Security Automation and Continuous Monitoring (SACM)             Q. Lin
Internet-Draft                                                    L. Xia
Intended status: Standards Track                                  Huawei
Expires: April 25, 2019                                      H. Birkholz
                                                          Fraunhofer SIT
                                                        October 22, 2018

    The Data Model of Network Infrastructure Device Management Plane
                            Security Baseline
                draft-lin-sacm-nid-mp-security-baseline-04

Abstract

   This document provides a security baseline for the network device
   management plane, represented as a YANG data model.  The corresponding
   configuration values and status values of the YANG data model can be
   transported between Security Automation and Continuous Monitoring
   (SACM) components and used for network device security posture
   assessment.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 25, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
   4.  Tree Diagrams
   5.  Data Model Structure
     5.1.  Administration Security
       5.1.1.  Administrative Account Security
       5.1.2.  Administrator Access Security
       5.1.3.  AAA
       5.1.4.  Administrator Access Statistics
     5.2.  System Management Security
       5.2.1.  SNMP Management Security
       5.2.2.  NETCONF Management Security
     5.3.  Port Management Security
     5.4.  Log Security
     5.5.  File Security
   6.  Network Infrastructure Device Security Baseline Yang Module
     6.1.  Module 'ietf-admin-account-security'
     6.2.  Module 'ietf-admin-access-security'
     6.3.  Module 'ietf-aaa-security'
     6.4.  Module 'ietf-admin-access-statistics'
     6.5.  Module 'ietf-snmp-security'
     6.6.  Module 'ietf-netconf-security'
     6.7.  Module 'ietf-port-management-security'
   7.  Acknowledgements
   8.  IANA Considerations
   9.  Security Considerations
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Appendix A.
   Authors' Addresses

1.  Introduction

   Besides user devices and servers, network devices such as routers,
   switches, and firewalls are crucial to enterprise network security.
   The security baseline defined in this document refers to a minimal
   set of security controls that are essential to provide network
   security.  Organizations can define additional security controls
   based on the security baseline.  The security posture of network
   devices can then be assessed by comparing the configuration values
   and status values with the required security controls.

   Network devices typically operate on three planes: the management
   plane, the control plane and the data plane.  All three planes
   should be protected and monitored.  This document focuses on the
   security baseline for the management plane.  The management plane
   provides configuration and monitoring services to network
   administrators or device owners.  Unauthorized access, insecure
   access channels and weak cryptographic algorithms are common security
   issues that break management plane security.  A number of security
   best practices have been proposed to deal with these issues, such as
   disabling unused services and ports, discarding insecure access
   channels, and enforcing strong user authentication and authorization.
   In this document, we provide a minimal set of security controls that
   are expected to be widely applicable to common network devices.  To
   assess the security posture of network devices, the configurations
   that are effective on the network devices and the current status of
   the network devices will be compared with the reference values
   defined by an organization or a third party.

   A YANG data model is used to describe the security baseline defined
   in this document.
   [I-D.birkholz-sacm-yang-content] defines a method to construct the
   YANG data model scheme for network device security posture assessment
   by brokering YANG push telemetry through SACM statements.  In this
   document, we follow the same approach to define the YANG output for
   network device security posture, based on
   [I-D.ietf-sacm-information-model].

   Besides the management plane, the security baselines for the control
   plane, the data plane, and the infrastructure layer of network
   infrastructure devices are described in
   [I-D.dong-sacm-nid-cp-security-baseline],
   [I-D.xia-sacm-nid-dp-security-baseline] and
   [I-D.dong-sacm-nid-infra-security-baseline], respectively.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Terminology

   This document uses the terms defined in [RFC7950] and [RFC8342].

4.  Tree Diagrams

   The tree diagram notation defined in [RFC8340] is used to represent
   the YANG data model of network device management plane security.  The
   meaning of the symbols used in the tree diagrams and the syntax are
   as follows:

   o  A module is identified by "module:" followed by the module name.
      The top-level data nodes defined in the module are offset by 2
      spaces.  Submodules are represented in the same fashion as
      modules, but are identified by "submodule:" followed by the
      (sub)module name.

   o  Groupings are offset by 2 spaces and identified by the keyword
      "grouping" followed by the name of the grouping and a colon (":")
      character.

   o  Each node in the tree is prefixed with "+--".  Schema nodes that
      are children of another node are offset from the parent by 3
      spaces.

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write), "ro" means state data (read-only), and "-u"
      indicates the use of a predefined grouping.

   o  Symbols after data node names: "?" means an optional leaf, choice,
      anydata, or anyxml, "!" means a presence container, and "*"
      denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  When the composition of the nodes within a module schema is not
      important in the context of the presented tree, sibling nodes and
      their children can be collapsed using the notation "..." in place
      of the text lines used to represent the summarized nodes.

   o  Curly brackets and a question mark "{...}?" are combined to
      represent the features that a node depends on.

5.  Data Model Structure

   The security baseline defined in this document consists of security
   configuration and runtime security status for administration, system
   management, port management, logs and files:

   o  Administration security

   o  System management security

   o  Port management security

   o  Log security

   o  File security

   A multitude of YANG modules for network devices and network protocols
   have been defined in the IETF.  Several RFCs and drafts model some
   parts of management plane security, but an overall data model of
   management plane security is still missing.  New modules, groupings,
   and nodes are defined in this document as supplements, and the
   existing YANG modules are reused.  Appendix A provides a summary of
   the existing YANG modules and their relationship to the security
   baseline defined in this document.

5.1.  Administration Security

5.1.1.  Administrative Account Security

   When providing administrative accounts, security controls on account
   properties and passwords should be applied.
   The commonly applied security controls include limiting the length
   of the account name, checking that the password complies with the
   complexity policy, forbidding the use of certain strings in
   passwords, blocking accounts after several failed logins, etc.  The
   following data model illustrates these kinds of security controls.

   module: ietf-admin-account-security
     +--rw ietf-admin-account-security
        +--rw account-security-policy {account-security}?
        |  +--rw policy-status?          boolean
        |  +--rw account-aging-period?   uint64
        |  +--rw account-name-minlen?    uint64
        +--rw pwd-security-policy {pwd-security}?
        |  +--rw expire-days?            uint64
        |  +--rw prompt-days?            uint64
        |  +--rw change-check?           boolean
        |  +--rw complexity-check?       boolean
        |  +--ro history-pwd-num?        uint64
        |  +--rw pwd-minlen?             uint64
        |  +--rw forbidden-word-rules?
        |     +--rw forbidden-word-rule* [forbidden-word]
        |        +--rw forbidden-word    string
        +--rw login-failed-limit {login-failed-block}?
           +--rw failed-times?           uint64
           +--rw period?                 uint64
           +--rw reactive-time?          uint64

5.1.2.  Administrator Access Security

   Network devices typically can be managed through a command line
   interface (CLI) or a web user interface.  Insecure access channels
   (e.g., Telnet) can expose the devices to threats and attacks.
   Therefore, SSH-based access channels and HTTPS-based web channels
   should be used.  Besides, the right version of the protocols should
   be chosen.  For example, SSHv1 is considered not secure, and SSHv2 is
   recommended.  The draft [I-D.ietf-tls-oldversions-deprecate] will
   formally deprecate Transport Layer Security (TLS) versions 1.0
   [RFC2246] and 1.1 [RFC4346] and move these documents to the historic
   state.

   module: ietf-admin-access-security
     +--rw ietf-admin-access-security
        +--rw console
        |  +--rw auth-mode?         auth-mode-type
        |  +--rw privilege-level?   uint8
        +--rw vtys
        |  +--rw vty* [vty-number]
        |     +--rw vty-number        uint8
        |     +--rw auth-mode         auth-mode-type
        |     +--rw privilege-level   uint8
        |     +--rw acl-name-list*    string
        |     +--rw ip-block-enable   boolean
        |     +--rw ip-block-limit {ip-block-config}?
        |        +--rw failed-times?    uint64
        |        +--rw period?          uint64
        |        +--rw reactive-time?   uint64
        +--rw ssh
        |  +--rw ssh-enable?        boolean
        |  +---u ssh-server-attribute-grouping
        |  +---u ssh-security-harden-grouping
        |  +--rw ip-block-enable    boolean
        |  +--rw ip-block-limit {ip-block-config}?
        |     +--rw failed-times?    uint64
        |     +--rw period?          uint64
        |     +--rw reactive-time?   uint64
        +--rw web {web-interface}?
           +--rw privilege-level?         uint8
           +--rw http-server-interface?   string
           +--rw https-ipv4-enable?       boolean
           +--rw https-ipv6-enable?       boolean
           +--rw https-source-port?       inet:port-number
           +--rw https-timeout?           uint32
           +--rw acl-name-list*           string
           +--rw ip-block-enable          boolean
           +--rw ip-block-limit {ip-block-config}?
           |  +--rw failed-times?    uint64
           |  +--rw period?          uint64
           |  +--rw reactive-time?   uint64
           +---u tls-server-attribute-grouping

   [I-D.ietf-netconf-ssh-client-server] defines "ssh-server-grouping"
   for configuring an SSH server and does not consider the underlying
   transport parameters.  It reuses the groupings defined in
   [I-D.ietf-netconf-keystore].  Because this document focuses on the
   security configurations that are actively in use when the network
   device acts as an SSH server, the "ssh-server-attribute-grouping"
   defined here tailors the "private-key" node and the "certificate-
   expiration" notification of "ssh-server-grouping".  The tree diagram
   of grouping "ssh-server-attribute-grouping":

   grouping ssh-server-attribute-grouping:
     +--rw server-identity
     |  +--rw host-key* [name]
     |     +--rw name    string
     |     +--rw (host-key-type)
     |        +--:(public-key)
     |        |  +--rw (local-or-keystore)
     |        |     +--:(local)
     |        |     |  +---u ks:public-key-grouping
     |        |     +--:(keystore) {ks:keystore-implemented}?
     |        |        +--rw ref?   ks:asymmetric-key-certificate-ref
     |        +--:(certificate) {sshcmn:ssh-x509-certs}?
     |           +--rw (local-or-keystore)
     |              +--:(local)
     |              |  +---u ks:public-key-grouping
     |              |  +---u ks:trust-anchor-cert-grouping
     |              +--:(keystore) {ks:keystore-implemented}?
     |                 +--rw ref?   ks:asymmetric-key-certificate-ref
     +--rw client-cert-auth {sshcmn:ssh-x509-certs}?
     |  +--rw pinned-ca-certs?       ta:pinned-certificates-ref
     |  +--rw pinned-client-certs?   ta:pinned-certificates-ref
     +--rw transport-params {ssh-server-transport-params-config}?
        +---u sshcmn:transport-params-grouping

   Besides the security configurations defined in "ssh-server-
   attribute-grouping", there are several other features related to the
   secure use and configuration of SSH, such as which SSH version is
   used, whether the network device supports compatibility with earlier
   SSH versions, whether the port number has been changed, etc.  The
   "ssh-security-harden-grouping" includes these kinds of security
   configurations and state.  The tree diagram of grouping "ssh-
   security-harden-grouping":

   grouping ssh-security-harden-grouping:
     +--ro ssh-version             uint32
     +--rw ssh-server-port?        inet:port-number
     +--rw ssh-rekey-interval?     uint32
     +--rw ssh-timeout?            uint32
     +--rw ssh-retry-times?        uint32
     +--rw ssh1x-compatible?       boolean
     +--rw ssh-server-interface?   string

   [I-D.ietf-netconf-tls-client-server] defines "tls-server-grouping"
   for configuring a TLS server and does not consider the underlying
   transport parameters.
   It reuses the groupings defined in [I-D.ietf-netconf-keystore].
   Because this document focuses on the security configurations that
   are actively in use when the network device acts as a web server and
   builds connections through HTTPS, the "tls-server-attribute-grouping"
   defined here tailors the "private-key" node and the "certificate-
   expiration" notification of "tls-server-grouping".  The tree diagram
   of grouping "tls-server-attribute-grouping":

   grouping tls-server-attribute-grouping:
     +--rw server-identity
     |  +--rw (local-or-keystore)
     |     +--:(local)
     |     |  +---u ks:public-key-grouping
     |     |  +---u ks:trust-anchor-cert-grouping
     |     +--:(keystore) {ks:keystore-implemented}?
     |        +--rw ref?   ks:asymmetric-key-certificate-ref
     +--rw client-auth
     |  +--rw pinned-ca-certs?       ta:pinned-certificates-ref
     |  +--rw pinned-client-certs?   ta:pinned-certificates-ref
     +--rw hello-params {tls-server-hello-params-config}?
        +--rw tls-versions
        |  +--rw tls-version*    identityref
        +--rw cipher-suites
           +--rw cipher-suite*   identityref

5.1.3.  AAA

   Authentication, Authorization, and Accounting (AAA) provides user
   management for network devices.  RADIUS (Remote Authentication Dial
   In User Service) and TACACS+ (Terminal Access Controller Access
   Control System) are the commonly used AAA mechanisms.  In order to
   implement AAA, network devices act as AAA clients to communicate with
   AAA servers.  [RFC7317] defines a YANG module for clients to
   configure the RADIUS authentication server information.  In this
   document, authentication, authorization and accounting schemes, as
   well as AAA server lists, are all included.

   module: ietf-aaa-security
     +--rw ietf-aaa-security
        +--rw authentication-scheme* [authen-scheme-name]
        |  +--rw authen-scheme-name    string
        |  +--rw authen-mode*          aaa-authen-mode
        |  +--rw authen-type?          radius-authen-type
        |  +--rw authen-fail-policy?   boolean
        +--rw authorization-scheme* [author-scheme-name]
        |  +--rw author-scheme-name    string
        |  +--rw author-mode*          aaa-author-mode
        |  +--rw cmd-author-mode*      aaa-cmd-author-mode
        +--rw accounting-scheme* [account-scheme-name]
        |  +--rw account-scheme-name   string
        |  +--rw account-mode?         aaa-account-name
        +--rw radius-security
        |  +--rw radius-authen-servers* [address]
        |  |  +--rw address   inet:host
        |  |  +--rw port?     inet:port-number
        |  +--rw radius-author-servers* [address]
        |  |  +--rw address   inet:host
        |  |  +--rw port?     inet:port-number
        |  +--rw radius-account-servers* [address]
        |     +--rw address   inet:host
        |     +--rw port?     inet:port-number
        +--rw tacacs-security {tacacs-supported}?
           +--rw tacacs-authen-servers* [address]
           |  +--rw address   inet:host
           |  +--rw port?     inet:port-number
           +--rw tacacs-author-servers* [address]
           |  +--rw address   inet:host
           |  +--rw port?     inet:port-number
           +--rw tacacs-account-servers* [address]
              +--rw address   inet:host
              +--rw port?     inet:port-number

5.1.4.  Administrator Access Statistics

   The statistics of the currently online administrators, the failed
   login attempts and the blocked addresses are useful for monitoring
   network infrastructure devices.

   module: ietf-admin-access-statistics
     +--ro ietf-admin-access-statistics
        +--ro online
        |  +--ro total-online-users   uint32
        |  +--ro online-admin-list {display-online-info}?
        |     +--ro online-users* [account-name]
        |        +--ro account-name   string
        |        +--ro ip-address     inet:ip-address-no-zone
        |        +--ro mac-address    yang:mac-address
        +--ro ip-block-list
           +--ro blocked-ip* [ip-address]
              +--ro ip-address            inet:ip-address-no-zone
              +--ro vpn-instance          string
              +--ro state                 ip-block-state-type
              +--ro authen-fail-account   uint32

5.2.  System Management Security

5.2.1.  SNMP Management Security

   Simple Network Management Protocol (SNMP) is a network management
   standard used to monitor network devices.  Three SNMP versions are
   available: SNMPv1, SNMPv2c, and SNMPv3.  [RFC7407] defines the
   community-based security model for SNMPv1 and SNMPv2c, and the
   view-based access control model, the user-based security model and
   the transport security model for SNMPv3.  SNMPv1 and SNMPv2c lack
   authentication and message encryption, which could facilitate
   unauthorized access to network devices.  SNMPv3 needs to be used to
   authenticate and encrypt payloads.  The "ietf-snmp-security" module
   defined in this section reuses the definitions in [RFC7407], but
   with some modifications and eliminations.  As this module only
   focuses on the security controls and status of SNMP, the detailed
   transport information such as IP address and port is not included,
   while the transport protocol used is taken into consideration.  The
   subtree for key configuration is also not needed for the user-based
   security model, but the authentication protocol or encryption
   protocol used is included.

   module: ietf-snmp-security
     +--rw ietf-snmp-security
        +--rw snmp-enable?   boolean
        +--rw engine
        |  +--rw enabled?               boolean
        |  +--rw listen* [name]
        |  |  +--rw name        snmp:identifier
        |  |  +--rw transport   snmp-transport-type
        |  +--rw version                snmp-version-type
        |  +--rw enable-authen-traps?   boolean
        +--rw target* [name]
        |  +--rw name            snmp:identifier
        |  +--rw transport       snmp-transport-type
        |  +--rw target-params   snmp:identifier
        +--rw target-params* [name]
        |  +--rw name   snmp:identifier
        |  +--rw (params)?
        |     +--:(usm)
        |     |  +---u snmp:usm-target-params
        |     +--:(tsm) {snmp:tsm}?
        |        +---u snmp:tsm-target-params
        +--rw vacm
        |  +--ro vacm-enable?   boolean
        |  +--rw group* [name]
        |  |  +--rw name   snmp:group-name
        |  |  +--rw member* [security-name]
        |  |  |  +--rw security-name     snmp:security-name
        |  |  |  +--rw security-model*   snmp:security-model
        |  |  +--rw access* [context security-model security-level]
        |  |     +--rw context          snmp:context-name
        |  |     +--rw context-match?   enumeration
        |  |     +--rw security-model   snmp:security-model-or-any
        |  |     +--rw security-level   snmp:security-level
        |  |     +--rw read-view?       snmp:view-name
        |  |     +--rw write-view?      snmp:view-name
        |  |     +--rw notify-view?     snmp:view-name
        |  +--rw view* [name]
        |     +--rw name       vacm:view-name
        |     +--rw include*   snmp:wildcard-object-identifier
        |     +--rw exclude*   snmp:wildcard-object-identifier
        +--rw usm
        |  +--ro usm-enable?   boolean
        |  +--rw local
        |  |  +---u user-auth-priv
        |  +--rw remote
        |     +---u user-auth-priv
        +--rw tsm {tsm}?
           +--ro tsm-enable?   boolean

   The tree diagram of grouping "user-auth-priv":

   grouping user-auth-priv:
     +--rw user* [name]
        +--rw name            snmp:identifier
        +--rw auth-protocol   auth-pro-type
        +--rw priv-protocol   priv-pro-type

5.2.2.  NETCONF Management Security

   The NETCONF server model defined in
   [I-D.ietf-netconf-netconf-client-server] supports both the SSH and
   TLS transport protocols.  The "ietf-netconf-security" module defined
   in this section only reuses the security related subtrees and
   replaces the SSH and TLS related groupings with those defined in the
   "ietf-admin-access-security" module.

   module: ietf-netconf-security
     +--rw ietf-netconf-security
        +--rw netconf-enable?   boolean
        +--rw listen {ncs:listen}?
        |  +--rw endpoint* [name]
        |     +--rw name   string
        |     +--rw (transport)
        |        +--:(ssh) {ssh-listen}?
        |        |  +--rw port   inet:port-number
        |        |  +---u accsec:ssh-server-attribute-grouping
        |        +--:(tls) {tls-listen}?
        |           +--rw port   inet:port-number
        |           +---u accsec:tls-server-attribute-grouping
        +--rw call-home {call-home}?
           +--rw netconf-client* [name]
              +--rw name   string
              +--rw endpoints
                 +--rw endpoint* [name]
                    +--rw name   string
                    +--rw (transport)
                       +--:(ssh) {ssh-call-home}?
                       |  +--rw port   inet:port-number
                       |  +---u accsec:ssh-server-attribute-grouping
                       +--:(tls) {tls-call-home}?
                          +--rw port   inet:port-number
                          +---u accsec:tls-server-attribute-grouping

5.3.  Port Management Security

   As it is suggested to disable unused services and ports, the current
   status (open or shut down) of the ports that are available on the
   network devices can be retrieved and compared with the communication
   matrix to check the device security posture.

   module: ietf-port-management-security
     +--rw ietf-port-management-security
        +--rw port-list* [port-number]
           +--rw port-number   inet:port-number
           +--rw port-status   boolean

5.4.  Log Security

   To monitor the running status and diagnose faults or attacks on
   network devices, the activities of network administrators, the
   operations conducted on devices, and the security notifications of
   abnormal events need to be recorded.  Besides, a policy should be
   defined to deal with log overflow.  Log records can be output to the
   console, stored locally, or sent to a remote Syslog server.  The
   "ietf-log-security" module defined below reuses the security
   configuration for remote log transfer in
   [I-D.ietf-netmod-syslog-model], and adds access control for locally
   stored log files.
   module: ietf-log-security
     +--rw ietf-log-security
        +--rw alert-notification
        |  +--rw login-fail-threshold   uint8
        |  +--rw system-abnormal        boolean
        |  +--rw attack                 boolean
        |  +--rw log-overflow-lost      boolean
        +--rw (log-overflow-action)
        |  +--:(rewrite-when-overflow)   boolean
        |  |  +--ro rewrite-numbers   uint16
        |  +--:(discard-new-logs)        boolean
        |     +--ro discard-numbers   uint16
        +--rw (log-mode)
           +--:(file) {file-action}?
           |  +--rw user-level-for-read     uint8
           |  +--rw user-level-for-delete   uint8
           +--:(remote) {remote-action}?   [I-D.ietf-netmod-syslog-model]
              +--rw destination* [name]
                 +--rw name   string
                 +--rw (transport)
                 |  ...
                 +--rw signing! {signed-messages}?
                    ...

5.5.  File Security

   Patches, packages, configuration files and password files are
   critical system files for network infrastructure devices.  Only
   administrators with certain security privilege levels are allowed to
   access or operate on these files.  For file transfer security, a
   secure protocol should be used.

   module: ietf-file-security
     +--rw ietf-file-security
        +--rw role-based-access-control   boolean
        +--rw transport-protocol          file-pro-type
        +--rw (transport)
        |  +--:(sftp) {sftp}?
        |  |  +--rw sftp-enable        boolean
        |  |  +--rw sftp-server-port   inet:port-number
        |  |  +---u accsec:ssh-server-attribute-grouping
        |  |  +---u accsec:ssh-security-harden-grouping
        |  +--:(scp) {scp}?
        |  |  +--rw scp-enable         boolean
        |  |  +--rw scp-server-port    inet:port-number
        |  |  +---u accsec:ssh-server-attribute-grouping
        |  |  +---u accsec:ssh-security-harden-grouping
        |  +--:(ftps) {ftps}?
        |     +--rw ftps-enable        boolean
        |     +--rw ftps-server-port   inet:port-number
        |     +---u accsec:tls-server-attribute-grouping
        +--rw ip-block-enable   boolean
        +--rw ip-block-limit {ip-block-config}?
           +--rw failed-times    uint64
           +--rw period          uint64
           +--rw reactive-time   uint64

6.  Network Infrastructure Device Security Baseline Yang Module

6.1.  Module 'ietf-admin-account-security'

   <CODE BEGINS> file "ietf-admin-account-security@2018-10-16.yang"
   module ietf-admin-account-security {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-admin-account-security";
     prefix acsec;

     organization
       "IETF SACM (Security Automation and Continuous Monitoring)
        Working Group";

     contact
       "WG Web:   http://tools.ietf.org/wg/sacm/
        WG List:  sacm@ietf.org

        Editor:   Qiushi Lin
                  linqiushi@huawei.com;
        Editor:   Liang Xia
                  frank.xialiang@huawei.com
        Editor:   Henk Birkholz
                  henk.birkholz@sit.fraunhofer.de";

     description
       "This YANG module defines ietf-admin-account-security YANG module,
        which contains configurations that are actively in use for
        account security control, password security control and
        administrative account block.";

     revision 2018-10-16 {
       description "Initial version.";
       reference
         "draft-lin-sacm-nid-mp-security-baseline-04: The Data Model of
          Network Infrastructure Device Management Plane Security
          Baseline";
     }

     /*
      * features
      */
     feature account-security {
       description
         "If the network device supports this feature, then several
          security controls on administrative accounts can be conducted.";
     }

     feature pwd-security {
       description
         "If the network device supports this feature, then several
          security controls on passwords can be conducted.";
     }

     feature login-failed-block {
       description
         "If the network device supports this feature, an administrative
          account will be blocked for a certain time range when this
          account fails to log in several times in a certain period.";
     }

     /*
      * containers
      */

     container account-security-policy {
       if-feature account-security;
       leaf policy-status {
         type boolean;
         description
           "The status of account security policy: enabled, or disabled.";
       }
       leaf account-aging-period {
         type uint64;
         description
           "The aging period of an administrative account.";
       }
       leaf account-name-minlen {
         type uint64;
         description
           "The minimum length of an administrative account name.";
       }
       description
         "If the network device supports some security controls on
          administrative accounts, the configuration that is actively in
          use will be collected.";
     }

     container pwd-security-policy {
       if-feature pwd-security;
       leaf expire-days {
         type uint64;
         description
           "The password validity period.";
       }
       leaf prompt-days {
         type uint64;
         description
           "The period for warning before the password expires.";
       }
       leaf change-check {
         type boolean;
         description
           "Whether it is mandatory to change the password when logging
            in for the first time: enabled, or disabled.";
       }
       leaf complexity-check {
         type boolean;
         description
           "The status of password complexity check: enabled, or
            disabled.";
       }
       leaf history-pwd-num {
         type uint64;
         config false;
         description
           "The newly configured password should not be the same as the
            several past passwords.";
       }
       leaf pwd-minlen {
         type uint64;
         description
           "The minimum length of a password.";
       }
       container forbidden-word-rules {
         list forbidden-word-rule {
           key "forbidden-word";
           leaf forbidden-word {
             type string;
             description
               "A forbidden word in password.";
           }
           description
             "A list of forbidden words that are not allowed to be used
              in password.";
         }
         description
           "Password blacklist.";
       }
       description
         "If the network device supports some security controls on
          administrative passwords, the configuration that is actively
          in use will be collected.";
     }

     container login-failed-limit {
       if-feature login-failed-block;
       leaf failed-times {
         type uint64;
         description
           "The number of failed login attempts in a certain period.";
       }
       leaf period {
         type uint64;
         description
           "The certain period in which the failed times are counted.";
       }
       leaf reactive-time {
         type uint64;
         description
           "The reactive time after which the account is not blocked.";
       }
       description
         "If the network device supports this feature, an account will
          be blocked for a certain time range when it fails to log in
          several times in a certain period.";
     }
   }
   <CODE ENDS>

6.2.  Module 'ietf-admin-access-security'

   module ietf-admin-access-security {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-admin-access-security";
     prefix accsec;

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991 - Common YANG Data Types.";
     }

     import ietf-ssh-common {
       prefix sshcmn;
       reference
         "draft-ietf-netconf-ssh-client-server - YANG Groupings for SSH
          Clients and SSH Servers";
     }
     import ietf-tls-common {
       prefix tlscmn;
       reference
         "draft-ietf-netconf-tls-client-server - YANG Groupings for TLS
          Clients and TLS Servers";
     }

     import ietf-keystore {
       prefix ks;
       reference
         "draft-ietf-netconf-keystore - YANG Data Model for a Centralized
          Keystore Mechanism";
     }

     import ietf-trust-anchors {
       prefix ta;
       reference
         "draft-ietf-netconf-trust-anchors - YANG Data Model for Global
          Trust Anchors";
     }

     organization
       "IETF SACM (Security Automation and Continuous Monitoring)
        Working Group";

     contact
       "WG Web:   http://tools.ietf.org/wg/sacm/
        WG List:  sacm@ietf.org

        Editor:   Qiushi Lin
                  linqiushi@huawei.com;
        Editor:   Liang Xia
                  frank.xialiang@huawei.com
        Editor:   Henk Birkholz
                  henk.birkholz@sit.fraunhofer.de";

     description
       "This YANG module defines ietf-admin-access-security YANG module,
        which contains security configurations that are actively in use
        for different access channels.";

     revision 2018-10-16 {
       description "Initial version.";
       reference
         "draft-lin-sacm-nid-mp-security-baseline-04: The Data
Model of Network Infrastructure Device Management Plane Security Baseline"; 846 } 848 /* 849 * features 850 */ 851 feature web-interface { 852 description 853 "If the network device supports web interface for administration, then administrative account can access this device through web interface."; 854 } 855 feature ip-block-config { 856 description 857 "If the network device supports the configuration of ip block function, then it can be configured to block the access from a list of IP addresses."; 858 } 860 feature ssh-server-transport-params-config { 861 description 862 "SSH transport layer parameters are configurable on an SSH server."; 863 } 865 feature tls-server-hello-params-config { 866 description 867 "TLS hello message parameters are configurable on a TLS server."; 868 } 870 /* 871 * typedefs 872 */ 873 typedef auth-mode-type { 874 type enumeration { 875 enum "none" { 876 description 877 "Authentication mode: none."; 878 } 879 enum "password" { 880 description 881 "Authentication mode: password."; 882 } 883 enum "aaa" { 884 description 885 "Authentication mode: aaa."; 886 } 887 } 888 description 889 "The Authentication mode of console and vty interface."; 890 } 892 /* 893 * groupings 894 */ 895 grouping ssh-server-attribute-grouping { 896 container server-identity { 897 list host-key { 898 key "name"; 899 leaf name { 900 type string; 901 description 902 "The name of the host-key."; 903 } 904 choice host-key-type { 905 mandatory true; 906 case public-key { 907 choice local-or-keystore { 908 case local { 909 uses ks:public-key-grouping; 910 description 911 "The public key and the corresponding algorithm."; 912 } 913 case keystore { 914 if-feature ks:keystore-implemented; 915 leaf ref { 916 type ks:asymmetric-key-certificate-ref; 917 description 918 "A reference to a value that exists in the keystore."; 919 } 920 description 921 "The reference of the key pair that stored in the keystore. 
"; 922 } 923 description 924 "The key pair is locally stored or can be referenced from the keystore."; 925 } 926 description 927 "The host key type is asymmetric key pair."; 928 } 929 case certificate { 930 if-feature sshcmn:ssh-x509-certs; 931 choice local-or-keystore { 932 case local { 933 uses ks:public-key-grouping; 934 uses ks:trust-anchor-cert-grouping; 935 description 936 "The certificate and the corresponding public key are stored locally."; 937 } 938 case keystore { 939 if-feature ks:keystore-implemented; 940 leaf ref { 941 type ks:asymmetric-key-certificate-ref; 942 description 943 "The certificate is referenced by a value that exists in the keystore."; 944 } 945 description 946 "The reference of the certificate that stored in the keystore."; 947 } 948 description 949 "The certificate is stored locally or can be referenced from the keystore."; 950 } 951 description 952 "The host key type is certificate."; 953 } 954 description 955 "Two types of host key: asymmetric key pair, certificate."; 956 } 957 description 958 "A list of host keys of the network device"; 959 } 960 description 961 "The list of host keys the network device (acts as SSH server) will use to construct its list of algorithms, when sending its SSH-MSG-KEXINIT message, ase defined in Section 7.1 of RFC 4253."; 962 } 963 container client-cert-auth { 964 if-feature sshcmn:ssh-x509-certs; 965 leaf pinned-ca-certs { 966 type ta:pinned-certificates-ref; 967 description 968 "A reference to a list of certificate authority (CA) certificates used by the SSH server to authenticate SSH client certificates."; 969 reference 970 "draft-ietf-netconf-trust-anchors: YANG Data Model for Global Trust Anchors"; 971 } 972 leaf pinned-client-certs { 973 type ta:pinned-certificates-ref; 974 description 975 "A reference to a list of client certificates used by the SSH server to authenticate SSH client certificates."; 976 reference 977 "draft-ietf-netconf-trust-anchors: YANG Data Model for Global Trust Anchors"; 978 
         }
         description
           "A reference to a list of pinned certificate authority (CA) certificates and a reference to a list of pinned client certificates.";
       }
       container transport-params {
         if-feature ssh-server-transport-params-config;
         uses sshcmn:transport-params-grouping;
         description
           "Configurable parameters of the SSH transport layer.";
       }
       description
         "A reusable grouping of configurations that are actively in use for network devices which act as SSH servers.";
     }

     grouping ssh-security-harden-grouping {
       leaf ssh-version {
         type uint32;
         config false;
         mandatory true;
         description
           "The SSH version that the network device supports.";
       }
       leaf ssh-server-port {
         type inet:port-number;
         description
           "The port number of the SSH server.";
       }
       leaf ssh-rekey-interval {
         type uint32;
         description
           "The interval for updating the key pair of the SSH server.";
       }
       leaf ssh-timeout {
         type uint32;
         description
           "The authentication timeout period of SSH.";
       }
       leaf ssh-retry-times {
         type uint32;
         description
           "The number of authentication retries.";
       }
       leaf ssh1x-compatible {
         type boolean;
         description
           "The status of the version-compatible function (SSH 1.x compatibility) on the SSH server: enabled, disabled.";
       }
       leaf ssh-server-interface {
         type string;
         description
           "The source interface of the SSH server.";
       }
       description
         "A set of SSH configuration states that enhance security.";
     }

     grouping tls-server-attribute-grouping {
       container server-identity {
         choice local-or-keystore {
           case local {
             uses ks:public-key-grouping;
             uses ks:trust-anchor-cert-grouping;
             description
               "The certificate and the corresponding public key are stored locally.";
           }
           case keystore {
             if-feature ks:keystore-implemented;
             leaf ref {
               type ks:asymmetric-key-certificate-ref;
               description
                 "The certificate is referenced by a value that exists in the keystore.";
             }
             description
               "A reference to the certificate that is stored in the keystore.";
           }
           description
             "The certificate is stored locally or referenced from the keystore.";
         }
         description
           "A locally-defined or referenced end-entity certificate, including any configured intermediate certificates, that the TLS server will present in its Certificate message when establishing a TLS connection, as defined in Section 7.4.2 of RFC 5246.";
       }
       container client-auth {
         leaf pinned-ca-certs {
           type ta:pinned-certificates-ref;
           description
             "A reference to a list of certificate authority (CA) certificates used by the TLS server to authenticate TLS client certificates.";
           reference
             "draft-ietf-netconf-trust-anchors: YANG Data Model for Global Trust Anchors";
         }
         leaf pinned-client-certs {
           type ta:pinned-certificates-ref;
           description
             "A reference to a list of client certificates used by the TLS server to authenticate TLS client certificates.";
           reference
             "draft-ietf-netconf-trust-anchors: YANG Data Model for Global Trust Anchors";
         }
         description
           "A reference to a list of pinned certificate authority (CA) certificates and a reference to a list of pinned client certificates.";
       }
       container hello-params {
         if-feature tls-server-hello-params-config;
         uses tlscmn:hello-params-grouping;
         description
           "Configurable parameters for the TLS hello message.";
       }
       description
         "A reusable grouping of configurations that are actively in use for network devices which act as TLS servers.";
     }

     /*
      * containers
      */
     container console {
       leaf auth-mode {
         type auth-mode-type;
         description
           "The authentication mode used when administrative accounts log in through the console interface: none, password, AAA.";
       }
       leaf privilege-level {
         type uint8;
         description
           "User privilege level.";
       }
       description
         "Security configurations that are actively in use for the console interface.";
     }

     container vtys {
       list vty {
         key "vty-number";
         leaf vty-number {
           type uint8;
           description
             "The number of the vty interface.";
         }
         leaf auth-mode {
           type auth-mode-type;
           mandatory true;
           description
             "The authentication mode used when an administrator logs in through the vty interface: none, password, AAA.";
         }
         leaf privilege-level {
           type uint8;
           mandatory true;
           description
             "User privilege level.";
         }
         leaf-list acl-name-list {
           type string;
           description
             "The names of the ACLs.";
         }
         leaf ip-block-enable {
           type boolean;
           mandatory true;
           description
             "The status of the ip block function: enabled, or disabled.";
         }
         container ip-block-limit {
           if-feature ip-block-config;
           leaf failed-times {
             type uint64;
             description
               "The number of failed login attempts within the period.";
           }
           leaf period {
             type uint64;
             description
               "The period in which the failed login attempts are counted.";
           }
           leaf reactive-time {
             type uint64;
             description
               "The time after which the blocked address is reactivated.";
           }
           description
             "If login from an address fails several times within a certain period, the address is blocked for a certain time range.";
         }
         description
           "Security configurations that are actively in use for a vty interface.";
       }
       description
         "A list of security configurations that are actively in use for each vty interface.";
     }

     container ssh {
       uses ssh-server-attribute-grouping;
       uses ssh-security-harden-grouping;
       leaf ssh-enable {
         type boolean;
         description
           "The status of the SSH server: enabled, or disabled.";
       }
       leaf ip-block-enable {
         type boolean;
         description
           "The status of the ip block function: enabled, or disabled.";
       }
       container ip-block-limit {
         if-feature ip-block-config;
         leaf failed-times {
           type uint64;
           description
             "The number of failed login attempts within the period.";
         }
         leaf period {
           type uint64;
           description
             "The period in which the failed login attempts are counted.";
         }
         leaf reactive-time {
           type uint64;
           description
             "The time after which the blocked address is reactivated.";
         }
         description
           "If login from an address fails several times within a certain period, the address is blocked for a certain time range.";
       }
       description
         "Security configurations that are actively in use for the SSH-based access channel.";
     }

     container web {
       if-feature web-interface;
       uses tls-server-attribute-grouping;
       leaf auth-mode {
         type auth-mode-type;
         description
           "The authentication mode used when an administrator logs in through the web interface: none, password, AAA.";
       }
       leaf privilege-level {
         type uint8;
         description
           "User privilege level.";
       }
       leaf http-server-interface {
         type string;
         description
           "The source interface of the web server.";
       }
       leaf https-ipv4-enable {
         type boolean;
         description
           "The status of the IPv4 HTTPS server: enabled, disabled.";
       }
       leaf https-ipv6-enable {
         type boolean;
         description
           "The status of the IPv6 HTTPS server: enabled, disabled.";
       }
       leaf https-source-port {
         type inet:port-number;
         description
           "The port number of the web server.";
       }
       leaf https-timeout {
         type uint32;
         description
           "The authentication timeout period of HTTPS.";
       }
       leaf ip-block-enable {
         type boolean;
         description
           "The status of the ip block function: enabled, or disabled.";
       }
       container ip-block-limit {
         if-feature ip-block-config;
         leaf failed-times {
           type uint64;
           description
             "The number of failed login attempts within the period.";
         }
         leaf period {
           type uint64;
           description
             "The period in which the failed login attempts are counted.";
         }
         leaf reactive-time {
           type uint64;
           description
             "The time after which the blocked address is reactivated.";
         }
         description
           "If login from an address fails several times within a certain period, the address is blocked for a certain time range.";
       }
       description
         "If the network device supports a web interface, the configuration status of the web server.";
     }
   }

6.3.  Module 'ietf-aaa-security'

   file "ietf-aaa-security@2018-10-16.yang"

   module ietf-aaa-security {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-aaa-security";
     prefix aaasec;

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991 - Common YANG Data Types.";
     }

     organization
       "IETF SACM (Security Automation and Continuous Monitoring) Working Group";

     contact
       "WG Web:   http://tools.ietf.org/wg/sacm/
        WG List:  sacm@ietf.org

        Editor:   Qiushi Lin
                  linqiushi@huawei.com;
        Editor:   Liang Xia
                  frank.xialiang@huawei.com
        Editor:   Henk Birkholz
                  henk.birkholz@sit.fraunhofer.de";

     description
       "This YANG module defines the ietf-aaa-security YANG module, which contains the configurations of AAA.";

     revision 2018-10-16 {
       description "Initial version.";
       reference
         "draft-lin-sacm-nid-mp-security-baseline-04: The Data Model of Network Infrastructure Device Management Plane Security Baseline";
     }

     /*
      * features
      */
     feature tacacs-supported {
       description
         "Whether the device supports TACACS+ based Authentication, Authorization, and Accounting.";
     }

     /*
      * typedefs
      */
     typedef aaa-authen-mode {
       type enumeration {
         enum "invalid" {
           description
             "Invalid authentication mode.";
         }
         enum "local" {
           description
             "Local authentication mode.";
         }
         enum "tacacs" {
           description
             "TACACS authentication mode.";
         }
         enum "radius" {
           description
             "RADIUS authentication mode.";
         }
         enum "none" {
           description
             "In this mode, users can pass without authentication.";
         }
         enum "radius-proxy" {
           description
             "RADIUS proxy authentication mode.";
         }
       }
       description
         "Different types of authentication modes.";
     }

     typedef radius-authen-type {
       type enumeration {
         enum "pap" {
           description
             "PAP authentication.";
         }
         enum "chap" {
           description
             "CHAP authentication.";
         }
       }
       description
         "Different authentication types of RADIUS authentication.";
     }

     typedef aaa-author-mode {
       type enumeration {
         enum "invalid" {
           description
             "Invalid authorization mode.";
         }
         enum "local" {
           description
             "Local authorization mode.";
         }
         enum "tacacs" {
           description
             "TACACS authorization mode.";
         }
         enum "if-authenticated" {
           description
             "If-authenticated mode: if the user has passed authentication and the authentication mode used was not none, the user authorization is considered passed. Otherwise, the authorization is not passed.";
         }
         enum "none" {
           description
             "Users can pass without authorization.";
         }
       }
       description
         "Different types of AAA authorization modes.";
     }

     typedef aaa-cmd-author-mode {
       type enumeration {
         enum "invalid" {
           description
             "Invalid command line authorization mode.";
         }
         enum "local" {
           description
             "Local command line authorization mode.";
         }
         enum "tacacs" {
           description
             "Specifies that the TACACS mode is applied.";
         }
       }
       description
         "Different types of command line authorization modes.";
     }

     typedef aaa-account-mode {
       type enumeration {
         enum "invalid" {
           description
             "Invalid accounting mode.";
         }
         enum "radius" {
           description
             "RADIUS accounting mode.";
         }
         enum "tacacs" {
           description
             "TACACS accounting mode.";
         }
         enum "none" {
           description
             "In this mode, users are not accounted.";
         }
       }
       description
         "Different types of accounting modes.";
     }

     /*
      * lists & containers
      */
     list authentication-scheme {
       key "authen-scheme-name";
       leaf authen-scheme-name {
         type string;
         description
           "The name of the authentication scheme.";
       }
       leaf-list authen-mode {
         type aaa-authen-mode;
         description
           "A list of authentication modes with different preference levels. The second, third, and following authentication modes are used only when the first authentication mode does not respond.";
       }
       leaf authen-type {
         type radius-authen-type;
         description
           "Authentication type of RADIUS: PAP, CHAP.";
       }
       leaf authen-fail-policy {
         type boolean;
         description
           "The policy to be adopted after user authentication fails: force the user offline, or allow the user to log in to a domain with access control.";
       }
       description
         "Authentication scheme list.";
     }

     list authorization-scheme {
       key "author-scheme-name";
       leaf author-scheme-name {
         type string;
         description
           "The name of the authorization scheme.";
       }
       leaf-list author-mode {
         type aaa-author-mode;
         description
           "A list of authorization modes with different preference levels. The second, third, and following authorization modes are used only when the first authorization mode does not respond.";
       }
       leaf-list cmd-author-mode {
         type aaa-cmd-author-mode;
         description
           "A list of command line authorization modes with different preference levels. The second, third, and following command line authorization modes are used only when the first command line authorization mode does not respond.";
       }
       description
         "Authorization scheme list.";
     }

     list accounting-scheme {
       key "account-scheme-name";
       leaf account-scheme-name {
         type string;
         description
           "The name of the accounting scheme.";
       }
       leaf account-mode {
         type aaa-account-mode;
         description
           "Accounting mode.";
       }
       description
         "Accounting scheme list.";
     }

     container radius-security {
       list radius-authen-servers {
         key "address";
         leaf address {
           type inet:host;
           description
             "The IP address of the authentication server.";
         }
         leaf port {
           type inet:port-number;
           description
             "The port number of the authentication server.";
         }
         description
           "A list of RADIUS authentication servers.";
       }
       list radius-author-servers {
         key "address";
         leaf address {
           type inet:host;
           description
             "The IP address of the authorization server.";
         }
         leaf port {
           type inet:port-number;
           description
             "The port number of the authorization server.";
         }
         description
           "A list of RADIUS authorization servers.";
       }
       list radius-account-servers {
         key "address";
         leaf address {
           type inet:host;
           description
             "The IP address of the accounting server.";
         }
         leaf port {
           type inet:port-number;
           description
             "The port number of the accounting server.";
         }
         description
           "A list of RADIUS accounting servers.";
       }
       description
         "RADIUS authentication servers, authorization servers and accounting servers.";
     }

     container tacacs-security {
       if-feature tacacs-supported;
       list tacacs-authen-servers {
         key "address";
         leaf address {
           type inet:host;
           description
             "The IP address of the authentication server.";
         }
         leaf port {
           type inet:port-number;
           description
             "The port number of the authentication server.";
         }
         description
           "A list of TACACS+ and TACACS+ compatible authentication servers.";
       }
       list tacacs-author-servers {
         key "address";
         leaf address {
           type inet:host;
           description
             "The IP address of the authorization server.";
         }
         leaf port {
           type inet:port-number;
           description
             "The port number of the authorization server.";
         }
         description
           "A list of TACACS+ and TACACS+ compatible authorization servers.";
       }
       list tacacs-account-servers {
         key "address";
         leaf address {
           type inet:host;
           description
             "The IP address of the accounting server.";
         }
         leaf port {
           type inet:port-number;
           description
             "The port number of the accounting server.";
         }
         description
           "A list of TACACS+ and TACACS+ compatible accounting servers.";
       }
       description
         "TACACS+ and TACACS+ compatible authentication servers, authorization servers, and accounting servers.";
     }
   }

6.4.  Module 'ietf-admin-access-statistics'

   file "ietf-admin-access-statistics@2018-10-16.yang"

   module ietf-admin-access-statistics {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-admin-access-statistics";
     prefix stat;

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991 - Common YANG Data Types.";
     }

     import ietf-yang-types {
       prefix yang;
       reference
         "RFC 6991 - Common YANG Data Types.";
     }

     organization
       "IETF SACM (Security Automation and Continuous Monitoring) Working Group";

     contact
       "WG Web:   http://tools.ietf.org/wg/sacm/
        WG List:  sacm@ietf.org

        Editor:   Qiushi Lin
                  linqiushi@huawei.com;
        Editor:   Liang Xia
                  frank.xialiang@huawei.com
        Editor:   Henk Birkholz
                  henk.birkholz@sit.fraunhofer.de";

     description
       "This YANG module defines the ietf-admin-access-statistics YANG module, which contains the list of online administrators and the IP addresses that failed authentication or are blocked.";

     revision 2018-10-16 {
       description "Initial version.";
       reference
         "draft-lin-sacm-nid-mp-security-baseline-04: The Data Model of Network Infrastructure Device Management Plane Security Baseline";
     }

     /*
      * features
      */
     feature display-online-info {
       description
         "If the device supports reporting the details of administrative accounts that are currently online.";
     }

     /*
      * typedef
      */
     typedef ip-block-state-type {
       type enumeration {
         enum "authenfail" {
           description
             "Authentication failed state.";
         }
         enum "blocked" {
           description
             "Blocked state.";
         }
       }
       description
         "The status of an IP address from which login failed.";
     }

     /*
      * containers
      */
     container online {
       leaf total-online-users {
         type uint32;
         config false;
         description
           "The number of administrators that are currently online.";
       }
       container online-admin-list {
         if-feature display-online-info;
         list online-users {
           key "account-name";
           leaf account-name {
             type string;
             description
               "The account name of the online account.";
           }
           leaf ip-address {
             type inet:ip-address-no-zone;
             config false;
             description
               "The IP address of the online account.";
           }
           leaf mac-address {
             type yang:mac-address;
             config false;
             description
               "The MAC address of the online account.";
           }
           description
             "Online administrator list.";
         }
         description
           "If the device supports providing information on online administrators, a list of account details is provided.";
       }
       description
         "Online administrator statistics and details.";
     }

     container ip-block-list {
       list blocked-ip {
         key "ip-address";
         leaf ip-address {
           type inet:ip-address-no-zone;
           description
             "The blocked IP address.";
         }
         leaf vpn-instance {
           type string;
           config false;
           description
             "The VPN instance of the blocked IP address.";
         }
         leaf state {
           type ip-block-state-type;
           config false;
           description
             "The status of the IP address from which login failed.";
         }
         leaf authen-fail-account {
           type uint32;
           config false;
           description
             "The number of failed login attempts.";
         }
         description
           "The list of blocked IP addresses and related information.";
       }
       description
         "The information on blocked IP addresses.";
     }
   }

6.5.  Module 'ietf-snmp-security'

   file "ietf-snmp-security@2018-10-16.yang"

   module ietf-snmp-security {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-snmp-security";
     prefix snmpsec;

     import ietf-snmp {
       prefix snmp;
       reference
         "RFC 7407.";
     }

     organization
       "IETF SACM (Security Automation and Continuous Monitoring) Working Group";

     contact
       "WG Web:   http://tools.ietf.org/wg/sacm/
        WG List:  sacm@ietf.org

        Editor:   Qiushi Lin
                  linqiushi@huawei.com;
        Editor:   Liang Xia
                  frank.xialiang@huawei.com
        Editor:   Henk Birkholz
                  henk.birkholz@sit.fraunhofer.de";

     description
       "This YANG module defines the ietf-snmp-security YANG module.";

     revision 2018-10-16 {
       description "Initial version.";
       reference
         "draft-lin-sacm-nid-mp-security-baseline-04: The Data Model of Network Infrastructure Device Management Plane Security Baseline";
     }

     feature tsm {
       description
         "Whether the network device supports the Transport Security Model for SNMP.";
     }

     /*
      * typedef
      */
     typedef snmp-transport-type {
       type enumeration {
         enum "udp" {
           description
             "SNMP over UDP.";
         }
         enum "ssh" {
           description
             "SNMP over SSH.";
         }
         enum "tls" {
           description
             "SNMP over TLS.";
         }
         enum "dtls" {
           description
             "SNMP over DTLS.";
         }
       }
       description
         "The transport channels on which the SNMP engine listens.";
     }

     typedef snmp-version-type {
       type enumeration {
         enum "v1" {
           description
             "SNMPv1";
         }
         enum "v2c" {
           description
             "SNMPv2c";
         }
         enum "v3" {
           description
             "SNMPv3";
         }
       }
       description
         "The version of the SNMP protocol.";
     }

     typedef auth-pro-type {
       type enumeration {
         enum "none" {
           description
             "Do not enable the authentication of messages sent on behalf of the user.";
         }
1843 enum "md5" { 1844 description 1845 "HMAC-MD5-96 authentication protocol"; 1846 } 1847 enum "sha" { 1848 description 1849 "HMAC-SHA-96 authentication protocol"; 1850 } 1851 } 1852 description 1853 "An indication of whether messages sent on behalf of this user can be authenticated, and if so, the type of authentication protocol which is used: MD5, SHA."; 1854 reference 1855 "RFC 3414"; 1856 } 1858 typedef priv-pro-type { 1859 type enumeration { 1860 enum "none" { 1861 description 1862 "Do not enable the encryption of messages sent on behalf of the user."; 1863 } 1864 enum "des" { 1865 description 1866 "DES is used to encrypt messages sent on behalf of the user."; 1867 } 1868 enum "aes" { 1869 description 1870 "AES is used to encrypt messages sent on behalf of the user."; 1871 } 1872 } 1873 description 1874 "An indication of whether messages sent on behalf of this user can be protected from disclosure, and if so, the type of privacy protocol which is used: EDS, AES."; 1875 reference 1876 "RFC 3414 & RFC 3826"; 1877 } 1879 /* 1880 * grouping 1881 */ 1882 grouping user-auth-priv { 1883 list user { 1884 key "name"; 1885 leaf name { 1886 type snmp:identifier; 1887 description 1888 "The identifier that represents a user."; 1889 } 1890 leaf auth-protocol { 1891 type auth-pro-type; 1892 description 1893 "The type of authentication protocol: none, md5, sha."; 1894 } 1895 leaf priv-protocol { 1896 type priv-pro-type; 1897 description 1898 "The type of encryption protocol: none, des, aes."; 1899 } 1900 description 1901 "A list of users and their corresponding authProtocol, privProtocol."; 1902 } 1903 description 1904 "A grouping that represents a list of users and their corresponding authProtocol, privProtocol."; 1905 reference 1906 "RFC 3414"; 1907 } 1909 leaf snmp-enable { 1910 type boolean; 1911 description 1912 "whether SNMP is used."; 1913 } 1915 /* 1916 * containers 1917 */ 1918 container engine { 1919 leaf enabled { 1920 type boolean; 1921 description 1922 "The 
status of the SNMP engine: enabled, disabled."; 1923 } 1924 list listen { 1925 key "name"; 1926 leaf name { 1927 type snmp:identifier; 1928 description 1929 "The name of a transport channel on which the SNMP engine listens."; 1930 } 1931 leaf transport { 1932 type snmp-transport-type; 1933 description 1934 "The transport protocol that SNMP uses."; 1935 } 1936 description 1937 "A list of transport channels on which the SNMP engine listens."; 1938 } 1939 leaf version { 1940 type snmp-version-type; 1941 description 1942 "SNMP version used by the SNMP engine."; 1943 } 1944 leaf enable-authen-traps { 1945 type boolean; 1946 description 1947 "Whether the SNMP entity is permitted to generate authenticationFailure traps."; 1948 reference 1949 "RFC 3418: Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) SNMPv2-MIB.snmpEnableAuthenTraps"; 1950 } 1951 description 1952 "The security configurations for SNMP engine."; 1953 } 1955 list target { 1956 key name; 1957 leaf name { 1958 type snmp:identifier; 1959 description 1960 "The name identifies the target."; 1961 } 1962 leaf transport { 1963 type snmp-transport-type; 1964 description 1965 "The transport protocol used."; 1966 } 1967 leaf target-parmas { 1968 type snmp:identifier; 1969 description 1970 "Parameters for the target."; 1971 } 1972 description 1973 "The list of targets."; 1974 reference 1975 "RFC 3413 & RFC 7407"; 1976 } 1978 list target-params { 1979 key name; 1980 leaf name { 1981 type snmp:identifier; 1982 description 1983 "The name identifies the target params."; 1984 } 1985 choice params { 1986 case usm { 1987 uses snmp:usm-target-params; 1988 description 1989 "Reuse the grouping defined in ietf-snmp-usm"; 1990 } 1991 case tsm { 1992 if-feature snmp:tsm; 1993 uses snmp:tsm-target-params; 1994 description 1995 "Reuse the grouping defined in ietf-snmp-tsm"; 1996 } 1997 description 1998 "The parameters specific to each security model."; 1999 } 2000 description 2001 "List of target 
          parameters.";
     }

     container vacm {
       leaf vacm-enable {
         type boolean;
         config false;
         description
           "Whether VACM based security configurations are used.";
       }
       list group {
         key name;
         leaf name {
           type snmp:group-name;
           description
             "The name of this VACM group.";
         }
         list member {
           key "security-name";
           leaf security-name {
             type snmp:security-name;
             description
               "The securityName of a group member.";
           }
           leaf-list security-model {
             type snmp:security-model;
             min-elements 1;
             description
               "The security models under which this security-name is
                a member of this group.";
           }
           description
             "A member of this VACM group.";
         }
         list access {
           key "context security-model security-level";
           leaf context {
             type snmp:context-name;
             description
               "The context under which the access rights apply.";
           }
           leaf context-match {
             type enumeration {
               enum exact {
                 value 1;
                 description
                   "The context match type: exact.";
               }
               enum prefix {
                 value 2;
                 description
                   "The context match type: prefix.";
               }
             }
             description
               "The match type of the context.";
           }
           leaf security-model {
             type snmp:security-model-or-any;
             description
               "The security model under which the access rights
                apply.";
           }
           leaf security-level {
             type snmp:security-level;
             description
               "The minimum security level under which the access
                rights apply.";
           }
           leaf read-view {
             type snmp:view-name;
             description
               "The name of the MIB view of the SNMP context
                authorizing read access.  If this leaf does not exist
                in a configuration, it maps to a zero-length
                vacmAccessReadViewName.";
           }
           leaf write-view {
             type snmp:view-name;
             description
               "The name of the MIB view of the SNMP context
                authorizing write access.  If this leaf does not exist
                in a configuration, it maps to a zero-length
                vacmAccessWriteViewName.";
           }
           leaf notify-view {
             type snmp:view-name;
             description
               "The name of the MIB view of the SNMP context
                authorizing notify access.  If this leaf does not
                exist in a configuration, it maps to a zero-length
                vacmAccessNotifyViewName.";
           }
           description
             "Definition of access rights for groups.";
         }
         description
           "VACM groups";
         reference
           "RFC 3415: View-based Access Control Model (VACM) for the
            Simple Network Management Protocol (SNMP)";
       }
       list view {
         key name;
         leaf name {
           type snmp:view-name;
           description
             "The name of this MIB view.";
         }
         leaf-list include {
           type snmp:wildcard-object-identifier;
           description
             "A family of subtrees included in this MIB view.";
         }
         leaf-list exclude {
           type snmp:wildcard-object-identifier;
           description
             "A family of subtrees excluded from this MIB view.";
         }
         description
           "Definition of MIB views.";
       }
       description
         "The security configurations for the View-based Access
          Control Model (VACM).";
     }

     container usm {
       leaf usm-enable {
         type boolean;
         config false;
         description
           "Whether USM based security configurations are used.";
       }
       container local {
         uses user-auth-priv;
         description
           "A list of local users and their corresponding
            authentication and privacy protocols.";
       }
       container remote {
         uses user-auth-priv;
         description
           "A list of remote users and their corresponding
            authentication and privacy protocols.";
       }
       description
         "Configuration of the User-based Security Model.";
     }

     container tsm {
       if-feature tsm;
       leaf tsm-enable {
         type boolean;
         config false;
         description
           "Whether TSM based security configurations are used.";
       }
       description
         "Configuration of
          the Transport Security Model.";
     }
   }

6.6.  Module 'ietf-netconf-security'

   module ietf-netconf-security {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-netconf-security";
     prefix netsec;

     import ietf-admin-access-security {
       prefix accsec;
     }

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991: Common YANG Data Types";
     }

     organization
       "IETF SACM (Security Automation and Continuous Monitoring)
        Working Group";

     contact
       "WG Web:   http://tools.ietf.org/wg/sacm/
        WG List:  sacm@ietf.org

        Editor:   Qiushi Lin
                  linqiushi@huawei.com;
        Editor:   Liang Xia
                  frank.xialiang@huawei.com
        Editor:   Henk Birkholz
                  henk.birkholz@sit.fraunhofer.de";

     description
       "This YANG module defines the ietf-netconf-security YANG
        module.";

     revision 2018-10-16 {
       description "Initial version.";
       reference
         "draft-lin-sacm-nid-mp-security-baseline-04: The Data Model
          of Network Infrastructure Device Management Plane Security
          Baseline";
     }

     /*
      * features
      */
     feature listen {
       description
         "The 'listen' feature indicates that the NETCONF server
          supports opening a port to accept NETCONF client connections
          using at least one transport (e.g., SSH, TLS, etc.).";
     }

     feature ssh-listen {
       description
         "The 'ssh-listen' feature indicates that the NETCONF server
          supports opening a port to accept NETCONF over SSH client
          connections.";
       reference
         "RFC 6242: Using the NETCONF Protocol over Secure Shell
          (SSH)";
     }

     feature tls-listen {
       description
         "The 'tls-listen' feature indicates that the NETCONF server
          supports opening a port to accept NETCONF over TLS client
          connections.";
       reference
         "RFC 7589: Using the NETCONF Protocol over Transport Layer
          Security (TLS) with Mutual X.509 Authentication";
     }

     feature call-home {
       description
         "The 'call-home' feature indicates that the NETCONF server
          supports initiating NETCONF call home connections to
          NETCONF clients using at least one transport (e.g., SSH,
          TLS, etc.).";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
     }

     feature ssh-call-home {
       description
         "The 'ssh-call-home' feature indicates that the NETCONF
          server supports initiating a NETCONF over SSH call home
          connection to NETCONF clients.";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
     }

     feature tls-call-home {
       description
         "The 'tls-call-home' feature indicates that the NETCONF
          server supports initiating a NETCONF over TLS call home
          connection to NETCONF clients.";
       reference
         "RFC 8071: NETCONF Call Home and RESTCONF Call Home";
     }

     /*
      * leaf & containers
      */

     leaf netconf-enable {
       type boolean;
       description
         "Whether the NETCONF protocol is used.";
     }

     container listen {
       if-feature listen;
       list endpoint {
         key name;
         leaf name {
           type string;
           description
             "The name of the NETCONF listen endpoint.";
         }
         choice transport {
           case ssh {
             if-feature ssh-listen;
             leaf port {
               type inet:port-number;
               description
                 "The local port number to listen on.";
             }
             uses accsec:ssh-server-attribute-grouping;
             description
               "SSH based listening.";
           }
           case tls {
             if-feature tls-listen;
             leaf port {
               type inet:port-number;
               description
                 "The local port number to listen on.";
             }
             uses accsec:tls-server-attribute-grouping;
             description
               "TLS based listening.";
           }
           description
             "The transport protocol used.";
         }
         description
           "List of endpoints to listen on for NETCONF connections.";
       }
       description
         "Configurations related to the listen behavior.";
     }

     container call-home {
       if-feature call-home;
       list netconf-client {
         key name;
         leaf name {
           type string;
           description
             "The name of the remote NETCONF client.";
         }
         container endpoints {
           list endpoint {
             key name;
             leaf name {
               type string;
               description
                 "The name for this endpoint.";
             }
             choice transport {
               case ssh {
                 if-feature ssh-call-home;
                 leaf port {
                   type inet:port-number;
                   description
                     "The IP port for this endpoint.";
                 }
                 uses accsec:ssh-server-attribute-grouping;
                 description
                   "SSH based call-home.";
               }
               case tls {
                 if-feature tls-call-home;
                 leaf port {
                   type inet:port-number;
                   description
                     "The IP port for this endpoint.";
                 }
                 uses accsec:tls-server-attribute-grouping;
                 description
                   "TLS based call-home.";
               }
               description
                 "The transport protocol used.";
             }
             description
               "A list of endpoints for this NETCONF server to try to
                connect to in sequence.";
           }
           description
             "List of endpoints";
         }
         description
           "List of NETCONF clients the NETCONF server is to initiate
            call-home connections to in parallel.";
       }
       description
         "Configurations related to the call-home behavior.";
     }
   }

6.7.  Module 'ietf-port-management-security'

   file "ietf-port-management-security@2018-10-16.yang"
   module ietf-port-management-security {
     yang-version 1.1;
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-port-management-security";
     prefix acsec;

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991: Common YANG Data Types";
     }

     organization
       "IETF SACM (Security Automation and Continuous Monitoring)
        Working Group";

     contact
       "WG Web:   http://tools.ietf.org/wg/sacm/
        WG List:  sacm@ietf.org

        Editor:   Qiushi Lin
                  linqiushi@huawei.com;
        Editor:   Liang Xia
                  frank.xialiang@huawei.com
        Editor:   Henk Birkholz
                  henk.birkholz@sit.fraunhofer.de";

     description
       "This YANG module defines the ietf-port-management-security
        YANG module.";

     revision 2018-10-16 {
       description "Initial version.";
       reference
         "draft-lin-sacm-nid-mp-security-baseline-04: The Data Model
          of Network Infrastructure Device Management Plane Security
          Baseline";
     }

     list port-list {
       key port-number;
       leaf port-number {
         type inet:port-number;
         description
           "The port number.";
       }
       leaf port-status {
         type boolean;
         description
           "The status of the port: open or shut-down.";
       }
       description
         "The status of all the ports in the device.";
     }
   }

7.  Acknowledgements

8.  IANA Considerations

   This document requires no IANA actions.

9.  Security Considerations

   Secure transport should be used to retrieve the current status of
   the management plane security baseline.

10.  References

10.1.  Normative References

   [I-D.birkholz-sacm-yang-content]
              Birkholz, H. and N. Cam-Winget, "YANG subscribed
              notifications via SACM Statements", draft-birkholz-sacm-
              yang-content-01 (work in progress), January 2018.

   [I-D.dong-sacm-nid-cp-security-baseline]
              Dong, Y. and L. Xia, "The Data Model of Network
              Infrastructure Device Control Plane Security Baseline",
              draft-dong-sacm-nid-cp-security-baseline-00 (work in
              progress), September 2017.

   [I-D.dong-sacm-nid-infra-security-baseline]
              Dong, Y. and L. Xia, "The Data Model of Network
              Infrastructure Device Infrastructure Layer Security
              Baseline", draft-dong-sacm-nid-infra-security-baseline-01
              (work in progress), May 2018.

   [I-D.ietf-netconf-keystore]
              Watsen, K., "YANG Data Model for a Centralized Keystore
              Mechanism", draft-ietf-netconf-keystore-06 (work in
              progress), September 2018.

   [I-D.ietf-netconf-netconf-client-server]
              Watsen, K., "NETCONF Client and Server Models", draft-
              ietf-netconf-netconf-client-server-07 (work in progress),
              September 2018.

   [I-D.ietf-netconf-ssh-client-server]
              Watsen, K. and G. Wu, "YANG Groupings for SSH Clients and
              SSH Servers", draft-ietf-netconf-ssh-client-server-07
              (work in progress), September 2018.

   [I-D.ietf-netconf-tls-client-server]
              Watsen, K. and G. Wu, "YANG Groupings for TLS Clients and
              TLS Servers", draft-ietf-netconf-tls-client-server-07
              (work in progress), September 2018.

   [I-D.ietf-netmod-acl-model]
              Jethanandani, M., Agarwal, S., Huang, L., and D. Blair,
              "Network Access Control List (ACL) YANG Data Model",
              draft-ietf-netmod-acl-model-20 (work in progress),
              October 2018.

   [I-D.ietf-netmod-syslog-model]
              Wildes, C. and K. Koushik, "A YANG Data Model for Syslog
              Configuration", draft-ietf-netmod-syslog-model-26 (work in
              progress), March 2018.

   [I-D.ietf-sacm-information-model]
              Waltermire, D., Watson, K., Kahn, C., Lorenzin, L., Cokus,
              M., Haynes, D., and H. Birkholz, "SACM Information Model",
              draft-ietf-sacm-information-model-10 (work in progress),
              April 2017.

   [I-D.xia-sacm-nid-dp-security-baseline]
              Xia, L. and G. Zheng, "The Data Model of Network
              Infrastructure Device Data Plane Security Baseline",
              draft-xia-sacm-nid-dp-security-baseline-02 (work in
              progress), June 2018.

   [RFC7317]  Bierman, A. and M. Bjorklund, "A YANG Data Model for
              System Management", RFC 7317, DOI 10.17487/RFC7317,
              August 2014.

   [RFC7407]  Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for
              SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407,
              December 2014.

10.2.  Informative References

   [I-D.ietf-tls-oldversions-deprecate]
              Moriarty, K. and S. Farrell, "Deprecating TLSv1.0 and
              TLSv1.1", draft-ietf-tls-oldversions-deprecate-00 (work in
              progress), September 2018.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

Appendix A.

   The following is the whole structure of the YANG tree diagram for
   the network infrastructure device management plane.  The existing
   RFCs and drafts related to this document are listed on the right
   side.
   +----------------+--------------------------------------------------+
   |    Modules     |               Related RFCs/Drafts                |
   +----------------+--------------------------------------------------+
   | ietf-admin-    | None                                             |
   | account-       |                                                  |
   | security       |                                                  |
   |                |                                                  |
   | ietf-admin-    | draft-ietf-netconf-keystore,draft-ietf-netconf-  |
   | access-        | ssh-client-server,draft-ietf-netconf-tls-client- |
   | security       | server                                           |
   |                |                                                  |
   | ietf-aaa-      | RFC7317                                          |
   | security       |                                                  |
   |                |                                                  |
   | ietf-admin-    | None                                             |
   | access-        |                                                  |
   | statistics     |                                                  |
   |                |                                                  |
   | ietf-snmp-     | RFC7407                                          |
   | security       |                                                  |
   |                |                                                  |
   | ietf-netconf-  | draft-ietf-netconf-netconf-client-server,draft-  |
   | security       | ietf-netconf-keystore                            |
   |                |                                                  |
   | ietf-port-     | None                                             |
   | management-    |                                                  |
   | security       |                                                  |
   |                |                                                  |
   | ietf-log-      | draft-ietf-netmod-syslog-model                   |
   | security       |                                                  |
   |                |                                                  |
   | ietf-file-     | draft-ietf-netconf-keystore,draft-ietf-netconf-  |
   | security       | ssh-client-server,draft-ietf-netconf-tls-client- |
   |                | server                                           |
   +----------------+--------------------------------------------------+

         The modules defined in this document and related RFCs/drafts

   Draft [I-D.ietf-netconf-tls-client-server] and draft
   [I-D.ietf-netconf-ssh-client-server] focus on YANG models for TLS-
   specific configuration and SSH-specific configuration respectively.
   The transport-level configuration, such as what ports to listen on
   or connect to, is not included.  Besides, as these groupings focus
   on configuration, the configuration of the private key and the
   "certificate-expiration" notification are not needed.  Draft
   [I-D.ietf-netconf-netconf-client-server] defines a NETCONF YANG
   model based on the data models defined in the above two documents.

   [RFC7317] defines a YANG data model for system management of a
   device containing a NETCONF server.  It summarizes data modules for
   NETCONF user authentication, and defines a YANG module for clients
   to configure the RADIUS authentication server information.  Three
   methods are defined for user authentication: public key for local
   users over SSH, password for local users over any secure transport,
   and password for RADIUS users over any secure transport.

   [RFC7407] defines a YANG model for SNMP configuration; it is not
   limited to security-related configuration and status.

   Draft [I-D.ietf-netmod-syslog-model] defines a YANG model for Syslog
   configuration, including TLS-based transport security and syslog
   message signing.

Authors' Addresses

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong  518129
   China

   Email: linqiushi@huawei.com

   Liang Xia
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu  210012
   China

   Email: Frank.xialiang@huawei.com

   Henk Birkholz
   Fraunhofer SIT
   Rheinstrasse 75
   Darmstadt  64295
   Germany

   Email: henk.birkholz@sit.fraunhofer.de
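The modules above only define the shape of the baseline data; what a collector does with the retrieved status is left to the operator. As an added example, not code from the draft or from any SACM project, the following Python evaluates constructed RFC 7951-style JSON instance data of the ietf-snmp-security and ietf-port-management-security modules against an assumed baseline policy: SNMPv3 only, HMAC-SHA-96 and AES only for USM users, a VACM write-view granted only at the authPriv level, authenticationFailure traps enabled, and a fixed set of expected open ports. The enum strings "v3", "v2c" and "udp" are assumptions, since snmp-version-type and snmp-transport-type are defined outside this section; "no-auth-no-priv" and "auth-priv" follow snmp:security-level from RFC 7407.

```python
"""Baseline checks over instance data for ietf-snmp-security and
ietf-port-management-security (JSON encoding as in RFC 7951).

Added example; not part of the draft.  The policy thresholds and the
enum strings "v3", "v2c" and "udp" are assumptions for this example."""

from typing import Any, Dict, List, Set

SNMP = "ietf-snmp-security"
PORTS = "ietf-port-management-security"

# Constructed sample: a v2c engine with authenticationFailure traps off,
# one hardened and two weak USM users, and a VACM access entry that
# grants write access at the noAuthNoPriv level.
SAMPLE_SNMP: Dict[str, Any] = {
    f"{SNMP}:snmp-enable": True,
    f"{SNMP}:engine": {
        "enabled": True,
        "version": "v2c",            # assumed snmp-version-type value
        "enable-authen-traps": False,
        "listen": [{"name": "udp-161", "transport": "udp"}],  # assumed value
    },
    f"{SNMP}:usm": {
        "usm-enable": True,
        "local": {"user": [
            {"name": "legacy", "auth-protocol": "md5", "priv-protocol": "des"},
            {"name": "ops", "auth-protocol": "sha", "priv-protocol": "aes"},
            {"name": "monitor", "auth-protocol": "none", "priv-protocol": "none"},
        ]},
    },
    f"{SNMP}:vacm": {
        "vacm-enable": True,
        "group": [{
            "name": "rw-group",
            "access": [{
                "context": "",
                "security-model": "usm",
                "security-level": "no-auth-no-priv",  # snmp:security-level, RFC 7407
                "read-view": "all",
                "write-view": "all",
            }],
        }],
    },
}

# Constructed sample for port-list; port-status true means the port is open.
SAMPLE_PORTS: Dict[str, Any] = {
    f"{PORTS}:port-list": [
        {"port-number": 22, "port-status": True},
        {"port-number": 23, "port-status": True},
        {"port-number": 161, "port-status": False},
        {"port-number": 830, "port-status": True},
    ],
}

WEAK_AUTH = {"none", "md5"}   # baseline assumption: only HMAC-SHA-96 passes
WEAK_PRIV = {"none", "des"}   # baseline assumption: only AES passes


def check_snmp(inst: Dict[str, Any]) -> List[str]:
    """Return one finding per deviation from the assumed SNMP baseline."""
    findings: List[str] = []
    if not inst.get(f"{SNMP}:snmp-enable", False):
        return findings                          # SNMP not in use
    engine = inst.get(f"{SNMP}:engine", {})
    if engine.get("enabled"):
        if engine.get("version") != "v3":
            findings.append(f"engine version {engine.get('version')}: "
                            "community-based SNMP has no authentication or privacy")
        if not engine.get("enable-authen-traps", False):
            findings.append("authenticationFailure traps disabled: failed "
                            "authentication attempts will not be reported")
    usm = inst.get(f"{SNMP}:usm", {})
    for scope in ("local", "remote"):            # both containers use user-auth-priv
        for user in usm.get(scope, {}).get("user", []):
            auth = user.get("auth-protocol", "none")
            priv = user.get("priv-protocol", "none")
            if auth in WEAK_AUTH:
                findings.append(f"{scope} user {user['name']}: auth-protocol {auth}")
            if priv in WEAK_PRIV:
                findings.append(f"{scope} user {user['name']}: priv-protocol {priv}")
    for group in inst.get(f"{SNMP}:vacm", {}).get("group", []):
        for acc in group.get("access", []):
            # A write-view reachable below authPriv lets unauthenticated or
            # unencrypted requests change the device configuration.
            if acc.get("write-view") and acc.get("security-level") != "auth-priv":
                findings.append(f"group {group['name']}: write-view "
                                f"'{acc['write-view']}' at {acc['security-level']}")
    return findings


def check_ports(inst: Dict[str, Any], allowed: Set[int]) -> List[int]:
    """Return the open ports that are not in the expected management set."""
    return sorted(e["port-number"] for e in inst.get(f"{PORTS}:port-list", [])
                  if e.get("port-status") and e["port-number"] not in allowed)


if __name__ == "__main__":
    for finding in check_snmp(SAMPLE_SNMP):
        print("SNMP:", finding)
    print("unexpected open ports:", check_ports(SAMPLE_PORTS, {22, 830}))
```

The checks walk both the local and remote containers because both reuse the user-auth-priv grouping, and they treat a missing auth-protocol or priv-protocol leaf as "none", which is the conservative reading when a device omits the leaf. On the constructed sample the SNMP checks produce seven findings (engine version, traps, two per weak user, and the write-view entry) and the port check reports port 23.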