idnits 2.17.1 draft-zheng-opsawg-tacacs-yang-00.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust
(see https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** There are 3 instances of too long lines in the document, the longest
   one being 4 characters in excess of 72.
** The abstract seems to contain references ([RFC8342]), which it
   shouldn't.  Please replace those with straight textual mentions of
   the documents in question.

Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does
   not match the current year
-- The document date (September 24, 2018) is 2042 days in the past.  Is
   this intentional?

Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Unused Reference: 'RFC1492' is defined on line 594, but no explicit
   reference was found in the text
== Unused Reference: 'RFC6021' is defined on line 607, but no explicit
   reference was found in the text
== Unused Reference: 'RFC792' is defined on line 629, but no explicit
   reference was found in the text
== Outdated reference: A later version (-18) exists of
   draft-ietf-opsawg-tacacs-11
** Downref: Normative reference to an Informational draft:
   draft-ietf-opsawg-tacacs (ref.
   'I-D.ietf-opsawg-tacacs')
** Downref: Normative reference to an Informational RFC: RFC 1492
** Obsolete normative reference: RFC 6021 (Obsoleted by RFC 6991)
** Obsolete normative reference: RFC 6536 (Obsoleted by RFC 8341)

Summary: 6 errors (**), 0 flaws (~~), 5 warnings (==), 1 comment (--).

Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------

Network Working Group                                           G. Zheng
Internet-Draft                                                   M. Wang
Intended status: Standards Track                                   B. Wu
Expires: March 28, 2019                                           Huawei
                                                      September 24, 2018

   Yang data model for Terminal Access Controller Access Control System
                                   Plus
                   draft-zheng-opsawg-tacacs-yang-00

Abstract

   This document describes a data model of a Terminal Access Controller
   Access Control System Plus (TACACS+) client.

   The YANG data model in this document conforms to the Network
   Management Datastore Architecture (NMDA) defined in [RFC8342].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 28, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions used in this document
     2.1.  Tree Diagrams
   3.  Problem Statement
   4.  Design of the Data Model
   5.  TACACS+ Module
   6.  Security Considerations
   7.  IANA Considerations
   8.  Normative References
   Authors' Addresses

1.  Introduction

   This document describes a data model of a Terminal Access Controller
   Access Control System Plus (TACACS+) client.  TACACS+ provides device
   administration for routers, network access servers and other
   networked computing devices via one or more centralized servers.

   This document defines a YANG [RFC7950] data model for a client
   implementation of the TACACS+ protocol [I-D.ietf-opsawg-tacacs] and
   identifies some common properties within a device containing a
   Network Configuration Protocol (NETCONF) server.  Devices that are
   managed by NETCONF and perhaps other mechanisms have common
   properties that need to be configured and monitored in a standard
   way.
   The YANG data model in this document conforms to the Network
   Management Datastore Architecture (NMDA) defined in [RFC8342].

2.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The following terms are defined in [RFC6241] and are used in this
   specification:

   o  client

   o  configuration data

   o  server

   o  state data

   The following terms are defined in [RFC7950] and are used in this
   specification:

   o  augment

   o  data model

   o  data node

   The terminology for describing YANG data models is found in
   [RFC7950].

2.1.  Tree Diagrams

   Tree diagrams used in this document follow the notation defined in
   [RFC8340].

3.  Problem Statement

   This document defines a YANG data model which allows users to
   configure the TACACS+ client function on a network system.  The YANG
   model can be used with network management protocols such as NETCONF
   [RFC6241] to install, manipulate, and delete the configuration of
   network devices.

   The "ietf-system" data model [RFC7317] only covers user
   authentication using local and RADIUS functionality.  However,
   TACACS+ is also a widely deployed protocol for user authentication
   on devices.  Besides this, TACACS+ can be used for system
   authorization and accounting, which are not defined in [RFC7317].

   TACACS+ implementations in different devices may vary greatly in
   terms of the data hierarchy and operations that they support.
   Therefore this draft proposes a model that can be augmented by
   standard extensions and vendor models.

4.  Design of the Data Model

   This model is used to configure the TACACS+ client on a device to
   support deployment scenarios with centralized authentication,
   authorization, and accounting servers.  Authentication is used to
   validate a user's name and password, authorization allows the user
   to access and execute commands at the various command levels
   assigned to the user, and accounting keeps track of the activity of
   a user who has accessed the device.

   The ietf-tacacs module is intended to augment the "/sys:system" path
   defined in the ietf-system module [RFC7317] with the "tacacs"
   grouping.  Therefore, a device can use local, Remote Authentication
   Dial In User Service (RADIUS), or Terminal Access Controller Access
   Control System Plus (TACACS+) security to validate users who attempt
   to access the router by several mechanisms, e.g. a command line
   interface or a web-based user interface.

   Under the "tacacs" grouping, there is a tacacs-servers container.
   The container is used to present the "enable" and the global
   parameter configuration used by all the configured TACACS+ servers.
   The configuration of an individual tacacs server can, however,
   override the global shared-key configuration.

   The TACACS+ protocol defines a suite of three protocols, but an
   implementation is not required to use them simultaneously.  The
   "tacacs-server" list holds the different TACACS+ servers and uses
   server-type to distinguish the three protocols.  The list of servers
   is for redundancy purposes.

   In the direction orthogonal to the tacacs container, the commands
   are presented.  Those, in YANG terms, are the RPC commands.  These
   RPC commands provide uniform APIs for resetting all statistics,
   resetting authentication statistics, resetting authorization
   statistics, resetting accounting statistics, and resetting common
   statistics.
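   To make the override rule and the model's constraints concrete, the
   following Python example is added here; it is not part of the draft
   and not an implementation from the authors or from any NETCONF
   server.  It builds a constructed instance of the augment in the
   RFC 7951 JSON encoding (module-qualified names "ietf-system:system"
   and "ietf-tacacs:tacacs"), checks a write request against the
   ranges, defaults, server-type enum and list key taken from the
   module in Section 5, rejects the leaves the module marks "config
   false", and resolves which shared key each server ends up using.
   All addresses, server names and keys in it are hypothetical.  One
   point it makes visible: "password-extend" is a plain string type, so
   the shared key is ordinary readable configuration, and the NETCONF
   access control restrictions discussed in Section 6 are what keep it
   from being read back by every NETCONF user.

```python
"""Constructed ietf-tacacs instance data (RFC 7951-style JSON of the
/sys:system augment) and a checker for the draft module's constraints."""
import ipaddress

# Constraints transcribed from the ietf-tacacs module in Section 5.
RANGES = {"timeout": (1, 300), "quiet-time": (1, 255), "server-port": (1, 65535)}
DEFAULTS = {"timeout": 5, "quiet-time": 5, "server-port": 49, "single-connection": False}
SERVER_TYPES = {"authentication", "authorization", "accounting"}
# Leaves the module marks "config false": operational state a client must
# never send in an edit-config (17 leaves in the tree diagram).
CONFIG_FALSE = {"server-state", "current-srv", "account-rsp-err"} | {
    f"{p}-{s}" for p in ("authen", "author", "acct")
    for s in ("srv-connected-num", "srv-disconnected-num", "reqs-num", "rsps-num")
} | {"authen-errors", "author-errors"}

# Constructed edit-config payload; addresses and keys are hypothetical.
SAMPLE_CONFIG = {"ietf-system:system": {"ietf-tacacs:tacacs": {
    "enable": True,
    "tacacs-servers": {
        "timeout": 10,
        "shared-key": "global-key",                 # inherited by authn-1
        "source-ip": "192.0.2.10",
        "tacacs-server": [
            {"name": "authn-1", "server-ip": "192.0.2.1",
             "server-type": "authentication"},
            {"name": "acct-1", "server-ip": "192.0.2.2",
             "server-type": "accounting", "server-port": 4949,
             "shared-key": "acct-only-key"},        # overrides the global key
        ]}}}}

# A constructed payload carrying the mistakes a validator must reject.
SAMPLE_BAD_WRITE = {"ietf-system:system": {"ietf-tacacs:tacacs": {
    "tacacs-servers": {
        "timeout": 0,                                # below range 1..300
        "tacacs-server": [
            {"name": "x", "server-ip": "224.0.0.1",  # multicast, not unicast
             "server-port": 70000,                   # above 65535
             "server-state": "up"},                  # config false leaf
            {"name": "x", "server-type": "radius"},  # duplicate key, bad enum
        ]}}}}


def _tacacs(config):
    return config["ietf-system:system"]["ietf-tacacs:tacacs"]

def _unicast(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return not (ip.is_multicast or ip.is_unspecified)

def _in_range(leaf, value, errors, where=""):
    lo, hi = RANGES[leaf]
    if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
        errors.append(f"{where}{leaf}: {value!r} not in {lo}..{hi}")

def _key_ok(value, errors, where=""):
    # password-extend is a plain string of length 1..255
    if not isinstance(value, str) or not 1 <= len(value) <= 255:
        errors.append(f"{where}shared-key: length must be 1..255")

def validate_write(config):
    """Return the constraint violations in an edit-config payload ([] if none)."""
    errors, servers = [], _tacacs(config).get("tacacs-servers", {})
    for leaf in ("timeout", "quiet-time"):
        if leaf in servers:
            _in_range(leaf, servers[leaf], errors)
    if "shared-key" in servers:
        _key_ok(servers["shared-key"], errors)
    seen = set()
    for srv in servers.get("tacacs-server", []):
        name = srv.get("name")
        if not isinstance(name, str):
            errors.append("tacacs-server: list key 'name' missing")
            continue
        where = f"tacacs-server[{name}]/"
        if name in seen:
            errors.append(f"{where}duplicate list key")
        seen.add(name)
        errors += [f"{where}{leaf}: config false, not writable"
                   for leaf in srv if leaf in CONFIG_FALSE]
        if "server-port" in srv:
            _in_range("server-port", srv["server-port"], errors, where)
        if "server-type" in srv and srv["server-type"] not in SERVER_TYPES:
            errors.append(f"{where}server-type: {srv['server-type']!r} not in enum")
        if "server-ip" in srv and not _unicast(srv["server-ip"]):
            errors.append(f"{where}server-ip: must be a valid unicast address")
        if "shared-key" in srv:
            _key_ok(srv["shared-key"], errors, where)
    return errors

def effective_servers(config):
    """Apply defaults and the Section 4 override rule: a server's own
    shared-key wins, otherwise the global tacacs-servers key applies."""
    servers = _tacacs(config).get("tacacs-servers", {})
    return {srv["name"]: {
        "server-ip": srv.get("server-ip"),
        "server-type": srv.get("server-type"),
        "server-port": srv.get("server-port", DEFAULTS["server-port"]),
        "single-connection": srv.get("single-connection", DEFAULTS["single-connection"]),
        "shared-key": srv.get("shared-key", servers.get("shared-key")),
        "timeout": servers.get("timeout", DEFAULTS["timeout"]),
        "quiet-time": servers.get("quiet-time", DEFAULTS["quiet-time"]),
    } for srv in servers.get("tacacs-server", [])}
```

   Running validate_write(SAMPLE_CONFIG) returns an empty list, while
   validate_write(SAMPLE_BAD_WRITE) reports the out-of-range timeout and
   port, the multicast server-ip, the attempt to write the config-false
   server-state leaf, the duplicate list key and the unknown enum value.
   effective_servers(SAMPLE_CONFIG) shows "authn-1" using the global
   key and port 49, and "acct-1" using its own key and port 4949.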
   The data model for tacacs has the following structure:

   module: ietf-tacacs
     augment /sys:system:
       +--rw tacacs {tacacs}?
          +--rw enable?   boolean
          +--rw tacacs-servers
             +--rw timeout?      uint32
             +--rw quiet-time?   uint32
             +--rw shared-key?   password-extend
             +--rw source-ip?    inet:ip-address
             +--rw tacacs-server* [name]
                +--rw name                           string
                +--rw server-ip?                     inet:ip-address
                +--rw server-type?                   server-type
                +--rw network-instance?              -> /ni:network-instances
                                                          /network-instance/name
                +--rw server-port?                   uint32
                +--rw single-connection?             boolean
                +--ro server-state?                  server-state
                +--ro current-srv?                   boolean
                +--rw shared-key?                    password-extend
                +--ro authen-srv-connected-num?      uint32
                +--ro authen-srv-disconnected-num?   uint32
                +--ro authen-reqs-num?               uint32
                +--ro authen-rsps-num?               uint32
                +--ro authen-errors?                 uint32
                +--ro author-srv-connected-num?      uint32
                +--ro author-srv-disconnected-num?   uint32
                +--ro author-reqs-num?               uint32
                +--ro author-rsps-num?               uint32
                +--ro author-errors?                 uint32
                +--ro acct-reqs-num?                 uint32
                +--ro acct-rsps-num?                 uint32
                +--ro acct-srv-connected-num?        uint32
                +--ro acct-srv-disconnected-num?     uint32
                +--ro account-rsp-err?               uint32

     rpcs:
       +---x rest-all-statistics
       +---x reset-authen-statistics
       +---x reset-author-statistics
       +---x reset-account-statistics
       +---x reset-common-statistics

5.  TACACS+ Module

   <CODE BEGINS> file "ietf-tacacs@2018-09-24.yang"

   module ietf-tacacs {
     namespace "urn:ietf:params:xml:ns:yang:ietf-tacacs";
     prefix tcs;

     import ietf-inet-types {
       prefix inet;
     }
     import ietf-network-instance {
       prefix ni;
     }
     import ietf-system {
       prefix sys;
     }

     organization
       "IETF Opsawg (Operations and Management Area Working Group)";
     contact
       "WG Web:
        WG List:

        Editor: Guangying Zheng
        ";
     description
       "This module defines a component that describes the
        configuration of a TACACS+ client.";

     revision 2018-09-24 {
       description
         "Initial revision.";
       reference "foo";
     }

     typedef password-extend {
       type string {
         length "1..255";
       }
       description
         "A password; currently represented as a plain string.";
     }

     typedef server-state {
       type enumeration {
         enum up {
           description
             "The server is active.";
         }
         enum down {
           description
             "The server is inactive.";
         }
       }
       description
         "The type of TACACS+ server state";
     }

     typedef server-type {
       type enumeration {
         enum authentication {
           description
             "The server is an authentication server.";
         }
         enum authorization {
           description
             "The server is an authorization server.";
         }
         enum accounting {
           description
             "The server is an accounting server.";
         }
       }
       description
         "The type of TACACS+ server";
     }

     feature tacacs {
       description
         "Indicates that the device can be configured as a
          TACACS+ client.";
     }

     grouping tacacs {
       container tacacs {
         if-feature "tacacs";
         description
           "Container for TACACS+ configurations and operations.";
         leaf enable {
           type boolean;
           default "false";
           description
             "Whether the TACACS+ server is enabled.";
         }
         container tacacs-servers {
           description
             "A set of TACACS+ servers.";
           leaf timeout {
             type uint32 {
               range "1..300";
             }
             default "5";
             description
               "Server response timeout period.  The default timeout
                period is 5 seconds.";
           }
           leaf quiet-time {
             type uint32 {
               range "1..255";
             }
             default "5";
             description
               "Time period after which the primary server restores to
                active.  The default time period is 5 minutes.";
           }
           leaf shared-key {
             type password-extend;
             description
               "Shared key for a TACACS+ server.  Configuring a shared
                key improves the communication security between a
                router and TACACS+ server.  By default, no shared key
                is configured.";
           }
           leaf source-ip {
             type inet:ip-address;
             description
               "Source IP address for a TACACS+ server.";
           }
           list tacacs-server {
             key "name";
             description
               "List for TACACS+ server.";
             leaf name {
               type string;
               description
                 "Name of TACACS+ server";
             }
             leaf server-ip {
               type inet:ip-address;
               description
                 "Server IP address.  Must be a valid unicast IP
                  address.";
             }
             leaf server-type {
               type server-type;
               description
                 "Server type: authentication/authorization/accounting.";
             }
             leaf network-instance {
               type leafref {
                 path "/ni:network-instances/ni:network-instance/ni:name";
               }
               description
                 "Configure the vpn-instance name.";
             }
             leaf server-port {
               type uint32 {
                 range "1..65535";
               }
               default "49";
               description
                 "Server port.  Value range: 1-65535.  The default port
                  number is 49.";
             }
             leaf single-connection {
               type boolean;
               default "false";
               description
                 "Whether the single connection mode is enabled for the
                  server.  By default, the single connection mode is
                  disabled.";
             }
             leaf server-state {
               type server-state;
               config false;
               description
                 "Server running status.";
             }
             leaf current-srv {
               type boolean;
               default "false";
               config false;
               description
                 "Whether the server is being used.";
             }
             leaf shared-key {
               type password-extend;
               description
                 "Shared key for a TACACS+ server.  Configuring a shared
                  key improves the communication security between a
                  router and TACACS+ server.  By default, no shared key
                  is configured.";
             }
             leaf authen-srv-connected-num {
               type uint32;
               config false;
               description
                 "Number of times that the TACACS+ client successfully
                  connected to the authentication server.";
             }
             leaf authen-srv-disconnected-num {
               type uint32;
               config false;
               description
                 "Number of times that the TACACS+ client disconnected
                  from the authentication server.";
             }
             leaf authen-reqs-num {
               type uint32;
               config false;
               description
                 "Number of authentication requests.";
             }
             leaf authen-rsps-num {
               type uint32;
               config false;
               description
                 "Number of authentication responses.";
             }
             leaf authen-errors {
               type uint32;
               config false;
               description
                 "Number of authentication errors.";
             }
             leaf author-srv-connected-num {
               type uint32;
               config false;
               description
                 "Number of times that the TACACS+ client connected
                  to the authorization server.";
             }
             leaf author-srv-disconnected-num {
               type uint32;
               config false;
               description
                 "Number of times that the TACACS+ client disconnected
                  from the authorization server.";
             }
             leaf author-reqs-num {
               type uint32;
               config false;
               description
                 "Number of authorization requests.";
             }
             leaf author-rsps-num {
               type uint32;
               config false;
               description
                 "Number of authorization responses.";
             }
             leaf author-errors {
               type uint32;
               config false;
               description
                 "Number of authorization errors.";
             }
             leaf acct-reqs-num {
               type uint32;
               config false;
               description
                 "Number of accounting requests.";
             }
             leaf acct-rsps-num {
               type uint32;
               config false;
               description
                 "Number of accounting responses.";
             }
             leaf acct-srv-connected-num {
               type uint32;
               config false;
               description
                 "Number of times that the TACACS+ client connected to
                  the accounting server.";
             }
             leaf acct-srv-disconnected-num {
               type uint32;
               config false;
               description
                 "Number of times that the TACACS+ client disconnected
                  from the accounting server.";
             }
             leaf account-rsp-err {
               type uint32;
               config false;
               description
                 "Number of abnormal accounting responses received from
                  the server.";
             }
           }
         }
       }
       description
         "Grouping for tacacs";
     }

     augment "/sys:system" {
       uses tacacs;
       description
         "Augment the system module";
     }
     rpc rest-all-statistics {
       description
         "Reset All Statistics.";
     }
     rpc reset-authen-statistics {
       description
         "Reset authentication statistics of the TACACS+ server.";
     }
     rpc reset-author-statistics {
       description
         "Reset authorization statistics of the TACACS+ server.";
     }
     rpc reset-account-statistics {
       description
         "Reset accounting statistics of the TACACS+ server.";
     }
     rpc reset-common-statistics {
       description
         "Reset common statistics of the TACACS+ server.";
     }
   }

   <CODE ENDS>

6.  Security Considerations

   The YANG module defined in this document is designed to be accessed
   via network management protocols such as NETCONF [RFC6241] or
   RESTCONF [RFC8040].
   The lowest NETCONF layer is the secure transport layer, and the
   mandatory-to-implement secure transport is Secure Shell (SSH)
   [RFC6242].  The lowest RESTCONF layer is HTTPS, and the
   mandatory-to-implement secure transport is TLS [RFC8446].

   The NETCONF access control model [RFC6536] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.

   This document describes the use of TACACS+ for purposes of
   authentication, authorization and accounting; it is therefore
   vulnerable to all of the threats that are present in TACACS+
   applications.  For a discussion of such threats, see Section 9 of
   the TACACS+ Protocol [I-D.ietf-opsawg-tacacs].

7.  IANA Considerations

   This document registers a URI in the IETF XML registry [RFC3688].
   Following the format in [RFC3688], the following registration is
   requested to be made:

      URI: urn:ietf:params:xml:ns:yang:ietf-tacacs
      Registrant Contact: The IESG.
      XML: N/A, the requested URI is an XML namespace.

   This document registers a YANG module in the YANG Module Names
   registry [RFC7950].

      Name: ietf-tacacs
      Namespace: urn:ietf:params:xml:ns:yang:ietf-tacacs
      Prefix: tcs
      Reference: RFC XXXX

8.  Normative References

   [I-D.ietf-opsawg-tacacs]
              Dahm, T., Ota, A., dcmgash@cisco.com, d., Carrel, D., and
              L. Grant, "The TACACS+ Protocol", draft-ietf-opsawg-
              tacacs-11 (work in progress), September 2018.
   [RFC1492]  Finseth, C., "An Access Control Protocol, Sometimes Called
              TACACS", RFC 1492, DOI 10.17487/RFC1492, July 1993.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC6021]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6021, DOI 10.17487/RFC6021, October 2010.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012.

   [RFC7317]  Bierman, A. and M. Bjorklund, "A YANG Data Model for
              System Management", RFC 7317, DOI 10.17487/RFC7317, August
              2014.

   [RFC792]   Postel, J., "Internet Control Message Protocol", RFC 792,
              September 1981.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.
   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

Authors' Addresses

   Guangying Zheng
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: zhengguangying@huawei.com


   Michael Wang
   Huawei Technologies, Co., Ltd
   101 Software Avenue, Yuhua District
   Nanjing 210012
   China

   Email: wangzitao@huawei.com


   Bo Wu
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: lana.wubo@huawei.com