Network Working Group                                         A. Bierman
Internet-Draft                                                 YumaWorks
Intended status: Standards Track                            M. Bjorklund
Expires: October 23, 2013                                 Tail-f Systems
                                                          April 21, 2013

                  YANG Data Model for System Management
                    draft-ietf-netmod-system-mgmt-06

Abstract

   This document defines a YANG data model for the configuration and
   identification of the management system of a device.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 23, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
       1.1.1.  Terms
     1.2.  Tree Diagrams
   2.  Objectives
     2.1.  System Identification
     2.2.  System Time Management
     2.3.  User Authentication
   3.  System Data Model
     3.1.  System Identification
     3.2.  System Time Management
     3.3.  DNS Resolver Model
     3.4.  RADIUS Client Model
     3.5.  User Authentication Model
       3.5.1.  SSH Public Key Authentication
       3.5.2.  Local User Password Authentication
       3.5.3.  RADIUS Password Authentication
     3.6.  System Control
   4.  System YANG module
   5.  IANA Considerations
   6.  Security Considerations
   7.  Change Log
     7.1.  00-01
     7.2.  01-02
     7.3.  02-03
     7.4.  03-04
     7.5.  04-05
     7.6.  05-06
   8.  Normative References
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020] data model for the
   configuration and identification of some common properties within the
   management system of a device.

   Devices that are managed by NETCONF and perhaps other mechanisms have
   common properties that need to be configured and monitored in a
   standard way.

   The "ietf-system" YANG module defined in this document provides the
   following features:

   o  system administrative data configuration

   o  system identification monitoring

   o  system time-of-day configuration and monitoring

   o  user authentication configuration

   o  local users configuration

1.1.  Terminology

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14, [RFC2119].

1.1.1.  Terms

   The following terms are used within this document:

   o  system: This term refers to the embodiment of the entire set of
      management interfaces that a single NETCONF server is supporting
      at a given moment.  The set of physical entities managed by a
      single NETCONF server can be static or it can change dynamically.

1.2.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams is as
   follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

2.  Objectives

2.1.  System Identification

   There are many common properties used to identify devices, operating
   systems, software versions, etc. that need to be supported in the
   system data module.  These objects are defined as operational data
   and the information returned by the server is intended to be specific
   to the device vendor.

   Some user-configurable administrative strings are also provided, such
   as the system location and description.

2.2.  System Time Management

   The management of the date and time used by the system needs to be
   supported.  Use of one or more NTP servers to automatically set the
   system date and time needs to be possible.  Utilization of the
   Timezone database [RFC6557] also needs to be supported.  It should be
   possible for the server, as well as clients, to configure the system
   to use NTP.

2.3.  User Authentication

   The authentication mechanism needs to support password authentication
   over RADIUS, to support deployment scenarios with centralized
   authentication servers.  Additionally, local users need to be
   supported, for scenarios when no centralized authentication server
   exists, or for situations where the centralized authentication server
   cannot be reached from the device.

   Since the mandatory transport protocol for NETCONF is SSH [RFC6242],
   the authentication model needs to support SSH's "publickey" and
   "password" authentication methods [RFC4252].

   The model for authentication configuration should be flexible enough
   to support authentication methods defined by other standard documents
   or by vendors.  It should be possible for the server, as well as
   clients, to configure the system authentication properties.

3.  System Data Model

3.1.  System Identification

   The data model for system identification has the following structure:

   +--rw system
      +--rw contact?    string
      +--rw hostname?   inet:domain-name
      +--rw location?   string
      +--ro platform
         +--ro os-name?      string
         +--ro os-release?   string
         +--ro os-version?   string
         +--ro machine?      string

3.2.  System Time Management

   The data model for system time management has the following
   structure:

   +--rw system
      +--rw clock
      |  +--ro current-datetime?   yang:date-and-time
      |  +--ro boot-datetime?      yang:date-and-time
      |  +--rw (timezone)?
      |     +--:(timezone-location)
      |     |  +--rw timezone-location?     string
      |     +--:(timezone-utc-offset)
      |        +--rw timezone-utc-offset?   int16
      +--rw ntp
         +--rw enabled?   boolean
         +--rw server [address]
            +--rw association-type?   enumeration
            +--rw address             inet:host
            +--rw enabled?            boolean
            +--rw iburst?             boolean
            +--rw prefer?             boolean

3.3.  DNS Resolver Model

   The data model for configuration of the DNS resolver has the
   following structure:

   +--rw system
      +--rw dns
         +--rw search*   inet:domain-name
         +--rw server*   inet:ip-address
         +--rw options
            +--rw timeout?    uint8
            +--rw attempts?   uint8

3.4.  RADIUS Client Model

   The data model for configuration of the RADIUS client has the
   following structure:

   +--rw system
      +--rw radius
         +--rw server [address]
         |  +--rw address                inet:host
         |  +--rw (transport)
         |  |  +--:(udp)
         |  |     +--rw udp
         |  |        +--rw authentication-port?   inet:port-number
         |  |        +--rw shared-secret          string
         |  +--rw authentication-type?   identityref
         +--rw options
            +--rw timeout?    uint8
            +--rw attempts?   uint8

3.5.  User Authentication Model

   This document defines three authentication methods for use with
   NETCONF:

   o  publickey for local users over SSH

   o  password for local users over any transport

   o  password for RADIUS users over any transport

   Additional methods can be defined by other standard documents or by
   vendors.
   This document defines two optional YANG features, "local-users" and
   "radius-authentication", which the server advertises to indicate
   support for configuring local users on the device, and support for
   using RADIUS for authentication, respectively.

   The authentication parameters defined in this document are primarily
   used to configure authentication of NETCONF users, but MAY also be
   used by other interfaces, e.g., a Command Line Interface or a Web-
   based User Interface.

   The data model for user authentication has the following structure:

   +--rw system
      +--rw authentication
         +--rw user-authentication-order*   identityref
         +--rw user [name]
            +--rw name        string
            +--rw password?   crypt-hash
            +--rw ssh-key [name]
               +--rw name         string
               +--rw algorithm?   string
               +--rw key-data?    binary

3.5.1.  SSH Public Key Authentication

   If the NETCONF server advertises the "local-users" feature,
   configuration of local users and their SSH public keys is supported
   in the /system/authentication/user list.

   Public key authentication is requested by the SSH client.  If the
   "local-users" feature is supported, then when a NETCONF client starts
   an SSH session towards the server using the "publickey"
   authentication "method name" [RFC4252], the SSH server looks up the
   user name given in the SSH authentication request in the
   /system/authentication/user list, and verifies the key as described
   in [RFC4253].

3.5.2.  Local User Password Authentication

   If the NETCONF server advertises the "local-users" feature,
   configuration of local users and their passwords is supported in the
   /system/authentication/user list.

   For NETCONF transport protocols that support password authentication,
   the leaf-list "user-authentication-order" is used to control whether
   local user password authentication should be used.

   In SSH, password authentication is requested by the client.  Other
   NETCONF transport protocols MAY also support password authentication.

   When local user password authentication is requested, the NETCONF
   transport looks up the user name provided by the client in the
   /system/authentication/user list, and verifies the password.

3.5.3.  RADIUS Password Authentication

   If the NETCONF server advertises the "radius-authentication" feature,
   the device supports user authentication using RADIUS.

   For NETCONF transport protocols that support password authentication,
   the leaf-list "user-authentication-order" is used to control whether
   RADIUS password authentication should be used.

   In SSH, password authentication is requested by the client.  Other
   NETCONF transport protocols MAY also support password authentication.

3.6.  System Control

   Two protocol operations are included to restart or shut down the
   system.  The 'system-restart' operation can be used to restart the
   entire system (not just the NETCONF server).  The 'system-shutdown'
   operation can be used to power off the entire system.

4.  System YANG module

   This YANG module imports YANG extensions from [RFC6536], and imports
   YANG types from [I-D.ietf-netmod-rfc6021-bis] and
   [I-D.ietf-netmod-iana-timezones].  It also references [RFC1321],
   [RFC2865], [RFC3418], [RFC5607], [IEEE-1003.1-2008], and
   [FIPS.180-3.2008].

   RFC Ed.: update the date below with the date of RFC publication and
   remove this note.
349 file "ietf-system@2013-04-21.yang" 351 module ietf-system { 352 namespace "urn:ietf:params:xml:ns:yang:ietf-system"; 353 prefix "sys"; 355 import ietf-yang-types { 356 prefix yang; 357 } 359 import ietf-inet-types { 360 prefix inet; 361 } 363 import ietf-netconf-acm { 364 prefix nacm; 365 } 367 import iana-timezones { 368 prefix ianatz; 369 } 371 organization 372 "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; 374 contact 375 "WG Web: 376 WG List: 378 WG Chair: David Kessens 379 381 WG Chair: Juergen Schoenwaelder 382 384 Editor: Andy Bierman 385 387 Editor: Martin Bjorklund 388 "; 390 description 391 "This module contains a collection of YANG definitions for the 392 configuration and identification of the management system of a 393 device. 395 Copyright (c) 2013 IETF Trust and the persons identified as 396 authors of the code. All rights reserved. 398 Redistribution and use in source and binary forms, with or 399 without modification, is permitted pursuant to, and subject 400 to the license terms contained in, the Simplified BSD License 401 set forth in Section 4.c of the IETF Trust's Legal Provisions 402 Relating to IETF Documents 403 (http://trustee.ietf.org/license-info). 405 This version of this YANG module is part of RFC XXXX; see 406 the RFC itself for full legal notices."; 408 // RFC Ed.: replace XXXX with actual RFC number and remove this 409 // note. 411 // RFC Ed.: remove this note 412 // Note: extracted from draft-ietf-netmod-system-mgmt-06.txt 414 // RFC Ed.: update the date below with the date of RFC publication 415 // and remove this note. 
416 revision "2013-04-21" { 417 description 418 "Initial revision."; 419 reference 420 "RFC XXXX: A YANG Data Model for System Management"; 421 } 423 /* 424 * Typedefs 425 */ 427 typedef crypt-hash { 428 type string { 429 pattern 430 '$0$.*' 431 + '|$1$[a-zA-Z0-9./]{1,8}$[a-zA-Z0-9./]{22}' 432 + '|$5$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{43}' 433 + '|$6$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{86}'; 434 } 435 description 436 "The crypt-hash type is used to store passwords using 437 a hash function. The algorithms for applying the hash 438 function and encoding the result are implemented in 439 various UNIX systems as the function crypt(3). 441 A value of this type matches one of the forms: 443 $0$ 444 $$$ 445 $$$$ 447 The '$0$' prefix signals that the value is clear text. When 448 such a value is received by the server, a hash value is 449 calculated, and the string '$$$' or 450 $$$$ is prepended to the result. This 451 value is stored in the configuration data store. 453 If a value starting with '$$', where is not '0', is 454 received, the server knows that the value already represents a 455 hashed value, and stores it as is in the data store. 457 When a server needs to verify a password given by a user, it 458 finds the stored password hash string for that user, extracts 459 the salt, and calculates the hash with the salt and given 460 password as input. If the calculated hash value is the same 461 as the stored value, the password given by the client is 462 correct. 
464 This type defines the following hash functions: 466 id | hash function | feature 467 ---+---------------+------------------- 468 1 | MD5 | crypt-hash-md5 469 5 | SHA-256 | crypt-hash-sha-256 470 6 | SHA-512 | crypt-hash-sha-512 472 The server indicates support for the different hash functions 473 by advertising the corresponding feature."; 474 reference 475 "IEEE Std 1003.1-2008 - crypt() function 476 Wikipedia: http://en.wikipedia.org/wiki/Crypt_(C) 477 RFC 1321: The MD5 Message-Digest Algorithm 478 FIPS.180-3.2008: Secure Hash Standard"; 479 } 481 /* 482 * Features 483 */ 485 feature radius { 486 description 487 "Indicates that the device can be configured as a RADIUS 488 client."; 489 reference 490 "RFC 2865: Remote Authentication Dial In User Service " 491 + "(RADIUS)"; 492 } 494 feature authentication { 495 description 496 "Indicates that the device can be configured 497 to do authentication of users."; 498 } 500 feature local-users { 501 if-feature authentication; 502 description 503 "Indicates that the device supports 504 local user authentication."; 505 } 507 feature radius-authentication { 508 if-feature radius; 509 if-feature authentication; 510 description 511 "Indicates that the device supports user authentication over 512 RADIUS."; 513 reference 514 "RFC 2865: Remote Authentication Dial In User Service (RADIUS) 515 RFC 5607: Remote Authentication Dial-In User Service (RADIUS) 516 Authorization for Network Access Server (NAS) 517 Management"; 518 } 520 feature crypt-hash-md5 { 521 description 522 "Indicates that the device supports the MD5 523 hash function in 'crypt-hash' values"; 524 reference "RFC 1321: The MD5 Message-Digest Algorithm"; 525 } 527 feature crypt-hash-sha-256 { 528 description 529 "Indicates that the device supports the SHA-256 530 hash function in 'crypt-hash' values"; 532 reference "FIPS.180-3.2008: Secure Hash Standard"; 533 } 535 feature crypt-hash-sha-512 { 536 description 537 "Indicates that the device supports the SHA-512 
538 hash function in 'crypt-hash' values"; 539 reference "FIPS.180-3.2008: Secure Hash Standard"; 540 } 542 feature ntp { 543 description 544 "Indicates that the device can be configured 545 to use one or more NTP servers to set the 546 system date and time."; 547 } 549 feature timezone-location { 550 description 551 "Indicates that the local timezone on the device 552 can be configured to use the TZ database 553 to set the timezone and manage daylight savings time."; 554 reference 555 "TZ Database http://www.twinsun.com/tz/tz-link.htm 556 Maintaining the Timezone Database 557 RFC 6557 (BCP 175)"; 558 } 560 /* 561 * Identities 562 */ 564 identity authentication-method { 565 description 566 "Base identity for user authentication methods."; 567 } 569 identity radius { 570 base authentication-method; 571 description 572 "Indicates user authentication using RADIUS."; 573 reference 574 "RFC 2865: Remote Authentication Dial In User Service (RADIUS) 575 RFC 5607: Remote Authentication Dial-In User Service (RADIUS) 576 Authorization for Network Access Server (NAS) 577 Management"; 578 } 579 identity local-users { 580 base authentication-method; 581 description 582 "Indicates password-based authentication of locally 583 configured users."; 584 } 586 identity radius-authentication-type { 587 description 588 "Base identity for RADIUS authentication types."; 589 } 591 identity radius-pap { 592 base radius-authentication-type; 593 description 594 "The device requests PAP authentication from the RADIUS 595 server."; 596 reference 597 "RFC 2865: Remote Authentication Dial In User Service"; 598 } 600 identity radius-chap { 601 base radius-authentication-type; 602 description 603 "The device requests CHAP authentication from the RADIUS 604 server."; 605 reference 606 "RFC 2865: Remote Authentication Dial In User Service"; 607 } 609 /* 610 * Top-level container 611 */ 613 container system { 614 description 615 "System group configuration."; 617 leaf contact { 618 type string { 619 
length "0..255"; 620 } 621 description 622 "The administrator contact information for the system."; 623 reference 624 "RFC 3418 - Management Information Base (MIB) for the 625 Simple Network Management Protocol (SNMP) 626 SNMPv2-MIB.sysContact"; 628 } 630 leaf hostname { 631 type inet:domain-name; 632 description 633 "The name of the host. This name can be a single domain 634 label, or the fully qualified domain name of the host."; 635 } 637 leaf location { 638 type string { 639 length "0..255"; 640 } 641 description 642 "The system location."; 643 reference 644 "RFC 3418 - Management Information Base (MIB) for the 645 Simple Network Management Protocol (SNMP) 646 SNMPv2-MIB.sysLocation"; 647 } 649 container platform { 650 config false; 651 description 652 "Contains vendor-specific information for 653 identifying the system platform and operating system."; 654 reference 655 "IEEE Std 1003.1-2008 - sys/utsname.h"; 657 leaf os-name { 658 type string; 659 description 660 "The name of the operating system in use, 661 for example 'Linux'"; 662 reference 663 "IEEE Std 1003.1-2008 - utsname.sysname"; 664 } 666 leaf os-release { 667 type string; 668 description 669 "The current release level of the operating 670 system in use. This string MAY indicate 671 the OS source code revision."; 672 reference 673 "IEEE Std 1003.1-2008 - utsname.release"; 674 } 675 leaf os-version { 676 type string; 677 description 678 "The current version level of the operating 679 system in use. 
This string MAY indicate 680 the specific OS build date and target variant 681 information."; 682 reference 683 "IEEE Std 1003.1-2008 - utsname.version"; 684 } 686 leaf machine { 687 type string; 688 description 689 "A vendor-specific identifier string representing 690 the hardware in use."; 691 reference 692 "IEEE Std 1003.1-2008 - utsname.machine"; 693 } 695 } 697 container clock { 698 description 699 "Configuration and monitoring of the system 700 date and time properties."; 702 leaf current-datetime { 703 type yang:date-and-time; 704 config false; 705 description 706 "The current system date and time."; 707 } 709 leaf boot-datetime { 710 type yang:date-and-time; 711 config false; 712 description 713 "The system date and time when the NETCONF 714 server last restarted."; 715 } 717 choice timezone { 718 description 719 "The system timezone information."; 721 leaf timezone-location { 722 if-feature timezone-location; 723 type ianatz:iana-timezone; 724 description 725 "The TZ database location identifier string 726 to use for the system, such as 'Europe/Stockholm'."; 727 } 729 leaf timezone-utc-offset { 730 type int16 { 731 range "-1500 .. 1500"; 732 } 733 units "minutes"; 734 description 735 "The number of minutes to add to UTC time to 736 identify the timezone for this system. 737 For example, 'UTC - 8:00 hours' would be 738 represented as '-480'. Note that automatic 739 daylight savings time adjustment is not provided, 740 if this object is used."; 741 } 742 } 743 } 745 container ntp { 746 if-feature ntp; 748 description 749 "Configuration of the NTP client."; 751 leaf enabled { 752 type boolean; 753 default true; 754 description 755 "Indicates that the system should attempt 756 to synchronize the system clock with an 757 NTP server from the 'ntp/server' list."; 758 } 760 list server { 761 key address; 762 description 763 "List of NTP servers to use for 764 system clock synchronization. 
If '/system/ntp/enabled' 765 is 'true', then the system will attempt to 766 contact and utilize the specified NTP servers."; 768 leaf association-type { 769 type enumeration { 770 enum server { 771 description 772 "Use client association mode. This device 773 will not provide synchronization to the 774 configured NTP server."; 775 } 776 enum peer { 777 description 778 "Use symmetric active association mode. 779 This device may provide synchronization 780 to the configured NTP server."; 781 } 782 enum pool { 783 description 784 "Use client association mode with one or 785 more of the NTP servers found by DNS 786 resolution of the domain name given by 787 the 'address' leaf. This device will not 788 provide synchronization to the servers."; 789 } 790 } 791 default server; 792 description 793 "The desired association type for this NTP server."; 794 } 795 leaf address { 796 type inet:host; 797 description 798 "The IP address or domain name of the NTP server."; 799 } 800 leaf enabled { 801 type boolean; 802 default true; 803 description 804 "Indicates whether this server is enabled for use or 805 not."; 806 } 807 leaf iburst { 808 type boolean; 809 default false; 810 description 811 "Indicates whether this server should enable burst 812 synchronization or not."; 813 } 814 leaf prefer { 815 type boolean; 816 default false; 817 description 818 "Indicates whether this server should be preferred 819 or not."; 820 } 821 } 822 } 824 container dns { 825 description 826 "Configuration of the DNS resolver."; 828 leaf-list search { 829 type inet:domain-name; 830 ordered-by user; 831 description 832 "An ordered list of domains to search when resolving 833 a host name."; 834 } 835 leaf-list server { 836 type inet:ip-address; 837 ordered-by user; 838 description 839 "Addresses of the name servers that the resolver should 840 query. 842 Implementations MAY limit the number of entries in this 843 leaf list."; 844 } 845 container options { 846 description 847 "Resolver options. 
The set of available options has been 848 limited to those that are generally available across 849 different resolver implementations, and generally 850 useful."; 851 leaf timeout { 852 type uint8 { 853 range "1..max"; 854 } 855 units "seconds"; 856 default "5"; 857 description 858 "The amount of time the resolver will wait for a 859 response from a remote name server before 860 retrying the query via a different name server."; 861 } 862 leaf attempts { 863 type uint8 { 864 range "1..max"; 865 } 866 default "2"; 867 description 868 "The number of times the resolver will send a query to 869 its name servers before giving up and returning an 870 error to the calling application."; 871 } 872 } 873 } 875 container radius { 876 if-feature radius; 878 description 879 "Configuration of the RADIUS client."; 881 list server { 882 key address; 883 ordered-by user; 884 description 885 "List of RADIUS servers used by the device."; 887 leaf address { 888 type inet:host; 889 description 890 "The address of the RADIUS server."; 891 } 892 choice transport { 893 mandatory true; 894 description 895 "The transport protocol specific parameters 896 for this server. 
                It is expected that new
                case statements will be added over time to
                support other transport protocols.";
              case udp {
                container udp {
                  description
                    "Contains UDP specific configuration parameters
                     for RADIUS.";
                  leaf authentication-port {
                    type inet:port-number;
                    default "1812";
                    description
                      "The port number of the RADIUS server.";
                  }
                  leaf shared-secret {
                    type string;
                    mandatory true;
                    nacm:default-deny-all;
                    description
                      "The shared secret which is known to both the
                       RADIUS client and server.";
                    reference
                      "RFC 2865: Remote Authentication Dial In User
                       Service";
                  }
                }
              }
            }
            leaf authentication-type {
              type identityref {
                base radius-authentication-type;
              }
              default radius-pap;
              description
                "The authentication type requested from the RADIUS
                 server.";
            }
          }
          container options {
            description
              "RADIUS client options.";

            leaf timeout {
              type uint8 {
                range "1..max";
              }
              units "seconds";
              default "5";
              description
                "The number of seconds the device will wait for a
                 response from a RADIUS server before trying with a
                 different server.";
            }
            leaf attempts {
              type uint8 {
                range "1..max";
              }
              default "2";
              description
                "The number of times the device will send a query to
                 the RADIUS servers before giving up.";
            }
          }
        }

        container authentication {
          nacm:default-deny-write;
          if-feature authentication;

          description
            "The authentication configuration subtree.";

          leaf-list user-authentication-order {
            type identityref {
              base authentication-method;
            }
            must '(. != "sys:radius" or ../../radius/server)' {
              error-message
                "When 'radius' is used, a RADIUS server"
              + " must be configured.";
              description
                "When 'radius' is used as an authentication method,
                 a RADIUS server must be configured.";
            }
            ordered-by user;

            description
              "When the device authenticates a user with
               a password, it tries the authentication methods in this
               leaf-list in order.  If authentication with one method
               fails, the next method is used.  If no method succeeds,
               the user is denied access.

               If the 'radius-authentication' feature is advertised by
               the NETCONF server, the 'radius' identity can be added to
               this list.

               If the 'local-users' feature is advertised by the
               NETCONF server, the 'local-users' identity can be
               added to this list.";
          }

          list user {
            if-feature local-users;
            key name;
            description
              "The list of local users configured on this device.";

            leaf name {
              type string;
              description
                "The user name string identifying this entry.";
            }
            leaf password {
              type crypt-hash;
              description
                "The password for this entry.";
            }
            list ssh-key {
              key name;
              description
                "A list of public SSH keys for this user.";
              reference
                "RFC 4253: The Secure Shell (SSH) Transport Layer
                 Protocol";

              leaf name {
                type string;
                description
                  "An arbitrary name for the ssh key.";
              }
              leaf algorithm {
                type string;
                description
                  "The public key algorithm name for this ssh key.

                   Valid values are the values in the IANA Secure Shell
                   (SSH) Protocol Parameters registry, Public Key
                   Algorithm Names";
                reference
                  "IANA Secure Shell (SSH) Protocol Parameters registry,
                   Public Key Algorithm Names";
              }
              leaf key-data {
                type binary;
                description
                  "The binary key data for this ssh key.";
              }
            }
          }
        }
      }

      rpc set-current-datetime {
        nacm:default-deny-all;
        description
          "Set the /system/clock/current-datetime leaf
           to the specified value.

           If the system is using NTP (i.e., /system/ntp/enabled
           is set to 'true'), then this operation will
           fail with error-tag 'operation-failed',
           and error-app-tag value of 'ntp-active'";

        input {
          leaf current-datetime {
            type yang:date-and-time;
            mandatory true;
            description
              "The current system date and time.";
          }
        }
      }

      rpc system-restart {
        nacm:default-deny-all;
        description
          "Request that the entire system be restarted immediately.
           A server SHOULD send an rpc reply to the client before
           restarting the system.";
      }

      rpc system-shutdown {
        nacm:default-deny-all;
        description
          "Request that the entire system be shut down immediately.
           A server SHOULD send an rpc reply to the client before
           shutting down the system.";
      }

    }

5.  IANA Considerations

   This document registers one URI in the IETF XML registry [RFC3688].
   Following the format in RFC 3688, the following registration is
   requested to be made.

      URI: urn:ietf:params:xml:ns:yang:ietf-system
      Registrant Contact: The NETMOD WG of the IETF.
      XML: N/A, the requested URI is an XML namespace.

   This document registers one YANG module in the YANG Module Names
   registry [RFC6020].

      name: ietf-system
      namespace: urn:ietf:params:xml:ns:yang:ietf-system
      prefix: sys
      reference: RFC XXXX
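   The following Python is an added example and not code from the draft
   or from the NETMOD working group.  It reads a constructed <system>
   subtree with the standard library's ElementTree, checks the
   constraints stated in the module excerpt above (the mandatory
   shared-secret in the udp case, the inet:port-number leaf with its
   default of 1812, the 1..max range on options/timeout and
   options/attempts, and the must statement on
   user-authentication-order), and then applies the
   nacm:default-deny-all and nacm:default-deny-write annotations as the
   RFC 6536 defaults would when no access control rule matches.  The
   sample XML, the server list's 'name' leaf (defined outside the
   excerpt) and the treatment of nodes beneath an annotated node are
   this example's own assumptions.

```python
"""Added example (not part of the draft): check a candidate /system subtree
against the constraints visible in the ietf-system excerpt above, then
apply the module's nacm:default-deny-* annotations to an access request."""
import xml.etree.ElementTree as ET

SYS_NS = "urn:ietf:params:xml:ns:yang:ietf-system"
NS = {"sys": SYS_NS}

# Constructed sample, not taken from the draft.  The server list's 'name'
# leaf is assumed; its definition lies outside the excerpt.  'backup' omits
# the mandatory shared-secret and options/timeout is 0 (range is 1..max).
SAMPLE_CONFIG = f"""
<system xmlns="{SYS_NS}">
  <radius>
    <server>
      <name>primary</name>
      <udp><shared-secret>example-secret-do-not-reuse</shared-secret></udp>
    </server>
    <server>
      <name>backup</name>
      <udp><authentication-port>1812</authentication-port></udp>
    </server>
    <options><timeout>0</timeout><attempts>2</attempts></options>
  </radius>
  <authentication>
    <user-authentication-order>radius</user-authentication-order>
    <user-authentication-order>local-users</user-authentication-order>
  </authentication>
</system>
"""

# Constructed sample that trips the must statement on user-authentication-order.
SAMPLE_NO_SERVER = f"""
<system xmlns="{SYS_NS}">
  <authentication>
    <user-authentication-order>sys:radius</user-authentication-order>
  </authentication>
</system>
"""


def _text(elem, path):
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def validate_system(xml_text):
    """Return the constraint violations found in a <system> subtree."""
    root = ET.fromstring(xml_text)
    errors = []
    servers = root.findall("sys:radius/sys:server", NS)
    for srv in servers:
        name = _text(srv, "sys:name") or "?"
        udp = srv.find("sys:udp", NS)
        if udp is None:
            continue  # some other transport case; not modelled here
        if _text(udp, "sys:shared-secret") is None:
            errors.append(f"server {name}: udp/shared-secret is mandatory")
        port = int(_text(udp, "sys:authentication-port") or 1812)  # default "1812"
        if not 0 <= port <= 65535:  # inet:port-number
            errors.append(f"server {name}: authentication-port {port} out of range")
    for leaf, default in (("timeout", 5), ("attempts", 2)):
        value = int(_text(root, f"sys:radius/sys:options/sys:{leaf}") or default)
        if not 1 <= value <= 255:  # uint8 with range "1..max"
            errors.append(f"options/{leaf} {value} outside range 1..max")
    # must '(. != "sys:radius" or ../../radius/server)': strip any XML prefix
    order = [e.text.strip().split(":")[-1] for e in
             root.findall("sys:authentication/sys:user-authentication-order", NS)]
    if "radius" in order and not servers:
        errors.append("When 'radius' is used, a RADIUS server must be configured.")
    return errors


# Annotations carried by the excerpt, plus the RFC 6536 global defaults.
DEFAULT_DENY_ALL = {"/system/radius/server/udp/shared-secret",
                    "set-current-datetime", "system-restart", "system-shutdown"}
DEFAULT_DENY_WRITE = {"/system/authentication"}
GLOBAL_DEFAULT = {"read": "permit", "write": "deny", "exec": "permit"}


def _under(target, nodes):
    return any(target == n or target.startswith(n + "/") for n in nodes)


def default_access(target, op, explicit_permit=()):
    """Decide 'read', 'write' or 'exec' on a data path or rpc name.  A
    matching permit rule (simulated by explicit_permit) wins; otherwise the
    module's annotations apply, with everything beneath an annotated node
    treated as covered (this example's choice), then the global defaults."""
    if target in explicit_permit:
        return "permit"
    if _under(target, DEFAULT_DENY_ALL):
        return "deny"
    if op == "write" and _under(target, DEFAULT_DENY_WRITE):
        return "deny"
    return GLOBAL_DEFAULT[op]


def prune_for_read(xml_text, explicit_permit=()):
    """Return the subtree as a get-config reply would show it to a session
    whose read access to default-deny-all nodes is not explicitly permitted."""
    root = ET.fromstring(xml_text)
    secret_path = "/system/radius/server/udp/shared-secret"
    if default_access(secret_path, "read", explicit_permit) == "deny":
        for udp in root.findall("sys:radius/sys:server/sys:udp", NS):
            for secret in udp.findall("sys:shared-secret", NS):
                udp.remove(secret)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for err in validate_system(SAMPLE_CONFIG) + validate_system(SAMPLE_NO_SERVER):
        print("invalid:", err)
    print(prune_for_read(SAMPLE_CONFIG))
```

   Run stand-alone, the script reports the missing secret on 'backup',
   the zero timeout and the must violation of the second sample, and
   prints the first sample with the shared-secret leaf pruned, which is
   what a session lacking an explicit permit rule would receive.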
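   A second added example, again not from the draft, for the ssh-key
   list of /system/authentication/user: the algorithm leaf is a free
   string and key-data is an opaque binary, so nothing in the model ties
   the two together.  The code below builds one list entry from an
   OpenSSH public-key line and refuses an entry whose declared algorithm
   differs from the name the key blob itself carries (the first RFC 4251
   string in the blob).  The sample key blob, the entry name and the
   comment handling are constructed for the example.

```python
"""Added example (not part of the draft): build one ssh-key list entry for
/system/authentication/user from an OpenSSH public-key line, and reject it
when the 'algorithm' leaf disagrees with the name embedded in the key blob."""
import base64
import struct
import xml.etree.ElementTree as ET

SYS_NS = "urn:ietf:params:xml:ns:yang:ietf-system"


def _ssh_string(data: bytes) -> bytes:
    # RFC 4251 'string': uint32 big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int = 0) -> bytes:
    if len(blob) < offset + 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    data = blob[offset + 4:offset + 4 + length]
    if len(data) != length:
        raise ValueError("truncated key blob")
    return data


def parse_openssh_line(line: str) -> dict:
    """Split '<algorithm> <base64-blob> [comment]' and cross-check the
    algorithm name against the first string inside the blob."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<algorithm> <base64> [comment]'")
    declared, blob = parts[0], base64.b64decode(parts[1], validate=True)
    embedded = _read_ssh_string(blob).decode("ascii", "replace")
    if embedded != declared:
        raise ValueError(f"algorithm {declared!r} does not match blob {embedded!r}")
    return {"algorithm": declared, "key-data": blob,
            "comment": parts[2] if len(parts) == 3 else ""}


def ssh_key_entry(name: str, line: str) -> dict:
    """One entry of the ssh-key list; key-data is YANG 'binary', so it is
    carried as base64 text in XML."""
    parsed = parse_openssh_line(line)
    return {"name": name, "algorithm": parsed["algorithm"],
            "key-data": base64.b64encode(parsed["key-data"]).decode("ascii")}


def ssh_key_xml(name: str, line: str) -> str:
    """Serialise the entry in the ietf-system namespace for an edit-config."""
    entry = ssh_key_entry(name, line)
    elem = ET.Element(f"{{{SYS_NS}}}ssh-key")
    for leaf in ("name", "algorithm", "key-data"):
        ET.SubElement(elem, f"{{{SYS_NS}}}{leaf}").text = entry[leaf]
    return ET.tostring(elem, encoding="unicode")


# Constructed sample: a structurally valid ssh-ed25519 blob whose 32-byte
# key is all 0x42.  It is a stand-in, not a real key.
_DUMMY_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x42" * 32)
_DUMMY_B64 = base64.b64encode(_DUMMY_BLOB).decode("ascii")
SAMPLE_LINE = f"ssh-ed25519 {_DUMMY_B64} ops@example.test"
MISLABELLED_LINE = f"ssh-rsa {_DUMMY_B64}"  # the algorithm leaf would lie


def rejects_mislabelled(line: str = MISLABELLED_LINE) -> bool:
    """True when the declared/embedded algorithm mismatch is refused."""
    try:
        parse_openssh_line(line)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(ssh_key_xml("laptop", SAMPLE_LINE))
    print("mislabelled rejected:", rejects_mislabelled())
```

   The same check is worth running on the server side before an entry
   is committed: an algorithm leaf that names one algorithm while
   key-data carries another is at best a configuration error and at
   worst a key that the SSH server will interpret differently from what
   an operator reviewing the configuration expects.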
6.  Security Considerations

   The YANG module defined in this memo is designed to be accessed via
   the NETCONF protocol [RFC6241].  The lowest NETCONF layer is the
   secure transport layer and the mandatory-to-implement secure
   transport is SSH [RFC6242].

   There are a number of data nodes defined in this YANG module which
   are writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  These are the subtrees and data nodes
   and their sensitivity/vulnerability:

   o  /system/clock/timezone: This choice contains the objects used to
      control the timezone used by the device.

   o  /system/ntp: This container contains the objects used to control
      the Network Time Protocol servers used by the device.

   o  /system/dns: This container contains the objects used to control
      the Domain Name System servers used by the device.

   o  /system/radius: This container contains the objects used to
      control the Remote Authentication Dial-In User Service servers
      used by the device.  Changing a server entry redirects the
      device's authentication requests; the shared-secret leaf of each
      server is marked nacm:default-deny-all in the module.

   o  /system/authentication/user-authentication-order: This leaf-list
      controls how user login attempts are authenticated by the device,
      including the order in which the methods are tried and whether
      local users are consulted at all.

   o  /system/authentication/user: This list contains the local users
      enabled on the system, together with their hashed passwords and
      SSH public keys; adding an entry or a key grants login access.
      The enclosing /system/authentication container is marked
      nacm:default-deny-write in the module.

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.  These are the subtrees and data
   nodes and their sensitivity/vulnerability:

   o  /system/platform: This container has objects which may help
      identify the specific NETCONF server and/or operating system
      implementation used on the device.

   o  /system/radius/server/udp/shared-secret: This leaf holds the
      secret shared with the RADIUS server, which is why the module
      marks it nacm:default-deny-all.

   o  /system/authentication/user/password: This leaf holds the
      crypt-hash of a local user's password.  A hash is still sensitive,
      since it can be attacked offline once disclosed.

   Some of the RPC operations in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control access to these operations.  All three are
   marked nacm:default-deny-all in the module, so with NACM [RFC6536]
   enabled they cannot be invoked unless an access control rule
   explicitly permits it.  These are the operations and their
   sensitivity/vulnerability:

   o  set-current-datetime: Changes the current date and time on the
      device.

   o  system-restart: Reboots the device.

   o  system-shutdown: Shuts down the device.

7.  Change Log

   -- RFC Ed.: remove this section before publication.

7.1.  00-01

   o  added configuration-source identities

   o  added configuration-source leaf to ntp and dns (via grouping) to
      choose configuration source

   o  added association-type, iburst, prefer, and true leafs to the
      ntp-server list

   o  extended the ssh keys for a user to a list of keys.  support all
      defined key algorithms, not just dsa and rsa

   o  clarified timezone-utc-offset description-stmt

   o  removed '/system/ntp/server/true' leaf from data model

7.2.  01-02

   o  added default-stmts to ntp-server/iburst and ntp-server/prefer
      leafs

   o  changed timezone-location leaf to use iana-timezone typedef
      instead of a string

7.3.  02-03

   o  removed configuration-source identities and leafs

7.4.  03-04

   o  removed ndots dns resolver option

   o  added radius-authentication-type identity, and identities for pap
      and chap, and a leaf to control which authentication type to use
      when communicating with the radius server

   o  made 0 an invalid value for timeouts and attempts

7.5.  04-05

   o  updated tree diagram explanation text

7.6.  05-06
   o  changed ntp/use-ntp to ntp/enabled

   o  changed ntp/ntp-server to ntp/server

   o  removed /system/platform/nodename leaf

   o  changed /system/name to /system/hostname

   o  simplified must expression in user-authentication-order

   o  added optional rounds to sha hash definition

   o  clarified the crypt-hash description

   o  clarified ntp descriptions

   o  clarified YANG module description to indicate that some system
      properties are supported, not the entire system

   o  clarified that system identification values are vendor specific,
      not the data node objects

   o  clarified sec. 2.2 and 2.3 to indicate that the server should also
      be capable of configuring these properties

   o  changed /system/dns/search from inet:host to inet:domain-name

   o  changed RFC6021 reference to 6021-bis

   o  changed /system/platform/nodename to /system/platform/hostname

   o  changed /system/radius/server/{leafs} to be within a choice and
      'udp' case statement so other transport specific parameters can
      augment this list or they can be added by the WG to a future
      version of this module.  {leafs} are authentication-port and
      shared-secret.

   o  updated YANG tree diagrams for objects added in -05 and -06

8.  Normative References

   [FIPS.180-3.2008]
              National Institute of Standards and Technology, "Secure
              Hash Standard", FIPS PUB 180-3, October 2008.

   [I-D.ietf-netmod-iana-timezones]
              Lange, J., "IANA Timezone Database YANG Module",
              draft-ietf-netmod-iana-timezones-00 (work in progress),
              July 2012.

   [I-D.ietf-netmod-rfc6021-bis]
              Schoenwaelder, J., "Common YANG Data Types",
              draft-ietf-netmod-rfc6021-bis-01 (work in progress),
              March 2013.

   [IEEE-1003.1-2008]
              Institute of Electrical and Electronics Engineers,
              "POSIX.1-2008", IEEE Standard 1003.1, March 2008.

   [RFC1321]  Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
              April 1992.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004.

   [RFC4252]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Authentication Protocol", RFC 4252, January 2006.

   [RFC4253]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Transport Layer Protocol", RFC 4253, January 2006.

   [RFC5607]  Nelson, D. and G. Weber, "Remote Authentication Dial-In
              User Service (RADIUS) Authorization for Network Access
              Server (NAS) Management", RFC 5607, July 2009.

   [RFC6020]  Bjorklund, M., "YANG - A Data Modeling Language for the
              Network Configuration Protocol (NETCONF)", RFC 6020,
              October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              March 2012.

   [RFC6557]  Lear, E. and P. Eggert, "Procedures for Maintaining the
              Time Zone Database", BCP 175, RFC 6557, February 2012.

Authors' Addresses

   Andy Bierman
   YumaWorks

   Email: andy@yumaworks.com


   Martin Bjorklund
   Tail-f Systems

   Email: mbj@tail-f.com