefs | * Typedefs | |||
| */ | */ | |||
| skipping to change at page 28, line 40 ¶ | skipping to change at page 28, line 40 ¶ | |||
| leaf name { | leaf name { | |||
| type string; | type string; | |||
| description | description | |||
| "The user name string identifying this entry."; | "The user name string identifying this entry."; | |||
| } | } | |||
| leaf password { | leaf password { | |||
| type ianach:crypt-hash; | type ianach:crypt-hash; | |||
| description | description | |||
| "The password for this entry."; | "The password for this entry."; | |||
| } | } | |||
| list ssh-key { | list authorized-key { | |||
| key name; | key name; | |||
| description | description | |||
| "A list of public SSH keys for this user."; | "A list of public SSH keys for this user. These keys | |||
| are allowed for SSH authentication, as described in | ||||
| RFC 4253."; | ||||
| reference | reference | |||
| "RFC 4253: The Secure Shell (SSH) Transport Layer | "RFC 4253: The Secure Shell (SSH) Transport Layer | |||
| Protocol"; | Protocol"; | |||
| leaf name { | leaf name { | |||
| type string; | type string; | |||
| description | description | |||
| "An arbitrary name for the ssh key."; | "An arbitrary name for the SSH key."; | |||
| } | } | |||
| leaf algorithm { | leaf algorithm { | |||
| type string; | type string; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "The public key algorithm name for this ssh key. | "The public key algorithm name for this SSH key. | |||
| Valid values are the values in the IANA Secure Shell | Valid values are the values in the IANA Secure Shell | |||
| (SSH) Protocol Parameters registry, Public Key | (SSH) Protocol Parameters registry, Public Key | |||
| Algorithm Names"; | Algorithm Names"; | |||
| reference | reference | |||
| "IANA Secure Shell (SSH) Protocol Parameters registry, | "IANA Secure Shell (SSH) Protocol Parameters registry, | |||
| Public Key Algorithm Names"; | Public Key Algorithm Names"; | |||
| } | } | |||
| leaf key-data { | leaf key-data { | |||
| type binary; | type binary; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "The binary key data for this ssh key."; | "The binary public key data for this SSH key, as | |||
| specified by RFC 4253, Section 6.6, i.e.,: | ||||
| string certificate or public key format | ||||
| identifier | ||||
| byte[n] key/certificate data | ||||
| "; | ||||
| reference | ||||
| "RFC 4253: The Secure Shell (SSH) Transport Layer | ||||
| Protocol"; | ||||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| /* | /* | |||
| * Operational state data nodes | * Operational state data nodes | |||
| */ | */ | |||
| skipping to change at page 31, line 41 ¶ | skipping to change at page 32, line 4 ¶ | |||
| rpc system-shutdown { | rpc system-shutdown { | |||
| nacm:default-deny-all; | nacm:default-deny-all; | |||
| description | description | |||
| "Request that the entire system be shut down immediately. | "Request that the entire system be shut down immediately. | |||
| A server SHOULD send an rpc reply to the client before | A server SHOULD send an rpc reply to the client before | |||
| shutting down the system."; | shutting down the system."; | |||
| } | } | |||
| } | } | |||
| <CODE ENDS> | <CODE ENDS> | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This document defines first version of the IANA-maintained | IANA is requested to create an IANA-maintained YANG Module called | |||
| "iana-crypt-hash" YANG module, which will allow for new hash | "iana-crypt-hash", based on the contents of Section 5, which will | |||
| algorithms to be added to the type "crypt-hash". An Expert Review, | allow for new hash algorithms to be added to the type "crypt-hash". | |||
| as defined by [RFC5226], is REQUIRED, for each modification. | The registration procedure will be Expert Review, as defined by | |||
| [RFC5226]. | ||||
| This document registers two URIs in the IETF XML registry [RFC3688]. | This document registers two URIs in the IETF XML registry [RFC3688]. | |||
| Following the format in RFC 3688, the following registrations are | Following the format in RFC 3688, the following registrations are | |||
| requested to be made. | requested to be made. | |||
| URI: urn:ietf:params:xml:ns:yang:iana-crypt-hash | URI: urn:ietf:params:xml:ns:yang:iana-crypt-hash | |||
| Registrant Contact: The IESG. | Registrant Contact: The IESG. | |||
| XML: N/A, the requested URI is an XML namespace. | XML: N/A, the requested URI is an XML namespace. | |||
| URI: urn:ietf:params:xml:ns:yang:ietf-system | URI: urn:ietf:params:xml:ns:yang:ietf-system | |||
| skipping to change at page 34, line 25 ¶ | skipping to change at page 35, line 25 ¶ | |||
| o set-current-datetime: Changes the current date and time on the | o set-current-datetime: Changes the current date and time on the | |||
| device. | device. | |||
| o system-restart: Reboots the device. | o system-restart: Reboots the device. | |||
| o system-shutdown: Shuts down the device. | o system-shutdown: Shuts down the device. | |||
| Since this document describes the use of RADIUS for purposes of | Since this document describes the use of RADIUS for purposes of | |||
| authentication, it is vulnerable to all of the threats that are | authentication, it is vulnerable to all of the threats that are | |||
| present in other RADIUS applications. For a discussion of such | present in other RADIUS applications. For a discussion of such | |||
| threats, see [RFC2865] and [RFC3162]. | threats, see [RFC2865] and [RFC3162], and section 4 of [RFC3579]. | |||
| This document provides configuration parameters for SSH's "publickey" | This document provides configuration parameters for SSH's "publickey" | |||
| and "password" authentication mechanisms. Section 9.4 of [RFC4251] | and "password" authentication mechanisms. Section 9.4 of [RFC4251] | |||
| and section 11 of [RFC4252] discuss security considerations for these | and section 11 of [RFC4252] discuss security considerations for these | |||
| mechanisms. | mechanisms. | |||
| The "iana-crypt-hash" YANG module defines a type "crypt-hash" that | The "iana-crypt-hash" YANG module defines a type "crypt-hash" that | |||
| can be used to store MD5 hashes. [RFC6151] discusses security | can be used to store MD5 hashes. [RFC6151] discusses security | |||
| considerations for MD5. The usage of MD5 is NOT RECOMMENDED. | considerations for MD5. The usage of MD5 is NOT RECOMMENDED. | |||
| skipping to change at page 39, line 34 ¶ | skipping to change at page 40, line 34 ¶ | |||
| [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration | [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration | |||
| Protocol (NETCONF) Access Control Model", RFC 6536, | Protocol (NETCONF) Access Control Model", RFC 6536, | |||
| March 2012. | March 2012. | |||
| [RFC6991] Schoenwaelder, J., "Common YANG Data Types", RFC 6991, | [RFC6991] Schoenwaelder, J., "Common YANG Data Types", RFC 6991, | |||
| July 2013. | July 2013. | |||
| 10.2. Informative References | 10.2. Informative References | |||
| [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication | ||||
| Dial In User Service) Support For Extensible | ||||
| Authentication Protocol (EAP)", RFC 3579, September 2003. | ||||
| [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
| January 2004. | January 2004. | |||
| [RFC6557] Lear, E. and P. Eggert, "Procedures for Maintaining the | [RFC6557] Lear, E. and P. Eggert, "Procedures for Maintaining the | |||
| Time Zone Database", BCP 175, RFC 6557, February 2012. | Time Zone Database", BCP 175, RFC 6557, February 2012. | |||
| Authors' Addresses | Authors' Addresses | |||
| Andy Bierman | Andy Bierman | |||
| YumaWorks | YumaWorks | |||
| End of changes. 17 change blocks. | ||||
| 39 lines changed or deleted | 56 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
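Review bot: the revised table of contents (hunk at page 2, line 31) still ends the change log at "9.13. 14-15" with no "15-16" entry, although this revision renames the "ssh-key" list to "authorized-key", rewrites the "key-data" description, replaces the IANA Considerations text and adds the [RFC3579] citation. Add a "9.14. 15-16" section listing these changes so the document itself records them.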
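Review bot: removing the paragraph "RFC Ed.: update the date below with the date of RFC publication and remove this note." ahead of `<CODE BEGINS> file "iana-crypt-hash@2014-04-04.yang"` (hunk at page 12, line 10) leaves the 2014-04-04 revision date of iana-crypt-hash with no instruction on who sets it, while the identical note is kept for ietf-system in Section 6 and the revised Section 7 now asks IANA to create the module from Section 5. State that IANA assigns the revision date when it creates the module, or restore the note.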
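Review bot: the revision statement is bumped to "2014-05-14" but the comment two lines above it, `// Note: extracted from draft-ietf-netmod-system-mgmt-07.txt`, still names the -07 draft (hunk at page 16, line 36). Update it to -16 or drop it; the preceding `// RFC Ed.: remove this note` already marks it as temporary, and a stale extraction note is otherwise carried into every later revision.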
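Review bot: the new "authorized-key" description says the keys "are allowed for SSH authentication, as described in RFC 4253" (hunk at page 28, line 40), but RFC 4253 is the transport layer protocol; public key authentication is RFC 4252, which the Security Considerations already cite as "section 11 of [RFC4252]". Cite RFC 4252 for the authentication statement and keep "RFC 4253, Section 6.6" for the "key-data" encoding only. Because that encoding begins with a "string certificate or public key format identifier", "key-data" now carries an algorithm name of its own, so a client can configure an "algorithm" leaf that disagrees with the identifier embedded in "key-data"; the description should state that the two MUST match and that a server rejects a mismatch, since a key accepted under a mis-declared algorithm is exactly the kind of inconsistency an operator cannot audit from the configuration alone. Also, "i.e.,:" in the "key-data" description has stray punctuation; "i.e.:" is enough.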