Network Working Group                                          G. Zheng
Internet-Draft                                                  M. Wang
Intended status: Standards Track                                  B. Wu
Expires: November 23, 2020                                       Huawei
                                                           May 22, 2020

                      YANG Data Model for TACACS+
                    draft-ietf-opsawg-tacacs-yang-05

Abstract

   This document defines YANG modules that augment the System Management
   data model defined in RFC 7317 with a TACACS+ client model.
   The data model of the Terminal Access Controller Access Control
   System Plus (TACACS+) client allows the configuration of TACACS+
   servers for centralized Authentication, Authorization and Accounting.

   The YANG modules in this document conform to the Network Management
   Datastore Architecture (NMDA) defined in RFC 8342.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 23, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions used in this document
     2.1.  Tree Diagrams
   3.  Design of the Data Model
   4.  TACACS+ Client Module
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Example TACACS+ Authentication Configuration
   Authors' Addresses

1.  Introduction

   This document defines YANG modules that augment the System Management
   data model defined in [RFC7317] with a TACACS+ client model.

   TACACS+ provides device administration for routers, network access
   servers and other networked computing devices via one or more
   centralized servers, as defined in the TACACS+ Protocol
   [I-D.ietf-opsawg-tacacs].

   The System Management Model [RFC7317] defines two YANG features to
   support local or RADIUS authentication:

   o  User Authentication Model: Defines a list of usernames and
      passwords and controls the order in which local or RADIUS
      authentication is used.

   o  RADIUS Client Model: Defines a list of RADIUS servers that a
      device uses.

   Since TACACS+ is also used for device management and this feature is
   not contained in the System Management model, this document defines a
   YANG data model that allows users to configure TACACS+ client
   functions on a device for centralized Authentication, Authorization
   and Accounting provided by TACACS+ servers.

   The YANG models can be used with network management protocols such as
   NETCONF [RFC6241] to install, manipulate, and delete the
   configuration of network devices.
   The YANG data model in this document conforms to the Network
   Management Datastore Architecture (NMDA) defined in [RFC8342].

2.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The following terms are defined in [RFC6241] and are used in this
   specification:

   o  client

   o  configuration data

   o  server

   o  state data

   The following terms are defined in [RFC7950] and are used in this
   specification:

   o  augment

   o  data model

   o  data node

   The terminology for describing YANG data models is found in
   [RFC7950].

2.1.  Tree Diagrams

   Tree diagrams used in this document follow the notation defined in
   [RFC8340].

3.  Design of the Data Model

   This model is used to configure the TACACS+ client on a device to
   support deployment scenarios with centralized authentication,
   authorization, and accounting servers.  Authentication is used to
   validate a user's name and password, authorization allows the user to
   access and execute commands at the various command levels assigned to
   the user, and accounting keeps track of the activity of a user who
   has accessed the device.

   The ietf-system-tacacsplus module is intended to augment the
   "/sys:system" path defined in the ietf-system module with the
   contents of the "tacacsplus" grouping.  Therefore, a device can use
   local, Remote Authentication Dial In User Service (RADIUS), or
   Terminal Access Controller Access Control System Plus (TACACS+) to
   validate users who attempt to access the router by several
   mechanisms, e.g. a command line interface or a web-based user
   interface.
   The "server" list is directly under the "tacacsplus" container; it
   holds a list of TACACS+ servers and uses "server-type" to distinguish
   between the three AAA functions (authentication, authorization and
   accounting) that a server provides.  The list of servers is for
   redundancy.

   Most of the parameters in the "server" list are taken directly from
   the TACACS+ protocol [I-D.ietf-opsawg-tacacs], and some are derived
   from the various implementations by network equipment manufacturers.
   For example, when there are multiple interfaces connected to the
   TACACS+ client or server, the source address of outgoing TACACS+
   packets could be specified directly, specified through the interface
   setting, or derived from the outbound interface found in the local
   FIB.  For a TACACS+ server located in a Virtual Private Network
   (VPN), a VRF instance needs to be specified.

   The "statistics" container under the "server" list records session
   statistics and usage information during user access, which includes
   the amount of data a user has sent and/or received during a session.

   The data model for the TACACS+ client has the following structure:

   module: ietf-system-tacacsplus
     augment /sys:system:
       +--rw tacacsplus {tacacsplus}?
          +--rw server* [name]
             +--rw name                   string
             +--rw server-type?           tcsplus-server-type
             +--rw address                inet:host
             +--rw port?                  inet:port-number
             +--rw shared-secret          string
             +--rw (source-type)?
             |  +--:(source-ip)
             |  |  +--rw source-ip?          inet:ip-address
             |  +--:(source-interface)
             |     +--rw source-interface?   if:interface-ref
             +--rw vrf-instance?
             |       -> /ni:network-instances/network-instance/name
             +--rw single-connection?     boolean
             +--rw timeout?               uint16
             +--ro statistics
                +--ro connection-opens?      yang:counter64
                +--ro connection-closes?     yang:counter64
                +--ro connection-aborts?     yang:counter64
                +--ro connection-failures?   yang:counter64
                +--ro connection-timeouts?   yang:counter64
                +--ro messages-sent?         yang:counter64
                +--ro messages-received?     yang:counter64
                +--ro errors-received?       yang:counter64
                +--ro sessions?              yang:counter64

4.  TACACS+ Client Module

   <CODE BEGINS> file "ietf-system-tacacsplus@2020-05-22.yang"
   module ietf-system-tacacsplus {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus";
     prefix sys-tcsplus;

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991: Common YANG Data Types";
     }
     import ietf-yang-types {
       prefix yang;
       reference
         "RFC 6991: Common YANG Data Types";
     }
     import ietf-network-instance {
       prefix ni;
       reference
         "RFC 8529: YANG Data Model for Network Instances";
     }
     import ietf-interfaces {
       prefix if;
       reference
         "RFC 8343: A YANG Data Model for Interface Management";
     }
     import ietf-system {
       prefix sys;
       reference
         "RFC 7317: A YANG Data Model for System Management";
     }
     import ietf-netconf-acm {
       prefix nacm;
       reference
         "RFC 8341: Network Configuration Access Control Model";
     }

     organization
       "IETF Opsawg (Operations and Management Area Working Group)";
     contact
       "WG Web:
        WG List:

        Editor: Bo Wu
        Editor: Guangying Zheng";
     description
       "This module provides configuration of the TACACS+ client.

        Copyright (c) 2020 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see the
        RFC itself for full legal notices.";

     // RFC Ed.: update the date below with the date of RFC
     // publication and remove this note.
     // RFC Ed.: replace XXXX with actual RFC number and remove
     // this note, and the TACACS+ Protocol refers to
     // draft-ietf-opsawg-tacacs.

     revision 2020-05-22 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for TACACS+";
     }

     typedef tcsplus-server-type {
       type bits {
         bit authentication {
           description
             "When set, the server is an authentication server.";
         }
         bit authorization {
           description
             "When set, the server is an authorization server.";
         }
         bit accounting {
           description
             "When set, the server is an accounting server.";
         }
       }
       description
         "tcsplus-server-type can be set to
          authentication/authorization/accounting
          or any combination of the three types.  When all three types
          are supported, all three bits are set.";
     }

     feature tacacsplus {
       description
         "Indicates that the device can be configured as a TACACS+
          client.";
       reference
         "RFC XXXX: The TACACS+ Protocol";
     }

     identity tacacsplus {
       base sys:authentication-method;
       description
         "Indicates AAA operation using TACACS+.";
       reference
         "RFC XXXX: The TACACS+ Protocol";
     }

     grouping statistics {
       description
         "Grouping for TACACS+ statistics attributes.";
       container statistics {
         config false;
         description
           "A collection of server-related statistics objects.";
         leaf connection-opens {
           type yang:counter64;
           description
             "Number of new connection requests sent to the server, e.g.
              socket open.";
         }
         leaf connection-closes {
           type yang:counter64;
           description
             "Number of connection close requests sent to the server,
              e.g. socket close.";
         }
         leaf connection-aborts {
           type yang:counter64;
           description
             "Number of aborted connections to the server.  These do
              not include connections that are closed gracefully.";
         }
         leaf connection-failures {
           type yang:counter64;
           description
             "Number of connection failures to the server.";
         }
         leaf connection-timeouts {
           type yang:counter64;
           description
             "Number of connection timeouts to the server.";
         }
         leaf messages-sent {
           type yang:counter64;
           description
             "Number of messages sent to the server.";
         }
         leaf messages-received {
           type yang:counter64;
           description
             "Number of messages received from the server.";
         }
         leaf errors-received {
           type yang:counter64;
           description
             "Number of error messages received from the server.";
         }
         leaf sessions {
           type yang:counter64;
           description
             "Number of TACACS+ sessions completed with the server.
              If the Single Connection Mode was NOT enabled, the number
              of sessions is the same as the number of
              'connection-closes'.  If the Mode was enabled, a single
              TCP connection may contain multiple TACACS+ sessions.";
         }
       }
     }

     grouping tacacsplus {
       description
         "Grouping for TACACS+ attributes.";
       container tacacsplus {
         if-feature "tacacsplus";
         must "not(derived-from-or-self(../sys:authentication"
            + "/sys:user-authentication-order, 'tacacsplus')) or server" {
           error-message "When 'tacacsplus' is used as a system"
                       + " authentication method, a TACACS+ server"
                       + " must be configured.";
           description
             "When 'tacacsplus' is used as an authentication method,
              a TACACS+ server must be configured.";
         }
         description
           "Container for TACACS+ configurations and operations.";
         list server {
           key "name";
           ordered-by user;
           description
             "List of TACACS+ servers used by the device.";
           leaf name {
             type string;
             description
               "An arbitrary name for the TACACS+ server.";
           }
           leaf server-type {
             type tcsplus-server-type;
             description
               "Server type: authentication/authorization/accounting
                and various combinations.  When all three types are
                supported, all three bits are set.";
           }
           leaf address {
             type inet:host;
             mandatory true;
             description
               "The address of the TACACS+ server.";
           }
           leaf port {
             type inet:port-number;
             default "49";
             description
               "The port number of the TACACS+ server.";
           }
           leaf shared-secret {
             type string {
               length "16..max";
             }
             mandatory true;
             nacm:default-deny-all;
             description
               "The shared secret, which is known to both the
                TACACS+ client and server.  TACACS+ server
                administrators should configure a shared secret of
                at least 16 characters.  It is highly recommended that
                shared keys are at least 32 characters long.";
             reference
               "RFC XXXX: The TACACS+ Protocol";
           }
           choice source-type {
             description
               "The source address type for outbound TACACS+ packets.";
             case source-ip {
               leaf source-ip {
                 type inet:ip-address;
                 description
                   "Specifies the source IP address for TACACS+
                    outbound packets.";
               }
             }
             case source-interface {
               leaf source-interface {
                 type if:interface-ref;
                 description
                   "Specifies the interface from which the IP address
                    is derived for use as the source for the outbound
                    TACACS+ packet.";
               }
             }
           }
           leaf vrf-instance {
             type leafref {
               path "/ni:network-instances/ni:network-instance/ni:name";
             }
             description
               "Specifies the VPN Routing and Forwarding (VRF) instance
                to use to communicate with the TACACS+ server.";
           }
           leaf single-connection {
             type boolean;
             default "false";
             description
               "Whether the single connection mode is enabled for the
                server.  By default, the single connection mode is
                disabled.";
           }
           leaf timeout {
             type uint16 {
               range "1..300";
             }
             units "seconds";
             default "5";
             description
               "The number of seconds the device will wait for a
                response from each TACACS+ server before trying with a
                different server.";
           }
           uses statistics;
         }
       }
     }

     augment "/sys:system" {
       description
         "Augment the system model with the tacacsplus model.";
       uses tacacsplus;
     }
   }
   <CODE ENDS>

5.  Security Considerations

   The YANG module defined in this document is designed to be accessed
   via network management protocols such as NETCONF [RFC6241] or
   RESTCONF [RFC8040].  The lowest NETCONF layer is the secure transport
   layer, and the mandatory-to-implement secure transport is Secure
   Shell (SSH) [RFC6242].  The lowest RESTCONF layer is HTTPS, and the
   mandatory-to-implement secure transport is TLS [RFC8446].

   The NETCONF access control model [RFC8341] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  These are the subtrees and data nodes
   and their sensitivity/vulnerability:

   /system/tacacsplus/server:  This list contains the objects used to
      control the TACACS+ servers used by the device.  Unauthorized
      access to this list could cause a user management failure on the
      device.

   /system/tacacsplus/server/shared-secret:  This leaf controls the
      key known to both the TACACS+ client and server.
      Unauthorized access to this leaf could leave the device vulnerable
      to attacks; access to it has therefore been restricted using the
      "default-deny-all" access control defined in [RFC8341].

   Because this document describes the use of TACACS+ for the purposes
   of authentication, authorization and accounting, it is vulnerable to
   all of the threats that are present in TACACS+ applications.  For a
   discussion of such threats, see Section 9 of the TACACS+ Protocol
   [I-D.ietf-opsawg-tacacs].

6.  IANA Considerations

   This document registers a URI in the IETF XML registry [RFC3688].
   Following the format in [RFC3688], the following registration is
   requested to be made:

      URI: urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus
      Registrant Contact: The IESG.
      XML: N/A, the requested URI is an XML namespace.

   This document registers a YANG module in the YANG Module Names
   registry [RFC7950].

      Name: ietf-system-tacacsplus
      Namespace: urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus
      Prefix: sys-tcsplus
      Reference: RFC XXXX (RFC Ed.: replace XXXX with actual
                 RFC number and remove this note.)

7.  Acknowledgments

   The authors wish to thank Alex Campbell, John Heasley, Ebben Aries,
   Alan DeKok, Joe Clarke, Tom Petch, and many others for their helpful
   comments and suggestions.

8.  References

8.1.  Normative References

   [I-D.ietf-opsawg-tacacs]
              Dahm, T., Ota, A., dcmgash@cisco.com, d., Carrel, D., and
              L. Grant, "The TACACS+ Protocol",
              draft-ietf-opsawg-tacacs-18 (work in progress), March
              2020.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.
   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7317]  Bierman, A. and M. Bjorklund, "A YANG Data Model for
              System Management", RFC 7317, DOI 10.17487/RFC7317,
              August 2014.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

8.2.  Informative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

Appendix A.  Example TACACS+ Authentication Configuration

   The following shows an example where a TACACS+ authentication server
   instance is configured.
   {
     "ietf-system:system": {
       "authentication": {
         "user-authentication-order": [
           "ietf-system-tacacsplus:tacacsplus",
           "local-users"
         ]
       },
       "ietf-system-tacacsplus:tacacsplus": {
         "server": [
           {
             "name": "tac_plus1",
             "server-type": "authentication",
             "address": "10.10.10.2",
             "shared-secret": "QaEfThUkO1980100754609236h3TbE8n",
             "source-ip": "10.10.10.12",
             "single-connection": false,
             "timeout": 10
           }
         ]
       }
     }
   }

Authors' Addresses

   Guangying Zheng
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: zhengguangying@huawei.com


   Michael Wang
   Huawei Technologies, Co., Ltd
   101 Software Avenue, Yuhua District
   Nanjing 210012
   China

   Email: wangzitao@huawei.com


   Bo Wu
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: lana.wubo@huawei.com
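To make the constraints the module expresses concrete, the following validator is an added example written for this page (it is not part of the draft or of any project code): it checks a JSON instance such as the one in Appendix A against the mandatory leaves, the "16..max" shared-secret length, the source-type choice, the 1..300 timeout range, the list key and the container's "must" statement. The three instance documents are constructed for the example; key names follow the RFC 7951 module-name qualification for nodes and identities from the augmenting module.

```python
import ipaddress
import json

MODULE = "ietf-system-tacacsplus"
TACACS_IDENTITY = MODULE + ":tacacsplus"  # identity tacacsplus, base sys:authentication-method
SERVER_TYPE_BITS = {"authentication", "authorization", "accounting"}  # typedef tcsplus-server-type


def check_server(srv):
    """Apply the per-entry constraints of the 'server' list; return error strings."""
    name = srv.get("name", "<unnamed>")
    errs = []
    if "address" not in srv:  # leaf address: mandatory true
        errs.append(f"{name}: 'address' is mandatory")
    secret = srv.get("shared-secret")  # leaf shared-secret: mandatory, length "16..max"
    if secret is None:
        errs.append(f"{name}: 'shared-secret' is mandatory")
    elif len(secret) < 16:
        errs.append(f"{name}: shared-secret must be at least 16 characters")
    for bit in srv.get("server-type", "").split():  # bits type: space-separated bit names
        if bit not in SERVER_TYPE_BITS:
            errs.append(f"{name}: unknown server-type bit '{bit}'")
    if "source-ip" in srv and "source-interface" in srv:  # choice source-type: one case only
        errs.append(f"{name}: source-ip and source-interface are mutually exclusive")
    if "source-ip" in srv:
        try:
            ipaddress.ip_address(srv["source-ip"])  # inet:ip-address
        except ValueError:
            errs.append(f"{name}: source-ip is not a valid IP address")
    timeout = srv.get("timeout", 5)  # uint16 with range "1..300", default 5
    if not isinstance(timeout, int) or not 1 <= timeout <= 300:
        errs.append(f"{name}: timeout must be an integer in 1..300 seconds")
    if not isinstance(srv.get("single-connection", False), bool):  # RFC 7951: boolean literal
        errs.append(f"{name}: single-connection must be a JSON boolean")
    return errs


def validate(instance):
    """Return all constraint violations found in one ietf-system JSON instance."""
    system = instance.get("ietf-system:system", {})
    order = system.get("authentication", {}).get("user-authentication-order", [])
    servers = system.get(MODULE + ":tacacsplus", {}).get("server", [])
    errs = []
    # The container's 'must': tacacsplus in the authentication order requires a server.
    if TACACS_IDENTITY in order and not servers:
        errs.append("tacacsplus is an authentication method but no TACACS+ server is configured")
    names = [s.get("name") for s in servers]  # list key "name" must be unique
    if len(names) != len(set(names)):
        errs.append("duplicate TACACS+ server name")
    for srv in servers:
        errs.extend(check_server(srv))
    return errs


# Constructed instance documents; GOOD reuses the Appendix A values.
GOOD = json.loads("""{"ietf-system:system": {
  "authentication": {"user-authentication-order":
    ["ietf-system-tacacsplus:tacacsplus", "local-users"]},
  "ietf-system-tacacsplus:tacacsplus": {"server": [{"name": "tac_plus1",
    "server-type": "authentication", "address": "10.10.10.2",
    "shared-secret": "QaEfThUkO1980100754609236h3TbE8n",
    "source-ip": "10.10.10.12", "single-connection": false, "timeout": 10}]}}}""")
NO_SERVER = json.loads("""{"ietf-system:system": {
  "authentication": {"user-authentication-order":
    ["ietf-system-tacacsplus:tacacsplus", "local-users"]},
  "ietf-system-tacacsplus:tacacsplus": {"server": []}}}""")
BAD_SERVER = json.loads("""{"ietf-system:system": {
  "ietf-system-tacacsplus:tacacsplus": {"server": [{"name": "tac_plus2",
    "address": "10.10.10.3", "shared-secret": "tooshort",
    "source-ip": "10.10.10.12", "source-interface": "eth0", "timeout": 0}]}}}""")
```

Running validate(GOOD) returns an empty list, while NO_SERVER trips the must statement and BAD_SERVER reports the short secret, the conflicting source-type cases and the out-of-range timeout.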