idnits 2.17.1 draft-ietf-opsawg-tacacs-yang-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust
  (see https://trustee.ietf.org/license-info):
    No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
    No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist:
    No issues found here.

  Miscellaneous warnings:
    == The copyright year in the IETF Trust and authors Copyright Line
       does not match the current year
    -- The document date (May 8, 2020) is 1446 days in the past.
       Is this intentional?

  Checking references for intended status: Proposed Standard
  (See RFCs 3967 and 4897 for information about using normative
  references to lower-maturity documents in RFCs)
    == Unused Reference: 'RFC6991' is defined in the reference list, but
       no explicit reference was found in the text
    ** Downref: Normative reference to an Informational draft:
       draft-ietf-opsawg-tacacs (ref. 'I-D.ietf-opsawg-tacacs')

  Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 1 comment (--).

  Run idnits with the --verbose option for more detailed information
  about the items above.

--------------------------------------------------------------------------------

Network Working Group                                           G. Zheng
Internet-Draft                                                   M. Wang
Intended status: Standards Track                                   B. Wu
Expires: November 9, 2020                                         Huawei
                                                             May 8, 2020

                      Yang data model for TACACS+
                    draft-ietf-opsawg-tacacs-yang-04

Abstract

   This document defines a YANG module that augments the System
   Management data model defined in RFC 7317 with a TACACS+ client
   model.  The data model of the Terminal Access Controller Access
   Control System Plus (TACACS+) client allows the configuration of
   TACACS+ servers for centralized Authentication, Authorization and
   Accounting.

   The YANG module in this document conforms to the Network Management
   Datastore Architecture (NMDA) defined in RFC 8342.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 9, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions used in this document
     2.1.  Tree Diagrams
   3.  Design of the Data Model
   4.  TACACS+ Client Module
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Example Tacacs+ Authentication Configuration
   Authors' Addresses

1.  Introduction

   This document defines a YANG module that augments the System
   Management data model defined in [RFC7317] with a TACACS+ client
   model.

   TACACS+ provides Device Administration for routers, network access
   servers and other networked computing devices via one or more
   centralized servers, as defined in the TACACS+ Protocol
   [I-D.ietf-opsawg-tacacs].

   The System Management Model [RFC7317] defines two YANG features to
   support local or RADIUS authentication:

   o  User Authentication Model: Defines a list of usernames and
      passwords and controls the order in which local or RADIUS
      authentication is used.

   o  RADIUS Client Model: Defines a list of RADIUS servers that a
      device uses.

   Since TACACS+ is also used for device management and the feature is
   not contained in the System Management model, this document defines a
   YANG data model that allows users to configure TACACS+ client
   functions on a device for centralized Authentication, Authorization
   and Accounting provided by TACACS+ servers.

   The YANG model can be used with network management protocols such as
   NETCONF [RFC6241] to install, manipulate, and delete the
   configuration of network devices.

   The YANG data model in this document conforms to the Network
   Management Datastore Architecture (NMDA) defined in [RFC8342].

2.  Conventions used in this document

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The following terms are defined in [RFC6241] and are used in this
   specification:

   o  client

   o  configuration data

   o  server

   o  state data

   The following terms are defined in [RFC7950] and are used in this
   specification:

   o  augment

   o  data model

   o  data node

   The terminology for describing YANG data models is found in
   [RFC7950].

2.1.  Tree Diagrams

   Tree diagrams used in this document follow the notation defined in
   [RFC8340].

3.  Design of the Data Model

   This model is used to configure the TACACS+ client on the device to
   support deployment scenarios with centralized authentication,
   authorization, and accounting servers.  Authentication is used to
   validate a user's name and password, authorization allows the user to
   access and execute commands at the various command levels assigned to
   the user, and accounting keeps track of the activity of a user who
   has accessed the device.

   The ietf-system-tacacsplus module is intended to augment the
   "/sys:system" path defined in the ietf-system module with the
   contents of the "tacacsplus" grouping.  Therefore, a device can use
   local, Remote Authentication Dial In User Service (RADIUS), or
   Terminal Access Controller Access Control System Plus (TACACS+) to
   validate users who attempt to access the router by several
   mechanisms, e.g. a command line interface or a web-based user
   interface.
   The "server" list is directly under the "tacacsplus" container; it
   holds a list of TACACS+ servers and uses "server-type" to distinguish
   between the three AAA functions a server provides.  The list of
   servers is for redundancy.

   Most of the parameters in the "server" list are taken directly from
   the TACACS+ protocol [I-D.ietf-opsawg-tacacs], and some are derived
   from the various implementations by network equipment manufacturers.
   For example, when there are multiple interfaces connected to the
   TACACS+ client or server, the source address of outgoing TACACS+
   packets could be specified directly, or it could be specified through
   the interface setting, or derived from the outbound interface found
   in the local FIB.  For a TACACS+ server located in a Virtual Private
   Network (VPN), a VRF instance needs to be specified.

   The "statistics" container under the "server" list records session
   statistics and usage information during user access, which include
   the amount of data a user has sent and/or received during a session.

   The data model for the TACACS+ client has the following structure:

   module: ietf-system-tacacsplus
     augment /sys:system:
       +--rw tacacsplus {tacacsplus}?
          +--rw server* [name]
             +--rw name                   string
             +--rw server-type?           tcsplus-server-type
             +--rw address                inet:host
             +--rw port?                  inet:port-number
             +--rw shared-secret          string
             +--rw (source-type)?
             |  +--:(source-ip)
             |  |  +--rw source-ip?        inet:ip-address
             |  +--:(source-interface)
             |     +--rw source-interface? if:interface-ref
             +--rw vrf-instance?
             |       -> /ni:network-instances/network-instance/name
             +--rw single-connection?     boolean
             +--rw timeout?               uint16
             +--ro statistics
                +--ro connection-opens?      yang:counter64
                +--ro connection-closes?     yang:counter64
                +--ro connection-aborts?     yang:counter64
                +--ro connection-failures?   yang:counter64
                +--ro connection-timeouts?   yang:counter64
                +--ro messages-sent?         yang:counter64
                +--ro messages-received?     yang:counter64
                +--ro errors-received?       yang:counter64
                +--ro sessions?              yang:counter64

4.  TACACS+ Client Module

   <CODE BEGINS> file "ietf-system-tacacsplus@2020-05-09.yang"

   module ietf-system-tacacsplus {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus";
     prefix sys-tcsplus;

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991: Common YANG Data Types";
     }
     import ietf-yang-types {
       prefix yang;
       reference
         "RFC 6991: Common YANG Data Types";
     }
     import ietf-network-instance {
       prefix ni;
       reference
         "RFC 8529: YANG Data Model for Network Instances";
     }
     import ietf-interfaces {
       prefix if;
       reference
         "RFC 8343: A YANG Data Model for Interface Management";
     }
     import ietf-system {
       prefix sys;
       reference
         "RFC 7317: A YANG Data Model for System Management";
     }
     import ietf-netconf-acm {
       prefix nacm;
       reference
         "RFC 8341: Network Configuration Access Control Model";
     }

     organization
       "IETF Opsawg (Operations and Management Area Working Group)";
     contact
       "WG Web:
        WG List:

        Editor: Bo Wu
        Editor: Guangying Zheng";
     description
       "This module provides configuration of the TACACS+ client.

        Copyright (c) 2020 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see the
        RFC itself for full legal notices.";

     revision 2020-05-09 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A Yang Data Model for TACACS+";
     }

     typedef tcsplus-server-type {
       type bits {
         bit authentication {
           description
             "When set, the server is an authentication server.";
         }
         bit authorization {
           description
             "When set, the server is an authorization server.";
         }
         bit accounting {
           description
             "When set, the server is an accounting server.";
         }
       }
       description
         "server-type can be set to authentication/authorization/accounting
          or any combination of the three types.  When all three types are
          supported, all three bits are set.";
     }

     feature tacacsplus {
       description
         "Indicates that the device can be configured as a TACACS+
          client.";
       reference
         "draft-ietf-opsawg-tacacs-18: The TACACS+ Protocol";
     }

     identity tacacsplus {
       base sys:authentication-method;
       description
         "Indicates AAA operation using TACACS+.";
       reference
         "draft-ietf-opsawg-tacacs-18: The TACACS+ Protocol";
     }

     grouping statistics {
       description
         "Grouping for TACACS+ statistics attributes";
       container statistics {
         config false;
         description
           "A collection of server-related statistics objects";

         leaf connection-opens {
           type yang:counter64;
           description
             "Number of new connection requests sent to the server, e.g.
              socket open";
         }
         leaf connection-closes {
           type yang:counter64;
           description
             "Number of connection close requests sent to the server, e.g.
              socket close";
         }
         leaf connection-aborts {
           type yang:counter64;
           description
             "Number of aborted connections to the server.  These do
              not include connections that are closed gracefully.";
         }
         leaf connection-failures {
           type yang:counter64;
           description
             "Number of connection failures to the server";
         }
         leaf connection-timeouts {
           type yang:counter64;
           description
             "Number of connection timeouts to the server";
         }
         leaf messages-sent {
           type yang:counter64;
           description
             "Number of messages sent to the server";
         }
         leaf messages-received {
           type yang:counter64;
           description
             "Number of messages received from the server";
         }
         leaf errors-received {
           type yang:counter64;
           description
             "Number of error messages received from the server";
         }
         leaf sessions {
           type yang:counter64;
           description
             "Number of TACACS+ sessions completed with the server.
              If the Single Connection Mode was NOT enabled, the number of
              sessions is the same as the number of 'connection-closes'.
              If the Mode was enabled, a single TCP connection may contain
              multiple TACACS+ sessions.";
         }
       }
     }

     grouping tacacsplus {
       description
         "Grouping for TACACS+ attributes";
       container tacacsplus {
         if-feature "tacacsplus";
         must "not(derived-from-or-self(../sys:authentication"
            + "/sys:user-authentication-order, 'tacacsplus')) or server" {
           error-message "When 'tacacsplus' is used as a system"
                       + " authentication method, a TACACS+ server"
                       + " must be configured.";
           description
             "When 'tacacsplus' is used as an authentication method,
              a TACACS+ server must be configured.";
         }
         description
           "Container for TACACS+ configurations and operations.";
         list server {
           key "name";
           ordered-by user;
           description
             "List of TACACS+ servers used by the device.";
           leaf name {
             type string;
             description
               "An arbitrary name for the TACACS+ server.";
           }
           leaf server-type {
             type tcsplus-server-type;
             description
               "Server type: authentication/authorization/accounting and
                various combinations.
                When all three types are supported, all three bits
                are set.";
           }
           leaf address {
             type inet:host;
             mandatory true;
             description
               "The address of the TACACS+ server.";
           }
           leaf port {
             type inet:port-number;
             default "49";
             description
               "The port number of the TACACS+ server.";
           }
           leaf shared-secret {
             type string {
               length "16..max";
             }
             mandatory true;
             nacm:default-deny-all;
             description
               "The shared secret, which is known to both the
                TACACS+ client and server.  TACACS+ server administrators
                should configure a shared secret of at least 16
                characters.
                It is highly recommended that shared keys are at least 32
                characters long.";
             reference
               "TACACS+ protocol";
           }
           choice source-type {
             description
               "The source address type for outbound TACACS+ packets.";
             case source-ip {
               leaf source-ip {
                 type inet:ip-address;
                 description
                   "Specifies the source IP address for TACACS+ outbound
                    packets.";
               }
             }
             case source-interface {
               leaf source-interface {
                 type if:interface-ref;
                 description
                   "Specifies the interface from which the IP address is
                    derived for use as the source for the outbound TACACS+
                    packet";
               }
             }
           }
           leaf vrf-instance {
             type leafref {
               path "/ni:network-instances/ni:network-instance/ni:name";
             }
             description
               "Specifies the VPN Routing and Forwarding (VRF) instance to
                use to communicate with the TACACS+ server.";
           }
           leaf single-connection {
             type boolean;
             default "false";
             description
               "Whether the single connection mode is enabled for the
                server.  By default, the single connection mode is
                disabled.";
           }
           leaf timeout {
             type uint16 {
               range "1..300";
             }
             units "seconds";
             default "5";
             description
               "The number of seconds the device will wait for a
                response from each TACACS+ server before trying with a
                different server.";
           }
           uses statistics;
         }
       }
     }

     augment "/sys:system" {
       description
         "Augment the system model with the tacacsplus model";
       uses tacacsplus;
     }
   }

   <CODE ENDS>

5.  Security Considerations

   The YANG module defined in this document is designed to be accessed
   via network management protocols such as NETCONF [RFC6241] or
   RESTCONF [RFC8040].  The lowest NETCONF layer is the secure transport
   layer, and the mandatory-to-implement secure transport is Secure
   Shell (SSH) [RFC6242].  The lowest RESTCONF layer is HTTPS, and the
   mandatory-to-implement secure transport is TLS [RFC8446].

   The NETCONF access control model [RFC8341] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  These are the subtrees and data nodes
   and their sensitivity/vulnerability:

   /system/tacacsplus/server:  This list contains the objects used to
      control the TACACS+ servers used by the device.  Unauthorized
      access to this list could cause a user management failure on the
      device.

   /system/tacacsplus/server/shared-secret:  This leaf controls the
      key known to both the TACACS+ client and server.  Unauthorized
      access to this leaf could leave the device vulnerable to attacks.

   Because this document describes the use of TACACS+ for the purposes
   of authentication, authorization and accounting, it is exposed to all
   of the threats that are present in TACACS+ applications.  For a
   discussion of such threats, see Section 9 of the TACACS+ Protocol
   [I-D.ietf-opsawg-tacacs].

6.  IANA Considerations

   This document registers a URI in the IETF XML registry [RFC3688].
   Following the format in [RFC3688], the following registration is
   requested to be made:

      URI: urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus
      Registrant Contact: The IESG.
      XML: N/A, the requested URI is an XML namespace.

   This document registers a YANG module in the YANG Module Names
   registry [RFC7950].

      Name: ietf-system-tacacsplus
      Namespace: urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus
      Prefix: sys-tcsplus
      Reference: RFC XXXX

7.  Acknowledgments

   The authors wish to thank Alex Campbell, John Heasley, Ebben Aries,
   Alan DeKok, Joe Clarke, Tom Petch, and many others for their helpful
   comments and suggestions.

8.  References

8.1.  Normative References

   [I-D.ietf-opsawg-tacacs]
              Dahm, T., Ota, A., dcmgash@cisco.com, d., Carrel, D., and
              L. Grant, "The TACACS+ Protocol", draft-ietf-opsawg-
              tacacs-18 (work in progress), March 2020.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.
   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7317]  Bierman, A. and M. Bjorklund, "A YANG Data Model for
              System Management", RFC 7317, DOI 10.17487/RFC7317, August
              2014.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

8.2.  Informative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

Appendix A.  Example Tacacs+ Authentication Configuration

   The following shows an example, in JSON encoding, where a TACACS+
   authentication server instance is configured.  Nodes that come from
   the augmenting module are namespace-qualified with its module name,
   and the boolean and integer leaves use JSON booleans and numbers.

   {
     "ietf-system:system": {
       "authentication": {
         "user-authentication-order": [
           "ietf-system-tacacsplus:tacacsplus",
           "local-users"
         ]
       },
       "ietf-system-tacacsplus:tacacsplus": {
         "server": [
           {
             "name": "tac_plus1",
             "server-type": "authentication",
             "address": "10.10.10.2",
             "shared-secret": "QaEfThUkO1980100754609236h3TbE8n",
             "source-ip": "10.10.10.12",
             "single-connection": false,
             "timeout": 10
           }
         ]
       }
     }
   }

Authors' Addresses

   Guangying Zheng
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: zhengguangying@huawei.com

   Michael Wang
   Huawei Technologies, Co., Ltd
   101 Software Avenue, Yuhua District
   Nanjing 210012
   China

   Email: wangzitao@huawei.com

   Bo Wu
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: lana.wubo@huawei.com
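The constraints that the module in Section 4 places on a configuration (the mandatory "address" and "shared-secret" leaves, the "length 16..max" on the shared secret, the "range 1..300" on "timeout", the defaults for "port", "timeout" and "single-connection", the mutually exclusive cases of the "source-type" choice, the three defined bits of "tcsplus-server-type", and the "must" on the "tacacsplus" container that requires a server whenever "tacacsplus" appears in "user-authentication-order") are the part of the model an operator most needs to get right before pushing it over NETCONF or RESTCONF. The following added example, which is not part of the draft and not the working group's code, re-implements those checks in plain Python against the Appendix A instance (reproduced inline in its JSON encoding). It simplifies the XPath "derived-from-or-self()" test to a match on the identity's local name, i.e. it assumes no identities derived from "tacacsplus" are in use, and it does not resolve the "inet:host" address or the "vrf-instance" leafref, since that requires the device's other data.

```python
"""Instance checker for the ietf-system-tacacsplus module of this draft.

Added example, not part of the draft.  It applies the module's own
constraints (mandatory leaves, 'length "16..max"', 'range "1..300"',
defaults, the source-type choice, the server-type bits and the 'must'
on the tacacsplus container) to a JSON-encoded configuration instance.
"""
import ipaddress
import json

# Constructed copy of the Appendix A instance in JSON encoding: the
# augmented container and the foreign identityref carry the module name.
APPENDIX_A = json.loads("""
{
  "ietf-system:system": {
    "authentication": {
      "user-authentication-order": [
        "ietf-system-tacacsplus:tacacsplus", "local-users"
      ]
    },
    "ietf-system-tacacsplus:tacacsplus": {
      "server": [
        {
          "name": "tac_plus1",
          "server-type": "authentication",
          "address": "10.10.10.2",
          "shared-secret": "QaEfThUkO1980100754609236h3TbE8n",
          "source-ip": "10.10.10.12",
          "single-connection": false,
          "timeout": 10
        }
      ]
    }
  }
}
""")

# Defined bits of tcsplus-server-type and the leaf defaults from the module.
SERVER_TYPE_BITS = {"authentication", "authorization", "accounting"}
DEFAULTS = {"port": 49, "single-connection": False, "timeout": 5}


def with_defaults(server: dict) -> dict:
    """Return the server entry with the module's default values filled in."""
    return {**DEFAULTS, **server}


def _is_int(value) -> bool:
    # bool is a subclass of int in Python; a YANG integer must not be a bool.
    return isinstance(value, int) and not isinstance(value, bool)


def validate_server(server: dict) -> list:
    """Check one 'server' list entry; returns a list of violations (empty = ok)."""
    errors = []
    name = server.get("name", "<no name>")
    if not isinstance(server.get("name"), str):
        errors.append("server: key leaf 'name' missing or not a string")
    # tcsplus-server-type is 'bits': a space-separated subset of the three names.
    unknown = set(str(server.get("server-type", "")).split()) - SERVER_TYPE_BITS
    if unknown:
        errors.append(f"{name}: unknown server-type bits {sorted(unknown)}")
    if "address" not in server:  # mandatory true
        errors.append(f"{name}: mandatory leaf 'address' missing")
    s = with_defaults(server)
    if not (_is_int(s["port"]) and 0 <= s["port"] <= 65535):  # inet:port-number
        errors.append(f"{name}: port {s['port']!r} is not a valid port number")
    secret = server.get("shared-secret")  # mandatory true, length "16..max"
    if secret is None:
        errors.append(f"{name}: mandatory leaf 'shared-secret' missing")
    elif len(secret) < 16:
        errors.append(f"{name}: shared-secret has {len(secret)} characters, minimum is 16")
    # choice source-type: the two cases are mutually exclusive.
    if "source-ip" in server and "source-interface" in server:
        errors.append(f"{name}: source-ip and source-interface are alternative cases of one choice")
    if "source-ip" in server:
        try:
            ipaddress.ip_address(server["source-ip"])  # inet:ip-address
        except ValueError:
            errors.append(f"{name}: source-ip {server['source-ip']!r} is not an IP address")
    if not isinstance(s["single-connection"], bool):
        errors.append(f"{name}: single-connection must be a boolean")
    if not (_is_int(s["timeout"]) and 1 <= s["timeout"] <= 300):  # uint16, range "1..300"
        errors.append(f"{name}: timeout {s['timeout']!r} is outside 1..300 seconds")
    return errors


def validate_instance(doc: dict) -> list:
    """Check a whole ietf-system:system instance, including the container 'must'."""
    system = doc.get("ietf-system:system", {})
    order = system.get("authentication", {}).get("user-authentication-order", [])
    servers = system.get("ietf-system-tacacsplus:tacacsplus", {}).get("server", [])
    errors = []
    # must "not(derived-from-or-self(.../user-authentication-order, 'tacacsplus')) or server"
    # Simplified to a local-name match (assumption: no identities derived from tacacsplus).
    if any(m.split(":")[-1] == "tacacsplus" for m in order) and not servers:
        errors.append("must: 'tacacsplus' is an authentication method but no TACACS+ server is configured")
    names = [srv.get("name") for srv in servers]
    for dup in sorted({n for n in names if n is not None and names.count(n) > 1}):
        errors.append(f"duplicate list key 'name' = {dup!r}")
    for srv in servers:
        errors.extend(validate_server(srv))
    return errors


if __name__ == "__main__":
    for line in validate_instance(APPENDIX_A) or ["Appendix A instance is valid"]:
        print(line)
```

Running the file prints "Appendix A instance is valid"; feeding it a copy with a short shared secret or a zero timeout prints one line per violated constraint. A real deployment would let the NETCONF or RESTCONF server's YANG validation do this work, but a pre-commit check of this kind is a cheap way to catch a weak shared secret or a dangling authentication method before it reaches the device's running datastore.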