Network Working Group                                           G. Zheng
Internet-Draft                                                   M. Wang
Intended status: Standards Track                                   B. Wu
Expires: May 6, 2020                                              Huawei
                                                        November 3, 2019

                      Yang data model for TACACS+
                    draft-ietf-opsawg-tacacs-yang-01

Abstract

   This document defines YANG modules that augment the System Management
   data model defined in RFC 7317 with a TACACS+ client model.  The data
   model of the Terminal Access Controller Access Control System Plus
   (TACACS+) client allows the configuration of TACACS+ servers for
   centralized Authentication, Authorization and Accounting.

   The YANG modules in this document conform to the Network Management
   Datastore Architecture (NMDA) defined in RFC 8342.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 6, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions used in this document
     2.1.  Tree Diagrams
   3.  Design of the Data Model
   4.  TACACS+ Client Module
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  TACACS+ Authentication Configuration
   Authors' Addresses

1.  Introduction

   This document defines YANG modules that augment the System Management
   data model defined in [RFC7317] with a TACACS+ client model.

   TACACS+ provides Device Administration for routers, network access
   servers and other networked computing devices via one or more
   centralized servers, as defined in the TACACS+ Protocol
   [I-D.ietf-opsawg-tacacs].

   The System Management Model [RFC7317] defines two YANG features to
   support local or RADIUS authentication:

   o  User Authentication Model: Defines a list of usernames and
      passwords and controls the order in which local or RADIUS
      authentication is used.

   o  RADIUS Client Model: Defines a list of RADIUS servers that a
      device uses.
   Since TACACS+ is also used for device management and the feature is
   not contained in the System Management model, this document defines a
   YANG data model that allows users to configure TACACS+ client
   functions on a device for centralized Authentication, Authorization
   and Accounting provided by TACACS+ servers.

   The YANG models can be used with network management protocols such as
   NETCONF [RFC6241] to install, manipulate, and delete the
   configuration of network devices.

   The YANG data model in this document conforms to the Network
   Management Datastore Architecture (NMDA) defined in [RFC8342].

2.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The following terms are defined in [RFC6241] and are used in this
   specification:

   o  client

   o  configuration data

   o  server

   o  state data

   The following terms are defined in [RFC7950] and are used in this
   specification:

   o  augment

   o  data model

   o  data node

   The terminology for describing YANG data models is found in
   [RFC7950].

2.1.  Tree Diagrams

   Tree diagrams used in this document follow the notation defined in
   [RFC8340].

3.  Design of the Data Model

   This model is used to configure a TACACS+ client on the device to
   support deployment scenarios with centralized authentication,
   authorization, and accounting servers.  Authentication is used to
   validate a user's name and password, authorization allows the user to
   access and execute commands at the various command levels assigned to
   the user, and accounting keeps track of the activity of a user who
   has accessed the device.
   The ietf-system-tacacsplus module is intended to augment the
   "/sys:system" path defined in the ietf-system module with the
   "tacacsplus" grouping.  Therefore, a device can use local, Remote
   Authentication Dial In User Service (RADIUS), or Terminal Access
   Controller Access Control System Plus (TACACS+) to validate users who
   attempt to access the router by several mechanisms, e.g. a command
   line interface or a web-based user interface.

   The "server" list is directly under the "tacacsplus" container.  It
   holds a list of TACACS+ servers and uses "server-type" to distinguish
   between the three AAA server roles (authentication, authorization and
   accounting).  The list of servers is for redundancy.

   Most of the parameters in the "server" list are taken directly from
   the TACACS+ protocol [I-D.ietf-opsawg-tacacs], and some are derived
   from the various implementations by network equipment manufacturers.
   For example, when there are multiple interfaces connected to the
   TACACS+ client or server, the source address of outgoing TACACS+
   packets could be specified directly, specified through the interface
   setting, or derived from the outbound interface in the local FIB.
   For a TACACS+ server located in a Virtual Private Network (VPN), a
   VRF instance needs to be specified.

   The "statistics" container under the "server" list records session
   statistics and usage information during user access, which include
   the amount of data a user has sent and/or received during a session.

   The data model for the TACACS+ client has the following structure:

   module: ietf-system-tacacsplus
     augment /sys:system:
       +--rw tacacsplus {tacacsplus}?
          +--rw server* [name]
             +--rw name                   string
             +--rw server-type?           enumeration
             +--rw address                inet:host
             +--rw port?                  inet:port-number
             +--rw shared-secret          string
             +--rw (source-type)?
             |  +--:(source-ip)
             |  |  +--rw source-ip?         inet:ip-address
             |  +--:(source-interface)
             |     +--rw source-interface?  if:interface-ref
             +--rw vrf-instance?
             |       -> /ni:network-instances/network-instance/name
             +--rw single-connection?     boolean
             +--rw timeout?               uint16
             +--ro statistics
                +--ro connection-opens?      yang:counter64
                +--ro connection-closes?     yang:counter64
                +--ro connection-aborts?     yang:counter64
                +--ro connection-failures?   yang:counter64
                +--ro connection-timeouts?   yang:counter64
                +--ro messages-sent?         yang:counter64
                +--ro messages-received?     yang:counter64
                +--ro errors-received?       yang:counter64
                +--ro sessions?              yang:counter64

4.  TACACS+ Client Module

   <CODE BEGINS> file "ietf-system-tacacsplus@2019-11-01.yang"

   module ietf-system-tacacsplus {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus";
     prefix sys-tcsplus;

     import ietf-inet-types {
       prefix inet;
       reference "RFC 6991: Common YANG Data Types";
     }
     import ietf-yang-types {
       prefix yang;
       reference "RFC 6991: Common YANG Data Types";
     }
     import ietf-network-instance {
       prefix ni;
       reference "RFC 8529: YANG Data Model for Network Instances";
     }
     import ietf-interfaces {
       prefix if;
       reference "RFC 8343: A YANG Data Model for Interface Management";
     }
     import ietf-system {
       prefix sys;
       reference "RFC 7317: A YANG Data Model for System Management";
     }
     import ietf-netconf-acm {
       prefix nacm;
       reference "RFC 8341: Network Configuration Access Control Model";
     }

     organization
       "IETF Opsawg (Operations and Management Area Working Group)";
     contact
       "WG Web:
        WG List:

        Editor: Guangying Zheng
        ";
     description
       "This module provides configuration of a TACACS+ client.

        Copyright (c) 2019 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.
        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see the
        RFC itself for full legal notices.";

     revision 2019-11-01 {
       description
         "Initial revision.";
       reference "RFC XXXX: Yang data model for TACACS+";
     }

     feature tacacsplus {
       description
         "Indicates that the device can be configured as a TACACS+
          client.";
       reference "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol";
     }

     identity tacacsplus {
       base sys:authentication-method;
       description
         "Indicates AAA operation using TACACS+.";
       reference "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol";
     }

     grouping statistics {
       description
         "Grouping for TACACS+ statistics attributes.";
       container statistics {
         config false;
         description
           "A collection of server-related statistics objects.";
         leaf connection-opens {
           type yang:counter64;
           description
             "Number of new connection requests sent to the server,
              e.g. socket open.";
         }
         leaf connection-closes {
           type yang:counter64;
           description
             "Number of connection close requests sent to the server,
              e.g. socket close.";
         }
         leaf connection-aborts {
           type yang:counter64;
           description
             "Number of aborted connections to the server.  These do
              not include connections that are closed gracefully.";
         }
         leaf connection-failures {
           type yang:counter64;
           description
             "Number of connection failures to the server.";
         }
         leaf connection-timeouts {
           type yang:counter64;
           description
             "Number of connection timeouts to the server.";
         }
         leaf messages-sent {
           type yang:counter64;
           description
             "Number of messages sent to the server.";
         }
         leaf messages-received {
           type yang:counter64;
           description
             "Number of messages received from the server.";
         }
         leaf errors-received {
           type yang:counter64;
           description
             "Number of error messages received from the server.";
         }
         leaf sessions {
           type yang:counter64;
           description
             "Total number of sessions.  A single-connection TACACS+
              connection may carry more than one session.";
         }
       }
     }

     grouping tacacsplus {
       description
         "Grouping for TACACS+ attributes.";
       container tacacsplus {
         if-feature "tacacsplus";
         description
           "Container for TACACS+ configurations and operations.";
         list server {
           key "name";
           ordered-by user;
           description
             "List of TACACS+ servers used by the device.";
           leaf name {
             type string;
             description
               "An arbitrary name for the TACACS+ server.";
           }
           leaf server-type {
             type enumeration {
               enum authentication {
                 description
                   "The server is an authentication server.";
               }
               enum authorization {
                 description
                   "The server is an authorization server.";
               }
               enum accounting {
                 description
                   "The server is an accounting server.";
               }
               enum all {
                 description
                   "The group of all types of TACACS+ servers.";
               }
             }
             description
               "Server type: authentication/authorization/accounting/all.";
           }
           leaf address {
             type inet:host;
             mandatory true;
             description
               "The address of the TACACS+ server.";
           }
           leaf port {
             type inet:port-number;
             default "49";
             description
               "The port number of the TACACS+ server.";
           }
           leaf shared-secret {
             type string;
             mandatory true;
             nacm:default-deny-all;
             description
               "The shared secret, which is known to both the
                TACACS+ client and server.  TACACS+ server administrators
                should configure secret keys of minimum
                16 characters length.";
             reference "draft-ietf-opsawg-tacacs-11: The TACACS+ Protocol";
           }
           choice source-type {
             description
               "The source address type for outbound TACACS+ packets.";
             case source-ip {
               leaf source-ip {
                 type inet:ip-address;
                 description
                   "Specifies the source IP address for outbound TACACS+
                    packets.";
               }
             }
             case source-interface {
               leaf source-interface {
                 type if:interface-ref;
                 description
                   "Specifies the interface from which the IP address is
                    derived for use as the source for the outbound TACACS+
                    packet.";
               }
             }
           }
           leaf vrf-instance {
             type leafref {
               path "/ni:network-instances/ni:network-instance/ni:name";
             }
             description
               "Specifies the VPN Routing and Forwarding (VRF) instance to
                use to communicate with the TACACS+ server.";
           }
           leaf single-connection {
             type boolean;
             default "false";
             description
               "Whether the single connection mode is enabled for the
                server.  By default, the single connection mode is
                disabled.";
           }
           leaf timeout {
             type uint16 {
               range "1..300";
             }
             units "seconds";
             default "5";
             description
               "The number of seconds the device will wait for a
                response from each TACACS+ server before trying with a
                different server.";
           }
           uses statistics;
         }
       }
     }

     augment "/sys:system" {
       description
         "Augment the system model with the tacacsplus model.";
       uses tacacsplus;
     }
   }

   <CODE ENDS>
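   The constraints the module states (mandatory "address" and
   "shared-secret", the 16-character minimum for the shared secret, the
   1..300 range and default of 5 for "timeout", the default port 49, and
   the mutually exclusive "source-type" choice) are what an operator
   wants checked on an instance before it is pushed with edit-config.
   The Python below is an added example, not code from the draft or from
   any implementation of it: it parses a NETCONF-style XML instance with
   the standard library and reports each violation.  The XML instances,
   hostnames, interface and VRF names are constructed; the vrf-instance
   leafref is not checked because that needs the network-instance tree.

```python
"""Check a TACACS+ client configuration instance against the constraints
the ietf-system-tacacsplus module states.  Added example, not code from
the draft; the XML instances at the bottom are constructed."""
import xml.etree.ElementTree as ET

NS_TCS = "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus"  # this draft's namespace

SERVER_TYPES = {"authentication", "authorization", "accounting", "all"}
MIN_SECRET_LEN = 16                      # shared-secret: "minimum 16 characters length"
TIMEOUT_RANGE = (1, 300)                 # leaf timeout: range "1..300"
DEFAULT_PORT, DEFAULT_TIMEOUT = 49, 5    # default "49", default "5"


def _text(node, local_name):
    """Text of a child leaf in the draft's namespace, or None if absent."""
    child = node.find(f"{{{NS_TCS}}}{local_name}")
    return None if child is None or child.text is None else child.text.strip()


def _int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def validate_server(server):
    """Constraint violations of one <server> list entry (empty list = clean)."""
    problems = []
    name = _text(server, "name")
    if name is None:
        problems.append("server: list key 'name' is missing")
        name = "<unnamed>"
    for leaf in ("address", "shared-secret"):            # both are mandatory true
        if _text(server, leaf) is None:
            problems.append(f"{name}: mandatory leaf '{leaf}' is missing")
    secret = _text(server, "shared-secret")
    if secret is not None and len(secret) < MIN_SECRET_LEN:
        problems.append(f"{name}: shared-secret shorter than {MIN_SECRET_LEN} characters")
    stype = _text(server, "server-type")
    if stype is not None and stype not in SERVER_TYPES:
        problems.append(f"{name}: server-type '{stype}' is not in the enumeration")
    timeout = _text(server, "timeout")
    if timeout is not None:
        t = _int(timeout)
        if t is None or not TIMEOUT_RANGE[0] <= t <= TIMEOUT_RANGE[1]:
            problems.append(f"{name}: timeout '{timeout}' is outside range 1..300")
    # choice source-type: only one case may be present at a time
    cases = [c for c in ("source-ip", "source-interface") if _text(server, c) is not None]
    if len(cases) > 1:
        problems.append(f"{name}: choice 'source-type' has both cases {cases}")
    return problems


def validate_config(xml_text):
    """Validate every server under /system/tacacsplus, including key uniqueness."""
    root = ET.fromstring(xml_text)
    container = root.find(f"{{{NS_TCS}}}tacacsplus")
    if container is None:
        return ["no tacacsplus container under /system"]
    problems, seen = [], set()
    for server in container.findall(f"{{{NS_TCS}}}server"):
        name = _text(server, "name")
        if name in seen:
            problems.append(f"{name}: duplicate list key 'name'")
        seen.add(name)
        problems.extend(validate_server(server))
    return problems


def effective_settings(xml_text):
    """Per-server view with the module's defaults filled in."""
    out = {}
    for server in ET.fromstring(xml_text).iter(f"{{{NS_TCS}}}server"):
        port, timeout = _int(_text(server, "port")), _int(_text(server, "timeout"))
        out[_text(server, "name")] = {
            "port": DEFAULT_PORT if port is None else port,
            "timeout": DEFAULT_TIMEOUT if timeout is None else timeout,
            "single-connection": (_text(server, "single-connection") or "false") == "true",
        }
    return out


# Constructed instances; hostnames, interface and VRF names are placeholders.
GOOD_CONFIG = """<system xmlns="urn:ietf:params:xml:ns:yang:ietf-system">
 <tacacsplus xmlns="urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus">
  <server><name>tac-primary</name><server-type>all</server-type>
   <address>tacacs1.example.net</address>
   <shared-secret>constructed-secret-0123456789</shared-secret>
   <source-interface>eth0</source-interface><vrf-instance>mgmt</vrf-instance>
   <single-connection>true</single-connection><timeout>10</timeout></server>
  <server><name>tac-backup</name><address>192.0.2.10</address>
   <shared-secret>constructed-secret-9876543210</shared-secret></server>
 </tacacsplus></system>"""

BAD_CONFIG = """<system xmlns="urn:ietf:params:xml:ns:yang:ietf-system">
 <tacacsplus xmlns="urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus">
  <server><name>weak</name><address>192.0.2.20</address>
   <shared-secret>short</shared-secret><source-ip>192.0.2.1</source-ip>
   <source-interface>eth0</source-interface><timeout>0</timeout></server>
  <server><name>weak</name><server-type>radius</server-type></server>
 </tacacsplus></system>"""
```

   Running validate_config on BAD_CONFIG lists seven violations (short
   secret, both source-type cases, timeout out of range, a duplicate key,
   two missing mandatory leaves and an unknown server-type), while
   GOOD_CONFIG passes and effective_settings shows the backup server
   inheriting port 49, timeout 5 and single-connection false.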
5.  Security Considerations

   The YANG module defined in this document is designed to be accessed
   via network management protocols such as NETCONF [RFC6241] or
   RESTCONF [RFC8040].  The lowest NETCONF layer is the secure transport
   layer, and the mandatory-to-implement secure transport is Secure
   Shell (SSH) [RFC6242].  The lowest RESTCONF layer is HTTPS, and the
   mandatory-to-implement secure transport is TLS [RFC8446].

   The NETCONF access control model [RFC8341] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.

   Since this document describes the use of TACACS+ for the purposes of
   authentication, authorization and accounting, it is vulnerable to all
   of the threats that are present in TACACS+ applications.  For a
   discussion of such threats, see Section 9 of the TACACS+ Protocol
   [I-D.ietf-opsawg-tacacs].

6.  IANA Considerations

   This document registers a URI in the IETF XML registry [RFC3688].
   Following the format in [RFC3688], the following registration is
   requested to be made:

      URI: urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus
      Registrant Contact: The IESG.
      XML: N/A, the requested URI is an XML namespace.

   This document registers a YANG module in the YANG Module Names
   registry [RFC7950].

      Name: ietf-system-tacacsplus
      Namespace: urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus
      Prefix: sys-tcsplus
      Reference: RFC XXXX
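   The module marks "shared-secret" with nacm:default-deny-all, and the
   Security Considerations above point to the NETCONF access control
   model [RFC8341] as the means of restricting who can read or write
   such nodes.  The Python below is an added example, not code from the
   draft or from any NETCONF server, of what that marking means for a
   get-config reply: under the RFC 8341 semantics assumed here, a
   default-deny-all node is returned only to the recovery session or to
   a user whose group has an explicit permit rule, and the global
   read-default never exposes it.  The rule format is a simplified,
   hypothetical flattening of NACM rules (real rules match by
   module-name and path); the reply, groups and rules are constructed.

```python
"""NACM view of a <get-config> reply for the TACACS+ client model.
Added example with simplified RFC 8341 semantics (assumption, not text
from the draft); the reply, groups and rules below are constructed."""
import xml.etree.ElementTree as ET

# Leaves carrying nacm:default-deny-all in the module (Section 4).
DEFAULT_DENY_ALL = {"shared-secret"}


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def read_allowed(leaf, groups, rules, recovery_session=False, read_default="permit"):
    """Decide read access to one leaf.

    rules: list of dicts {group, leaf, access, action}; a hypothetical
    flattened rule form.  The first matching rule wins, as in NACM."""
    if recovery_session:                       # recovery session bypasses NACM
        return True
    for rule in rules:
        if rule["group"] in groups and rule["leaf"] == leaf and "read" in rule["access"]:
            return rule["action"] == "permit"
    if leaf in DEFAULT_DENY_ALL:               # no explicit rule: always denied
        return False
    return read_default == "permit"            # ordinary leaves follow read-default


def prune_reply(xml_text, groups, rules, recovery_session=False, read_default="permit"):
    """Return the reply tree with the leaves this user may not read removed."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for child in list(parent):
            if len(child) == 0 and not read_allowed(
                    _local(child.tag), groups, rules, recovery_session, read_default):
                parent.remove(child)
    return root


def visible_leaves(tree):
    """Sorted local names of the leaves that survived pruning."""
    return sorted(_local(e.tag) for e in tree.iter() if len(e) == 0)


# Constructed get-config reply for one server entry.
REPLY = """<data>
 <system xmlns="urn:ietf:params:xml:ns:yang:ietf-system">
  <tacacsplus xmlns="urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus">
   <server><name>tac-primary</name><address>tacacs1.example.net</address>
    <shared-secret>constructed-secret-0123456789</shared-secret>
    <timeout>10</timeout></server>
  </tacacsplus></system></data>"""

# Constructed rule: only the aaa-admins group may read (and update) the secret.
RULES = [{"group": "aaa-admins", "leaf": "shared-secret",
          "access": {"read", "update"}, "action": "permit"}]
```

   An operator in a group without an explicit rule sees name, address
   and timeout but not the secret even though read-default is "permit";
   an aaa-admins member or the recovery session sees all four leaves.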
7.  Acknowledgments

   The authors wish to thank Alex Campbell, John Heasley, Ebben Aries,
   Alan DeKok, Joe Clarke, and many others for their helpful comments
   and suggestions.

8.  References

8.1.  Normative References

   [I-D.ietf-opsawg-tacacs]
              Dahm, T., Ota, A., dcmgash@cisco.com, d., Carrel, D., and
              L. Grant, "The TACACS+ Protocol", draft-ietf-opsawg-
              tacacs-15 (work in progress), September 2019.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7317]  Bierman, A. and M. Bjorklund, "A YANG Data Model for
              System Management", RFC 7317, DOI 10.17487/RFC7317, August
              2014.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

8.2.  Informative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

Appendix A.  TACACS+ Authentication Configuration

   The system management model defines two authentication configuration
   options and controls authentication methods by configuring
   "user-authentication-order".  One is "local-users", and the other is
   "radius".

   This draft defines the "tacacsplus" model extension, which therefore
   needs to be configured in the same way.  The 'tacacsplus' identity is
   defined to control whether or not TACACS+ authentication should be
   used.  The current system authentication configuration model is as
   follows:

   +--rw system
      +--rw authentication
         +--rw user-authentication-order*   identityref
         ...

Authors' Addresses

   Guangying Zheng
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: zhengguangying@huawei.com


   Michael Wang
   Huawei Technologies, Co., Ltd
   101 Software Avenue, Yuhua District
   Nanjing 210012
   China

   Email: wangzitao@huawei.com


   Bo Wu
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: lana.wubo@huawei.com
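   Appendix A says the "tacacsplus" identity is configured through
   "user-authentication-order" like "local-users" and "radius", and
   Section 3 and the "timeout" leaf say the user-ordered server list
   exists for redundancy, each server being given its timeout before the
   next is tried.  The Python below is an added example, not code from
   the draft or from any device, that simulates that flow and updates
   the counters of the "statistics" container as it goes.  Two
   behaviours are assumptions rather than text from the draft: a
   definitive reject from a reachable TACACS+ server ends the attempt,
   and the device moves to the next method only when no
   authentication-capable server answers.  The server states, addresses
   and credential tables are constructed.

```python
"""Simulated authentication flow for the TACACS+ client model: walk
user-authentication-order, and within the tacacsplus method try the
user-ordered server list with per-server timeouts, updating the model's
statistics counters.  Added example, not code from the draft; fallback
rules are assumptions and all server/credential data is constructed."""
from dataclasses import dataclass, field

TACACSPLUS = "sys-tcsplus:tacacsplus"   # identity added by this draft
LOCAL_USERS = "sys:local-users"          # identity from ietf-system (RFC 7317)


@dataclass
class TacacsServer:
    name: str
    address: str
    server_type: str = "all"   # authentication / authorization / accounting / all
    timeout: int = 5           # seconds; default "5", range 1..300
    statistics: dict = field(default_factory=lambda: {
        "connection-opens": 0, "connection-failures": 0,
        "connection-timeouts": 0, "sessions": 0})


def tacacs_authenticate(servers, user, password, network, remote_users):
    """Try authentication-capable servers in configured (ordered-by user) order.

    network maps address -> 'ok' | 'timeout' | 'refused' (constructed stand-in
    for reachability; unknown addresses time out).  remote_users is a constructed
    stand-in for the TACACS+ server's user database.
    Returns ('pass' | 'fail' | 'unreachable', server name or None, seconds waited)."""
    waited = 0
    for srv in servers:
        if srv.server_type not in ("authentication", "all"):
            continue                                   # e.g. accounting-only server
        srv.statistics["connection-opens"] += 1
        state = network.get(srv.address, "timeout")
        if state == "timeout":
            srv.statistics["connection-timeouts"] += 1
            waited += srv.timeout                      # full timeout before next server
            continue
        if state == "refused":
            srv.statistics["connection-failures"] += 1
            continue
        srv.statistics["sessions"] += 1
        accepted = remote_users.get(user) == password
        return ("pass" if accepted else "fail"), srv.name, waited
    return "unreachable", None, waited


def authenticate(order, servers, local_users, user, password, network, remote_users):
    """Walk user-authentication-order; returns (result, method that decided)."""
    for method in order:
        if method == TACACSPLUS:
            result, name, _ = tacacs_authenticate(servers, user, password,
                                                  network, remote_users)
            if result != "unreachable":                # assumption: reject is final
                return result, f"{TACACSPLUS}/{name}"
        elif method == LOCAL_USERS:
            if user in local_users:
                return ("pass" if local_users[user] == password else "fail"), LOCAL_USERS
        else:
            raise ValueError(f"unsupported authentication method {method}")
    return "fail", None


def build_servers():
    """Constructed server list: a primary, a backup and an accounting-only server."""
    return [
        TacacsServer("tac-primary", "192.0.2.10", timeout=3),
        TacacsServer("tac-backup", "192.0.2.11"),
        TacacsServer("tac-acct", "192.0.2.12", server_type="accounting"),
    ]


ORDER = [TACACSPLUS, LOCAL_USERS]                 # TACACS+ first, local users as fallback
REMOTE_USERS = {"alice": "constructed-pw-1"}      # constructed TACACS+ user database
LOCAL_USERS_DB = {"admin": "constructed-pw-2"}    # constructed ietf-system local users
```

   With the primary timing out and the backup reachable, alice is
   authenticated by tac-backup and the primary's connection-timeouts
   counter is incremented; with every TACACS+ server down the admin
   account falls through to local-users; the accounting-only server is
   never contacted for authentication.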