draft-ietf-netmod-system-mgmt-15.txt   draft-ietf-netmod-system-mgmt-16.txt 
Network Working Group A. Bierman Network Working Group A. Bierman
Internet-Draft YumaWorks Internet-Draft YumaWorks
Intended status: Standards Track M. Bjorklund Intended status: Standards Track M. Bjorklund
Expires: October 31, 2014 Tail-f Systems Expires: November 15, 2014 Tail-f Systems
April 29, 2014 May 14, 2014
A YANG Data Model for System Management A YANG Data Model for System Management
draft-ietf-netmod-system-mgmt-15 draft-ietf-netmod-system-mgmt-16
Abstract Abstract
This document defines a YANG data model for the configuration and This document defines a YANG data model for the configuration and
identification of some common system properties within a device identification of some common system properties within a device
containing a NETCONF server. This includes data node definitions for containing a NETCONF server. This includes data node definitions for
system identification, time-of-day management, user management, DNS system identification, time-of-day management, user management, DNS
resolver configuration, and some protocol operations for system resolver configuration, and some protocol operations for system
management. management.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 31, 2014. This Internet-Draft will expire on November 15, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 31 skipping to change at page 2, line 31
3.3. DNS Resolver Model . . . . . . . . . . . . . . . . . . . . 8 3.3. DNS Resolver Model . . . . . . . . . . . . . . . . . . . . 8
3.4. RADIUS Client Model . . . . . . . . . . . . . . . . . . . 8 3.4. RADIUS Client Model . . . . . . . . . . . . . . . . . . . 8
3.5. User Authentication Model . . . . . . . . . . . . . . . . 9 3.5. User Authentication Model . . . . . . . . . . . . . . . . 9
3.5.1. SSH Public Key Authentication . . . . . . . . . . . . 9 3.5.1. SSH Public Key Authentication . . . . . . . . . . . . 9
3.5.2. Local User Password Authentication . . . . . . . . . . 10 3.5.2. Local User Password Authentication . . . . . . . . . . 10
3.5.3. RADIUS Password Authentication . . . . . . . . . . . . 10 3.5.3. RADIUS Password Authentication . . . . . . . . . . . . 10
3.6. System Control . . . . . . . . . . . . . . . . . . . . . . 10 3.6. System Control . . . . . . . . . . . . . . . . . . . . . . 10
4. Relationship to the SNMPv2-MIB . . . . . . . . . . . . . . . . 11 4. Relationship to the SNMPv2-MIB . . . . . . . . . . . . . . . . 11
5. IANA Crypt Hash YANG module . . . . . . . . . . . . . . . . . 12 5. IANA Crypt Hash YANG module . . . . . . . . . . . . . . . . . 12
6. System YANG module . . . . . . . . . . . . . . . . . . . . . . 15 6. System YANG module . . . . . . . . . . . . . . . . . . . . . . 15
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33
8. Security Considerations . . . . . . . . . . . . . . . . . . . 33 8. Security Considerations . . . . . . . . . . . . . . . . . . . 34
9. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 35 9. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 36
9.1. 00-01 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 9.1. 00-01 . . . . . . . . . . . . . . . . . . . . . . . . . . 36
9.2. 01-02 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 9.2. 01-02 . . . . . . . . . . . . . . . . . . . . . . . . . . 36
9.3. 02-03 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 9.3. 02-03 . . . . . . . . . . . . . . . . . . . . . . . . . . 36
9.4. 03-04 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 9.4. 03-04 . . . . . . . . . . . . . . . . . . . . . . . . . . 36
9.5. 04-05 . . . . . . . . . . . . . . . . . . . . . . . . . . 35 9.5. 04-05 . . . . . . . . . . . . . . . . . . . . . . . . . . 36
9.6. 05-06 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 9.6. 05-06 . . . . . . . . . . . . . . . . . . . . . . . . . . 37
9.7. 06-07 . . . . . . . . . . . . . . . . . . . . . . . . . . 36 9.7. 06-07 . . . . . . . . . . . . . . . . . . . . . . . . . . 37
9.8. 07-08 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 9.8. 07-08 . . . . . . . . . . . . . . . . . . . . . . . . . . 38
9.9. 08-09 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 9.9. 08-09 . . . . . . . . . . . . . . . . . . . . . . . . . . 38
9.10. 09-10 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 9.10. 09-10 . . . . . . . . . . . . . . . . . . . . . . . . . . 38
9.11. 11-12 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 9.11. 11-12 . . . . . . . . . . . . . . . . . . . . . . . . . . 38
9.12. 13-14 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 9.12. 13-14 . . . . . . . . . . . . . . . . . . . . . . . . . . 38
9.13. 14-15 . . . . . . . . . . . . . . . . . . . . . . . . . . 37 9.13. 14-15 . . . . . . . . . . . . . . . . . . . . . . . . . . 38
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 38 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 39
10.1. Normative References . . . . . . . . . . . . . . . . . . . 38 10.1. Normative References . . . . . . . . . . . . . . . . . . . 39
10.2. Informative References . . . . . . . . . . . . . . . . . . 39 10.2. Informative References . . . . . . . . . . . . . . . . . . 40
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 40 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 41
1. Introduction 1. Introduction
This document defines a YANG [RFC6020] data model for the This document defines a YANG [RFC6020] data model for the
configuration and identification of some common properties within a configuration and identification of some common properties within a
device containing a NETCONF server. device containing a NETCONF server.
Devices that are managed by NETCONF and perhaps other mechanisms have Devices that are managed by NETCONF and perhaps other mechanisms have
common properties that need to be configured and monitored in a common properties that need to be configured and monitored in a
standard way. standard way.
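Review bot: the Change Log in the right-hand table of contents still ends at "9.13. 14-15", so draft -16 has no entry describing what changed between -15 and -16 (the ssh-key to authorized-key rename, the RFC 4253 key-data format text, the rewritten IANA Considerations, the RFC 3579 pointer); add a "15-16" section so that the revision history stays complete before publication.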
skipping to change at page 9, line 37 skipping to change at page 9, line 37
based User Interface. based User Interface.
The data model for user authentication has the following structure: The data model for user authentication has the following structure:
+--rw system +--rw system
+--rw authentication +--rw authentication
+--rw user-authentication-order* identityref +--rw user-authentication-order* identityref
+--rw user* [name] +--rw user* [name]
+--rw name string +--rw name string
+--rw password? ianach:crypt-hash +--rw password? ianach:crypt-hash
+--rw ssh-key* [name] +--rw authorized-key* [name]
+--rw name string +--rw name string
+--rw algorithm string +--rw algorithm string
+--rw key-data binary +--rw key-data binary
3.5.1. SSH Public Key Authentication 3.5.1. SSH Public Key Authentication
If the NETCONF server advertises the "local-users" feature, If the NETCONF server advertises the "local-users" feature,
configuration of local users and their SSH public keys is supported configuration of local users and their SSH public keys is supported
in the /system/authentication/user list. in the /system/authentication/user list.
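Review bot: the tree renames the list from "ssh-key" to "authorized-key", but the 3.5.1 prose directly below still only says "SSH public keys ... in the /system/authentication/user list"; name the list explicitly (/system/authentication/user/authorized-key) so the node rename is visible in the text, since this is an incompatible change for any implementation built on the -15 module.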
skipping to change at page 12, line 10 skipping to change at page 12, line 10
+----------------+-------------------+ +----------------+-------------------+
YANG interface configuration data nodes and related SNMPv2-MIB YANG interface configuration data nodes and related SNMPv2-MIB
objects objects
5. IANA Crypt Hash YANG module 5. IANA Crypt Hash YANG module
This YANG module references [RFC1321], [IEEE-1003.1-2008], and This YANG module references [RFC1321], [IEEE-1003.1-2008], and
[FIPS.180-3.2008]. [FIPS.180-3.2008].
RFC Ed.: update the date below with the date of RFC publication and
remove this note.
<CODE BEGINS> file "iana-crypt-hash@2014-04-04.yang" <CODE BEGINS> file "iana-crypt-hash@2014-04-04.yang"
module iana-crypt-hash { module iana-crypt-hash {
namespace "urn:ietf:params:xml:ns:yang:iana-crypt-hash"; namespace "urn:ietf:params:xml:ns:yang:iana-crypt-hash";
prefix ianach; prefix ianach;
organization "IANA"; organization "IANA";
contact contact
" Internet Assigned Numbers Authority " Internet Assigned Numbers Authority
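Review bot: the "RFC Ed.: update the date below" note has been dropped only on the right side, while the file name on both sides is still iana-crypt-hash@2014-04-04.yang; if the intent is that IANA rather than the RFC Editor now owns this module's revision date (consistent with the new Section 7 request), state that in a short note here, otherwise the module risks being published with a stale date.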
skipping to change at page 15, line 14 skipping to change at page 15, line 14
6. System YANG module 6. System YANG module
This YANG module imports YANG extensions from [RFC6536], and imports This YANG module imports YANG extensions from [RFC6536], and imports
YANG types from [RFC6991]. It also references [RFC1035], [RFC2865], YANG types from [RFC6991]. It also references [RFC1035], [RFC2865],
[RFC3418], [RFC5607], [RFC5966], [RFC6557]. [RFC3418], [RFC5607], [RFC5966], [RFC6557].
RFC Ed.: update the date below with the date of RFC publication and RFC Ed.: update the date below with the date of RFC publication and
remove this note. remove this note.
<CODE BEGINS> file "ietf-system@2014-04-04.yang" <CODE BEGINS> file "ietf-system@2014-05-14.yang"
module ietf-system { module ietf-system {
namespace "urn:ietf:params:xml:ns:yang:ietf-system"; namespace "urn:ietf:params:xml:ns:yang:ietf-system";
prefix "sys"; prefix "sys";
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
} }
import ietf-inet-types { import ietf-inet-types {
skipping to change at page 16, line 36 skipping to change at page 16, line 36
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
// RFC Ed.: replace XXXX with actual RFC number and remove this // RFC Ed.: replace XXXX with actual RFC number and remove this
// note. // note.
// RFC Ed.: remove this note // RFC Ed.: remove this note
// Note: extracted from draft-ietf-netmod-system-mgmt-07.txt // Note: extracted from draft-ietf-netmod-system-mgmt-07.txt
// RFC Ed.: update the date below with the date of RFC publication // RFC Ed.: update the date below with the date of RFC publication
// and remove this note. // and remove this note.
revision "2014-04-04" { revision "2014-05-14" {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for System Management"; "RFC XXXX: A YANG Data Model for System Management";
} }
/* /*
* Typedefs * Typedefs
*/ */
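Review bot: the ietf-system revision is bumped to "2014-05-14", but the embedded comment "extracted from draft-ietf-netmod-system-mgmt-07.txt" is stale (this is -16) and should be updated along with the date; the revision description "Initial revision." is only accurate if the -15 module, whose "ssh-key" list is renamed in this revision, was never deployed.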
skipping to change at page 28, line 40 skipping to change at page 28, line 40
leaf name { leaf name {
type string; type string;
description description
"The user name string identifying this entry."; "The user name string identifying this entry.";
} }
leaf password { leaf password {
type ianach:crypt-hash; type ianach:crypt-hash;
description description
"The password for this entry."; "The password for this entry.";
} }
list ssh-key { list authorized-key {
key name; key name;
description description
"A list of public SSH keys for this user."; "A list of public SSH keys for this user. These keys
are allowed for SSH authentication, as described in
RFC 4253.";
reference reference
"RFC 4253: The Secure Shell (SSH) Transport Layer "RFC 4253: The Secure Shell (SSH) Transport Layer
Protocol"; Protocol";
leaf name { leaf name {
type string; type string;
description description
"An arbitrary name for the ssh key."; "An arbitrary name for the SSH key.";
} }
leaf algorithm { leaf algorithm {
type string; type string;
mandatory true; mandatory true;
description description
"The public key algorithm name for this ssh key. "The public key algorithm name for this SSH key.
Valid values are the values in the IANA Secure Shell Valid values are the values in the IANA Secure Shell
(SSH) Protocol Parameters registry, Public Key (SSH) Protocol Parameters registry, Public Key
Algorithm Names"; Algorithm Names";
reference reference
"IANA Secure Shell (SSH) Protocol Parameters registry, "IANA Secure Shell (SSH) Protocol Parameters registry,
Public Key Algorithm Names"; Public Key Algorithm Names";
} }
leaf key-data { leaf key-data {
type binary; type binary;
mandatory true; mandatory true;
description description
"The binary key data for this ssh key."; "The binary public key data for this SSH key, as
specified by RFC 4253, Section 6.6, i.e.,:
string certificate or public key format
identifier
byte[n] key/certificate data
";
reference
"RFC 4253: The Secure Shell (SSH) Transport Layer
Protocol";
} }
} }
} }
} }
} }
/* /*
* Operational state data nodes * Operational state data nodes
*/ */
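Review bot: the "algorithm" leaf and the "key-data" leaf now carry the same information twice: "key-data" is defined as the RFC 4253 Section 6.6 blob, whose first field is the public key format identifier string, while "algorithm" is a free-form string pointing at the IANA Public Key Algorithm Names registry. Neither description says what a server does when the two disagree; add a sentence that the identifier embedded in "key-data" MUST match "algorithm" and that a server MUST reject the entry otherwise, or drop the redundant leaf. Also, the list is keyed by an arbitrary "name", so the same public key can be configured several times under different names; a `unique "key-data";` statement on the list would prevent that.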
skipping to change at page 31, line 41 skipping to change at page 32, line 4
rpc system-shutdown { rpc system-shutdown {
nacm:default-deny-all; nacm:default-deny-all;
description description
"Request that the entire system be shut down immediately. "Request that the entire system be shut down immediately.
A server SHOULD send an rpc reply to the client before A server SHOULD send an rpc reply to the client before
shutting down the system."; shutting down the system.";
} }
} }
<CODE ENDS> <CODE ENDS>
7. IANA Considerations 7. IANA Considerations
This document defines first version of the IANA-maintained IANA is requested to create an IANA-maintained YANG Module called
"iana-crypt-hash" YANG module, which will allow for new hash "iana-crypt-hash", based on the contents of Section 5, which will
algorithms to be added to the type "crypt-hash". An Expert Review, allow for new hash algorithms to be added to the type "crypt-hash".
as defined by [RFC5226], is REQUIRED, for each modification. The registration procedure will be Expert Review, as defined by
[RFC5226].
This document registers two URIs in the IETF XML registry [RFC3688]. This document registers two URIs in the IETF XML registry [RFC3688].
Following the format in RFC 3688, the following registrations are Following the format in RFC 3688, the following registrations are
requested to be made. requested to be made.
URI: urn:ietf:params:xml:ns:yang:iana-crypt-hash URI: urn:ietf:params:xml:ns:yang:iana-crypt-hash
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A, the requested URI is an XML namespace. XML: N/A, the requested URI is an XML namespace.
URI: urn:ietf:params:xml:ns:yang:ietf-system URI: urn:ietf:params:xml:ns:yang:ietf-system
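Review bot: the rewritten IANA Considerations asks for Expert Review of additions to "crypt-hash" but gives the designated expert no criteria; since the Security Considerations already mark MD5 as NOT RECOMMENDED, add a sentence that the expert should check that a newly added hash algorithm has a published specification and is not known to be weaker than those already listed. Minor: "IANA-maintained YANG Module" should read "YANG module" to match the rest of the document.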
skipping to change at page 34, line 25 skipping to change at page 35, line 25
o set-current-datetime: Changes the current date and time on the o set-current-datetime: Changes the current date and time on the
device. device.
o system-restart: Reboots the device. o system-restart: Reboots the device.
o system-shutdown: Shuts down the device. o system-shutdown: Shuts down the device.
Since this document describes the use of RADIUS for purposes of Since this document describes the use of RADIUS for purposes of
authentication, it is vulnerable to all of the threats that are authentication, it is vulnerable to all of the threats that are
present in other RADIUS applications. For a discussion of such present in other RADIUS applications. For a discussion of such
threats, see [RFC2865] and [RFC3162]. threats, see [RFC2865] and [RFC3162], and section 4 of [RFC3579].
This document provides configuration parameters for SSH's "publickey" This document provides configuration parameters for SSH's "publickey"
and "password" authentication mechanisms. Section 9.4 of [RFC4251] and "password" authentication mechanisms. Section 9.4 of [RFC4251]
and section 11 of [RFC4252] discuss security considerations for these and section 11 of [RFC4252] discuss security considerations for these
mechanisms. mechanisms.
The "iana-crypt-hash" YANG module defines a type "crypt-hash" that The "iana-crypt-hash" YANG module defines a type "crypt-hash" that
can be used to store MD5 hashes. [RFC6151] discusses security can be used to store MD5 hashes. [RFC6151] discusses security
considerations for MD5. The usage of MD5 is NOT RECOMMENDED. considerations for MD5. The usage of MD5 is NOT RECOMMENDED.
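Review bot: the MD5 paragraph says "crypt-hash" can be used to store MD5 hashes and that MD5 is NOT RECOMMENDED, but it does not say what a server that implements the type should do with a configured MD5 hash (accept, warn, or reject); since the type lives in the IANA-maintained module of Section 5, state here whether a server MAY refuse the MD5 form so that implementers have a basis for rejecting it.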
skipping to change at page 39, line 34 skipping to change at page 40, line 34
[RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration
Protocol (NETCONF) Access Control Model", RFC 6536, Protocol (NETCONF) Access Control Model", RFC 6536,
March 2012. March 2012.
[RFC6991] Schoenwaelder, J., "Common YANG Data Types", RFC 6991, [RFC6991] Schoenwaelder, J., "Common YANG Data Types", RFC 6991,
July 2013. July 2013.
10.2. Informative References 10.2. Informative References
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
Dial In User Service) Support For Extensible
Authentication Protocol (EAP)", RFC 3579, September 2003.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
January 2004. January 2004.
[RFC6557] Lear, E. and P. Eggert, "Procedures for Maintaining the [RFC6557] Lear, E. and P. Eggert, "Procedures for Maintaining the
Time Zone Database", BCP 175, RFC 6557, February 2012. Time Zone Database", BCP 175, RFC 6557, February 2012.
Authors' Addresses Authors' Addresses
Andy Bierman Andy Bierman
YumaWorks YumaWorks
 End of changes. 17 change blocks. 
39 lines changed or deleted 56 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/