idnits 2.17.1 draft-ietf-opsawg-tacacs-yang-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust
  (see https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------
     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------
     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------
     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------
  == The copyright year in the IETF Trust and authors Copyright Line does
     not match the current year
  -- The document date (March 8, 2020) is 1503 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------
     (See RFCs 3967 and 4897 for information about using normative
     references to lower-maturity documents in RFCs)
  == Unused Reference: 'RFC6991' is defined on line 564, but no explicit
     reference was found in the text
  == Outdated reference: A later version (-18) exists of
     draft-ietf-opsawg-tacacs-17
  ** Downref: Normative reference to an Informational draft:
     draft-ietf-opsawg-tacacs (ref. 'I-D.ietf-opsawg-tacacs')

     Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information
     about the items above.
--------------------------------------------------------------------------------

Network Working Group                                           G. Zheng
Internet-Draft                                                   M. Wang
Intended status: Standards Track                                   B. Wu
Expires: September 9, 2020                                        Huawei
                                                           March 8, 2020

                      Yang data model for TACACS+
                    draft-ietf-opsawg-tacacs-yang-02

Abstract

   This document defines YANG modules that augment the System Management
   data model defined in RFC 7317 with a TACACS+ client model.  The data
   model of the Terminal Access Controller Access Control System Plus
   (TACACS+) client allows the configuration of TACACS+ servers for
   centralized Authentication, Authorization and Accounting.

   The YANG modules in this document conform to the Network Management
   Datastore Architecture (NMDA) defined in RFC 8342.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 9, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions used in this document
     2.1.  Tree Diagrams
   3.  Design of the Data Model
   4.  TACACS+ Client Module
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  TACACS+ Authentication Configuration
   Authors' Addresses

1.  Introduction

   This document defines YANG modules that augment the System Management
   data model defined in [RFC7317] with a TACACS+ client model.

   TACACS+ provides device administration for routers, network access
   servers and other networked computing devices via one or more
   centralized servers, as defined in the TACACS+ Protocol
   [I-D.ietf-opsawg-tacacs].

   The System Management Model [RFC7317] defines two YANG features to
   support local or RADIUS authentication:

   o  User Authentication Model: Defines a list of usernames and
      passwords and controls the order in which local or RADIUS
      authentication is used.

   o  RADIUS Client Model: Defines a list of RADIUS servers that a
      device uses.

   Since TACACS+ is also used for device management and the feature is
   not contained in the System Management model, this document defines a
   YANG data model that allows users to configure TACACS+ client
   functions on a device for centralized Authentication, Authorization
   and Accounting provided by TACACS+ servers.

   The YANG models can be used with network management protocols such as
   NETCONF [RFC6241] to install, manipulate, and delete the configuration
   of network devices.

   The YANG data model in this document conforms to the Network
   Management Datastore Architecture (NMDA) defined in [RFC8342].

2.  Conventions used in this document

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The following terms are defined in [RFC6241] and are used in this
   specification:

   o  client

   o  configuration data

   o  server

   o  state data

   The following terms are defined in [RFC7950] and are used in this
   specification:

   o  augment

   o  data model

   o  data node

   The terminology for describing YANG data models is found in
   [RFC7950].

2.1.  Tree Diagrams

   Tree diagrams used in this document follow the notation defined in
   [RFC8340].

3.  Design of the Data Model

   This model is used to configure the TACACS+ client on the device to
   support deployment scenarios with centralized authentication,
   authorization, and accounting servers.  Authentication is used to
   validate a user's name and password, authorization allows the user to
   access and execute commands at various command levels assigned to the
   user, and accounting keeps track of the activity of a user who has
   accessed the device.

   The ietf-system-tacacsplus module is intended to augment the
   "/sys:system" path defined in the ietf-system module with the
   "tacacsplus" grouping.  Therefore, a device can use local, Remote
   Authentication Dial In User Service (RADIUS), or Terminal Access
   Controller Access Control System Plus (TACACS+) to validate users who
   attempt to access the router by several mechanisms, e.g. a command
   line interface or a web-based user interface.

   The "server" list is directly under the "tacacsplus" container.  It
   holds the list of TACACS+ servers and uses "server-type" to indicate
   which of the three AAA functions (authentication, authorization,
   accounting, or all of them) a given server provides.  Multiple servers
   can be listed for redundancy; the list is ordered by the user, and a
   server is tried after the previous one has timed out.

   Most of the parameters in the "server" list are taken directly from
   the TACACS+ protocol [I-D.ietf-opsawg-tacacs], and some are derived
   from the various implementations by network equipment manufacturers.
   For example, when there are multiple interfaces connected to the
   TACACS+ client or server, the source address of outgoing TACACS+
   packets can be specified directly, specified through the interface
   setting, or derived from the outbound interface from the local FIB.
   For a TACACS+ server located in a Virtual Private Network (VPN), a
   VRF instance needs to be specified.

   The "statistics" container under each "server" list entry records
   connection and message counters for that server: connections opened,
   closed, aborted, failed and timed out, messages sent and received,
   error messages received, and the total number of sessions carried
   over those connections.

   The data model for the TACACS+ client has the following structure:

   module: ietf-system-tacacsplus
     augment /sys:system:
       +--rw tacacsplus {tacacsplus}?
          +--rw server* [name]
             +--rw name                   string
             +--rw server-type?           enumeration
             +--rw address                inet:host
             +--rw port?                  inet:port-number
             +--rw shared-secret          string
             +--rw (source-type)?
             |  +--:(source-ip)
             |  |  +--rw source-ip?        inet:ip-address
             |  +--:(source-interface)
             |     +--rw source-interface? if:interface-ref
             +--rw vrf-instance?
             |       -> /ni:network-instances/network-instance/name
             +--rw single-connection?     boolean
             +--rw timeout?               uint16
             +--ro statistics
                +--ro connection-opens?      yang:counter64
                +--ro connection-closes?     yang:counter64
                +--ro connection-aborts?     yang:counter64
                +--ro connection-failures?   yang:counter64
                +--ro connection-timeouts?   yang:counter64
                +--ro messages-sent?         yang:counter64
                +--ro messages-received?     yang:counter64
                +--ro errors-received?       yang:counter64
                +--ro sessions?              yang:counter64

4.  TACACS+ Client Module

   file "ietf-system-tacacsplus@2020-03-05.yang"

   module ietf-system-tacacsplus {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus";
     prefix sys-tcsplus;

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991: Common YANG Data Types";
     }
     import ietf-yang-types {
       prefix yang;
       reference
         "RFC 6991: Common YANG Data Types";
     }
     import ietf-network-instance {
       prefix ni;
       reference
         "RFC 8529: YANG Data Model for Network Instances";
     }
     import ietf-interfaces {
       prefix if;
       reference
         "RFC 8343: A YANG Data Model for Interface Management";
     }
     import ietf-system {
       prefix sys;
       reference
         "RFC 7317: A YANG Data Model for System Management";
     }
     import ietf-netconf-acm {
       prefix nacm;
       reference
         "RFC 8341: Network Configuration Access Control Model";
     }

     organization
       "IETF Opsawg (Operations and Management Area Working Group)";
     contact
       "WG Web:
        WG List:

        Editor: Guangying Zheng
        ";
     description
       "This module provides configuration of the TACACS+ client.

        Copyright (c) 2019 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see the
        RFC itself for full legal notices.";

     revision 2020-03-05 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: YANG Data Model for TACACS+";
     }

     feature tacacsplus {
       description
         "Indicates that the device can be configured as a TACACS+
          client.";
       reference
         "draft-ietf-opsawg-tacacs-17: The TACACS+ Protocol";
     }

     identity tacacsplus {
       base sys:authentication-method;
       description
         "Indicates AAA operation using TACACS+.";
       reference
         "draft-ietf-opsawg-tacacs-17: The TACACS+ Protocol";
     }

     grouping statistics {
       description
         "Grouping for TACACS+ statistics attributes";
       container statistics {
         config false;
         description
           "A collection of server-related statistics objects";
         leaf connection-opens {
           type yang:counter64;
           description
             "Number of new connection requests sent to the server, e.g.
              socket open";
         }
         leaf connection-closes {
           type yang:counter64;
           description
             "Number of connection close requests sent to the server, e.g.
              socket close";
         }
         leaf connection-aborts {
           type yang:counter64;
           description
             "Number of aborted connections to the server.  These do
              not include connections that are closed gracefully.";
         }
         leaf connection-failures {
           type yang:counter64;
           description
             "Number of connection failures to the server";
         }
         leaf connection-timeouts {
           type yang:counter64;
           description
             "Number of connection timeouts to the server";
         }
         leaf messages-sent {
           type yang:counter64;
           description
             "Number of messages sent to the server";
         }
         leaf messages-received {
           type yang:counter64;
           description
             "Number of messages received from the server";
         }
         leaf errors-received {
           type yang:counter64;
           description
             "Number of error messages received from the server";
         }
         leaf sessions {
           type yang:counter64;
           description
             "Total number of sessions.  A single-connection TACACS+
              connection may carry more than one session.";
         }
       }
     }

     grouping tacacsplus {
       description
         "Grouping for TACACS+ attributes";
       container tacacsplus {
         must "not(derived-from-or-self(../sys:authentication"
            + "/sys:user-authentication-order, 'tacacsplus')) or server" {
           error-message "When 'tacacsplus' is used as a system"
                       + " authentication method, a TACACS+ server"
                       + " must be configured.";
           description
             "When 'tacacsplus' is used as an authentication method,
              a TACACS+ server must be configured.";
         }
         if-feature "tacacsplus";
         description
           "Container for TACACS+ configurations and operations.";
         list server {
           key "name";
           ordered-by user;
           description
             "List of TACACS+ servers used by the device.";
           leaf name {
             type string;
             description
               "An arbitrary name for the TACACS+ server.";
           }
           leaf server-type {
             type enumeration {
               enum authentication {
                 description
                   "The server is an authentication server.";
               }
               enum authorization {
                 description
                   "The server is an authorization server.";
               }
               enum accounting {
                 description
                   "The server is an accounting server.";
               }
               enum all {
                 description
                   "The group of all types of TACACS+ servers.";
               }
             }
             description
               "Server type: authentication/authorization/accounting/all.";
           }
           leaf address {
             type inet:host;
             mandatory true;
             description
               "The address of the TACACS+ server.";
           }
           leaf port {
             type inet:port-number;
             default "49";
             description
               "The port number of the TACACS+ server.";
           }
           leaf shared-secret {
             type string;
             mandatory true;
             nacm:default-deny-all;
             description
               "The shared secret, which is known to both the
                TACACS+ client and server.  TACACS+ server administrators
                should configure secret keys of minimum
                16 characters length.";
             reference
               "draft-ietf-opsawg-tacacs-17: The TACACS+ Protocol";
           }
           choice source-type {
             description
               "The source address type for outbound TACACS+ packets.";
             case source-ip {
               leaf source-ip {
                 type inet:ip-address;
                 description
                   "Specifies the source IP address for TACACS+ outbound
                    packets.";
               }
             }
             case source-interface {
               leaf source-interface {
                 type if:interface-ref;
                 description
                   "Specifies the interface from which the IP address is
                    derived for use as the source for the outbound TACACS+
                    packet";
               }
             }
           }
           leaf vrf-instance {
             type leafref {
               path "/ni:network-instances/ni:network-instance/ni:name";
             }
             description
               "Specifies the VPN Routing and Forwarding (VRF) instance to
                use to communicate with the TACACS+ server.";
           }
           leaf single-connection {
             type boolean;
             default "false";
             description
               "Whether the single connection mode is enabled for the
                server.  By default, the single connection mode is
                disabled.";
           }
           leaf timeout {
             type uint16 {
               range "1..300";
             }
             units "seconds";
             default "5";
             description
               "The number of seconds the device will wait for a
                response from each TACACS+ server before trying with a
                different server.";
           }
           uses statistics;
         }
       }
     }

     augment "/sys:system" {
       description
         "Augment the system model with the tacacsplus model.";
       uses tacacsplus;
     }
   }

5.  Security Considerations

   The YANG module defined in this document is designed to be accessed
   via network management protocols such as NETCONF [RFC6241] or
   RESTCONF [RFC8040].  The lowest NETCONF layer is the secure transport
   layer, and the mandatory-to-implement secure transport is Secure
   Shell (SSH) [RFC6242].  The lowest RESTCONF layer is HTTPS, and the
   mandatory-to-implement secure transport is TLS [RFC8446].

   The NETCONF access control model [RFC8341] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  In particular, the entries of the
   "server" list (address, port, shared-secret, source address and VRF)
   determine which host the device trusts for its authentication and
   authorization decisions; a user who can write these nodes can point
   the device at a server of their choosing.  The "shared-secret" leaf
   is marked nacm:default-deny-all, so it is neither returned by read
   operations nor writable unless an access-control rule explicitly
   permits it.

   This document describes the use of TACACS+ for the purposes of
   authentication, authorization and accounting, and it is therefore
   exposed to all of the threats that are present in TACACS+
   applications.  For a discussion of such threats, see Section 9 of the
   TACACS+ Protocol [I-D.ietf-opsawg-tacacs].

6.  IANA Considerations

   This document registers a URI in the IETF XML registry [RFC3688].
   Following the format in [RFC3688], the following registration is
   requested:

      URI: urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus
      Registrant Contact: The IESG.
      XML: N/A, the requested URI is an XML namespace.

   This document registers a YANG module in the YANG Module Names
   registry [RFC7950].

      Name: ietf-system-tacacsplus
      Namespace: urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus
      Prefix: sys-tcsplus
      Reference: RFC XXXX

7.  Acknowledgments

   The authors wish to thank Alex Campbell, John Heasley, Ebben Aries,
   Alan DeKok, Joe Clarke, and many others for their helpful comments
   and suggestions.

8.  References

8.1.  Normative References

   [I-D.ietf-opsawg-tacacs]
              Dahm, T., Ota, A., dcmgash@cisco.com, d., Carrel, D., and
              L. Grant, "The TACACS+ Protocol", draft-ietf-opsawg-
              tacacs-17 (work in progress), November 2019.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7317]  Bierman, A. and M. Bjorklund, "A YANG Data Model for
              System Management", RFC 7317, DOI 10.17487/RFC7317, August
              2014.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

8.2.  Informative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

Appendix A.  TACACS+ Authentication Configuration

   The system management model defines two authentication configuration
   options and controls the authentication methods by configuring
   "user-authentication-order".  One is "local-users", and the other is
   "radius".

   This document defines the "tacacsplus" identity, derived from
   sys:authentication-method, so that TACACS+ is selected in the same
   way: listing "tacacsplus" in "user-authentication-order" enables
   TACACS+ authentication at that position in the order, and the "must"
   constraint on the "tacacsplus" container then requires at least one
   TACACS+ server to be configured.  The current system authentication
   configuration model is as follows:

   +--rw system
      +--rw authentication
         +--rw user-authentication-order*   identityref
         ...
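   The wiring between "user-authentication-order" and the "tacacsplus"
   container described above, together with the per-server constraints of
   the module in Section 4 (mandatory "address" and "shared-secret", the
   port and timeout defaults and the 1..300 timeout range, the 16-character
   secret recommendation, and the nacm:default-deny-all marking on the
   secret), as an added example that is not part of this draft or of any
   TACACS+ implementation.  It is a small pre-push check written in Python
   over a constructed "system" instance of the kind carried in a NETCONF
   edit-config; the element and prefix names follow the module, while the
   SAMPLE document, its hosts, names and secrets, and every function name
   are assumptions made for this example.

```python
"""Pre-push check of an ietf-system-tacacsplus instance (added example).

Parses a <system> subtree as it would be sent in a NETCONF edit-config and
enforces the constraints the YANG module expresses.  The SAMPLE document and
all function names are assumptions made for this example.
"""
import xml.etree.ElementTree as ET

NS = {
    "sys": "urn:ietf:params:xml:ns:yang:ietf-system",
    "tp": "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus",
}

# Constructed sample instance; hosts, names and secrets are not real.
SAMPLE = """<system xmlns="urn:ietf:params:xml:ns:yang:ietf-system"
        xmlns:tp="urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus">
  <authentication>
    <user-authentication-order>tp:tacacsplus</user-authentication-order>
    <user-authentication-order>local-users</user-authentication-order>
  </authentication>
  <tp:tacacsplus>
    <tp:server>
      <tp:name>primary</tp:name>
      <tp:server-type>all</tp:server-type>
      <tp:address>192.0.2.10</tp:address>
      <tp:shared-secret>correct-horse-battery-staple</tp:shared-secret>
      <tp:single-connection>true</tp:single-connection>
      <tp:timeout>10</tp:timeout>
    </tp:server>
    <tp:server>
      <tp:name>backup</tp:name>
      <tp:address>192.0.2.11</tp:address>
      <tp:port>4949</tp:port>
      <tp:shared-secret>short</tp:shared-secret>
    </tp:server>
  </tp:tacacsplus>
</system>"""


def _leaf(node, tag, default=None):
    """Text of the child leaf tp:<tag>, or the module default if absent."""
    child = node.find(f"tp:{tag}", NS)
    return child.text.strip() if child is not None and child.text else default


def parse_servers(xml_text):
    """Return the tacacsplus/server list with the YANG defaults applied."""
    root = ET.fromstring(xml_text)
    servers = []
    for srv in root.findall("tp:tacacsplus/tp:server", NS):
        servers.append({
            "name": _leaf(srv, "name"),
            "server-type": _leaf(srv, "server-type"),      # no default in the model
            "address": _leaf(srv, "address"),              # mandatory
            "port": int(_leaf(srv, "port", "49")),         # default 49
            "shared-secret": _leaf(srv, "shared-secret"),  # mandatory
            "single-connection": _leaf(srv, "single-connection", "false") == "true",
            "timeout": int(_leaf(srv, "timeout", "5")),    # default 5, range 1..300
        })
    return servers


def uses_tacacsplus(xml_text):
    """True if the 'tacacsplus' identity is listed in user-authentication-order."""
    root = ET.fromstring(xml_text)
    order = root.findall("sys:authentication/sys:user-authentication-order", NS)
    # identityref values may carry a module prefix, e.g. 'tp:tacacsplus'
    return any((leaf.text or "").strip().split(":")[-1] == "tacacsplus"
               for leaf in order)


def check_config(xml_text):
    """Findings ('error: ...' / 'warning: ...') for the instance; empty if clean."""
    findings = []
    servers = parse_servers(xml_text)
    # The container's 'must': tacacsplus as an auth method requires a server.
    if uses_tacacsplus(xml_text) and not servers:
        findings.append("error: 'tacacsplus' is in user-authentication-order "
                        "but no TACACS+ server is configured")
    for s in servers:
        who = f"server '{s['name']}'"
        if not s["address"]:
            findings.append(f"error: {who} has no address (mandatory)")
        if not s["shared-secret"]:
            findings.append(f"error: {who} has no shared-secret (mandatory)")
        elif len(s["shared-secret"]) < 16:
            findings.append(f"warning: {who} shared-secret is shorter than "
                            "the recommended 16 characters")
        if not 0 <= s["port"] <= 65535:
            findings.append(f"error: {who} port {s['port']} is not a valid port")
        if not 1 <= s["timeout"] <= 300:
            findings.append(f"error: {who} timeout {s['timeout']} outside 1..300")
    return findings


def redact(servers):
    """Copy of the server list that is safe to log or diff: the
    shared-secret leaf is nacm:default-deny-all, so never echo it."""
    return [{**s, "shared-secret": "<redacted>"} for s in servers]


if __name__ == "__main__":
    for line in check_config(SAMPLE):
        print(line)
    print(redact(parse_servers(SAMPLE)))
```

   On the sample the check reports a single warning for the "backup"
   server's five-character secret; dropping the "tacacsplus" container
   while "tacacsplus" stays in the authentication order turns that into
   the error the module's "must" statement would raise on the device.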
Authors' Addresses

   Guangying Zheng
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu  210012
   China

   Email: zhengguangying@huawei.com


   Michael Wang
   Huawei Technologies, Co., Ltd
   101 Software Avenue, Yuhua District
   Nanjing  210012
   China

   Email: wangzitao@huawei.com


   Bo Wu
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu  210012
   China

   Email: lana.wubo@huawei.com