Opsawg                                                         B. Wu, Ed.
Internet-Draft                                                   G. Zheng
Intended status: Standards Track                             M. Wang, Ed.
Expires: September 13, 2021                                        Huawei
                                                           March 12, 2021


                      YANG Data Model for TACACS+
                    draft-ietf-opsawg-tacacs-yang-09

Abstract

   This document defines a TACACS+ client YANG module that augments the
   System Management data model defined in RFC 7317, to allow devices
   to make use of TACACS+ servers for centralized Authentication,
   Authorization and Accounting.
   The YANG module in this document conforms to the Network Management
   Datastore Architecture (NMDA) defined in RFC 8342.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 13, 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions used in this document
     2.1.  Tree Diagrams
   3.  Design of the TACACS+ Data Model
   4.  TACACS+ Client Module
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Example TACACS+ Authentication Configuration
   Authors' Addresses

1.  Introduction

   This document defines a YANG module that augments the System
   Management data model defined in [RFC7317] to support the
   configuration and management of TACACS+ clients.

   TACACS+ [RFC8907] provides device administration for routers, network
   access servers and other networked devices via one or more
   centralized servers.

   The System Management Model [RFC7317] defines separate functionality
   to support local and RADIUS authentication:

   o  User Authentication Model: Defines a list of usernames with
      associated passwords and a configuration leaf to decide the order
      in which local or RADIUS authentication is used.

   o  RADIUS Client Model: Defines a list of RADIUS servers used by a
      device for centralized user authentication.

   The System Management Model is augmented with the TACACS+ YANG module
   defined in this document to allow the use of TACACS+ servers as an
   alternative to RADIUS servers or local user configuration.

   The YANG module can be used with network management protocols such as
   NETCONF [RFC6241].

   The YANG module in this document conforms to the Network Management
   Datastore Architecture (NMDA) defined in [RFC8342].

2.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The following terms are defined in [RFC6241] and are used in this
   specification:

   o  configuration data

   o  state data

   The following terms are defined in [RFC7950] and are used in this
   specification:

   o  augment

   o  data model

   o  data node

   The terminology for describing YANG data models is found in
   [RFC7950].

2.1.  Tree Diagrams

   Tree diagrams used in this document follow the notation defined in
   [RFC8340].

3.  Design of the TACACS+ Data Model

   This model is used to configure a TACACS+ client on a device to
   support deployment scenarios with centralized authentication,
   authorization, and accounting servers.  Authentication is used to
   validate a user's username and password, authorization allows the
   user to access and execute commands at various command levels
   assigned to the user, and accounting keeps track of the activity of
   a user who has accessed the device.

   The ietf-system-tacacs-plus module augments the "/sys:system" path
   defined in the ietf-system module with the contents of the "tacacs-
   plus" grouping.  Therefore, a device can use local, RADIUS, or
   TACACS+ to validate users who attempt to access the router by several
   mechanisms, e.g., a command line interface or a web-based user
   interface.

   The "server" list is directly under the "tacacs-plus" container,
   which holds a list of TACACS+ servers and uses server-type to
   distinguish between Authentication, Authorization and Accounting
   (AAA).  The list of servers is for redundancy.
   Most of the parameters in the "server" list are taken directly from
   the TACACS+ protocol [RFC8907], and some are derived from the various
   implementations by network equipment manufacturers.  For example,
   when there are multiple interfaces connected to the TACACS+ client or
   server, the source address of outgoing TACACS+ packets could be
   specified, or the source address could be specified through the
   interface IP address setting, or derived from the outbound interface
   from the local FIB.  For a TACACS+ server located in a Virtual
   Private Network (VPN), a VRF instance needs to be specified.

   The "statistics" container under the "server" list is a collection of
   read-only counters for sent and received messages from a configured
   server.

   The data model for the TACACS+ client has the following structure:

   module: ietf-system-tacacs-plus
     augment /sys:system:
       +--rw tacacs-plus
          +--rw server* [name]
             +--rw name                   string
             +--rw server-type?           tacacs-plus-server-type
             +--rw address                inet:host
             +--rw port?                  inet:port-number
             +--rw (encryption)
             |  +--:(shared-secret)
             |     +--rw shared-secret?   string
             +--rw (source-type)?
             |  +--:(source-ip)
             |  |  +--rw source-ip?       inet:ip-address
             |  +--:(source-interface)
             |     +--rw source-interface?   if:interface-ref
             +--rw vrf-instance?
             |       -> /ni:network-instances/network-instance/name
             +--rw single-connection?     boolean
             +--rw timeout?               uint16
             +--ro statistics
                +--ro connection-opens?      yang:counter64
                +--ro connection-closes?     yang:counter64
                +--ro connection-aborts?     yang:counter64
                +--ro connection-failures?   yang:counter64
                +--ro connection-timeouts?   yang:counter64
                +--ro messages-sent?         yang:counter64
                +--ro messages-received?     yang:counter64
                +--ro errors-received?       yang:counter64
                +--ro sessions?              yang:counter64

4.  TACACS+ Client Module

   This YANG module imports typedefs from [RFC6991].  This module also
   uses the interface typedef from [RFC8343], the leafref to VRF
   instance from [RFC8529], and the "default-deny-all" extension
   statement from [RFC8341].

   <CODE BEGINS> file "ietf-system-tacacs-plus@2021-03-12.yang"

   module ietf-system-tacacs-plus {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus";
     prefix sys-tcs-plus;

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991: Common YANG Data Types";
     }
     import ietf-yang-types {
       prefix yang;
       reference
         "RFC 6991: Common YANG Data Types";
     }
     import ietf-network-instance {
       prefix ni;
       reference
         "RFC 8529: YANG Data Model for Network Instances";
     }
     import ietf-interfaces {
       prefix if;
       reference
         "RFC 8343: A YANG Data Model for Interface Management";
     }
     import ietf-system {
       prefix sys;
       reference
         "RFC 7317: A YANG Data Model for System Management";
     }
     import ietf-netconf-acm {
       prefix nacm;
       reference
         "RFC 8341: Network Configuration Access Control Model";
     }

     organization
       "IETF Opsawg (Operations and Management Area Working Group)";
     contact
       "WG Web:
        WG List:

        Editor: Bo Wu
        Editor: Guangying Zheng ";
     description
       "This module provides configuration of a TACACS+ client.

        Copyright (c) 2021 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).
        This version of this YANG module is part of RFC XXXX; see the
        RFC itself for full legal notices.";

     // RFC Ed.: update the date below with the date of RFC
     // publication and remove this note.
     // RFC Ed.: replace XXXX with actual RFC number and remove
     // this note.

     revision 2021-03-12 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for TACACS+";
     }

     typedef tacacs-plus-server-type {
       type bits {
         bit authentication {
           description
             "Indicates that the TACACS+ server is providing
              authentication services.";
         }
         bit authorization {
           description
             "Indicates that the TACACS+ server is providing
              authorization services.";
         }
         bit accounting {
           description
             "Indicates that the TACACS+ server is providing
              accounting services.";
         }
       }
       description
         "tacacs-plus-server-type can be set to
          authentication/authorization/accounting
          or any combination of the three types.";
     }

     identity tacacs-plus {
       base sys:authentication-method;
       description
         "Indicates AAA operation using TACACS+.";
       reference
         "RFC 8907: The TACACS+ Protocol";
     }

     grouping statistics {
       description
         "Grouping for TACACS+ statistics attributes";
       container statistics {
         config false;
         description
           "A collection of server-related statistics objects";
         leaf connection-opens {
           type yang:counter64;
           description
             "Number of new connection requests sent to the server, e.g.,
              socket open";
         }
         leaf connection-closes {
           type yang:counter64;
           description
             "Number of connection close requests sent to the server, e.g.,
              socket close";
         }
         leaf connection-aborts {
           type yang:counter64;
           description
             "Number of aborted connections to the server.  These do
              not include connections that are closed gracefully.";
         }
         leaf connection-failures {
           type yang:counter64;
           description
             "Number of connection failures to the server";
         }
         leaf connection-timeouts {
           type yang:counter64;
           description
             "Number of connection timeouts to the server";
         }
         leaf messages-sent {
           type yang:counter64;
           description
             "Number of messages sent to the server";
         }
         leaf messages-received {
           type yang:counter64;
           description
             "Number of messages received from the server";
         }
         leaf errors-received {
           type yang:counter64;
           description
             "Number of error messages received from the server";
         }
         leaf sessions {
           type yang:counter64;
           description
             "Number of TACACS+ sessions completed with the server.
              If the Single Connection Mode was NOT enabled, the number of
              sessions is the same as the number of 'connection-closes'.
              If the Mode was enabled, a single TCP connection may contain
              multiple TACACS+ sessions.";
         }
       }
     }

     grouping tacacs-plus {
       description
         "Grouping for TACACS+ attributes";
       container tacacs-plus {
         must "not(derived-from-or-self(../sys:authentication"
            + "/sys:user-authentication-order, 'tacacs-plus'))"
            + " or bit-is-set(server/server-type,'authentication')" {
           error-message "When 'tacacs-plus' is used as a system"
                       + " authentication method, a TACACS+ authentication"
                       + " server must be configured.";
           description
             "When 'tacacs-plus' is used as an authentication method,
              a TACACS+ server must be configured.";
         }
         description
           "Container for TACACS+ configurations and operations.";
         list server {
           key "name";
           ordered-by user;
           description
             "List of TACACS+ servers used by the device.";
           leaf name {
             type string;
             description
               "An arbitrary name for the TACACS+ server.";
           }
           leaf server-type {
             type tacacs-plus-server-type;
             description
               "Server type: authentication/authorization/accounting and
                various combinations.";
           }
           leaf address {
             type inet:host;
             mandatory true;
             description
               "The address of the TACACS+ server.";
           }
           leaf port {
             type inet:port-number;
             default "49";
             description
               "The port number of the TACACS+ server.";
           }
           choice encryption {
             mandatory true;
             description
               "Encryption mechanism between TACACS+ client and server.";
             case shared-secret {
               leaf shared-secret {
                 type string {
                   length "16..max";
                 }
                 nacm:default-deny-all;
                 description
                   "The shared secret, which is known to both the
                    TACACS+ client and server.  TACACS+ server
                    administrators should configure a shared secret of
                    minimum 16 characters length.
                    It is highly recommended that shared keys are at least
                    32 characters long.";
                 reference
                   "RFC 8907: The TACACS+ Protocol";
               }
             }
           }
           choice source-type {
             description
               "The source address type for outbound TACACS+ packets.";
             case source-ip {
               leaf source-ip {
                 type inet:ip-address;
                 description
                   "Specifies the source IP address for TACACS+ outbound
                    packets.";
               }
             }
             case source-interface {
               leaf source-interface {
                 type if:interface-ref;
                 description
                   "Specifies the interface from which the IP address is
                    derived for use as the source for the outbound TACACS+
                    packet";
               }
             }
           }
           leaf vrf-instance {
             type leafref {
               path "/ni:network-instances/ni:network-instance/ni:name";
             }
             description
               "Specifies the VPN Routing and Forwarding (VRF) instance to
                use to communicate with the TACACS+ server.";
             reference
               "RFC 8529: YANG Data Model for Network Instances";
           }
           leaf single-connection {
             type boolean;
             default "false";
             description
               "Whether the single connection mode is enabled for the
                server.  By default, the single connection mode is
                disabled.";
           }
           leaf timeout {
             type uint16 {
               range "1..300";
             }
             units "seconds";
             default "5";
             description
               "The number of seconds the device will wait for a
                response from each TACACS+ server before trying with a
                different server.";
           }
           uses statistics;
         }
       }
     }

     augment "/sys:system" {
       description
         "Augment the system model with the tacacs-plus model";
       uses tacacs-plus;
     }
   }

   <CODE ENDS>

5.  Security Considerations

   The YANG module defined in this document is designed to be accessed
   via network management protocols such as NETCONF [RFC6241] or
   RESTCONF [RFC8040].  The lowest NETCONF layer is the secure transport
   layer, and the mandatory-to-implement secure transport is Secure
   Shell (SSH) [RFC6242].  The lowest RESTCONF layer is HTTPS, and the
   mandatory-to-implement secure transport is TLS [RFC8446].

   The NETCONF access control model [RFC8341] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  These are the subtrees and data nodes
   and their sensitivity/vulnerability:

   /system/tacacs-plus/server:  This list contains the data nodes used
      to control the TACACS+ servers used by the device.  Unauthorized
      access to this list could give an attacker complete control over
      the device by pointing it to a compromised TACACS+ server.
   /system/tacacs-plus/server/shared-secret:  This leaf controls the
      key known to both the TACACS+ client and server.  Unauthorized
      access to this leaf could make the device vulnerable to attacks,
      and it has therefore been restricted using the "default-deny-all"
      access control defined in [RFC8341].

   Since this document describes the use of TACACS+ for purposes of
   authentication, authorization and accounting, it is vulnerable to all
   of the threats that are present in TACACS+ applications.  For a
   discussion of such threats, see Section 9 of the TACACS+ Protocol
   [RFC8907].

6.  IANA Considerations

   This document registers a URI in the IETF XML registry [RFC3688].
   Following the format in [RFC3688], the following registration is
   requested to be made:

      URI: urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus
      Registrant Contact: The IESG.
      XML: N/A, the requested URI is an XML namespace.

   This document registers a YANG module in the YANG Module Names
   registry [RFC7950].

      Name: ietf-system-tacacs-plus
      Namespace: urn:ietf:params:xml:ns:yang:ietf-system-tacacs-plus
      Prefix: sys-tcs-plus
      Reference: RFC XXXX (RFC Ed.: replace XXXX with actual
                 RFC number and remove this note.)

7.  Acknowledgments

   The authors wish to thank Alex Campbell, John Heasley, Ebben Aries,
   Alan DeKok, Joe Clarke, Tom Petch, Robert Wilton, and many others for
   their helpful comments and suggestions.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7317]  Bierman, A. and M. Bjorklund, "A YANG Data Model for
              System Management", RFC 7317, DOI 10.17487/RFC7317, August
              2014.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [RFC8343]  Bjorklund, M., "A YANG Data Model for Interface
              Management", RFC 8343, DOI 10.17487/RFC8343, March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

   [RFC8529]  Berger, L., Hopps, C., Lindem, A., Bogdanovic, D., and X.
              Liu, "YANG Data Model for Network Instances", RFC 8529,
              DOI 10.17487/RFC8529, March 2019.

   [RFC8907]  Dahm, T., Ota, A., Medway Gash, D., Carrel, D., and L.
              Grant, "The Terminal Access Controller Access-Control
              System Plus (TACACS+) Protocol", RFC 8907,
              DOI 10.17487/RFC8907, September 2020.

8.2.  Informative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

Appendix A.  Example TACACS+ Authentication Configuration

   The following shows an example where a TACACS+ authentication server
   instance is configured.  The JSON encoding follows [RFC7951]: the
   container and identity contributed by the augmenting module are
   qualified with its module name, and the uint16 "timeout" is carried
   as a number.

   {
     "ietf-system:system": {
       "authentication": {
         "user-authentication-order": [
           "ietf-system-tacacs-plus:tacacs-plus", "local-users"
         ]
       },
       "ietf-system-tacacs-plus:tacacs-plus": {
         "server": [
           {
             "name": "tac_plus1",
             "server-type": "authentication",
             "address": "192.0.2.2",
             "shared-secret": "QaEfThUkO1980100754609236h3TbE8n",
             "source-ip": "192.0.2.12",
             "timeout": 10
           }
         ]
       }
     }
   }

Authors' Addresses

   Bo Wu (editor)
   Huawei Technologies, Co.,
   Ltd
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu  210012
   China

   Email: lana.wubo@huawei.com


   Guangying Zheng
   Huawei Technologies, Co.,
   Ltd
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu  210012
   China

   Email: zhengguangying@huawei.com


   Michael Wang (editor)
   Huawei Technologies, Co.,
   Ltd
   101 Software Avenue, Yuhua District
   Nanjing  210012
   China

   Email: wangzitao@huawei.com
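As an added example that is not part of the draft, the following Python checks a JSON-encoded instance such as the one in Appendix A against the constraints the module carries: the mandatory "address" leaf and "encryption" choice, the 16-character minimum on "shared-secret", the exclusive "source-type" choice, the "timeout" range, the unique list key, and the container's "must" statement that ties a "tacacs-plus" entry in "user-authentication-order" to at least one server with the "authentication" bit set. The embedded instance is the Appendix A example re-encoded per RFC 7951 (module-qualified container and identityref, numeric uint16); load_instance(), server_errors() and validate() are names chosen here, not tooling from the draft.

```python
import json

# Constructed instance (not the draft's own text): the Appendix A example
# encoded per RFC 7951, i.e. the augmenting module's name qualifies the
# "tacacs-plus" container and the identityref, and uint16 is a JSON number.
APPENDIX_A = """
{
  "ietf-system:system": {
    "authentication": {
      "user-authentication-order": [
        "ietf-system-tacacs-plus:tacacs-plus", "local-users"
      ]
    },
    "ietf-system-tacacs-plus:tacacs-plus": {
      "server": [
        {
          "name": "tac_plus1",
          "server-type": "authentication",
          "address": "192.0.2.2",
          "shared-secret": "QaEfThUkO1980100754609236h3TbE8n",
          "source-ip": "192.0.2.12",
          "timeout": 10
        }
      ]
    }
  }
}
"""

# The identity and the augmented container are both named "tacacs-plus"
# in module ietf-system-tacacs-plus, so their qualified names coincide.
TACACS_PLUS = "ietf-system-tacacs-plus:tacacs-plus"


def load_instance(text):
    """Parse a JSON-encoded datastore instance into a dict."""
    return json.loads(text)


def server_errors(srv):
    """Constraints carried by one entry of the 'server' list."""
    name = srv.get("name", "<unnamed>")
    errs = []
    if "address" not in srv:  # leaf address: mandatory true
        errs.append(f"{name}: leaf 'address' is mandatory")
    if "shared-secret" not in srv:  # choice encryption: mandatory true
        errs.append(f"{name}: choice 'encryption' is mandatory")
    elif len(srv["shared-secret"]) < 16:  # length "16..max"
        errs.append(f"{name}: shared-secret must be at least 16 characters")
    if "source-ip" in srv and "source-interface" in srv:  # choice source-type
        errs.append(f"{name}: source-ip and source-interface are exclusive")
    timeout = srv.get("timeout", 5)  # default "5", range "1..300"
    if not isinstance(timeout, int) or not 1 <= timeout <= 300:
        errs.append(f"{name}: timeout must be an integer in 1..300 seconds")
    return errs


def validate(instance):
    """Return the list of violations found; an empty list means the
    instance satisfies every constraint modelled here."""
    system = instance.get("ietf-system:system", {})
    order = system.get("authentication", {}).get("user-authentication-order", [])
    servers = system.get(TACACS_PLUS, {}).get("server", [])
    names = [s.get("name") for s in servers]
    errs = ["duplicate 'name' in server list"] if len(names) != len(set(names)) else []
    for srv in servers:
        errs.extend(server_errors(srv))
    # The container's 'must' statement: when 'tacacs-plus' is a system
    # authentication method, some server must carry the 'authentication'
    # bit (bits are JSON-encoded as a space-separated string of bit names).
    has_auth_server = any("authentication" in s.get("server-type", "").split()
                          for s in servers)
    if TACACS_PLUS in order and not has_auth_server:
        errs.append("When 'tacacs-plus' is used as a system authentication "
                    "method, a TACACS+ authentication server must be configured.")
    return errs
```

Running validate(load_instance(APPENDIX_A)) returns an empty list; flipping the server's "server-type" to "accounting" while "tacacs-plus" stays in the authentication order reproduces the module's must-statement error.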