Network Working Group                                           G. Zheng
Internet-Draft                                                   M. Wang
Intended status: Standards Track                                   B. Wu
Expires: December 22, 2020                                        Huawei
                                                           June 20, 2020

                      Yang data model for TACACS+
                    draft-ietf-opsawg-tacacs-yang-07

Abstract

   This document defines a YANG module that augments the System
   Management data model defined in RFC 7317 with a TACACS+ client
   model.
   The data model of the Terminal Access Controller Access Control
   System Plus (TACACS+) client allows the configuration of TACACS+
   servers for centralized Authentication, Authorization and Accounting.

   The YANG module in this document conforms to the Network Management
   Datastore Architecture (NMDA) defined in RFC 8342.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 22, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions used in this document
     2.1.  Tree Diagrams
   3.  Design of the Data Model
   4.  TACACS+ Client Module
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Example Tacacs+ Authentication Configuration
   Authors' Addresses

1.  Introduction

   This document defines a YANG module that augments the System
   Management data model defined in [RFC7317] with a TACACS+ client
   model.

   TACACS+ provides Device Administration for routers, network access
   servers and other networked computing devices via one or more
   centralized servers, as defined in the TACACS+ Protocol
   [I-D.ietf-opsawg-tacacs].

   The System Management Model [RFC7317] defines two YANG features to
   support local or RADIUS authentication:

   o  User Authentication Model: Defines a list of usernames and
      passwords and controls the order in which local or RADIUS
      authentication is used.

   o  RADIUS Client Model: Defines a list of RADIUS servers that a
      device uses.

   Since TACACS+ is also used for device management and the feature is
   not contained in the System Management model, this document defines a
   YANG data model that allows users to configure TACACS+ client
   functions on a device for centralized Authentication, Authorization
   and Accounting provided by TACACS+ servers.

   The YANG model can be used with network management protocols such as
   NETCONF [RFC6241] to install, manipulate, and delete the
   configuration of network devices.
   The YANG data model in this document conforms to the Network
   Management Datastore Architecture (NMDA) defined in [RFC8342].

2.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The following terms are defined in [RFC6241] and are used in this
   specification:

   o  client

   o  configuration data

   o  server

   o  state data

   The following terms are defined in [RFC7950] and are used in this
   specification:

   o  augment

   o  data model

   o  data node

   The terminology for describing YANG data models is found in
   [RFC7950].

2.1.  Tree Diagrams

   Tree diagrams used in this document follow the notation defined in
   [RFC8340].

3.  Design of the Data Model

   This model is used to configure the TACACS+ client on a device to
   support deployment scenarios with centralized authentication,
   authorization, and accounting servers.  Authentication is used to
   validate a user's name and password, authorization allows the user to
   access and execute commands at the various command levels assigned to
   the user, and accounting keeps track of the activity of a user who
   has accessed the device.

   The ietf-system-tacacsplus module is intended to augment the
   "/sys:system" path defined in the ietf-system module with the
   contents of the "tacacsplus" grouping.  Therefore, a device can use
   local, Remote Authentication Dial In User Service (RADIUS), or
   Terminal Access Controller Access Control System Plus (TACACS+) to
   validate users who attempt to access the router by several
   mechanisms, e.g. a command line interface or a web-based user
   interface.
   The "server" list is directly under the "tacacsplus" container; it
   holds a list of TACACS+ servers and uses server-type to distinguish
   between the three AAA functions (authentication, authorization, and
   accounting).  The list of servers is for redundancy.

   Most of the parameters in the "server" list are taken directly from
   the TACACS+ protocol [I-D.ietf-opsawg-tacacs], and some are derived
   from the various implementations by network equipment manufacturers.
   For example, when there are multiple interfaces connected to the
   TACACS+ client or server, the source address of outgoing TACACS+
   packets could be specified directly, or through an interface setting,
   or derived from the outbound interface in the local FIB.  For a
   TACACS+ server located in a Virtual Private Network (VPN), a VRF
   instance needs to be specified.

   The "statistics" container under the "server" list records session
   statistics and usage information during user access, which includes
   the amount of data a user has sent and/or received during a session.

   The data model for the TACACS+ client has the following structure:

   module: ietf-system-tacacsplus
     augment /sys:system:
       +--rw tacacsplus {tacacsplus}?
          +--rw server* [name]
             +--rw name                   string
             +--rw server-type?           tcsplus-server-type
             +--rw address                inet:host
             +--rw port?                  inet:port-number
             +--rw shared-secret          string
             +--rw (source-type)?
             |  +--:(source-ip)
             |  |  +--rw source-ip?       inet:ip-address
             |  +--:(source-interface)
             |     +--rw source-interface?   if:interface-ref
             +--rw vrf-instance?
             |       -> /ni:network-instances/network-instance/name
             +--rw single-connection?     boolean
             +--rw timeout?               uint16
             +--ro statistics
                +--ro connection-opens?      yang:counter64
                +--ro connection-closes?     yang:counter64
                +--ro connection-aborts?     yang:counter64
                +--ro connection-failures?   yang:counter64
                +--ro connection-timeouts?   yang:counter64
                +--ro messages-sent?         yang:counter64
                +--ro messages-received?     yang:counter64
                +--ro errors-received?       yang:counter64
                +--ro sessions?              yang:counter64

4.  TACACS+ Client Module

   This YANG module imports typedefs from [RFC6991].

   file "ietf-system-tacacsplus@2020-05-22.yang"

   module ietf-system-tacacsplus {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus";
     prefix sys-tcsplus;

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991: Common YANG Data Types";
     }
     import ietf-yang-types {
       prefix yang;
       reference
         "RFC 6991: Common YANG Data Types";
     }
     import ietf-network-instance {
       prefix ni;
       reference
         "RFC 8529: YANG Data Model for Network Instances";
     }
     import ietf-interfaces {
       prefix if;
       reference
         "RFC 8343: A YANG Data Model for Interface Management";
     }
     import ietf-system {
       prefix sys;
       reference
         "RFC 7317: A YANG Data Model for System Management";
     }
     import ietf-netconf-acm {
       prefix nacm;
       reference
         "RFC 8341: Network Configuration Access Control Model";
     }

     organization
       "IETF Opsawg (Operations and Management Area Working Group)";
     contact
       "WG Web:
        WG List:

        Editor: Bo Wu
        Editor: Guangying Zheng";
     description
       "This module provides configuration of TACACS+ client.

        Copyright (c) 2020 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see the
        RFC itself for full legal notices.";

     // RFC Ed.: update the date below with the date of RFC
     // publication and remove this note.
     // RFC Ed.: replace XXXX with actual RFC number and remove
     // this note, and the TACACS+ Protocol refers to
     // draft-ietf-opsawg-tacacs.

     revision 2020-05-22 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A Yang Data Model for TACACS+";
     }

     typedef tcsplus-server-type {
       type bits {
         bit authentication {
           description
             "When set, the server is an authentication server.";
         }
         bit authorization {
           description
             "When set, the server is an authorization server.";
         }
         bit accounting {
           description
             "When set, the server is an accounting server.";
         }
       }
       description
         "tcsplus-server-type can be set to
          authentication/authorization/accounting
          or any combination of the three types.  When all three types
          are supported, all three bits are set.";
     }

     feature tacacsplus {
       description
         "Indicates that the device can be configured as a TACACS+
          client.";
       reference
         "RFC XXXX: The TACACS+ Protocol";
     }

     identity tacacsplus {
       base sys:authentication-method;
       description
         "Indicates AAA operation using TACACS+.";
       reference
         "RFC XXXX: The TACACS+ Protocol";
     }

     grouping statistics {
       description
         "Grouping for TACACS+ statistics attributes";
       container statistics {
         config false;
         description
           "A collection of server-related statistics objects";
         leaf connection-opens {
           type yang:counter64;
           description
             "Number of new connection requests sent to the server, e.g.
              socket open";
         }
         leaf connection-closes {
           type yang:counter64;
           description
             "Number of connection close requests sent to the server,
              e.g. socket close";
         }
         leaf connection-aborts {
           type yang:counter64;
           description
             "Number of aborted connections to the server.  These do
              not include connections that are closed gracefully.";
         }
         leaf connection-failures {
           type yang:counter64;
           description
             "Number of connection failures to the server";
         }
         leaf connection-timeouts {
           type yang:counter64;
           description
             "Number of connection timeouts to the server";
         }
         leaf messages-sent {
           type yang:counter64;
           description
             "Number of messages sent to the server";
         }
         leaf messages-received {
           type yang:counter64;
           description
             "Number of messages received from the server";
         }
         leaf errors-received {
           type yang:counter64;
           description
             "Number of error messages received from the server";
         }
         leaf sessions {
           type yang:counter64;
           description
             "Number of TACACS+ sessions completed with the server.
              If the Single Connection Mode was NOT enabled, the number
              of sessions is the same as the number of
              'connection-closes'.  If the Mode was enabled, a single
              TCP connection may contain multiple TACACS+ sessions.";
         }
       }
     }

     grouping tacacsplus {
       description
         "Grouping for TACACS+ attributes";
       container tacacsplus {
         if-feature "tacacsplus";
         must "not(derived-from-or-self(../sys:authentication"
            + "/sys:user-authentication-order, 'tacacsplus')) or server" {
           error-message "When 'tacacsplus' is used as a system"
                       + " authentication method, a TACACS+ server"
                       + " must be configured.";
           description
             "When 'tacacsplus' is used as an authentication method,
              a TACACS+ server must be configured.";
         }
         description
           "Container for TACACS+ configurations and operations.";
         list server {
           key "name";
           ordered-by user;
           description
             "List of TACACS+ servers used by the device.";
           leaf name {
             type string;
             description
               "An arbitrary name for the TACACS+ server.";
           }
           leaf server-type {
             type tcsplus-server-type;
             description
               "Server type: authentication/authorization/accounting and
                various combinations.
                When all three types are supported, all three bits
                are set.";
           }
           leaf address {
             type inet:host;
             mandatory true;
             description
               "The address of the TACACS+ server.";
           }
           leaf port {
             type inet:port-number;
             default "49";
             description
               "The port number of the TACACS+ server.";
           }
           leaf shared-secret {
             type string {
               length "16..max";
             }
             mandatory true;
             nacm:default-deny-all;
             description
               "The shared secret, which is known to both the
                TACACS+ client and server.  TACACS+ server administrators
                should configure a shared secret of at least 16
                characters.  It is highly recommended that shared keys
                are at least 32 characters long.";
             reference
               "RFC XXXX: The TACACS+ Protocol";
           }
           choice source-type {
             description
               "The source address type for outbound TACACS+ packets.";
             case source-ip {
               leaf source-ip {
                 type inet:ip-address;
                 description
                   "Specifies the source IP address for outbound TACACS+
                    packets.";
               }
             }
             case source-interface {
               leaf source-interface {
                 type if:interface-ref;
                 description
                   "Specifies the interface from which the IP address is
                    derived for use as the source for the outbound
                    TACACS+ packet";
               }
             }
           }
           leaf vrf-instance {
             type leafref {
               path "/ni:network-instances/ni:network-instance/ni:name";
             }
             description
               "Specifies the VPN Routing and Forwarding (VRF) instance
                to use to communicate with the TACACS+ server.";
           }
           leaf single-connection {
             type boolean;
             default "false";
             description
               "Whether the single connection mode is enabled for the
                server.  By default, the single connection mode is
                disabled.";
           }
           leaf timeout {
             type uint16 {
               range "1..300";
             }
             units "seconds";
             default "5";
             description
               "The number of seconds the device will wait for a
                response from each TACACS+ server before trying with a
                different server.";
           }
           uses statistics;
         }
       }
     }

     augment "/sys:system" {
       description
         "Augment the system model with the tacacsplus model";
       uses tacacsplus;
     }
   }

5.  Security Considerations

   The YANG module defined in this document is designed to be accessed
   via network management protocols such as NETCONF [RFC6241] or
   RESTCONF [RFC8040].  The lowest NETCONF layer is the secure transport
   layer, and the mandatory-to-implement secure transport is Secure
   Shell (SSH) [RFC6242].
   The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement
   secure transport is TLS [RFC8446].

   The NETCONF access control model [RFC8341] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  These are the subtrees and data nodes
   and their sensitivity/vulnerability:

   /system/tacacsplus/server:  This list contains the objects used to
      control the TACACS+ servers used by the device.  Unauthorized
      access to this list could cause a user management failure on the
      device.

   /system/tacacsplus/server/shared-secret:  This leaf controls the key
      known to both the TACACS+ client and server.  Unauthorized access
      to this leaf could leave the device vulnerable to attacks; it has
      therefore been restricted using the "default-deny-all" access
      control defined in [RFC8341].

   Because this document describes the use of TACACS+ for purposes of
   authentication, authorization and accounting, it is vulnerable to all
   of the threats that are present in TACACS+ applications.  For a
   discussion of such threats, see Section 9 of the TACACS+ Protocol
   [I-D.ietf-opsawg-tacacs].

6.  IANA Considerations

   This document registers a URI in the IETF XML registry [RFC3688].
   Following the format in [RFC3688], the following registration is
   requested to be made:

      URI: urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus
      Registrant Contact: The IESG.
      XML: N/A, the requested URI is an XML namespace.
   This document registers a YANG module in the YANG Module Names
   registry [RFC7950].

      Name: ietf-system-tacacsplus
      Namespace: urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus
      Prefix: sys-tcsplus
      Reference: RFC XXXX (RFC Ed.: replace XXXX with actual
      RFC number and remove this note.)

7.  Acknowledgments

   The authors wish to thank Alex Campbell, John Heasley, Ebben Aries,
   Alan DeKok, Joe Clarke, Tom Petch, and many others for their helpful
   comments and suggestions.

8.  References

8.1.  Normative References

   [I-D.ietf-opsawg-tacacs]
              Dahm, T., Ota, A., Medway Gash, D.C., Carrel, D., and
              L. Grant, "The TACACS+ Protocol", draft-ietf-opsawg-
              tacacs-18 (work in progress), March 2020.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7317]  Bierman, A. and M. Bjorklund, "A YANG Data Model for
              System Management", RFC 7317, DOI 10.17487/RFC7317,
              August 2014.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

8.2.  Informative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

Appendix A.  Example Tacacs+ Authentication Configuration

   The following shows an example where a TACACS+ authentication server
   instance is configured, in the JSON encoding of [RFC7951]: identity
   values and the augmenting container are qualified with their module
   name, and boolean and uint16 leaves are encoded as JSON values rather
   than strings.

   {
     "ietf-system:system": {
       "authentication": {
         "user-authentication-order": [
           "ietf-system-tacacsplus:tacacsplus",
           "ietf-system:local-users"
         ]
       },
       "ietf-system-tacacsplus:tacacsplus": {
         "server": [
           {
             "name": "tac_plus1",
             "server-type": "authentication",
             "address": "192.0.2.2",
             "shared-secret": "QaEfThUkO1980100754609236h3TbE8n",
             "source-ip": "192.0.2.12",
             "single-connection": false,
             "timeout": 10
           }
         ]
       }
     }
   }

Authors' Addresses

   Guangying Zheng
   Huawei Technologies, Co., Ltd
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu  210012
   China

   Email: zhengguangying@huawei.com


   Michael Wang
   Huawei Technologies, Co., Ltd
   101 Software Avenue, Yuhua District
   Nanjing  210012
   China

   Email: wangzitao@huawei.com


   Bo Wu
   Huawei Technologies, Co., Ltd
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu  210012
   China

   Email: lana.wubo@huawei.com
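The following Python check is added here and is not part of the draft. It validates a JSON-encoded instance of the module against the constraints the module itself states: the list key and mandatory leaves, the 16-character minimum on shared-secret, the port and timeout ranges and defaults, the mutual exclusion of the source-type choice cases, and the "must" on the tacacsplus container that requires a server whenever tacacsplus appears in user-authentication-order. The function names and message texts are this example's own, and it embeds a constructed copy of the Appendix A instance as test input.

```python
import ipaddress

SERVER_TYPE_BITS = {"authentication", "authorization", "accounting"}
# identityref value of the 'tacacsplus' identity in RFC 7951 JSON encoding
TACACSPLUS_METHOD = "ietf-system-tacacsplus:tacacsplus"


def validate_server(server, path):
    """Return the constraint violations for one entry of the 'server' list."""
    errors = []
    for leaf in ("name", "address", "shared-secret"):   # key + mandatory true
        if leaf not in server:
            errors.append(f"{path}: required leaf '{leaf}' is missing")
    secret = server.get("shared-secret")
    if secret is not None and len(secret) < 16:         # length "16..max"
        errors.append(f"{path}/shared-secret: shorter than 16 characters")
    for bit in str(server.get("server-type", "")).split():  # bits type
        if bit not in SERVER_TYPE_BITS:
            errors.append(f"{path}/server-type: unknown bit '{bit}'")
    port = server.get("port", 49)                       # default "49"
    if not (isinstance(port, int) and 0 <= port <= 65535):
        errors.append(f"{path}/port: not a valid inet:port-number")
    timeout = server.get("timeout", 5)                  # default "5"
    if not (isinstance(timeout, int) and 1 <= timeout <= 300):  # range "1..300"
        errors.append(f"{path}/timeout: outside range 1..300")
    if not isinstance(server.get("single-connection", False), bool):
        errors.append(f"{path}/single-connection: must be a JSON boolean")
    # choice source-type: its two cases are mutually exclusive
    if "source-ip" in server and "source-interface" in server:
        errors.append(f"{path}: source-ip and source-interface are exclusive")
    if "source-ip" in server:
        try:
            ipaddress.ip_address(server["source-ip"])    # inet:ip-address
        except ValueError:
            errors.append(f"{path}/source-ip: not an inet:ip-address")
    return errors


def validate_system(config):
    """Return all violations for an 'ietf-system:system' instance."""
    system = config.get("ietf-system:system", {})
    order = system.get("authentication", {}).get("user-authentication-order", [])
    servers = system.get("ietf-system-tacacsplus:tacacsplus", {}).get("server", [])
    errors = []
    # the 'must' on the tacacsplus container: listing tacacsplus as a system
    # authentication method without any server leaves the device with no AAA
    if TACACSPLUS_METHOD in order and not servers:
        errors.append("tacacsplus: used as an authentication method but "
                      "no TACACS+ server is configured")
    for srv in servers:
        errors.extend(validate_server(srv, f"server[{srv.get('name')}]"))
    return errors


# Constructed instance (RFC 7951 JSON, as a Python dict) matching Appendix A.
APPENDIX_A = {
    "ietf-system:system": {
        "authentication": {
            "user-authentication-order": [TACACSPLUS_METHOD,
                                          "ietf-system:local-users"]
        },
        "ietf-system-tacacsplus:tacacsplus": {
            "server": [{
                "name": "tac_plus1",
                "server-type": "authentication",
                "address": "192.0.2.2",
                "shared-secret": "QaEfThUkO1980100754609236h3TbE8n",
                "source-ip": "192.0.2.12",
                "single-connection": False,
                "timeout": 10,
            }]
        },
    }
}
```

Running `validate_system(APPENDIX_A)` returns an empty list; feeding it an instance that lists tacacsplus in user-authentication-order without any server, or a server with a short shared-secret, returns the corresponding violation strings.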