Security Automation and Continuous Monitoring (SACM)              Q. Lin
Internet-Draft                                                    L. Xia
Intended status: Standards Track                                  Huawei
Expires: January 3, 2019                                     H. Birkholz
                                                          Fraunhofer SIT
                                                            July 2, 2018


    The Data Model of Network Infrastructure Device Management Plane
                           Security Baseline
               draft-lin-sacm-nid-mp-security-baseline-03

Abstract

   This document provides a security baseline for the network
   infrastructure device management plane, represented as a YANG data
   model.  Instance values of this YANG data model can be transported
   between Security Automation and Continuous Monitoring (SACM)
   components and used for network infrastructure device security
   evaluation.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 3, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect



Lin, et al.              Expires January 3, 2019                [Page 1]


Internet-Draft  Network Device Management Plane Security       July 2018


   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . . .   3
   5.  Data Model Structure  . . . . . . . . . . . . . . . . . . . .   4
     5.1.  Administrator Management Security . . . . . . . . . . . .   5
       5.1.1.  Administrator Security Policy . . . . . . . . . . . .   5
       5.1.2.  Administrator Login Security  . . . . . . . . . . . .   6
       5.1.3.  AAA . . . . . . . . . . . . . . . . . . . . . . . . .   8
       5.1.4.  Administrator Access Statistics . . . . . . . . . . .   9
     5.2.  System Management Security  . . . . . . . . . . . . . . .  10
       5.2.1.  SNMP Management Security  . . . . . . . . . . . . . .  10
       5.2.2.  NETCONF Management Security . . . . . . . . . . . . .  11
       5.2.3.  Port Management Security  . . . . . . . . . . . . . .  11
     5.3.  Log Security  . . . . . . . . . . . . . . . . . . . . . .  12
     5.4.  File Security . . . . . . . . . . . . . . . . . . . . . .  12
   6.  Network Infrastructure Device Security Baseline Yang Module .  13
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  27
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  27
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  27
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  27
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  27
     10.2.  Informative References . . . . . . . . . . . . . . . . .  28
   Appendix A. . . . . . . . . . . . . . . . . . . . . . . . . . . .  29
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  30

1.  Introduction

   Besides user devices and servers, network infrastructure devices such
   as routers, switches, and firewalls are crucial to enterprise network
   security.  The security baseline defined in this document is a
   minimal set of security controls that are essential to provide
   network security.  The security posture of network devices can then
   be assessed by comparing the applied security controls with the
   security baseline and with organization-specific security controls.

   Network devices typically operate in three planes: the management
   plane, the control plane and the data plane.  All three planes
   should be protected and monitored to secure the network.  This
   document focuses on the security baseline for the network device
   management plane.  The management plane provides configuration and
   monitoring services to the network administrator or device owner.
   Unauthorized access, insecure access channels and weak cryptographic
   algorithms are common security issues that break management plane
   security.  A number of security best practices have been proposed
   to deal with these issues, such as disabling unused services and
   ports, discarding insecure access channels, and enforcing strong
   user authentication and authorization.  In this document, we
   provide a minimal set of security controls that are expected to be
   widely applicable to common network devices.  To conduct a security
   posture assessment, the values of these security controls as applied
   on a network device are compared with the reference values defined
   by an organization or third party.  For interoperability and
   extensibility, additional security controls can be specified by
   organizations or provided by specific vendors.

   A YANG data model is used in this document to describe the security
   baseline for the network device management plane.
   [I-D.birkholz-sacm-yang-content] defines a method to construct the
   YANG data model scheme for the security posture assessment of a
   network device by brokering YANG push telemetry via SACM statements.
   In this document, we follow the same approach to define the YANG
   output for network device security posture, based on
   [I-D.ietf-sacm-information-model].

   Besides management plane security baseline, the security baselines
   for control plane, data plane, and infrastructure layer of network
   infrastructure devices are described in
   [I-D.dong-sacm-nid-cp-security-baseline],
   [I-D.xia-sacm-nid-dp-security-baseline] and
   [I-D.dong-sacm-nid-infra-security-baseline] respectively.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Terminology

   This document uses the terms defined in [RFC6020].

4.  Tree Diagrams

   The tree diagram notation defined in [RFC8340] is used to represent
   the YANG data model of network device management plane security.
   The meaning of the symbols used in the tree diagrams and the syntax
   are as follows:

   o  A module is identified by "module:" followed by the module name.
      The top-level data nodes defined in the module are offset by 2
      spaces.  Submodules are represented in the same fashion as
      modules, but are identified by "submodule:" followed by the
      (sub)module name.

   o  Groupings are offset by 2 spaces and identified by the keyword
      "grouping" followed by the name of the grouping and a colon (":")
      character.

   o  Each node in the tree is prefixed with "+--".  Schema nodes that
      are children of another node are offset from the parent by 3
      spaces.

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" means state data (read-only), "x" is used to
      mark rpcs and actions, "w" denotes the input parameters to rpcs
      and actions, and "u" indicates the use of a predefined grouping.

   o  Symbols after data node names: "?" means an optional node, "!"
      means a presence container, and "*" denotes a "list" or "leaf-
      list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

   o  Curly brackets and a question mark "{...}?" are combined to
      represent the features that the node depends on.

5.  Data Model Structure

   This document focuses on network infrastructure device management
   plane security, including the security of administrator management,
   system management protocols, system ports, logs, and the local file
   system.  Both the security configuration and the runtime state of
   security controls are taken into consideration.  Four submodules are
   illustrated in the following sections to represent the security
   baseline for:

   o  Administrator management security

   o  System management protocol security and port management security

   o  Log security

   o  Local file system security

   There exists a multitude of YANG models for network devices and
   network protocols.  For management plane security, several RFCs and
   drafts have defined some related parts.  But an overall data model of
   management plane security is still missing.  Moreover, the related
   data models may only focus on part of the security functions.
   Besides defining new submodules and groupings, the following sections
   will also reuse the existing YANG modules and provide additional
   attributes or groupings for the missing parts.  Appendix A provides a
   summary of existing YANG modules and the relationship to the security
   baseline defined in this document.

5.1.  Administrator Management Security

   The "admin-management-security" submodule is divided into four parts:

   submodule: admin-management-security
     +--rw admin-management-security
        +--rw admin-security-policy
        +--rw admin-login-security
        +--rw aaa-security
        +--ro admin-access-statistics

5.1.1.  Administrator Security Policy

   In order to provide basic protection of administrator accounts,
   security controls on account properties and passwords should be
   applied.  Commonly applied security controls include enforcing a
   minimum account name length, checking that passwords comply with
   the complexity policy, forbidding certain strings in passwords, and
   blocking accounts after several failed logins.  The following data
   model illustrates these kinds of security controls.

     +--rw admin-security-policy
        +--rw account-security-policy
        |  +--rw security-policy        boolean
        |  +--rw account-aging-period   uint64
        |  +--rw account-name-minlen    uint64
        +--rw pwd-security-policy
        |  +--rw expire-days            uint64
        |  +--rw prompt-days            uint64
        |  +--rw change-check           boolean
        |  +--rw complexity-check       boolean
        |  +--rw history-pwd-num        uint64
        |  +--rw pwd-minlen             uint64
        +--rw forbidden-word-rules
        |  +--rw forbidden-word-rule* [forbidden-word]
        |     +--rw forbidden-word      string
        +--rw login-failed-limit
           +--rw failed-times           uint64
           +--rw period                 uint64
           +--rw reactive-time          uint64

5.1.2.  Administrator Login Security

   Network infrastructure devices can typically be managed through a
   command line interface (CLI) or a web user interface.  The web user
   interface provides basic maintenance and management functions, but
   an administrator often still needs the CLI for complex or fine-
   grained management.  If insecure access channels have to be used,
   several security controls should be enforced.

     +--rw admin-login-security
        +--rw console
        |  +--rw auth-mode          auth-mode-type
        |  +--rw privilege-level    uint8
        +--rw vtys
        |  +--rw vty* [vty-number]
        |     +--rw vty-number        uint8
        |     +--rw auth-mode         auth-mode-type
        |     +--rw privilege-level   uint8
        |     +--rw acl-name-list*    string
        |     +--rw ip-block-enable   boolean
        |     +--rw ip-block-limit {ip-block-config}?
        |        +--rw failed-times   uint64
        |        +--rw period         uint64
        |        +--rw reactive-time  uint64
        +--rw telnet
        |  +--rw telnet-ipv4-enable   boolean
        |  +--rw telnet-ipv4-server-port?  inet:port-number
        |  +--rw telnet-ipv6-enable   boolean
        |  +--rw telnet-ipv6-server-port?  inet:port-number
        |  +--rw telnet-server-interface?  string
        |  +--rw acl-name-list*           string
        |  +--rw ip-block-enable   boolean
        |  +--rw ip-block-limit {ip-block-config}?
        |     +--rw failed-times   uint64
        |     +--rw period         uint64
        |     +--rw reactive-time  uint64
        +--rw ssh
        |  +--rw ssh-enable          boolean
        |  +--u ssh-server-grouping [I-D.ietf-netconf-ssh-client-server]
        |  +--u ssh-security-hardening
        +--rw web  {web-interface}?
           +--rw auth-mode         auth-mode-type
           +--rw privilege-level    uint8
           +--rw http-server-interface?         string
           +--rw https-ipv4-enable           boolean
           +--rw https-ipv6-enable           boolean
           +--rw https-source-port?          inet:port-number
           +--rw https-timeout?              uint32
           +--rw ip-block-enable             boolean
           +--rw ip-block-limit {ip-block-config}?
           |  +--rw failed-times   uint64
           |  +--rw period         uint64
           |  +--rw reactive-time  uint64
           +--u tls-server-grouping
                              [I-D.ietf-netconf-tls-client-server]

   In the above structure, several groupings are used.

   o  When an administrator logs in to a device through an SSH-based
      service, e.g. STelnet, the device acts as an SSH server.  Thus,
      the grouping "ssh-server-grouping" defined in
      [I-D.ietf-netconf-ssh-client-server] is used.  This grouping only
      covers SSH-specific configuration; transport-level configuration
      such as which ports to listen on is not included.  Thus,
      configuration related to security hardening of the SSH server,
      for example the port number and the rekey interval, is added as
      the grouping "ssh-security-hardening" in this document.

   o  When an administrator logs in to a device through the web
      interface, the device acts as a web server.  Thus, the grouping
      "tls-server-grouping" defined in
      [I-D.ietf-netconf-tls-client-server] is used.  This grouping also
      covers only TLS-specific configuration, so additional security
      configuration nodes are provided in this document to augment it.

   The structure of grouping "ssh-security-hardening" :

   grouping ssh-security-hardening:
     +--rw ssh-security-hardening
        +--rw ssh-server-port?           inet:port-number
        +--rw ssh-rekey-interval?        uint32
        +--rw ssh-timeout?               uint32
        +--rw ssh-retry-times?           uint32
        +--rw ssh-compatible-ssh1x-enable  boolean
        +--rw ssh-server-interface?         string
        +--rw ip-block-enable            boolean
        +--rw ip-block-limit {ip-block-config}?
           +--rw failed-times   uint64
           +--rw period         uint64
           +--rw reactive-time  uint64

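   As an added example (not part of the draft, and not code from any
   vendor or SACM component) of the posture comparison the Introduction
   describes, the following Python reads an RFC 7951 JSON instance of
   the admin-security-policy (Section 5.1.1) and admin-login-security
   (Section 5.1.2) subtrees and reports every control that deviates
   from a set of reference values.  The instance data and the
   REFERENCE thresholds are constructed assumptions; the draft defines
   the nodes, not the values an organization must require.  Leaves of
   the ssh-security-hardening grouping sit directly under "ssh" in the
   instance, as YANG groupings are inlined where they are used.

```python
from __future__ import annotations
import json

# Constructed sample instance (RFC 7951 JSON encoding) of the
# admin-security-policy and admin-login-security subtrees.
# Node names follow the draft's tree diagrams; the values are made up.
SAMPLE_INSTANCE = json.loads("""
{
  "admin-management-security": {
    "admin-security-policy": {
      "account-security-policy": {
        "security-policy": true, "account-aging-period": 90,
        "account-name-minlen": 6},
      "pwd-security-policy": {
        "expire-days": 180, "prompt-days": 7, "change-check": true,
        "complexity-check": false, "history-pwd-num": 5, "pwd-minlen": 6},
      "forbidden-word-rules": {
        "forbidden-word-rule": [{"forbidden-word": "admin"}]},
      "login-failed-limit": {
        "failed-times": 3, "period": 5, "reactive-time": 5}
    },
    "admin-login-security": {
      "console": {"auth-mode": "password", "privilege-level": 15},
      "vtys": {"vty": [
        {"vty-number": 0, "auth-mode": "aaa", "privilege-level": 1,
         "acl-name-list": ["mgmt-acl"], "ip-block-enable": true},
        {"vty-number": 1, "auth-mode": "none", "privilege-level": 15,
         "ip-block-enable": false}]},
      "telnet": {"telnet-ipv4-enable": true, "telnet-ipv6-enable": false,
                 "ip-block-enable": false},
      "ssh": {"ssh-enable": true, "ssh-server-port": 22,
              "ssh-rekey-interval": 60, "ssh-timeout": 60,
              "ssh-retry-times": 3, "ssh-compatible-ssh1x-enable": true,
              "ip-block-enable": true}
    }
  }
}
""")

# Assumed organisation reference values; the draft leaves these to the
# organisation or a third party and does not specify them.
REFERENCE = {
    "pwd-minlen": 8,        # minimum password length
    "expire-days": 90,      # maximum password lifetime
    "history-pwd-num": 5,   # minimum number of old passwords remembered
    "failed-times": 5,      # maximum failed logins before lock-out
}


def check_security_policy(policy: dict) -> list[str]:
    """Findings for the admin-security-policy subtree (5.1.1)."""
    findings = []
    acct = policy["account-security-policy"]
    pwd = policy["pwd-security-policy"]
    lock = policy["login-failed-limit"]
    if not acct["security-policy"]:
        findings.append("account-security-policy: security-policy disabled")
    if not pwd["complexity-check"]:
        findings.append("pwd-security-policy: complexity-check disabled")
    if pwd["pwd-minlen"] < REFERENCE["pwd-minlen"]:
        findings.append(f"pwd-security-policy: pwd-minlen {pwd['pwd-minlen']}"
                        f" below reference {REFERENCE['pwd-minlen']}")
    if pwd["expire-days"] > REFERENCE["expire-days"]:
        findings.append(f"pwd-security-policy: expire-days {pwd['expire-days']}"
                        f" above reference {REFERENCE['expire-days']}")
    if pwd["history-pwd-num"] < REFERENCE["history-pwd-num"]:
        findings.append("pwd-security-policy: history-pwd-num below reference")
    if lock["failed-times"] > REFERENCE["failed-times"]:
        findings.append("login-failed-limit: failed-times above reference")
    return findings


def check_login_security(login: dict) -> list[str]:
    """Findings for the admin-login-security subtree (5.1.2)."""
    findings = []
    if login["console"]["auth-mode"] == "none":
        findings.append("console: auth-mode none")
    for vty in login["vtys"]["vty"]:
        n = vty["vty-number"]
        if vty["auth-mode"] == "none":
            findings.append(f"vty {n}: auth-mode none")
        if not vty.get("acl-name-list"):      # leaf-list absent or empty
            findings.append(f"vty {n}: no ACL restricts management sources")
        if not vty["ip-block-enable"]:
            findings.append(f"vty {n}: ip-block-enable false")
    telnet = login["telnet"]
    if telnet["telnet-ipv4-enable"] or telnet["telnet-ipv6-enable"]:
        findings.append("telnet: cleartext management channel enabled")
    ssh = login["ssh"]   # ssh-security-hardening leaves are inlined here
    if ssh["ssh-enable"] and ssh["ssh-compatible-ssh1x-enable"]:
        findings.append("ssh: SSH 1.x compatibility enabled")
    return findings


def assess(instance: dict) -> list[str]:
    """Compare an instance against the baseline; returns all findings."""
    root = instance["admin-management-security"]
    return (check_security_policy(root["admin-security-policy"])
            + check_login_security(root["admin-login-security"]))


if __name__ == "__main__":
    for finding in assess(SAMPLE_INSTANCE):
        print("FAIL", finding)
```

   On the constructed instance the checker reports eight findings: three
   against the password policy and five against the login channels
   (the unauthenticated, unfiltered vty 1, the enabled Telnet server and
   SSH 1.x compatibility).  A real deployment would load the instance
   from the device (NETCONF <get> or YANG push) and the reference values
   from the organization's policy rather than from literals.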
5.1.3.  AAA

   Authentication, Authorization, and Accounting (AAA) provides user
   management for network devices.  RADIUS (Remote Authentication Dial
   In User Service) and TACACS+ (Terminal Access Controller Access-
   Control System Plus) are the commonly used AAA protocols.  To
   implement AAA, network devices act as AAA clients that communicate
   with AAA servers.  [RFC7317] defines a YANG module for a client to
   configure RADIUS authentication server information.  In this
   document, the authentication, authorization and accounting schemes,
   as well as the AAA server lists, are all included.

      +--rw aaa-security
         +--rw authentication-scheme* [authen-scheme-name]
         |  +--rw authen-scheme-name   string
         |  +--rw authen-mode*         aaa-authen-mode
         |  +--rw authen-type?         radius-authen-type
         |  +--rw authen-fail-policy   boolean
         +--rw authorization-scheme* [author-scheme-name]
         |  +--rw author-scheme-name   string
         |  +--rw author-mode*         aaa-author-mode
         |  +--rw cmd-author-mode*     aaa-cmd-author-mode
         +--rw accounting-scheme* [account-scheme-name]
         |  +--rw account-scheme-name  string
         |  +--rw account-mode         aaa-account-mode
         +--rw radius-security
         |  +--rw radius-authen-servers* [address]
         |  |  +--rw address         inet:host
         |  |  +--rw port            inet:port-number
         |  +--rw radius-author-servers* [address]
         |  |  +--rw address         inet:host
         |  |  +--rw port            inet:port-number
         |  +--rw radius-account-servers* [address]
         |     +--rw address         inet:host
         |     +--rw port            inet:port-number
         +--rw tacacs-security
            +--rw tacacs-authen-servers* [address]
            |  +--rw address         inet:host
            |  +--rw port            inet:port-number
            +--rw tacacs-author-servers* [address]
            |  +--rw address         inet:host
            |  +--rw port            inet:port-number
            +--rw tacacs-account-servers* [address]
               +--rw address         inet:host
               +--rw port            inet:port-number

5.1.4.  Administrator Access Statistics

   The statistics of the current online administrators, the failed login
   attempts and the blocked addresses are useful for the monitoring of
   network infrastructure devices.  The structure is as follows:

     +--ro admin-access-statistics
        +--ro total-online-users        uint32
        +--ro online-admin-list  {display-online-info}?
        |  +--ro online-users* [account-name]
        |     +--ro account-name           string
        |     +--ro ip-address             inet:ip-address-no-zone
        |     +--ro mac-address            yang:mac-address
        +--ro ip-block-list
           +--ro blocked-ip* [ip-address]
              +--ro ip-address         inet:ip-address-no-zone
              +--ro vpn-instance         string
              +--ro state                ip-block-state-type
              +--ro authen-fail-account  uint32

5.2.  System Management Security

   The "system-management-security" submodule is divided into three
   parts:

   submodule: system-management-security
     +--rw system-management-security
        +--rw snmp-security
        +--rw netconf-security
        +--rw port-management-security

5.2.1.  SNMP Management Security

   The Simple Network Management Protocol (SNMP) is a network
   management standard used to monitor network devices.  Three SNMP
   versions are available: SNMPv1, SNMPv2c, and SNMPv3.  [RFC7407]
   defines YANG modules for configuring the community-based security
   model of SNMPv1 and SNMPv2c, and the View-based Access Control
   Model (VACM) and User-based Security Model (USM) of SNMPv3.  The
   following subtree reuses the subtrees defined in [RFC7407] for SNMP
   security configuration, and only supplements ACL configuration for
   VACM groups.

     +--rw snmp-security                [RFC7407]
        +--rw target* [name]
        |  ...
        +--rw target-params* [name]
        |  ...
        +--rw community* [index]
        |   ...
        +--rw vacm
        |   +--rw group* [name]
        |      +--rw name                 snmp:group-name
        |      +--rw access* [context security-model security-level]
        |         ...
        |         +--rw acl-name-list*    string
        +--rw usm
           ...

5.2.2.  NETCONF Management Security

   The NETCONF server model defined in
   [I-D.ietf-netconf-netconf-client-server] supports both the SSH and
   TLS transport protocols.  To conduct more security controls on
   NETCONF based operations, authorization rules can be used to control
   which operations can be done and which resources can be accessed.

  +--rw netconf-security
     +--rw listen {listen}?        [I-D.ietf-netconf-netconf-client-server]
     |  ...
     +--rw call-home {call-home}?  [I-D.ietf-netconf-netconf-client-server]
     |  ...
     +--rw netconf-authorization?
        +--rw task-group-rules* [task-group-name]
        |  +--rw task-group-name             string
        |  +--rw task-group-rule*   [rule-name]
        |     +--rw rule-name                string
        |     +--rw rule-type                identityref
        +--rw user-group-rules* [user-group-name]
           +--rw user-group-name             string
           +--rw user-group-rule*   [rule-name]
              +--rw rule-name                string
              +--rw rule-type                identityref

5.2.3.  Port Management Security

   Since unused services and ports should be disabled, the current
   status (open or shut down) of the ports available on a network
   device can be retrieved and compared with the communication matrix
   to check the device's security posture.

     +--rw port-management-security
        +--rw port-list*  [port-number]
           +--rw port-number       inet:port-number
           +--rw port-status        boolean

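   As an added example (not part of the draft), the following Python
   performs the comparison just described: the port-list subtree,
   encoded per RFC 7951, is checked against a communication matrix of
   permitted management services.  Both the instance and the matrix are
   constructed, and "port-status" true is taken to mean open and false
   shut down, which is an assumption since the tree gives only the
   leaf's type.

```python
from __future__ import annotations

# Constructed RFC 7951 instance of the port-management-security subtree.
# port-status true = open, false = shut down (assumed reading).
PORT_INSTANCE = {"port-management-security": {"port-list": [
    {"port-number": 22, "port-status": True},    # ssh
    {"port-number": 23, "port-status": True},    # telnet
    {"port-number": 161, "port-status": True},   # snmp
    {"port-number": 830, "port-status": False},  # netconf over ssh
]}}

# Constructed communication matrix: the management services the
# organisation permits on the device, keyed by port.  Any other open
# port is a deviation from the baseline.
COMM_MATRIX = {22: "ssh", 161: "snmp", 830: "netconf-ssh"}


def compare_ports(instance: dict, matrix: dict[int, str]) -> dict[str, list[int]]:
    """Classify reported ports against the communication matrix."""
    entries = instance["port-management-security"]["port-list"]
    open_ports = {e["port-number"] for e in entries if e["port-status"]}
    reported = {e["port-number"] for e in entries}
    return {
        # risk: a service is listening that the matrix does not authorise
        "unexpected-open": sorted(open_ports - matrix.keys()),
        # permitted service that is shut down (or not reported at all)
        "permitted-not-open": sorted(matrix.keys() - open_ports),
        # permitted ports that the device did not report at all
        "unreported": sorted(matrix.keys() - reported),
    }


if __name__ == "__main__":
    for category, ports in compare_ports(PORT_INSTANCE, COMM_MATRIX).items():
        print(f"{category}: {ports}")
```

   Only "unexpected-open" is a security finding (here the Telnet port);
   the other two categories flag drift between the matrix and the
   device that an operator should reconcile rather than a weakness.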
5.3.  Log Security

   To monitor the running status of network devices and diagnose faults
   or attacks on them, the activities of network administrators, the
   operations conducted on devices, and security notifications of
   abnormal events need to be recorded in logs.  A policy should also
   be defined to deal with log overflow.  Log records can be output to
   the console, stored locally, or sent to a remote syslog server.
   The "log-mode" subtree defined below reuses the security
   configuration for remote log transfer in
   [I-D.ietf-netmod-syslog-model], and adds access control for locally
   stored log files.

submodule: log-security
  +--rw log-security
     +--rw alert-notification
     |  +--rw login-fail-threshold         uint8
     |  +--rw system-abnormal              boolean
     |  +--rw attack                       boolean
     |  +--rw log-overflow-lost            boolean
     +--rw (log-overflow-action)
     |  +--:(rewrite-when-overflow)        boolean
     |  |  +--ro rewrite-numbers           uint16
     |  +--:(discard-new-logs)             boolean
     |     +--ro discard-numbers           uint16
     +--rw (log-mode)
        +--:(file) {file-action}?
        |  +--rw user-level-for-read       uint8
        |  +--rw user-level-for-delete     uint8
        +--:(remote) {remote-action}?      [I-D.ietf-netmod-syslog-model]
           +--rw destination* [name]
              +--rw name                   string
              +--rw (transport)
              |  ...
              +--rw signing! {signed-messages}?
                 ...

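   As an added example (not part of the draft), the following Python
   models the two log-overflow-action cases and the
   alert-notification/login-fail-threshold control as a bounded log
   buffer, with rewrite-numbers and discard-numbers kept as the
   read-only counters the tree shows.  The buffer size, the simulated
   login failures and the 192.0.2.10 source address are constructed,
   and the counter semantics (one increment per lost record, and a
   single log-overflow-lost alert on the first loss) are assumptions,
   since the tree gives only the node types.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LogSecurity:
    """Bounded log buffer configured from the log-security subtree.

    overflow_action is one of the draft's log-overflow-action cases,
    "rewrite-when-overflow" or "discard-new-logs"; rewrite_numbers and
    discard_numbers are the corresponding read-only counters.
    """
    capacity: int
    overflow_action: str
    login_fail_threshold: int = 3      # alert-notification/login-fail-threshold
    log_overflow_lost: bool = True     # alert-notification/log-overflow-lost
    rewrite_numbers: int = 0           # ro rewrite-numbers
    discard_numbers: int = 0           # ro discard-numbers
    records: deque = field(default_factory=deque)
    alerts: list = field(default_factory=list)
    _fail_counts: dict = field(default_factory=dict)

    def record(self, line: str) -> bool:
        """Store a log line; returns False if the line was discarded."""
        if len(self.records) < self.capacity:
            self.records.append(line)
            return True
        if self.overflow_action == "rewrite-when-overflow":
            self.records.popleft()         # oldest record is overwritten
            self.records.append(line)
            self.rewrite_numbers += 1
            self._notify_overflow()
            return True
        if self.overflow_action == "discard-new-logs":
            self.discard_numbers += 1      # newest record is dropped
            self._notify_overflow()
            return False
        raise ValueError(f"unknown log-overflow-action {self.overflow_action!r}")

    def _notify_overflow(self) -> None:
        # Raise the log-overflow-lost alert once, on the first lost record
        # (assumed semantics; the draft only defines the boolean switch).
        if self.log_overflow_lost and self.rewrite_numbers + self.discard_numbers == 1:
            self.alerts.append("log-overflow-lost")

    def login_failed(self, account: str, source: str) -> None:
        """Log a failed login and alert when the threshold is reached."""
        key = (account, source)
        count = self._fail_counts.get(key, 0) + 1
        self._fail_counts[key] = count
        self.record(f"LOGIN_FAIL account={account} src={source} count={count}")
        if count == self.login_fail_threshold:
            self.alerts.append(f"login-fail-threshold account={account} src={source}")


def simulate(action: str, attempts: int = 5) -> LogSecurity:
    """Drive a small buffer past capacity with a constructed brute-force
    run from a TEST-NET-1 address so the two overflow policies compare."""
    log = LogSecurity(capacity=4, overflow_action=action)
    for _ in range(attempts):
        log.login_failed("admin", "192.0.2.10")
    return log


if __name__ == "__main__":
    for action in ("rewrite-when-overflow", "discard-new-logs"):
        log = simulate(action)
        print(action, "rewrite-numbers", log.rewrite_numbers,
              "discard-numbers", log.discard_numbers)
        print("  retained:", list(log.records))
        print("  alerts:", log.alerts)
```

   The simulation makes the trade-off between the two cases visible:
   "rewrite-when-overflow" keeps the most recent evidence of the
   brute-force run but loses the first attempt, while
   "discard-new-logs" preserves the start of the incident and loses its
   end.  Either way the counters and the log-overflow-lost alert tell
   the assessor that the local log is no longer complete, which is why
   remote syslog forwarding is the preferred log-mode.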
5.4.  File Security

   Patches, packages, configuration files and password files are
   critical system files of network infrastructure devices.  To
   protect them, only administrators with certain security privilege
   levels are allowed to access or operate on these files.  For file
   transfer security, a secure protocol should be used.  If an insecure
   protocol has to be used, security hardening needs to be implemented.

     +--rw file-security
        +--rw role-based-access-control   boolean
        +--rw ftp-transfer
        |  +--rw ftp-enable               boolean
        |  +--rw ftp-server-port          inet:port-number
        |  +--rw ip-block-enable            boolean
        |  +--rw ip-block-limit {ip-block-config}?
        |     +--rw failed-times   uint64
        |     +--rw period         uint64
        |     +--rw reactive-time  uint64
        +--rw sftp-transfer
        |  +--rw sftp-enable              boolean
        |  +--rw sftp-server-port         inet:port-number
        |  +--u ssh-server-grouping
        |               [I-D.ietf-netconf-ssh-client-server]
        |  +--u ssh-security-hardening
        +--rw scp-transfer
        |  +--rw scp-enable               boolean
        |  +--rw scp-server-port          inet:port-number
        |  +--u ssh-server-grouping
        |               [I-D.ietf-netconf-ssh-client-server]
        |  +--u ssh-security-hardening
        +--rw ftps-transfer
           +--rw ftps-enable              boolean
           +--rw ftps-server-port         inet:port-number
           +--u tls-server-grouping
                                 [I-D.ietf-netconf-tls-client-server]
           +--rw ip-block-enable            boolean
           +--rw ip-block-limit {ip-block-config}?
              +--rw failed-times   uint64
              +--rw period         uint64
              +--rw reactive-time  uint64

6.  Network Infrastructure Device Security Baseline Yang Module

<CODE BEGINS> file "ietf-management-plane-security@2018-06-29.yang"
module ietf-management-plane-security {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-management-plane-security";
  prefix mp-sec;

  import ietf-inet-types {
    prefix inet;
    reference
      "RFC 6991 - Common YANG Data Types.";
  }

  import ietf-yang-types {
    prefix yang;
    reference
      "RFC 6991 - Common YANG Data Types.";
  }

  import ietf-tls-server {
    prefix tlss;
    reference
      "draft-ietf-netconf-tls-client-server";
  }

  import ietf-ssh-server {
    prefix sshs;
    reference
      "draft-ietf-netconf-ssh-client-server";
  }

  organization
    "IETF SACM (Security Automation and Continuous Monitoring)
     Working Group";

  contact
    "WG Web:  http://tools.ietf.org/wg/sacm/
     WG List: sacm@ietf.org

     Editor: Qiushi Lin
             linqiushi@huawei.com
     Editor: Liang Xia
             frank.xialiang@huawei.com
     Editor: Henk Birkholz
             henk.birkholz@sit.fraunhofer.de";

  description
    "This YANG module defines the management plane security baseline
     of network infrastructure devices: the security configuration and
     runtime state of administrator management, system management
     protocols, ports, logs and the local file system.  The groupings
     and typedefs it defines are not limited to this module and may be
     reused anywhere applicable.";

  revision 2018-06-29 {
    description
      "Initial version.";
    reference
      "draft-lin-sacm-nid-mp-security-baseline-03";
  }

  /*
  * features
  */
  feature web-interface {
    description
      "The network device supports a web interface through which
       administrators manage it.";
  }

  feature ip-block-config {
    description
      "The network device supports configuration of the IP block
       function.";
  }

  feature display-online-info {
    description
      "The device supports providing a list of online administrators.";
  }

  /*
  * typedefs
  */
  typedef auth-mode-type {
    type enumeration {
      enum "none" {
        description "Authentication mode: none.";
      }
      enum "password" {
        description "Authentication mode: password.";
      }
      enum "aaa" {
        description "Authentication mode: aaa.";
      }
    }
    description "The authentication mode of console and vty interface.";
  }

  typedef aaa-authen-mode {
    type enumeration {
      enum "invalid" {
        description "Invalid authentication mode.";
      }
      enum "local" {
        description "Local authentication mode.";
      }
      enum "tacacs" {
        description "TACACS authentication mode.";
      }
      enum "radius" {
        description "RADIUS authentication mode.";
      }
      enum "none" {
        description "In this mode, users can pass without authentication.";
      }
      enum "radius-proxy" {
        description "RADIUS proxy authentication mode.";
      }
    }
    description "Different types of authentication modes.";
  }

  typedef radius-authen-type {
    type enumeration {
      enum "pap" {
        description "PAP authentication.";
      }
      enum "chap" {
        description "CHAP authentication.";
      }
    }
    description
      "Different authentication types of RADIUS authentication.";
  }

  typedef aaa-author-mode {
    type enumeration {
      enum "invalid" {
        description "Invalid authorization mode.";
      }
      enum "local" {
        description "Local authorization mode.";
      }
      enum "tacacs" {
        description "TACACS authorization mode.";
      }
      enum "if-authenticated" {
        description
          "If-authenticated mode: if the user has passed authentication
           and the authentication mode is not 'none', authorization is
           considered passed.  Otherwise, authorization fails.";
      }
      enum "none" {
        description "Users can pass without authorization.";
      }
    }
    description "Different types of AAA authorization modes.";
  }

  typedef aaa-cmd-author-mode {
    type enumeration {
      enum "invalid" {
        description "Invalid command line authorization mode.";
      }
      enum "local" {
        description "Local command line authorization mode.";
      }
      enum "tacacs" {
        description "TACACS command line authorization mode.";
      }
    }
    description "Different types of command line authorization modes.";
  }

  typedef aaa-account-mode {
    type enumeration {
      enum "invalid" {
        description "Invalid accounting mode.";
      }
      enum "radius" {
        description "RADIUS accounting mode.";
      }
      enum "tacacs" {
        description "TACACS accounting mode.";
      }
      enum "none" {
        description "In this mode, users are not accounted.";
      }
    }
    description "Different types of accounting modes.";
  }

  typedef ip-block-state-type {
    type enumeration {
      enum "authenfail" {
        description "Authentication failed state.";
      }
      enum "blocked" {
        description "Blocked state.";
      }
    }
    description "The status of an IP address whose login attempts have failed.";
  }

  /*
  * groupings
  */
  grouping ssh-security-hardening {
    leaf ssh-server-port {
      type inet:port-number;
      description "The port number of SSH server.";
    }
    leaf ssh-rekey-interval {
      type uint32;
      description "The interval for updating the key pair of the SSH server.";
    }
    leaf ssh-timeout {
      type uint32;
      description "The authentication timeout period of SSH.";
    }
    leaf ssh-retry-times {
      type uint32;
      description "The authentication retry times.";
    }
    leaf ssh-compatible-ssh1x-enable {
      type boolean;
      description "The status of version-compatible function on the SSH server: enabled, disabled.";
    }
    leaf ssh-server-interface {
      type string;
      description "The source interface of SSH server.";
    }
    leaf ip-block-enable {
      type boolean;
      description "The status of ip block function: enabled, or disabled.";
    }
    container ip-block-limit {
      if-feature ip-block-config;
      leaf failed-times {
        type uint64;
        description "The number of failed login attempts in a certain period.";
      }
      leaf peroid {
        type uint64;
        description "The certain period in which the failed times are counted.";
      }
      leaf reactive-time {
        type uint64;
        description "The reactive time after which the address is no longer blocked.";
      }
      description "If the login from an address failed several times in a certain period, this address will be blocked for a certain time range.";
    }
    description "A set of SSH configuration status to enhance security.";
  }

  /*
  * admin-security-policy
  */
  container admin-security-policy {
    container account-sec-policy {
      leaf security-policy {
        type boolean;
        description "The status of account security policy: enabled, or disabled.";
      }
      leaf account-aging-period {
        type uint64;
        description "The aging period of an administrator.";
      }
      leaf account-name-minlen {
        type uint64;
        description "The minimum length of an administrator account name";
      }
      description "Get configuration data about administrator account security policy.";
    }
    container pwd-sec-policy {
      leaf expire-days {
        type uint64;
        description "The password validity period.";
      }
      leaf prompt-days {
        type uint64;
        description "The period for advance warning before the password expires.";
      }
      leaf change-check {
        type boolean;
        description "The status of mandatory password change when a password is used for the first time: enabled, or disabled.";
      }
      leaf complexity-check {
        type boolean;
        description "The status of password complexity check: enable, or disable.";
      }
      leaf history-pwd-num {
        type uint64;
        description "The newly configured password should not be the same as the several past passwords.";
      }
      leaf pwd-minlen {
        type uint64;
        description "The minimum length of a password.";
      }
      description "Get configuration data about password security policy.";
    }
    container forbidden-word-rules {
      list forbidden-word-rule {
        key "forbidden-word";
        leaf forbidden-word {
          type string;
          description "A forbidden word in password.";
        }
        description "A list of forbidden words that are not allowed to be used in password.";
      }
      description "Password blacklist.";
    }
    container login-failed-limit {
      leaf failed-times {
        type uint64;
        description "The number of failed login attempts in a certain period.";
      }
      leaf peroid {
        type uint64;
        description "The certain period in which the failed times are counted.";
      }
      leaf reactive-time {
        type uint64;
        description "The reactive time after which the account is no longer blocked.";
      }
      description "If an account login failed several times in a certain period, this account will be blocked for a certain time range.";
    }
    description "Get configuration data about administrator security policy.";
  }


  /*
  * admin-login-security
  */
  grouping admin-login-security {
    container console {
      leaf auth-mode {
        type auth-mode-type;
        description "The authentication mode used when an administrator logs in through the console interface: none, password, AAA.";
      }
      leaf privilege-level {
        type uint8;
        description "User privilege level.";
      }
      description "Status of security controls for the console interface.";
    }
    container vtys {
      list vty {
        key "vty-number";
        leaf vty-number {
          type uint8;
          description "The number of the vty interface.";
        }
        leaf auth-mode {
          type auth-mode-type;
          description "The authentication mode used when an administrator logs in through a vty interface: none, password, AAA.";
        }
        leaf privilege-level {
          type uint8;
          description "User privilege level.";
        }
        leaf-list acl-name-list {
          type string;
          description "The name of the acl.";
        }
        leaf ip-block-enable {
          type boolean;
          description "The status of ip block function: enabled, or disabled.";
        }
        container ip-block-limit {
          if-feature ip-block-config;
          leaf failed-times {
            type uint64;
            description "The number of failed login attempts in a certain period.";
          }
          leaf peroid {
            type uint64;
            description "The certain period in which the failed times are counted.";
          }
          leaf reactive-time {
            type uint64;
            description "The reactive time after which the address is no longer blocked.";
          }
          description "If the login from an address failed several times in a certain period, this address will be blocked for a certain time range.";
        }
        description "A list of vty interface configuration status.";
      }
      description "Configuration status of security controls for vty interfaces.";
    }
    container telnet {
      leaf telnet-ipv4-enable {
        type boolean;
        description "The status of ipv4 telnet server: enabled, or disabled.";
      }
      leaf telnet-ipv4-server-port {
        type inet:port-number;
        description "The port number of ipv4 telnet server.";
      }
      leaf telnet-ipv6-enable {
        type boolean;
        description "The status of ipv6 telnet server: enabled, or disabled.";
      }
      leaf telnet-ipv6-server-port {
        type inet:port-number;
        description "The port number of ipv6 telnet server.";
      }
      leaf telnet-server-interface {
        type string;
        description "The source interface of telnet server.";
      }
      leaf-list acl-name-list {
        type string;
        description "The name of the acl.";
      }
      leaf ip-block-enable {
        type boolean;
        description "Whether the ip block function is enabled: enabled, disabled.";
      }
      container ip-block-limit {
        if-feature ip-block-config;
        leaf failed-times {
          type uint64;
          description "The number of failed login attempts in a certain period.";
        }
        leaf peroid {
          type uint64;
          description "The certain period in which the failed times are counted.";
        }
        leaf reactive-time {
          type uint64;
          description "The reactive time after which the address is no longer blocked.";
        }
        description "If the login from an address failed several times in a certain period, this address will be blocked for a certain time range.";
      }
      description "Configuration status of security controls for telnet login.";
    }
    container ssh {
      leaf ssh-enable {
        type boolean;
        description "The status of SSH server: enabled, or disabled.";
      }
      uses sshs:ssh-server-grouping;
      uses ssh-security-hardening;
      description "Configuration status of security controls for SSH login.";
    }
    container web {
      if-feature web-interface;
      uses tlss:tls-server-grouping;
      leaf auth-mode {
        type auth-mode-type;
        description "The authentication mode used when an administrator logs in through the web interface: none, password, AAA.";
      }
      leaf privilege-level {
        type uint8;
        description "User privilege level.";
      }
      leaf http-server-interface {
        type string;
        description "The source interface of web server.";
      }
      leaf https-ipv4-enable {
        type boolean;
        description "The status of ipv4 https server: enabled, disabled.";
      }
      leaf https-ipv6-enable {
        type boolean;
        description "The status of ipv6 https server: enabled, disabled.";
      }
      leaf https-source-port {
        type inet:port-number;
        description "The port number of web server.";
      }
      leaf https-timeout {
        type uint32;
        description "The authentication timeout period of https.";
      }
      leaf ip-block-enable {
        type boolean;
        description "The status of ip block function: enabled, or disabled.";
      }
      container ip-block-limit {
        if-feature ip-block-config;
        leaf failed-times {
          type uint64;
          description "The number of failed login attempts in a certain period.";
        }
        leaf peroid {
          type uint64;
          description "The certain period in which the failed times are counted.";
        }
        leaf reactive-time {
          type uint64;
          description "The reactive time after which the address is no longer blocked.";
        }
        description "If the login from an address failed several times in a certain period, this address will be blocked for a certain time range.";
      }
      description "If the network device supports a web interface, the configuration status of the web server.";
    }
    description "Configuration status of different types of login interfaces.";
  }

  container aaa-security {
    list authentication-scheme {
      key "authen-scheme-name";
      leaf authen-scheme-name {
        type string;
        description "The name of the authentication scheme.";
      }
      leaf-list authen-mode {
        type aaa-authen-mode;
        description "A list of authentication modes in order of preference. The second, third, and following authentication modes are used only when the first authentication mode does not respond.";
      }
      leaf authen-type {
        type radius-authen-type;
        description "Authentication type of RADIUS: PAP, CHAP.";
      }
      leaf authen-fail-policy {
        type boolean;
        description "The policy adopted after user authentication fails: force the user offline, or allow the user to log in to a domain with access control.";
      }
      description "Authentication scheme list.";
    }
    list authorization-scheme {
      key "author-scheme-name";
      leaf author-scheme-name {
        type string;
        description "The name of the authorization scheme.";
      }
      leaf-list auhtor-mode {
        type aaa-author-mode;
        description "A list of authorization modes in order of preference. The second, third, and following authorization modes are used only when the first authorization mode does not respond.";
      }
      leaf-list cmd-auhtor-mode {
        type aaa-cmd-author-mode;
        description "A list of command line authorization modes in order of preference. The second, third, and following command line authorization modes are used only when the first command line authorization mode does not respond.";
      }
      description "Authorization scheme list.";
    }
    list accounting-scheme {
      key "account-scheme-name";
      leaf account-scheme-name {
        type string;
        description "The name of the accounting scheme.";
      }
      leaf account-mode {
        type aaa-account-mode;
        description "Accounting mode.";
      }
      description "Accounting scheme list.";
    }
    container radius-security {
      list radius-authen-servers {
        key "address";
        leaf address {
          type inet:host;
          description "The ip address of the authentication server.";
        }
        leaf port {
          type inet:port-number;
          description "The port number of the authentication server.";
        }
        description "A list of RADIUS authentication servers.";
      }
      list radius-author-servers {
        key "address";
        leaf address {
          type inet:host;
          description "The ip address of the authorization server.";
        }
        leaf port {
          type inet:port-number;
          description "The port number of the authorization server.";
        }
        description "A list of RADIUS authorization servers.";
      }
      list radius-account-servers {
        key "address";
        leaf address {
          type inet:host;
          description "The ip address of the accounting server.";
        }
        leaf port {
          type inet:port-number;
          description "The port number of the accounting server.";
        }
        description "A list of RADIUS accounting servers.";
      }
      description "RADIUS authentication servers, authorization servers and accounting servers.";
    }
    container tacacs-security {
      list tacacs-authen-servers {
        key "address";
        leaf address {
          type inet:host;
          description "The ip address of the authentication server.";
        }
        leaf port {
          type inet:port-number;
          description "The port number of the authentication server.";
        }
        description "A list of TACACS+ and TACACS+ compatible authentication servers.";
      }
      list tacacs-author-servers {
        key "address";
        leaf address {
          type inet:host;
          description "The ip address of the authorization server.";
        }
        leaf port {
          type inet:port-number;
          description "The port number of the authorization server.";
        }
        description "A list of TACACS+ and TACACS+ compatible authorization servers.";
      }
      list tacacs-account-servers {
        key "address";
        leaf address {
          type inet:host;
          description "The ip address of the accounting server.";
        }
        leaf port {
          type inet:port-number;
          description "The port number of the accounting server.";
        }
        description "A list of TACACS+ and TACACS+ compatible accounting servers.";
      }
      description "TACACS+ and TACACS+ compatible authentication servers, authorization servers, and accounting servers.";
    }
    description "Configuration status of AAA.";
  }

  container admin-access-statistics {
    config false;
    leaf total-online-users {
      type uint32;
      config false;
      description "The number of administrators that are currently online.";
    }
    container online-admin-list {
      if-feature display-online-info;
      config false;
      list online-users {
        key "account-name";
        leaf account-name {
          type string;
          config false;
          description "The account name of the online account.";
        }
        leaf ip-address {
          type inet:ip-address-no-zone;
          config false;
          description "The ip address of the online account.";
        }
        leaf mac-address {
          type yang:mac-address;
          config false;
          description "The MAC address of the online account.";
        }
        description "Online administrator list.";
      }
      description "If the device supports providing information about online administrators, a list of account details is provided.";
    }
    description "Online administrator list, IP addresses with authentication failures, and blocked IP addresses.";
  }
}
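As an added example (not part of this draft, and not the code of any SACM component or vendor), the following Python script shows how an evaluator might consume instance data of the module above and score it against a management-plane baseline, which is the use the Abstract describes. It assumes the data arrives as RFC 7951 JSON under the admin-management-security container of the Appendix A tree, that auth-mode-type carries the values "none", "password" and "aaa" named in the leaf descriptions, and a minimum password length of 8 chosen for the example. The device data is constructed; leaf names follow the draft exactly, including its "peroid" spelling.

```python
from __future__ import annotations
import json

MODULE = "nid-management-plane-security"
MIN_PWD_LEN = 8  # assumed threshold: the draft defines the leaf, not the value

# Constructed sample for a hypothetical device; every value is invented.
# Leaf names follow the draft exactly, including its "peroid" spelling.
SAMPLE_INSTANCE_JSON = """{
  "nid-management-plane-security:admin-management-security": {
    "admin-security-policy": {
      "pwd-sec-policy": {"expire-days": 90, "prompt-days": 7, "change-check": true,
                         "complexity-check": false, "history-pwd-num": 5, "pwd-minlen": 6},
      "login-failed-limit": {"failed-times": 3, "peroid": 5, "reactive-time": 5}
    },
    "admin-login-security": {
      "vtys": {"vty": [
        {"vty-number": 0, "auth-mode": "aaa", "privilege-level": 15,
         "acl-name-list": ["MGMT-ACL"], "ip-block-enable": true},
        {"vty-number": 1, "auth-mode": "password", "privilege-level": 15,
         "ip-block-enable": false}]},
      "telnet": {"telnet-ipv4-enable": true, "telnet-ipv4-server-port": 23,
                 "telnet-ipv6-enable": false},
      "ssh": {"ssh-enable": true, "ssh-server-port": 22, "ssh-retry-times": 3,
              "ssh-compatible-ssh1x-enable": true, "ip-block-enable": true}
    },
    "aaa-security": {
      "authentication-scheme": [{"authen-scheme-name": "default",
                                 "authen-mode": ["tacacs", "none"]}],
      "accounting-scheme": [{"account-scheme-name": "default", "account-mode": "none"}]
    }
  }
}"""


def evaluate(instance: dict) -> list[str]:
    """Return the baseline deviations found in one device's instance data."""
    root = instance[f"{MODULE}:admin-management-security"]
    findings: list[str] = []
    # admin-security-policy: password policy and account lockout
    policy = root.get("admin-security-policy", {})
    pwd = policy.get("pwd-sec-policy", {})
    if not pwd.get("complexity-check", False):
        findings.append("pwd-sec-policy: complexity-check disabled")
    if pwd.get("pwd-minlen", 0) < MIN_PWD_LEN:
        findings.append(f"pwd-sec-policy: pwd-minlen below {MIN_PWD_LEN}")
    if "login-failed-limit" not in policy:
        findings.append("login-failed-limit: account lockout not configured")
    # admin-login-security: cleartext telnet, legacy SSH, unrestricted vtys
    login = root.get("admin-login-security", {})
    telnet = login.get("telnet", {})
    for fam in ("ipv4", "ipv6"):
        if telnet.get(f"telnet-{fam}-enable", False):
            findings.append(f"telnet: {fam} server enabled (cleartext management)")
    if login.get("ssh", {}).get("ssh-compatible-ssh1x-enable", False):
        findings.append("ssh: SSH 1.x compatibility enabled")
    for vty in login.get("vtys", {}).get("vty", []):
        n = vty["vty-number"]
        if vty.get("auth-mode") == "none":
            findings.append(f"vty {n}: auth-mode none")
        if not vty.get("acl-name-list"):
            findings.append(f"vty {n}: no ACL restricts login sources")
        if not vty.get("ip-block-enable", False):
            findings.append(f"vty {n}: ip-block function disabled")
    # aaa-security: a "none" fallback or no accounting defeats AAA
    aaa = root.get("aaa-security", {})
    for scheme in aaa.get("authentication-scheme", []):
        if "none" in scheme.get("authen-mode", []):
            findings.append(f"authentication-scheme {scheme['authen-scheme-name']}: "
                            "none accepted as a fallback mode")
    for scheme in aaa.get("accounting-scheme", []):
        if scheme.get("account-mode") == "none":
            findings.append(f"accounting-scheme {scheme['account-scheme-name']}: "
                            "accounting disabled")
    return findings


def sample_findings() -> list[str]:
    return evaluate(json.loads(SAMPLE_INSTANCE_JSON))


def hardened_sample() -> dict:
    """The same constructed device with every flagged setting corrected."""
    inst = json.loads(SAMPLE_INSTANCE_JSON)
    root = inst[f"{MODULE}:admin-management-security"]
    root["admin-security-policy"]["pwd-sec-policy"].update(
        {"complexity-check": True, "pwd-minlen": 12})
    login = root["admin-login-security"]
    login["telnet"]["telnet-ipv4-enable"] = False
    login["ssh"]["ssh-compatible-ssh1x-enable"] = False
    login["vtys"]["vty"][1].update({"acl-name-list": ["MGMT-ACL"], "ip-block-enable": True})
    root["aaa-security"]["authentication-scheme"][0]["authen-mode"] = ["tacacs", "local"]
    root["aaa-security"]["accounting-scheme"][0]["account-mode"] = "tacacs"
    return inst


if __name__ == "__main__":
    for finding in sample_findings():
        print("FINDING:", finding)
    print("hardened device findings:", evaluate(hardened_sample()))
```

Run as is, the script reports eight deviations for the device as collected (weak password policy, telnet enabled, SSH 1.x compatibility, an unrestricted vty, a "none" authentication fallback and disabled accounting) and none for the hardened copy. Each check reads only leaves the module defines, so the same evaluator can be pointed at any device that exports this data model, and the thresholds are the one place a site policy has to be plugged in.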



7.  Acknowledgements

8.  IANA Considerations

   This document requires no IANA actions.

9.  Security Considerations

   Secure transport should be used to retrieve the current status of
   management plane security baseline.

10.  References

10.1.  Normative References

   [I-D.birkholz-sacm-yang-content]
              Birkholz, H. and N. Cam-Winget, "YANG subscribed
              notifications via SACM Statements", draft-birkholz-sacm-
              yang-content-01 (work in progress), January 2018.

   [I-D.dong-sacm-nid-cp-security-baseline]
              Dong, Y. and L. Xia, "The Data Model of Network
              Infrastructure Device Control Plane Security Baseline",
              draft-dong-sacm-nid-cp-security-baseline-00 (work in
              progress), September 2017.

   [I-D.dong-sacm-nid-infra-security-baseline]
              Dong, Y. and L. Xia, "The Data Model of Network
              Infrastructure Device Infrastructure Layer Security
              Baseline", draft-dong-sacm-nid-infra-security-baseline-01
              (work in progress), May 2018.

   [I-D.ietf-netconf-netconf-client-server]
              Watsen, K. and G. Wu, "NETCONF Client and Server Models",
              draft-ietf-netconf-netconf-client-server-06 (work in
              progress), June 2018.

   [I-D.ietf-netconf-ssh-client-server]
              Watsen, K. and G. Wu, "YANG Groupings for SSH Clients and
              SSH Servers", draft-ietf-netconf-ssh-client-server-06
              (work in progress), June 2018.

   [I-D.ietf-netconf-tls-client-server]
              Watsen, K. and G. Wu, "YANG Groupings for TLS Clients and
              TLS Servers", draft-ietf-netconf-tls-client-server-06
              (work in progress), June 2018.

   [I-D.ietf-netmod-acl-model]
              Jethanandani, M., Huang, L., Agarwal, S., and D. Blair,
              "Network Access Control List (ACL) YANG Data Model",
              draft-ietf-netmod-acl-model-19 (work in progress), April
              2018.

   [I-D.ietf-netmod-syslog-model]
              Wildes, C. and K. Koushik, "A YANG Data Model for Syslog
              Configuration", draft-ietf-netmod-syslog-model-26 (work in
              progress), March 2018.

   [I-D.ietf-sacm-information-model]
              Waltermire, D., Watson, K., Kahn, C., Lorenzin, L., Cokus,
              M., Haynes, D., and H. Birkholz, "SACM Information Model",
              draft-ietf-sacm-information-model-10 (work in progress),
              April 2017.

   [I-D.xia-sacm-nid-dp-security-baseline]
              Xia, L. and G. Zheng, "The Data Model of Network
              Infrastructure Device Data Plane Security Baseline",
              draft-xia-sacm-nid-dp-security-baseline-02 (work in
              progress), June 2018.

   [RFC7317]  Bierman, A. and M. Bjorklund, "A YANG Data Model for
              System Management", RFC 7317, DOI 10.17487/RFC7317, August
              2014, <https://www.rfc-editor.org/info/rfc7317>.

   [RFC7407]  Bjorklund, M. and J. Schoenwaelder, "A YANG Data Model for
              SNMP Configuration", RFC 7407, DOI 10.17487/RFC7407,
              December 2014, <https://www.rfc-editor.org/info/rfc7407>.

10.2.  Informative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010,
              <https://www.rfc-editor.org/info/rfc6020>.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
              <https://www.rfc-editor.org/info/rfc8340>.

Appendix A.

   The following is the whole structure of the YANG tree diagram for the
   network infrastructure device management plane.  The existing RFCs and
   drafts related to this document are listed on the right side.

module: nid-management-plane-security
  +--rw admin-management-security
  |  +--rw admin-security-policy
  |  +--rw admin-login-security     [I-D.ietf-netconf-ssh-client-server]
  |                                 [I-D.ietf-netconf-tls-client-server]
  |  +--rw aaa-security      [RFC7317]
  |  +--rw admin-access-statistics
  +--rw system-management-security
  |  +--rw snmp-security            [RFC7407]
  |  +--rw netconf-security         [I-D.ietf-netconf-netconf-client-server]
  |  +--rw port-management-security
  +--rw log-security
  |  +--rw alert-notification
  |  +--rw log-overflow-action
  |  +--rw log-mode                [I-D.ietf-netmod-syslog-model]
  +--rw file-security              [I-D.ietf-netconf-ssh-client-server]
                                   [I-D.ietf-netconf-tls-client-server]

   Draft [I-D.ietf-netconf-tls-client-server] and draft
   [I-D.ietf-netconf-ssh-client-server] focus on YANG models for TLS-
   specific configuration and SSH-specific configuration respectively.
   The transport-level configuration, such as what ports to listen on or
   connect to, is not included.  Draft
   [I-D.ietf-netconf-netconf-client-server] defines a NETCONF YANG model
   based on the data models defined in the above two documents.

   [RFC7317] defines a YANG data model for system management of a device
   containing a NETCONF server.  It summarizes data modules for NETCONF
   user authentication, and defines a YANG module for the client to
   configure the RADIUS authentication server information.  Three methods
   are defined for user authentication: public key for local users over
   SSH, password for local users over any secure transport, and password
   for RADIUS users over any secure transport.

   [RFC7407] defines a YANG model for SNMP configuration, including
   community-based security module for SNMPv1 and SNMPv2c, as well as
   view-based access control module and user-based security module for
   SNMPv3.

   Draft [I-D.ietf-netmod-syslog-model] defines a YANG model for Syslog
   configuration, including TLS-based transport security and syslog
   message signing.

Authors' Addresses

   Qiushi Lin
   Huawei
   Huawei Industrial Base
   Shenzhen, Guangdong  518129
   China

   Email: linqiushi@huawei.com


   Liang Xia
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu  210012
   China

   Email: Frank.xialiang@huawei.com


   Henk Birkholz
   Fraunhofer SIT
   Rheinstrasse 75
   Darmstadt  64295
   Germany

   Email: henk.birkholz@sit.fraunhofer.de