Network Working Group                                          G. Zheng
Internet-Draft                                                  M. Wang
Intended status: Standards Track                                  B. Wu
Expires: December 22, 2019                                       Huawei
                                                          June 20, 2019

                     YANG Data Model for TACACS+
                   draft-zheng-opsawg-tacacs-yang-02

Abstract

   This document defines a YANG module that augments the System data
   model defined in RFC 7317 with a TACACS+ client model.  The data
   model of the Terminal Access Controller Access Control System Plus
   (TACACS+) client allows the configuration of TACACS+ servers for
   centralized Authentication, Authorization and Accounting.

   The YANG module in this document conforms to the Network Management
   Datastore Architecture (NMDA) defined in RFC 8342.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 22, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions used in this document
     2.1.  Tree Diagrams
   3.  TACACS+ Client Model
   4.  TACACS+ Client Module
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgments
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document defines a YANG module that augments the System data
   model defined in [RFC7317] with a TACACS+ client model.

   TACACS+ provides Device Administration for routers, network access
   servers and other networked computing devices via one or more
   centralized servers, as defined in the TACACS+ Protocol
   [I-D.ietf-opsawg-tacacs].

   The System Management Model [RFC7317] defines two YANG features to
   support local or RADIUS authentication:

   o  User Authentication Model: Defines a list of usernames and
      passwords and controls the order in which local or RADIUS
      authentication is used.

   o  RADIUS Client Model: Defines a list of RADIUS servers that a
      device uses.
   Since TACACS+ is also used for device management and that function
   is not contained in the System model, this document defines a YANG
   data model that allows users to configure TACACS+ client functions on
   a device for centralized Authentication, Authorization and Accounting
   provided by TACACS+ servers.

   The YANG model can be used with network management protocols such as
   NETCONF [RFC6241] to install, manipulate, and delete the
   configuration of network devices.

   The YANG data model in this document conforms to the Network
   Management Datastore Architecture (NMDA) defined in [RFC8342].

2.  Conventions used in this document

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The following terms are defined in [RFC6241] and are used in this
   specification:

   o  client

   o  configuration data

   o  server

   o  state data

   The following terms are defined in [RFC7950] and are used in this
   specification:

   o  augment

   o  data model

   o  data node

   The terminology for describing YANG data models is found in
   [RFC7950].

2.1.  Tree Diagrams

   Tree diagrams used in this document follow the notation defined in
   [RFC8340].

3.  TACACS+ Client Model

   This model is used to configure the TACACS+ client on a device to
   support deployment scenarios with centralized authentication,
   authorization, and accounting servers.  Authentication validates a
   user's name and password, authorization allows the user to access
   and execute commands at the command levels assigned to the user, and
   accounting keeps track of the activity of a user who has accessed
   the device.
   The ietf-system-tacacsplus module augments the "/sys:system" path
   defined in the ietf-system module with the "tacacsplus" grouping.  A
   device can therefore use local accounts, Remote Authentication Dial
   In User Service (RADIUS), or Terminal Access Controller Access
   Control System Plus (TACACS+) to validate users who attempt to access
   the router through any of several mechanisms, e.g. a command line
   interface or a web-based user interface.

   The "server" list sits directly under the "tacacsplus" container and
   holds the TACACS+ servers the device uses; "server-type" indicates
   which of the three AAA functions (authentication, authorization or
   accounting) a server provides.  The list of servers is for redundancy
   purposes.

   Most of the parameters in the "server" list are taken directly from
   the TACACS+ protocol [I-D.ietf-opsawg-tacacs]; some are derived from
   the widespread practice of network equipment manufacturers.  For
   example, when there are multiple interfaces connected to the TACACS+
   server, the source address of outgoing TACACS+ packets can be
   specified directly, or it can be derived from a designated source
   interface.  For a TACACS+ server located in a private network, the
   VRF instance used to reach it can be specified.

   The "statistics" container under each "server" entry records
   operational counters for the connection to that server: connections
   opened, closed, aborted, failed and timed out, and messages sent,
   received and received in error.

   The data model for the TACACS+ client has the following structure:

   module: ietf-system-tacacsplus
     augment /sys:system:
       +--rw tacacsplus {tacacsplus}?
          +--rw server* [name]
             +--rw name                    string
             +--rw server-type?            enumeration
             +--rw address                 inet:host
             +--rw port?                   inet:port-number
             +--rw shared-secret           string
             +--rw (source-type)?
             |  +--:(source-ip)
             |  |  +--rw source-ip?        inet:ip-address
             |  +--:(source-interface)
             |     +--rw source-interface? if:interface-ref
             +--rw single-connection?      boolean
             +--rw timeout?                uint16
             +--rw vrf-instance?
             |       -> /ni:network-instances/network-instance/name
             +--ro statistics
                +--ro connection-opens?      yang:counter64
                +--ro connection-closes?     yang:counter64
                +--ro connection-aborts?     yang:counter64
                +--ro connection-failures?   yang:counter64
                +--ro connection-timeouts?   yang:counter64
                +--ro messages-sent?         yang:counter64
                +--ro messages-received?     yang:counter64
                +--ro errors-received?       yang:counter64

4.  TACACS+ Client Module

   file "ietf-system-tacacsplus@2019-06-20.yang"

   module ietf-system-tacacsplus {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus";
     prefix sys-tcsplus;

     import ietf-inet-types {
       prefix inet;
       reference "RFC 6991: Common YANG Data Types";
     }
     import ietf-yang-types {
       prefix yang;
       reference "RFC 6991: Common YANG Data Types";
     }
     import ietf-network-instance {
       prefix ni;
       reference
         "RFC 8529: YANG Data Model for Network Instances";
     }
     import ietf-interfaces {
       prefix if;
       reference
         "RFC 8343: A YANG Data Model for Interface Management";
     }
     import ietf-system {
       prefix sys;
       reference "RFC 7317: A YANG Data Model for System Management";
     }
     import ietf-netconf-acm {
       prefix nacm;
       reference "RFC 8341: Network Configuration Access Control Model";
     }

     organization
       "IETF Opsawg (Operations and Management Area Working Group)";
     contact
       "WG Web:
        WG List:

        Editor: Guangying Zheng
        ";
     description
       "This module provides configuration of the TACACS+ client.

        Copyright (c) 2019 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.
        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see the
        RFC itself for full legal notices.";

     revision 2019-06-20 {
       description
         "Initial revision.";
       reference "RFC XXXX: YANG Data Model for TACACS+";
     }

     feature tacacsplus {
       description
         "Indicates that the device can be configured as a TACACS+
          client.";
       reference "draft-ietf-opsawg-tacacs: The TACACS+ Protocol";
     }

     grouping statistics {
       description
         "Grouping for TACACS+ packet statistics attributes";
       container statistics {
         config false;
         description
           "A collection of server-related statistics objects";
         leaf connection-opens {
           type yang:counter64;
           description
             "Number of new connection requests sent to the server, e.g.
              socket open";
         }
         leaf connection-closes {
           type yang:counter64;
           description
             "Number of connection close requests sent to the server,
              e.g. socket close";
         }
         leaf connection-aborts {
           type yang:counter64;
           description
             "Number of aborted connections to the server.  These do
              not include connections that are closed gracefully.";
         }
         leaf connection-failures {
           type yang:counter64;
           description
             "Number of connection failures to the server";
         }
         leaf connection-timeouts {
           type yang:counter64;
           description
             "Number of connection timeouts to the server";
         }
         leaf messages-sent {
           type yang:counter64;
           description
             "Number of messages sent to the server";
         }
         leaf messages-received {
           type yang:counter64;
           description
             "Number of messages received from the server";
         }
         leaf errors-received {
           type yang:counter64;
           description
             "Number of error messages received from the server";
         }
       }
     }

     grouping tacacsplus {
       description
         "Grouping for TACACS+ attributes";
       container tacacsplus {
         if-feature "tacacsplus";
         description
           "Container for TACACS+ configuration and operational data.";
         list server {
           key "name";
           ordered-by user;
           description
             "List of TACACS+ servers used by the device.

              When the TACACS+ client is invoked by a calling
              application, it sends the query to the first server in
              this list.  If no response has been received within
              'timeout' seconds, the client continues with the next
              server in the list.  If no response is received from any
              server, the client continues with the first server again.
              When the client has traversed the list 'attempts' times
              without receiving any response, it gives up and returns an
              error to the calling application.";
           leaf name {
             type string;
             description
               "An arbitrary name for the TACACS+ server.";
           }
           leaf server-type {
             type enumeration {
               enum authentication {
                 description
                   "The server is an authentication server.";
               }
               enum authorization {
                 description
                   "The server is an authorization server.";
               }
               enum accounting {
                 description
                   "The server is an accounting server.";
               }
             }
             description
               "Server type: authentication/authorization/accounting.";
           }
           leaf address {
             type inet:host;
             mandatory true;
             description
               "The address of the TACACS+ server.";
           }
           leaf port {
             type inet:port-number;
             default "49";
             description
               "The port number of the TACACS+ server.";
           }
           leaf shared-secret {
             type string;
             mandatory true;
             nacm:default-deny-all;
             description
               "The shared secret, which is known to both the
                TACACS+ client and server.  TACACS+ server
                administrators SHOULD configure secret keys of minimum
                16 characters length.";
             reference "draft-ietf-opsawg-tacacs: The TACACS+ Protocol";
           }
           choice source-type {
             description
               "The source address type for outbound TACACS+ packets.";
             case source-ip {
               leaf source-ip {
                 type inet:ip-address;
                 description
                   "Specifies the source IP address for TACACS+ outbound
                    packets.";
               }
             }
             case source-interface {
               leaf source-interface {
                 type if:interface-ref;
                 description
                   "Specifies the interface from which the IP address is
                    derived for use as the source for the outbound
                    TACACS+ packet";
               }
             }
           }
           leaf single-connection {
             type boolean;
             default "false";
             description
               "Whether the single connection mode is enabled for the
                server.  By default, the single connection mode is
                disabled.";
           }
           leaf timeout {
             type uint16 {
               range "1..300";
             }
             units "seconds";
             default "5";
             description
               "The number of seconds the device will wait for a
                response from each TACACS+ server before trying with a
                different server.";
           }
           leaf vrf-instance {
             type leafref {
               path "/ni:network-instances/ni:network-instance/ni:name";
             }
             description
               "Specifies the VPN Routing and Forwarding (VRF) instance
                to use to communicate with the TACACS+ server.";
           }

           uses statistics;
         }
       }
     }

     augment "/sys:system" {
       description
         "Augment the system model with the TACACS+ client (tacacsplus)
          model.";
       uses tacacsplus;
     }
   }

5.  Security Considerations

   The YANG module defined in this document is designed to be accessed
   via network management protocols such as NETCONF [RFC6241] or
   RESTCONF [RFC8040].  The lowest NETCONF layer is the secure transport
   layer, and the mandatory-to-implement secure transport is Secure
   Shell (SSH) [RFC6242].  The lowest RESTCONF layer is HTTPS, and the
   mandatory-to-implement secure transport is TLS [RFC8446].

   The NETCONF access control model [RFC8341] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  In this module the whole "server" list
   is such a node: changing "address", "port", "vrf-instance" or the
   source-address leaves can redirect authentication, authorization and
   accounting traffic to a server of the attacker's choosing, and
   deleting entries can disable centralized AAA altogether.  The
   "shared-secret" leaf is additionally marked "nacm:default-deny-all",
   so it is neither readable nor writable unless an explicit NACM rule
   permits it.
   Because this document describes the use of TACACS+ for
   authentication, authorization and accounting, it is subject to all
   of the threats that apply to TACACS+ deployments.  For a discussion
   of those threats, see Section 9 of the TACACS+ Protocol
   [I-D.ietf-opsawg-tacacs].

6.  IANA Considerations

   This document registers a URI in the IETF XML registry [RFC3688].
   Following the format in [RFC3688], the following registration is
   requested to be made:

      URI: urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus
      Registrant Contact: The IESG.
      XML: N/A, the requested URI is an XML namespace.

   This document registers a YANG module in the YANG Module Names
   registry [RFC7950].

      Name: ietf-system-tacacsplus
      Namespace: urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus
      Prefix: sys-tcsplus
      Reference: RFC XXXX

7.  Acknowledgments

   The authors wish to thank Alex Campbell, Ebben Aries, Alan DeKok,
   Joe Clarke and many others for their helpful comments.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7317]  Bierman, A. and M. Bjorklund, "A YANG Data Model for
              System Management", RFC 7317, DOI 10.17487/RFC7317,
              August 2014.
   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

8.2.  Informative References

   [I-D.ietf-opsawg-tacacs]
              Dahm, T., Ota, A., Medway Gash, D., Carrel, D., and
              L. Grant, "The TACACS+ Protocol", draft-ietf-opsawg-
              tacacs-13 (work in progress), March 2019.

Authors' Addresses

   Guangying Zheng
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: zhengguangying@huawei.com


   Michael Wang
   Huawei Technologies, Co., Ltd
   101 Software Avenue, Yuhua District
   Nanjing 210012
   China

   Email: wangzitao@huawei.com


   Bo Wu
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: lana.wubo@huawei.com
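Appendix A.  Usage Example

   The program below is an added example and is not part of this draft,
   nor code from any TACACS+ or NETCONF implementation.  It transcribes
   the constraints that Sections 3 and 4 place on an entry of the
   "server" list (mandatory "address" and "shared-secret", the exclusive
   "source-type" choice, the 1..300 "timeout" range, the port default of
   49, and the SHOULD on a 16-character secret) into a pre-commit check,
   then emits the NETCONF edit-config payload an operator would send.
   The server names, addresses, secrets, the interface name "eth0" and
   the network-instance "mgmt" are constructed sample data; the "mgmt"
   VRF is assumed to exist on the device, since "vrf-instance" is a
   leafref into ietf-network-instance.  Only the Python standard library
   is used, so it runs offline.

```python
"""Pre-commit check and <edit-config> builder for the 'server' list of
ietf-system-tacacsplus.  Added example, not from the draft: the checks
are transcribed from the module text (mandatory 'address' and
'shared-secret', the 'source-type' choice, 'timeout' range 1..300, port
default 49, the SHOULD on a 16-character secret)."""
import ipaddress
import xml.etree.ElementTree as ET

NS_NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
NS_SYS = "urn:ietf:params:xml:ns:yang:ietf-system"
NS_TAC = "urn:ietf:params:xml:ns:yang:ietf-system-tacacsplus"
SERVER_TYPES = ("authentication", "authorization", "accounting")
# Leaf order follows the module; the list key 'name' must come first.
LEAF_ORDER = ("name", "server-type", "address", "port", "shared-secret",
              "source-ip", "source-interface", "single-connection",
              "timeout", "vrf-instance")


def validate_server(server):
    """Check one 'server' entry given as a dict keyed by leaf name.

    Returns (errors, warnings): errors violate the module and would be
    rejected by a NETCONF server; warnings violate only a SHOULD."""
    errors, warnings = [], []
    if not server.get("name"):
        errors.append("name: list key is required")
    for leaf in ("address", "shared-secret"):
        if leaf not in server:
            errors.append(f"{leaf}: mandatory leaf missing")
    if len(server.get("shared-secret", "x" * 16)) < 16:
        warnings.append("shared-secret: SHOULD be at least 16 characters")
    if "server-type" in server and server["server-type"] not in SERVER_TYPES:
        errors.append("server-type: not one of " + "/".join(SERVER_TYPES))
    if not 0 <= int(server.get("port", 49)) <= 65535:
        errors.append("port: outside inet:port-number")
    if not 1 <= int(server.get("timeout", 5)) <= 300:
        errors.append("timeout: outside range 1..300")
    # 'source-ip' and 'source-interface' are the two cases of one choice.
    if "source-ip" in server and "source-interface" in server:
        errors.append("source-type: only one case of the choice may be set")
    if "source-ip" in server:
        try:
            ipaddress.ip_address(server["source-ip"])
        except ValueError:
            errors.append("source-ip: not an inet:ip-address")
    return errors, warnings


def build_edit_config(servers, message_id="101"):
    """Serialise the servers as an <edit-config> on the running
    datastore.  Raises ValueError listing every hard error first, so a
    bad entry never reaches the device."""
    bad = {s.get("name", "?"): validate_server(s)[0] for s in servers}
    bad = {name: errs for name, errs in bad.items() if errs}
    if bad:
        raise ValueError(bad)
    ET.register_namespace("nc", NS_NC)
    ET.register_namespace("sys", NS_SYS)
    ET.register_namespace("sys-tcsplus", NS_TAC)
    rpc = ET.Element(f"{{{NS_NC}}}rpc", {"message-id": message_id})
    edit = ET.SubElement(rpc, f"{{{NS_NC}}}edit-config")
    target = ET.SubElement(edit, f"{{{NS_NC}}}target")
    ET.SubElement(target, f"{{{NS_NC}}}running")
    config = ET.SubElement(edit, f"{{{NS_NC}}}config")
    system = ET.SubElement(config, f"{{{NS_SYS}}}system")
    tac = ET.SubElement(system, f"{{{NS_TAC}}}tacacsplus")
    for s in servers:
        node = ET.SubElement(tac, f"{{{NS_TAC}}}server")
        for leaf in LEAF_ORDER:
            if leaf in s:
                value = s[leaf]
                if isinstance(value, bool):   # YANG booleans: 'true'/'false'
                    value = str(value).lower()
                ET.SubElement(node, f"{{{NS_TAC}}}{leaf}").text = str(value)
    return ET.tostring(rpc, encoding="unicode")


# Constructed sample data (not from the draft): a well-formed primary
# server reached through the assumed 'mgmt' VRF, and a deliberately
# broken entry that trips three of the checks above.
PRIMARY = {"name": "tac-primary", "server-type": "authentication",
           "address": "192.0.2.10", "shared-secret": "Zx9!long-secret-for-lab",
           "source-interface": "eth0", "single-connection": True,
           "timeout": 10, "vrf-instance": "mgmt"}
BROKEN = {"name": "tac-backup", "address": "192.0.2.11",
          "shared-secret": "short", "timeout": 0,
          "source-ip": "192.0.2.1", "source-interface": "eth1"}

if __name__ == "__main__":
    print(build_edit_config([PRIMARY]))
    for entry in (PRIMARY, BROKEN):
        print(entry["name"], validate_server(entry))
```

   The device's NETCONF server enforces the same constraints itself; the
   value of running them client-side is that a malformed or weak entry
   (a 5-character secret, both source cases set) is caught before the
   secret is ever transmitted, and the error list names the offending
   leaf.  The nc:config subtree in the output is what a NETCONF client
   library such as ncclient takes as the edit-config payload.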