idnits 2.17.1

draft-ietf-netmod-system-mgmt-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 185 has weird spacing: '...address ine...'

  == Line 186 has weird spacing: '...enabled boo...'

  == Line 1082 has weird spacing: '...atabase http:...'

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords.

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).

  -- The document date (January 31, 2012) is 4466 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-07) exists of
     draft-ietf-netconf-access-control-05

  == Outdated reference: A later version (-05) exists of
     draft-lear-iana-timezone-database-04

  -- Possible downref: Non-RFC (?) normative reference: ref. 'IEEE-1003.1-2008'

  ** Downref: Normative reference to an Informational RFC: RFC 1321

  ** Obsolete normative reference: RFC 6021 (Obsoleted by RFC 6991)

     Summary: 2 errors (**), 0 flaws (~~), 7 warnings (==), 2 comments (--).
Run idnits with the --verbose option for more detailed information about the
items above.

--------------------------------------------------------------------------------

Network Working Group                                          A. Bierman
Internet-Draft                                            Netconf Central
Intended status: Standards Track                             M. Bjorklund
Expires: August 3, 2012                                    Tail-f Systems
                                                         January 31, 2012


                  YANG Data Model for System Management
                    draft-ietf-netmod-system-mgmt-00

Abstract

   This document defines a YANG data model for the configuration and
   identification of the management system of a device.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 3, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
       1.1.1.  Terms
   2.  Objectives
     2.1.  System Identification
     2.2.  System Time Management
     2.3.  User Authentication
   3.  System Data Model
     3.1.  System Identification
     3.2.  System Time Management
     3.3.  DNS Resolver Model
     3.4.  RADIUS Client Model
     3.5.  User Authentication Model
       3.5.1.  SSH Public Key Authentication
       3.5.2.  Local User Password Authentication
       3.5.3.  RADIUS Password Authentication
     3.6.  System Control
   4.  System YANG module
   5.  IANA Considerations
   6.  Security Considerations
   7.  Normative References
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020] data model for the
   configuration and identification of the management system of a
   device.

   Devices that are managed by NETCONF and perhaps other mechanisms have
   common properties that need to be configured and monitored in a
   standard way.

   The YANG module defined in this document provides the following
   features:

   o  system administrative data configuration

   o  system identification monitoring

   o  system time-of-day configuration and monitoring

   o  user authentication configuration

   o  local users configuration

1.1.  Terminology

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14, [RFC2119].

1.1.1.  Terms

   The following terms are used within this document:

   o  system: This term refers to the embodiment of the entire set of
      management interfaces that a single NETCONF server is supporting
      at a given moment.  The set of physical entities managed by a
      single NETCONF server can be static or it can change dynamically.

2.  Objectives

2.1.  System Identification

   There are many common properties used to identify devices, operating
   systems, software versions, etc. that need to be supported in the
   system data module.  These objects are defined as operational data
   and are intended to be specific to the device vendor.

   Some user-configurable administrative strings are also provided, such
   as the system location and description.

2.2.  System Time Management

   The management of the date and time used by the system needs to be
   supported.  Use of one or more NTP servers to automatically set the
   system date and time needs to be possible.  Utilization of the
   Timezone database [I-D.lear-iana-timezone-database] also needs to be
   supported.

2.3.  User Authentication

   The authentication mechanism needs to support password authentication
   over RADIUS, to support deployment scenarios with centralized
   authentication servers.  Additionally, local users need to be
   supported, for scenarios when no centralized authentication server
   exists, or for situations where the centralized authentication server
   cannot be reached from the device.

   Since the mandatory transport protocol for NETCONF is SSH [RFC6242],
   the authentication model needs to support SSH's "publickey" and
   "password" authentication methods [RFC4252].

   The model for authentication configuration should be flexible enough
   to support authentication methods defined by other standard documents
   or by vendors.

3.  System Data Model

3.1.  System Identification

   The data model for system identification has the following structure:

     +--rw system
        +--rw contact?          string
        +--rw name?             string
        +--rw location?         string
        +--ro platform
           +--ro os-name?       string
           +--ro os-release?    string
           +--ro os-version?    string
           +--ro machine?       string
           +--ro nodename?      string

3.2.  System Time Management

   The data model for system time management has the following
   structure:

     +--rw system
        +--rw clock
        |  +--ro current-datetime?          yang:date-and-time
        |  +--ro boot-datetime?             yang:date-and-time
        |  +--rw (timezone)?
        |     +--:(timezone-location)
        |     |  +--rw timezone-location?   string
        |     +--:(timezone-name)
        |     |  +--rw timezone-name?       string
        |     +--:(timezone-utc-offset)
        |        +--rw timezone-utc-offset? int16
        +--rw ntp
           +--rw use-ntp?       boolean
           +--rw ntp-server [address]
              +--rw address    inet:host
              +--rw enabled    boolean

3.3.  DNS Resolver Model

   The data model for configuration of the DNS resolver has the
   following structure:

     +--rw system
        +--rw dns
           +--rw search*    inet:host
           +--rw server*    inet:ip-address
           +--rw options
              +--rw ndots?      uint8
              +--rw timeout?    uint8
              +--rw attempts?   uint8

3.4.  RADIUS Client Model

   The data model for configuration of the RADIUS client has the
   following structure:

     +--rw system
        +--rw radius
           +--rw server [address]
           |  +--rw address                inet:host
           |  +--rw authentication-port?   inet:port-number
           |  +--rw shared-secret?         string
           +--rw options
              +--rw timeout?    uint8
              +--rw attempts?   uint8

3.5.  User Authentication Model

   This document defines three authentication methods for use with
   NETCONF:

   o  publickey for local users over SSH

   o  password for local users over any transport

   o  password for RADIUS users over any transport

   Additional methods can be defined by other standard documents or by
   vendors.

   This document defines two optional YANG features, "local-users" and
   "radius-authentication", which the server advertises to indicate
   support for configuring local users on the device, and support for
   using RADIUS for authentication, respectively.

   The authentication parameters defined in this document are primarily
   used to configure authentication of NETCONF users, but MAY also be
   used by other interfaces, e.g., a Command Line Interface or a Web-
   based User Interface.

   The data model for user authentication has the following structure:

     +--rw system
        +--rw authentication
           +--rw user-authentication-order*   identityref
           +--rw user [name]
              +--rw name        string
              +--rw password?   crypt-hash
              +--rw ssh-dsa?    binary
              +--rw ssh-rsa?    binary

3.5.1.  SSH Public Key Authentication

   If the NETCONF server advertises the "local-users" feature,
   configuration of local users and their SSH public keys is supported
   in the /system/authentication/user list.

   Public key authentication is requested by the SSH client.  If the
   "local-users" feature is supported, then when a NETCONF client starts
   an SSH session towards the server using the "publickey"
   authentication "method name" [RFC4252], the SSH server looks up the
   user name given in the SSH authentication request in the
   /system/authentication/user list, and verifies the key as described
   in [RFC4253].

3.5.2.  Local User Password Authentication

   If the NETCONF server advertises the "local-users" feature,
   configuration of local users and their passwords is supported in the
   /system/authentication/user list.

   For NETCONF transport protocols that support password authentication,
   the leaf-list "user-authentication-order" is used to control whether
   local user password authentication should be used.

   In SSH, password authentication is requested by the client.  Other
   NETCONF transport protocols MAY also support password authentication.

   When local user password authentication is requested, the NETCONF
   transport looks up the user name provided by the client in the
   /system/authentication/user list, and verifies the password.

3.5.3.  RADIUS Password Authentication

   If the NETCONF server advertises the "radius-authentication" feature,
   the device supports user authentication using RADIUS.

   For NETCONF transport protocols that support password authentication,
   the leaf-list "user-authentication-order" is used to control whether
   RADIUS password authentication should be used.

   In SSH, password authentication is requested by the client.  Other
   NETCONF transport protocols MAY also support password authentication.

3.6.  System Control

   Two protocol operations are included to restart or shut down the
   system.  The 'system-restart' operation can be used to restart the
   entire system (not just the NETCONF server).  The 'system-shutdown'
   operation can be used to power off the entire system.
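   The password handling described in Section 3.5.2 and by the
   "crypt-hash" typedef in Section 4, as an added example that is not
   part of this draft or of any implementation of it: a server receives
   either "$0$<clear text>" or "$<id>$<salt>$<hash>" on a crypt-hash
   leaf, hashes clear text with a fresh random salt before it reaches the
   datastore, stores an already hashed value as is, and later verifies a
   login by recomputing the hash with the stored salt.  Only id 6
   (SHA-512, feature "crypt-hash-sha-512") is implemented; the SHA-512
   crypt algorithm is written out in full because the Python "crypt"
   module was removed in Python 3.13.  The function names, the regular
   expression (a corrected form of the typedef's pattern) and the
   "Hello world!" / "saltstring" test input are this example's own, and
   the rejection of ids 1 and 5 models a server that does not advertise
   "crypt-hash-md5" or "crypt-hash-sha-256".

```python
"""Server-side handling of crypt-hash leaf values (added example, not draft code)."""
import hashlib
import hmac
import re
import secrets

# The two forms the typedef allows: '$0$<clear text>' or '$<id>$<salt>$<hash>'
# with id in {1, 5, 6}.  '$' is escaped here because Python regexes, unlike
# the XSD regexes YANG uses, treat a bare '$' as an anchor.
CRYPT_HASH_RE = re.compile(r"\A(\$0\$.*|\$(1|5|6)\$[a-zA-Z0-9./]{2,16}\$.*)\Z", re.S)

# crypt(3) alphabet: the only characters allowed in the salt and the hash.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Byte permutation sha512-crypt applies to the final digest before encoding
# (21 triples of 24 bits plus the last byte alone).
_SHA512_ORDER = [
    (0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
    (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
    (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
    (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
    (62, 20, 41),
]


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt(3)-style base64: low 6 bits first, n characters."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """Return '$6$<salt>$<hash>' exactly as crypt(3) computes it for id 6."""
    salt = salt[:16]                                    # crypt(3) caps the salt at 16 bytes
    H = hashlib.sha512
    klen, slen = len(password), len(salt)
    b = H(password + salt + password).digest()          # digest B
    a = H(password + salt)                              # digest A starts with key + salt,
    a.update(b * (klen // 64) + b[: klen % 64])         # then one byte of B per key byte,
    n = klen
    while n:                                            # then B or key per bit of the key length
        a.update(b if n & 1 else password)
        n >>= 1
    a = a.digest()
    dp = H(password * klen).digest()                    # DP = H(key repeated len(key) times)
    p = (dp * (klen // 64 + 1))[:klen]                  # P  = DP cycled to the key length
    ds = H(salt * (16 + a[0])).digest()                 # DS = H(salt repeated 16 + A[0] times)
    s = (ds * (slen // 64 + 1))[:slen]                  # S  = DS cycled to the salt length
    c = a
    for i in range(rounds):                             # the deliberately slow part
        h = H()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    enc = "".join(_b64_from_24bit(c[x], c[y], c[z], 4) for x, y, z in _SHA512_ORDER)
    enc += _b64_from_24bit(0, 0, c[63], 2)
    return "$6$" + salt.decode("ascii") + "$" + enc


def store_crypt_hash(received: str) -> str:
    """Value the server writes to the datastore for a crypt-hash leaf."""
    if not CRYPT_HASH_RE.match(received):
        raise ValueError("not a valid crypt-hash value")
    if received.startswith("$0$"):
        # Clear text: hash with a fresh 16-character salt so neither the
        # datastore nor a later <get-config> reply ever holds the password.
        salt = "".join(secrets.choice(ITOA64) for _ in range(16))
        return sha512_crypt(received[3:].encode("utf-8"), salt.encode("ascii"))
    if received.startswith("$6$"):
        return received                                 # already hashed: store as is
    # ids 1 (MD5) and 5 (SHA-256) match the typedef, but this server does not
    # advertise crypt-hash-md5 or crypt-hash-sha-256, so it cannot verify them.
    raise ValueError("unsupported hash id; only crypt-hash-sha-512 is advertised")


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")                           # ['', id, salt, hash]
    if len(parts) != 4 or parts[1] != "6":
        return False
    recomputed = sha512_crypt(candidate.encode("utf-8"), parts[2].encode("ascii"))
    return hmac.compare_digest(recomputed.encode("ascii"), stored.encode("ascii"))
```

   The comparison goes through hmac.compare_digest rather than "==" so
   that a wrong password is rejected in the same time regardless of
   where the first differing character is.  Two points follow directly
   from the typedef text: a "$0$" value travels in the clear inside the
   NETCONF session, so it is protected only by the transport (SSH), and
   a read of the leaf returns the hash, so read access to
   /system/authentication/user/password is worth restricting with the
   ietf-netconf-acm rules the module imports.  Id 1 (MD5 crypt) is kept
   in the typedef for compatibility with existing crypt(3)
   implementations; new "$0$" values are better stored with id 6, since
   MD5 crypt runs a fixed 1000 iterations with no way to raise them.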
4.  System YANG module

   RFC Ed.: update the date below with the date of RFC publication and
   remove this note.

   This YANG module imports YANG extensions from
   [I-D.ietf-netconf-access-control], imports YANG types from [RFC6021],
   and references [RFC1321], [RFC2865], [RFC3418], [RFC5607],
   [IEEE-1003.1-2008], and [FIPS.180-3.2008].

   <CODE BEGINS> file "ietf-system@2012-01-31.yang"

   module ietf-system {
     namespace "urn:ietf:params:xml:ns:yang:ietf-system";
     prefix "sys";

     import ietf-yang-types {
       prefix yang;
     }

     import ietf-inet-types {
       prefix inet;
     }

     import ietf-netconf-acm {
       prefix nacm;
     }

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: David Kessens

        WG Chair: Juergen Schoenwaelder

        Editor: Andy Bierman

        Editor: Martin Bjorklund
       ";

     description
       "This module contains a collection of YANG definitions for the
        configuration and identification of the management system of a
        device.

        Copyright (c) 2011 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     // RFC Ed.: replace XXXX with actual RFC number and remove this
     // note.

     // RFC Ed.: remove this note
     // Note: extracted from draft-ietf-netmod-system-mgmt-00.txt

     // RFC Ed.: update the date below with the date of RFC publication
     // and remove this note.
     revision 2012-01-31 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for System Management";
     }

     /*
      * Typedefs
      */

     typedef timezone-name {
       description
         "List of available timezone enumerations.
          Based on the referenced list, but non-unique names
          have been changed so they are unique enumeration
          identifiers.";
       reference
         "Wikipedia: http://en.wikipedia.org/wiki/"
         + "List_of_time_zone_abbreviations";
       type enumeration {
         enum ACDT {
           description
             "Australian Central Daylight Time UTC+10:30";
         }
         enum ACST {
           description
             "Australian Central Standard Time UTC+09:30";
         }
         enum ACT {
           description
             "ASEAN Common Time UTC+08";
         }
         enum ADT {
           description
             "Atlantic Daylight Time UTC-03";
         }
         enum AEDT {
           description
             "Australian Eastern Daylight Time UTC+11";
         }
         enum AEST {
           description
             "Australian Eastern Standard Time UTC+10";
         }
         enum AFT {
           description
             "Afghanistan Time UTC+04:30";
         }
         enum AKDT {
           description
             "Alaska Daylight Time UTC-08";
         }
         enum AKST {
           description
             "Alaska Standard Time UTC-09";
         }
         enum AMST {
           description
             "Armenia Summer Time UTC+05";
         }
         enum AMT {
           description
             "Armenia Time UTC+04";
         }
         enum ART {
           description
             "Argentina Time UTC-03";
         }
         enum AST {
           description
             "Arab Standard Time (Kuwait, Riyadh) UTC+03";
         }
         enum AST-2 {
           description
             "Arabian Standard Time (Abu Dhabi, Muscat) UTC+04";
         }
         enum AST-3 {
           description
             "Arabic Standard Time (Baghdad) UTC+03";
         }
         enum AST-4 {
           description
             "Atlantic Standard Time UTC-04";
         }
         enum AWDT {
           description
             "Australian Western Daylight Time UTC+09";
         }
         enum AWST {
           description
             "Australian Western Standard Time UTC+08";
         }
         enum AZOST {
           description
             "Azores Standard Time UTC-01";
         }
         enum AZT {
           description
             "Azerbaijan Time UTC+04";
         }
         enum BDT {
           description
             "Brunei Time UTC+08";
         }
         enum BIOT {
           description
             "British Indian Ocean Time UTC+06";
         }
         enum BIT {
           description
             "Baker Island Time UTC-12";
         }
         enum BOT {
           description
             "Bolivia Time UTC-04";
         }
         enum BRT {
           description
             "Brasilia Time UTC-03";
         }
         enum BST {
           description
             "Bangladesh Standard Time UTC+06";
         }
         enum BST-2 {
           description
             "British Summer Time (British Standard Time
              from Feb 1968 to Oct 1971) UTC+01";
         }
         enum BTT {
           description
             "Bhutan Time UTC+06";
         }
         enum CAT {
           description
             "Central Africa Time UTC+02";
         }
         enum CCT {
           description
             "Cocos Islands Time UTC+06:30";
         }
         enum CDT {
           description
             "Central Daylight Time (North America) UTC-05";
         }
         enum CEDT {
           description
             "Central European Daylight Time UTC+02";
         }
         enum CEST {
           description
             "Central European Summer Time (Cf. HAEC) UTC+02";
         }
         enum CET {
           description
             "Central European Time UTC+01";
         }
         enum CHADT {
           description
             "Chatham Daylight Time UTC+13:45";
         }
         enum CHAST {
           description
             "Chatham Standard Time UTC+12:45";
         }
         enum CIST {
           description
             "Clipperton Island Standard Time UTC-08";
         }
         enum CKT {
           description
             "Cook Island Time UTC-10";
         }
         enum CLST {
           description
             "Chile Summer Time UTC-03";
         }
         enum CLT {
           description
             "Chile Standard Time UTC-04";
         }
         enum COST {
           description
             "Colombia Summer Time UTC-04";
         }
         enum COT {
           description
             "Colombia Time UTC-05";
         }
         enum CST {
           description
             "Central Standard Time (North America) UTC-06";
         }
         enum CST-2 {
           description
             "China Standard Time UTC+08";
         }
         enum CST-3 {
           description
             "Central Standard Time (Australia) UTC+09:30";
         }
         enum CT {
           description
             "China Time UTC+08";
         }
         enum CVT {
           description
             "Cape Verde Time UTC-01";
         }
         enum CXT {
           description
             "Christmas Island Time UTC+07";
         }
         enum CHST {
           description
             "Chamorro Standard Time UTC+10";
         }
         enum DFT {
           description
             "AIX specific equivalent of Central European Time UTC+01";
         }
         enum EAST {
           description
             "Easter Island Standard Time UTC-06";
         }
         enum EAT {
           description
             "East Africa Time UTC+03";
         }
         enum ECT {
           description
             "Eastern Caribbean Time (does not recognise DST) UTC-04";
         }
         enum ECT-2 {
           description
             "Ecuador Time UTC-05";
         }
         enum EDT {
           description
             "Eastern Daylight Time (North America) UTC-04";
         }
         enum EEDT {
           description
             "Eastern European Daylight Time UTC+03";
         }
         enum EEST {
           description
             "Eastern European Summer Time UTC+03";
         }
         enum EET {
           description
             "Eastern European Time UTC+02";
         }
         enum EST {
           description
             "Eastern Standard Time (North America) UTC-05";
         }
         enum FJT {
           description
             "Fiji Time UTC+12";
         }
         enum FKST {
           description
             "Falkland Islands Summer Time UTC-03";
         }
         enum FKT {
           description
             "Falkland Islands Time UTC-04";
         }
         enum GALT {
           description
             "Galapagos Time UTC-06";
         }
         enum GET {
           description
             "Georgia Standard Time UTC+04";
         }
         enum GFT {
           description
             "French Guiana Time UTC-03";
         }
         enum GILT {
           description
             "Gilbert Island Time UTC+12";
         }
         enum GIT {
           description
             "Gambier Island Time UTC-09";
         }
         enum GMT {
           description
             "Greenwich Mean Time UTC";
         }
         enum GST {
           description
             "South Georgia and the South Sandwich Islands UTC-02";
         }
         enum GST-2 {
           description
             "Gulf Standard Time UTC+04";
         }
         enum GYT {
           description
             "Guyana Time UTC-04";
         }
         enum HADT {
           description
             "Hawaii-Aleutian Daylight Time UTC-09";
         }
         enum HAEC {
           description
             "Heure Avancee d'Europe Centrale francised name for
              CEST UTC+02";
         }
         enum HAST {
           description
             "Hawaii-Aleutian Standard Time UTC-10";
         }
         enum HKT {
           description
             "Hong Kong Time UTC+08";
         }
         enum HMT {
           description
             "Heard and McDonald Islands Time UTC+05";
         }
         enum HST {
           description
             "Hawaii Standard Time UTC-10";
         }
         enum ICT {
           description
             "Indochina Time UTC+07";
         }
         enum IDT {
           description
             "Israeli Daylight Time UTC+03";
         }
         enum IRKT {
           description
             "Irkutsk Time UTC+08";
         }
         enum IRST {
           description
             "Iran Standard Time UTC+03:30";
         }
         enum IST {
           description
             "Indian Standard Time UTC+05:30";
         }
         enum IST-2 {
           description
             "Irish Summer Time UTC+01";
         }
         enum IST-3 {
           description
             "Israel Standard Time UTC+02";
         }
         enum JST {
           description
             "Japan Standard Time UTC+09";
         }
         enum KRAT {
           description
             "Krasnoyarsk Time UTC+07";
         }
         enum KST {
           description
             "Korea Standard Time UTC+09";
         }
         enum LHST {
           description
             "Lord Howe Standard Time UTC+10:30";
         }
         enum LINT {
           description
             "Line Islands Time UTC+14";
         }
         enum MAGT {
           description
             "Magadan Time UTC+11";
         }
         enum MDT {
           description
             "Mountain Daylight Time (North America) UTC-06";
         }
         enum MET {
           description
             "Middle European Time Same zone as CET UTC+01";
         }
         enum MEST {
           description
             "Middle European Saving Time Same zone as CEST UTC+02";
         }
         enum MIT {
           description
             "Marquesas Islands Time UTC-09:30";
         }
         enum MSD {
           description
             "Moscow Summer Time UTC+04";
         }
         enum MSK {
           description
             "Moscow Standard Time UTC+03";
         }
         enum MST {
           description
             "Malaysian Standard Time UTC+08";
         }
         enum MST-2 {
           description
             "Mountain Standard Time (North America) UTC-07";
         }
         enum MST-3 {
           description
             "Myanmar Standard Time UTC+06:30";
         }
         enum MUT {
           description
             "Mauritius Time UTC+04";
         }
         enum MYT {
           description
             "Malaysia Time UTC+08";
         }
         enum NDT {
           description
             "Newfoundland Daylight Time UTC-02:30";
         }
         enum NFT {
           description
             "Norfolk Time UTC+11:30";
         }
         enum NPT {
           description
             "Nepal Time UTC+05:45";
         }
         enum NST {
           description
             "Newfoundland Standard Time UTC-03:30";
         }
         enum NT {
           description
             "Newfoundland Time UTC-03:30";
         }
         enum NZDT {
           description
             "New Zealand Daylight Time UTC+13";
         }
         enum NZST {
           description
             "New Zealand Standard Time UTC+12";
         }
         enum OMST {
           description
             "Omsk Time UTC+06";
         }
         enum PDT {
           description
             "Pacific Daylight Time (North America) UTC-07";
         }
         enum PETT {
           description
             "Kamchatka Time UTC+12";
         }
         enum PHOT {
           description
             "Phoenix Island Time UTC+13";
         }
         enum PKT {
           description
             "Pakistan Standard Time UTC+05";
         }
         enum PST {
           description
             "Pacific Standard Time (North America) UTC-08";
         }
         enum PST-2 {
           description
             "Philippine Standard Time UTC+08";
         }
         enum RET {
           description
             "Reunion Time UTC+04";
         }
         enum SAMT {
           description
             "Samara Time UTC+04";
         }
         enum SAST {
           description
             "South African Standard Time UTC+02";
         }
         enum SBT {
           description
             "Solomon Islands Time UTC+11";
         }
         enum SCT {
           description
             "Seychelles Time UTC+04";
         }
         enum SGT {
           description
             "Singapore Time UTC+08";
         }
         enum SLT {
           description
             "Sri Lanka Time UTC+05:30";
         }
         enum SST {
           description
             "Samoa Standard Time UTC-11";
         }
         enum SST-2 {
           description
             "Singapore Standard Time UTC+08";
         }
         enum TAHT {
           description
             "Tahiti Time UTC-10";
         }
         enum THA {
           description
             "Thailand Standard Time UTC+07";
         }
         enum UTC {
           description
             "Coordinated Universal Time UTC";
         }
         enum UYST {
           description
             "Uruguay Summer Time UTC-02";
         }
         enum UYT {
           description
             "Uruguay Standard Time UTC-03";
         }
         enum VET {
           description
             "Venezuelan Standard Time UTC-04:30";
         }
         enum VLAT {
           description
             "Vladivostok Time UTC+10";
         }
         enum WAT {
           description
             "West Africa Time UTC+01";
         }
         enum WEDT {
           description
             "Western European Daylight Time UTC+01";
         }
         enum WEST {
           description
             "Western European Summer Time UTC+01";
         }
         enum WET {
           description
             "Western European Time UTC";
         }
         enum WST {
           description
             "Western Standard Time UTC+08";
         }
         enum YAKT {
           description
             "Yakutsk Time UTC+09";
         }
         enum YEKT {
           description
             "Yekaterinburg Time UTC+05";
         }
       }
     }

     typedef crypt-hash {
       type string {
         pattern "$0$.*|$(1|5|6)$[a-zA-Z0-9./]{2,16}$.*";
       }
       description
         "The crypt-hash type is used to store passwords using
          a hash function.  This type is implemented in various UNIX
          systems as the function crypt(3).

          When a clear text value is set to a leaf of this type, the
          server calculates a password hash, and stores the result
          in the datastore.  Thus, the password is never stored in
          clear text.

          When a leaf of this type is read, the stored password hash is
          returned.

          A value of this type matches one of the forms:

            $0$<clear text password>
            $<id>$<salt>$<password hash>

          The '$0$' prefix signals that the value is clear text.  When
          such a value is received by the server, a hash value is
          calculated, and the string '$<id>$<salt>$' is prepended to the
          result, where <salt> is a random 2-16 characters long salt
          used to generate the digest.  This value is stored in the
          configuration data store.

          If a value starting with '$<id>$<salt>$' is received, the
          server knows that the value already represents a hashed value,
          and stores it as is in the data store.

          When a server needs to verify a password given by a user, it
          finds the stored password hash string for that user, extracts
          the salt, and calculates the hash with the salt and given
          password as input.  If the calculated hash value is the same
          as the stored value, the password given by the client is
          correct.

          This type defines the following hash functions:

            id | hash function | feature
            ---+---------------+-------------------
             1 | MD5           | crypt-hash-md5
             5 | SHA-256       | crypt-hash-sha-256
             6 | SHA-512       | crypt-hash-sha-512

          The server indicates support for the different hash functions
          by advertising the corresponding feature.";
       reference
         "IEEE Std 1003.1-2008 - crypt() function
          Wikipedia: http://en.wikipedia.org/wiki/Crypt_(Unix)
          RFC 1321: The MD5 Message-Digest Algorithm
          FIPS.180-3.2008: Secure Hash Standard";
     }

     /*
      * Features
      */

     feature radius {
       description
         "Indicates that the device can be configured as a RADIUS
          client.";
       reference
         "RFC 2865: Remote Authentication Dial In User Service "
         + "(RADIUS)";
     }

     feature authentication {
       description
         "Indicates that the device can be configured
          to do authentication of users.";
     }

     feature local-users {
       if-feature authentication;
       description
         "Indicates that the device supports
          local user authentication.";
     }

     feature radius-authentication {
       if-feature radius;
       if-feature authentication;
       description
         "Indicates that the device supports user authentication over
          RADIUS.";
       reference
         "RFC 2865: Remote Authentication Dial In User Service (RADIUS)
          RFC 5607: Remote Authentication Dial-In User Service (RADIUS)
                    Authorization for Network Access Server (NAS)
                    Management";
     }

     feature crypt-hash-md5 {
       description
         "Indicates that the device supports the MD5
          hash function in 'crypt-hash' values";
       reference "RFC 1321: The MD5 Message-Digest Algorithm";
     }

     feature crypt-hash-sha-256 {
       description
         "Indicates that the device supports the SHA-256
          hash function in 'crypt-hash' values";
       reference "FIPS.180-3.2008: Secure Hash Standard";
     }

     feature crypt-hash-sha-512 {
       description
         "Indicates that the device supports the SHA-512
          hash function in 'crypt-hash' values";
       reference "FIPS.180-3.2008: Secure Hash Standard";
     }

     feature ntp {
       description
         "Indicates that the device can be configured
          to use one or more NTP servers to set the
          system date and time.";
     }

     feature timezone-location {
       description
         "Indicates that the local timezone on the device
          can be configured to use the TZ database
          to set the timezone and manage daylight saving time.";
       reference
         "TZ Database  http://www.twinsun.com/tz/tz-link.htm
          Maintaining the Timezone Database
            draft-lear-iana-timezone-database-04.txt";
     }

     feature timezone-name {
       description
         "Indicates that the local timezone on the device
          can be configured using the timezone enumeration
          strings as an alias for a UTC offset.";
       reference
         "Wikipedia: http://en.wikipedia.org/wiki/"
         + "List_of_time_zone_abbreviations";
     }

     /*
      * Identities
      */

     identity authentication-method {
       description
         "Base identity for user authentication methods.";
     }

     identity radius {
       base authentication-method;
       description
         "Indicates user authentication using RADIUS.";
       reference
         "RFC 2865: Remote Authentication Dial In User Service (RADIUS)
          RFC 5607: Remote Authentication Dial-In User Service (RADIUS)
                    Authorization for Network Access Server (NAS)
                    Management";
     }

     identity local-users {
       base authentication-method;
       description
         "Indicates password-based authentication of locally
          configured users.";
     }

     /*
      * Top-level container
      */

     container system {
       description
         "System group configuration.";

       leaf contact {
         type string {
           length "0..255";
         }
         default "";
         description
           "The administrator contact information for the system.";
         reference
           "RFC 3418 - Management Information Base (MIB) for the
                       Simple Network Management Protocol (SNMP)
                       SNMPv2-MIB.sysContact";
       }

       leaf name {
         type string {
           length "0..255";
         }
         default "";
         description
           "The administratively assigned system name.";
         reference
           "RFC 3418 - Management Information Base (MIB) for the
                       Simple Network Management Protocol (SNMP)
                       SNMPv2-MIB.sysName";
       }

       leaf location {
         type string {
           length "0..255";
         }
         default "";
         description
           "The system location.";
         reference
           "RFC 3418 - Management Information Base (MIB) for the
                       Simple Network Management Protocol (SNMP)
                       SNMPv2-MIB.sysLocation";
       }

       container platform {
         config false;
         description
           "Contains vendor-specific information for
            identifying the system platform and operating system.";
         reference
           "IEEE Std 1003.1-2008 - sys/utsname.h";

         leaf os-name {
           type string;
           description
             "The name of the operating system in use,
              for example 'Linux'.";
           reference
             "IEEE Std 1003.1-2008 - utsname.sysname";
         }

         leaf os-release {
           type string;
           description
             "The current release level of the operating
              system in use.  This string MAY indicate
              the OS source code revision.";
           reference
             "IEEE Std 1003.1-2008 - utsname.release";
         }

         leaf os-version {
           type string;
           description
             "The current version level of the operating
              system in use.  This string MAY indicate
              the specific OS build date and target variant
              information.";
           reference
             "IEEE Std 1003.1-2008 - utsname.version";
         }

         leaf machine {
           type string;
           description
             "A vendor-specific identifier string representing
              the hardware in use.";
           reference
             "IEEE Std 1003.1-2008 - utsname.machine";
         }

         leaf nodename {
           type string;
           description
             "The host name of this system.";
           reference
             "IEEE Std 1003.1-2008 - utsname.nodename";
         }
       }

       container clock {
         description
           "Configuration and monitoring of the system
            date and time properties.";

         leaf current-datetime {
           type yang:date-and-time;
           config false;
           description
             "The current system date and time.";
         }

         leaf boot-datetime {
           type yang:date-and-time;
           config false;
           description
             "The system date and time when the NETCONF
              server last restarted.";
         }

         choice timezone {
           description
             "Configure the system timezone information.";

           leaf timezone-location {
             if-feature timezone-location;
             type string;
             description
               "The TZ database location identifier string
                to use for the system, such as 'Europe/Stockholm'.";
           }

           leaf timezone-name {
             if-feature timezone-name;
             type timezone-name;
             description
               "The timezone enumeration string to use
                for the system, such as 'CET'.";
           }

           leaf timezone-utc-offset {
             type int16 {
               range "-1439 .. 1439";
             }
             description
               "The number of minutes to add to UTC time to
                identify the timezone for this system.
                For example, 'UTC - 8:00 hours' would be
                represented as '-480'.";
           }
         }
       }

       container ntp {
         if-feature ntp;

         description
           "Configuration of the NTP client.";

         leaf use-ntp {
           type boolean;
           default true;
           description
             "Indicates that the system should attempt
              to synchronize the system clock with an
              NTP server from the 'ntp-server' list.";
         }

         list ntp-server {
           key address;
           ordered-by user;
           description
             "List of NTP servers to use for
              system clock synchronization.  If 'use-ntp'
              is 'true', then the system will attempt to
              contact and utilize the specified NTP servers.
              The user-specified order indicates the server priority.";

           leaf address {
             type inet:host;
             description
               "The IP address or domain name of the NTP server.";
           }
           leaf enabled {
             type boolean;
             default true;
             description
               "Indicates whether this server is enabled for use or
                not.";
           }
         }
       }

       container dns {
         description
           "Configuration of the DNS resolver.";

         leaf-list search {
           type inet:host;
           ordered-by user;
           description
             "An ordered list of domains to search when resolving
              a host name.";
         }
         leaf-list server {
           type inet:ip-address;
           ordered-by user;
           description
             "Addresses of the name servers that the resolver should
              query.

              Implementations MAY limit the number of entries in this
              leaf list.";
         }
         container options {
           description
             "Resolver options.
The set of available options has been 1345 limited to those that are generally available across 1346 different resolver implementations, and generally 1347 useful."; 1348 leaf ndots { 1349 type uint8; 1350 default "1"; 1351 description 1352 "This parameter sets a threshold for the number of dots 1353 which must appear in a query request before an initial 1354 absolute query will be made."; 1355 } 1356 leaf timeout { 1357 type uint8; 1358 units "seconds"; 1359 default "5"; 1360 description 1361 "The amount of time the resolver will wait for a 1362 response from a remote name server before 1363 retrying the query via a different name server."; 1364 } 1365 leaf attempts { 1366 type uint8; 1367 default "2"; 1368 description 1369 "The number of times the resolver will send a query to 1370 its name servers before giving up and returning an 1371 error to the calling application."; 1372 } 1373 } 1374 } 1376 container radius { 1377 if-feature radius; 1379 description 1380 "Configuration of the RADIUS client."; 1382 list server { 1383 key address; 1384 ordered-by user; 1385 description 1386 "List of RADIUS servers used by the device."; 1388 leaf address { 1389 type inet:host; 1390 description 1391 "The address of the RADIUS server."; 1392 } 1393 leaf authentication-port { 1394 type inet:port-number; 1395 default "1812"; 1396 description 1397 "The port number of the RADIUS server."; 1398 } 1399 leaf shared-secret { 1400 type string; 1401 nacm:default-deny-all; 1402 description 1403 "The shared secret which is known to both the RADIUS 1404 client and server."; 1405 reference 1406 "RFC 2865: Remote Authentication Dial In User Service"; 1408 } 1409 } 1410 container options { 1411 description 1412 "RADIUS client options."; 1414 leaf timeout { 1415 type uint8; 1416 units "seconds"; 1417 default "5"; 1418 description 1419 "The number of seconds the device will wait for a 1420 response from a RADIUS server before trying with a 1421 different server."; 1422 } 1423 leaf attempts { 
1424 type uint8; 1425 default "2"; 1426 description 1427 "The number of times the device will send a query to 1428 the RADIUS servers before giving up."; 1429 } 1430 } 1431 } 1433 container authentication { 1434 nacm:default-deny-write; 1435 if-feature authentication; 1437 description 1438 "The authentication configuration subtree."; 1440 leaf-list user-authentication-order { 1441 type identityref { 1442 base authentication-method; 1443 } 1444 must '(. = "sys:radius" and ../../radius/server) or' 1445 + '(. != "sys:radius")' { 1446 error-message 1447 "When 'radius' is used, a radius server" 1448 + " must be configured."; 1449 } 1450 ordered-by user; 1452 description 1453 "When the device authenticates a user with 1454 a password, it tries the authentication methods in this 1455 leaf-list in order. If authentication with one method 1456 fails, the next method is used. If no method succeeds, 1457 the user is denied access. 1459 If the 'radius-authentication' feature is advertised by 1460 the NETCONF server, the 'radius' identity can be added to 1461 this list. 1463 If the 'local-users' feature is advertised by the 1464 NETCONF server, the 'local-users' identity can be 1465 added to this list."; 1466 } 1468 list user { 1469 if-feature local-users; 1470 key name; 1471 description 1472 "The list of local users configured on this device."; 1474 leaf name { 1475 type string; 1476 description 1477 "The user name string identifying this entry."; 1478 } 1479 leaf password { 1480 type crypt-hash; 1481 description 1482 "The password for this entry."; 1483 } 1484 leaf ssh-dsa { 1485 type binary; 1486 description 1487 "The public DSA key for this entry."; 1488 } 1489 leaf ssh-rsa { 1490 type binary; 1491 description 1492 "The public RSA key for this entry."; 1493 } 1494 } 1495 } 1496 } 1498 rpc set-current-datetime { 1499 nacm:default-deny-all; 1500 description 1501 "Manually set the /system/clock/current-datetime leaf 1502 to the specified value. 
1504 If the /system/ntp/ntp-in-use leaf exists and 1505 is set to 'true', then this operation will 1506 fail with error-tag 'operation-failed', 1507 and error-app-tag value of 'ntp-active'"; 1508 input { 1509 leaf current-datetime { 1510 type yang:date-and-time; 1511 mandatory true; 1512 description 1513 "The current system date and time."; 1514 } 1515 } 1516 } 1518 rpc system-restart { 1519 nacm:default-deny-all; 1520 description 1521 "Request that the entire system be restarted immediately. 1522 A server SHOULD send an rpc reply to the client before 1523 restarting the system."; 1524 } 1526 rpc system-shutdown { 1527 nacm:default-deny-all; 1528 description 1529 "Request that the entire system be shut down immediately. 1530 A server SHOULD send an rpc reply to the client before 1531 shutting down the system."; 1532 } 1534 } 1536 1538 5. IANA Considerations 1540 This document registers a URI in the IETF XML registry [RFC3688]. 1541 Following the format in RFC 3688, the following registration is 1542 requested to be made. 1544 URI: urn:ietf:params:xml:ns:yang:ietf-system 1546 Registrant Contact: The NETMOD WG of the IETF. 1548 XML: N/A, the requested URI is an XML namespace. 1550 This document registers a YANG module in the YANG Module Names 1551 registry [RFC6020]. 1553 name: ietf-system 1554 namespace: urn:ietf:params:xml:ns:yang:ietf-system 1555 prefix: sys 1556 reference: RFC XXXX 1558 6. Security Considerations 1560 The YANG module defined in this memo is designed to be accessed via 1561 the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the 1562 secure transport layer and the mandatory-to-implement secure 1563 transport is SSH [RFC6242]. 1565 There are a number of data nodes defined in this YANG module which 1566 are writable/creatable/deletable (i.e., config true, which is the 1567 default). These data nodes may be considered sensitive or vulnerable 1568 in some network environments. 
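   The constraints the module states can be checked before a write to
   these data nodes reaches the running datastore.  The following
   Python is an added example, not part of this draft and not the code
   of any NETCONF implementation.  It validates a /system instance,
   represented as a plain dict keyed by the module's node names with
   identityref values in prefixed form such as "sys:radius", against the
   length and range restrictions, the uint8 option leaves, list key
   uniqueness, the identityref base, and the 'must' expression on
   user-authentication-order; it also models the set-current-datetime
   rpc being refused while use-ntp is true.  The function and class
   names (validate_system, try_validate, set_current_datetime,
   example_system, NetconfError) and all sample values are this
   example's own.  The error-tag and error-app-tag values come from the
   module ('operation-failed' with 'ntp-active') and from RFC 6020 for a
   failed 'must' ('must-violation'); the remaining tags are chosen for
   illustration only.

```python
"""Pre-commit validation of an ietf-system configuration instance.

Added example, not part of the draft.  A /system instance is a plain dict
keyed by the module's node names; identityref values use the module's
prefix, e.g. "sys:radius".  Names below (validate_system, try_validate,
set_current_datetime, example_system, NetconfError) are this example's own.
"""

# Identities derived from 'authentication-method' in the module.
AUTH_METHODS = {"sys:radius", "sys:local-users"}
# The three cases of 'choice timezone'; an instance may carry at most one.
TIMEZONE_CASES = ("timezone-location", "timezone-name", "timezone-utc-offset")


class NetconfError(Exception):
    """Models an <rpc-error>: error-tag plus optional error-app-tag."""

    def __init__(self, error_tag, message, error_app_tag=None):
        super().__init__(message)
        self.error_tag = error_tag
        self.error_app_tag = error_app_tag


def _check_uint8(value, path):
    # ndots, timeout and attempts (dns and radius options) are uint8.
    if not isinstance(value, int) or not 0 <= value <= 255:
        raise NetconfError("invalid-value", f"{path} is not a uint8")


def validate_system(system):
    """Raise NetconfError on the first violated constraint, else return True."""
    # leaf contact/name/location: string with length "0..255".
    for leaf in ("contact", "name", "location"):
        if len(system.get(leaf, "")) > 255:
            raise NetconfError("invalid-value", f"/system/{leaf} exceeds length 0..255")

    # choice timezone: only one case may exist (error-tag is this example's
    # choice); timezone-utc-offset is int16 with range "-1439 .. 1439".
    clock = system.get("clock", {})
    present = [case for case in TIMEZONE_CASES if case in clock]
    if len(present) > 1:
        raise NetconfError("operation-failed", f"conflicting timezone cases: {present}")
    if "timezone-utc-offset" in clock:
        offset = clock["timezone-utc-offset"]
        if not isinstance(offset, int) or not -1439 <= offset <= 1439:
            raise NetconfError("invalid-value", "timezone-utc-offset outside -1439..1439")

    for container in ("dns", "radius"):
        for name, value in system.get(container, {}).get("options", {}).items():
            _check_uint8(value, f"/system/{container}/options/{name}")

    # 'key address' on ntp-server and radius server: entries must be unique.
    for path, entries in (("ntp/ntp-server", system.get("ntp", {}).get("ntp-server", [])),
                          ("radius/server", system.get("radius", {}).get("server", []))):
        addresses = [entry["address"] for entry in entries]
        if len(addresses) != len(set(addresses)):
            raise NetconfError("operation-failed", f"duplicate key in /system/{path}")

    # leaf-list user-authentication-order: identityref with base
    # authentication-method, plus the module's 'must' expression
    # '(. = "sys:radius" and ../../radius/server) or (. != "sys:radius")'.
    order = system.get("authentication", {}).get("user-authentication-order", [])
    for method in order:
        if method not in AUTH_METHODS:
            raise NetconfError("invalid-value", f"{method} is not derived from authentication-method")
    if "sys:radius" in order and not system.get("radius", {}).get("server"):
        # Message is the module's error-message; 'must-violation' is the
        # error-app-tag RFC 6020 prescribes for a failed 'must'.
        raise NetconfError("operation-failed",
                           "When 'radius' is used, a radius server must be configured.",
                           error_app_tag="must-violation")
    return True


def try_validate(system):
    """Return None if valid, else (error-tag, error-app-tag, message)."""
    try:
        validate_system(system)
    except NetconfError as err:
        return (err.error_tag, err.error_app_tag, str(err))
    return None


def set_current_datetime(system, current_datetime):
    """rpc set-current-datetime: refused while NTP controls the clock.

    The module says the operation fails with error-tag 'operation-failed'
    and error-app-tag 'ntp-active' when use-ntp (default true) is set.
    """
    ntp = system.get("ntp")
    if ntp is not None and ntp.get("use-ntp", True):
        raise NetconfError("operation-failed", "clock is under NTP control",
                           error_app_tag="ntp-active")
    system.setdefault("clock", {})["current-datetime"] = current_datetime
    return current_datetime


def example_system():
    """A constructed, valid /system instance (sample values, not real hosts)."""
    return {
        "contact": "noc@example.net",
        "name": "edge-router-1",
        "clock": {"timezone-location": "Europe/Stockholm"},
        "ntp": {"use-ntp": True,
                "ntp-server": [{"address": "ntp.example.net", "enabled": True}]},
        "dns": {"search": ["example.net"], "server": ["192.0.2.53"],
                "options": {"ndots": 1, "timeout": 5, "attempts": 2}},
        "radius": {"server": [{"address": "radius.example.net",
                               "authentication-port": 1812,
                               "shared-secret": "constructed-placeholder"}],
                   "options": {"timeout": 5, "attempts": 2}},
        "authentication": {"user-authentication-order": ["sys:radius", "sys:local-users"],
                           "user": [{"name": "admin", "password": "constructed-placeholder"}]},
    }


if __name__ == "__main__":
    cfg = example_system()
    print("valid:", try_validate(cfg))
    cfg["radius"]["server"] = []   # radius listed first, but no server left
    print("must violated:", try_validate(cfg))
```

   A server that enforces these checks on edit-config rejects the
   radius-without-server case before it can lock administrators out,
   which is the situation the 'must' statement exists to prevent.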
   Write operations (e.g., edit-config) to these data nodes without
   proper protection can have a negative effect on network operations.
   These are the subtrees and data nodes and their sensitivity/
   vulnerability:

   o  /system/clock/timezone: This choice contains the objects used to
      control the timezone used by the device.

   o  /system/ntp: This container contains the objects used to control
      the Network Time Protocol servers used by the device.

   o  /system/dns: This container contains the objects used to control
      the Domain Name System servers used by the device.

   o  /system/radius: This container contains the objects used to
      control the Remote Authentication Dial-In User Service servers
      used by the device.

   o  /system/authentication/user-authentication-order: This leaf
      controls how user login attempts are authenticated by the device.

   o  /system/authentication/user: This list contains the local users
      enabled on the system.

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.  These are the subtrees and data
   nodes and their sensitivity/vulnerability:

   o  /system/platform: This container has objects which may help
      identify the specific NETCONF server and/or operating system
      implementation used on the device.

   Some of the RPC operations in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control access to these operations.  These are the
   operations and their sensitivity/vulnerability:

   o  set-current-datetime: Changes the current date and time on the
      device.

   o  system-restart: Reboots the device.

   o  system-shutdown: Shuts down the device.

7.  Normative References

   [FIPS.180-3.2008]
              National Institute of Standards and Technology, "Secure
              Hash Standard", FIPS PUB 180-3, October 2008.

   [I-D.ietf-netconf-access-control]
              Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model",
              draft-ietf-netconf-access-control-05 (work in progress),
              October 2011.

   [I-D.lear-iana-timezone-database]
              Lear, E. and P. Eggert, "IANA Procedures for Maintaining
              the Timezone Database",
              draft-lear-iana-timezone-database-04 (work in progress),
              May 2011.

   [IEEE-1003.1-2008]
              Institute of Electrical and Electronics Engineers,
              "POSIX.1-2008", IEEE Standard 1003.1, March 2008.

   [RFC1321]  Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
              April 1992.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004.

   [RFC4252]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Authentication Protocol", RFC 4252, January 2006.

   [RFC4253]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Transport Layer Protocol", RFC 4253, January 2006.

   [RFC5607]  Nelson, D. and G. Weber, "Remote Authentication Dial-In
              User Service (RADIUS) Authorization for Network Access
              Server (NAS) Management", RFC 5607, July 2009.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6021]  Schoenwaelder, J., "Common YANG Data Types", RFC 6021,
              October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, June 2011.

Authors' Addresses

   Andy Bierman
   Netconf Central

   Email: andy@netconfcentral.org


   Martin Bjorklund
   Tail-f Systems

   Email: mbj@tail-f.com